Commit 8ee6f289 authored by Mark Andrews

4450. [port] Provide more nuanced HSM support which better matches

                        the specific PKCS11 providers capabilities. [RT #42458]
parent 85342bec
4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]
4449. [test] Fix catalog zones test on slower systems. [RT #42997] 4449. [test] Fix catalog zones test on slower systems. [RT #42997]
4448. [bug] win32: ::1 was not being found when iterating 4448. [bug] win32: ::1 was not being found when iterating
...@@ -25,6 +25,8 @@ ...@@ -25,6 +25,8 @@
#include <isc/result.h> #include <isc/result.h>
#include <isc/string.h> #include <isc/string.h>
#include <pk11/site.h>
#include <dns/keyvalues.h> #include <dns/keyvalues.h>
#include <dns/name.h> #include <dns/name.h>
...@@ -40,8 +42,10 @@ ...@@ -40,8 +42,10 @@
const char * const char *
alg_totext(dns_secalg_t alg) { alg_totext(dns_secalg_t alg) {
switch (alg) { switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
return "hmac-md5"; return "hmac-md5";
#endif
case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA1:
return "hmac-sha1"; return "hmac-sha1";
case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA224:
...@@ -66,8 +70,10 @@ alg_fromtext(const char *name) { ...@@ -66,8 +70,10 @@ alg_fromtext(const char *name) {
if (strncasecmp(p, "hmac-", 5) == 0) if (strncasecmp(p, "hmac-", 5) == 0)
p = &name[5]; p = &name[5];
#ifndef PK11_MD5_DISABLE
if (strcasecmp(p, "md5") == 0) if (strcasecmp(p, "md5") == 0)
return DST_ALG_HMACMD5; return DST_ALG_HMACMD5;
#endif
if (strcasecmp(p, "sha1") == 0) if (strcasecmp(p, "sha1") == 0)
return DST_ALG_HMACSHA1; return DST_ALG_HMACSHA1;
if (strcasecmp(p, "sha224") == 0) if (strcasecmp(p, "sha224") == 0)
...@@ -122,7 +128,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg, ...@@ -122,7 +128,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
dst_key_t *key = NULL; dst_key_t *key = NULL;
switch (alg) { switch (alg) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
#endif
case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA1:
case DST_ALG_HMACSHA224: case DST_ALG_HMACSHA224:
case DST_ALG_HMACSHA256: case DST_ALG_HMACSHA256:
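Review bot: alg_fromtext now rejects "md5"/"hmac-md5" only implicitly on PK11_MD5_DISABLE builds — the name misses every strcasecmp and falls to whatever the function returns after the hunk (alg_fromtext's tail is outside it), so `rndc-confgen -A hmac-md5` presumably ends in a generic unknown-algorithm error, whereas the dnssec-keygen change in this same commit tells the user explicitly that MD5 was disabled. At minimum document the fall-through at the `#endif` of the md5 branch: `/* hmac-md5 is compiled out under PK11_MD5_DISABLE; the name falls through to the unknown-algorithm return below */`. If the caller's error path has the name available, a dedicated "MD5 support was disabled at build time" message would be consistent with the other tools touched here. The generate_key switch at the end of the hunk also continues outside it.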
...@@ -39,6 +39,8 @@ ...@@ -39,6 +39,8 @@
#include <isc/time.h> #include <isc/time.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <dns/keyvalues.h> #include <dns/keyvalues.h>
#include <dns/name.h> #include <dns/name.h>
...@@ -65,6 +67,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST; ...@@ -65,6 +67,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
static void static void
usage(int status) { usage(int status) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "\ fprintf(stderr, "\
Usage:\n\ Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
...@@ -80,6 +83,23 @@ Usage:\n\ ...@@ -80,6 +83,23 @@ Usage:\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n", -u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef); progname, keydef);
#else
fprintf(stderr, "\
Usage:\n\
%s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
[-s addr] [-t chrootdir] [-u user]\n\
-a: generate just the key clause and write it to keyfile (%s)\n\
-A alg: algorithm (default hmac-sha256)\n\
-b bits: from 1 through 512, default 256; total length of the secret\n\
-c keyfile: specify an alternate key file (requires -a)\n\
-k keyname: the name as it will be used in named.conf and rndc.conf\n\
-p port: the port named will listen on and rndc will connect to\n\
-r randomfile: source of random data (use \"keyboard\" for key timing)\n\
-s addr: the address to which rndc should connect\n\
-t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
-u user: set the keyfile owner to \"user\" (requires -a)\n",
progname, keydef);
#endif
exit (status); exit (status);
} }
...@@ -115,7 +135,11 @@ main(int argc, char **argv) { ...@@ -115,7 +135,11 @@ main(int argc, char **argv) {
progname = program; progname = program;
keyname = DEFAULT_KEYNAME; keyname = DEFAULT_KEYNAME;
#ifndef PK11_MD5_DISABLE
alg = DST_ALG_HMACMD5; alg = DST_ALG_HMACMD5;
#else
alg = DST_ALG_HMACSHA256;
#endif
serveraddr = DEFAULT_SERVER; serveraddr = DEFAULT_SERVER;
port = DEFAULT_PORT; port = DEFAULT_PORT;
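Review bot: usage() now carries two near-identical copies of the entire help text (the `#ifndef` branch ending at L65 and the `#else` branch at L67–L81), differing only in the `-A alg: algorithm (default ...)` line, so the next option added to one copy will be forgotten in the other. Keep one string and substitute the default: `-A alg: algorithm (default %s)\n` with a `DEFAULT_ALG_TEXT` macro passed as an extra argument, and define that macro once (`"hmac-md5"` / `"hmac-sha256"`) beside the `alg = DST_ALG_HMAC…` default in main() at L88–L92 so the help text and the real default cannot drift apart. The middle of the first fprintf is outside this hunk.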
...@@ -128,7 +128,8 @@ ...@@ -128,7 +128,8 @@
<para> <para>
Specifies the algorithm to use for the TSIG key. Available Specifies the algorithm to use for the TSIG key. Available
choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256, choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
hmac-sha384 and hmac-sha512. The default is hmac-md5. hmac-sha384 and hmac-sha512. The default is hmac-md5 or
if MD5 was disabled hmac-sha256.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
...@@ -21,6 +21,8 @@ ...@@ -21,6 +21,8 @@
#include <isc/task.h> #include <isc/task.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <dns/byaddr.h> #include <dns/byaddr.h>
#include <dns/fixedname.h> #include <dns/fixedname.h>
#include <dns/masterdump.h> #include <dns/masterdump.h>
...@@ -1672,7 +1674,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup, ...@@ -1672,7 +1674,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
ptr = ptr2; ptr = ptr2;
ptr2 = ptr3; ptr2 = ptr3;
} else { } else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
digestbits = 0; digestbits = 0;
} }
strncpy(keynametext, ptr, sizeof(keynametext)); strncpy(keynametext, ptr, sizeof(keynametext));
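Review bot: The new `#else` default at L120 silently changes what an unqualified `-y keyname:secret` means on MD5-disabled builds — the request is now signed with hmac-sha256, so a server whose key clause still says hmac-md5 will presumably reject it (BADKEY or BADSIG) and nothing on the client side hints that the default moved. Because the TSIG algorithm is part of the key's identity this is a compatibility change, and the branch deserves a comment: `/* MD5 compiled out: an unqualified -y key is assumed hmac-sha256; peers that expect hmac-md5 will reject it */`. A one-line warning when this fallback is taken would also help, since the docbook change is otherwise the only record of the behaviour. dash_option continues outside the hunk.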
...@@ -390,7 +390,8 @@ ...@@ -390,7 +390,8 @@
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>, <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter> <literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>. is not specified, the default is <literal>hmac-md5</literal>
or if MD5 was disabled <literal>hmac-sha256</literal>.
</para> </para>
<para> <para>
NOTE: You should use the <option>-k</option> option and NOTE: You should use the <option>-k</option> option and
...@@ -82,6 +82,8 @@ ...@@ -82,6 +82,8 @@
#include <isc/types.h> #include <isc/types.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h> #include <isccfg/namedconf.h>
#include <lwres/lwres.h> #include <lwres/lwres.h>
...@@ -1142,12 +1144,15 @@ parse_hmac(const char *hmac) { ...@@ -1142,12 +1144,15 @@ parse_hmac(const char *hmac) {
digestbits = 0; digestbits = 0;
#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) { if (strcasecmp(buf, "hmac-md5") == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128); digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
} else if (strcasecmp(buf, "hmac-sha1") == 0) { } else
#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
hmacname = DNS_TSIG_HMACSHA1_NAME; hmacname = DNS_TSIG_HMACSHA1_NAME;
digestbits = 0; digestbits = 0;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
...@@ -1260,9 +1265,11 @@ setup_file_key(void) { ...@@ -1260,9 +1265,11 @@ setup_file_key(void) {
} }
switch (dst_key_alg(dstkey)) { switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
break; break;
#endif
case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME; hmacname = DNS_TSIG_HMACSHA1_NAME;
break; break;
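Review bot: The `} else` / `#endif` / `if (...)` sequence at L150–L152 is correct but fragile: the `else` binds to the `if` on the following line only because exactly one statement follows the `#endif`, and anyone who later inserts a line between them (a debug print, a brace) changes the control flow of the MD5-enabled build without any compiler complaint. Either brace the else or mark the seam at L152 with `/* first arm of the chain when MD5 is disabled; continues the else-chain above otherwise */`. The same shape appears in nsupdate's parse_hmac in this commit, so whichever form is chosen should be applied to both. parse_hmac's tail and its unknown-name error path are outside the hunk.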
...@@ -22,6 +22,8 @@ ...@@ -22,6 +22,8 @@
#include <isc/string.h> #include <isc/string.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h> #include <dns/dnssec.h>
#include <dns/fixedname.h> #include <dns/fixedname.h>
#include <dns/keyvalues.h> #include <dns/keyvalues.h>
...@@ -404,10 +406,20 @@ main(int argc, char **argv) { ...@@ -404,10 +406,20 @@ main(int argc, char **argv) {
} }
if (strcasecmp(algname, "RSA") == 0) { if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not " fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to " "recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify " "use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n"); "\"-a RSAMD5\"\n");
#else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
if (freeit != NULL)
free(freeit);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
#endif
if (freeit != NULL) if (freeit != NULL)
free(freeit); free(freeit);
return (1); return (1);
...@@ -504,6 +516,11 @@ main(int argc, char **argv) { ...@@ -504,6 +516,11 @@ main(int argc, char **argv) {
alg = dst_key_alg(prevkey); alg = dst_key_alg(prevkey);
flags = dst_key_flags(prevkey); flags = dst_key_flags(prevkey);
#ifdef PK11_MD5_DISABLE
if (alg == DST_ALG_RSAMD5)
fatal("Key %s uses disabled RSAMD5", predecessor);
#endif
dst_key_format(prevkey, keystr, sizeof(keystr)); dst_key_format(prevkey, keystr, sizeof(keystr));
dst_key_getprivateformat(prevkey, &major, &minor); dst_key_getprivateformat(prevkey, &major, &minor);
if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION) if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
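Review bot: The `#else` arm at L183–L191 opens a new `} else if (... "RSAMD5" ...)` branch whose closing brace is supplied by code after the `#endif`, and the disabled-RSA path duplicates the `free(freeit)` / `return (1)` tail that L192–L194 already provides; the result is two preprocessor configurations with different brace structure, which is hard to read and easy to break. Fold the RSAMD5 name into the same condition under the guard so there is one block and one exit, as below. The predecessor check at L198–L201 is fine as a `fatal()`, since the key on disk is user input. main() continues outside the hunk.
```c
#ifdef PK11_MD5_DISABLE
	if (strcasecmp(algname, "RSA") == 0 ||
	    strcasecmp(algname, "RSAMD5") == 0) {
		fprintf(stderr, "The use of RSA (RSAMD5) was disabled\n");
#else
	if (strcasecmp(algname, "RSA") == 0) {
		fprintf(stderr, "The use of RSA (RSAMD5) is not "
				"recommended.\nIf you still wish to "
				"use RSA (RSAMD5) please specify "
				"\"-a RSAMD5\"\n");
#endif
		if (freeit != NULL)
			free(freeit);
		return (1);
	}
	/* … unchanged: remaining algorithm-name handling … */
```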
...@@ -37,6 +37,8 @@ ...@@ -37,6 +37,8 @@
#include <isc/string.h> #include <isc/string.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <dns/dnssec.h> #include <dns/dnssec.h>
#include <dns/fixedname.h> #include <dns/fixedname.h>
#include <dns/keyvalues.h> #include <dns/keyvalues.h>
...@@ -546,15 +548,30 @@ main(int argc, char **argv) { ...@@ -546,15 +548,30 @@ main(int argc, char **argv) {
} }
if (strcasecmp(algname, "RSA") == 0) { if (strcasecmp(algname, "RSA") == 0) {
#ifndef PK11_MD5_DISABLE
fprintf(stderr, "The use of RSA (RSAMD5) is not " fprintf(stderr, "The use of RSA (RSAMD5) is not "
"recommended.\nIf you still wish to " "recommended.\nIf you still wish to "
"use RSA (RSAMD5) please specify " "use RSA (RSAMD5) please specify "
"\"-a RSAMD5\"\n"); "\"-a RSAMD5\"\n");
INSIST(freeit == NULL); INSIST(freeit == NULL);
return (1); return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0) } else if (strcasecmp(algname, "HMAC-MD5") == 0) {
alg = DST_ALG_HMACMD5; alg = DST_ALG_HMACMD5;
else if (strcasecmp(algname, "HMAC-SHA1") == 0) #else
fprintf(stderr,
"The use of RSA (RSAMD5) was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "RSAMD5") == 0) {
fprintf(stderr, "The use of RSAMD5 was disabled\n");
INSIST(freeit == NULL);
return (1);
} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
fprintf(stderr,
"The use of HMAC-MD5 was disabled\n");
return (1);
#endif
} else if (strcasecmp(algname, "HMAC-SHA1") == 0)
alg = DST_ALG_HMACSHA1; alg = DST_ALG_HMACSHA1;
else if (strcasecmp(algname, "HMAC-SHA224") == 0) else if (strcasecmp(algname, "HMAC-SHA224") == 0)
alg = DST_ALG_HMACSHA224; alg = DST_ALG_HMACSHA224;
...@@ -574,6 +591,10 @@ main(int argc, char **argv) { ...@@ -574,6 +591,10 @@ main(int argc, char **argv) {
options |= DST_TYPE_KEY; options |= DST_TYPE_KEY;
} }
#ifdef PK11_MD5_DISABLE
INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
#endif
if (!dst_algorithm_supported(alg)) if (!dst_algorithm_supported(alg))
fatal("unsupported algorithm: %d", alg); fatal("unsupported algorithm: %d", alg);
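Review bot: The `INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5))` at L247 asserts on a value derived from the user's `-a` argument: the strcasecmp checks above catch only the spelled-out names, so if the name-to-number conversion between L242 and L243 (outside the hunk) accepts numeric identifiers, as dns_secalg_fromtext does elsewhere in BIND, `-a 1` or `-a 157` reaches this line and the tool aborts with an assertion failure instead of a diagnostic. INSIST is for internal invariants, not input validation, and the `dst_algorithm_supported()` test on the next line should already reject algorithms the build lacks; either drop the INSIST or make it `if (alg == DNS_KEYALG_RSAMD5 || alg == DST_ALG_HMACMD5) fatal("algorithm %s is disabled in this build (MD5 support compiled out)", algname);`. Separately, the new HMAC-MD5 arm at L234–L237 returns without the `INSIST(freeit == NULL)` its sibling arms perform, which looks like an oversight rather than a deliberate difference. main() continues outside the hunk.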
...@@ -22,6 +22,8 @@ ...@@ -22,6 +22,8 @@
#include <isc/string.h> #include <isc/string.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h> #include <isccfg/namedconf.h>
#include <dns/fixedname.h> #include <dns/fixedname.h>
...@@ -939,9 +941,11 @@ struct keyalgorithms { ...@@ -939,9 +941,11 @@ struct keyalgorithms {
unsigned int type; unsigned int type;
isc_uint16_t size; isc_uint16_t size;
} algorithms[] = { } algorithms[] = {
#ifndef PK11_MD5_DISABLE
{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 }, { "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 }, { "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 }, { "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
#endif
{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 }, { "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 }, { "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 }, { "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
...@@ -988,7 +992,9 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name, ...@@ -988,7 +992,9 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,
if (name != NULL) { if (name != NULL) {
switch (algorithms[i].hmac) { switch (algorithms[i].hmac) {
#ifndef PK11_MD5_DISABLE
case hmacmd5: *name = dns_tsig_hmacmd5_name; break; case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
#endif
case hmacsha1: *name = dns_tsig_hmacsha1_name; break; case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
case hmacsha224: *name = dns_tsig_hmacsha224_name; break; case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
case hmacsha256: *name = dns_tsig_hmacsha256_name; break; case hmacsha256: *name = dns_tsig_hmacsha256_name; break;
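Review bot: With the `hmacmd5` case compiled out at L273–L275, the switch on `algorithms[i].hmac` no longer covers every enumerator if the `hmac` enumeration (declared above, outside the hunk) still lists `hmacmd5`; `-Wswitch` builds will warn, and a table entry carrying that tag would leave `*name` exactly as the caller left it. Make the invariant explicit with a terminal arm, `default: INSIST(0); break;` — appropriate here because the operand comes from the built-in table rather than from named.conf — or guard the enumerator with the same `#ifndef`. ns_config_getkeyalgorithm2 starts and ends outside the hunk.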
...@@ -40,6 +40,8 @@ ...@@ -40,6 +40,8 @@
#include <isc/types.h> #include <isc/types.h>
#include <isc/util.h> #include <isc/util.h>
#include <pk11/site.h>
#include <isccfg/namedconf.h> #include <isccfg/namedconf.h>
#include <dns/callbacks.h> #include <dns/callbacks.h>
...@@ -451,6 +453,7 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) { ...@@ -451,6 +453,7 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
strncpy(buf, hmacstr, len); strncpy(buf, hmacstr, len);
buf[len] = 0; buf[len] = 0;
#ifndef PK11_MD5_DISABLE
if (strcasecmp(buf, "hmac-md5") == 0) { if (strcasecmp(buf, "hmac-md5") == 0) {
*hmac = DNS_TSIG_HMACMD5_NAME; *hmac = DNS_TSIG_HMACMD5_NAME;
} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) { } else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
...@@ -459,7 +462,9 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) { ...@@ -459,7 +462,9 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
if (result != ISC_R_SUCCESS || digestbits > 128) if (result != ISC_R_SUCCESS || digestbits > 128)
fatal("digest-bits out of range [0..128]"); fatal("digest-bits out of range [0..128]");
digestbits = (digestbits +7) & ~0x7U; digestbits = (digestbits +7) & ~0x7U;
} else if (strcasecmp(buf, "hmac-sha1") == 0) { } else
#endif
if (strcasecmp(buf, "hmac-sha1") == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME; *hmac = DNS_TSIG_HMACSHA1_NAME;
} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) { } else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
*hmac = DNS_TSIG_HMACSHA1_NAME; *hmac = DNS_TSIG_HMACSHA1_NAME;
...@@ -549,7 +554,11 @@ setup_keystr(void) { ...@@ -549,7 +554,11 @@ setup_keystr(void) {
secretstr = n + 1; secretstr = n + 1;
digestbits = parse_hmac(&hmacname, keystr, s - keystr); digestbits = parse_hmac(&hmacname, keystr, s - keystr);
} else { } else {
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
name = keystr; name = keystr;
n = s; n = s;
} }
...@@ -683,9 +692,11 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) { ...@@ -683,9 +692,11 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
} }
switch (dst_key_alg(dstkey)) { switch (dst_key_alg(dstkey)) {
#ifndef PK11_MD5_DISABLE
case DST_ALG_HMACMD5: case DST_ALG_HMACMD5:
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
break; break;
#endif
case DST_ALG_HMACSHA1: case DST_ALG_HMACSHA1:
hmacname = DNS_TSIG_HMACSHA1_NAME; hmacname = DNS_TSIG_HMACSHA1_NAME;
break; break;
...@@ -1541,7 +1552,11 @@ evaluate_key(char *cmdline) { ...@@ -1541,7 +1552,11 @@ evaluate_key(char *cmdline) {
digestbits = parse_hmac(&hmacname, namestr, n - namestr); digestbits = parse_hmac(&hmacname, namestr, n - namestr);
namestr = n + 1; namestr = n + 1;
} else } else
#ifndef PK11_MD5_DISABLE
hmacname = DNS_TSIG_HMACMD5_NAME; hmacname = DNS_TSIG_HMACMD5_NAME;
#else
hmacname = DNS_TSIG_HMACSHA256_NAME;
#endif
isc_buffer_init(&b, namestr, strlen(namestr)); isc_buffer_init(&b, namestr, strlen(namestr));
isc_buffer_add(&b, strlen(namestr)); isc_buffer_add(&b, strlen(namestr));
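Review bot: At L329–L334 the `else` body is a single unbraced statement whose text is selected by the preprocessor; it compiles because exactly one assignment survives in each configuration, but an unbraced else spanning `#ifndef`/`#else`/`#endif` is precisely the shape where a later added statement silently lands outside the else. Brace it — `} else {` before the `#ifndef` and `}` after the `#endif` — matching how setup_keystr already does at L306–L314. The same implicit default change as in dig applies here: an unqualified `-y name:secret` or `key name secret` is now signed with hmac-sha256 on MD5-disabled builds, which the docbook change records but the code does not, so a one-line comment at each `#else` (`/* MD5 compiled out: unqualified keys default to hmac-sha256 */`) would help. evaluate_key's buffer handling continues outside the hunk.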
...@@ -324,7 +324,8 @@ ...@@ -324,7 +324,8 @@
<literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>, <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
<literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
<literal>hmac-sha512</literal>. If <parameter>hmac</parameter> <literal>hmac-sha512</literal>. If <parameter>hmac</parameter>
is not specified, the default is <literal>hmac-md5</literal>. is not specified, the default is <literal>hmac-md5</literal>
or if MD5 was disabled <literal>hmac-sha256</literal>.
</para> </para>
<para> <para>
NOTE: Use of the <option>-y</option> option is discouraged because the NOTE: Use of the <option>-y</option> option is discouraged because the
...@@ -481,7 +482,8 @@ ...@@ -481,7 +482,8 @@
<parameter>keyname</parameter> <parameter>secret</parameter> pair. <parameter>keyname</parameter> <parameter>secret</parameter> pair.
If <parameter>hmac</parameter> is specified, then it sets the If <parameter>hmac</parameter> is specified, then it sets the
signing algorithm in use; the default is signing algorithm in use; the default is
<literal>hmac-md5</literal>. The <command>key</command> <literal>hmac-md5</literal> or if MD5 was disabled
<literal>hmac-sha256</literal>. The <command>key</command>
command overrides any key specified on the command line via command overrides any key specified on the command line via
<option>-y</option> or <option>-k</option>. <option>-y</option> or <option>-k</option>.
</para> </para>
...@@ -39,7 +39,7 @@ ...@@ -39,7 +39,7 @@
pkcs11-tokens \- list PKCS#11 available tokens pkcs11-tokens \- list PKCS#11 available tokens
.SH "SYNOPSIS" .SH "SYNOPSIS"
.HP \w'\fBpkcs11\-tokens\fR\ 'u .HP \w'\fBpkcs11\-tokens\fR\ 'u
\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] \fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-v\fR]
.SH "DESCRIPTION" .SH "DESCRIPTION"
.PP .PP
\fBpkcs11\-tokens\fR \fBpkcs11\-tokens\fR
...@@ -50,6 +50,11 @@ lists the PKCS#11 available tokens with defaults from the slot/token scan perfor ...@@ -50,6 +50,11 @@ lists the PKCS#11 available tokens with defaults from the slot/token scan perfor
.RS 4 .RS 4
Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&. Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
.RE .RE
.PP
\-e
.RS 4
Make the PKCS#11 libisc initialization verbose\&.
.RE
.SH "SEE ALSO" .SH "SEE ALSO"
.PP .PP
\fBpkcs11-destroy\fR(8), \fBpkcs11-destroy\fR(8),
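Review bot: The option entry added at L369–L373 is labelled `\-e`, but the SYNOPSIS on L361 advertises `[\fB\-v\fR]` and the pkcs11-tokens.c change in this commit parses `v`, so the manual documents a flag the program does not accept. Change the tag line to `\-v`, and if this page is generated from a docbook source, fix it there as well or the next regeneration will reintroduce the mismatch. The description "Make the PKCS#11 libisc initialization verbose" would also be more useful if it said what is printed, assuming that is known from what pk11_verbose_init controls.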
...@@ -38,11 +38,14 @@ main(int argc, char *argv[]) { ...@@ -38,11 +38,14 @@ main(int argc, char *argv[]) {
isc_mem_t *mctx = NULL; isc_mem_t *mctx = NULL;
pk11_context_t pctx; pk11_context_t pctx;
while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) { while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
switch (c) { switch (c) {
case 'm': case 'm':
lib_name = isc_commandline_argument; lib_name = isc_commandline_argument;
break; break;
case 'v':
pk11_verbose_init = ISC_TRUE;
break;
case ':': case ':':
fprintf(stderr, "Option -%c requires an operand\n", fprintf(stderr, "Option -%c requires an operand\n",
isc_commandline_option); isc_commandline_option);
...@@ -58,7 +61,7 @@ main(int argc, char *argv[]) { ...@@ -58,7 +61,7 @@ main(int argc, char *argv[]) {
if (errflg) { if (errflg) {
fprintf(stderr, "Usage:\n");