4450. [port] Provide more nuanced HSM support which better matches

the specific PKCS11 providers capabilities. [RT #42458]

4450. [port] Provide more nuanced HSM support which better matches
the specific PKCS11 providers capabilities. [RT #42458]
8ee6f289 · Mark Andrews · 85342bec · 8ee6f289 · 8ee6f289 · 8ee6f289
Commit 8ee6f289 authored Aug 19, 2016 by Mark Andrews
56 changed files
--- a/CHANGES
+++ b/CHANGES
+4450.	[port]		Provide more nuanced HSM support which better matches
+			the specific PKCS11 providers capabilities. [RT #42458]
+
 4449.	[test]		Fix catalog zones test on slower systems. [RT #42997]

 4448.	[bug]		win32: ::1 was not being found when iterating

--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -25,6 +25,8 @@
 #include <isc/result.h>
 #include <isc/string.h>

+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>

@@ -40,8 +42,10 @@
 const char *
 alg_totext(dns_secalg_t alg) {
 	switch (alg) {
+#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
 		return "hmac-md5";
+#endif
 	    case DST_ALG_HMACSHA1:
 		return "hmac-sha1";
 	    case DST_ALG_HMACSHA224:
@@ -66,8 +70,10 @@ alg_fromtext(const char *name) {
 	if (strncasecmp(p, "hmac-", 5) == 0)
 		p = &name[5];

+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(p, "md5") == 0)
 		return DST_ALG_HMACMD5;
+#endif
 	if (strcasecmp(p, "sha1") == 0)
 		return DST_ALG_HMACSHA1;
 	if (strcasecmp(p, "sha224") == 0)
@@ -122,7 +128,9 @@ generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
 	dst_key_t *key = NULL;

 	switch (alg) {
+#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
+#endif
 	    case DST_ALG_HMACSHA1:
 	    case DST_ALG_HMACSHA224:
 	    case DST_ALG_HMACSHA256:

--- a/bin/confgen/rndc-confgen.c
+++ b/bin/confgen/rndc-confgen.c
@@ -39,6 +39,8 @@
 #include <isc/time.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <dns/keyvalues.h>
 #include <dns/name.h>

@@ -65,6 +67,7 @@ usage(int status) ISC_PLATFORM_NORETURN_POST;
 static void
 usage(int status) {

+#ifndef PK11_MD5_DISABLE
 	fprintf(stderr, "\
 Usage:\n\
 %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
@@ -80,6 +83,23 @@ Usage:\n\
  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
 		 progname, keydef);
+#else
+	fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+[-s addr] [-t chrootdir] [-u user]\n\
+  -a:		 generate just the key clause and write it to keyfile (%s)\n\
+  -A alg:	 algorithm (default hmac-sha256)\n\
+  -b bits:	 from 1 through 512, default 256; total length of the secret\n\
+  -c keyfile:	 specify an alternate key file (requires -a)\n\
+  -k keyname:	 the name as it will be used  in named.conf and rndc.conf\n\
+  -p port:	 the port named will listen on and rndc will connect to\n\
+  -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+  -s addr:	 the address to which rndc should connect\n\
+  -t chrootdir:	 write a keyfile in chrootdir as well (requires -a)\n\
+  -u user:	 set the keyfile owner to \"user\" (requires -a)\n",
+		 progname, keydef);
+#endif

 	exit (status);
 }
@@ -115,7 +135,11 @@ main(int argc, char **argv) {
 	progname = program;

 	keyname = DEFAULT_KEYNAME;
+#ifndef PK11_MD5_DISABLE
 	alg = DST_ALG_HMACMD5;
+#else
+	alg = DST_ALG_HMACSHA256;
+#endif
 	serveraddr = DEFAULT_SERVER;
 	port = DEFAULT_PORT;


--- a/bin/confgen/rndc-confgen.docbook
+++ b/bin/confgen/rndc-confgen.docbook
@@ -128,7 +128,8 @@
          <para>
            Specifies the algorithm to use for the TSIG key.  Available
            choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
-            hmac-sha384 and hmac-sha512.  The default is hmac-md5.
+            hmac-sha384 and hmac-sha512.  The default is hmac-md5 or
+            if MD5 was disabled hmac-sha256.
          </para>
        </listitem>
      </varlistentry>

--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -21,6 +21,8 @@
 #include <isc/task.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <dns/byaddr.h>
 #include <dns/fixedname.h>
 #include <dns/masterdump.h>
@@ -1672,7 +1674,11 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else  {
+#ifndef PK11_MD5_DISABLE
 			hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+			hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
 			digestbits = 0;
 		}
 		strncpy(keynametext, ptr, sizeof(keynametext));

--- a/bin/dig/dig.docbook
+++ b/bin/dig/dig.docbook
@@ -390,7 +390,8 @@
 	    <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
 	    <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
 	    <literal>hmac-sha512</literal>.  If <parameter>hmac</parameter>
-	    is not specified, the default is <literal>hmac-md5</literal>.
+	    is not specified, the default is <literal>hmac-md5</literal>
+	    or if MD5 was disabled <literal>hmac-sha256</literal>.
 	  </para>
 	  <para>
 	    NOTE: You should use the <option>-k</option> option and

--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -82,6 +82,8 @@
 #include <isc/types.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>

 #include <lwres/lwres.h>
@@ -1142,12 +1144,15 @@ parse_hmac(const char *hmac) {

 	digestbits = 0;

+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(buf, "hmac-md5") == 0) {
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
-	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+	} else
+#endif
+	if (strcasecmp(buf, "hmac-sha1") == 0) {
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		digestbits = 0;
 	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
@@ -1260,9 +1265,11 @@ setup_file_key(void) {
 	}

 	switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		break;
+#endif
 	case DST_ALG_HMACSHA1:
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		break;

--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -22,6 +22,8 @@
 #include <isc/string.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -404,10 +406,20 @@ main(int argc, char **argv) {
 		}

 		if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
 			fprintf(stderr, "The use of RSA (RSAMD5) is not "
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
+#else
+			fprintf(stderr,
+				"The use of RSA (RSAMD5) was disabled\n");
+			if (freeit != NULL)
+				free(freeit);
+			return (1);
+		} else if (strcasecmp(algname, "RSAMD5") == 0) {
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
+#endif
 			if (freeit != NULL)
 				free(freeit);
 			return (1);
@@ -504,6 +516,11 @@ main(int argc, char **argv) {
 		alg = dst_key_alg(prevkey);
 		flags = dst_key_flags(prevkey);

+#ifdef PK11_MD5_DISABLE
+		if (alg == DST_ALG_RSAMD5)
+			fatal("Key %s uses disabled RSAMD5", predecessor);
+#endif
+
 		dst_key_format(prevkey, keystr, sizeof(keystr));
 		dst_key_getprivateformat(prevkey, &major, &minor);
 		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)

--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -37,6 +37,8 @@
 #include <isc/string.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <dns/dnssec.h>
 #include <dns/fixedname.h>
 #include <dns/keyvalues.h>
@@ -546,15 +548,30 @@ main(int argc, char **argv) {
 		}

 		if (strcasecmp(algname, "RSA") == 0) {
+#ifndef PK11_MD5_DISABLE
 			fprintf(stderr, "The use of RSA (RSAMD5) is not "
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
 			INSIST(freeit == NULL);
 			return (1);
-		} else if (strcasecmp(algname, "HMAC-MD5") == 0)
+		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
 			alg = DST_ALG_HMACMD5;
-		else if (strcasecmp(algname, "HMAC-SHA1") == 0)
+#else
+			fprintf(stderr,
+				"The use of RSA (RSAMD5) was disabled\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else if (strcasecmp(algname, "RSAMD5") == 0) {
+			fprintf(stderr, "The use of RSAMD5 was disabled\n");
+			INSIST(freeit == NULL);
+			return (1);
+		} else if (strcasecmp(algname, "HMAC-MD5") == 0) {
+			fprintf(stderr,
+				"The use of HMAC-MD5 was disabled\n");
+			return (1);
+#endif
+		} else if (strcasecmp(algname, "HMAC-SHA1") == 0)
 			alg = DST_ALG_HMACSHA1;
 		else if (strcasecmp(algname, "HMAC-SHA224") == 0)
 			alg = DST_ALG_HMACSHA224;
@@ -574,6 +591,10 @@ main(int argc, char **argv) {
 				options |= DST_TYPE_KEY;
 		}

+#ifdef PK11_MD5_DISABLE
+		INSIST((alg != DNS_KEYALG_RSAMD5) && (alg != DST_ALG_HMACMD5));
+#endif
+
 		if (!dst_algorithm_supported(alg))
 			fatal("unsupported algorithm: %d", alg);


--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -22,6 +22,8 @@
 #include <isc/string.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>

 #include <dns/fixedname.h>
@@ -939,9 +941,11 @@ struct keyalgorithms {
 	unsigned int type;
 	isc_uint16_t size;
 } algorithms[] = {
+#ifndef PK11_MD5_DISABLE
 	{ "hmac-md5", hmacmd5, DST_ALG_HMACMD5, 128 },
 	{ "hmac-md5.sig-alg.reg.int", hmacmd5, DST_ALG_HMACMD5, 0 },
 	{ "hmac-md5.sig-alg.reg.int.", hmacmd5, DST_ALG_HMACMD5, 0 },
+#endif
 	{ "hmac-sha1", hmacsha1, DST_ALG_HMACSHA1, 160 },
 	{ "hmac-sha224", hmacsha224, DST_ALG_HMACSHA224, 224 },
 	{ "hmac-sha256", hmacsha256, DST_ALG_HMACSHA256, 256 },
@@ -988,7 +992,9 @@ ns_config_getkeyalgorithm2(const char *str, dns_name_t **name,

 	if (name != NULL) {
 		switch (algorithms[i].hmac) {
+#ifndef PK11_MD5_DISABLE
 		case hmacmd5: *name = dns_tsig_hmacmd5_name; break;
+#endif
 		case hmacsha1: *name = dns_tsig_hmacsha1_name; break;
 		case hmacsha224: *name = dns_tsig_hmacsha224_name; break;
 		case hmacsha256: *name = dns_tsig_hmacsha256_name; break;

--- a/bin/nsupdate/nsupdate.c
+++ b/bin/nsupdate/nsupdate.c
@@ -40,6 +40,8 @@
 #include <isc/types.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>

 #include <dns/callbacks.h>
@@ -451,6 +453,7 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
 	strncpy(buf, hmacstr, len);
 	buf[len] = 0;

+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(buf, "hmac-md5") == 0) {
 		*hmac = DNS_TSIG_HMACMD5_NAME;
 	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
@@ -459,7 +462,9 @@ parse_hmac(dns_name_t **hmac, const char *hmacstr, size_t len) {
 		if (result != ISC_R_SUCCESS || digestbits > 128)
 			fatal("digest-bits out of range [0..128]");
 		digestbits = (digestbits +7) & ~0x7U;
-	} else if (strcasecmp(buf, "hmac-sha1") == 0) {
+	} else
+#endif
+	if (strcasecmp(buf, "hmac-sha1") == 0) {
 		*hmac = DNS_TSIG_HMACSHA1_NAME;
 	} else if (strncasecmp(buf, "hmac-sha1-", 10) == 0) {
 		*hmac = DNS_TSIG_HMACSHA1_NAME;
@@ -549,7 +554,11 @@ setup_keystr(void) {
 		secretstr = n + 1;
 		digestbits = parse_hmac(&hmacname, keystr, s - keystr);
 	} else {
+#ifndef PK11_MD5_DISABLE
 		hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif
 		name = keystr;
 		n = s;
 	}
@@ -683,9 +692,11 @@ setup_keyfile(isc_mem_t *mctx, isc_log_t *lctx) {
 	}

 	switch (dst_key_alg(dstkey)) {
+#ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		break;
+#endif
 	case DST_ALG_HMACSHA1:
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		break;
@@ -1541,7 +1552,11 @@ evaluate_key(char *cmdline) {
 		digestbits = parse_hmac(&hmacname, namestr, n - namestr);
 		namestr = n + 1;
 	} else
+#ifndef PK11_MD5_DISABLE
 		hmacname = DNS_TSIG_HMACMD5_NAME;
+#else
+		hmacname = DNS_TSIG_HMACSHA256_NAME;
+#endif

 	isc_buffer_init(&b, namestr, strlen(namestr));
 	isc_buffer_add(&b, strlen(namestr));

--- a/bin/nsupdate/nsupdate.docbook
+++ b/bin/nsupdate/nsupdate.docbook
@@ -324,7 +324,8 @@
 	    <literal>hmac-sha1</literal>, <literal>hmac-sha224</literal>,
 	    <literal>hmac-sha256</literal>, <literal>hmac-sha384</literal>, or
 	    <literal>hmac-sha512</literal>.  If <parameter>hmac</parameter>
-	    is not specified, the default is <literal>hmac-md5</literal>.
+	    is not specified, the default is <literal>hmac-md5</literal>
+	    or if MD5 was disabled <literal>hmac-sha256</literal>.
 	  </para>
 	  <para>
 	    NOTE: Use of the <option>-y</option> option is discouraged because the
@@ -481,7 +482,8 @@
 	      <parameter>keyname</parameter> <parameter>secret</parameter> pair.
 	      If <parameter>hmac</parameter> is specified, then it sets the
 	      signing algorithm in use; the default is
-	      <literal>hmac-md5</literal>.  The <command>key</command>
+	      <literal>hmac-md5</literal> or if MD5 was disabled
+	      <literal>hmac-sha256</literal>.  The <command>key</command>
 	      command overrides any key specified on the command line via
 	      <option>-y</option> or <option>-k</option>.
 	    </para>

--- a/bin/pkcs11/pkcs11-tokens.8
+++ b/bin/pkcs11/pkcs11-tokens.8
@@ -39,7 +39,7 @@
 pkcs11-tokens \- list PKCS#11 available tokens
 .SH "SYNOPSIS"
 .HP \w'\fBpkcs11\-tokens\fR\ 'u
-\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR]
+\fBpkcs11\-tokens\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-v\fR]
 .SH "DESCRIPTION"
 .PP
 \fBpkcs11\-tokens\fR
@@ -50,6 +50,11 @@ lists the PKCS#11 available tokens with defaults from the slot/token scan perfor
 .RS 4
 Specify the PKCS#11 provider module\&. This must be the full path to a shared library object implementing the PKCS#11 API for the device\&.
 .RE
+.PP
+\-e
+.RS 4
+Make the PKCS#11 libisc initialization verbose\&.
+.RE
 .SH "SEE ALSO"
 .PP
 \fBpkcs11-destroy\fR(8),

--- a/bin/pkcs11/pkcs11-tokens.c
+++ b/bin/pkcs11/pkcs11-tokens.c
@@ -38,11 +38,14 @@ main(int argc, char *argv[]) {
 	isc_mem_t *mctx = NULL;
 	pk11_context_t pctx;

-	while ((c = isc_commandline_parse(argc, argv, ":m:")) != -1) {
+	while ((c = isc_commandline_parse(argc, argv, ":m:v")) != -1) {
 		switch (c) {
 		case 'm':
 			lib_name = isc_commandline_argument;
 			break;
+		case 'v':
+			pk11_verbose_init = ISC_TRUE;
+			break;
 		case ':':
 			fprintf(stderr, "Option -%c requires an operand\n",
 				isc_commandline_option);
@@ -58,7 +61,7 @@ main(int argc, char *argv[]) {

 	if (errflg) {
 		fprintf(stderr, "Usage:\n");
-		fprintf(stderr, "\tpkcs11-tokens [-m module]\n");
+		fprintf(stderr, "\tpkcs11-tokens [-v] [-m module]\n");
 		exit(1);
 	}

@@ -73,7 +76,7 @@ main(int argc, char *argv[]) {
 	if (lib_name != NULL)
 		pk11_set_lib_name(lib_name);

-	result = pk11_get_session(&pctx, OP_ANY, ISC_FALSE, ISC_FALSE,
+	result = pk11_get_session(&pctx, OP_ANY, ISC_TRUE, ISC_FALSE,
 				  ISC_FALSE, NULL, 0);
 	if (result == PK11_R_NORANDOMSERVICE ||
 	    result == PK11_R_NODIGESTSERVICE ||
@@ -81,7 +84,7 @@ main(int argc, char *argv[]) {
 		fprintf(stderr, "Warning: %s\n", isc_result_totext(result));
 		fprintf(stderr, "This HSM will not work with BIND 9 "
 				"using native PKCS#11.\n\n");
-	} else if (result != ISC_R_SUCCESS) {
+	} else if ((result != ISC_R_SUCCESS) && (result != ISC_R_NOTFOUND)) {
 		fprintf(stderr, "Unrecoverable error initializing "
 				"PKCS#11: %s\n", isc_result_totext(result));
 		exit(1);

--- a/bin/pkcs11/pkcs11-tokens.docbook
+++ b/bin/pkcs11/pkcs11-tokens.docbook
@@ -40,6 +40,7 @@
    <cmdsynopsis sepchar=" ">
      <command>pkcs11-tokens</command>
      <arg choice="opt" rep="norepeat"><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+      <arg choice="opt" rep="norepeat"><option>-v</option></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -65,6 +66,15 @@
          </para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>-v</term>
+        <listitem>
+          <para>
+            Make the PKCS#11 libisc initialization verbose.
+          </para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsection>


--- a/bin/pkcs11/pkcs11-tokens.html
+++ b/bin/pkcs11/pkcs11-tokens.html
 <!--
 - Copyright (C) 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 - 
- - This Source Code Form is subject to the terms of the Mozilla Public
- - License, v. 2.0. If a copy of the MPL was not distributed with this
- - file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ - 
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
 -->
 <html>
 <head>
@@ -19,7 +27,7 @@
 </div>
 <div class="refsynopsisdiv">
 <h2>Synopsis</h2>
-<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>]</p></div>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-tokens</code>  [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-v</code>]</p></div>
 </div>
 <div class="refsection">
 <a name="id-1.7"></a><h2>DESCRIPTION</h2>
@@ -38,6 +46,10 @@
            path to a shared library object implementing the PKCS#11 API
            for the device.
          </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+            Make the PKCS#11 libisc initialization verbose.
+          </p></dd>
 </dl></div>
 </div>
 <div class="refsection">

--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -32,6 +32,8 @@
 #include <isc/thread.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <isccfg/namedconf.h>

 #include <isccc/alist.h>
@@ -628,9 +630,12 @@ parse_config(isc_mem_t *mctx, isc_log_t *log, const char *keyname,
 	secretstr = cfg_obj_asstring(secretobj);
 	algorithmstr = cfg_obj_asstring(algorithmobj);

+#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(algorithmstr, "hmac-md5") == 0)
 		algorithm = ISCCC_ALG_HMACMD5;
-	else if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
+	else
+#endif
+	if (strcasecmp(algorithmstr, "hmac-sha1") == 0)
 		algorithm = ISCCC_ALG_HMACSHA1;
 	else if (strcasecmp(algorithmstr, "hmac-sha224") == 0)
 		algorithm = ISCCC_ALG_HMACSHA224;

--- a/bin/tests/hash_test.c
+++ b/bin/tests/hash_test.c
@@ -22,6 +22,8 @@
 #include <isc/print.h>
 #include <isc/string.h>

+#include <pk11/site.h>
+
 static void
 print_digest(const char *s, const char *hash, unsigned char *d,
 	     unsigned int words)
@@ -41,8 +43,10 @@ int
 main(int argc, char **argv) {
 	isc_sha1_t sha1;
 	isc_sha224_t sha224;
+#ifndef PK11_MD5_DISABLE
 	isc_md5_t md5;
 	isc_hmacmd5_t hmacmd5;
+#endif
 	isc_hmacsha1_t hmacsha1;
 	isc_hmacsha224_t hmacsha224;
 	isc_hmacsha256_t hmacsha256;
@@ -84,6 +88,7 @@ main(int argc, char **argv) {
 	isc_sha224_final(digest, &sha224);
 	print_digest(s, "sha224", digest, ISC_SHA224_DIGESTLENGTH/4);

+#ifndef PK11_MD5_DISABLE
 	s = "abc";
 	isc_md5_init(&md5);
 	memmove(buffer, s, strlen(s));
@@ -121,6 +126,7 @@ main(int argc, char **argv) {
 	isc_hmacmd5_update(&hmacmd5, buffer, strlen(s));
 	isc_hmacmd5_sign(&hmacmd5, digest);
 	print_digest(s, "hmacmd5", digest, 4);
+#endif

 	/*
 	 * The 3 HMAC-SHA1 examples from RFC4634.

--- a/bin/tests/hashes/t_hashes.c
+++ b/bin/tests/hashes/t_hashes.c
@@ -24,6 +24,8 @@
 #include <isc/string.h>
 #include <isc/util.h>

+#include <pk11/site.h>
+
 #include <tests/t_api.h>


@@ -47,7 +49,9 @@ typedef struct {

 union {
    unsigned char b[1024];
+#ifndef PK11_MD5_DISABLE
    unsigned char md5[16];
+#endif
    unsigned char sha1[ISC_SHA1_DIGESTLENGTH];
    unsigned char sha224[ISC_SHA224_DIGESTLENGTH];
    unsigned char sha256[ISC_SHA256_DIGESTLENGTH];
@@ -72,9 +76,11 @@ static OUT_ abc_sha1 = {
 static OUT_ abc_sha224 = {
 	"23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7",
 	ISC_SHA224_DIGESTLENGTH};
+#ifndef PK11_MD5_DISABLE
 static OUT_ abc_md5 = {
 	"900150983cd24fb0d6963f7d28e17f72",
 	16};
+#endif

 static IN_ abc_blah = { "\"abcdbc...\"", NULL, 0,
 	STR_INIT("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq")};
@@ -84,6 +90,7 @@ static OUT_ abc_blah_sha1 =  {
 static OUT_ abc_blah_sha224 = {
 	"75388b16512776cc5dba5da1fd890150b0c6455cb4f58b1952522525",
 	ISC_SHA224_DIGESTLENGTH};
+#ifndef PK11_MD5_DISABLE
 static OUT_ abc_blah_md5 = {
 	"8215ef0796a20bcaaae116d3876c664a",
 	16};
@@ -122,6 +129,7 @@ static IN_ rfc2104_3 = {"RFC 2104 #3", rfc2104_3_key, sizeof(rfc2104_3_key),
 static OUT_ rfc2104_3_hmac = {
 	"56be34521d144c88dbb8c733f0e8b3f6",
 	16};
+#endif

 /*
 * four three HMAC-SHA tests cut-and-pasted from RFC 4634 starting on page 86
@@ -309,7 +317,9 @@ t_hash(const char *hname, HASH_INIT init, UPDATE update, FINAL final,
 	union {
 	    unsigned char b[1024];
 	    isc_sha1_t sha1;
+#ifndef PK11_MD5_DISABLE
 	    isc_md5_t md5;
+#endif
 	} ctx;

 	init(&ctx);
@@ -340,17 +350,23 @@ t_sha224(IN_ *in, OUT_ *out)


 static void
+#ifndef PK11_MD5_DISABLE
 t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224, OUT_ *out_md5)
+#else
+t_hashes(IN_ *in, OUT_ *out_sha1, OUT_ *out_sha224)
+#endif
 {
 	t_hash("SHA1", (HASH_INIT)isc_sha1_init, (UPDATE)isc_sha1_update,
 	       (FINAL)isc_sha1_final, in, out_sha1);
 	t_sha224(in, out_sha224);
+#ifndef PK11_MD5_DISABLE
 	t_hash("md5", (HASH_INIT)isc_md5_init, (UPDATE)isc_md5_update,