From 2079e44fb9cf5c8211e12177b3c5d1b789836217 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 3 Nov 2018 15:50:30 +0700
Subject: [PATCH 1/3] Define PK11_UTIMACO_FLAVOR and add detection code to configure.ac

---
 configure | 6 ++++++
 configure.ac | 5 +++++
 lib/isc/include/pk11/site.h | 2 ++
 3 files changed, 13 insertions(+)

diff --git a/configure b/configure
index 062347791a..fa25b03fc4 100755
--- a/configure
+++ b/configure
@@ -17626,6 +17626,12 @@ $as_echo "AEP Keyper" >&6; }
 pk11_flavor="PK11_AEP_FLAVOR"
 set_pk11_flavor="yes"
 ;;
+ *libcs*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: Utimaco HSM" >&5
+$as_echo "Utimaco HSM" >&6; }
+ pk11_flavor="PK11_UTIMACO_FLAVOR"
+ set_pk11_flavor="yes"
+ ;;
 undefined)
 { $as_echo "$as_me:${as_lineno-$LINENO}: result: undefined provider?" >&5
 $as_echo "undefined provider?" >&6; }
diff --git a/configure.ac b/configure.ac
index d8e2b300be..7f7b7ac859 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2293,6 +2293,11 @@ case "$want_native_pkcs11" in
 pk11_flavor="PK11_AEP_FLAVOR"
 set_pk11_flavor="yes"
 ;;
+ *libcs*)
+ AC_MSG_RESULT(Utimaco HSM)
+ pk11_flavor="PK11_UTIMACO_FLAVOR"
+ set_pk11_flavor="yes"
+ ;;
 undefined)
 AC_MSG_RESULT(undefined provider?)
 ;;
diff --git a/lib/isc/include/pk11/site.h b/lib/isc/include/pk11/site.h
index 1d97dbb0a1..f27691ed7f 100644
--- a/lib/isc/include/pk11/site.h
+++ b/lib/isc/include/pk11/site.h
@@ -60,6 +60,8 @@ PK11_PAD_HMAC_KEYS
 #define PK11_CRYPTECH_FLAVOR 3
 /* AEP Keyper */
 #define PK11_AEP_FLAVOR 4
+/* Utimaco HSM */
+#define PK11_UTIMACO_FLAVOR 5
 /* Default is for Thales nCipher */
 #ifndef PK11_FLAVOR
From 52784fc3cc2e5f0df3d2facc026fb1c7007fb347 Mon Sep 17 00:00:00 2001
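Review bot: The new `*libcs*)` arm matches by bare substring anywhere in the path held in `$want_native_pkcs11`, so a directory name or any other library whose path contains "libcs" would also select PK11_UTIMACO_FLAVOR, and with patch 2 of this series that selection compiles out the md5/sha1 runtime self-checks. Anchoring the glob on the file-name component, e.g. `*/libcs*)`, narrows it to the library itself, and since a `case` takes the first matching arm the new arm must also sit before any broader pattern that could shadow it (only the AEP and `undefined)` neighbours are visible in the hunk). A one-line comment above the arm naming the Utimaco PKCS#11 library file it is meant to match would make the pattern reviewable.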
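Review bot: The comment on the new constant, `/* Utimaco HSM */`, does not record that this flavor changes behaviour elsewhere: patch 2 of this series compiles the md5/sha1 runtime self-checks out of hmac_link.c when PK11_FLAVOR equals it, because the commit message says the device requires a login before DigestUpdate. Suggest `/* Utimaco HSM: needs login before DigestUpdate, so hmac_link.c skips the md5/sha1 runtime checks */` so the next reader of site.h sees the trade-off where the value is defined.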
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 3 Nov 2018 15:50:38 +0700
Subject: [PATCH 2/3] Disable runtime detection of md5 and sha1 support for Utimaco HSM.

Utimaco HSM requires user to be logged in before executing DigestUpdate, thus breaking dst_lib_init2 that ran isc_md5_check and isc_sha1_check before sending PIN to the HSM. Therefore isc_*_check needs to be disabled when Utimaco HSM is being used as PKCS#11 library.

---
 lib/dns/hmac_link.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/dns/hmac_link.c b/lib/dns/hmac_link.c
index 94e73b1d9e..3b6579bf10 100644
--- a/lib/dns/hmac_link.c
+++ b/lib/dns/hmac_link.c
@@ -355,12 +355,13 @@ dst__hmacmd5_init(dst_func_t **funcp) {
 }
 #endif
+#if PK11_FLAVOR != PK11_UTIMACO_FLAVOR
 /*
 * Prevent use of incorrect crypto
 */
- RUNTIME_CHECK(isc_md5_check(false));
 RUNTIME_CHECK(isc_hmacmd5_check(0));
+#endif
 REQUIRE(funcp != NULL);
 if (*funcp == NULL)
@@ -648,11 +649,13 @@ static dst_func_t hmacsha1_functions = {
 isc_result_t
 dst__hmacsha1_init(dst_func_t **funcp) {
+#if PK11_FLAVOR != PK11_UTIMACO_FLAVOR
 /*
 * Prevent use of incorrect crypto
 */
 RUNTIME_CHECK(isc_sha1_check(false));
 RUNTIME_CHECK(isc_hmacsha1_check(0));
+#endif
 REQUIRE(funcp != NULL);
 if (*funcp == NULL)
From ebe63fd31653c31da6e7f90ea0f79549783a1645 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Fri, 9 Nov 2018 00:12:32 +0700
Subject: [PATCH 3/3] Add CHANGES entry for GL #656

---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index 07a8c06596..e5f84bc485 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+5084. [func] Add configure time detection of Utimaco HSM
+ and disable runtime md5/sha1 detection when it
+ compiled with it. [GL #656]
+
 5079. [func] Disable IDN processing in dig and nslookup when
 not on a tty. [GL #653]
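Review bot: The md5 hunk deletes `RUNTIME_CHECK(isc_md5_check(false));` outright while the sha1 hunk keeps `RUNTIME_CHECK(isc_sha1_check(false));` inside the new `#if`, so every non-Utimaco build loses the MD5 self-check even though the commit message only asks to disable the checks for Utimaco; unless isc_md5_check is being retired elsewhere, the line should move inside the guard like its sha1 counterpart. A second concern applies to both hunks: `#if PK11_FLAVOR != PK11_UTIMACO_FLAVOR` evaluates as `0 != 0` whenever either macro is not visible in this translation unit, which compiles the checks out silently on every build, and the hunk does not show hmac_link.c including pk11/site.h. Make the guard fail closed, e.g. `#if !defined(PK11_UTIMACO_FLAVOR) || PK11_FLAVOR != PK11_UTIMACO_FLAVOR`, and build with -Wundef so a missing include is reported rather than absorbed. Running the self-checks after the PIN login instead of compiling them out would presumably keep the protection on Utimaco as well, if the init ordering in dst_lib_init2 allows it. Both dst__hmacmd5_init and dst__hmacsha1_init continue past their hunks.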