--- /dev/null
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.8 2009/12/05 23:31:40 each Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_VERSION@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
+ ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCLIBS = ../../lib/isccc/libisccc.@A@
+ISCLIBS = ../../lib/isc/libisc.@A@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+BIND9LIBS = ../../lib/bind9/libbind9.@A@
+
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
+
+RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@
+RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
+
+NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
+
+CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
+
+SRCS= rndc-confgen.c ddns-confgen.c
+
+SUBDIRS = unix
+
+TARGETS = rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@
+
+MANPAGES = rndc-confgen.8 ddns-confgen.8
+
+HTMLPAGES = rndc-confgen.html ddns-confgen.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+UOBJS = unix/os.@O@
+
+@BIND9_MAKE_RULES@
+
+rndc-confgen.@O@: rndc-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} \
+ -DRNDC_KEYFILE=\"${sysconfdir}/rndc.key\" \
+ -c ${srcdir}/rndc-confgen.c
+
+ddns-confgen.@O@: ddns-confgen.c
+ ${LIBTOOL_MODE_COMPILE} ${CC} ${ALL_CFLAGS} -c ${srcdir}/ddns-confgen.c
+
+rndc-confgen@EXEEXT@: rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ export BASEOBJS="rndc-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+ddns-confgen@EXEEXT@: ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS} ${CONFDEPLIBS}
+ export BASEOBJS="ddns-confgen.@O@ util.@O@ keygen.@O@ ${UOBJS}"; \
+ ${FINALBUILDCMD}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: rndc-confgen@EXEEXT@ ddns-confgen@EXEEXT@ installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} rndc-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} ddns-confgen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/rndc-confgen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/ddns-confgen.8 ${DESTDIR}${mandir}/man8
+
+clean distclean maintainer-clean::
+ rm -f ${TARGETS}
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: ddns-confgen.8,v 1.10 2009/09/19 01:14:52 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: ddns\-confgen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Jan 29, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DDNS\-CONFGEN" "8" "Jan 29, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+ddns\-confgen \- ddns key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBddns\-confgen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\-s\ \fIname\fR | \-z\ \fIzone\fR] [\fB\-q\fR] [name]
+.SH "DESCRIPTION"
+.PP
+\fBddns\-confgen\fR
+generates a key for use by
+\fBnsupdate\fR
+and
+\fBnamed\fR. It simplifies configuration of dynamic zones by generating a key and providing the
+\fBnsupdate\fR
+and
+\fBnamed.conf\fR
+syntax that will be needed to use it, including an example
+\fBupdate\-policy\fR
+statement.
+.PP
+If a domain name is specified on the command line, it will be used in the name of the generated key and in the sample
+\fBnamed.conf\fR
+syntax. For example,
+\fBddns\-confgen example.com\fR
+would generate a key called "ddns\-key.example.com", and sample
+\fBnamed.conf\fR
+command that could be used in the zone definition for "example.com".
+.PP
+Note that
+\fBnamed\fR
+itself can configure a local DDNS key for use with
+\fBnsupdate \-l\fR.
+\fBddns\-confgen\fR
+is only needed when a more elaborate configuration is required: for instance, if
+\fBnsupdate\fR
+is to be used from a remote system.
+.SH "OPTIONS"
+.PP
+\-a \fIalgorithm\fR
+.RS 4
+Specifies the algorithm to use for the TSIG key. Available choices are: hmac\-md5, hmac\-sha1, hmac\-sha224, hmac\-sha256, hmac\-sha384 and hmac\-sha512. The default is hmac\-sha256.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBddns\-confgen\fR.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the DDNS authentication key. The default is
+\fBddns\-key\fR
+when neither the
+\fB\-s\fR
+nor
+\fB\-z\fR
+option is specified; otherwise, the default is
+\fBddns\-key\fR
+as a separate label followed by the argument of the option, e.g.,
+\fBddns\-key.example.com.\fR
+The key name must have the format of a valid domain name, consisting of letters, digits, hyphens and periods.
+.RE
+.PP
+\-q
+.RS 4
+Quiet mode: Print only the key, with no explanatory text or usage examples.
+.RE
+.PP
+\-r \fIrandomfile\fR
+.RS 4
+Specifies a source of random data for generating the authorization. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-s \fIname\fR
+.RS 4
+Single host mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIname\fR
+using the "name" nametype. The default key name is ddns\-key.\fIname\fR. Note that the "self" nametype cannot be used, since the name to be updated may differ from the key name. This option cannot be used with the
+\fB\-z\fR
+option.
+.RE
+.PP
+\-z \fIzone\fR
+.RS 4
+zone mode: The example
+\fBnamed.conf\fR
+text shows how to set an update policy for the specified
+\fIzone\fR
+using the "zonesub" nametype, allowing updates to all subdomain names within that
+\fIzone\fR. This option cannot be used with the
+\fB\-s\fR
+option.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBnsupdate\fR(1),
+\fBnamed.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: ddns-confgen.c,v 1.9 2009/09/29 15:06:05 fdupont Exp $ */
+
+/*! \file */
+
+/**
+ * ddns-confgen generates configuration files for dynamic DNS. It can
+ * be used as a convenient alternative to writing the ddns.key file
+ * and the corresponding key and update-policy statements in named.conf.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define DEFAULT_KEYNAME "ddns-key"
+
+static char program[256];
+const char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a alg] [-k keyname] [-r randomfile] [-q] [-s name | -z zone]\n\
+ -a alg: algorithm (default hmac-sha256)\n\
+ -k keyname: name of the key as it will be used in named.conf\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s name: domain name to be updated using the created key\n\
+ -z zone: name of the zone as it will be used in named.conf\n\
+ -q: quiet mode: print the key, with no explanatory text\n",
+ progname);
+
+ exit (status);
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_boolean_t quiet = ISC_FALSE;
+ isc_buffer_t key_txtbuffer;
+ char key_txtsecret[256];
+ isc_mem_t *mctx = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ const char *randomfile = NULL;
+ const char *keyname = NULL;
+ const char *zone = NULL;
+ const char *self_domain = NULL;
+ char *keybuf = NULL;
+ dns_secalg_t alg = DST_ALG_HMACSHA256;
+ const char *algname = alg_totext(alg);
+ int keysize = 256;
+ int len = 0;
+ int ch;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "ddns-confgen", 13);
+ progname = program;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "a:hk:Mmr:qs:Vy:z:")) != -1) {
+ switch (ch) {
+ case 'a':
+ algname = isc_commandline_argument;
+ alg = alg_fromtext(algname);
+ if (alg == DST_ALG_UNKNOWN)
+ fatal("Unsupported algorithm '%s'", algname);
+ keysize = alg_bits(alg);
+ break;
+ case 'h':
+ usage(0);
+ case 'k':
+ case 'y':
+ keyname = isc_commandline_argument;
+ break;
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+ case 'q':
+ quiet = ISC_TRUE;
+ break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
+ case 's':
+ self_domain = isc_commandline_argument;
+ break;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case 'z':
+ zone = isc_commandline_argument;
+ break;
+ case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
+ break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (self_domain != NULL && zone != NULL)
+ usage(1); /* -s and -z cannot coexist */
+
+ if (argc > 0)
+ usage(1);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+
+ if (keyname == NULL) {
+ const char *suffix = NULL;
+
+ keyname = DEFAULT_KEYNAME;
+ if (self_domain != NULL)
+ suffix = self_domain;
+ else if (zone != NULL)
+ suffix = zone;
+ if (suffix != NULL) {
+ len = strlen(keyname) + strlen(suffix) + 2;
+ keybuf = isc_mem_get(mctx, len);
+ if (keybuf == NULL)
+ fatal("failed to allocate memory for keyname");
+ snprintf(keybuf, len, "%s.%s", keyname, suffix);
+ keyname = (const char *) keybuf;
+ }
+ }
+
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+
+ if (!quiet)
+ printf("\
+# To activate this key, place the following in named.conf, and\n\
+# in a separate keyfile on the system or systems from which nsupdate\n\
+# will be run:\n");
+
+ printf("\
+key \"%s\" {\n\
+ algorithm %s;\n\
+ secret \"%.*s\";\n\
+};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer));
+
+ if (!quiet) {
+ if (self_domain != NULL) {
+ printf("\n\
+# Then, in the \"zone\" statement for the zone containing the\n\
+# name \"%s\", place an \"update-policy\" statement\n\
+# like this one, adjusted as needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s name %s ANY;\n\
+};\n",
+ self_domain, keyname, self_domain);
+ } else if (zone != NULL) {
+ printf("\n\
+# Then, in the \"zone\" definition statement for \"%s\",\n\
+# place an \"update-policy\" statement like this one, adjusted as \n\
+# needed for your preferred permissions:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ zone, keyname);
+ } else {
+ printf("\n\
+# Then, in the \"zone\" statement for each zone you wish to dynamically\n\
+# update, place an \"update-policy\" statement granting update permission\n\
+# to this key. For example, the following statement grants this key\n\
+# permission to update any name within the zone:\n\
+update-policy {\n\
+ grant %s zonesub ANY;\n\
+};\n",
+ keyname);
+ }
+
+ printf("\n\
+# After the keyfile has been placed, the following command will\n\
+# execute nsupdate using this key:\n\
+nsupdate -k <keyfile>\n");
+
+ }
+
+ if (keybuf != NULL)
+ isc_mem_put(mctx, keybuf, len);
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: ddns-confgen.docbook,v 1.6 2009/09/18 22:08:55 fdupont Exp $ -->
+<refentry id="man.ddns-confgen">
+ <refentryinfo>
+ <date>Jan 29, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>ddns-confgen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>ddns-confgen</application></refname>
+ <refpurpose>ddns key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>ddns-confgen</command>
+ <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+ <group>
+ <arg choice="plain">-s <replaceable class="parameter">name</replaceable></arg>
+ <arg choice="plain">-z <replaceable class="parameter">zone</replaceable></arg>
+ </group>
+ <arg><option>-q</option></arg>
+ <arg choice="opt">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>ddns-confgen</command>
+ generates a key for use by <command>nsupdate</command>
+ and <command>named</command>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <command>nsupdate</command> and <command>named.conf</command>
+ syntax that will be needed to use it, including an example
+ <command>update-policy</command> statement.
+ </para>
+
+ <para>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <command>named.conf</command> syntax. For example,
+ <command>ddns-confgen example.com</command> would
+ generate a key called "ddns-key.example.com", and sample
+ <command>named.conf</command> command that could be used
+ in the zone definition for "example.com".
+ </para>
+
+ <para>
+ Note that <command>named</command> itself can configure a
+ local DDNS key for use with <command>nsupdate -l</command>.
+ <command>ddns-confgen</command> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <command>nsupdate</command> is to be used from a remote system.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>ddns-confgen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyname</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the key name of the DDNS authentication key.
+ The default is <constant>ddns-key</constant> when neither
+ the <option>-s</option> nor <option>-z</option> option is
+ specified; otherwise, the default
+ is <constant>ddns-key</constant> as a separate label
+ followed by the argument of the option, e.g.,
+ <constant>ddns-key.example.com.</constant>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-q</term>
+ <listitem>
+ <para>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <filename>/dev/random</filename> or equivalent device, the
+ default source of randomness is keyboard input.
+ <filename>randomdev</filename> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard input
+ should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">name</replaceable></term>
+ <listitem>
+ <para>
+ Single host mode: The example <command>named.conf</command> text
+ shows how to set an update policy for the specified
+ <replaceable class="parameter">name</replaceable>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<replaceable class="parameter">name</replaceable>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <option>-z</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-z <replaceable class="parameter">zone</replaceable></term>
+ <listitem>
+ <para>
+ zone mode: The example <command>named.conf</command> text
+ shows how to set an update policy for the specified
+ <replaceable class="parameter">zone</replaceable>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <replaceable class="parameter">zone</replaceable>.
+ This option cannot be used with the <option>-s</option> option.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: ddns-confgen.html,v 1.10 2009/09/19 01:14:52 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>ddns-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.ddns-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">ddns-confgen</span> — ddns key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">ddns-confgen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [ -s <em class="replaceable"><code>name</code></em> | -z <em class="replaceable"><code>zone</code></em> ] [<code class="option">-q</code>] [name]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543395"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">ddns-confgen</strong></span>
+ generates a key for use by <span><strong class="command">nsupdate</strong></span>
+ and <span><strong class="command">named</strong></span>. It simplifies configuration
+ of dynamic zones by generating a key and providing the
+ <span><strong class="command">nsupdate</strong></span> and <span><strong class="command">named.conf</strong></span>
+ syntax that will be needed to use it, including an example
+ <span><strong class="command">update-policy</strong></span> statement.
+ </p>
+<p>
+ If a domain name is specified on the command line, it will
+ be used in the name of the generated key and in the sample
+ <span><strong class="command">named.conf</strong></span> syntax. For example,
+ <span><strong class="command">ddns-confgen example.com</strong></span> would
+ generate a key called "ddns-key.example.com", and sample
+ <span><strong class="command">named.conf</strong></span> command that could be used
+ in the zone definition for "example.com".
+ </p>
+<p>
+ Note that <span><strong class="command">named</strong></span> itself can configure a
+ local DDNS key for use with <span><strong class="command">nsupdate -l</strong></span>.
+ <span><strong class="command">ddns-confgen</strong></span> is only needed when a
+ more elaborate configuration is required: for instance, if
+ <span><strong class="command">nsupdate</strong></span> is to be used from a remote system.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543454"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
+<dd><p>
+ Specifies the algorithm to use for the TSIG key. Available
+ choices are: hmac-md5, hmac-sha1, hmac-sha224, hmac-sha256,
+ hmac-sha384 and hmac-sha512. The default is hmac-sha256.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">ddns-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the DDNS authentication key.
+ The default is <code class="constant">ddns-key</code> when neither
+ the <code class="option">-s</code> nor <code class="option">-z</code> option is
+ specified; otherwise, the default
+ is <code class="constant">ddns-key</code> as a separate label
+ followed by the argument of the option, e.g.,
+ <code class="constant">ddns-key.example.com.</code>
+ The key name must have the format of a valid domain name,
+ consisting of letters, digits, hyphens and periods.
+ </p></dd>
+<dt><span class="term">-q</span></dt>
+<dd><p>
+ Quiet mode: Print only the key, with no explanatory text or
+ usage examples.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating system does not provide a
+ <code class="filename">/dev/random</code> or equivalent device, the
+ default source of randomness is keyboard input.
+ <code class="filename">randomdev</code> specifies the name of a
+ character device or file containing random data to be used
+ instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard input
+ should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>name</code></em></span></dt>
+<dd><p>
+ Single host mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>name</code></em>
+ using the "name" nametype.
+ The default key name is
+ ddns-key.<em class="replaceable"><code>name</code></em>.
+ Note that the "self" nametype cannot be used, since
+ the name to be updated may differ from the key name.
+ This option cannot be used with the <code class="option">-z</code> option.
+ </p></dd>
+<dt><span class="term">-z <em class="replaceable"><code>zone</code></em></span></dt>
+<dd><p>
+ zone mode: The example <span><strong class="command">named.conf</strong></span> text
+ shows how to set an update policy for the specified
+ <em class="replaceable"><code>zone</code></em>
+ using the "zonesub" nametype, allowing updates to all subdomain
+ names within
+ that <em class="replaceable"><code>zone</code></em>.
+ This option cannot be used with the <code class="option">-s</code> option.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543642"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">nsupdate</span>(1)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543681"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#ifndef RNDC_OS_H
+#define RNDC_OS_H 1
+
+#include <isc/lang.h>
+#include <stdio.h>
+
+ISC_LANG_BEGINDECLS
+
+int set_user(FILE *fd, const char *user);
+/*%<
+ * Set the owner of the file referenced by 'fd' to 'user'.
+ * Returns:
+ * 0 success
+ * -1 insufficient permissions, or 'user' does not exist.
+ */
+
+ISC_LANG_ENDDECLS
+
+#endif
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.c,v 1.4 2009/11/12 14:02:38 marka Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/result.h>
+#include <isc/string.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+/*%
+ * Convert algorithm type to string.
+ */
+const char *
+alg_totext(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return "hmac-md5";
+ case DST_ALG_HMACSHA1:
+ return "hmac-sha1";
+ case DST_ALG_HMACSHA224:
+ return "hmac-sha224";
+ case DST_ALG_HMACSHA256:
+ return "hmac-sha256";
+ case DST_ALG_HMACSHA384:
+ return "hmac-sha384";
+ case DST_ALG_HMACSHA512:
+ return "hmac-sha512";
+ default:
+ return "(unknown)";
+ }
+}
+
+/*%
+ * Convert string to algorithm type.
+ */
+dns_secalg_t
+alg_fromtext(const char *name) {
+ if (strcmp(name, "hmac-md5") == 0)
+ return DST_ALG_HMACMD5;
+ if (strcmp(name, "hmac-sha1") == 0)
+ return DST_ALG_HMACSHA1;
+ if (strcmp(name, "hmac-sha224") == 0)
+ return DST_ALG_HMACSHA224;
+ if (strcmp(name, "hmac-sha256") == 0)
+ return DST_ALG_HMACSHA256;
+ if (strcmp(name, "hmac-sha384") == 0)
+ return DST_ALG_HMACSHA384;
+ if (strcmp(name, "hmac-sha512") == 0)
+ return DST_ALG_HMACSHA512;
+ return DST_ALG_UNKNOWN;
+}
+
+/*%
+ * Return default keysize for a given algorithm type.
+ */
+int
+alg_bits(dns_secalg_t alg) {
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ return 128;
+ case DST_ALG_HMACSHA1:
+ return 160;
+ case DST_ALG_HMACSHA224:
+ return 224;
+ case DST_ALG_HMACSHA256:
+ return 256;
+ case DST_ALG_HMACSHA384:
+ return 384;
+ case DST_ALG_HMACSHA512:
+ return 512;
+ default:
+ return 0;
+ }
+}
+
+/*%
+ * Generate a key of size 'keysize' using entropy source 'randomfile',
+ * and place it in 'key_txtbuffer'
+ */
+void
+generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer) {
+ isc_result_t result = ISC_R_SUCCESS;
+ isc_entropysource_t *entropy_source = NULL;
+ int open_keyboard = ISC_ENTROPY_KEYBOARDMAYBE;
+ int entropy_flags = 0;
+ isc_entropy_t *ectx = NULL;
+ isc_buffer_t key_rawbuffer;
+ isc_region_t key_rawregion;
+ char key_rawsecret[64];
+ dst_key_t *key = NULL;
+
+ switch (alg) {
+ case DST_ALG_HMACMD5:
+ if (keysize < 1 || keysize > 512)
+ fatal("keysize %d out of range (must be 1-512)\n",
+ keysize);
+ break;
+ case DST_ALG_HMACSHA256:
+ if (keysize < 1 || keysize > 256)
+ fatal("keysize %d out of range (must be 1-256)\n",
+ keysize);
+ break;
+ default:
+ fatal("unsupported algorithm %d\n", alg);
+ }
+
+
+ DO("create entropy context", isc_entropy_create(mctx, &ectx));
+
+ if (randomfile != NULL && strcmp(randomfile, "keyboard") == 0) {
+ randomfile = NULL;
+ open_keyboard = ISC_ENTROPY_KEYBOARDYES;
+ }
+ DO("start entropy source", isc_entropy_usebestsource(ectx,
+ &entropy_source,
+ randomfile,
+ open_keyboard));
+
+ entropy_flags = ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY;
+
+ DO("initialize dst library", dst_lib_init(mctx, ectx, entropy_flags));
+
+ DO("generate key", dst_key_generate(dns_rootname, alg,
+ keysize, 0, 0,
+ DNS_KEYPROTO_ANY,
+ dns_rdataclass_in, mctx, &key));
+
+ isc_buffer_init(&key_rawbuffer, &key_rawsecret, sizeof(key_rawsecret));
+
+ DO("dump key to buffer", dst_key_tobuffer(key, &key_rawbuffer));
+
+ isc_buffer_usedregion(&key_rawbuffer, &key_rawregion);
+
+ DO("bsse64 encode secret", isc_base64_totext(&key_rawregion, -1, "",
+ key_txtbuffer));
+
+ /*
+ * Shut down the entropy source now so the "stop typing" message
+ * does not muck with the output.
+ */
+ if (entropy_source != NULL)
+ isc_entropy_destroysource(&entropy_source);
+
+ if (key != NULL)
+ dst_key_free(&key);
+
+ isc_entropy_detach(&ectx);
+ dst_lib_destroy();
+}
+
+/*%
+ * Write a key file to 'keyfile'. If 'user' is non-NULL,
+ * make that user the owner of the file. The key will have
+ * the name 'keyname' and the secret in the buffer 'secret'.
+ */
+void
+write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg) {
+ isc_result_t result;
+ const char *algname = alg_totext(alg);
+ FILE *fd = NULL;
+
+ DO("create keyfile", isc_file_safecreate(keyfile, &fd));
+
+ if (user != NULL) {
+ if (set_user(fd, user) == -1)
+ fatal("unable to set file owner\n");
+ }
+
+ fprintf(fd, "key \"%s\" {\n\talgorithm %s;\n"
+ "\tsecret \"%.*s\";\n};\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(secret),
+ (char *)isc_buffer_base(secret));
+ fflush(fd);
+ if (ferror(fd))
+ fatal("write to %s failed\n", keyfile);
+ if (fclose(fd))
+ fatal("fclose(%s) failed\n", keyfile);
+ fprintf(stderr, "wrote key file \"%s\"\n", keyfile);
+}
+
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: keygen.h,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+#ifndef RNDC_KEYGEN_H
+#define RNDC_KEYGEN_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+
+ISC_LANG_BEGINDECLS
+
+void generate_key(isc_mem_t *mctx, const char *randomfile, dns_secalg_t alg,
+ int keysize, isc_buffer_t *key_txtbuffer);
+
+void write_key_file(const char *keyfile, const char *user,
+ const char *keyname, isc_buffer_t *secret,
+ dns_secalg_t alg);
+
+const char *alg_totext(dns_secalg_t alg);
+dns_secalg_t alg_fromtext(const char *name);
+int alg_bits(dns_secalg_t alg);
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_KEYGEN_H */
--- /dev/null
+.\" Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+.\" Copyright (C) 2001, 2003 Internet Software Consortium.
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: rndc-confgen.8,v 1.7 2009/07/11 01:12:45 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: rndc\-confgen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Aug 27, 2001
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "RNDC\-CONFGEN" "8" "Aug 27, 2001" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+rndc\-confgen \- rndc key generation tool
+.SH "SYNOPSIS"
+.HP 13
+\fBrndc\-confgen\fR [\fB\-a\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-c\ \fR\fB\fIkeyfile\fR\fR] [\fB\-h\fR] [\fB\-k\ \fR\fB\fIkeyname\fR\fR] [\fB\-p\ \fR\fB\fIport\fR\fR] [\fB\-r\ \fR\fB\fIrandomfile\fR\fR] [\fB\-s\ \fR\fB\fIaddress\fR\fR] [\fB\-t\ \fR\fB\fIchrootdir\fR\fR] [\fB\-u\ \fR\fB\fIuser\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBrndc\-confgen\fR
+generates configuration files for
+\fBrndc\fR. It can be used as a convenient alternative to writing the
+\fIrndc.conf\fR
+file and the corresponding
+\fBcontrols\fR
+and
+\fBkey\fR
+statements in
+\fInamed.conf\fR
+by hand. Alternatively, it can be run with the
+\fB\-a\fR
+option to set up a
+\fIrndc.key\fR
+file and avoid the need for a
+\fIrndc.conf\fR
+file and a
+\fBcontrols\fR
+statement altogether.
+.SH "OPTIONS"
+.PP
+\-a
+.RS 4
+Do automatic
+\fBrndc\fR
+configuration. This creates a file
+\fIrndc.key\fR
+in
+\fI/etc\fR
+(or whatever
+\fIsysconfdir\fR
+was specified as when
+BIND
+was built) that is read by both
+\fBrndc\fR
+and
+\fBnamed\fR
+on startup. The
+\fIrndc.key\fR
+file defines a default command channel and authentication key allowing
+\fBrndc\fR
+to communicate with
+\fBnamed\fR
+on the local host with no further configuration.
+.sp
+Running
+\fBrndc\-confgen \-a\fR
+allows BIND 9 and
+\fBrndc\fR
+to be used as drop\-in replacements for BIND 8 and
+\fBndc\fR, with no changes to the existing BIND 8
+\fInamed.conf\fR
+file.
+.sp
+If a more elaborate configuration than that generated by
+\fBrndc\-confgen \-a\fR
+is required, for example if rndc is to be used remotely, you should run
+\fBrndc\-confgen\fR
+without the
+\fB\-a\fR
+option and set up a
+\fIrndc.conf\fR
+and
+\fInamed.conf\fR
+as directed.
+.RE
+.PP
+\-b \fIkeysize\fR
+.RS 4
+Specifies the size of the authentication key in bits. Must be between 1 and 512 bits; the default is 128.
+.RE
+.PP
+\-c \fIkeyfile\fR
+.RS 4
+Used with the
+\fB\-a\fR
+option to specify an alternate location for
+\fIrndc.key\fR.
+.RE
+.PP
+\-h
+.RS 4
+Prints a short summary of the options and arguments to
+\fBrndc\-confgen\fR.
+.RE
+.PP
+\-k \fIkeyname\fR
+.RS 4
+Specifies the key name of the rndc authentication key. This must be a valid domain name. The default is
+\fBrndc\-key\fR.
+.RE
+.PP
+\-p \fIport\fR
+.RS 4
+Specifies the command channel port where
+\fBnamed\fR
+listens for connections from
+\fBrndc\fR. The default is 953.
+.RE
+.PP
+\-r \fIrandomfile\fR
+.RS 4
+Specifies a source of random data for generating the authorization. If the operating system does not provide a
+\fI/dev/random\fR
+or equivalent device, the default source of randomness is keyboard input.
+\fIrandomdev\fR
+specifies the name of a character device or file containing random data to be used instead of the default. The special value
+\fIkeyboard\fR
+indicates that keyboard input should be used.
+.RE
+.PP
+\-s \fIaddress\fR
+.RS 4
+Specifies the IP address where
+\fBnamed\fR
+listens for command channel connections from
+\fBrndc\fR. The default is the loopback address 127.0.0.1.
+.RE
+.PP
+\-t \fIchrootdir\fR
+.RS 4
+Used with the
+\fB\-a\fR
+option to specify a directory where
+\fBnamed\fR
+will run chrooted. An additional copy of the
+\fIrndc.key\fR
+will be written relative to this directory so that it will be found by the chrooted
+\fBnamed\fR.
+.RE
+.PP
+\-u \fIuser\fR
+.RS 4
+Used with the
+\fB\-a\fR
+option to set the owner of the
+\fIrndc.key\fR
+file generated. If
+\fB\-t\fR
+is also specified only the file in the chroot area has its owner changed.
+.RE
+.SH "EXAMPLES"
+.PP
+To allow
+\fBrndc\fR
+to be used with no manual configuration, run
+.PP
+\fBrndc\-confgen \-a\fR
+.PP
+To print a sample
+\fIrndc.conf\fR
+file and corresponding
+\fBcontrols\fR
+and
+\fBkey\fR
+statements to be manually inserted into
+\fInamed.conf\fR, run
+.PP
+\fBrndc\-confgen\fR
+.SH "SEE ALSO"
+.PP
+\fBrndc\fR(8),
+\fBrndc.conf\fR(5),
+\fBnamed\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
+Copyright \(co 2001, 2003 Internet Software Consortium.
+.br
--- /dev/null
+/*
+ * Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2001, 2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: rndc-confgen.c,v 1.5 2009/09/29 15:06:05 fdupont Exp $ */
+
+/*! \file */
+
+/**
+ * rndc-confgen generates configuration files for rndc. It can be used
+ * as a convenient alternative to writing the rndc.conf file and the
+ * corresponding controls and key statements in named.conf by hand.
+ * Alternatively, it can be run with the -a option to set up a
+ * rndc.key file and avoid the need for a rndc.conf file and a
+ * controls statement altogether.
+ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/assertions.h>
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/keyboard.h>
+#include <isc/mem.h>
+#include <isc/net.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/time.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/name.h>
+
+#include <dst/dst.h>
+#include <confgen/os.h>
+
+#include "util.h"
+#include "keygen.h"
+
+#define DEFAULT_KEYLENGTH 128 /*% Bits. */
+#define DEFAULT_KEYNAME "rndc-key"
+#define DEFAULT_SERVER "127.0.0.1"
+#define DEFAULT_PORT 953
+
+static char program[256];
+const char *progname;
+
+isc_boolean_t verbose = ISC_FALSE;
+
+const char *keyfile, *keydef;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(int status) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(int status) {
+
+ fprintf(stderr, "\
+Usage:\n\
+ %s [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] \
+[-s addr] [-t chrootdir] [-u user]\n\
+ -a: generate just the key clause and write it to keyfile (%s)\n\
+ -b bits: from 1 through 512, default %d; total length of the secret\n\
+ -c keyfile: specify an alternate key file (requires -a)\n\
+ -k keyname: the name as it will be used in named.conf and rndc.conf\n\
+ -p port: the port named will listen on and rndc will connect to\n\
+ -r randomfile: source of random data (use \"keyboard\" for key timing)\n\
+ -s addr: the address to which rndc should connect\n\
+ -t chrootdir: write a keyfile in chrootdir as well (requires -a)\n\
+ -u user: set the keyfile owner to \"user\" (requires -a)\n",
+ progname, keydef, DEFAULT_KEYLENGTH);
+
+ exit (status);
+}
+
+int
+main(int argc, char **argv) {
+ isc_boolean_t show_final_mem = ISC_FALSE;
+ isc_buffer_t key_txtbuffer;
+ char key_txtsecret[256];
+ isc_mem_t *mctx = NULL;
+ isc_result_t result = ISC_R_SUCCESS;
+ const char *keyname = NULL;
+ const char *randomfile = NULL;
+ const char *serveraddr = NULL;
+ dns_secalg_t alg = DST_ALG_HMACMD5;
+ const char *algname = alg_totext(alg);
+ char *p;
+ int ch;
+ int port;
+ int keysize;
+ struct in_addr addr4_dummy;
+ struct in6_addr addr6_dummy;
+ char *chrootdir = NULL;
+ char *user = NULL;
+ isc_boolean_t keyonly = ISC_FALSE;
+ int len;
+
+ keydef = keyfile = RNDC_KEYFILE;
+
+ result = isc_file_progname(*argv, program, sizeof(program));
+ if (result != ISC_R_SUCCESS)
+ memcpy(program, "rndc-confgen", 13);
+ progname = program;
+
+ keyname = DEFAULT_KEYNAME;
+ keysize = DEFAULT_KEYLENGTH;
+ serveraddr = DEFAULT_SERVER;
+ port = DEFAULT_PORT;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "ab:c:hk:Mmp:r:s:t:u:Vy")) != -1) {
+ switch (ch) {
+ case 'a':
+ keyonly = ISC_TRUE;
+ break;
+ case 'b':
+ keysize = strtol(isc_commandline_argument, &p, 10);
+ if (*p != '\0' || keysize < 0)
+ fatal("-b requires a non-negative number");
+ if (keysize < 1 || keysize > 512)
+ fatal("-b must be in the range 1 through 512");
+ break;
+ case 'c':
+ keyfile = isc_commandline_argument;
+ break;
+ case 'h':
+ usage(0);
+ case 'k':
+ case 'y': /* Compatible with rndc -y. */
+ keyname = isc_commandline_argument;
+ break;
+ case 'M':
+ isc_mem_debugging = ISC_MEM_DEBUGTRACE;
+ break;
+
+ case 'm':
+ show_final_mem = ISC_TRUE;
+ break;
+ case 'p':
+ port = strtol(isc_commandline_argument, &p, 10);
+ if (*p != '\0' || port < 0 || port > 65535)
+ fatal("port '%s' out of range",
+ isc_commandline_argument);
+ break;
+ case 'r':
+ randomfile = isc_commandline_argument;
+ break;
+ case 's':
+ serveraddr = isc_commandline_argument;
+ if (inet_pton(AF_INET, serveraddr, &addr4_dummy) != 1 &&
+ inet_pton(AF_INET6, serveraddr, &addr6_dummy) != 1)
+ fatal("-s should be an IPv4 or IPv6 address");
+ break;
+ case 't':
+ chrootdir = isc_commandline_argument;
+ break;
+ case 'u':
+ user = isc_commandline_argument;
+ break;
+ case 'V':
+ verbose = ISC_TRUE;
+ break;
+ case '?':
+ if (isc_commandline_option != '?') {
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ usage(1);
+ } else
+ usage(0);
+ break;
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ argc -= isc_commandline_index;
+ argv += isc_commandline_index;
+
+ if (argc > 0)
+ usage(1);
+
+ DO("create memory context", isc_mem_create(0, 0, &mctx));
+ isc_buffer_init(&key_txtbuffer, &key_txtsecret, sizeof(key_txtsecret));
+
+ generate_key(mctx, randomfile, alg, keysize, &key_txtbuffer);
+
+ if (keyonly) {
+ write_key_file(keyfile, chrootdir == NULL ? user : NULL,
+ keyname, &key_txtbuffer, alg);
+
+ if (chrootdir != NULL) {
+ char *buf;
+ len = strlen(chrootdir) + strlen(keyfile) + 2;
+ buf = isc_mem_get(mctx, len);
+ if (buf == NULL)
+ fatal("isc_mem_get(%d) failed\n", len);
+ snprintf(buf, len, "%s%s%s", chrootdir,
+ (*keyfile != '/') ? "/" : "", keyfile);
+
+ write_key_file(buf, user, keyname, &key_txtbuffer, alg);
+ isc_mem_put(mctx, buf, len);
+ }
+ } else {
+ printf("\
+# Start of rndc.conf\n\
+key \"%s\" {\n\
+ algorithm %s;\n\
+ secret \"%.*s\";\n\
+};\n\
+\n\
+options {\n\
+ default-key \"%s\";\n\
+ default-server %s;\n\
+ default-port %d;\n\
+};\n\
+# End of rndc.conf\n\
+\n\
+# Use with the following in named.conf, adjusting the allow list as needed:\n\
+# key \"%s\" {\n\
+# algorithm %s;\n\
+# secret \"%.*s\";\n\
+# };\n\
+# \n\
+# controls {\n\
+# inet %s port %d\n\
+# allow { %s; } keys { \"%s\"; };\n\
+# };\n\
+# End of named.conf\n",
+ keyname, algname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer),
+ keyname, serveraddr, port,
+ keyname, algname,
+ (int)isc_buffer_usedlength(&key_txtbuffer),
+ (char *)isc_buffer_base(&key_txtbuffer),
+ serveraddr, port, serveraddr, keyname);
+ }
+
+ if (show_final_mem)
+ isc_mem_stats(mctx, stderr);
+
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: rndc-confgen.docbook,v 1.4 2009/06/15 23:47:59 tbox Exp $ -->
+<refentry id="man.rndc-confgen">
+ <refentryinfo>
+ <date>Aug 27, 2001</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>rndc-confgen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>rndc-confgen</application></refname>
+ <refpurpose>rndc key generation tool</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2004</year>
+ <year>2005</year>
+ <year>2007</year>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ <copyright>
+ <year>2001</year>
+ <year>2003</year>
+ <holder>Internet Software Consortium.</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>rndc-confgen</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
+ <arg><option>-c <replaceable class="parameter">keyfile</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-k <replaceable class="parameter">keyname</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">port</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomfile</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">address</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">chrootdir</replaceable></option></arg>
+ <arg><option>-u <replaceable class="parameter">user</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>rndc-confgen</command>
+ generates configuration files
+ for <command>rndc</command>. It can be used as a
+ convenient alternative to writing the
+ <filename>rndc.conf</filename> file
+ and the corresponding <command>controls</command>
+ and <command>key</command>
+ statements in <filename>named.conf</filename> by hand.
+ Alternatively, it can be run with the <command>-a</command>
+ option to set up a <filename>rndc.key</filename> file and
+ avoid the need for a <filename>rndc.conf</filename> file
+ and a <command>controls</command> statement altogether.
+ </para>
+
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Do automatic <command>rndc</command> configuration.
+ This creates a file <filename>rndc.key</filename>
+ in <filename>/etc</filename> (or whatever
+ <varname>sysconfdir</varname>
+ was specified as when <acronym>BIND</acronym> was
+ built)
+ that is read by both <command>rndc</command>
+ and <command>named</command> on startup. The
+ <filename>rndc.key</filename> file defines a default
+ command channel and authentication key allowing
+ <command>rndc</command> to communicate with
+ <command>named</command> on the local host
+ with no further configuration.
+ </para>
+ <para>
+ Running <command>rndc-confgen -a</command> allows
+ BIND 9 and <command>rndc</command> to be used as
+ drop-in
+ replacements for BIND 8 and <command>ndc</command>,
+ with no changes to the existing BIND 8
+ <filename>named.conf</filename> file.
+ </para>
+ <para>
+ If a more elaborate configuration than that
+ generated by <command>rndc-confgen -a</command>
+ is required, for example if rndc is to be used remotely,
+ you should run <command>rndc-confgen</command> without
+ the
+ <command>-a</command> option and set up a
+ <filename>rndc.conf</filename> and
+ <filename>named.conf</filename>
+ as directed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b <replaceable class="parameter">keysize</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the size of the authentication key in bits.
+ Must be between 1 and 512 bits; the default is 128.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">keyfile</replaceable></term>
+ <listitem>
+ <para>
+ Used with the <command>-a</command> option to specify
+ an alternate location for <filename>rndc.key</filename>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>rndc-confgen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-k <replaceable class="parameter">keyname</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the key name of the rndc authentication key.
+ This must be a valid domain name.
+ The default is <constant>rndc-key</constant>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">port</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the command channel port where <command>named</command>
+ listens for connections from <command>rndc</command>.
+ The default is 953.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomfile</replaceable></term>
+ <listitem>
+ <para>
+ Specifies a source of random data for generating the
+ authorization. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename>
+ specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">address</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the IP address where <command>named</command>
+ listens for command channel connections from
+ <command>rndc</command>. The default is the loopback
+ address 127.0.0.1.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">chrootdir</replaceable></term>
+ <listitem>
+ <para>
+ Used with the <command>-a</command> option to specify
+ a directory where <command>named</command> will run
+ chrooted. An additional copy of the <filename>rndc.key</filename>
+ will be written relative to this directory so that
+ it will be found by the chrooted <command>named</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-u <replaceable class="parameter">user</replaceable></term>
+ <listitem>
+ <para>
+ Used with the <command>-a</command> option to set the
+ owner
+ of the <filename>rndc.key</filename> file generated.
+ If
+ <command>-t</command> is also specified only the file
+ in
+ the chroot area has its owner changed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLES</title>
+ <para>
+ To allow <command>rndc</command> to be used with
+ no manual configuration, run
+ </para>
+ <para><userinput>rndc-confgen -a</userinput>
+ </para>
+ <para>
+ To print a sample <filename>rndc.conf</filename> file and
+ corresponding <command>controls</command> and <command>key</command>
+ statements to be manually inserted into <filename>named.conf</filename>,
+ run
+ </para>
+ <para><userinput>rndc-confgen</userinput>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2004, 2005, 2007, 2009 Internet Systems Consortium, Inc. ("ISC")
+ - Copyright (C) 2001, 2003 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: rndc-confgen.html,v 1.7 2009/07/11 01:12:45 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>rndc-confgen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.rndc-confgen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">rndc-confgen</span> — rndc key generation tool</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">rndc-confgen</code> [<code class="option">-a</code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-c <em class="replaceable"><code>keyfile</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k <em class="replaceable"><code>keyname</code></em></code>] [<code class="option">-p <em class="replaceable"><code>port</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomfile</code></em></code>] [<code class="option">-s <em class="replaceable"><code>address</code></em></code>] [<code class="option">-t <em class="replaceable"><code>chrootdir</code></em></code>] [<code class="option">-u <em class="replaceable"><code>user</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543432"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">rndc-confgen</strong></span>
+ generates configuration files
+ for <span><strong class="command">rndc</strong></span>. It can be used as a
+ convenient alternative to writing the
+ <code class="filename">rndc.conf</code> file
+ and the corresponding <span><strong class="command">controls</strong></span>
+ and <span><strong class="command">key</strong></span>
+ statements in <code class="filename">named.conf</code> by hand.
+ Alternatively, it can be run with the <span><strong class="command">-a</strong></span>
+ option to set up a <code class="filename">rndc.key</code> file and
+ avoid the need for a <code class="filename">rndc.conf</code> file
+ and a <span><strong class="command">controls</strong></span> statement altogether.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543477"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-a</span></dt>
+<dd>
+<p>
+ Do automatic <span><strong class="command">rndc</strong></span> configuration.
+ This creates a file <code class="filename">rndc.key</code>
+ in <code class="filename">/etc</code> (or whatever
+ <code class="varname">sysconfdir</code>
+ was specified as when <acronym class="acronym">BIND</acronym> was
+ built)
+ that is read by both <span><strong class="command">rndc</strong></span>
+ and <span><strong class="command">named</strong></span> on startup. The
+ <code class="filename">rndc.key</code> file defines a default
+ command channel and authentication key allowing
+ <span><strong class="command">rndc</strong></span> to communicate with
+ <span><strong class="command">named</strong></span> on the local host
+ with no further configuration.
+ </p>
+<p>
+ Running <span><strong class="command">rndc-confgen -a</strong></span> allows
+ BIND 9 and <span><strong class="command">rndc</strong></span> to be used as
+ drop-in
+ replacements for BIND 8 and <span><strong class="command">ndc</strong></span>,
+ with no changes to the existing BIND 8
+ <code class="filename">named.conf</code> file.
+ </p>
+<p>
+ If a more elaborate configuration than that
+ generated by <span><strong class="command">rndc-confgen -a</strong></span>
+ is required, for example if rndc is to be used remotely,
+ you should run <span><strong class="command">rndc-confgen</strong></span> without
+ the
+ <span><strong class="command">-a</strong></span> option and set up a
+ <code class="filename">rndc.conf</code> and
+ <code class="filename">named.conf</code>
+ as directed.
+ </p>
+</dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+ Specifies the size of the authentication key in bits.
+ Must be between 1 and 512 bits; the default is 128.
+ </p></dd>
+<dt><span class="term">-c <em class="replaceable"><code>keyfile</code></em></span></dt>
+<dd><p>
+ Used with the <span><strong class="command">-a</strong></span> option to specify
+ an alternate location for <code class="filename">rndc.key</code>.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Prints a short summary of the options and arguments to
+ <span><strong class="command">rndc-confgen</strong></span>.
+ </p></dd>
+<dt><span class="term">-k <em class="replaceable"><code>keyname</code></em></span></dt>
+<dd><p>
+ Specifies the key name of the rndc authentication key.
+ This must be a valid domain name.
+ The default is <code class="constant">rndc-key</code>.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>port</code></em></span></dt>
+<dd><p>
+ Specifies the command channel port where <span><strong class="command">named</strong></span>
+ listens for connections from <span><strong class="command">rndc</strong></span>.
+ The default is 953.
+ </p></dd>
+<dt><span class="term">-r <em class="replaceable"><code>randomfile</code></em></span></dt>
+<dd><p>
+ Specifies a source of random data for generating the
+ authorization. If the operating
+ system does not provide a <code class="filename">/dev/random</code>
+ or equivalent device, the default source of randomness
+ is keyboard input. <code class="filename">randomdev</code>
+ specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <code class="filename">keyboard</code> indicates that keyboard
+ input should be used.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>address</code></em></span></dt>
+<dd><p>
+ Specifies the IP address where <span><strong class="command">named</strong></span>
+ listens for command channel connections from
+ <span><strong class="command">rndc</strong></span>. The default is the loopback
+ address 127.0.0.1.
+ </p></dd>
+<dt><span class="term">-t <em class="replaceable"><code>chrootdir</code></em></span></dt>
+<dd><p>
+ Used with the <span><strong class="command">-a</strong></span> option to specify
+ a directory where <span><strong class="command">named</strong></span> will run
+ chrooted. An additional copy of the <code class="filename">rndc.key</code>
+ will be written relative to this directory so that
+ it will be found by the chrooted <span><strong class="command">named</strong></span>.
+ </p></dd>
+<dt><span class="term">-u <em class="replaceable"><code>user</code></em></span></dt>
+<dd><p>
+ Used with the <span><strong class="command">-a</strong></span> option to set the
+ owner
+ of the <code class="filename">rndc.key</code> file generated.
+ If
+ <span><strong class="command">-t</strong></span> is also specified only the file
+ in
+ the chroot area has its owner changed.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543790"></a><h2>EXAMPLES</h2>
+<p>
+ To allow <span><strong class="command">rndc</strong></span> to be used with
+ no manual configuration, run
+ </p>
+<p><strong class="userinput"><code>rndc-confgen -a</code></strong>
+ </p>
+<p>
+ To print a sample <code class="filename">rndc.conf</code> file and
+ corresponding <span><strong class="command">controls</strong></span> and <span><strong class="command">key</strong></span>
+ statements to be manually inserted into <code class="filename">named.conf</code>,
+ run
+ </p>
+<p><strong class="userinput"><code>rndc-confgen</code></strong>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543832"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">rndc</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">rndc.conf</span>(5)</span>,
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543870"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.3 2009/06/11 23:47:55 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/../include \
+ ${DNS_INCLUDES} ${ISC_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+OBJS = os.@O@
+
+SRCS = os.c
+
+TARGETS = ${OBJS}
+
+@BIND9_MAKE_RULES@
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <confgen/os.h>
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <pwd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <sys/stat.h>
+
+int
+set_user(FILE *fd, const char *user) {
+ struct passwd *pw;
+
+ pw = getpwnam(user);
+ if (pw == NULL) {
+ errno = EINVAL;
+ return (-1);
+ }
+ return (fchown(fileno(fd), pw->pw_uid, -1));
+}
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+#include <isc/boolean.h>
+
+#include "util.h"
+
+extern isc_boolean_t verbose;
+extern const char *progname;
+
+void
+notify(const char *fmt, ...) {
+ va_list ap;
+
+ if (verbose) {
+ va_start(ap, fmt);
+ vfprintf(stderr, fmt, ap);
+ va_end(ap);
+ fputs("\n", stderr);
+ }
+}
+
+void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", progname);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: util.h,v 1.4 2009/09/29 15:06:05 fdupont Exp $ */
+
+#ifndef RNDC_UTIL_H
+#define RNDC_UTIL_H 1
+
+/*! \file */
+
+#include <isc/lang.h>
+#include <isc/platform.h>
+
+#include <isc/formatcheck.h>
+
+#define NS_CONTROL_PORT 953
+
+#undef DO
+#define DO(name, function) \
+ do { \
+ result = function; \
+ if (result != ISC_R_SUCCESS) \
+ fatal("%s: %s", name, isc_result_totext(result)); \
+ else \
+ notify("%s", name); \
+ } while (0)
+
+ISC_LANG_BEGINDECLS
+
+void
+notify(const char *fmt, ...) ISC_FORMAT_PRINTF(1, 2);
+
+ISC_PLATFORM_NORETURN_PRE void
+fatal(const char *format, ...)
+ISC_FORMAT_PRINTF(1, 2) ISC_PLATFORM_NORETURN_POST;
+
+ISC_LANG_ENDDECLS
+
+#endif /* RNDC_UTIL_H */
--- /dev/null
+# Microsoft Developer Studio Project File - Name="confgentool" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Static-Link Library" 0x0104\r
+\r
+CFG=confgentool - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "confgentool.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "confgentool.mak" CFG="confgentool - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "confgentool - Win32 Release" (based on "Win32 (x86) Static-Link Library")\r
+!MESSAGE "confgentool - Win32 Debug" (based on "Win32 (x86) Static-Link Library")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+MTL=midl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "confgentool - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /YX /FD /c /Fdconfgentool\r
+# SUBTRACT CPP /X\r
+# ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32\r
+# ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 \r
+# ADD LINK32 /out:"Release/confgentool.lib"\r
+LIB32=lib.exe\r
+# ADD BASE LIB32\r
+# ADD LIB32 /out:"Release/confgentool.lib"\r
+\r
+!ELSEIF "$(CFG)" == "confgentool - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "_WINDOWS" /D "__STDC__" /D "_MBCS" /FR /YX /FD /GZ /c /Fdconfgentool\r
+# SUBTRACT CPP /X\r
+# ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32\r
+# ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 \r
+# ADD LINK32 /debug /out:"Debug/confgentool.lib"\r
+LIB32=lib.exe\r
+# ADD BASE LIB32\r
+# ADD LIB32 /out:"Debug/confgentool.lib"\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "confgentool - Win32 Release"\r
+# Name "confgentool - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# Begin Source File\r
+\r
+SOURCE=..\keygen.h\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE=..\util.h\r
+# End Source File\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# Begin Group "Main Dns Lib"\r
+\r
+# PROP Default_Filter "c"\r
+# Begin Source File\r
+\r
+SOURCE=..\keygen.c\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE=..\util.c\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE=.\os.c\r
+# End Source File\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "confgentool"=".\confgentool.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="ddnsconfgen" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=ddnsconfgen - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "ddnsconfgen.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "ddnsconfgen.mak" CFG="ddnsconfgen - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "ddnsconfgen - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "ddnsconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/confgentool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/ddns-confgen.exe"\r
+\r
+!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/confgentool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/ddns-confgen.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "ddnsconfgen - Win32 Release"\r
+# Name "ddnsconfgen - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\ddns-confgen.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "ddnsconfgen"=".\ddnsconfgen.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on ddnsconfgen.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=ddnsconfgen - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to ddnsconfgen - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "ddnsconfgen - Win32 Release" && "$(CFG)" != "ddnsconfgen - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "ddnsconfgen.mak" CFG="ddnsconfgen - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "ddnsconfgen - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "ddnsconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\ddns-confgen.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\os.obj"\r
+ -@erase "$(INTDIR)\ddns-confgen.obj"\r
+ -@erase "$(INTDIR)\keygen.obj"\r
+ -@erase "$(INTDIR)\util.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\ddns-confgen.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\ddnsconfgen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\ddnsconfgen.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\ddns-confgen.pdb" /machine:I386 /out:"../../../Build/Release/ddns-confgen.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\os.obj" \\r
+ "$(INTDIR)\ddns-confgen.obj" \\r
+ "$(INTDIR)\keygen.obj" \\r
+ "$(INTDIR)\util.obj"\r
+\r
+"..\..\..\Build\Release\ddns-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\ddns-confgen.exe" "$(OUTDIR)\ddnsconfgen.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\os.obj"\r
+ -@erase "$(INTDIR)\os.sbr"\r
+ -@erase "$(INTDIR)\ddns-confgen.obj"\r
+ -@erase "$(INTDIR)\ddns-confgen.sbr"\r
+ -@erase "$(INTDIR)\keygen.obj"\r
+ -@erase "$(INTDIR)\keygen.sbr"\r
+ -@erase "$(INTDIR)\util.obj"\r
+ -@erase "$(INTDIR)\util.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\ddnsconfgen.bsc"\r
+ -@erase "$(OUTDIR)\ddns-confgen.pdb"\r
+ -@erase "..\..\..\Build\Debug\ddns-confgen.exe"\r
+ -@erase "..\..\..\Build\Debug\ddns-confgen.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\ddnsconfgen.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\os.sbr" \\r
+ "$(INTDIR)\ddns-confgen.sbr" \\r
+ "$(INTDIR)\keygen.sbr" \\r
+ "$(INTDIR)\util.sbr"\r
+\r
+"$(OUTDIR)\ddnsconfgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\ddns-confgen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/ddns-confgen.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\os.obj" \\r
+ "$(INTDIR)\ddns-confgen.obj" \\r
+ "$(INTDIR)\keygen.obj" \\r
+ "$(INTDIR)\util.obj"\r
+\r
+"..\..\..\Build\Debug\ddns-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("ddnsconfgen.dep")\r
+!INCLUDE "ddnsconfgen.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "ddnsconfgen.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release" || "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+SOURCE=.\os.c\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"\r
+\r
+\r
+!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\os.obj" "$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE="..\ddns-confgen.c"\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\ddns-confgen.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\ddns-confgen.obj" "$(INTDIR)\ddns-confgen.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE=..\keygen.c\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\keygen.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\keygen.obj" "$(INTDIR)\keygen.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE=..\util.c\r
+\r
+!IF "$(CFG)" == "ddnsconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "ddnsconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\util.obj" "$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: os.c,v 1.3 2009/06/11 23:47:55 tbox Exp $ */
+
+#include <config.h>
+
+#include <confgen/os.h>
+
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <errno.h>
+#include <stdio.h>
+#include <io.h>
+#include <sys/stat.h>
+
+int
+set_user(FILE *fd, const char *user) {
+ return (0);
+}
--- /dev/null
+# Microsoft Developer Studio Project File - Name="rndcconfgen" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=rndcconfgen - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "rndcconfgen.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "rndcconfgen.mak" CFG="rndcconfgen - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "rndcconfgen - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "rndcconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Release/confgentool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe"\r
+\r
+!ELSEIF "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ws2_32.lib Debug/confgentool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "rndcconfgen - Win32 Release"\r
+# Name "rndcconfgen - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\rndc-confgen.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "rndconfgen"=".\rndconfgen.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on confgen.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=rndcconfgen - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to rndcconfgen - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "rndcconfgen - Win32 Release" && "$(CFG)" != "rndcconfgen - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "rndcconfgen.mak" CFG="rndcconfgen - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "rndcconfgen - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "rndcconfgen - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\rndc-confgen.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\os.obj"\r
+ -@erase "$(INTDIR)\rndc-confgen.obj"\r
+ -@erase "$(INTDIR)\keygen.obj"\r
+ -@erase "$(INTDIR)\util.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\rndc-confgen.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "NDEBUG" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\confgen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib ../../../lib/isccfg/win32/Release/libisccfg.lib ../../../lib/isccc/win32/Release/libisccc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\rndc-confgen.pdb" /machine:I386 /out:"../../../Build/Release/rndc-confgen.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\os.obj" \\r
+ "$(INTDIR)\rndc-confgen.obj" \\r
+ "$(INTDIR)\keygen.obj" \\r
+ "$(INTDIR)\util.obj"\r
+\r
+"..\..\..\Build\Release\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\rndc-confgen.exe" "$(OUTDIR)\confgen.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\os.obj"\r
+ -@erase "$(INTDIR)\os.sbr"\r
+ -@erase "$(INTDIR)\rndc-confgen.obj"\r
+ -@erase "$(INTDIR)\rndc-confgen.sbr"\r
+ -@erase "$(INTDIR)\keygen.obj"\r
+ -@erase "$(INTDIR)\keygen.sbr"\r
+ -@erase "$(INTDIR)\util.obj"\r
+ -@erase "$(INTDIR)\util.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\confgen.bsc"\r
+ -@erase "$(OUTDIR)\rndc-confgen.pdb"\r
+ -@erase "..\..\..\Build\Debug\rndc-confgen.exe"\r
+ -@erase "..\..\..\Build\Debug\rndc-confgen.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/win32/include" /I "../../../lib/dns/include" /I "../../../lib/isccc/include" /I "../../../lib/isccfg/include" /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\confgen.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\os.sbr" \\r
+ "$(INTDIR)\rndc-confgen.sbr" \\r
+ "$(INTDIR)\keygen.sbr" \\r
+ "$(INTDIR)\util.sbr"\r
+\r
+"$(OUTDIR)\confgen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ws2_32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib ../../../lib/isccfg/win32/Debug/libisccfg.lib ../../../lib/isccc/win32/Debug/libisccc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\rndc-confgen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/rndc-confgen.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\os.obj" \\r
+ "$(INTDIR)\rndc-confgen.obj" \\r
+ "$(INTDIR)\keygen.obj" \\r
+ "$(INTDIR)\util.obj"\r
+\r
+"..\..\..\Build\Debug\rndc-confgen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("confgen.dep")\r
+!INCLUDE "confgen.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "confgen.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release" || "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+SOURCE=.\os.c\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\os.obj" : $(SOURCE) "$(INTDIR)"\r
+\r
+\r
+!ELSEIF "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\os.obj" "$(INTDIR)\os.sbr" : $(SOURCE) "$(INTDIR)"\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE="..\rndc-confgen.c"\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\rndc-confgen.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\rndc-confgen.obj" "$(INTDIR)\rndc-confgen.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE=..\keygen.c\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\keygen.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\keygen.obj" "$(INTDIR)\keygen.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE=..\util.c\r
+\r
+!IF "$(CFG)" == "rndcconfgen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\util.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "rndcconfgen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\util.obj" "$(INTDIR)\util.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-revoke.8,v 1.8.24.1 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-revoke
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: June 1, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-REVOKE" "8" "June 1, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-revoke \- Set the REVOKED bit on a DNSSEC key
+.SH "SYNOPSIS"
+.HP 14
+\fBdnssec\-revoke\fR [\fB\-hr\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-revoke\fR
+reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now\-revoked key.
+.SH "OPTIONS"
+.PP
+\-h
+.RS 4
+Emit usage message and exit.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside.
+.RE
+.PP
+\-r
+.RS 4
+After writing the new keyset files remove the original keyset files.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.PP
+\-f
+.RS 4
+Force overwrite: Causes
+\fBdnssec\-revoke\fR
+to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-revoke.c,v 1.18.34.4 2010/05/06 23:49:37 tbox Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <libgen.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-revoke";
+int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s [options] keyfile\n\n", program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
+#endif
+ fprintf(stderr, " -f: force overwrite\n");
+ fprintf(stderr, " -K directory: use directory for key files\n");
+ fprintf(stderr, " -h: help\n");
+ fprintf(stderr, " -r: remove old keyfiles after "
+ "creating revoked version\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<new id>.key, "
+ "K<name>+<alg>+<new id>.private\n");
+
+ exit (-1);
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
+ char *filename = NULL, *dir = NULL;
+ char newname[1024], oldname[1024];
+ char keystr[DST_KEY_FORMATSIZE];
+ char *endp;
+ int ch;
+ isc_entropy_t *ectx = NULL;
+ dst_key_t *key = NULL;
+ isc_uint32_t flags;
+ isc_buffer_t buf;
+ isc_boolean_t force = ISC_FALSE;
+ isc_boolean_t remove = ISC_FALSE;
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("Out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((ch = isc_commandline_parse(argc, argv, "E:fK:rhv:")) != -1) {
+ switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
+ case 'f':
+ force = ISC_TRUE;
+ break;
+ case 'K':
+ /*
+ * We don't have to copy it here, but do it to
+ * simplify cleanup later
+ */
+ dir = isc_mem_strdup(mctx, isc_commandline_argument);
+ if (dir == NULL) {
+ fatal("Failed to allocate memory for "
+ "directory");
+ }
+ break;
+ case 'r':
+ remove = ISC_TRUE;
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (argc < isc_commandline_index + 1 ||
+ argv[isc_commandline_index] == NULL)
+ fatal("The key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("Extraneous arguments");
+
+ if (dir != NULL) {
+ filename = argv[isc_commandline_index];
+ } else {
+ result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+ &dir, &filename);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot process filename %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(result));
+ if (strcmp(dir, ".") == 0) {
+ isc_mem_free(mctx, dir);
+ dir = NULL;
+ }
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
+ isc_entropy_stopcallbacksources(ectx);
+
+ result = dst_key_fromnamedfile(filename, dir,
+ DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile name %s: %s",
+ filename, isc_result_totext(result));
+
+ dst_key_format(key, keystr, sizeof(keystr));
+
+ if (verbose > 2)
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ if (force)
+ set_keyversion(key);
+ else
+ check_keyversion(key, keystr);
+
+
+ flags = dst_key_flags(key);
+ if ((flags & DNS_KEYFLAG_REVOKE) == 0) {
+ isc_stdtime_t now;
+
+ if ((flags & DNS_KEYFLAG_KSK) == 0)
+ fprintf(stderr, "%s: warning: Key is not flagged "
+ "as a KSK. Revoking a ZSK is "
+ "legal, but undefined.\n",
+ program);
+
+ isc_stdtime_get(&now);
+ dst_key_settime(key, DST_TIME_REVOKE, now);
+
+ dst_key_setflags(key, flags | DNS_KEYFLAG_REVOKE);
+
+ isc_buffer_init(&buf, newname, sizeof(newname));
+ dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+
+ if (access(newname, F_OK) == 0 && !force) {
+ fatal("Key file %s already exists; "
+ "use -f to force overwrite", newname);
+ }
+
+ result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ dir);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Failed to write key %s: %s", keystr,
+ isc_result_totext(result));
+ }
+
+ isc_buffer_clear(&buf);
+ dst_key_buildfilename(key, 0, dir, &buf);
+ printf("%s\n", newname);
+
+ /*
+ * Remove old key file, if told to (and if
+ * it isn't the same as the new file)
+ */
+ if (remove && dst_key_alg(key) != DST_ALG_RSAMD5) {
+ isc_buffer_init(&buf, oldname, sizeof(oldname));
+ dst_key_setflags(key, flags & ~DNS_KEYFLAG_REVOKE);
+ dst_key_buildfilename(key, DST_TYPE_PRIVATE, dir, &buf);
+ if (strcmp(oldname, newname) == 0)
+ goto cleanup;
+ if (access(oldname, F_OK) == 0)
+ unlink(oldname);
+ isc_buffer_clear(&buf);
+ dst_key_buildfilename(key, DST_TYPE_PUBLIC, dir, &buf);
+ if (access(oldname, F_OK) == 0)
+ unlink(oldname);
+ }
+ } else {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Key %s is already revoked", keystr);
+ }
+
+cleanup:
+ dst_key_free(&key);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ if (dir != NULL)
+ isc_mem_free(mctx, dir);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-revoke.docbook,v 1.7 2009/11/03 21:44:46 each Exp $ -->
+<refentry id="man.dnssec-revoke">
+ <refentryinfo>
+ <date>June 1, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-revoke</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-revoke</application></refname>
+ <refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-revoke</command>
+ <arg><option>-hr</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+ <arg><option>-f</option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-revoke</command>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Emit usage message and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to reside.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r</term>
+ <listitem>
+ <para>
+ After writing the new keyset files remove the original keyset
+ files.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Force overwrite: Causes <command>dnssec-revoke</command> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5011</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: dnssec-revoke.html,v 1.8.24.1 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-revoke</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-revoke"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-revoke</span> — Set the REVOKED bit on a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-revoke</code> [<code class="option">-hr</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f</code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543373"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-revoke</strong></span>
+ reads a DNSSEC key file, sets the REVOKED bit on the key as defined
+ in RFC 5011, and creates a new pair of key files containing the
+ now-revoked key.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543385"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-r</span></dt>
+<dd><p>
+ After writing the new keyset files remove the original keyset
+ files.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force overwrite: Causes <span><strong class="command">dnssec-revoke</strong></span> to
+ write the new key pair even if a file already exists matching
+ the algorithm and key ID of the revoked key.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543491"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543515"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: dnssec-settime.8,v 1.9.24.5 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: dnssec\-settime
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: July 15, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "DNSSEC\-SETTIME" "8" "July 15, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+dnssec\-settime \- Set the key timing metadata for a DNSSEC key
+.SH "SYNOPSIS"
+.HP 15
+\fBdnssec\-settime\fR [\fB\-f\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-h\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] {keyfile}
+.SH "DESCRIPTION"
+.PP
+\fBdnssec\-settime\fR
+reads a DNSSEC private key file and sets the key timing metadata as specified by the
+\fB\-P\fR,
+\fB\-A\fR,
+\fB\-R\fR,
+\fB\-I\fR, and
+\fB\-D\fR
+options. The metadata can then be used by
+\fBdnssec\-signzone\fR
+or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc.
+.PP
+If none of these options is set on the command line, then
+\fBdnssec\-settime\fR
+simply prints the key timing metadata already stored in the key.
+.PP
+When key metadata fields are changed, both files of a key pair (\fIKnnnn.+aaa+iiiii.key\fR
+and
+\fIKnnnn.+aaa+iiiii.private\fR) are regenerated. Metadata fields are stored in the private file. A human\-readable description of the metadata is also placed in comments in the key file.
+.SH "OPTIONS"
+.PP
+\-f
+.RS 4
+Force an update of an old\-format key with no metadata fields. Without this option,
+\fBdnssec\-settime\fR
+will fail when attempting to update a legacy key. With this option, the key will be recreated in the new format, but with the original key data retained. The key's creation date will be set to the present time.
+.RE
+.PP
+\-K \fIdirectory\fR
+.RS 4
+Sets the directory in which the key files are to reside.
+.RE
+.PP
+\-h
+.RS 4
+Emit usage message and exit.
+.RE
+.PP
+\-v \fIlevel\fR
+.RS 4
+Sets the debugging level.
+.RE
+.PP
+\-E \fIengine\fR
+.RS 4
+Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
+.RE
+.SH "TIMING OPTIONS"
+.PP
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.
+.PP
+\-P \fIdate/offset\fR
+.RS 4
+Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
+.RE
+.PP
+\-A \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be activated. After that date, the key will be included in the zone and used to sign it.
+.RE
+.PP
+\-R \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
+.RE
+.PP
+\-I \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
+.RE
+.PP
+\-D \fIdate/offset\fR
+.RS 4
+Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
+.RE
+.SH "PRINTING OPTIONS"
+.PP
+\fBdnssec\-settime\fR
+can also be used to print the timing metadata associated with a key.
+.PP
+\-u
+.RS 4
+Print times in UNIX epoch format.
+.RE
+.PP
+\-p \fIC/P/A/R/I/D/all\fR
+.RS 4
+Print a specific metadata value or set of metadata values. The
+\fB\-p\fR
+option may be followed by one or more of the following letters to indicate which value or values to print:
+\fBC\fR
+for the creation date,
+\fBP\fR
+for the publication date,
+\fBA\fR
+for the activation date,
+\fBR\fR
+for the revocation date,
+\fBI\fR
+for the inactivation date, or
+\fBD\fR
+for the deletion date. To print all of the metadata, use
+\fB\-p all\fR.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBdnssec\-keygen\fR(8),
+\fBdnssec\-signzone\fR(8),
+BIND 9 Administrator Reference Manual,
+RFC 5011.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: dnssec-settime.c,v 1.19.34.6 2010/02/03 01:02:17 each Exp $ */
+
+/*! \file */
+
+#include <config.h>
+
+#include <libgen.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <errno.h>
+#include <time.h>
+
+#include <isc/buffer.h>
+#include <isc/commandline.h>
+#include <isc/entropy.h>
+#include <isc/file.h>
+#include <isc/hash.h>
+#include <isc/mem.h>
+#include <isc/print.h>
+#include <isc/string.h>
+#include <isc/util.h>
+
+#include <dns/keyvalues.h>
+#include <dns/result.h>
+
+#include <dst/dst.h>
+
+#include "dnssectool.h"
+
+const char *program = "dnssec-settime";
+int verbose;
+
+static isc_mem_t *mctx = NULL;
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, " %s [options] keyfile\n\n", program);
+ fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "General options:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E engine: specify OpenSSL engine "
+ "(default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E engine: specify OpenSSL engine\n");
+#endif
+ fprintf(stderr, " -f: force update of old-style "
+ "keys\n");
+ fprintf(stderr, " -K directory: set key file location\n");
+ fprintf(stderr, " -v level: set level of verbosity\n");
+ fprintf(stderr, " -h: help\n");
+ fprintf(stderr, "Timing options:\n");
+ fprintf(stderr, " -P date/[+-]offset/none: set/unset key "
+ "publication date\n");
+ fprintf(stderr, " -A date/[+-]offset/none: set/unset key "
+ "activation date\n");
+ fprintf(stderr, " -R date/[+-]offset/none: set/unset key "
+ "revocation date\n");
+ fprintf(stderr, " -I date/[+-]offset/none: set/unset key "
+ "inactivation date\n");
+ fprintf(stderr, " -D date/[+-]offset/none: set/unset key "
+ "deletion date\n");
+ fprintf(stderr, "Printing options:\n");
+ fprintf(stderr, " -p C/P/A/R/I/D/all: print a particular time "
+ "value or values "
+ "[default: all]\n");
+ fprintf(stderr, " -u: print times in unix epoch "
+ "format\n");
+ fprintf(stderr, "Output:\n");
+ fprintf(stderr, " K<name>+<alg>+<new id>.key, "
+ "K<name>+<alg>+<new id>.private\n");
+
+ exit (-1);
+}
+
+static void
+printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
+ FILE *stream)
+{
+ isc_result_t result;
+ const char *output = NULL;
+ isc_stdtime_t when;
+
+ if (tag != NULL)
+ fprintf(stream, "%s: ", tag);
+
+ result = dst_key_gettime(key, type, &when);
+ if (result == ISC_R_NOTFOUND) {
+ fprintf(stream, "UNSET\n");
+ } else if (epoch) {
+ fprintf(stream, "%d\n", (int) when);
+ } else {
+ time_t time = when;
+ output = ctime(&time);
+ fprintf(stream, "%s", output);
+ }
+}
+
+int
+main(int argc, char **argv) {
+ isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
+ char *filename = NULL, *directory = NULL;
+ char newname[1024];
+ char keystr[DST_KEY_FORMATSIZE];
+ char *endp, *p;
+ int ch;
+ isc_entropy_t *ectx = NULL;
+ dst_key_t *key = NULL;
+ isc_buffer_t buf;
+ isc_stdtime_t now;
+ isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
+ isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
+ isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
+ isc_boolean_t setdel = ISC_FALSE;
+ isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
+ isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
+ isc_boolean_t unsetdel = ISC_FALSE;
+ isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
+ isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
+ isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
+ isc_boolean_t force = ISC_FALSE;
+ isc_boolean_t epoch = ISC_FALSE;
+ isc_boolean_t changed = ISC_FALSE;
+
+ if (argc == 1)
+ usage();
+
+ result = isc_mem_create(0, 0, &mctx);
+ if (result != ISC_R_SUCCESS)
+ fatal("Out of memory");
+
+ dns_result_register();
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ isc_stdtime_get(&now);
+
+ while ((ch = isc_commandline_parse(argc, argv,
+ "E:fK:uhp:v:P:A:R:I:D:")) != -1) {
+ switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
+ case 'f':
+ force = ISC_TRUE;
+ break;
+ case 'p':
+ p = isc_commandline_argument;
+ if (!strcasecmp(p, "all")) {
+ printcreate = ISC_TRUE;
+ printpub = ISC_TRUE;
+ printact = ISC_TRUE;
+ printrev = ISC_TRUE;
+ printinact = ISC_TRUE;
+ printdel = ISC_TRUE;
+ break;
+ }
+
+ do {
+ switch (*p++) {
+ case 'C':
+ printcreate = ISC_TRUE;
+ break;
+ case 'P':
+ printpub = ISC_TRUE;
+ break;
+ case 'A':
+ printact = ISC_TRUE;
+ break;
+ case 'R':
+ printrev = ISC_TRUE;
+ break;
+ case 'I':
+ printinact = ISC_TRUE;
+ break;
+ case 'D':
+ printdel = ISC_TRUE;
+ break;
+ case ' ':
+ break;
+ default:
+ usage();
+ break;
+ }
+ } while (*p != '\0');
+ break;
+ case 'u':
+ epoch = ISC_TRUE;
+ break;
+ case 'K':
+ /*
+ * We don't have to copy it here, but do it to
+ * simplify cleanup later
+ */
+ directory = isc_mem_strdup(mctx,
+ isc_commandline_argument);
+ if (directory == NULL) {
+ fatal("Failed to allocate memory for "
+ "directory");
+ }
+ break;
+ case 'v':
+ verbose = strtol(isc_commandline_argument, &endp, 0);
+ if (*endp != '\0')
+ fatal("-v must be followed by a number");
+ break;
+ case 'P':
+ if (setpub || unsetpub)
+ fatal("-P specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetpub = ISC_TRUE;
+ } else {
+ setpub = ISC_TRUE;
+ pub = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'A':
+ if (setact || unsetact)
+ fatal("-A specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetact = ISC_TRUE;
+ } else {
+ setact = ISC_TRUE;
+ act = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'R':
+ if (setrev || unsetrev)
+ fatal("-R specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetrev = ISC_TRUE;
+ } else {
+ setrev = ISC_TRUE;
+ rev = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'I':
+ if (setinact || unsetinact)
+ fatal("-I specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetinact = ISC_TRUE;
+ } else {
+ setinact = ISC_TRUE;
+ inact = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case 'D':
+ if (setdel || unsetdel)
+ fatal("-D specified more than once");
+
+ changed = ISC_TRUE;
+ if (!strcasecmp(isc_commandline_argument, "none")) {
+ unsetdel = ISC_TRUE;
+ } else {
+ setdel = ISC_TRUE;
+ del = strtotime(isc_commandline_argument,
+ now, now);
+ }
+ break;
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ /* Falls into */
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (argc < isc_commandline_index + 1 ||
+ argv[isc_commandline_index] == NULL)
+ fatal("The key file name was not specified");
+ if (argc > isc_commandline_index + 1)
+ fatal("Extraneous arguments");
+
+ if (directory != NULL) {
+ filename = argv[isc_commandline_index];
+ } else {
+ result = isc_file_splitpath(mctx, argv[isc_commandline_index],
+ &directory, &filename);
+ if (result != ISC_R_SUCCESS)
+ fatal("cannot process filename %s: %s",
+ argv[isc_commandline_index],
+ isc_result_totext(result));
+ }
+
+ if (ectx == NULL)
+ setup_entropy(mctx, NULL, &ectx);
+ result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize hash");
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ if (result != ISC_R_SUCCESS)
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
+ isc_entropy_stopcallbacksources(ectx);
+
+ result = dst_key_fromnamedfile(filename, directory,
+ DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
+ mctx, &key);
+ if (result != ISC_R_SUCCESS)
+ fatal("Invalid keyfile %s: %s",
+ filename, isc_result_totext(result));
+
+ if (!dst_key_isprivate(key))
+ fatal("%s is not a private key", filename);
+
+ dst_key_format(key, keystr, sizeof(keystr));
+
+ if (force)
+ set_keyversion(key);
+ else
+ check_keyversion(key, keystr);
+
+ if (verbose > 2)
+ fprintf(stderr, "%s: %s\n", program, keystr);
+
+ /*
+ * Set time values.
+ */
+ if (setpub)
+ dst_key_settime(key, DST_TIME_PUBLISH, pub);
+ else if (unsetpub)
+ dst_key_unsettime(key, DST_TIME_PUBLISH);
+
+ if (setact)
+ dst_key_settime(key, DST_TIME_ACTIVATE, act);
+ else if (unsetact)
+ dst_key_unsettime(key, DST_TIME_ACTIVATE);
+
+ if (setrev) {
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+ fprintf(stderr, "%s: warning: Key %s is already "
+ "revoked; changing the revocation date "
+ "will not affect this.\n",
+ program, keystr);
+ if ((dst_key_flags(key) & DNS_KEYFLAG_KSK) == 0)
+ fprintf(stderr, "%s: warning: Key %s is not flagged as "
+ "a KSK, but -R was used. Revoking a "
+ "ZSK is legal, but undefined.\n",
+ program, keystr);
+ dst_key_settime(key, DST_TIME_REVOKE, rev);
+ } else if (unsetrev) {
+ if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
+ fprintf(stderr, "%s: warning: Key %s is already "
+ "revoked; removing the revocation date "
+ "will not affect this.\n",
+ program, keystr);
+ dst_key_unsettime(key, DST_TIME_REVOKE);
+ }
+
+ if (setinact)
+ dst_key_settime(key, DST_TIME_INACTIVE, inact);
+ else if (unsetinact)
+ dst_key_unsettime(key, DST_TIME_INACTIVE);
+
+ if (setdel)
+ dst_key_settime(key, DST_TIME_DELETE, del);
+ else if (unsetdel)
+ dst_key_unsettime(key, DST_TIME_DELETE);
+
+ /*
+ * Print out time values, if -p was used.
+ */
+ if (printcreate)
+ printtime(key, DST_TIME_CREATED, "Created", epoch, stdout);
+
+ if (printpub)
+ printtime(key, DST_TIME_PUBLISH, "Publish", epoch, stdout);
+
+ if (printact)
+ printtime(key, DST_TIME_ACTIVATE, "Activate", epoch, stdout);
+
+ if (printrev)
+ printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
+
+ if (printinact)
+ printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
+
+ if (printdel)
+ printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
+
+ if (changed) {
+ isc_buffer_init(&buf, newname, sizeof(newname));
+ result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
+ &buf);
+ if (result != ISC_R_SUCCESS) {
+ fatal("Failed to build public key filename: %s",
+ isc_result_totext(result));
+ }
+
+ result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
+ directory);
+ if (result != ISC_R_SUCCESS) {
+ dst_key_format(key, keystr, sizeof(keystr));
+ fatal("Failed to write key %s: %s", keystr,
+ isc_result_totext(result));
+ }
+
+ printf("%s\n", newname);
+
+ isc_buffer_clear(&buf);
+ result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
+ &buf);
+ if (result != ISC_R_SUCCESS) {
+ fatal("Failed to build private key filename: %s",
+ isc_result_totext(result));
+ }
+ printf("%s\n", newname);
+ }
+
+ dst_key_free(&key);
+ dst_lib_destroy();
+ isc_hash_destroy();
+ cleanup_entropy(&ectx);
+ if (verbose > 10)
+ isc_mem_stats(mctx, stdout);
+ isc_mem_free(mctx, directory);
+ isc_mem_destroy(&mctx);
+
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: dnssec-settime.docbook,v 1.7.24.3 2010/03/09 03:40:01 marka Exp $ -->
+<refentry id="man.dnssec-settime">
+ <refentryinfo>
+ <date>July 15, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-settime</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-settime</application></refname>
+ <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <year>2010</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-settime</command>
+ <arg><option>-f</option></arg>
+ <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
+ <arg choice="req">keyfile</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para><command>dnssec-settime</command>
+ reads a DNSSEC private key file and sets the key timing metadata
+ as specified by the <option>-P</option>, <option>-A</option>,
+ <option>-R</option>, <option>-I</option>, and <option>-D</option>
+ options. The metadata can then be used by
+ <command>dnssec-signzone</command> or other signing software to
+ determine when a key is to be published, whether it should be
+ used for signing a zone, etc.
+ </para>
+ <para>
+ If none of these options is set on the command line,
+ then <command>dnssec-settime</command> simply prints the key timing
+ metadata already stored in the key.
+ </para>
+ <para>
+ When key metadata fields are changed, both files of a key
+ pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
+ <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
+ Metadata fields are stored in the private file. A human-readable
+ description of the metadata is also placed in comments in the key
+ file.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-f</term>
+ <listitem>
+ <para>
+ Force an update of an old-format key with no metadata fields.
+ Without this option, <command>dnssec-settime</command> will
+ fail when attempting to update a legacy key. With this option,
+ the key will be recreated in the new format, but with the
+ original key data retained. The key's creation date will be
+ set to the present time.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-K <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Sets the directory in which the key files are to reside.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Emit usage message and exit.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>TIMING OPTIONS</title>
+ <para>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds. To unset a date, use 'none'.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-P <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-A <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-R <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-I <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-D <replaceable class="parameter">date/offset</replaceable></term>
+ <listitem>
+ <para>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>PRINTING OPTIONS</title>
+ <para>
+ <command>dnssec-settime</command> can also be used to print the
+ timing metadata associated with a key.
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term>-u</term>
+ <listitem>
+ <para>
+ Print times in UNIX epoch format.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
+ <listitem>
+ <para>
+ Print a specific metadata value or set of metadata values.
+ The <option>-p</option> option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ <option>C</option> for the creation date,
+ <option>P</option> for the publication date,
+ <option>A</option> for the activation date,
+ <option>R</option> for the revocation date,
+ <option>I</option> for the inactivation date, or
+ <option>D</option> for the deletion date.
+ To print all of the metadata, use <option>-p all</option>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para><citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5011</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: dnssec-settime.html,v 1.9.24.5 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>dnssec-settime</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.dnssec-settime"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543419"></a><h2>DESCRIPTION</h2>
+<p><span><strong class="command">dnssec-settime</strong></span>
+ reads a DNSSEC private key file and sets the key timing metadata
+ as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
+ <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
+ options. The metadata can then be used by
+ <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
+ determine when a key is to be published, whether it should be
+ used for signing a zone, etc.
+ </p>
+<p>
+ If none of these options is set on the command line,
+ then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
+ metadata already stored in the key.
+ </p>
+<p>
+ When key metadata fields are changed, both files of a key
+ pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
+ <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
+ Metadata fields are stored in the private file. A human-readable
+ description of the metadata is also placed in comments in the key
+ file.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543467"></a><h2>OPTIONS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-f</span></dt>
+<dd><p>
+ Force an update of an old-format key with no metadata fields.
+ Without this option, <span><strong class="command">dnssec-settime</strong></span> will
+ fail when attempting to update a legacy key. With this option,
+ the key will be recreated in the new format, but with the
+ original key data retained. The key's creation date will be
+ set to the present time.
+ </p></dd>
+<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
+<dd><p>
+ Sets the directory in which the key files are to reside.
+ </p></dd>
+<dt><span class="term">-h</span></dt>
+<dd><p>
+ Emit usage message and exit.
+ </p></dd>
+<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
+<dd><p>
+ Sets the debugging level.
+ </p></dd>
+<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
+<dd><p>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pkcs11; the empty name resets it to no engine.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543559"></a><h2>TIMING OPTIONS</h2>
+<p>
+ Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
+ If the argument begins with a '+' or '-', it is interpreted as
+ an offset from the present time. For convenience, if such an offset
+ is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
+ then the offset is computed in years (defined as 365 24-hour days,
+ ignoring leap years), months (defined as 30 24-hour days), weeks,
+ days, hours, or minutes, respectively. Without a suffix, the offset
+ is computed in seconds. To unset a date, use 'none'.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which a key is to be published to the zone.
+ After that date, the key will be included in the zone but will
+ not be used to sign it.
+ </p></dd>
+<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be activated. After that
+ date, the key will be included in the zone and used to sign
+ it.
+ </p></dd>
+<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be revoked. After that
+ date, the key will be flagged as revoked. It will be included
+ in the zone and will be used to sign it.
+ </p></dd>
+<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be retired. After that
+ date, the key will still be included in the zone, but it
+ will not be used to sign it.
+ </p></dd>
+<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
+<dd><p>
+ Sets the date on which the key is to be deleted. After that
+ date, the key will no longer be included in the zone. (It
+ may remain in the key repository, however.)
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543657"></a><h2>PRINTING OPTIONS</h2>
+<p>
+ <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
+ timing metadata associated with a key.
+ </p>
+<div class="variablelist"><dl>
+<dt><span class="term">-u</span></dt>
+<dd><p>
+ Print times in UNIX epoch format.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
+<dd><p>
+ Print a specific metadata value or set of metadata values.
+ The <code class="option">-p</code> option may be followed by one or more
+ of the following letters to indicate which value or values to print:
+ <code class="option">C</code> for the creation date,
+ <code class="option">P</code> for the publication date,
+ <code class="option">A</code> for the activation date,
+ <code class="option">R</code> for the revocation date,
+ <code class="option">I</code> for the inactivation date, or
+ <code class="option">D</code> for the deletion date.
+ To print all of the metadata, use <code class="option">-p all</code>.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543735"></a><h2>SEE ALSO</h2>
+<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5011</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543768"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+# Microsoft Developer Studio Project File - Name="revoke" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=revoke - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "revoke.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "revoke.mak" CFG="revoke - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "revoke - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "revoke - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "revoke - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-revoke.exe"\r
+\r
+!ELSEIF "$(CFG)" == "revoke - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-revoke.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "revoke - Win32 Release"\r
+# Name "revoke - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\dnssec-revoke.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "revoke"=".\revoke.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on revoke.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=revoke - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to revoke - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "revoke - Win32 Release" && "$(CFG)" != "revoke - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "revoke.mak" CFG="revoke - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "revoke - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "revoke - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "revoke - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "revoke - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\dnssec-revoke.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\dnssec-revoke.obj"\r
+ -@erase "$(INTDIR)\dnssectool.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\dnssec-revoke.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\revoke.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\revoke.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-revoke.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-revoke.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\dnssec-revoke.obj" \\r
+ "$(INTDIR)\dnssectool.obj"\r
+\r
+"..\..\..\Build\Release\dnssec-revoke.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "revoke - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\dnssec-revoke.exe" "$(OUTDIR)\revoke.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\dnssec-revoke.obj"\r
+ -@erase "$(INTDIR)\dnssec-revoke.sbr"\r
+ -@erase "$(INTDIR)\dnssectool.obj"\r
+ -@erase "$(INTDIR)\dnssectool.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\dnssec-revoke.pdb"\r
+ -@erase "$(OUTDIR)\revoke.bsc"\r
+ -@erase "..\..\..\Build\Debug\dnssec-revoke.exe"\r
+ -@erase "..\..\..\Build\Debug\dnssec-revoke.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\revoke.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\dnssec-revoke.sbr" \\r
+ "$(INTDIR)\dnssectool.sbr"\r
+\r
+"$(OUTDIR)\revoke.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-revoke.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-revoke.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\dnssec-revoke.obj" \\r
+ "$(INTDIR)\dnssectool.obj"\r
+\r
+"..\..\..\Build\Debug\dnssec-revoke.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("revoke.dep")\r
+!INCLUDE "revoke.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "revoke.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "revoke - Win32 Release" || "$(CFG)" == "revoke - Win32 Debug"\r
+SOURCE="..\dnssec-revoke.c"\r
+\r
+!IF "$(CFG)" == "revoke - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\dnssec-revoke.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "revoke - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\dnssec-revoke.obj" "$(INTDIR)\dnssec-revoke.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE=..\dnssectool.c\r
+\r
+!IF "$(CFG)" == "revoke - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "revoke - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\dnssectool.obj" "$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="settime" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=settime - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "settime.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "settime.mak" CFG="settime - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "settime - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "settime - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "settime - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib Release/dnssectool.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/dnssec-settime.exe"\r
+\r
+!ELSEIF "$(CFG)" == "settime - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib Debug/dnssectool.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/dnssec-settime.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "settime - Win32 Release"\r
+# Name "settime - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\dnssec-settime.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "settime"=".\settime.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on settime.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=settime - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to settime - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "settime - Win32 Release" && "$(CFG)" != "settime - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "settime.mak" CFG="settime - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "settime - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "settime - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "settime - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "settime - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\dnssec-settime.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\dnssec-settime.obj"\r
+ -@erase "$(INTDIR)\dnssectool.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\dnssec-settime.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\settime.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\settime.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\dnssec-settime.pdb" /machine:I386 /out:"../../../Build/Release/dnssec-settime.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\dnssec-settime.obj" \\r
+ "$(INTDIR)\dnssectool.obj"\r
+\r
+"..\..\..\Build\Release\dnssec-settime.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "settime - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\dnssec-settime.exe" "$(OUTDIR)\settime.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\dnssec-settime.obj"\r
+ -@erase "$(INTDIR)\dnssec-settime.sbr"\r
+ -@erase "$(INTDIR)\dnssectool.obj"\r
+ -@erase "$(INTDIR)\dnssectool.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\dnssec-settime.pdb"\r
+ -@erase "$(OUTDIR)\settime.bsc"\r
+ -@erase "..\..\..\Build\Debug\dnssec-settime.exe"\r
+ -@erase "..\..\..\Build\Debug\dnssec-settime.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\settime.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\dnssec-settime.sbr" \\r
+ "$(INTDIR)\dnssectool.sbr"\r
+\r
+"$(OUTDIR)\settime.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\dnssec-settime.pdb" /debug /machine:I386 /out:"../../../Build/Debug/dnssec-settime.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\dnssec-settime.obj" \\r
+ "$(INTDIR)\dnssectool.obj"\r
+\r
+"..\..\..\Build\Debug\dnssec-settime.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("settime.dep")\r
+!INCLUDE "settime.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "settime.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "settime - Win32 Release" || "$(CFG)" == "settime - Win32 Debug"\r
+SOURCE="..\dnssec-settime.c"\r
+\r
+!IF "$(CFG)" == "settime - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\dnssec-settime.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "settime - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\dnssec-settime.obj" "$(INTDIR)\dnssec-settime.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+SOURCE=..\dnssectool.c\r
+\r
+!IF "$(CFG)" == "settime - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\dnssectool.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "settime - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\dnssectool.obj" "$(INTDIR)\dnssectool.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+#define TRUSTED_KEYS "\
+trusted-keys {\n\
+ # NOTE: This key is current as of October 2009.\n\
+ # If it fails to initialize correctly, it may have expired;\n\
+ # see https://www.isc.org/solutions/dlv for a replacement.\n\
+ dlv.isc.org. 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+};\n\
+"
+
+#define MANAGED_KEYS "\
+managed-keys {\n\
+ # NOTE: This key is current as of October 2009.\n\
+ # If it fails to initialize correctly, it may have expired;\n\
+ # see https://www.isc.org/solutions/dlv for a replacement.\n\
+ dlv.isc.org. initial-key 257 3 5 \"BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh\";\n\
+};\n\
+"
--- /dev/null
+#!/usr/bin/env perl
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: bindkeys.pl,v 1.3 2009/09/01 07:14:25 each Exp $
+
+use strict;
+use warnings;
+
+my $lines;
+while (<>) {
+ chomp;
+ s/\"/\\\"/g;
+ s/$/\\n\\/;
+ $lines .= $_ . "\n";
+}
+
+my $mkey = '#define MANAGED_KEYS "\\' . "\n" . $lines . "\"\n";
+
+$lines =~ s/managed-keys/trusted-keys/;
+$lines =~ s/\s+initial-key//;
+my $tkey = '#define TRUSTED_KEYS "\\' . "\n" . $lines . "\"\n";
+
+print $tkey;
+print "\n";
+print $mkey;
--- /dev/null
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.2 2009/10/05 12:07:08 fdupont Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+PROVIDER = @PKCS11_PROVIDER@
+
+CINCLUDES = -I${srcdir}/include -I${srcdir}/unix
+
+CDEFINES = -DPK11_LIB_LOCATION=\"${PROVIDER}\"
+
+# if FORCE_STATIC_PROVIDER: LIBS = ${PROVIDER}
+LIBS = -ldl
+
+SUBDIRS =
+
+TARGETS = pkcs11-keygen@EXEEXT@ pkcs11-list@EXEEXT@ \
+ pkcs11-destroy@EXEEXT@
+SRCS = pkcs11-keygen.c pkcs11-list.c pkcs11-destroy.c
+
+MANPAGES = pkcs11-keygen.8 pkcs11-list.8 pkcs11-destroy.8
+HTMLPAGES = pkcs11-keygen.html pkcs11-list.html pkcs11-destroy.html
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+pkcs11-keygen@EXEEXT@: @srcdir@/pkcs11-keygen.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+ -o $@ @srcdir@/pkcs11-keygen.c ${LIBS}
+
+pkcs11-list@EXEEXT@: @srcdir@/pkcs11-list.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+ -o $@ @srcdir@/pkcs11-list.c ${LIBS}
+
+pkcs11-destroy@EXEEXT@: @srcdir@/pkcs11-destroy.c
+ ${CC} ${ALL_CFLAGS} ${LDFLAGS} \
+ -o $@ @srcdir@/pkcs11-destroy.c ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+ ${INSTALL_PROGRAM} pkcs11-keygen@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_PROGRAM} pkcs11-list@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_PROGRAM} pkcs11-destroy@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/pkcs11-keygen.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/pkcs11-list.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/pkcs11-destroy.8 ${DESTDIR}${mandir}/man8
+
+clean distclean::
+ rm -f ${TARGETS}
--- /dev/null
+
+ BIND-9 PKCS#11 support
+
+Prerequisite
+
+The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
+released the 2008-12-02 for OpenSSL 0.9.8i, with back port of key by reference
+and some improvements, including user friendly PIN management. You may also
+use the original engine code.
+
+Compilation
+
+"configure --with-pkcs11 ..."
+
+PKCS#11 Libraries
+
+Tested with Solaris one with a SCA board and with openCryptoki with the
+software token. Known to work on Linux and Windows 2003 server so
+should work on most operating systems. For AEP Keyper or any device used
+only for its protected key store, please switch to the sign-only engine.
+
+OpenSSL Engines
+
+With PKCS#11 support the PKCS#11 engine is statically loaded but at its
+initialization it dynamically loads the PKCS#11 objects.
+Even the pre commands are therefore unused they are defined with:
+ SO_PATH:
+ define: PKCS11_SO_PATH
+ default: /usr/local/lib/engines/engine_pkcs11.so
+ MODULE_PATH:
+ define: PKCS11_MODULE_PATH
+ default: /usr/lib/libpkcs11.so
+Without PKCS#11 support, a specific OpenSSL engine can be still used
+by defining ENGINE_ID at compile time.
+
+PKCS#11 tools
+
+The contrib/pkcs11-keygen directory contains a set of experimental tools
+to handle keys stored in a Hardware Security Module at the benefit of BIND.
+
+The patch for OpenSSL 0.9.8i is in this directory. Read its README.pkcs11
+for the way to use it (these are the original notes so with the original
+path, etc. Define HAVE_GETPASSPHRASE if you have getpassphrase() on
+a operating system which is not Solaris.)
+
+Not all tools are supported on AEP Keyper but genkey and dnssec-keyfromlabel
+are functional.
+
+PIN management
+
+With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
+each time it is required. With the improved engine, the PIN should be
+entered the first time it is required or can be configured in the
+OpenSSL configuration file (aka. openssl.cnf) by adding in it:
+ - at the beginning:
+ openssl_conf = openssl_def
+ - at any place these sections:
+ [ openssl_def ]
+ engines = engine_section
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+ [ pkcs11_section ]
+ PIN = put__your__pin__value__here
+
+Slot management
+
+The engine tries to use the first best slot but it is recommended
+to simply use the slot 0 (usual default, meta-slot on Solaris).
+
+Sign-only engine
+
+openssl.../crypto/engine/hw_pk11-kp.c and hw_pk11_pub-kp.c contain
+a stripped down version of hw_pk11.c and hw_pk11_pub.c files which
+has only the useful functions (i.e., signature with a RSA private
+key in the device protected key store and key loading).
+
+This engine should be used with a device which provides mainly
+a protected store and no acceleration. AEP Keyper is an example
+of such a device (BTW with the fully capable engine, key export
+must be enabled on this device and this configuration is not yet
+supported).
+
+Original engine
+
+If you are using the original engine and getpassphrase() is not defined, add:
+#define getpassphrase(x) getpass(x)
+in openssl.../crypto/engine/hw_pk11_pub.c
+
+Notes
+
+Some names here are registered trademarks, at least Solaris is a trademark
+of Sun Microsystems Inc...
+Include files are from RSA Labs., PKCS#11 version is 2.20 amendment 3.
+The PKCS#11 support is compatible with the forthcoming FIPS 140-2 support.
--- /dev/null
+/* pkcs11.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+#ifndef _PKCS11_H_
+#define _PKCS11_H_ 1
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* Before including this file (pkcs11.h) (or pkcs11t.h by
+ * itself), 6 platform-specific macros must be defined. These
+ * macros are described below, and typical definitions for them
+ * are also given. Be advised that these definitions can depend
+ * on both the platform and the compiler used (and possibly also
+ * on whether a Cryptoki library is linked statically or
+ * dynamically).
+ *
+ * In addition to defining these 6 macros, the packing convention
+ * for Cryptoki structures should be set. The Cryptoki
+ * convention on packing is that structures should be 1-byte
+ * aligned.
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, this might be done by using the following
+ * preprocessor directive before including pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(push, cryptoki, 1)
+ *
+ * and using the following preprocessor directive after including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(pop, cryptoki)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, this might be done by using
+ * the following preprocessor directive before including
+ * pkcs11.h or pkcs11t.h:
+ *
+ * #pragma pack(1)
+ *
+ * In a UNIX environment, you're on your own for this. You might
+ * not need to do (or be able to do!) anything.
+ *
+ *
+ * Now for the macros:
+ *
+ *
+ * 1. CK_PTR: The indirection string for making a pointer to an
+ * object. It can be used like this:
+ *
+ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to produce
+ * Win32 stuff, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to produce Win16 stuff, it might be defined by:
+ *
+ * #define CK_PTR far *
+ *
+ * In a typical UNIX environment, it might be defined by:
+ *
+ * #define CK_PTR *
+ *
+ *
+ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
+ * an exportable Cryptoki library function definition out of a
+ * return type and a function name. It should be used in the
+ * following fashion to define the exposed Cryptoki functions in
+ * a Cryptoki library:
+ *
+ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * )
+ * {
+ * ...
+ * }
+ *
+ * If you're using Microsoft Developer Studio 5.0 to define a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllexport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to define a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DEFINE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
+ * an importable Cryptoki library function declaration out of a
+ * return type and a function name. It should be used in the
+ * following fashion:
+ *
+ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
+ * CK_VOID_PTR pReserved
+ * );
+ *
+ * If you're using Microsoft Developer Studio 5.0 to declare a
+ * function in a Win32 Cryptoki .dll, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __declspec(dllimport) name
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to declare a function in a Win16 Cryptoki .dll, it
+ * might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType __export _far _pascal name
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION(returnType, name) \
+ * returnType name
+ *
+ *
+ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
+ * which makes a Cryptoki API function pointer declaration or
+ * function pointer type declaration out of a return type and a
+ * function name. It should be used in the following fashion:
+ *
+ * // Define funcPtr to be a pointer to a Cryptoki API function
+ * // taking arguments args and returning CK_RV.
+ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
+ *
+ * or
+ *
+ * // Define funcPtrType to be the type of a pointer to a
+ * // Cryptoki API function taking arguments args and returning
+ * // CK_RV, and then define funcPtr to be a variable of type
+ * // funcPtrType.
+ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
+ * funcPtrType funcPtr;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to access
+ * functions in a Win32 Cryptoki .dll, in might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __declspec(dllimport) (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to access functions in a Win16 Cryptoki .dll, it might
+ * be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType __export _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
+ * a function pointer type for an application callback out of
+ * a return type for the callback and a name for the callback.
+ * It should be used in the following fashion:
+ *
+ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
+ *
+ * to declare a function pointer, myCallback, to a callback
+ * which takes arguments args and returns a CK_RV. It can also
+ * be used like this:
+ *
+ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
+ * myCallbackType myCallback;
+ *
+ * If you're using Microsoft Developer Studio 5.0 to do Win32
+ * Cryptoki development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ * If you're using an earlier version of Microsoft Developer
+ * Studio to do Win16 development, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType _far _pascal (* name)
+ *
+ * In a UNIX environment, it might be defined by:
+ *
+ * #define CK_CALLBACK_FUNCTION(returnType, name) \
+ * returnType (* name)
+ *
+ *
+ * 6. NULL_PTR: This macro is the value of a NULL pointer.
+ *
+ * In any ANSI/ISO C environment (and in many others as well),
+ * this should best be defined by
+ *
+ * #ifndef NULL_PTR
+ * #define NULL_PTR 0
+ * #endif
+ */
+
+
+/* All the various Cryptoki types and #define'd values are in the
+ * file pkcs11t.h. */
+#include "pkcs11t.h"
+
+#define __PASTE(x,y) x##y
+
+
+/* ==============================================================
+ * Define the "extern" form of all the entry points.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ extern CK_DECLARE_FUNCTION(CK_RV, name)
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define the typedef form of all the entry points. That is, for
+ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
+ * a pointer to that kind of function.
+ * ==============================================================
+ */
+
+#define CK_NEED_ARG_LIST 1
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
+
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+#undef CK_NEED_ARG_LIST
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+/* ==============================================================
+ * Define structed vector of entry points. A CK_FUNCTION_LIST
+ * contains a CK_VERSION indicating a library's Cryptoki version
+ * and then a whole slew of function pointers to the routines in
+ * the library. This type was declared, but not defined, in
+ * pkcs11t.h.
+ * ==============================================================
+ */
+
+#define CK_PKCS11_FUNCTION_INFO(name) \
+ __PASTE(CK_,name) name;
+
+struct CK_FUNCTION_LIST {
+
+ CK_VERSION version; /* Cryptoki version */
+
+/* Pile all the function pointers into the CK_FUNCTION_LIST. */
+/* pkcs11f.h has all the information about the Cryptoki
+ * function prototypes. */
+#include "pkcs11f.h"
+
+};
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+
+#undef __PASTE
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
--- /dev/null
+/* pkcs11f.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This header file contains pretty much everything about all the */
+/* Cryptoki function prototypes. Because this information is */
+/* used for more than just declaring function prototypes, the */
+/* order of the functions appearing herein is important, and */
+/* should not be altered. */
+
+/* General-purpose */
+
+/* C_Initialize initializes the Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Initialize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
+ * cast to CK_C_INITIALIZE_ARGS_PTR
+ * and dereferenced */
+);
+#endif
+
+
+/* C_Finalize indicates that an application is done with the
+ * Cryptoki library. */
+CK_PKCS11_FUNCTION_INFO(C_Finalize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
+);
+#endif
+
+
+/* C_GetInfo returns general information about Cryptoki. */
+CK_PKCS11_FUNCTION_INFO(C_GetInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_INFO_PTR pInfo /* location that receives information */
+);
+#endif
+
+
+/* C_GetFunctionList returns the function list. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
+ * function list */
+);
+#endif
+
+
+
+/* Slot and token management */
+
+/* C_GetSlotList obtains a list of slots in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_BBOOL tokenPresent, /* only slots with tokens? */
+ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
+ CK_ULONG_PTR pulCount /* receives number of slots */
+);
+#endif
+
+
+/* C_GetSlotInfo obtains information about a particular slot in
+ * the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the ID of the slot */
+ CK_SLOT_INFO_PTR pInfo /* receives the slot information */
+);
+#endif
+
+
+/* C_GetTokenInfo obtains information about a particular token
+ * in the system. */
+CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_TOKEN_INFO_PTR pInfo /* receives the token information */
+);
+#endif
+
+
+/* C_GetMechanismList obtains a list of mechanism types
+ * supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of token's slot */
+ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
+ CK_ULONG_PTR pulCount /* gets # of mechs. */
+);
+#endif
+
+
+/* C_GetMechanismInfo obtains information about a particular
+ * mechanism possibly supported by a token. */
+CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_MECHANISM_TYPE type, /* type of mechanism */
+ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
+);
+#endif
+
+
+/* C_InitToken initializes a token. */
+CK_PKCS11_FUNCTION_INFO(C_InitToken)
+#ifdef CK_NEED_ARG_LIST
+/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
+(
+ CK_SLOT_ID slotID, /* ID of the token's slot */
+ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
+ CK_ULONG ulPinLen, /* length in bytes of the PIN */
+ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
+);
+#endif
+
+
+/* C_InitPIN initializes the normal user's PIN. */
+CK_PKCS11_FUNCTION_INFO(C_InitPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
+ CK_ULONG ulPinLen /* length in bytes of the PIN */
+);
+#endif
+
+
+/* C_SetPIN modifies the PIN of the user who is logged in. */
+CK_PKCS11_FUNCTION_INFO(C_SetPIN)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
+ CK_ULONG ulOldLen, /* length of the old PIN */
+ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
+ CK_ULONG ulNewLen /* length of the new PIN */
+);
+#endif
+
+
+
+/* Session management */
+
+/* C_OpenSession opens a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_OpenSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID, /* the slot's ID */
+ CK_FLAGS flags, /* from CK_SESSION_INFO */
+ CK_VOID_PTR pApplication, /* passed to callback */
+ CK_NOTIFY Notify, /* callback function */
+ CK_SESSION_HANDLE_PTR phSession /* gets session handle */
+);
+#endif
+
+
+/* C_CloseSession closes a session between an application and a
+ * token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseSession)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CloseAllSessions closes all sessions with a token. */
+CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SLOT_ID slotID /* the token's slot */
+);
+#endif
+
+
+/* C_GetSessionInfo obtains information about the session. */
+CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_SESSION_INFO_PTR pInfo /* receives session info */
+);
+#endif
+
+
+/* C_GetOperationState obtains the state of the cryptographic operation
+ * in a session. */
+CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* gets state */
+ CK_ULONG_PTR pulOperationStateLen /* gets state length */
+);
+#endif
+
+
+/* C_SetOperationState restores the state of the cryptographic
+ * operation in a session. */
+CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pOperationState, /* holds state */
+ CK_ULONG ulOperationStateLen, /* holds state length */
+ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
+ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
+);
+#endif
+
+
+/* C_Login logs a user into a token. */
+CK_PKCS11_FUNCTION_INFO(C_Login)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_USER_TYPE userType, /* the user type */
+ CK_UTF8CHAR_PTR pPin, /* the user's PIN */
+ CK_ULONG ulPinLen /* the length of the PIN */
+);
+#endif
+
+
+/* C_Logout logs a user out from a token. */
+CK_PKCS11_FUNCTION_INFO(C_Logout)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Object management */
+
+/* C_CreateObject creates a new object. */
+CK_PKCS11_FUNCTION_INFO(C_CreateObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
+);
+#endif
+
+
+/* C_CopyObject copies an object, creating a new object for the
+ * copy. */
+CK_PKCS11_FUNCTION_INFO(C_CopyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
+ CK_ULONG ulCount, /* attributes in template */
+ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
+);
+#endif
+
+
+/* C_DestroyObject destroys an object. */
+CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject /* the object's handle */
+);
+#endif
+
+
+/* C_GetObjectSize gets the size of an object in bytes. */
+CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ULONG_PTR pulSize /* receives size of object */
+);
+#endif
+
+
+/* C_GetAttributeValue obtains the value of one or more object
+ * attributes. */
+CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_SetAttributeValue modifies the value of one or more object
+ * attributes */
+CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hObject, /* the object's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
+ CK_ULONG ulCount /* attributes in template */
+);
+#endif
+
+
+/* C_FindObjectsInit initializes a search for token and session
+ * objects that match a template. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
+ CK_ULONG ulCount /* attrs in search template */
+);
+#endif
+
+
+/* C_FindObjects continues a search for token and session
+ * objects that match a template, obtaining additional object
+ * handles. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjects)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
+ CK_ULONG ulMaxObjectCount, /* max handles to get */
+ CK_ULONG_PTR pulObjectCount /* actual # returned */
+);
+#endif
+
+
+/* C_FindObjectsFinal finishes a search for token and session
+ * objects. */
+CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Encryption and decryption */
+
+/* C_EncryptInit initializes an encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of encryption key */
+);
+#endif
+
+
+/* C_Encrypt encrypts single-part data. */
+CK_PKCS11_FUNCTION_INFO(C_Encrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pData, /* the plaintext data */
+ CK_ULONG ulDataLen, /* bytes of plaintext */
+ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptUpdate continues a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext data len */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
+);
+#endif
+
+
+/* C_EncryptFinal finishes a multiple-part encryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session handle */
+ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
+ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
+);
+#endif
+
+
+/* C_DecryptInit initializes a decryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of decryption key */
+);
+#endif
+
+
+/* C_Decrypt decrypts encrypted data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Decrypt)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedData, /* ciphertext */
+ CK_ULONG ulEncryptedDataLen, /* ciphertext length */
+ CK_BYTE_PTR pData, /* gets plaintext */
+ CK_ULONG_PTR pulDataLen /* gets p-text size */
+);
+#endif
+
+
+/* C_DecryptUpdate continues a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* encrypted data */
+ CK_ULONG ulEncryptedPartLen, /* input length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* p-text size */
+);
+#endif
+
+
+/* C_DecryptFinal finishes a multiple-part decryption
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pLastPart, /* gets plaintext */
+ CK_ULONG_PTR pulLastPartLen /* p-text size */
+);
+#endif
+
+
+
+/* Message digesting */
+
+/* C_DigestInit initializes a message-digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
+);
+#endif
+
+
+/* C_Digest digests data in a single part. */
+CK_PKCS11_FUNCTION_INFO(C_Digest)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* data to be digested */
+ CK_ULONG ulDataLen, /* bytes of data to digest */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets digest length */
+);
+#endif
+
+
+/* C_DigestUpdate continues a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* data to be digested */
+ CK_ULONG ulPartLen /* bytes of data to be digested */
+);
+#endif
+
+
+/* C_DigestKey continues a multi-part message-digesting
+ * operation, by digesting the value of a secret key as part of
+ * the data already digested. */
+CK_PKCS11_FUNCTION_INFO(C_DigestKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_OBJECT_HANDLE hKey /* secret key to digest */
+);
+#endif
+
+
+/* C_DigestFinal finishes a multiple-part message-digesting
+ * operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pDigest, /* gets the message digest */
+ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
+);
+#endif
+
+
+
+/* Signing and MACing */
+
+/* C_SignInit initializes a signature (private key encryption)
+ * operation, where the signature is (will be) an appendix to
+ * the data, and plaintext cannot be recovered from the
+ *signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of signature key */
+);
+#endif
+
+
+/* C_Sign signs (encrypts with private key) data in a single
+ * part, where the signature is (will be) an appendix to the
+ * data, and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Sign)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignUpdate continues a multiple-part signature operation,
+ * where the signature is (will be) an appendix to the data,
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* the data to sign */
+ CK_ULONG ulPartLen /* count of bytes to sign */
+);
+#endif
+
+
+/* C_SignFinal finishes a multiple-part signature operation,
+ * returning the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+/* C_SignRecoverInit initializes a signature operation, where
+ * the data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
+ CK_OBJECT_HANDLE hKey /* handle of the signature key */
+);
+#endif
+
+
+/* C_SignRecover signs data in a single operation, where the
+ * data can be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_SignRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* the data to sign */
+ CK_ULONG ulDataLen, /* count of bytes to sign */
+ CK_BYTE_PTR pSignature, /* gets the signature */
+ CK_ULONG_PTR pulSignatureLen /* gets signature length */
+);
+#endif
+
+
+
+/* Verifying signatures and MACs */
+
+/* C_VerifyInit initializes a verification operation, where the
+ * signature is an appendix to the data, and plaintext cannot
+ * cannot be recovered from the signature (e.g. DSA). */
+CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_Verify verifies a signature in a single-part operation,
+ * where the signature is an appendix to the data, and plaintext
+ * cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_Verify)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pData, /* signed data */
+ CK_ULONG ulDataLen, /* length of signed data */
+ CK_BYTE_PTR pSignature, /* signature */
+ CK_ULONG ulSignatureLen /* signature length*/
+);
+#endif
+
+
+/* C_VerifyUpdate continues a multiple-part verification
+ * operation, where the signature is an appendix to the data,
+ * and plaintext cannot be recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pPart, /* signed data */
+ CK_ULONG ulPartLen /* length of signed data */
+);
+#endif
+
+
+/* C_VerifyFinal finishes a multiple-part verification
+ * operation, checking the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen /* signature length */
+);
+#endif
+
+
+/* C_VerifyRecoverInit initializes a signature verification
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
+ CK_OBJECT_HANDLE hKey /* verification key */
+);
+#endif
+
+
+/* C_VerifyRecover verifies a signature in a single-part
+ * operation, where the data is recovered from the signature. */
+CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSignature, /* signature to verify */
+ CK_ULONG ulSignatureLen, /* signature length */
+ CK_BYTE_PTR pData, /* gets signed data */
+ CK_ULONG_PTR pulDataLen /* gets signed data len */
+);
+#endif
+
+
+
+/* Dual-function cryptographic operations */
+
+/* C_DigestEncryptUpdate continues a multiple-part digesting
+ * and encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptDigestUpdate continues a multiple-part decryption and
+ * digesting operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets plaintext len */
+);
+#endif
+
+
+/* C_SignEncryptUpdate continues a multiple-part signing and
+ * encryption operation. */
+CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pPart, /* the plaintext data */
+ CK_ULONG ulPartLen, /* plaintext length */
+ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
+ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
+);
+#endif
+
+
+/* C_DecryptVerifyUpdate continues a multiple-part decryption and
+ * verify operation. */
+CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
+ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
+ CK_BYTE_PTR pPart, /* gets plaintext */
+ CK_ULONG_PTR pulPartLen /* gets p-text length */
+);
+#endif
+
+
+
+/* Key management */
+
+/* C_GenerateKey generates a secret key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
+ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
+ CK_ULONG ulCount, /* # of attrs in template */
+ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
+);
+#endif
+
+
+/* C_GenerateKeyPair generates a public-key/private-key pair,
+ * creating new key objects. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session
+ * handle */
+ CK_MECHANISM_PTR pMechanism, /* key-gen
+ * mech. */
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
+ * for pub.
+ * key */
+ CK_ULONG ulPublicKeyAttributeCount, /* # pub.
+ * attrs. */
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
+ * for priv.
+ * key */
+ CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
+ * attrs. */
+ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
+ * key
+ * handle */
+ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
+ * priv. key
+ * handle */
+);
+#endif
+
+
+/* C_WrapKey wraps (i.e., encrypts) a key. */
+CK_PKCS11_FUNCTION_INFO(C_WrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
+ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
+ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
+ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
+ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
+);
+#endif
+
+
+/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
+ * key object. */
+CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
+ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
+ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
+ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+/* C_DeriveKey derives a key from a base key, creating a new key
+ * object. */
+CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* session's handle */
+ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
+ CK_OBJECT_HANDLE hBaseKey, /* base key */
+ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
+ CK_ULONG ulAttributeCount, /* template length */
+ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
+);
+#endif
+
+
+
+/* Random number generation */
+
+/* C_SeedRandom mixes additional seed material into the token's
+ * random number generator. */
+CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR pSeed, /* the seed material */
+ CK_ULONG ulSeedLen /* length of seed material */
+);
+#endif
+
+
+/* C_GenerateRandom generates random data. */
+CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_BYTE_PTR RandomData, /* receives the random data */
+ CK_ULONG ulRandomLen /* # of bytes to generate */
+);
+#endif
+
+
+
+/* Parallel function management */
+
+/* C_GetFunctionStatus is a legacy function; it obtains an
+ * updated status of a function running in parallel with an
+ * application. */
+CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+/* C_CancelFunction is a legacy function; it cancels a function
+ * running in parallel. */
+CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_SESSION_HANDLE hSession /* the session's handle */
+);
+#endif
+
+
+
+/* Functions added in for Cryptoki Version 2.01 or later */
+
+/* C_WaitForSlotEvent waits for a slot event (token insertion,
+ * removal, etc.) to occur. */
+CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
+#ifdef CK_NEED_ARG_LIST
+(
+ CK_FLAGS flags, /* blocking/nonblocking flag */
+ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
+ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
+);
+#endif
--- /dev/null
+/* pkcs11t.h include file for PKCS #11. */
+/* $Revision: 1.2 $ */
+
+/* License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* See top of pkcs11.h for information about the macros that
+ * must be defined and the structure-packing conventions that
+ * must be set before including this file. */
+
+#ifndef _PKCS11T_H_
+#define _PKCS11T_H_ 1
+
+#define CRYPTOKI_VERSION_MAJOR 2
+#define CRYPTOKI_VERSION_MINOR 20
+#define CRYPTOKI_VERSION_AMENDMENT 3
+
+#define CK_TRUE 1
+#define CK_FALSE 0
+
+#ifndef CK_DISABLE_TRUE_FALSE
+#ifndef FALSE
+#define FALSE CK_FALSE
+#endif
+
+#ifndef TRUE
+#define TRUE CK_TRUE
+#endif
+#endif
+
+/* an unsigned 8-bit value */
+typedef unsigned char CK_BYTE;
+
+/* an unsigned 8-bit character */
+typedef CK_BYTE CK_CHAR;
+
+/* an 8-bit UTF-8 character */
+typedef CK_BYTE CK_UTF8CHAR;
+
+/* a BYTE-sized Boolean flag */
+typedef CK_BYTE CK_BBOOL;
+
+/* an unsigned value, at least 32 bits long */
+typedef unsigned long int CK_ULONG;
+
+/* a signed value, the same size as a CK_ULONG */
+/* CK_LONG is new for v2.0 */
+typedef long int CK_LONG;
+
+/* at least 32 bits; each bit is a Boolean flag */
+typedef CK_ULONG CK_FLAGS;
+
+
+/* some special values for certain CK_ULONG variables */
+#define CK_UNAVAILABLE_INFORMATION (~0UL)
+#define CK_EFFECTIVELY_INFINITE 0
+
+
+typedef CK_BYTE CK_PTR CK_BYTE_PTR;
+typedef CK_CHAR CK_PTR CK_CHAR_PTR;
+typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
+typedef CK_ULONG CK_PTR CK_ULONG_PTR;
+typedef void CK_PTR CK_VOID_PTR;
+
+/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
+typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
+
+
+/* The following value is always invalid if used as a session */
+/* handle or object handle */
+#define CK_INVALID_HANDLE 0
+
+
+typedef struct CK_VERSION {
+ CK_BYTE major; /* integer portion of version number */
+ CK_BYTE minor; /* 1/100ths portion of version number */
+} CK_VERSION;
+
+typedef CK_VERSION CK_PTR CK_VERSION_PTR;
+
+
+typedef struct CK_INFO {
+ /* manufacturerID and libraryDecription have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags; /* must be zero */
+
+ /* libraryDescription and libraryVersion are new for v2.0 */
+ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
+ CK_VERSION libraryVersion; /* version of library */
+} CK_INFO;
+
+typedef CK_INFO CK_PTR CK_INFO_PTR;
+
+
+/* CK_NOTIFICATION enumerates the types of notifications that
+ * Cryptoki provides to an application */
+/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_NOTIFICATION;
+#define CKN_SURRENDER 0
+
+/* The following notification is new for PKCS #11 v2.20 amendment 3 */
+#define CKN_OTP_CHANGED 1
+
+
+typedef CK_ULONG CK_SLOT_ID;
+
+typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
+
+
+/* CK_SLOT_INFO provides information about a slot */
+typedef struct CK_SLOT_INFO {
+ /* slotDescription and manufacturerID have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_UTF8CHAR slotDescription[64]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_FLAGS flags;
+
+ /* hardwareVersion and firmwareVersion are new for v2.0 */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+} CK_SLOT_INFO;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
+#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
+#define CKF_HW_SLOT 0x00000004 /* hardware slot */
+
+typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
+
+
+/* CK_TOKEN_INFO provides information about a token */
+typedef struct CK_TOKEN_INFO {
+ /* label, manufacturerID, and model have been changed from
+ * CK_CHAR to CK_UTF8CHAR for v2.10 */
+ CK_UTF8CHAR label[32]; /* blank padded */
+ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
+ CK_UTF8CHAR model[16]; /* blank padded */
+ CK_CHAR serialNumber[16]; /* blank padded */
+ CK_FLAGS flags; /* see below */
+
+ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
+ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
+ * changed from CK_USHORT to CK_ULONG for v2.0 */
+ CK_ULONG ulMaxSessionCount; /* max open sessions */
+ CK_ULONG ulSessionCount; /* sess. now open */
+ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
+ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
+ CK_ULONG ulMaxPinLen; /* in bytes */
+ CK_ULONG ulMinPinLen; /* in bytes */
+ CK_ULONG ulTotalPublicMemory; /* in bytes */
+ CK_ULONG ulFreePublicMemory; /* in bytes */
+ CK_ULONG ulTotalPrivateMemory; /* in bytes */
+ CK_ULONG ulFreePrivateMemory; /* in bytes */
+
+ /* hardwareVersion, firmwareVersion, and time are new for
+ * v2.0 */
+ CK_VERSION hardwareVersion; /* version of hardware */
+ CK_VERSION firmwareVersion; /* version of firmware */
+ CK_CHAR utcTime[16]; /* time */
+} CK_TOKEN_INFO;
+
+/* The flags parameter is defined as follows:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RNG 0x00000001 /* has random #
+ * generator */
+#define CKF_WRITE_PROTECTED 0x00000002 /* token is
+ * write-
+ * protected */
+#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
+ * login */
+#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
+ * PIN is set */
+
+/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
+ * that means that *every* time the state of cryptographic
+ * operations of a session is successfully saved, all keys
+ * needed to continue those operations are stored in the state */
+#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
+
+/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
+ * that the token has some sort of clock. The time on that
+ * clock is returned in the token info structure */
+#define CKF_CLOCK_ON_TOKEN 0x00000040
+
+/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
+ * set, that means that there is some way for the user to login
+ * without sending a PIN through the Cryptoki library itself */
+#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
+
+/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
+ * that means that a single session with the token can perform
+ * dual simultaneous cryptographic operations (digest and
+ * encrypt; decrypt and digest; sign and encrypt; and decrypt
+ * and sign) */
+#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
+
+/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
+ * token has been initialized using C_InitializeToken or an
+ * equivalent mechanism outside the scope of PKCS #11.
+ * Calling C_InitializeToken when this flag is set will cause
+ * the token to be reinitialized. */
+#define CKF_TOKEN_INITIALIZED 0x00000400
+
+/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
+ * true, the token supports secondary authentication for
+ * private key objects. This flag is deprecated in v2.11 and
+ onwards. */
+#define CKF_SECONDARY_AUTHENTICATION 0x00000800
+
+/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect user login PIN has been entered at least once
+ * since the last successful authentication. */
+#define CKF_USER_PIN_COUNT_LOW 0x00010000
+
+/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect user PIN will it to become locked. */
+#define CKF_USER_PIN_FINAL_TRY 0x00020000
+
+/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
+ * user PIN has been locked. User login to the token is not
+ * possible. */
+#define CKF_USER_PIN_LOCKED 0x00040000
+
+/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the user PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
+
+/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
+ * incorrect SO login PIN has been entered at least once since
+ * the last successful authentication. */
+#define CKF_SO_PIN_COUNT_LOW 0x00100000
+
+/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
+ * supplying an incorrect SO PIN will it to become locked. */
+#define CKF_SO_PIN_FINAL_TRY 0x00200000
+
+/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
+ * PIN has been locked. SO login to the token is not possible.
+ */
+#define CKF_SO_PIN_LOCKED 0x00400000
+
+/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
+ * the SO PIN value is the default value set by token
+ * initialization or manufacturing, or the PIN has been
+ * expired by the card. */
+#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
+
+typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
+
+
+/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
+ * identifies a session */
+typedef CK_ULONG CK_SESSION_HANDLE;
+
+typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
+
+
+/* CK_USER_TYPE enumerates the types of Cryptoki users */
+/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_USER_TYPE;
+/* Security Officer */
+#define CKU_SO 0
+/* Normal user */
+#define CKU_USER 1
+/* Context specific (added in v2.20) */
+#define CKU_CONTEXT_SPECIFIC 2
+
+/* CK_STATE enumerates the session states */
+/* CK_STATE has been changed from an enum to a CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_STATE;
+#define CKS_RO_PUBLIC_SESSION 0
+#define CKS_RO_USER_FUNCTIONS 1
+#define CKS_RW_PUBLIC_SESSION 2
+#define CKS_RW_USER_FUNCTIONS 3
+#define CKS_RW_SO_FUNCTIONS 4
+
+
+/* CK_SESSION_INFO provides information about a session */
+typedef struct CK_SESSION_INFO {
+ CK_SLOT_ID slotID;
+ CK_STATE state;
+ CK_FLAGS flags; /* see below */
+
+ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulDeviceError; /* device-dependent error code */
+} CK_SESSION_INFO;
+
+/* The flags are defined in the following table:
+ * Bit Flag Mask Meaning
+ */
+#define CKF_RW_SESSION 0x00000002 /* session is r/w */
+#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
+
+typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
+
+
+/* CK_OBJECT_HANDLE is a token-specific identifier for an
+ * object */
+typedef CK_ULONG CK_OBJECT_HANDLE;
+
+typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
+
+
+/* CK_OBJECT_CLASS is a value that identifies the classes (or
+ * types) of objects that Cryptoki recognizes. It is defined
+ * as follows: */
+/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_OBJECT_CLASS;
+
+/* The following classes of objects are defined: */
+/* CKO_HW_FEATURE is new for v2.10 */
+/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
+/* CKO_MECHANISM is new for v2.20 */
+#define CKO_DATA 0x00000000
+#define CKO_CERTIFICATE 0x00000001
+#define CKO_PUBLIC_KEY 0x00000002
+#define CKO_PRIVATE_KEY 0x00000003
+#define CKO_SECRET_KEY 0x00000004
+#define CKO_HW_FEATURE 0x00000005
+#define CKO_DOMAIN_PARAMETERS 0x00000006
+#define CKO_MECHANISM 0x00000007
+
+/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */
+#define CKO_OTP_KEY 0x00000008
+
+#define CKO_VENDOR_DEFINED 0x80000000
+
+typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
+
+/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
+ * value that identifies the hardware feature type of an object
+ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
+typedef CK_ULONG CK_HW_FEATURE_TYPE;
+
+/* The following hardware feature types are defined */
+/* CKH_USER_INTERFACE is new for v2.20 */
+#define CKH_MONOTONIC_COUNTER 0x00000001
+#define CKH_CLOCK 0x00000002
+#define CKH_USER_INTERFACE 0x00000003
+#define CKH_VENDOR_DEFINED 0x80000000
+
+/* CK_KEY_TYPE is a value that identifies a key type */
+/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG CK_KEY_TYPE;
+
+/* the following key types are defined: */
+#define CKK_RSA 0x00000000
+#define CKK_DSA 0x00000001
+#define CKK_DH 0x00000002
+
+/* CKK_ECDSA and CKK_KEA are new for v2.0 */
+/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
+#define CKK_ECDSA 0x00000003
+#define CKK_EC 0x00000003
+#define CKK_X9_42_DH 0x00000004
+#define CKK_KEA 0x00000005
+
+#define CKK_GENERIC_SECRET 0x00000010
+#define CKK_RC2 0x00000011
+#define CKK_RC4 0x00000012
+#define CKK_DES 0x00000013
+#define CKK_DES2 0x00000014
+#define CKK_DES3 0x00000015
+
+/* all these key types are new for v2.0 */
+#define CKK_CAST 0x00000016
+#define CKK_CAST3 0x00000017
+/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
+#define CKK_CAST5 0x00000018
+#define CKK_CAST128 0x00000018
+#define CKK_RC5 0x00000019
+#define CKK_IDEA 0x0000001A
+#define CKK_SKIPJACK 0x0000001B
+#define CKK_BATON 0x0000001C
+#define CKK_JUNIPER 0x0000001D
+#define CKK_CDMF 0x0000001E
+#define CKK_AES 0x0000001F
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKK_BLOWFISH 0x00000020
+#define CKK_TWOFISH 0x00000021
+
+/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */
+#define CKK_SECURID 0x00000022
+#define CKK_HOTP 0x00000023
+#define CKK_ACTI 0x00000024
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_CAMELLIA 0x00000025
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKK_ARIA 0x00000026
+
+
+#define CKK_VENDOR_DEFINED 0x80000000
+
+
+/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
+ * type */
+/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
+ * for v2.0 */
+typedef CK_ULONG CK_CERTIFICATE_TYPE;
+
+/* The following certificate types are defined: */
+/* CKC_X_509_ATTR_CERT is new for v2.10 */
+/* CKC_WTLS is new for v2.20 */
+#define CKC_X_509 0x00000000
+#define CKC_X_509_ATTR_CERT 0x00000001
+#define CKC_WTLS 0x00000002
+#define CKC_VENDOR_DEFINED 0x80000000
+
+
+/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
+ * type */
+/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_ATTRIBUTE_TYPE;
+
+/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
+ consists of an array of values. */
+#define CKF_ARRAY_ATTRIBUTE 0x40000000
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
+ and relates to the CKA_OTP_FORMAT attribute */
+#define CK_OTP_FORMAT_DECIMAL 0
+#define CK_OTP_FORMAT_HEXADECIMAL 1
+#define CK_OTP_FORMAT_ALPHANUMERIC 2
+#define CK_OTP_FORMAT_BINARY 3
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
+ and relates to the CKA_OTP_..._REQUIREMENT attributes */
+#define CK_OTP_PARAM_IGNORED 0
+#define CK_OTP_PARAM_OPTIONAL 1
+#define CK_OTP_PARAM_MANDATORY 2
+
+/* The following attribute types are defined: */
+#define CKA_CLASS 0x00000000
+#define CKA_TOKEN 0x00000001
+#define CKA_PRIVATE 0x00000002
+#define CKA_LABEL 0x00000003
+#define CKA_APPLICATION 0x00000010
+#define CKA_VALUE 0x00000011
+
+/* CKA_OBJECT_ID is new for v2.10 */
+#define CKA_OBJECT_ID 0x00000012
+
+#define CKA_CERTIFICATE_TYPE 0x00000080
+#define CKA_ISSUER 0x00000081
+#define CKA_SERIAL_NUMBER 0x00000082
+
+/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
+ * for v2.10 */
+#define CKA_AC_ISSUER 0x00000083
+#define CKA_OWNER 0x00000084
+#define CKA_ATTR_TYPES 0x00000085
+
+/* CKA_TRUSTED is new for v2.11 */
+#define CKA_TRUSTED 0x00000086
+
+/* CKA_CERTIFICATE_CATEGORY ...
+ * CKA_CHECK_VALUE are new for v2.20 */
+#define CKA_CERTIFICATE_CATEGORY 0x00000087
+#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
+#define CKA_URL 0x00000089
+#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
+#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
+#define CKA_CHECK_VALUE 0x00000090
+
+#define CKA_KEY_TYPE 0x00000100
+#define CKA_SUBJECT 0x00000101
+#define CKA_ID 0x00000102
+#define CKA_SENSITIVE 0x00000103
+#define CKA_ENCRYPT 0x00000104
+#define CKA_DECRYPT 0x00000105
+#define CKA_WRAP 0x00000106
+#define CKA_UNWRAP 0x00000107
+#define CKA_SIGN 0x00000108
+#define CKA_SIGN_RECOVER 0x00000109
+#define CKA_VERIFY 0x0000010A
+#define CKA_VERIFY_RECOVER 0x0000010B
+#define CKA_DERIVE 0x0000010C
+#define CKA_START_DATE 0x00000110
+#define CKA_END_DATE 0x00000111
+#define CKA_MODULUS 0x00000120
+#define CKA_MODULUS_BITS 0x00000121
+#define CKA_PUBLIC_EXPONENT 0x00000122
+#define CKA_PRIVATE_EXPONENT 0x00000123
+#define CKA_PRIME_1 0x00000124
+#define CKA_PRIME_2 0x00000125
+#define CKA_EXPONENT_1 0x00000126
+#define CKA_EXPONENT_2 0x00000127
+#define CKA_COEFFICIENT 0x00000128
+#define CKA_PRIME 0x00000130
+#define CKA_SUBPRIME 0x00000131
+#define CKA_BASE 0x00000132
+
+/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
+#define CKA_PRIME_BITS 0x00000133
+#define CKA_SUBPRIME_BITS 0x00000134
+#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
+/* (To retain backwards-compatibility) */
+
+#define CKA_VALUE_BITS 0x00000160
+#define CKA_VALUE_LEN 0x00000161
+
+/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
+ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
+ * and CKA_EC_POINT are new for v2.0 */
+#define CKA_EXTRACTABLE 0x00000162
+#define CKA_LOCAL 0x00000163
+#define CKA_NEVER_EXTRACTABLE 0x00000164
+#define CKA_ALWAYS_SENSITIVE 0x00000165
+
+/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
+#define CKA_KEY_GEN_MECHANISM 0x00000166
+
+#define CKA_MODIFIABLE 0x00000170
+
+/* CKA_ECDSA_PARAMS is deprecated in v2.11,
+ * CKA_EC_PARAMS is preferred. */
+#define CKA_ECDSA_PARAMS 0x00000180
+#define CKA_EC_PARAMS 0x00000180
+
+#define CKA_EC_POINT 0x00000181
+
+/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
+ * are new for v2.10. Deprecated in v2.11 and onwards. */
+#define CKA_SECONDARY_AUTH 0x00000200
+#define CKA_AUTH_PIN_FLAGS 0x00000201
+
+/* CKA_ALWAYS_AUTHENTICATE ...
+ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
+#define CKA_ALWAYS_AUTHENTICATE 0x00000202
+
+#define CKA_WRAP_WITH_TRUSTED 0x00000210
+#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
+#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
+
+/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */
+#define CKA_OTP_FORMAT 0x00000220
+#define CKA_OTP_LENGTH 0x00000221
+#define CKA_OTP_TIME_INTERVAL 0x00000222
+#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223
+#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224
+#define CKA_OTP_TIME_REQUIREMENT 0x00000225
+#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226
+#define CKA_OTP_PIN_REQUIREMENT 0x00000227
+#define CKA_OTP_COUNTER 0x0000022E
+#define CKA_OTP_TIME 0x0000022F
+#define CKA_OTP_USER_IDENTIFIER 0x0000022A
+#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022B
+#define CKA_OTP_SERVICE_LOGO 0x0000022C
+#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022D
+
+
+/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
+ * are new for v2.10 */
+#define CKA_HW_FEATURE_TYPE 0x00000300
+#define CKA_RESET_ON_INIT 0x00000301
+#define CKA_HAS_RESET 0x00000302
+
+/* The following attributes are new for v2.20 */
+#define CKA_PIXEL_X 0x00000400
+#define CKA_PIXEL_Y 0x00000401
+#define CKA_RESOLUTION 0x00000402
+#define CKA_CHAR_ROWS 0x00000403
+#define CKA_CHAR_COLUMNS 0x00000404
+#define CKA_COLOR 0x00000405
+#define CKA_BITS_PER_PIXEL 0x00000406
+#define CKA_CHAR_SETS 0x00000480
+#define CKA_ENCODING_METHODS 0x00000481
+#define CKA_MIME_TYPES 0x00000482
+#define CKA_MECHANISM_TYPE 0x00000500
+#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501
+#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
+#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
+#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
+
+#define CKA_VENDOR_DEFINED 0x80000000
+
+/* CK_ATTRIBUTE is a structure that includes the type, length
+ * and value of an attribute */
+typedef struct CK_ATTRIBUTE {
+ CK_ATTRIBUTE_TYPE type;
+ CK_VOID_PTR pValue;
+
+ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
+ CK_ULONG ulValueLen; /* in bytes */
+} CK_ATTRIBUTE;
+
+typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
+
+
+/* CK_DATE is a structure that defines a date */
+typedef struct CK_DATE{
+ CK_CHAR year[4]; /* the year ("1900" - "9999") */
+ CK_CHAR month[2]; /* the month ("01" - "12") */
+ CK_CHAR day[2]; /* the day ("01" - "31") */
+} CK_DATE;
+
+
+/* CK_MECHANISM_TYPE is a value that identifies a mechanism
+ * type */
+/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+typedef CK_ULONG CK_MECHANISM_TYPE;
+
+/* the following mechanism types are defined: */
+#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
+#define CKM_RSA_PKCS 0x00000001
+#define CKM_RSA_9796 0x00000002
+#define CKM_RSA_X_509 0x00000003
+
+/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
+ * are new for v2.0. They are mechanisms which hash and sign */
+#define CKM_MD2_RSA_PKCS 0x00000004
+#define CKM_MD5_RSA_PKCS 0x00000005
+#define CKM_SHA1_RSA_PKCS 0x00000006
+
+/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
+ * CKM_RSA_PKCS_OAEP are new for v2.10 */
+#define CKM_RIPEMD128_RSA_PKCS 0x00000007
+#define CKM_RIPEMD160_RSA_PKCS 0x00000008
+#define CKM_RSA_PKCS_OAEP 0x00000009
+
+/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
+ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
+#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
+#define CKM_RSA_X9_31 0x0000000B
+#define CKM_SHA1_RSA_X9_31 0x0000000C
+#define CKM_RSA_PKCS_PSS 0x0000000D
+#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
+
+#define CKM_DSA_KEY_PAIR_GEN 0x00000010
+#define CKM_DSA 0x00000011
+#define CKM_DSA_SHA1 0x00000012
+#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
+#define CKM_DH_PKCS_DERIVE 0x00000021
+
+/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
+ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
+ * v2.11 */
+#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
+#define CKM_X9_42_DH_DERIVE 0x00000031
+#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
+#define CKM_X9_42_MQV_DERIVE 0x00000033
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_RSA_PKCS 0x00000040
+#define CKM_SHA384_RSA_PKCS 0x00000041
+#define CKM_SHA512_RSA_PKCS 0x00000042
+#define CKM_SHA256_RSA_PKCS_PSS 0x00000043
+#define CKM_SHA384_RSA_PKCS_PSS 0x00000044
+#define CKM_SHA512_RSA_PKCS_PSS 0x00000045
+
+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_RSA_PKCS 0x00000046
+#define CKM_SHA224_RSA_PKCS_PSS 0x00000047
+
+#define CKM_RC2_KEY_GEN 0x00000100
+#define CKM_RC2_ECB 0x00000101
+#define CKM_RC2_CBC 0x00000102
+#define CKM_RC2_MAC 0x00000103
+
+/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
+#define CKM_RC2_MAC_GENERAL 0x00000104
+#define CKM_RC2_CBC_PAD 0x00000105
+
+#define CKM_RC4_KEY_GEN 0x00000110
+#define CKM_RC4 0x00000111
+#define CKM_DES_KEY_GEN 0x00000120
+#define CKM_DES_ECB 0x00000121
+#define CKM_DES_CBC 0x00000122
+#define CKM_DES_MAC 0x00000123
+
+/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
+#define CKM_DES_MAC_GENERAL 0x00000124
+#define CKM_DES_CBC_PAD 0x00000125
+
+#define CKM_DES2_KEY_GEN 0x00000130
+#define CKM_DES3_KEY_GEN 0x00000131
+#define CKM_DES3_ECB 0x00000132
+#define CKM_DES3_CBC 0x00000133
+#define CKM_DES3_MAC 0x00000134
+
+/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
+ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
+ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
+#define CKM_DES3_MAC_GENERAL 0x00000135
+#define CKM_DES3_CBC_PAD 0x00000136
+#define CKM_CDMF_KEY_GEN 0x00000140
+#define CKM_CDMF_ECB 0x00000141
+#define CKM_CDMF_CBC 0x00000142
+#define CKM_CDMF_MAC 0x00000143
+#define CKM_CDMF_MAC_GENERAL 0x00000144
+#define CKM_CDMF_CBC_PAD 0x00000145
+
+/* the following four DES mechanisms are new for v2.20 */
+#define CKM_DES_OFB64 0x00000150
+#define CKM_DES_OFB8 0x00000151
+#define CKM_DES_CFB64 0x00000152
+#define CKM_DES_CFB8 0x00000153
+
+#define CKM_MD2 0x00000200
+
+/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD2_HMAC 0x00000201
+#define CKM_MD2_HMAC_GENERAL 0x00000202
+
+#define CKM_MD5 0x00000210
+
+/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
+#define CKM_MD5_HMAC 0x00000211
+#define CKM_MD5_HMAC_GENERAL 0x00000212
+
+#define CKM_SHA_1 0x00000220
+
+/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
+#define CKM_SHA_1_HMAC 0x00000221
+#define CKM_SHA_1_HMAC_GENERAL 0x00000222
+
+/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
+ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
+ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
+#define CKM_RIPEMD128 0x00000230
+#define CKM_RIPEMD128_HMAC 0x00000231
+#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
+#define CKM_RIPEMD160 0x00000240
+#define CKM_RIPEMD160_HMAC 0x00000241
+#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256 0x00000250
+#define CKM_SHA256_HMAC 0x00000251
+#define CKM_SHA256_HMAC_GENERAL 0x00000252
+
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224 0x00000255
+#define CKM_SHA224_HMAC 0x00000256
+#define CKM_SHA224_HMAC_GENERAL 0x00000257
+
+#define CKM_SHA384 0x00000260
+#define CKM_SHA384_HMAC 0x00000261
+#define CKM_SHA384_HMAC_GENERAL 0x00000262
+#define CKM_SHA512 0x00000270
+#define CKM_SHA512_HMAC 0x00000271
+#define CKM_SHA512_HMAC_GENERAL 0x00000272
+
+/* SecurID is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_SECURID_KEY_GEN 0x00000280
+#define CKM_SECURID 0x00000282
+
+/* HOTP is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_HOTP_KEY_GEN 0x00000290
+#define CKM_HOTP 0x00000291
+
+/* ACTI is new for PKCS #11 v2.20 amendment 1 */
+#define CKM_ACTI 0x000002A0
+#define CKM_ACTI_KEY_GEN 0x000002A1
+
+/* All of the following mechanisms are new for v2.0 */
+/* Note that CAST128 and CAST5 are the same algorithm */
+#define CKM_CAST_KEY_GEN 0x00000300
+#define CKM_CAST_ECB 0x00000301
+#define CKM_CAST_CBC 0x00000302
+#define CKM_CAST_MAC 0x00000303
+#define CKM_CAST_MAC_GENERAL 0x00000304
+#define CKM_CAST_CBC_PAD 0x00000305
+#define CKM_CAST3_KEY_GEN 0x00000310
+#define CKM_CAST3_ECB 0x00000311
+#define CKM_CAST3_CBC 0x00000312
+#define CKM_CAST3_MAC 0x00000313
+#define CKM_CAST3_MAC_GENERAL 0x00000314
+#define CKM_CAST3_CBC_PAD 0x00000315
+#define CKM_CAST5_KEY_GEN 0x00000320
+#define CKM_CAST128_KEY_GEN 0x00000320
+#define CKM_CAST5_ECB 0x00000321
+#define CKM_CAST128_ECB 0x00000321
+#define CKM_CAST5_CBC 0x00000322
+#define CKM_CAST128_CBC 0x00000322
+#define CKM_CAST5_MAC 0x00000323
+#define CKM_CAST128_MAC 0x00000323
+#define CKM_CAST5_MAC_GENERAL 0x00000324
+#define CKM_CAST128_MAC_GENERAL 0x00000324
+#define CKM_CAST5_CBC_PAD 0x00000325
+#define CKM_CAST128_CBC_PAD 0x00000325
+#define CKM_RC5_KEY_GEN 0x00000330
+#define CKM_RC5_ECB 0x00000331
+#define CKM_RC5_CBC 0x00000332
+#define CKM_RC5_MAC 0x00000333
+#define CKM_RC5_MAC_GENERAL 0x00000334
+#define CKM_RC5_CBC_PAD 0x00000335
+#define CKM_IDEA_KEY_GEN 0x00000340
+#define CKM_IDEA_ECB 0x00000341
+#define CKM_IDEA_CBC 0x00000342
+#define CKM_IDEA_MAC 0x00000343
+#define CKM_IDEA_MAC_GENERAL 0x00000344
+#define CKM_IDEA_CBC_PAD 0x00000345
+#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
+#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
+#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
+#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
+#define CKM_XOR_BASE_AND_DATA 0x00000364
+#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
+#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
+#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
+#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
+
+/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
+ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
+ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
+#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
+#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
+#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
+#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
+#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
+
+/* CKM_TLS_PRF is new for v2.20 */
+#define CKM_TLS_PRF 0x00000378
+
+#define CKM_SSL3_MD5_MAC 0x00000380
+#define CKM_SSL3_SHA1_MAC 0x00000381
+#define CKM_MD5_KEY_DERIVATION 0x00000390
+#define CKM_MD2_KEY_DERIVATION 0x00000391
+#define CKM_SHA1_KEY_DERIVATION 0x00000392
+
+/* CKM_SHA256/384/512 are new for v2.20 */
+#define CKM_SHA256_KEY_DERIVATION 0x00000393
+#define CKM_SHA384_KEY_DERIVATION 0x00000394
+#define CKM_SHA512_KEY_DERIVATION 0x00000395
+
+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_SHA224_KEY_DERIVATION 0x00000396
+
+#define CKM_PBE_MD2_DES_CBC 0x000003A0
+#define CKM_PBE_MD5_DES_CBC 0x000003A1
+#define CKM_PBE_MD5_CAST_CBC 0x000003A2
+#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
+#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
+#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
+#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
+#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
+#define CKM_PBE_SHA1_RC4_128 0x000003A6
+#define CKM_PBE_SHA1_RC4_40 0x000003A7
+#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
+#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
+#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
+#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
+
+/* CKM_PKCS5_PBKD2 is new for v2.10 */
+#define CKM_PKCS5_PBKD2 0x000003B0
+
+#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
+
+/* WTLS mechanisms are new for v2.20 */
+#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0
+#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1
+#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2
+#define CKM_WTLS_PRF 0x000003D3
+#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4
+#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5
+
+#define CKM_KEY_WRAP_LYNKS 0x00000400
+#define CKM_KEY_WRAP_SET_OAEP 0x00000401
+
+/* CKM_CMS_SIG is new for v2.20 */
+#define CKM_CMS_SIG 0x00000500
+
+/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
+#define CKM_KIP_DERIVE 0x00000510
+#define CKM_KIP_WRAP 0x00000511
+#define CKM_KIP_MAC 0x00000512
+
+/* Camellia is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_CAMELLIA_KEY_GEN 0x00000550
+#define CKM_CAMELLIA_ECB 0x00000551
+#define CKM_CAMELLIA_CBC 0x00000552
+#define CKM_CAMELLIA_MAC 0x00000553
+#define CKM_CAMELLIA_MAC_GENERAL 0x00000554
+#define CKM_CAMELLIA_CBC_PAD 0x00000555
+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556
+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557
+#define CKM_CAMELLIA_CTR 0x00000558
+
+/* ARIA is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_ARIA_KEY_GEN 0x00000560
+#define CKM_ARIA_ECB 0x00000561
+#define CKM_ARIA_CBC 0x00000562
+#define CKM_ARIA_MAC 0x00000563
+#define CKM_ARIA_MAC_GENERAL 0x00000564
+#define CKM_ARIA_CBC_PAD 0x00000565
+#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566
+#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567
+
+/* Fortezza mechanisms */
+#define CKM_SKIPJACK_KEY_GEN 0x00001000
+#define CKM_SKIPJACK_ECB64 0x00001001
+#define CKM_SKIPJACK_CBC64 0x00001002
+#define CKM_SKIPJACK_OFB64 0x00001003
+#define CKM_SKIPJACK_CFB64 0x00001004
+#define CKM_SKIPJACK_CFB32 0x00001005
+#define CKM_SKIPJACK_CFB16 0x00001006
+#define CKM_SKIPJACK_CFB8 0x00001007
+#define CKM_SKIPJACK_WRAP 0x00001008
+#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
+#define CKM_SKIPJACK_RELAYX 0x0000100a
+#define CKM_KEA_KEY_PAIR_GEN 0x00001010
+#define CKM_KEA_KEY_DERIVE 0x00001011
+#define CKM_FORTEZZA_TIMESTAMP 0x00001020
+#define CKM_BATON_KEY_GEN 0x00001030
+#define CKM_BATON_ECB128 0x00001031
+#define CKM_BATON_ECB96 0x00001032
+#define CKM_BATON_CBC128 0x00001033
+#define CKM_BATON_COUNTER 0x00001034
+#define CKM_BATON_SHUFFLE 0x00001035
+#define CKM_BATON_WRAP 0x00001036
+
+/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
+ * CKM_EC_KEY_PAIR_GEN is preferred */
+#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
+#define CKM_EC_KEY_PAIR_GEN 0x00001040
+
+#define CKM_ECDSA 0x00001041
+#define CKM_ECDSA_SHA1 0x00001042
+
+/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
+ * are new for v2.11 */
+#define CKM_ECDH1_DERIVE 0x00001050
+#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
+#define CKM_ECMQV_DERIVE 0x00001052
+
+#define CKM_JUNIPER_KEY_GEN 0x00001060
+#define CKM_JUNIPER_ECB128 0x00001061
+#define CKM_JUNIPER_CBC128 0x00001062
+#define CKM_JUNIPER_COUNTER 0x00001063
+#define CKM_JUNIPER_SHUFFLE 0x00001064
+#define CKM_JUNIPER_WRAP 0x00001065
+#define CKM_FASTHASH 0x00001070
+
+/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
+ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
+ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
+ * new for v2.11 */
+#define CKM_AES_KEY_GEN 0x00001080
+#define CKM_AES_ECB 0x00001081
+#define CKM_AES_CBC 0x00001082
+#define CKM_AES_MAC 0x00001083
+#define CKM_AES_MAC_GENERAL 0x00001084
+#define CKM_AES_CBC_PAD 0x00001085
+
+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
+#define CKM_AES_CTR 0x00001086
+
+/* BlowFish and TwoFish are new for v2.20 */
+#define CKM_BLOWFISH_KEY_GEN 0x00001090
+#define CKM_BLOWFISH_CBC 0x00001091
+#define CKM_TWOFISH_KEY_GEN 0x00001092
+#define CKM_TWOFISH_CBC 0x00001093
+
+
+/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
+#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100
+#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101
+#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102
+#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103
+#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
+#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
+
+#define CKM_DSA_PARAMETER_GEN 0x00002000
+#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
+#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
+
+#define CKM_VENDOR_DEFINED 0x80000000
+
+typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
+
+
+/* CK_MECHANISM is a structure that specifies a particular
+ * mechanism */
+typedef struct CK_MECHANISM {
+ CK_MECHANISM_TYPE mechanism;
+ CK_VOID_PTR pParameter;
+
+ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulParameterLen; /* in bytes */
+} CK_MECHANISM;
+
+typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
+
+
+/* CK_MECHANISM_INFO provides information about a particular
+ * mechanism */
+typedef struct CK_MECHANISM_INFO {
+ CK_ULONG ulMinKeySize;
+ CK_ULONG ulMaxKeySize;
+ CK_FLAGS flags;
+} CK_MECHANISM_INFO;
+
+/* The flags are defined as follows:
+ * Bit Flag Mask Meaning */
+#define CKF_HW 0x00000001 /* performed by HW */
+
+/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
+ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
+ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
+ * and CKF_DERIVE are new for v2.0. They specify whether or not
+ * a mechanism can be used for a particular task */
+#define CKF_ENCRYPT 0x00000100
+#define CKF_DECRYPT 0x00000200
+#define CKF_DIGEST 0x00000400
+#define CKF_SIGN 0x00000800
+#define CKF_SIGN_RECOVER 0x00001000
+#define CKF_VERIFY 0x00002000
+#define CKF_VERIFY_RECOVER 0x00004000
+#define CKF_GENERATE 0x00008000
+#define CKF_GENERATE_KEY_PAIR 0x00010000
+#define CKF_WRAP 0x00020000
+#define CKF_UNWRAP 0x00040000
+#define CKF_DERIVE 0x00080000
+
+/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
+ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
+ * describe a token's EC capabilities not available in mechanism
+ * information. */
+#define CKF_EC_F_P 0x00100000
+#define CKF_EC_F_2M 0x00200000
+#define CKF_EC_ECPARAMETERS 0x00400000
+#define CKF_EC_NAMEDCURVE 0x00800000
+#define CKF_EC_UNCOMPRESS 0x01000000
+#define CKF_EC_COMPRESS 0x02000000
+
+#define CKF_EXTENSION 0x80000000 /* FALSE for this version */
+
+typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
+
+
+/* CK_RV is a value that identifies the return value of a
+ * Cryptoki function */
+/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
+typedef CK_ULONG CK_RV;
+
+#define CKR_OK 0x00000000
+#define CKR_CANCEL 0x00000001
+#define CKR_HOST_MEMORY 0x00000002
+#define CKR_SLOT_ID_INVALID 0x00000003
+
+/* CKR_FLAGS_INVALID was removed for v2.0 */
+
+/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
+#define CKR_GENERAL_ERROR 0x00000005
+#define CKR_FUNCTION_FAILED 0x00000006
+
+/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
+ * and CKR_CANT_LOCK are new for v2.01 */
+#define CKR_ARGUMENTS_BAD 0x00000007
+#define CKR_NO_EVENT 0x00000008
+#define CKR_NEED_TO_CREATE_THREADS 0x00000009
+#define CKR_CANT_LOCK 0x0000000A
+
+#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
+#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
+#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
+#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
+#define CKR_DATA_INVALID 0x00000020
+#define CKR_DATA_LEN_RANGE 0x00000021
+#define CKR_DEVICE_ERROR 0x00000030
+#define CKR_DEVICE_MEMORY 0x00000031
+#define CKR_DEVICE_REMOVED 0x00000032
+#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
+#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
+#define CKR_FUNCTION_CANCELED 0x00000050
+#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
+
+/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
+#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
+
+#define CKR_KEY_HANDLE_INVALID 0x00000060
+
+/* CKR_KEY_SENSITIVE was removed for v2.0 */
+
+#define CKR_KEY_SIZE_RANGE 0x00000062
+#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
+
+/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
+ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
+ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
+ * v2.0 */
+#define CKR_KEY_NOT_NEEDED 0x00000064
+#define CKR_KEY_CHANGED 0x00000065
+#define CKR_KEY_NEEDED 0x00000066
+#define CKR_KEY_INDIGESTIBLE 0x00000067
+#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
+#define CKR_KEY_NOT_WRAPPABLE 0x00000069
+#define CKR_KEY_UNEXTRACTABLE 0x0000006A
+
+#define CKR_MECHANISM_INVALID 0x00000070
+#define CKR_MECHANISM_PARAM_INVALID 0x00000071
+
+/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
+ * were removed for v2.0 */
+#define CKR_OBJECT_HANDLE_INVALID 0x00000082
+#define CKR_OPERATION_ACTIVE 0x00000090
+#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
+#define CKR_PIN_INCORRECT 0x000000A0
+#define CKR_PIN_INVALID 0x000000A1
+#define CKR_PIN_LEN_RANGE 0x000000A2
+
+/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
+#define CKR_PIN_EXPIRED 0x000000A3
+#define CKR_PIN_LOCKED 0x000000A4
+
+#define CKR_SESSION_CLOSED 0x000000B0
+#define CKR_SESSION_COUNT 0x000000B1
+#define CKR_SESSION_HANDLE_INVALID 0x000000B3
+#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
+#define CKR_SESSION_READ_ONLY 0x000000B5
+#define CKR_SESSION_EXISTS 0x000000B6
+
+/* CKR_SESSION_READ_ONLY_EXISTS and
+ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
+#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
+#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
+
+#define CKR_SIGNATURE_INVALID 0x000000C0
+#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
+#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
+#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
+#define CKR_TOKEN_NOT_PRESENT 0x000000E0
+#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
+#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
+#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
+#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
+#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
+#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
+#define CKR_USER_NOT_LOGGED_IN 0x00000101
+#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
+#define CKR_USER_TYPE_INVALID 0x00000103
+
+/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
+ * are new to v2.01 */
+#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
+#define CKR_USER_TOO_MANY_TYPES 0x00000105
+
+#define CKR_WRAPPED_KEY_INVALID 0x00000110
+#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
+#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
+#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
+#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
+#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
+
+/* These are new to v2.0 */
+#define CKR_RANDOM_NO_RNG 0x00000121
+
+/* These are new to v2.11 */
+#define CKR_DOMAIN_PARAMS_INVALID 0x00000130
+
+/* These are new to v2.0 */
+#define CKR_BUFFER_TOO_SMALL 0x00000150
+#define CKR_SAVED_STATE_INVALID 0x00000160
+#define CKR_INFORMATION_SENSITIVE 0x00000170
+#define CKR_STATE_UNSAVEABLE 0x00000180
+
+/* These are new to v2.01 */
+#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
+#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
+#define CKR_MUTEX_BAD 0x000001A0
+#define CKR_MUTEX_NOT_LOCKED 0x000001A1
+
+/* The following return values are new for PKCS #11 v2.20 amendment 3 */
+#define CKR_NEW_PIN_MODE 0x000001B0
+#define CKR_NEXT_OTP 0x000001B1
+
+/* This is new to v2.20 */
+#define CKR_FUNCTION_REJECTED 0x00000200
+
+#define CKR_VENDOR_DEFINED 0x80000000
+
+
+/* CK_NOTIFY is an application callback that processes events */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
+ CK_SESSION_HANDLE hSession, /* the session's handle */
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication /* passed to C_OpenSession */
+);
+
+
+/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
+ * version and pointers of appropriate types to all the
+ * Cryptoki functions */
+/* CK_FUNCTION_LIST is new for v2.0 */
+typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
+
+typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
+
+typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
+
+
+/* CK_CREATEMUTEX is an application callback for creating a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
+ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
+);
+
+
+/* CK_DESTROYMUTEX is an application callback for destroying a
+ * mutex object */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_LOCKMUTEX is an application callback for locking a mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_UNLOCKMUTEX is an application callback for unlocking a
+ * mutex */
+typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
+ CK_VOID_PTR pMutex /* pointer to mutex */
+);
+
+
+/* CK_C_INITIALIZE_ARGS provides the optional arguments to
+ * C_Initialize */
+typedef struct CK_C_INITIALIZE_ARGS {
+ CK_CREATEMUTEX CreateMutex;
+ CK_DESTROYMUTEX DestroyMutex;
+ CK_LOCKMUTEX LockMutex;
+ CK_UNLOCKMUTEX UnlockMutex;
+ CK_FLAGS flags;
+ CK_VOID_PTR pReserved;
+} CK_C_INITIALIZE_ARGS;
+
+/* flags: bit flags that provide capabilities of the slot
+ * Bit Flag Mask Meaning
+ */
+#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
+#define CKF_OS_LOCKING_OK 0x00000002
+
+typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
+
+
+/* additional flags for parameters to functions */
+
+/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
+#define CKF_DONT_BLOCK 1
+
+/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message
+ * Generation Function (MGF) applied to a message block when
+ * formatting a message block for the PKCS #1 OAEP encryption
+ * scheme. */
+typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
+
+typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
+
+/* The following MGFs are defined */
+/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
+ * are new for v2.20 */
+#define CKG_MGF1_SHA1 0x00000001
+#define CKG_MGF1_SHA256 0x00000002
+#define CKG_MGF1_SHA384 0x00000003
+#define CKG_MGF1_SHA512 0x00000004
+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
+#define CKG_MGF1_SHA224 0x00000005
+
+/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
+ * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source
+ * of the encoding parameter when formatting a message block
+ * for the PKCS #1 OAEP encryption scheme. */
+typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
+
+typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
+
+/* The following encoding parameter sources are defined */
+#define CKZ_DATA_SPECIFIED 0x00000001
+
+/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
+ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_OAEP mechanism. */
+typedef struct CK_RSA_PKCS_OAEP_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
+ CK_VOID_PTR pSourceData;
+ CK_ULONG ulSourceDataLen;
+} CK_RSA_PKCS_OAEP_PARAMS;
+
+typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
+
+/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
+ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
+ * CKM_RSA_PKCS_PSS mechanism(s). */
+typedef struct CK_RSA_PKCS_PSS_PARAMS {
+ CK_MECHANISM_TYPE hashAlg;
+ CK_RSA_PKCS_MGF_TYPE mgf;
+ CK_ULONG sLen;
+} CK_RSA_PKCS_PSS_PARAMS;
+
+typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
+
+/* CK_EC_KDF_TYPE is new for v2.11. */
+typedef CK_ULONG CK_EC_KDF_TYPE;
+
+/* The following EC Key Derivation Functions are defined */
+#define CKD_NULL 0x00000001
+#define CKD_SHA1_KDF 0x00000002
+
+/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
+ * where each party contributes one key pair.
+ */
+typedef struct CK_ECDH1_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_ECDH1_DERIVE_PARAMS;
+
+typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
+
+
+/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
+ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
+typedef struct CK_ECDH2_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_ECDH2_DERIVE_PARAMS;
+
+typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_ECMQV_DERIVE_PARAMS {
+ CK_EC_KDF_TYPE kdf;
+ CK_ULONG ulSharedDataLen;
+ CK_BYTE_PTR pSharedData;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_ECMQV_DERIVE_PARAMS;
+
+typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
+
+/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
+ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
+typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
+typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
+
+/* The following X9.42 DH key derivation functions are defined
+ (besides CKD_NULL already defined : */
+#define CKD_SHA1_KDF_ASN1 0x00000003
+#define CKD_SHA1_KDF_CONCATENATE 0x00000004
+
+/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
+ * contributes one key pair */
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_X9_42_DH1_DERIVE_PARAMS;
+
+typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
+
+/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
+ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
+ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
+ * mechanisms, where each party contributes two key pairs */
+typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+} CK_X9_42_DH2_DERIVE_PARAMS;
+
+typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
+
+typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
+ CK_X9_42_DH_KDF_TYPE kdf;
+ CK_ULONG ulOtherInfoLen;
+ CK_BYTE_PTR pOtherInfo;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPrivateDataLen;
+ CK_OBJECT_HANDLE hPrivateData;
+ CK_ULONG ulPublicDataLen2;
+ CK_BYTE_PTR pPublicData2;
+ CK_OBJECT_HANDLE publicKey;
+} CK_X9_42_MQV_DERIVE_PARAMS;
+
+typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
+
+/* CK_KEA_DERIVE_PARAMS provides the parameters to the
+ * CKM_KEA_DERIVE mechanism */
+/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
+typedef struct CK_KEA_DERIVE_PARAMS {
+ CK_BBOOL isSender;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pRandomB;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+} CK_KEA_DERIVE_PARAMS;
+
+typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
+
+
+/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
+ * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
+ * holds the effective keysize */
+typedef CK_ULONG CK_RC2_PARAMS;
+
+typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
+
+
+/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
+ * mechanism */
+typedef struct CK_RC2_CBC_PARAMS {
+ /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
+ * v2.0 */
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+
+ CK_BYTE iv[8]; /* IV for CBC mode */
+} CK_RC2_CBC_PARAMS;
+
+typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
+
+
+/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC2_MAC_GENERAL mechanism */
+/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC2_MAC_GENERAL_PARAMS {
+ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC2_MAC_GENERAL_PARAMS;
+
+typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC2_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
+ * CKM_RC5_MAC mechanisms */
+/* CK_RC5_PARAMS is new for v2.0 */
+typedef struct CK_RC5_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+} CK_RC5_PARAMS;
+
+typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
+
+
+/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
+ * mechanism */
+/* CK_RC5_CBC_PARAMS is new for v2.0 */
+typedef struct CK_RC5_CBC_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_BYTE_PTR pIv; /* pointer to IV */
+ CK_ULONG ulIvLen; /* length of IV in bytes */
+} CK_RC5_CBC_PARAMS;
+
+typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
+
+
+/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
+ * CKM_RC5_MAC_GENERAL mechanism */
+/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef struct CK_RC5_MAC_GENERAL_PARAMS {
+ CK_ULONG ulWordsize; /* wordsize in bits */
+ CK_ULONG ulRounds; /* number of rounds */
+ CK_ULONG ulMacLength; /* Length of MAC in bytes */
+} CK_RC5_MAC_GENERAL_PARAMS;
+
+typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
+ CK_RC5_MAC_GENERAL_PARAMS_PTR;
+
+
+/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
+ * ciphers' MAC_GENERAL mechanisms. Its value is the length of
+ * the MAC */
+/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
+
+typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
+
+/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
+typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[8];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
+/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pPassword;
+ CK_ULONG ulPublicDataLen;
+ CK_BYTE_PTR pPublicData;
+ CK_ULONG ulPAndGLen;
+ CK_ULONG ulQLen;
+ CK_ULONG ulRandomLen;
+ CK_BYTE_PTR pRandomA;
+ CK_BYTE_PTR pPrimeP;
+ CK_BYTE_PTR pBaseG;
+ CK_BYTE_PTR pSubprimeQ;
+} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
+
+typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
+ CK_SKIPJACK_PRIVATE_WRAP_PTR;
+
+
+/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
+ * CKM_SKIPJACK_RELAYX mechanism */
+/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
+typedef struct CK_SKIPJACK_RELAYX_PARAMS {
+ CK_ULONG ulOldWrappedXLen;
+ CK_BYTE_PTR pOldWrappedX;
+ CK_ULONG ulOldPasswordLen;
+ CK_BYTE_PTR pOldPassword;
+ CK_ULONG ulOldPublicDataLen;
+ CK_BYTE_PTR pOldPublicData;
+ CK_ULONG ulOldRandomLen;
+ CK_BYTE_PTR pOldRandomA;
+ CK_ULONG ulNewPasswordLen;
+ CK_BYTE_PTR pNewPassword;
+ CK_ULONG ulNewPublicDataLen;
+ CK_BYTE_PTR pNewPublicData;
+ CK_ULONG ulNewRandomLen;
+ CK_BYTE_PTR pNewRandomA;
+} CK_SKIPJACK_RELAYX_PARAMS;
+
+typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
+ CK_SKIPJACK_RELAYX_PARAMS_PTR;
+
+
+typedef struct CK_PBE_PARAMS {
+ CK_BYTE_PTR pInitVector;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG ulPasswordLen;
+ CK_BYTE_PTR pSalt;
+ CK_ULONG ulSaltLen;
+ CK_ULONG ulIteration;
+} CK_PBE_PARAMS;
+
+typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
+
+
+/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
+ * CKM_KEY_WRAP_SET_OAEP mechanism */
+/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
+typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
+ CK_BYTE bBC; /* block contents byte */
+ CK_BYTE_PTR pX; /* extra data */
+ CK_ULONG ulXLen; /* length of extra data in bytes */
+} CK_KEY_WRAP_SET_OAEP_PARAMS;
+
+typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
+ CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_SSL3_RANDOM_DATA;
+
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_VERSION_PTR pVersion;
+} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
+
+typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hClientMacSecret;
+ CK_OBJECT_HANDLE hServerMacSecret;
+ CK_OBJECT_HANDLE hClientKey;
+ CK_OBJECT_HANDLE hServerKey;
+ CK_BYTE_PTR pIVClient;
+ CK_BYTE_PTR pIVServer;
+} CK_SSL3_KEY_MAT_OUT;
+
+typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
+
+
+typedef struct CK_SSL3_KEY_MAT_PARAMS {
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_BBOOL bIsExport;
+ CK_SSL3_RANDOM_DATA RandomInfo;
+ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_SSL3_KEY_MAT_PARAMS;
+
+typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
+
+/* CK_TLS_PRF_PARAMS is new for version 2.20 */
+typedef struct CK_TLS_PRF_PARAMS {
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_TLS_PRF_PARAMS;
+
+typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
+
+/* WTLS is new for version 2.20 */
+typedef struct CK_WTLS_RANDOM_DATA {
+ CK_BYTE_PTR pClientRandom;
+ CK_ULONG ulClientRandomLen;
+ CK_BYTE_PTR pServerRandom;
+ CK_ULONG ulServerRandomLen;
+} CK_WTLS_RANDOM_DATA;
+
+typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
+
+typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_BYTE_PTR pVersion;
+} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
+
+typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
+ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
+
+typedef struct CK_WTLS_PRF_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+ CK_BYTE_PTR pLabel;
+ CK_ULONG ulLabelLen;
+ CK_BYTE_PTR pOutput;
+ CK_ULONG_PTR pulOutputLen;
+} CK_WTLS_PRF_PARAMS;
+
+typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_OUT {
+ CK_OBJECT_HANDLE hMacSecret;
+ CK_OBJECT_HANDLE hKey;
+ CK_BYTE_PTR pIV;
+} CK_WTLS_KEY_MAT_OUT;
+
+typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
+
+typedef struct CK_WTLS_KEY_MAT_PARAMS {
+ CK_MECHANISM_TYPE DigestMechanism;
+ CK_ULONG ulMacSizeInBits;
+ CK_ULONG ulKeySizeInBits;
+ CK_ULONG ulIVSizeInBits;
+ CK_ULONG ulSequenceNumber;
+ CK_BBOOL bIsExport;
+ CK_WTLS_RANDOM_DATA RandomInfo;
+ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
+} CK_WTLS_KEY_MAT_PARAMS;
+
+typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
+
+/* CMS is new for version 2.20 */
+typedef struct CK_CMS_SIG_PARAMS {
+ CK_OBJECT_HANDLE certificateHandle;
+ CK_MECHANISM_PTR pSigningMechanism;
+ CK_MECHANISM_PTR pDigestMechanism;
+ CK_UTF8CHAR_PTR pContentType;
+ CK_BYTE_PTR pRequestedAttributes;
+ CK_ULONG ulRequestedAttributesLen;
+ CK_BYTE_PTR pRequiredAttributes;
+ CK_ULONG ulRequiredAttributesLen;
+} CK_CMS_SIG_PARAMS;
+
+typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
+
+typedef struct CK_KEY_DERIVATION_STRING_DATA {
+ CK_BYTE_PTR pData;
+ CK_ULONG ulLen;
+} CK_KEY_DERIVATION_STRING_DATA;
+
+typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
+ CK_KEY_DERIVATION_STRING_DATA_PTR;
+
+
+/* The CK_EXTRACT_PARAMS is used for the
+ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
+ * of the base key should be used as the first bit of the
+ * derived key */
+/* CK_EXTRACT_PARAMS is new for v2.0 */
+typedef CK_ULONG CK_EXTRACT_PARAMS;
+
+typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
+
+/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
+ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
+ * indicate the Pseudo-Random Function (PRF) used to generate
+ * key bits using PKCS #5 PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
+
+typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
+
+/* The following PRFs are defined in PKCS #5 v2.0. */
+#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
+
+
+/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
+ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
+ * source of the salt value when deriving a key using PKCS #5
+ * PBKDF2. */
+typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
+
+typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
+
+/* The following salt value sources are defined in PKCS #5 v2.0. */
+#define CKZ_SALT_SPECIFIED 0x00000001
+
+/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
+ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
+ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
+typedef struct CK_PKCS5_PBKD2_PARAMS {
+ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
+ CK_VOID_PTR pSaltSourceData;
+ CK_ULONG ulSaltSourceDataLen;
+ CK_ULONG iterations;
+ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
+ CK_VOID_PTR pPrfData;
+ CK_ULONG ulPrfDataLen;
+ CK_UTF8CHAR_PTR pPassword;
+ CK_ULONG_PTR ulPasswordLen;
+} CK_PKCS5_PBKD2_PARAMS;
+
+typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
+
+/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */
+
+typedef CK_ULONG CK_OTP_PARAM_TYPE;
+typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */
+
+typedef struct CK_OTP_PARAM {
+ CK_OTP_PARAM_TYPE type;
+ CK_VOID_PTR pValue;
+ CK_ULONG ulValueLen;
+} CK_OTP_PARAM;
+
+typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
+
+typedef struct CK_OTP_PARAMS {
+ CK_OTP_PARAM_PTR pParams;
+ CK_ULONG ulCount;
+} CK_OTP_PARAMS;
+
+typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
+
+typedef struct CK_OTP_SIGNATURE_INFO {
+ CK_OTP_PARAM_PTR pParams;
+ CK_ULONG ulCount;
+} CK_OTP_SIGNATURE_INFO;
+
+typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
+#define CK_OTP_VALUE 0
+#define CK_OTP_PIN 1
+#define CK_OTP_CHALLENGE 2
+#define CK_OTP_TIME 3
+#define CK_OTP_COUNTER 4
+#define CK_OTP_FLAGS 5
+#define CK_OTP_OUTPUT_LENGTH 6
+#define CK_OTP_OUTPUT_FORMAT 7
+
+/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
+#define CKF_NEXT_OTP 0x00000001
+#define CKF_EXCLUDE_TIME 0x00000002
+#define CKF_EXCLUDE_COUNTER 0x00000004
+#define CKF_EXCLUDE_CHALLENGE 0x00000008
+#define CKF_EXCLUDE_PIN 0x00000010
+#define CKF_USER_FRIENDLY_OTP 0x00000020
+
+/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */
+typedef struct CK_KIP_PARAMS {
+ CK_MECHANISM_PTR pMechanism;
+ CK_OBJECT_HANDLE hKey;
+ CK_BYTE_PTR pSeed;
+ CK_ULONG ulSeedLen;
+} CK_KIP_PARAMS;
+
+typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
+
+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_AES_CTR_PARAMS {
+ CK_ULONG ulCounterBits;
+ CK_BYTE cb[16];
+} CK_AES_CTR_PARAMS;
+
+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CTR_PARAMS {
+ CK_ULONG ulCounterBits;
+ CK_BYTE cb[16];
+} CK_CAMELLIA_CTR_PARAMS;
+
+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
+
+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
+ CK_BYTE iv[16];
+ CK_BYTE_PTR pData;
+ CK_ULONG length;
+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
+
+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
+
+#endif
--- /dev/null
+Index: openssl/Configure
+diff -u openssl/Configure:1.1.3.1 openssl/Configure:1.7
+--- openssl/Configure:1.1.3.1 Mon Feb 16 08:44:22 2009
++++ openssl/Configure Mon Oct 5 13:16:50 2009
+@@ -12,7 +12,7 @@
+
+ # see INSTALL for instructions.
+
+-my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
++my $usage="Usage: Configure --pk11-libname=PK11_LIB_LOCATION --pk11-flavor=FLAVOR [no-<cipher> ...] [enable-<cipher> ...] [experimental-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [enable-montasm] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+
+ # Options:
+ #
+@@ -21,6 +21,12 @@
+ # --prefix prefix for the OpenSSL include, lib and bin directories
+ # (Default: the OPENSSLDIR directory)
+ #
++# --pk11-libname PKCS#11 library name.
++# (No default)
++#
++# --pk11-flavor either crypto-accelerator or sign-only
++# (No default)
++#
+ # --install_prefix Additional prefix for package builders (empty by
+ # default). This needn't be set in advance, you can
+ # just as well use "make INSTALL_PREFIX=/whatever install".
+@@ -329,7 +335,7 @@
+ "linux-ppc", "gcc:-DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc32.o::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### IA-32 targets...
+ "linux-ia32-icc", "icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-elf", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-aout", "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+ ####
+ "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+@@ -337,7 +343,7 @@
+ "linux-ia64", "gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ "linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+-"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
++"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT -pthread::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+ #### SPARC Linux setups
+ # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
+ # assisted with debugging of following two configs.
+@@ -580,6 +586,10 @@
+ my $idx_ranlib = $idx++;
+ my $idx_arflags = $idx++;
+
++# PKCS#11 engine patch
++my $pk11_libname="";
++my $pk11_flavor="";
++
+ my $prefix="";
+ my $openssldir="";
+ my $exe_ext="";
+@@ -812,6 +822,14 @@
+ {
+ $flags.=$_." ";
+ }
++ elsif (/^--pk11-libname=(.*)$/)
++ {
++ $pk11_libname=$1;
++ }
++ elsif (/^--pk11-flavor=(.*)$/)
++ {
++ $pk11_flavor=$1;
++ }
+ elsif (/^--prefix=(.*)$/)
+ {
+ $prefix=$1;
+@@ -943,6 +961,22 @@
+ exit 0;
+ }
+
++if (! $pk11_libname)
++ {
++ print STDERR "You must set --pk11-libname for PKCS#11 library.\n";
++ print STDERR "See README.pkcs11 for more information.\n";
++ exit 1;
++ }
++
++if (! $pk11_flavor
++ || !($pk11_flavor eq "crypto-accelerator" || $pk11_flavor eq "sign-only"))
++ {
++ print STDERR "You must set --pk11-flavor.\n";
++ print STDERR "Choices are crypto-accelerator and sign-only.\n";
++ print STDERR "See README.pkcs11 for more information.\n";
++ exit 1;
++ }
++
+ if ($target =~ m/^CygWin32(-.*)$/) {
+ $target = "Cygwin".$1;
+ }
+@@ -1057,6 +1091,25 @@
+ print "\n";
+ }
+
++if ($pk11_flavor eq "crypto-accelerator")
++ {
++ $openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11SO\n";
++ $default_depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
++ $depflags .= " -DOPENSSL_NO_HW_PKCS11SO";
++ $options .= " no-hw-pkcs11so";
++ print " no-hw-pkcs11so [pk11-flavor]";
++ print " OPENSSL_NO_HW_PKCS11SO\n";
++ }
++else
++ {
++ $openssl_other_defines .= "#define OPENSSL_NO_HW_PKCS11CA\n";
++ $default_depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
++ $depflags .= " -DOPENSSL_NO_HW_PKCS11CA";
++ $options .= " no-hw-pkcs11ca";
++ print " no-hw-pkcs11ca [pk11-flavor]";
++ print " OPENSSL_NO_HW_PKCS11CA\n";
++}
++
+ my $IsMK1MF=scalar grep /^$target$/,@MK1MF_Builds;
+
+ $IsMK1MF=1 if ($target eq "mingw" && $^O ne "cygwin" && !is_msys());
+@@ -1103,6 +1156,8 @@
+ if ($flags ne "") { $cflags="$flags$cflags"; }
+ else { $no_user_cflags=1; }
+
++$cflags="-DPK11_LIB_LOCATION=\"$pk11_libname\" $cflags";
++
+ # Kerberos settings. The flavor must be provided from outside, either through
+ # the script "config" or manually.
+ if (!$no_krb5)
+@@ -1456,6 +1511,7 @@
+ s/^VERSION=.*/VERSION=$version/;
+ s/^MAJOR=.*/MAJOR=$major/;
+ s/^MINOR=.*/MINOR=$minor/;
++ s/^PK11_LIB_LOCATION=.*/PK11_LIB_LOCATION=$pk11_libname/;
+ s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
+ s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
+ s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
+Index: openssl/Makefile.org
+diff -u openssl/Makefile.org:1.1.3.1 openssl/Makefile.org:1.3
+--- openssl/Makefile.org:1.1.3.1 Tue Mar 3 22:40:29 2009
++++ openssl/Makefile.org Fri Sep 4 10:43:21 2009
+@@ -26,6 +26,9 @@
+ INSTALL_PREFIX=
+ INSTALLTOP=/usr/local/ssl
+
++# You must set this through --pk11-libname configure option.
++PK11_LIB_LOCATION=
++
+ # Do not edit this manually. Use Configure --openssldir=DIR do change this!
+ OPENSSLDIR=/usr/local/ssl
+
+Index: openssl/README.pkcs11
+diff -u /dev/null openssl/README.pkcs11:1.6
+--- /dev/null Mon Oct 5 13:17:23 2009
++++ openssl/README.pkcs11 Mon Oct 5 13:16:50 2009
+@@ -0,0 +1,247 @@
++ISC modified
++============
++
++The PKCS#11 engine exists in two flavors, crypto-accelerator and
++sign-only. The first one is from the Solaris patch and uses the
++PKCS#11 device for all crypto operations it supports. The second
++is a stripped down version which provides only the useful
++function (i.e., signature with a RSA private key in the device
++protected key store and key loading).
++
++As a hint PKCS#11 boards should use the crypto-accelerator flavor,
++external PKCS#11 devices the sign-only. SCA 6000 is an example
++of the first, AEP Keyper of the second.
++
++Note it is mandatory to set a pk11-flavor (and only one) in
++config/Configure.
++
++PKCS#11 engine support for OpenSSL 0.9.8j
++=========================================
++
++[March 11, 2009]
++
++Contents:
++
++Overview
++Revisions of the patch for 0.9.8 branch
++FAQs
++Feedback
++
++Overview
++========
++
++This patch containing code available in OpenSolaris adds support for PKCS#11
++engine into OpenSSL and implements PKCS#11 v2.20. It is to be applied against
++OpenSSL 0.9.8j source code distribution as shipped by OpenSSL.Org. Your system
++must provide PKCS#11 backend otherwise the patch is useless. You provide the
++PKCS#11 library name during the build configuration phase, see below.
++
++Patch can be applied like this:
++
++ # NOTE: use gtar if on Solaris
++ tar xfzv openssl-0.9.8j.tar.gz
++ # now download the patch to the current directory
++ # ...
++ cd openssl-0.9.8j
++ # NOTE: must use gpatch if on Solaris (is part of the system)
++ patch -p1 < path-to/pkcs11_engine-0.9.8j.patch.2009-03-11
++
++It is designed to support pure acceleration for RSA, DSA, DH and all the
++symetric ciphers and message digest algorithms that PKCS#11 and OpenSSL share
++except for missing support for patented algorithms MDC2, RC3, RC5 and IDEA.
++
++According to the PKCS#11 providers installed on your machine, it can support
++following mechanisms:
++
++ RSA, DSA, DH, RAND, DES-CBC, DES-EDE3-CBC, DES-ECB, DES-EDE3, RC4,
++ AES-128-CBC, AES-192-CBC, AES-256-CBC, AES-128-ECB, AES-192-ECB,
++ AES-256-ECB, AES-128-CTR, AES-192-CTR, AES-256-CTR, MD5, SHA1, SHA224,
++ SHA256, SHA384, SHA512
++
++Note that for AES counter mode the application must provide their own EVP
++functions since OpenSSL doesn't support counter mode through EVP yet. You may
++see OpenSSH source code (cipher.c) to get the idea how to do that. SunSSH is an
++example of code that uses the PKCS#11 engine and deals with the fork-safety
++problem (see engine.c and packet.c files if interested).
++
+++------------------------------------------------------------------------------+
++| NOTE: this patch version does NOT contain experimental code for accessing |
++| RSA keys stored in PKCS#11 key stores by reference. Some problems were found |
++| (thanks to all who wrote me!) and due to my ENOTIME problem I may address |
++| those issues in a future version of the patch that will have that code back, |
++| hopefully fixed. |
+++------------------------------------------------------------------------------+
++
++You must provide the location of PKCS#11 library in your system to the
++configure script. You will be instructed to do that when you try to run the
++config script:
++
++ $ ./config
++ Operating system: i86pc-whatever-solaris2
++ Configuring for solaris-x86-cc
++ You must set --pk11-libname for PKCS#11 library.
++ See README.pkcs11 for more information.
++
++Taking openCryptoki project on Linux AMD64 box as an example, you would run
++configure script like this:
++
++ ./config --pk11-libname=/usr/lib64/pkcs11/PKCS11_API.so
++
++To check whether newly built openssl really supports PKCS#11 it's enough to run
++"apps/openssl engine" and look for "(pkcs11) PKCS #11 engine support" in the
++output. If you see no PKCS#11 engine support check that the built openssl binary
++and the PKCS#11 library from --pk11-libname don't conflict on 32/64 bits.
++
++This patch was tested on Solaris against PKCS#11 engine available from Solaris
++Cryptographic Framework (Solaris 10 and OpenSolaris) and also on Linux using
++PKCS#11 libraries from openCryptoki project (see openCryptoki website
++http://sourceforge.net/projects/opencryptoki for more information). Some Linux
++distributions even ship those libraries with the system. The patch should work
++on any system that is supported by OpenSSL itself and has functional PKCS#11
++library.
++
++The patch contains "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++(Cryptoki)" - files cryptoki.h, pkcs11.h, pkcs11f.h and pkcs11t.h which are
++copyrighted by RSA Security Inc., see pkcs11.h for more information.
++
++Other added/modified code in this patch is copyrighted by Sun Microsystems,
++Inc. and is released under the OpenSSL license (see LICENSE file for more
++information).
++
++Revisions of the patch for 0.9.8 branch
++=======================================
++
++2009-03-11
++- adjusted for OpenSSL version 0.9.8j
++
++- README.pkcs11 moved out of the patch, and is shipped together with it in a
++ tarball instead so that it can be read before the patch is applied.
++
++- fixed bugs:
++
++ 6804216 pkcs#11 engine should support a key length range for RC4
++ 6734038 Apache SSL web server using the pkcs11 engine fails to start if
++ meta slot is disabled
++
++2008-12-02
++- fixed bugs and RFEs (most of the work done by Vladimir Kotal)
++
++ 6723504 more granular locking in PKCS#11 engine
++ 6667128 CRYPTO_LOCK_PK11_ENGINE assumption does not hold true
++ 6710420 PKCS#11 engine source should be lint clean
++ 6747327 PKCS#11 engine atfork handlers need to be aware of guys who take
++ it seriously
++ 6746712 PKCS#11 engine source code should be cstyle clean
++ 6731380 return codes of several functions are not checked in the PKCS#11
++ engine code
++ 6746735 PKCS#11 engine should use extended FILE space API
++ 6734038 Apache SSL web server using the pkcs11 engine fails to start if
++ meta slot is disabled
++
++2008-08-01
++- fixed bug
++
++ 6731839 OpenSSL PKCS#11 engine no longer uses n2cp for symmetric ciphers
++ and digests
++
++- Solaris specific code for slot selection made automatic
++
++2008-07-29
++- update the patch to OpenSSL 0.9.8h version
++- pkcs11t.h updated to the latest version:
++
++ 6545665 make CKM_AES_CTR available to non-kernel users
++
++- fixed bugs in the engine code:
++
++ 6602801 PK11_SESSION cache has to employ reference counting scheme for
++ asymmetric key operations
++ 6605538 pkcs11 functions C_FindObjects[{Init,Final}]() not called
++ atomically
++ 6607307 pkcs#11 engine can't read RSA private keys
++ 6652362 pk11_RSA_finish() is cutting corners
++ 6662112 pk11_destroy_{rsa,dsa,dh}_key_objects() use locking in
++ suboptimal way
++ 6666625 pk11_destroy_{rsa,dsa,dh}_key_objects() should be more
++ resilient to destroy failures
++ 6667273 OpenSSL engine should not use free() but OPENSSL_free()
++ 6670363 PKCS#11 engine fails to reuse existing symmetric keys
++ 6678135 memory corruption in pk11_DH_generate_key() in pkcs#11 engine
++ 6678503 DSA signature conversion in pk11_dsa_do_verify() ignores size
++ of big numbers leading to failures
++ 6706562 pk11_DH_compute_key() returns 0 in case of failure instead of
++ -1
++ 6706622 pk11_load_{pub,priv}key create corrupted RSA key references
++ 6707129 return values from BN_new() in pk11_DH_generate_key() are not
++ checked
++ 6707274 DSA/RSA/DH PKCS#11 engine operations need to be resistant to
++ structure reuse
++ 6707782 OpenSSL PKCS#11 engine pretends to be aware of
++ OPENSSL_NO_{RSA,DSA,DH}
++ defines but fails miserably
++ 6709966 make check_new_*() to return values to indicate cache hit/miss
++ 6705200 pk11_dh struct initialization in PKCS#11 engine is missing
++ generate_params parameter
++ 6709513 PKCS#11 engine sets IV length even for ECB modes
++ 6728296 buffer length not initialized for C_(En|De)crypt_Final() in the
++ PKCS#11 engine
++ 6728871 PKCS#11 engine must reset global_session in pk11_finish()
++
++- new features and enhancements:
++
++ 6562155 OpenSSL pkcs#11 engine needs support for SHA224/256/384/512
++ 6685012 OpenSSL pkcs#11 engine needs support for new cipher modes
++ 6725903 OpenSSL PKCS#11 engine shouldn't use soft token for symmetric
++ ciphers and digests
++
++2007-10-15
++- update for 0.9.8f version
++- update for "6607670 teach pkcs#11 engine how to use keys be reference"
++
++2007-10-02
++- draft for "6607670 teach pkcs#11 engine how to use keys be reference"
++- draft for "6607307 pkcs#11 engine can't read RSA private keys"
++
++2007-09-26
++- 6375348 Using pkcs11 as the SSLCryptoDevice with Apache/OpenSSL causes
++ significant performance drop
++- 6573196 memory is leaked when OpenSSL is used with PKCS#11 engine
++
++2007-05-25
++- 6558630 race in OpenSSL pkcs11 engine when using symetric block ciphers
++
++2007-05-19
++- initial patch for 0.9.8e using latest OpenSolaris code
++
++FAQs
++====
++
++(1) my build failed on Linux distro with this error:
++
++../libcrypto.a(hw_pk11.o): In function `pk11_library_init':
++hw_pk11.c:(.text+0x20f5): undefined reference to `pthread_atfork'
++
++ - don't use "no-threads" when configuring
++ - if you didn't then OpenSSL failed to create a threaded library by
++ default. You may manually edit Configure and try again. Look for the
++ architecture that Configure printed, for example:
++
++Configured for linux-elf.
++
++ - then edit Configure, find string "linux-elf" (inluding the quotes),
++ and add flags to support threads to the 4th column of the 2nd string.
++ If you build with GCC then adding "-pthread" should be enough. With
++ "linux-elf" as an example, you would add " -pthread" right after
++ "-D_REENTRANT", like this:
++
++....-O3 -fomit-frame-pointer -Wall::-D_REENTRANT -pthread::-ldl:.....
++
++
++Feedback
++========
++
++Please send feedback to security-discuss@opensolaris.org. The patch was
++created by Jan.Pechanec@Sun.COM from code available in OpenSolaris.
++
++Latest version should be always available on http://blogs.sun.com/janp.
++
+Index: openssl/crypto/opensslconf.h
+diff -u openssl/crypto/opensslconf.h:1.1.3.1 openssl/crypto/opensslconf.h:1.5
+--- openssl/crypto/opensslconf.h:1.1.3.1 Wed Mar 25 13:11:43 2009
++++ openssl/crypto/opensslconf.h Fri Sep 4 10:43:21 2009
+@@ -38,6 +38,9 @@
+
+ #endif /* OPENSSL_DOING_MAKEDEPEND */
+
++#ifndef OPENSSL_THREADS
++# define OPENSSL_THREADS
++#endif
+ #ifndef OPENSSL_NO_DYNAMIC_ENGINE
+ # define OPENSSL_NO_DYNAMIC_ENGINE
+ #endif
+@@ -79,6 +82,8 @@
+ # endif
+ #endif
+
++#define OPENSSL_CPUID_OBJ
++
+ /* crypto/opensslconf.h.in */
+
+ #ifdef OPENSSL_DOING_MAKEDEPEND
+@@ -140,7 +145,7 @@
+ * This enables code handling data aligned at natural CPU word
+ * boundary. See crypto/rc4/rc4_enc.c for further details.
+ */
+-#undef RC4_CHUNK
++#define RC4_CHUNK unsigned long
+ #endif
+ #endif
+
+@@ -148,7 +153,7 @@
+ /* If this is set to 'unsigned int' on a DEC Alpha, this gives about a
+ * %20 speed up (longs are 8 bytes, int's are 4). */
+ #ifndef DES_LONG
+-#define DES_LONG unsigned long
++#define DES_LONG unsigned int
+ #endif
+ #endif
+
+@@ -162,9 +167,9 @@
+ /* The prime number generation stuff may not work when
+ * EIGHT_BIT but I don't care since I've only used this mode
+ * for debuging the bignum libraries */
+-#undef SIXTY_FOUR_BIT_LONG
++#define SIXTY_FOUR_BIT_LONG
+ #undef SIXTY_FOUR_BIT
+-#define THIRTY_TWO_BIT
++#undef THIRTY_TWO_BIT
+ #undef SIXTEEN_BIT
+ #undef EIGHT_BIT
+ #endif
+@@ -178,7 +183,7 @@
+
+ #if defined(HEADER_BF_LOCL_H) && !defined(CONFIG_HEADER_BF_LOCL_H)
+ #define CONFIG_HEADER_BF_LOCL_H
+-#undef BF_PTR
++#define BF_PTR2
+ #endif /* HEADER_BF_LOCL_H */
+
+ #if defined(HEADER_DES_LOCL_H) && !defined(CONFIG_HEADER_DES_LOCL_H)
+@@ -208,7 +213,7 @@
+ /* Unroll the inner loop, this sometimes helps, sometimes hinders.
+ * Very mucy CPU dependant */
+ #ifndef DES_UNROLL
+-#undef DES_UNROLL
++#define DES_UNROLL
+ #endif
+
+ /* These default values were supplied by
+Index: openssl/crypto/engine/Makefile
+diff -u openssl/crypto/engine/Makefile:1.1.3.1 openssl/crypto/engine/Makefile:1.5
+--- openssl/crypto/engine/Makefile:1.1.3.1 Wed Sep 17 17:10:59 2008
++++ openssl/crypto/engine/Makefile Mon Oct 5 13:16:50 2009
+@@ -21,12 +21,14 @@
+ eng_table.c eng_pkey.c eng_fat.c eng_all.c \
+ tb_rsa.c tb_dsa.c tb_ecdsa.c tb_dh.c tb_ecdh.c tb_rand.c tb_store.c \
+ tb_cipher.c tb_digest.c \
+- eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c
++ eng_openssl.c eng_cnf.c eng_dyn.c eng_cryptodev.c eng_padlock.c \
++ hw_pk11.c hw_pk11_pub.c hw_pk11so.c hw_pk11so_pub.c
+ LIBOBJ= eng_err.o eng_lib.o eng_list.o eng_init.o eng_ctrl.o \
+ eng_table.o eng_pkey.o eng_fat.o eng_all.o \
+ tb_rsa.o tb_dsa.o tb_ecdsa.o tb_dh.o tb_ecdh.o tb_rand.o tb_store.o \
+ tb_cipher.o tb_digest.o \
+- eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o
++ eng_openssl.o eng_cnf.o eng_dyn.o eng_cryptodev.o eng_padlock.o \
++ hw_pk11.o hw_pk11_pub.o hw_pk11so.o hw_pk11so_pub.o
+
+ SRC= $(LIBSRC)
+
+@@ -286,6 +288,102 @@
+ eng_table.o: ../../include/openssl/symhacks.h ../../include/openssl/x509.h
+ eng_table.o: ../../include/openssl/x509_vfy.h ../cryptlib.h eng_int.h
+ eng_table.o: eng_table.c
++hw_pk11.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
++hw_pk11.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
++hw_pk11.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
++hw_pk11.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++hw_pk11.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
++hw_pk11.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
++hw_pk11.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
++hw_pk11.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
++hw_pk11.o: ../../include/openssl/ui.h ../../include/openssl/err.h
++hw_pk11.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
++hw_pk11.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
++hw_pk11.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
++hw_pk11.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
++hw_pk11.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
++hw_pk11.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
++hw_pk11.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
++hw_pk11.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
++hw_pk11.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
++hw_pk11.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
++hw_pk11.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
++hw_pk11.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
++hw_pk11.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
++hw_pk11.o: ../../include/openssl/pem2.h ../cryptlib.h
++hw_pk11.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11.c
++hw_pk11_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
++hw_pk11_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
++hw_pk11_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
++hw_pk11_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++hw_pk11_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
++hw_pk11_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
++hw_pk11_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
++hw_pk11_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
++hw_pk11_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
++hw_pk11_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
++hw_pk11_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
++hw_pk11_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
++hw_pk11_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
++hw_pk11_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
++hw_pk11_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
++hw_pk11_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
++hw_pk11_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
++hw_pk11_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
++hw_pk11_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
++hw_pk11_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
++hw_pk11_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
++hw_pk11_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
++hw_pk11_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
++hw_pk11_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11_pub.c
++hw_pk11so.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
++hw_pk11so.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
++hw_pk11so.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
++hw_pk11so.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++hw_pk11so.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
++hw_pk11so.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
++hw_pk11so.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
++hw_pk11so.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
++hw_pk11so.o: ../../include/openssl/ui.h ../../include/openssl/err.h
++hw_pk11so.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
++hw_pk11so.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
++hw_pk11so.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
++hw_pk11so.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
++hw_pk11so.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
++hw_pk11so.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
++hw_pk11so.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
++hw_pk11so.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
++hw_pk11so.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
++hw_pk11so.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
++hw_pk11so.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
++hw_pk11so.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
++hw_pk11so.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
++hw_pk11so.o: ../../include/openssl/pem2.h ../cryptlib.h
++hw_pk11so.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so.c
++hw_pk11so_pub.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
++hw_pk11so_pub.o: ../../include/openssl/engine.h ../../include/openssl/ossl_typ.h
++hw_pk11so_pub.o: ../../include/openssl/bn.h ../../include/openssl/rsa.h
++hw_pk11so_pub.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
++hw_pk11so_pub.o: ../../include/openssl/crypto.h ../../include/openssl/stack.h
++hw_pk11so_pub.o: ../../include/openssl/safestack.h ../../include/openssl/opensslv.h
++hw_pk11so_pub.o: ../../include/openssl/symhacks.h ../../include/openssl/dsa.h
++hw_pk11so_pub.o: ../../include/openssl/dh.h ../../include/openssl/rand.h
++hw_pk11so_pub.o: ../../include/openssl/ui.h ../../include/openssl/err.h
++hw_pk11so_pub.o: ../../include/openssl/lhash.h ../../include/openssl/dso.h
++hw_pk11so_pub.o: ../../include/openssl/pem.h ../../include/openssl/evp.h
++hw_pk11so_pub.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
++hw_pk11so_pub.o: ../../include/openssl/md5.h ../../include/openssl/sha.h
++hw_pk11so_pub.o: ../../include/openssl/ripemd.h ../../include/openssl/des.h
++hw_pk11so_pub.o: ../../include/openssl/des_old.h ../../include/openssl/ui_compat.h
++hw_pk11so_pub.o: ../../include/openssl/rc4.h ../../include/openssl/rc2.h
++hw_pk11so_pub.o: ../../crypto/rc5/rc5.h ../../include/openssl/blowfish.h
++hw_pk11so_pub.o: ../../include/openssl/cast.h ../../include/openssl/idea.h
++hw_pk11so_pub.o: ../../crypto/mdc2/mdc2.h ../../include/openssl/aes.h
++hw_pk11so_pub.o: ../../include/openssl/objects.h ../../include/openssl/obj_mac.h
++hw_pk11so_pub.o: ../../include/openssl/x509.h ../../include/openssl/buffer.h
++hw_pk11so_pub.o: ../../include/openssl/x509_vfy.h ../../include/openssl/pkcs7.h
++hw_pk11so_pub.o: ../../include/openssl/pem2.h ../cryptlib.h
++hw_pk11so_pub.o: ../../e_os.h hw_pk11_err.c hw_pk11_err.h hw_pk11so_pub.c
+ tb_cipher.o: ../../e_os.h ../../include/openssl/asn1.h
+ tb_cipher.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+ tb_cipher.o: ../../include/openssl/crypto.h ../../include/openssl/e_os2.h
+Index: openssl/crypto/engine/cryptoki.h
+diff -u /dev/null openssl/crypto/engine/cryptoki.h:1.4
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/cryptoki.h Thu Dec 18 00:14:12 2008
+@@ -0,0 +1,103 @@
++/*
++ * CDDL HEADER START
++ *
++ * The contents of this file are subject to the terms of the
++ * Common Development and Distribution License, Version 1.0 only
++ * (the "License"). You may not use this file except in compliance
++ * with the License.
++ *
++ * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
++ * or http://www.opensolaris.org/os/licensing.
++ * See the License for the specific language governing permissions
++ * and limitations under the License.
++ *
++ * When distributing Covered Code, include this CDDL HEADER in each
++ * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
++ * If applicable, add the following below this CDDL HEADER, with the
++ * fields enclosed by brackets "[]" replaced with your own identifying
++ * information: Portions Copyright [yyyy] [name of copyright owner]
++ *
++ * CDDL HEADER END
++ */
++/*
++ * Copyright 2003 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++#ifndef _CRYPTOKI_H
++#define _CRYPTOKI_H
++
++/* ident "@(#)cryptoki.h 1.2 05/06/08 SMI" */
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++#ifndef CK_PTR
++#define CK_PTR *
++#endif
++
++#ifndef CK_DEFINE_FUNCTION
++#define CK_DEFINE_FUNCTION(returnType, name) returnType name
++#endif
++
++#ifndef CK_DECLARE_FUNCTION
++#define CK_DECLARE_FUNCTION(returnType, name) returnType name
++#endif
++
++#ifndef CK_DECLARE_FUNCTION_POINTER
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) returnType (* name)
++#endif
++
++#ifndef CK_CALLBACK_FUNCTION
++#define CK_CALLBACK_FUNCTION(returnType, name) returnType (* name)
++#endif
++
++#ifndef NULL_PTR
++#include <unistd.h> /* For NULL */
++#define NULL_PTR NULL
++#endif
++
++/*
++ * pkcs11t.h defines TRUE and FALSE in a way that upsets lint
++ */
++#ifndef CK_DISABLE_TRUE_FALSE
++#define CK_DISABLE_TRUE_FALSE
++#ifndef TRUE
++#define TRUE 1
++#endif /* TRUE */
++#ifndef FALSE
++#define FALSE 0
++#endif /* FALSE */
++#endif /* CK_DISABLE_TRUE_FALSE */
++
++#undef CK_PKCS11_FUNCTION_INFO
++
++#include "pkcs11.h"
++
++/* Solaris specific functions */
++
++#include <stdlib.h>
++
++/*
++ * SUNW_C_GetMechSession will initialize the framework and do all
++ * the necessary PKCS#11 calls to create a session capable of
++ * providing operations on the requested mechanism
++ */
++CK_RV SUNW_C_GetMechSession(CK_MECHANISM_TYPE mech,
++ CK_SESSION_HANDLE_PTR hSession);
++
++/*
++ * SUNW_C_KeyToObject will create a secret key object for the given
++ * mechanism from the rawkey data.
++ */
++CK_RV SUNW_C_KeyToObject(CK_SESSION_HANDLE hSession,
++ CK_MECHANISM_TYPE mech, const void *rawkey, size_t rawkey_len,
++ CK_OBJECT_HANDLE_PTR obj);
++
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif /* _CRYPTOKI_H */
+Index: openssl/crypto/engine/eng_all.c
+diff -u openssl/crypto/engine/eng_all.c:1.1.3.1 openssl/crypto/engine/eng_all.c:1.3
+--- openssl/crypto/engine/eng_all.c:1.1.3.1 Wed Jun 4 18:01:39 2008
++++ openssl/crypto/engine/eng_all.c Mon Oct 5 13:16:50 2009
+@@ -110,6 +110,14 @@
+ #if defined(OPENSSL_SYS_WIN32) && !defined(OPENSSL_NO_CAPIENG)
+ ENGINE_load_capi();
+ #endif
++#ifndef OPENSSL_NO_HW_PKCS11
++#ifndef OPENSSL_NO_HW_PKCS11CA
++ ENGINE_load_pk11ca();
++#endif
++#ifndef OPENSSL_NO_HW_PKCS11SO
++ ENGINE_load_pk11so();
++#endif
++#endif
+ #endif
+ }
+
+Index: openssl/crypto/engine/eng_list.c
+diff -u openssl/crypto/engine/eng_list.c:1.1.3.1 openssl/crypto/engine/eng_list.c:1.2
+--- openssl/crypto/engine/eng_list.c:1.1.3.1 Sat Aug 6 10:34:35 2005
++++ openssl/crypto/engine/eng_list.c Mon Oct 5 13:16:50 2009
+@@ -408,7 +408,11 @@
+ !ENGINE_ctrl_cmd_string(iterator, "DIR_ADD",
+ load_dir, 0) ||
+ !ENGINE_ctrl_cmd_string(iterator, "LOAD", NULL, 0))
++ {
++ if (iterator)
++ ENGINE_free(iterator);
+ goto notfound;
++ }
+ return iterator;
+ }
+ notfound:
+Index: openssl/crypto/engine/engine.h
+diff -u openssl/crypto/engine/engine.h:1.1.3.1 openssl/crypto/engine/engine.h:1.3
+--- openssl/crypto/engine/engine.h:1.1.3.1 Wed Jun 4 18:01:40 2008
++++ openssl/crypto/engine/engine.h Mon Oct 5 13:16:50 2009
+@@ -337,6 +337,12 @@
+ void ENGINE_load_ubsec(void);
+ #endif
+ void ENGINE_load_cryptodev(void);
++#ifndef OPENSSL_NO_HW_PKCS11CA
++void ENGINE_load_pk11ca(void);
++#endif
++#ifndef OPENSSL_NO_HW_PKCS11SO
++void ENGINE_load_pk11so(void);
++#endif
+ void ENGINE_load_padlock(void);
+ void ENGINE_load_builtin_engines(void);
+ #ifndef OPENSSL_NO_CAPIENG
+Index: openssl/crypto/engine/hw_pk11.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11.c:1.26
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11.c Mon Oct 5 13:16:50 2009
+@@ -0,0 +1,3927 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/types.h>
++
++#include <openssl/e_os2.h>
++#include <openssl/crypto.h>
++#include <cryptlib.h>
++#include <openssl/engine.h>
++#include <openssl/dso.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/md5.h>
++#include <openssl/pem.h>
++#ifndef OPENSSL_NO_RSA
++#include <openssl/rsa.h>
++#endif
++#ifndef OPENSSL_NO_DSA
++#include <openssl/dsa.h>
++#endif
++#ifndef OPENSSL_NO_DH
++#include <openssl/dh.h>
++#endif
++#include <openssl/rand.h>
++#include <openssl/objects.h>
++#include <openssl/x509.h>
++#include <openssl/aes.h>
++
++#ifdef OPENSSL_SYS_WIN32
++typedef int pid_t;
++#define getpid() GetCurrentProcessId()
++#define NOPTHREADS
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++ returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++ returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ returnType __declspec(dllimport) (* name)
++#else
++#include <signal.h>
++#include <unistd.h>
++#include <dlfcn.h>
++#endif
++
++#ifndef NOPTHREADS
++#include <pthread.h>
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11CA
++
++/* label for debug messages printed on stderr */
++#define PK11_DBG "PKCS#11 ENGINE DEBUG"
++/* prints a lot of debug messages on stderr about slot selection process */
++/* #undef DEBUG_SLOT_SELECTION */
++/*
++ * Solaris specific code. See comment at check_hw_mechanisms() for more
++ * information.
++ */
++#if defined (__SVR4) && defined (__sun)
++#undef SOLARIS_HW_SLOT_SELECTION
++#endif
++
++/*
++ * AES counter mode is not supported in the OpenSSL EVP API yet and neither
++ * there are official OIDs for mechanisms based on this mode. With our changes,
++ * an application can define its own EVP calls for AES counter mode and then
++ * it can make use of hardware acceleration through this engine. However, it's
++ * better if we keep AES CTR support code under ifdef's.
++ */
++#define SOLARIS_AES_CTR
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11ca.h"
++#include "hw_pk11_err.c"
++
++#ifdef SOLARIS_AES_CTR
++/*
++ * NIDs for AES counter mode that will be defined during the engine
++ * initialization.
++ */
++static int NID_aes_128_ctr = NID_undef;
++static int NID_aes_192_ctr = NID_undef;
++static int NID_aes_256_ctr = NID_undef;
++#endif /* SOLARIS_AES_CTR */
++
++#ifdef SOLARIS_HW_SLOT_SELECTION
++/*
++ * Tables for symmetric ciphers and digest mechs found in the pkcs11_kernel
++ * library. See comment at check_hw_mechanisms() for more information.
++ */
++static int *hw_cnids;
++static int *hw_dnids;
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++
++/* PKCS#11 session caches and their locks for all operation types */
++static PK11_CACHE session_cache[OP_MAX];
++
++/*
++ * As stated in v2.20, 11.7 Object Management Function, in section for
++ * C_FindObjectsInit(), at most one search operation may be active at a given
++ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
++ * grouped together to form one atomic search operation. This is already
++ * ensured by the property of unique PKCS#11 session handle used for each
++ * PK11_SESSION object.
++ *
++ * This is however not the biggest concern - maintaining consistency of the
++ * underlying object store is more important. The same section of the spec also
++ * says that one thread can be in the middle of a search operation while another
++ * thread destroys the object matching the search template which would result in
++ * invalid handle returned from the search operation.
++ *
++ * Hence, the following locks are used for both protection of the object stores.
++ * They are also used for active list protection.
++ */
++#ifndef NOPTHREADS
++pthread_mutex_t *find_lock[OP_MAX] = { NULL };
++#endif
++
++/*
++ * lists of asymmetric key handles which are active (referenced by at least one
++ * PK11_SESSION structure, either held by a thread or present in free_session
++ * list) for given algorithm type
++ */
++PK11_active *active_list[OP_MAX] = { NULL };
++
++/*
++ * Create all secret key objects in a global session so that they are available
++ * to use for other sessions. These other sessions may be opened or closed
++ * without losing the secret key objects.
++ */
++static CK_SESSION_HANDLE global_session = CK_INVALID_HANDLE;
++
++/* ENGINE level stuff */
++static int pk11_init(ENGINE *e);
++static int pk11_library_init(ENGINE *e);
++static int pk11_finish(ENGINE *e);
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
++static int pk11_destroy(ENGINE *e);
++
++/* RAND stuff */
++static void pk11_rand_seed(const void *buf, int num);
++static void pk11_rand_add(const void *buf, int num, double add_entropy);
++static void pk11_rand_cleanup(void);
++static int pk11_rand_bytes(unsigned char *buf, int num);
++static int pk11_rand_status(void);
++
++/* These functions are also used in other files */
++PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++/* active list manipulation functions used in this file */
++extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
++extern void pk11_free_active_list(PK11_OPTYPE type);
++
++#ifndef OPENSSL_NO_RSA
++int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++#endif
++#ifndef OPENSSL_NO_DSA
++int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++#endif
++#ifndef OPENSSL_NO_DH
++int pk11_destroy_dh_key_objects(PK11_SESSION *session);
++int pk11_destroy_dh_object(PK11_SESSION *session, CK_BBOOL uselock);
++#endif
++
++/* Local helper functions */
++static int pk11_free_all_sessions(void);
++static int pk11_free_session_list(PK11_OPTYPE optype);
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++static int pk11_destroy_cipher_key_objects(PK11_SESSION *session);
++static int pk11_destroy_object(CK_SESSION_HANDLE session,
++ CK_OBJECT_HANDLE oh);
++static const char *get_PK11_LIBNAME(void);
++static void free_PK11_LIBNAME(void);
++static long set_PK11_LIBNAME(const char *name);
++
++/* Symmetric cipher and digest support functions */
++static int cipher_nid_to_pk11(int nid);
++#ifdef SOLARIS_AES_CTR
++static int pk11_add_NID(char *sn, char *ln);
++static int pk11_add_aes_ctr_NIDs(void);
++#endif /* SOLARIS_AES_CTR */
++static int pk11_usable_ciphers(const int **nids);
++static int pk11_usable_digests(const int **nids);
++static int pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc);
++static int pk11_cipher_final(PK11_SESSION *sp);
++static int pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, unsigned int inl);
++static int pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx);
++static int pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
++ const int **nids, int nid);
++static int pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
++ const int **nids, int nid);
++static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
++ const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp);
++static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
++ int key_len);
++static int md_nid_to_pk11(int nid);
++static int pk11_digest_init(EVP_MD_CTX *ctx);
++static int pk11_digest_update(EVP_MD_CTX *ctx, const void *data,
++ size_t count);
++static int pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md);
++static int pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from);
++static int pk11_digest_cleanup(EVP_MD_CTX *ctx);
++
++static int pk11_choose_slots(int *any_slot_found);
++static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
++ CK_SLOT_ID current_slot, int *current_slot_n_cipher,
++ int *local_cipher_nids);
++static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
++ CK_SLOT_ID current_slot, int *current_slot_n_digest,
++ int *local_digest_nids);
++static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR, int slot_id,
++ CK_MECHANISM_TYPE mech, int *current_slot_n_cipher, int *local_cipher_nids,
++ int id);
++static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
++ CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
++ int id);
++
++static int pk11_init_all_locks(void);
++static void pk11_free_all_locks(void);
++
++#ifdef SOLARIS_HW_SLOT_SELECTION
++static int check_hw_mechanisms(void);
++static int nid_in_table(int nid, int *nid_table);
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++
++/* Index for the supported ciphers */
++enum pk11_cipher_id {
++ PK11_DES_CBC,
++ PK11_DES3_CBC,
++ PK11_DES_ECB,
++ PK11_DES3_ECB,
++ PK11_RC4,
++ PK11_AES_128_CBC,
++ PK11_AES_192_CBC,
++ PK11_AES_256_CBC,
++ PK11_AES_128_ECB,
++ PK11_AES_192_ECB,
++ PK11_AES_256_ECB,
++ PK11_BLOWFISH_CBC,
++#ifdef SOLARIS_AES_CTR
++ PK11_AES_128_CTR,
++ PK11_AES_192_CTR,
++ PK11_AES_256_CTR,
++#endif /* SOLARIS_AES_CTR */
++ PK11_CIPHER_MAX
++};
++
++/* Index for the supported digests */
++enum pk11_digest_id {
++ PK11_MD5,
++ PK11_SHA1,
++ PK11_SHA224,
++ PK11_SHA256,
++ PK11_SHA384,
++ PK11_SHA512,
++ PK11_DIGEST_MAX
++};
++
++#define TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type) \
++ { \
++ if (uselock) \
++ LOCK_OBJSTORE(alg_type); \
++ if (pk11_active_delete(obj_hdl, alg_type) == 1) \
++ { \
++ retval = pk11_destroy_object(sess_hdl, obj_hdl); \
++ } \
++ if (uselock) \
++ UNLOCK_OBJSTORE(alg_type); \
++ }
++
++#define TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type) \
++ { \
++ if (uselock) \
++ LOCK_OBJSTORE(alg_type); \
++ (void) pk11_active_delete(obj_hdl, alg_type); \
++ if (uselock) \
++ UNLOCK_OBJSTORE(alg_type); \
++ }
++
++static int cipher_nids[PK11_CIPHER_MAX];
++static int digest_nids[PK11_DIGEST_MAX];
++static int cipher_count = 0;
++static int digest_count = 0;
++static CK_BBOOL pk11_have_rsa = CK_FALSE;
++static CK_BBOOL pk11_have_recover = CK_FALSE;
++static CK_BBOOL pk11_have_dsa = CK_FALSE;
++static CK_BBOOL pk11_have_dh = CK_FALSE;
++static CK_BBOOL pk11_have_random = CK_FALSE;
++
++typedef struct PK11_CIPHER_st
++ {
++ enum pk11_cipher_id id;
++ int nid;
++ int iv_len;
++ int min_key_len;
++ int max_key_len;
++ CK_KEY_TYPE key_type;
++ CK_MECHANISM_TYPE mech_type;
++ } PK11_CIPHER;
++
++static PK11_CIPHER ciphers[] =
++ {
++ { PK11_DES_CBC, NID_des_cbc, 8, 8, 8,
++ CKK_DES, CKM_DES_CBC, },
++ { PK11_DES3_CBC, NID_des_ede3_cbc, 8, 24, 24,
++ CKK_DES3, CKM_DES3_CBC, },
++ { PK11_DES_ECB, NID_des_ecb, 0, 8, 8,
++ CKK_DES, CKM_DES_ECB, },
++ { PK11_DES3_ECB, NID_des_ede3_ecb, 0, 24, 24,
++ CKK_DES3, CKM_DES3_ECB, },
++ { PK11_RC4, NID_rc4, 0, 16, 256,
++ CKK_RC4, CKM_RC4, },
++ { PK11_AES_128_CBC, NID_aes_128_cbc, 16, 16, 16,
++ CKK_AES, CKM_AES_CBC, },
++ { PK11_AES_192_CBC, NID_aes_192_cbc, 16, 24, 24,
++ CKK_AES, CKM_AES_CBC, },
++ { PK11_AES_256_CBC, NID_aes_256_cbc, 16, 32, 32,
++ CKK_AES, CKM_AES_CBC, },
++ { PK11_AES_128_ECB, NID_aes_128_ecb, 0, 16, 16,
++ CKK_AES, CKM_AES_ECB, },
++ { PK11_AES_192_ECB, NID_aes_192_ecb, 0, 24, 24,
++ CKK_AES, CKM_AES_ECB, },
++ { PK11_AES_256_ECB, NID_aes_256_ecb, 0, 32, 32,
++ CKK_AES, CKM_AES_ECB, },
++ { PK11_BLOWFISH_CBC, NID_bf_cbc, 8, 16, 16,
++ CKK_BLOWFISH, CKM_BLOWFISH_CBC, },
++#ifdef SOLARIS_AES_CTR
++ /* we don't know the correct NIDs until the engine is initialized */
++ { PK11_AES_128_CTR, NID_undef, 16, 16, 16,
++ CKK_AES, CKM_AES_CTR, },
++ { PK11_AES_192_CTR, NID_undef, 16, 24, 24,
++ CKK_AES, CKM_AES_CTR, },
++ { PK11_AES_256_CTR, NID_undef, 16, 32, 32,
++ CKK_AES, CKM_AES_CTR, },
++#endif /* SOLARIS_AES_CTR */
++ };
++
++typedef struct PK11_DIGEST_st
++ {
++ enum pk11_digest_id id;
++ int nid;
++ CK_MECHANISM_TYPE mech_type;
++ } PK11_DIGEST;
++
++static PK11_DIGEST digests[] =
++ {
++ {PK11_MD5, NID_md5, CKM_MD5, },
++ {PK11_SHA1, NID_sha1, CKM_SHA_1, },
++ {PK11_SHA224, NID_sha224, CKM_SHA224, },
++ {PK11_SHA256, NID_sha256, CKM_SHA256, },
++ {PK11_SHA384, NID_sha384, CKM_SHA384, },
++ {PK11_SHA512, NID_sha512, CKM_SHA512, },
++ {0, NID_undef, 0xFFFF, },
++ };
++
++/*
++ * Structure to be used for the cipher_data/md_data in
++ * EVP_CIPHER_CTX/EVP_MD_CTX structures in order to use the same pk11
++ * session in multiple cipher_update calls
++ */
++typedef struct PK11_CIPHER_STATE_st
++ {
++ PK11_SESSION *sp;
++ } PK11_CIPHER_STATE;
++
++
++/*
++ * libcrypto EVP stuff - this is how we get wired to EVP so the engine gets
++ * called when libcrypto requests a cipher NID.
++ *
++ * Note how the PK11_CIPHER_STATE is used here.
++ */
++
++/* DES CBC EVP */
++static const EVP_CIPHER pk11_des_cbc =
++ {
++ NID_des_cbc,
++ 8, 8, 8,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++/* 3DES CBC EVP */
++static const EVP_CIPHER pk11_3des_cbc =
++ {
++ NID_des_ede3_cbc,
++ 8, 24, 8,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++/*
++ * ECB modes don't use an Initial Vector so that's why set_asn1_parameters and
++ * get_asn1_parameters fields are set to NULL.
++ */
++static const EVP_CIPHER pk11_des_ecb =
++ {
++ NID_des_ecb,
++ 8, 8, 8,
++ EVP_CIPH_ECB_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ NULL,
++ NULL,
++ NULL
++ };
++
++static const EVP_CIPHER pk11_3des_ecb =
++ {
++ NID_des_ede3_ecb,
++ 8, 24, 8,
++ EVP_CIPH_ECB_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ NULL,
++ NULL,
++ NULL
++ };
++
++
++static const EVP_CIPHER pk11_aes_128_cbc =
++ {
++ NID_aes_128_cbc,
++ 16, 16, 16,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++static const EVP_CIPHER pk11_aes_192_cbc =
++ {
++ NID_aes_192_cbc,
++ 16, 24, 16,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++static const EVP_CIPHER pk11_aes_256_cbc =
++ {
++ NID_aes_256_cbc,
++ 16, 32, 16,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++/*
++ * ECB modes don't use IV so that's why set_asn1_parameters and
++ * get_asn1_parameters are set to NULL.
++ */
++static const EVP_CIPHER pk11_aes_128_ecb =
++ {
++ NID_aes_128_ecb,
++ 16, 16, 0,
++ EVP_CIPH_ECB_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ NULL,
++ NULL,
++ NULL
++ };
++
++static const EVP_CIPHER pk11_aes_192_ecb =
++ {
++ NID_aes_192_ecb,
++ 16, 24, 0,
++ EVP_CIPH_ECB_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ NULL,
++ NULL,
++ NULL
++ };
++
++static const EVP_CIPHER pk11_aes_256_ecb =
++ {
++ NID_aes_256_ecb,
++ 16, 32, 0,
++ EVP_CIPH_ECB_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ NULL,
++ NULL,
++ NULL
++ };
++
++#ifdef SOLARIS_AES_CTR
++/*
++ * NID_undef's will be changed to the AES counter mode NIDs as soon they are
++ * created in pk11_library_init(). Note that the need to change these structures
++ * is the reason why we don't define them with the const keyword.
++ */
++static EVP_CIPHER pk11_aes_128_ctr =
++ {
++ NID_undef,
++ 16, 16, 16,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++static EVP_CIPHER pk11_aes_192_ctr =
++ {
++ NID_undef,
++ 16, 24, 16,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++static EVP_CIPHER pk11_aes_256_ctr =
++ {
++ NID_undef,
++ 16, 32, 16,
++ EVP_CIPH_CBC_MODE,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++#endif /* SOLARIS_AES_CTR */
++
++static const EVP_CIPHER pk11_bf_cbc =
++ {
++ NID_bf_cbc,
++ 8, 16, 8,
++ EVP_CIPH_VARIABLE_LENGTH,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ EVP_CIPHER_set_asn1_iv,
++ EVP_CIPHER_get_asn1_iv,
++ NULL
++ };
++
++static const EVP_CIPHER pk11_rc4 =
++ {
++ NID_rc4,
++ 1, 16, 0,
++ EVP_CIPH_VARIABLE_LENGTH,
++ pk11_cipher_init,
++ pk11_cipher_do_cipher,
++ pk11_cipher_cleanup,
++ sizeof (PK11_CIPHER_STATE),
++ NULL,
++ NULL,
++ NULL
++ };
++
++static const EVP_MD pk11_md5 =
++ {
++ NID_md5,
++ NID_md5WithRSAEncryption,
++ MD5_DIGEST_LENGTH,
++ 0,
++ pk11_digest_init,
++ pk11_digest_update,
++ pk11_digest_final,
++ pk11_digest_copy,
++ pk11_digest_cleanup,
++ EVP_PKEY_RSA_method,
++ MD5_CBLOCK,
++ sizeof (PK11_CIPHER_STATE),
++ };
++
++static const EVP_MD pk11_sha1 =
++ {
++ NID_sha1,
++ NID_sha1WithRSAEncryption,
++ SHA_DIGEST_LENGTH,
++ 0,
++ pk11_digest_init,
++ pk11_digest_update,
++ pk11_digest_final,
++ pk11_digest_copy,
++ pk11_digest_cleanup,
++ EVP_PKEY_RSA_method,
++ SHA_CBLOCK,
++ sizeof (PK11_CIPHER_STATE),
++ };
++
++static const EVP_MD pk11_sha224 =
++ {
++ NID_sha224,
++ NID_sha224WithRSAEncryption,
++ SHA224_DIGEST_LENGTH,
++ 0,
++ pk11_digest_init,
++ pk11_digest_update,
++ pk11_digest_final,
++ pk11_digest_copy,
++ pk11_digest_cleanup,
++ EVP_PKEY_RSA_method,
++ /* SHA-224 uses the same cblock size as SHA-256 */
++ SHA256_CBLOCK,
++ sizeof (PK11_CIPHER_STATE),
++ };
++
++static const EVP_MD pk11_sha256 =
++ {
++ NID_sha256,
++ NID_sha256WithRSAEncryption,
++ SHA256_DIGEST_LENGTH,
++ 0,
++ pk11_digest_init,
++ pk11_digest_update,
++ pk11_digest_final,
++ pk11_digest_copy,
++ pk11_digest_cleanup,
++ EVP_PKEY_RSA_method,
++ SHA256_CBLOCK,
++ sizeof (PK11_CIPHER_STATE),
++ };
++
++static const EVP_MD pk11_sha384 =
++ {
++ NID_sha384,
++ NID_sha384WithRSAEncryption,
++ SHA384_DIGEST_LENGTH,
++ 0,
++ pk11_digest_init,
++ pk11_digest_update,
++ pk11_digest_final,
++ pk11_digest_copy,
++ pk11_digest_cleanup,
++ EVP_PKEY_RSA_method,
++ /* SHA-384 uses the same cblock size as SHA-512 */
++ SHA512_CBLOCK,
++ sizeof (PK11_CIPHER_STATE),
++ };
++
++static const EVP_MD pk11_sha512 =
++ {
++ NID_sha512,
++ NID_sha512WithRSAEncryption,
++ SHA512_DIGEST_LENGTH,
++ 0,
++ pk11_digest_init,
++ pk11_digest_update,
++ pk11_digest_final,
++ pk11_digest_copy,
++ pk11_digest_cleanup,
++ EVP_PKEY_RSA_method,
++ SHA512_CBLOCK,
++ sizeof (PK11_CIPHER_STATE),
++ };
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * The definitions for control commands specific to this engine
++ */
++#define PK11_CMD_SO_PATH ENGINE_CMD_BASE
++#define PK11_CMD_PIN (ENGINE_CMD_BASE+1)
++#define PK11_CMD_SLOT (ENGINE_CMD_BASE+2)
++static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
++ {
++ {
++ PK11_CMD_SO_PATH,
++ "SO_PATH",
++ "Specifies the path to the 'pkcs#11' shared library",
++ ENGINE_CMD_FLAG_STRING
++ },
++ {
++ PK11_CMD_PIN,
++ "PIN",
++ "Specifies the pin code",
++ ENGINE_CMD_FLAG_STRING
++ },
++ {
++ PK11_CMD_SLOT,
++ "SLOT",
++ "Specifies the slot (default is auto select)",
++ ENGINE_CMD_FLAG_NUMERIC,
++ },
++ {0, NULL, NULL, 0}
++ };
++
++
++static RAND_METHOD pk11_random =
++ {
++ pk11_rand_seed,
++ pk11_rand_bytes,
++ pk11_rand_cleanup,
++ pk11_rand_add,
++ pk11_rand_bytes,
++ pk11_rand_status
++ };
++
++
++/* Constants used when creating the ENGINE */
++#ifdef OPENSSL_NO_HW_PK11SO
++#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
++#endif
++static const char *engine_pk11_id = "pkcs11";
++static const char *engine_pk11_name =
++ "PKCS #11 engine support (crypto accelerator)";
++
++CK_FUNCTION_LIST_PTR pFuncList = NULL;
++static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
++
++/*
++ * These is the static string constant for the DSO file name and the function
++ * symbol names to bind to.
++ */
++static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
++
++static CK_BBOOL true = TRUE;
++static CK_BBOOL false = FALSE;
++static CK_SLOT_ID pubkey_SLOTID = 0;
++static CK_SLOT_ID rand_SLOTID = 0;
++static CK_SLOT_ID SLOTID = 0;
++char *pk11_pin = NULL;
++static CK_BBOOL pk11_library_initialized = FALSE;
++static CK_BBOOL pk11_atfork_initialized = FALSE;
++static int pk11_pid = 0;
++
++static DSO *pk11_dso = NULL;
++
++/* allocate and initialize all locks used by the engine itself */
++static int pk11_init_all_locks(void)
++ {
++#ifndef NOPTHREADS
++ int type;
++
++#ifndef OPENSSL_NO_RSA
++ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++ if (find_lock[OP_RSA] == NULL)
++ goto malloc_err;
++ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++#endif /* OPENSSL_NO_RSA */
++
++#ifndef OPENSSL_NO_DSA
++ find_lock[OP_DSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++ if (find_lock[OP_DSA] == NULL)
++ goto malloc_err;
++ (void) pthread_mutex_init(find_lock[OP_DSA], NULL);
++#endif /* OPENSSL_NO_DSA */
++
++#ifndef OPENSSL_NO_DH
++ find_lock[OP_DH] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++ if (find_lock[OP_DH] == NULL)
++ goto malloc_err;
++ (void) pthread_mutex_init(find_lock[OP_DH], NULL);
++#endif /* OPENSSL_NO_DH */
++
++ for (type = 0; type < OP_MAX; type++)
++ {
++ session_cache[type].lock =
++ OPENSSL_malloc(sizeof (pthread_mutex_t));
++ if (session_cache[type].lock == NULL)
++ goto malloc_err;
++ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ }
++
++ return (1);
++
++malloc_err:
++ pk11_free_all_locks();
++ PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
++ return (0);
++#else
++ return (1);
++#endif
++ }
++
++static void pk11_free_all_locks(void)
++ {
++#ifndef NOPTHREADS
++ int type;
++
++#ifndef OPENSSL_NO_RSA
++ if (find_lock[OP_RSA] != NULL)
++ {
++ (void) pthread_mutex_destroy(find_lock[OP_RSA]);
++ OPENSSL_free(find_lock[OP_RSA]);
++ find_lock[OP_RSA] = NULL;
++ }
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++ if (find_lock[OP_DSA] != NULL)
++ {
++ (void) pthread_mutex_destroy(find_lock[OP_DSA]);
++ OPENSSL_free(find_lock[OP_DSA]);
++ find_lock[OP_DSA] = NULL;
++ }
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++ if (find_lock[OP_DH] != NULL)
++ {
++ (void) pthread_mutex_destroy(find_lock[OP_DH]);
++ OPENSSL_free(find_lock[OP_DH]);
++ find_lock[OP_DH] = NULL;
++ }
++#endif /* OPENSSL_NO_DH */
++
++ for (type = 0; type < OP_MAX; type++)
++ {
++ if (session_cache[type].lock != NULL)
++ {
++ (void) pthread_mutex_destroy(session_cache[type].lock);
++ OPENSSL_free(session_cache[type].lock);
++ session_cache[type].lock = NULL;
++ }
++ }
++#endif
++ }
++
++/*
++ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
++ */
++static int bind_pk11(ENGINE *e)
++ {
++#ifndef OPENSSL_NO_RSA
++ const RSA_METHOD *rsa = NULL;
++ RSA_METHOD *pk11_rsa = PK11_RSA();
++#endif /* OPENSSL_NO_RSA */
++ if (!pk11_library_initialized)
++ if (!pk11_library_init(e))
++ return (0);
++
++ if (!ENGINE_set_id(e, engine_pk11_id) ||
++ !ENGINE_set_name(e, engine_pk11_name) ||
++ !ENGINE_set_ciphers(e, pk11_engine_ciphers) ||
++ !ENGINE_set_digests(e, pk11_engine_digests))
++ return (0);
++#ifndef OPENSSL_NO_RSA
++ if (pk11_have_rsa == CK_TRUE)
++ {
++ if (!ENGINE_set_RSA(e, PK11_RSA()) ||
++ !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
++ !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
++ return (0);
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ }
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++ if (pk11_have_dsa == CK_TRUE)
++ {
++ if (!ENGINE_set_DSA(e, PK11_DSA()))
++ return (0);
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: registered DSA\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ }
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++ if (pk11_have_dh == CK_TRUE)
++ {
++ if (!ENGINE_set_DH(e, PK11_DH()))
++ return (0);
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: registered DH\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ }
++#endif /* OPENSSL_NO_DH */
++ if (pk11_have_random)
++ {
++ if (!ENGINE_set_RAND(e, &pk11_random))
++ return (0);
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: registered random\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ }
++ if (!ENGINE_set_init_function(e, pk11_init) ||
++ !ENGINE_set_destroy_function(e, pk11_destroy) ||
++ !ENGINE_set_finish_function(e, pk11_finish) ||
++ !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
++ !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
++ return (0);
++
++/*
++ * Apache calls OpenSSL function RSA_blinding_on() once during startup
++ * which in turn calls bn_mod_exp. Since we do not implement bn_mod_exp
++ * here, we wire it back to the OpenSSL software implementation.
++ * Since it is used only once, performance is not a concern.
++ */
++#ifndef OPENSSL_NO_RSA
++ rsa = RSA_PKCS1_SSLeay();
++ pk11_rsa->rsa_mod_exp = rsa->rsa_mod_exp;
++ pk11_rsa->bn_mod_exp = rsa->bn_mod_exp;
++ if (pk11_have_recover != CK_TRUE)
++ pk11_rsa->rsa_pub_dec = rsa->rsa_pub_dec;
++#endif /* OPENSSL_NO_RSA */
++
++ /* Ensure the pk11 error handling is set up */
++ ERR_load_pk11_strings();
++
++ return (1);
++ }
++
++/* Dynamic engine support is disabled at a higher level for Solaris */
++#ifdef ENGINE_DYNAMIC_SUPPORT
++#error "dynamic engine not supported"
++static int bind_helper(ENGINE *e, const char *id)
++ {
++ if (id && (strcmp(id, engine_pk11_id) != 0))
++ return (0);
++
++ if (!bind_pk11(e))
++ return (0);
++
++ return (1);
++ }
++
++IMPLEMENT_DYNAMIC_CHECK_FN()
++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
++
++#else
++static ENGINE *engine_pk11(void)
++ {
++ ENGINE *ret = ENGINE_new();
++
++ if (!ret)
++ return (NULL);
++
++ if (!bind_pk11(ret))
++ {
++ ENGINE_free(ret);
++ return (NULL);
++ }
++
++ return (ret);
++ }
++
++void
++ENGINE_load_pk11(void)
++ {
++ ENGINE *e_pk11 = NULL;
++
++ /*
++ * Do not use dynamic PKCS#11 library on Solaris due to
++ * security reasons. We will link it in statically.
++ */
++ /* Attempt to load PKCS#11 library */
++ if (!pk11_dso)
++ pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
++
++ if (pk11_dso == NULL)
++ {
++ PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
++ return;
++ }
++
++ e_pk11 = engine_pk11();
++ if (!e_pk11)
++ {
++ DSO_free(pk11_dso);
++ pk11_dso = NULL;
++ return;
++ }
++
++ /*
++ * At this point, the pk11 shared library is either dynamically
++ * loaded or statically linked in. So, initialize the pk11
++ * library before calling ENGINE_set_default since the latter
++ * needs cipher and digest algorithm information
++ */
++ if (!pk11_library_init(e_pk11))
++ {
++ DSO_free(pk11_dso);
++ pk11_dso = NULL;
++ ENGINE_free(e_pk11);
++ return;
++ }
++
++ ENGINE_add(e_pk11);
++
++ ENGINE_free(e_pk11);
++ ERR_clear_error();
++ }
++#endif /* ENGINE_DYNAMIC_SUPPORT */
++
++/*
++ * These are the static string constants for the DSO file name and
++ * the function symbol names to bind to.
++ */
++static const char *PK11_LIBNAME = NULL;
++
++static const char *get_PK11_LIBNAME(void)
++ {
++ if (PK11_LIBNAME)
++ return (PK11_LIBNAME);
++
++ return (def_PK11_LIBNAME);
++ }
++
++static void free_PK11_LIBNAME(void)
++ {
++ if (PK11_LIBNAME)
++ OPENSSL_free((void*)PK11_LIBNAME);
++
++ PK11_LIBNAME = NULL;
++ }
++
++static long set_PK11_LIBNAME(const char *name)
++ {
++ free_PK11_LIBNAME();
++
++ return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
++ }
++
++/* acquire all engine specific mutexes before fork */
++static void pk11_fork_prepare(void)
++ {
++#ifndef NOPTHREADS
++ int i;
++
++ if (!pk11_library_initialized)
++ return;
++
++ LOCK_OBJSTORE(OP_RSA);
++ LOCK_OBJSTORE(OP_DSA);
++ LOCK_OBJSTORE(OP_DH);
++ for (i = 0; i < OP_MAX; i++)
++ {
++ (void) pthread_mutex_lock(session_cache[i].lock);
++ }
++#endif
++ }
++
++/* release all engine specific mutexes */
++static void pk11_fork_parent(void)
++ {
++#ifndef NOPTHREADS
++ int i;
++
++ if (!pk11_library_initialized)
++ return;
++
++ for (i = OP_MAX - 1; i >= 0; i--)
++ {
++ (void) pthread_mutex_unlock(session_cache[i].lock);
++ }
++ UNLOCK_OBJSTORE(OP_DH);
++ UNLOCK_OBJSTORE(OP_DSA);
++ UNLOCK_OBJSTORE(OP_RSA);
++#endif
++ }
++
++/*
++ * same situation as in parent - we need to unlock all locks to make them
++ * accessible to all threads.
++ */
++static void pk11_fork_child(void)
++ {
++#ifndef NOPTHREADS
++ int i;
++
++ if (!pk11_library_initialized)
++ return;
++
++ for (i = OP_MAX - 1; i >= 0; i--)
++ {
++ (void) pthread_mutex_unlock(session_cache[i].lock);
++ }
++ UNLOCK_OBJSTORE(OP_DH);
++ UNLOCK_OBJSTORE(OP_DSA);
++ UNLOCK_OBJSTORE(OP_RSA);
++#endif
++ }
++
++/* Initialization function for the pk11 engine */
++static int pk11_init(ENGINE *e)
++{
++ return (pk11_library_init(e));
++}
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * It selects a slot based on predefined critiera. In the process, it also
++ * count how many ciphers and digests to support. Since the cipher and
++ * digest information is needed when setting default engine, this function
++ * needs to be called before calling ENGINE_set_default.
++ */
++/* ARGSUSED */
++static int pk11_library_init(ENGINE *e)
++ {
++ CK_C_GetFunctionList p;
++ CK_RV rv = CKR_OK;
++ CK_INFO info;
++ CK_ULONG ul_state_len;
++ int any_slot_found;
++ int i;
++#ifndef OPENSSL_SYS_WIN32
++ struct sigaction sigint_act, sigterm_act, sighup_act;
++#endif
++
++ /*
++ * pk11_library_initialized is set to 0 in pk11_finish() which is called
++ * from ENGINE_finish(). However, if there is still at least one
++ * existing functional reference to the engine (see engine(3) for more
++ * information), pk11_finish() is skipped. For example, this can happen
++ * if an application forgets to clear one cipher context. In case of a
++ * fork() when the application is finishing the engine so that it can be
++ * reinitialized in the child, forgotten functional reference causes
++ * pk11_library_initialized to stay 1. In that case we need the PID
++ * check so that we properly initialize the engine again.
++ */
++ if (pk11_library_initialized)
++ {
++ if (pk11_pid == getpid())
++ {
++ return (1);
++ }
++ else
++ {
++ global_session = CK_INVALID_HANDLE;
++ /*
++ * free the locks first to prevent memory leak in case
++ * the application calls fork() without finishing the
++ * engine first.
++ */
++ pk11_free_all_locks();
++ }
++ }
++
++ if (pk11_dso == NULL)
++ {
++ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++#ifdef SOLARIS_AES_CTR
++ /*
++ * We must do this before we start working with slots since we need all
++ * NIDs there.
++ */
++ if (pk11_add_aes_ctr_NIDs() == 0)
++ goto err;
++#endif /* SOLARIS_AES_CTR */
++
++#ifdef SOLARIS_HW_SLOT_SELECTION
++ if (check_hw_mechanisms() == 0)
++ goto err;
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++
++ /* get the C_GetFunctionList function from the loaded library */
++ p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
++ PK11_GET_FUNCTION_LIST);
++ if (!p)
++ {
++ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++ /* get the full function list from the loaded library */
++ rv = p(&pFuncList);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
++ goto err;
++ }
++
++#ifndef OPENSSL_SYS_WIN32
++ /* Not all PKCS#11 library are signal safe! */
++
++ (void) memset(&sigint_act, 0, sizeof(sigint_act));
++ (void) memset(&sigterm_act, 0, sizeof(sigterm_act));
++ (void) memset(&sighup_act, 0, sizeof(sighup_act));
++ (void) sigaction(SIGINT, NULL, &sigint_act);
++ (void) sigaction(SIGTERM, NULL, &sigterm_act);
++ (void) sigaction(SIGHUP, NULL, &sighup_act);
++#endif
++ rv = pFuncList->C_Initialize(NULL_PTR);
++#ifndef OPENSSL_SYS_WIN32
++ (void) sigaction(SIGINT, &sigint_act, NULL);
++ (void) sigaction(SIGTERM, &sigterm_act, NULL);
++ (void) sigaction(SIGHUP, &sighup_act, NULL);
++#endif
++ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_GetInfo(&info);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
++ goto err;
++ }
++
++ if (pk11_choose_slots(&any_slot_found) == 0)
++ goto err;
++
++ /*
++ * The library we use, set in def_PK11_LIBNAME, may not offer any
++ * slot(s). In that case, we must not proceed but we must not return an
++ * error. The reason is that applications that try to set up the PKCS#11
++ * engine don't exit on error during the engine initialization just
++ * because no slot was present.
++ */
++ if (any_slot_found == 0)
++ return (1);
++
++ if (global_session == CK_INVALID_HANDLE)
++ {
++ /* Open the global_session for the new process */
++ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &global_session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT,
++ PK11_R_OPENSESSION, rv);
++ goto err;
++ }
++ }
++
++ /*
++ * Disable digest if C_GetOperationState is not supported since
++ * this function is required by OpenSSL digest copy function
++ */
++ /* Keyper fails to return CKR_FUNCTION_NOT_SUPPORTED */
++ if (pFuncList->C_GetOperationState(global_session, NULL, &ul_state_len)
++ != CKR_OK) {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: C_GetOperationState() not supported, "
++ "setting digest_count to 0\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ digest_count = 0;
++ }
++
++ pk11_library_initialized = TRUE;
++ pk11_pid = getpid();
++ /*
++ * if initialization of the locks fails pk11_init_all_locks()
++ * will do the cleanup.
++ */
++ if (!pk11_init_all_locks())
++ goto err;
++ for (i = 0; i < OP_MAX; i++)
++ session_cache[i].head = NULL;
++ /*
++ * initialize active lists. We only use active lists
++ * for asymmetric ciphers.
++ */
++ for (i = 0; i < OP_MAX; i++)
++ active_list[i] = NULL;
++
++#ifndef NOPTHREADS
++ if (!pk11_atfork_initialized)
++ {
++ if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
++ pk11_fork_child) != 0)
++ {
++ PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
++ goto err;
++ }
++ pk11_atfork_initialized = TRUE;
++ }
++#endif
++
++ return (1);
++
++err:
++ return (0);
++ }
++
++/* Destructor (complements the "ENGINE_pk11()" constructor) */
++/* ARGSUSED */
++static int pk11_destroy(ENGINE *e)
++ {
++ free_PK11_LIBNAME();
++ ERR_unload_pk11_strings();
++ if (pk11_pin) {
++ memset(pk11_pin, 0, strlen(pk11_pin));
++ OPENSSL_free((void*)pk11_pin);
++ }
++ pk11_pin = NULL;
++ return (1);
++ }
++
++/*
++ * Termination function to clean up the session, the token, and the pk11
++ * library.
++ */
++/* ARGSUSED */
++static int pk11_finish(ENGINE *e)
++ {
++ int i;
++
++ if (pk11_pin) {
++ memset(pk11_pin, 0, strlen(pk11_pin));
++ OPENSSL_free((void*)pk11_pin);
++ }
++ pk11_pin = NULL;
++
++ if (pk11_dso == NULL)
++ {
++ PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
++ goto err;
++ }
++
++ OPENSSL_assert(pFuncList != NULL);
++
++ if (pk11_free_all_sessions() == 0)
++ goto err;
++
++ /* free all active lists */
++ for (i = 0; i < OP_MAX; i++)
++ pk11_free_active_list(i);
++
++ pFuncList->C_CloseSession(global_session);
++ global_session = CK_INVALID_HANDLE;
++
++ /*
++ * Since we are part of a library (libcrypto.so), calling this function
++ * may have side-effects.
++ */
++#if 0
++ pFuncList->C_Finalize(NULL);
++#endif
++
++ if (!DSO_free(pk11_dso))
++ {
++ PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++ pk11_dso = NULL;
++ pFuncList = NULL;
++ pk11_library_initialized = FALSE;
++ pk11_pid = 0;
++ /*
++ * There is no way how to unregister atfork handlers (other than
++ * unloading the library) so we just free the locks. For this reason
++ * the atfork handlers check if the engine is initialized and bail out
++ * immediately if not. This is necessary in case a process finishes
++ * the engine before calling fork().
++ */
++ pk11_free_all_locks();
++
++ return (1);
++
++err:
++ return (0);
++ }
++
++/* Standard engine interface function to set the dynamic library path */
++/* ARGSUSED */
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
++ {
++ int initialized = ((pk11_dso == NULL) ? 0 : 1);
++
++ switch (cmd)
++ {
++ case PK11_CMD_SO_PATH:
++ if (p == NULL)
++ {
++ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++ return (0);
++ }
++
++ if (initialized)
++ {
++ PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
++ return (0);
++ }
++
++ return (set_PK11_LIBNAME((const char *)p));
++ case PK11_CMD_PIN:
++ if (pk11_pin) {
++ memset(pk11_pin, 0, strlen(pk11_pin));
++ OPENSSL_free((void*)pk11_pin);
++ }
++ pk11_pin = NULL;
++
++ if (p == NULL)
++ {
++ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++ return (0);
++ }
++
++ pk11_pin = BUF_strdup(p);
++ if (pk11_pin == NULL)
++ {
++ PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
++ return (0);
++ }
++ return (1);
++ case PK11_CMD_SLOT:
++ SLOTID = (CK_SLOT_ID)i;
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: slot set\n", PK11_DBG);
++#endif
++ return (1);
++ default:
++ break;
++ }
++
++ PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
++
++ return (0);
++ }
++
++
++/* Required function by the engine random interface. It does nothing here */
++static void pk11_rand_cleanup(void)
++ {
++ return;
++ }
++
++/* ARGSUSED */
++static void pk11_rand_add(const void *buf, int num, double add)
++ {
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RAND)) == NULL)
++ return;
++
++ /*
++ * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
++ * the calling functions do not care anyway
++ */
++ pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
++ pk11_return_session(sp, OP_RAND);
++
++ return;
++ }
++
++static void pk11_rand_seed(const void *buf, int num)
++ {
++ pk11_rand_add(buf, num, 0);
++ }
++
++static int pk11_rand_bytes(unsigned char *buf, int num)
++ {
++ CK_RV rv;
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RAND)) == NULL)
++ return (0);
++
++ rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
++ pk11_return_session(sp, OP_RAND);
++ return (0);
++ }
++
++ pk11_return_session(sp, OP_RAND);
++ return (1);
++ }
++
++/* Required function by the engine random interface. It does nothing here */
++static int pk11_rand_status(void)
++ {
++ return (1);
++ }
++
++/* Free all BIGNUM structures from PK11_SESSION. */
++static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
++ {
++ switch (optype)
++ {
++#ifndef OPENSSL_NO_RSA
++ case OP_RSA:
++ if (sp->opdata_rsa_n_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_n_num);
++ sp->opdata_rsa_n_num = NULL;
++ }
++ if (sp->opdata_rsa_e_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_e_num);
++ sp->opdata_rsa_e_num = NULL;
++ }
++ if (sp->opdata_rsa_d_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_d_num);
++ sp->opdata_rsa_d_num = NULL;
++ }
++ break;
++#endif
++#ifndef OPENSSL_NO_DSA
++ case OP_DSA:
++ if (sp->opdata_dsa_pub_num != NULL)
++ {
++ BN_free(sp->opdata_dsa_pub_num);
++ sp->opdata_dsa_pub_num = NULL;
++ }
++ if (sp->opdata_dsa_priv_num != NULL)
++ {
++ BN_free(sp->opdata_dsa_priv_num);
++ sp->opdata_dsa_priv_num = NULL;
++ }
++ break;
++#endif
++#ifndef OPENSSL_NO_DH
++ case OP_DH:
++ if (sp->opdata_dh_priv_num != NULL)
++ {
++ BN_free(sp->opdata_dh_priv_num);
++ sp->opdata_dh_priv_num = NULL;
++ }
++ break;
++#endif
++ default:
++ break;
++ }
++ }
++
++/*
++ * Get new PK11_SESSION structure ready for use. Every process must have
++ * its own freelist of PK11_SESSION structures so handle fork() here
++ * by destroying the old and creating new freelist.
++ * The returned PK11_SESSION structure is disconnected from the freelist.
++ */
++PK11_SESSION *
++pk11_get_session(PK11_OPTYPE optype)
++ {
++ PK11_SESSION *sp = NULL, *sp1, *freelist;
++#ifndef NOPTHREADS
++ pthread_mutex_t *freelist_lock = NULL;
++#endif
++ CK_RV rv;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ case OP_RAND:
++ case OP_DIGEST:
++ case OP_CIPHER:
++#ifndef NOPTHREADS
++ freelist_lock = session_cache[optype].lock;
++#endif
++ break;
++ default:
++ PK11err(PK11_F_GET_SESSION,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return (NULL);
++ }
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(freelist_lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ freelist = session_cache[optype].head;
++ sp = freelist;
++
++ /*
++ * If the free list is empty, allocate new unitialized (filled
++ * with zeroes) PK11_SESSION structure otherwise return first
++ * structure from the freelist.
++ */
++ if (sp == NULL)
++ {
++ if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
++ {
++ PK11err(PK11_F_GET_SESSION,
++ PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ (void) memset(sp, 0, sizeof (PK11_SESSION));
++ }
++ else
++ {
++ freelist = sp->next;
++ }
++
++ if (sp->pid != 0 && sp->pid != getpid())
++ {
++ /*
++ * We are a new process and thus need to free any inherited
++ * PK11_SESSION objects.
++ */
++ while ((sp1 = freelist) != NULL)
++ {
++ freelist = sp1->next;
++ /*
++ * NOTE: we do not want to call pk11_free_all_sessions()
++ * here because it would close underlying PKCS#11
++ * sessions and destroy all objects.
++ */
++ pk11_free_nums(sp1, optype);
++ OPENSSL_free(sp1);
++ }
++
++ /* we have to free the active list as well. */
++ pk11_free_active_list(optype);
++
++ /* Initialize the process */
++ rv = pFuncList->C_Initialize(NULL_PTR);
++ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++ {
++ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
++ rv);
++ OPENSSL_free(sp);
++ sp = NULL;
++ goto err;
++ }
++
++ /*
++ * Choose slot here since the slot table is different on this
++ * process. If we are here then we must have found at least one
++ * usable slot before so we don't need to check any_slot_found.
++ * See pk11_library_init()'s usage of this function for more
++ * information.
++ */
++#ifdef SOLARIS_HW_SLOT_SELECTION
++ if (check_hw_mechanisms() == 0)
++ goto err;
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++ if (pk11_choose_slots(NULL) == 0)
++ goto err;
++
++ /* Open the global_session for the new process */
++ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &global_session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
++ rv);
++ OPENSSL_free(sp);
++ sp = NULL;
++ goto err;
++ }
++
++ /* It is an inherited session and needs re-initialization. */
++ if (pk11_setup_session(sp, optype) == 0)
++ {
++ OPENSSL_free(sp);
++ sp = NULL;
++ }
++ }
++ if (sp->pid == 0)
++ {
++ /* It is a new session and needs initialization. */
++ if (pk11_setup_session(sp, optype) == 0)
++ {
++ OPENSSL_free(sp);
++ sp = NULL;
++ }
++ }
++
++ /* set new head for the list of PK11_SESSION objects */
++ session_cache[optype].head = freelist;
++
++err:
++ if (sp != NULL)
++ sp->next = NULL;
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_unlock(freelist_lock);
++#else
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (sp);
++ }
++
++
++void
++pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++ {
++#ifndef NOPTHREADS
++ pthread_mutex_t *freelist_lock;
++#endif
++ PK11_SESSION *freelist;
++
++ if (sp == NULL || sp->pid != getpid())
++ return;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ case OP_RAND:
++ case OP_DIGEST:
++ case OP_CIPHER:
++#ifndef NOPTHREADS
++ freelist_lock = session_cache[optype].lock;
++#endif
++ break;
++ default:
++ PK11err(PK11_F_RETURN_SESSION,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return;
++ }
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(freelist_lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ freelist = session_cache[optype].head;
++ sp->next = freelist;
++ session_cache[optype].head = sp;
++#ifndef NOPTHREADS
++ (void) pthread_mutex_unlock(freelist_lock);
++#else
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ }
++
++
++/* Destroy all objects. This function is called when the engine is finished */
++static int pk11_free_all_sessions()
++ {
++ int ret = 1;
++ int type;
++
++#ifndef OPENSSL_NO_RSA
++ (void) pk11_destroy_rsa_key_objects(NULL);
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++ (void) pk11_destroy_dsa_key_objects(NULL);
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++ (void) pk11_destroy_dh_key_objects(NULL);
++#endif /* OPENSSL_NO_DH */
++ (void) pk11_destroy_cipher_key_objects(NULL);
++
++ /*
++ * We try to release as much as we can but any error means that we will
++ * return 0 on exit.
++ */
++ for (type = 0; type < OP_MAX; type++)
++ {
++ if (pk11_free_session_list(type) == 0)
++ ret = 0;
++ }
++
++ return (ret);
++ }
++
++/*
++ * Destroy session structures from the linked list specified. Free as many
++ * sessions as possible but any failure in C_CloseSession() means that we
++ * return an error on return.
++ */
++static int pk11_free_session_list(PK11_OPTYPE optype)
++ {
++ CK_RV rv;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *freelist = NULL;
++ pid_t mypid = getpid();
++#ifndef NOPTHREADS
++ pthread_mutex_t *freelist_lock;
++#endif
++ int ret = 1;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ case OP_RAND:
++ case OP_DIGEST:
++ case OP_CIPHER:
++#ifndef NOPTHREADS
++ freelist_lock = session_cache[optype].lock;
++#endif
++ break;
++ default:
++ PK11err(PK11_F_FREE_ALL_SESSIONS,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return (0);
++ }
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(freelist_lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ freelist = session_cache[optype].head;
++ while ((sp = freelist) != NULL)
++ {
++ if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
++ {
++ rv = pFuncList->C_CloseSession(sp->session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
++ PK11_R_CLOSESESSION, rv);
++ ret = 0;
++ }
++ }
++ freelist = sp->next;
++ pk11_free_nums(sp, optype);
++ OPENSSL_free(sp);
++ }
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_unlock(freelist_lock);
++#else
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ return (ret);
++ }
++
++
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++ {
++ CK_RV rv;
++ CK_SLOT_ID myslot;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ myslot = pubkey_SLOTID;
++ break;
++ case OP_RAND:
++ myslot = rand_SLOTID;
++ break;
++ case OP_DIGEST:
++ case OP_CIPHER:
++ myslot = SLOTID;
++ break;
++ default:
++ PK11err(PK11_F_SETUP_SESSION,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return (0);
++ }
++
++ sp->session = CK_INVALID_HANDLE;
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
++#endif /* DEBUG_SLOT_SELECTION */
++ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &sp->session);
++ if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
++ {
++ /*
++ * We are probably a child process so force the
++ * reinitialize of the session
++ */
++ pk11_library_initialized = FALSE;
++ if (!pk11_library_init(NULL))
++ return (0);
++ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &sp->session);
++ }
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
++ return (0);
++ }
++
++ sp->pid = getpid();
++
++ switch (optype)
++ {
++#ifndef OPENSSL_NO_RSA
++ case OP_RSA:
++ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_pub = NULL;
++ sp->opdata_rsa_n_num = NULL;
++ sp->opdata_rsa_e_num = NULL;
++ sp->opdata_rsa_priv = NULL;
++ sp->opdata_rsa_d_num = NULL;
++ break;
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++ case OP_DSA:
++ sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
++ sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
++ sp->opdata_dsa_pub = NULL;
++ sp->opdata_dsa_pub_num = NULL;
++ sp->opdata_dsa_priv = NULL;
++ sp->opdata_dsa_priv_num = NULL;
++ break;
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++ case OP_DH:
++ sp->opdata_dh_key = CK_INVALID_HANDLE;
++ sp->opdata_dh = NULL;
++ sp->opdata_dh_priv_num = NULL;
++ break;
++#endif /* OPENSSL_NO_DH */
++ case OP_CIPHER:
++ sp->opdata_cipher_key = CK_INVALID_HANDLE;
++ sp->opdata_encrypt = -1;
++ break;
++ default:
++ break;
++ }
++
++ return (1);
++ }
++
++#ifndef OPENSSL_NO_RSA
++/* Destroy RSA public key from single session. */
++int
++pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
++ {
++ TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
++ ret, uselock, OP_RSA);
++ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_pub = NULL;
++ if (sp->opdata_rsa_n_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_n_num);
++ sp->opdata_rsa_n_num = NULL;
++ }
++ if (sp->opdata_rsa_e_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_e_num);
++ sp->opdata_rsa_e_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/* Destroy RSA private key from single session. */
++int
++pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
++ {
++ if ((sp->opdata_rsa_priv->flags & RSA_FLAG_EXT_PKEY) != 0)
++ {
++ TRY_OBJ_DELETE(sp->session,
++ sp->opdata_rsa_priv_key,
++ ret, uselock, OP_RSA);
++ }
++ else
++ {
++ TRY_OBJ_DESTROY(sp->session,
++ sp->opdata_rsa_priv_key,
++ ret, uselock, OP_RSA);
++ }
++ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_priv = NULL;
++ if (sp->opdata_rsa_d_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_d_num);
++ sp->opdata_rsa_d_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/*
++ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_rsa_key_objects(PK11_SESSION *session)
++ {
++ int ret = 1;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *local_free_session;
++ CK_BBOOL uselock = TRUE;
++
++ if (session != NULL)
++ local_free_session = session;
++ else
++ {
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ local_free_session = session_cache[OP_RSA].head;
++ uselock = FALSE;
++ }
++
++ /*
++ * go through the list of sessions and delete key objects
++ */
++ while ((sp = local_free_session) != NULL)
++ {
++ local_free_session = sp->next;
++
++ /*
++ * Do not terminate list traversal if one of the
++ * destroy operations fails.
++ */
++ if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ }
++
++#ifndef NOPTHREADS
++ if (session == NULL)
++ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++#else
++ if (session == NULL)
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (ret);
++ }
++#endif /* OPENSSL_NO_RSA */
++
++#ifndef OPENSSL_NO_DSA
++/* Destroy DSA public key from single session. */
++int
++pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_dsa_pub_key != CK_INVALID_HANDLE)
++ {
++ TRY_OBJ_DESTROY(sp->session, sp->opdata_dsa_pub_key,
++ ret, uselock, OP_DSA);
++ sp->opdata_dsa_pub_key = CK_INVALID_HANDLE;
++ sp->opdata_dsa_pub = NULL;
++ if (sp->opdata_dsa_pub_num != NULL)
++ {
++ BN_free(sp->opdata_dsa_pub_num);
++ sp->opdata_dsa_pub_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/* Destroy DSA private key from single session. */
++int
++pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_dsa_priv_key != CK_INVALID_HANDLE)
++ {
++ TRY_OBJ_DESTROY(sp->session, sp->opdata_dsa_priv_key,
++ ret, uselock, OP_DSA);
++ sp->opdata_dsa_priv_key = CK_INVALID_HANDLE;
++ sp->opdata_dsa_priv = NULL;
++ if (sp->opdata_dsa_priv_num != NULL)
++ {
++ BN_free(sp->opdata_dsa_priv_num);
++ sp->opdata_dsa_priv_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/*
++ * Destroy DSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_dsa_key_objects(PK11_SESSION *session)
++ {
++ int ret = 1;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *local_free_session;
++ CK_BBOOL uselock = TRUE;
++
++ if (session != NULL)
++ local_free_session = session;
++ else
++ {
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(session_cache[OP_DSA].lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ local_free_session = session_cache[OP_DSA].head;
++ uselock = FALSE;
++ }
++
++ /*
++ * go through the list of sessions and delete key objects
++ */
++ while ((sp = local_free_session) != NULL)
++ {
++ local_free_session = sp->next;
++
++ /*
++ * Do not terminate list traversal if one of the
++ * destroy operations fails.
++ */
++ if (pk11_destroy_dsa_object_pub(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ if (pk11_destroy_dsa_object_priv(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ }
++
++#ifndef NOPTHREADS
++ if (session == NULL)
++ (void) pthread_mutex_unlock(session_cache[OP_DSA].lock);
++#else
++ if (session == NULL)
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (ret);
++ }
++#endif /* OPENSSL_NO_DSA */
++
++#ifndef OPENSSL_NO_DH
++/* Destroy DH key from single session. */
++int
++pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_dh_key != CK_INVALID_HANDLE)
++ {
++ TRY_OBJ_DESTROY(sp->session, sp->opdata_dh_key,
++ ret, uselock, OP_DH);
++ sp->opdata_dh_key = CK_INVALID_HANDLE;
++ sp->opdata_dh = NULL;
++ if (sp->opdata_dh_priv_num != NULL)
++ {
++ BN_free(sp->opdata_dh_priv_num);
++ sp->opdata_dh_priv_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/*
++ * Destroy DH key object wrapper.
++ *
++ * arg0: pointer to PKCS#11 engine session structure
++ * if session is NULL, try to destroy all objects in the free list
++ */
++int
++pk11_destroy_dh_key_objects(PK11_SESSION *session)
++ {
++ int ret = 1;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *local_free_session;
++ CK_BBOOL uselock = TRUE;
++
++ if (session != NULL)
++ local_free_session = session;
++ else
++ {
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(session_cache[OP_DH].lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ local_free_session = session_cache[OP_DH].head;
++ uselock = FALSE;
++ }
++
++ while ((sp = local_free_session) != NULL)
++ {
++ local_free_session = sp->next;
++
++ /*
++ * Do not terminate list traversal if one of the
++ * destroy operations fails.
++ */
++ if (pk11_destroy_dh_object(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ }
++
++#ifndef NOPTHREADS
++ if (session == NULL)
++ (void) pthread_mutex_unlock(session_cache[OP_DH].lock);
++#else
++ if (session == NULL)
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (ret);
++ }
++#endif /* OPENSSL_NO_DH */
++
++static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
++ {
++ CK_RV rv;
++ rv = pFuncList->C_DestroyObject(session, oh);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
++ rv);
++ return (0);
++ }
++
++ return (1);
++ }
++
++
++/* Symmetric ciphers and digests support functions */
++
++static int
++cipher_nid_to_pk11(int nid)
++ {
++ int i;
++
++ for (i = 0; i < PK11_CIPHER_MAX; i++)
++ if (ciphers[i].nid == nid)
++ return (ciphers[i].id);
++ return (-1);
++ }
++
++static int
++pk11_usable_ciphers(const int **nids)
++ {
++ if (cipher_count > 0)
++ *nids = cipher_nids;
++ else
++ *nids = NULL;
++ return (cipher_count);
++ }
++
++static int
++pk11_usable_digests(const int **nids)
++ {
++ if (digest_count > 0)
++ *nids = digest_nids;
++ else
++ *nids = NULL;
++ return (digest_count);
++ }
++
++/*
++ * Init context for encryption or decryption using a symmetric key.
++ */
++static int pk11_init_symmetric(EVP_CIPHER_CTX *ctx, PK11_CIPHER *pcipher,
++ PK11_SESSION *sp, CK_MECHANISM_PTR pmech)
++ {
++ CK_RV rv;
++#ifdef SOLARIS_AES_CTR
++ CK_AES_CTR_PARAMS ctr_params;
++#endif /* SOLARIS_AES_CTR */
++
++ /*
++ * We expect pmech->mechanism to be already set and
++ * pParameter/ulParameterLen initialized to NULL/0 before
++ * pk11_init_symetric() is called.
++ */
++ OPENSSL_assert(pmech->mechanism != 0);
++ OPENSSL_assert(pmech->pParameter == NULL);
++ OPENSSL_assert(pmech->ulParameterLen == 0);
++
++#ifdef SOLARIS_AES_CTR
++ if (ctx->cipher->nid == NID_aes_128_ctr ||
++ ctx->cipher->nid == NID_aes_192_ctr ||
++ ctx->cipher->nid == NID_aes_256_ctr)
++ {
++ pmech->pParameter = (void *)(&ctr_params);
++ pmech->ulParameterLen = sizeof (ctr_params);
++ /*
++ * For now, we are limited to the fixed length of the counter,
++ * it covers the whole counter block. That's what RFC 4344
++ * needs. For more information on internal structure of the
++ * counter block, see RFC 3686. If needed in the future, we can
++ * add code so that the counter length can be set via
++ * ENGINE_ctrl() function.
++ */
++ ctr_params.ulCounterBits = AES_BLOCK_SIZE * 8;
++ OPENSSL_assert(pcipher->iv_len == AES_BLOCK_SIZE);
++ (void) memcpy(ctr_params.cb, ctx->iv, AES_BLOCK_SIZE);
++ }
++ else
++#endif /* SOLARIS_AES_CTR */
++ {
++ if (pcipher->iv_len > 0)
++ {
++ pmech->pParameter = (void *)ctx->iv;
++ pmech->ulParameterLen = pcipher->iv_len;
++ }
++ }
++
++ /* if we get here, the encryption needs to be reinitialized */
++ if (ctx->encrypt)
++ rv = pFuncList->C_EncryptInit(sp->session, pmech,
++ sp->opdata_cipher_key);
++ else
++ rv = pFuncList->C_DecryptInit(sp->session, pmech,
++ sp->opdata_cipher_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CIPHER_INIT, ctx->encrypt ?
++ PK11_R_ENCRYPTINIT : PK11_R_DECRYPTINIT, rv);
++ pk11_return_session(sp, OP_CIPHER);
++ return (0);
++ }
++
++ return (1);
++ }
++
++/* ARGSUSED */
++static int
++pk11_cipher_init(EVP_CIPHER_CTX *ctx, const unsigned char *key,
++ const unsigned char *iv, int enc)
++ {
++ CK_MECHANISM mech;
++ int index;
++ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
++ PK11_SESSION *sp;
++ PK11_CIPHER *p_ciph_table_row;
++
++ state->sp = NULL;
++
++ index = cipher_nid_to_pk11(ctx->cipher->nid);
++ if (index < 0 || index >= PK11_CIPHER_MAX)
++ return (0);
++
++ p_ciph_table_row = &ciphers[index];
++ /*
++ * iv_len in the ctx->cipher structure is the maximum IV length for the
++ * current cipher and it must be less or equal to the IV length in our
++ * ciphers table. The key length must be in the allowed interval. From
++ * all cipher modes that the PKCS#11 engine supports only RC4 allows a
++ * key length to be in some range, all other NIDs have a precise key
++ * length. Every application can define its own EVP functions so this
++ * code serves as a sanity check.
++ *
++ * Note that the reason why the IV length in ctx->cipher might be
++ * greater than the actual length is that OpenSSL uses BLOCK_CIPHER_defs
++ * macro to define functions that return EVP structures for all DES
++ * modes. So, even ECB modes get 8 byte IV.
++ */
++ if (ctx->cipher->iv_len < p_ciph_table_row->iv_len ||
++ ctx->key_len < p_ciph_table_row->min_key_len ||
++ ctx->key_len > p_ciph_table_row->max_key_len) {
++ PK11err(PK11_F_CIPHER_INIT, PK11_R_KEY_OR_IV_LEN_PROBLEM);
++ return (0);
++ }
++
++ if ((sp = pk11_get_session(OP_CIPHER)) == NULL)
++ return (0);
++
++ /* if applicable, the mechanism parameter is used for IV */
++ mech.mechanism = p_ciph_table_row->mech_type;
++ mech.pParameter = NULL;
++ mech.ulParameterLen = 0;
++
++ /* The key object is destroyed here if it is not the current key. */
++ (void) check_new_cipher_key(sp, key, ctx->key_len);
++
++ /*
++ * If the key is the same and the encryption is also the same, then
++ * just reuse it. However, we must not forget to reinitialize the
++ * context that was finalized in pk11_cipher_cleanup().
++ */
++ if (sp->opdata_cipher_key != CK_INVALID_HANDLE &&
++ sp->opdata_encrypt == ctx->encrypt)
++ {
++ state->sp = sp;
++ if (pk11_init_symmetric(ctx, p_ciph_table_row, sp, &mech) == 0)
++ return (0);
++
++ return (1);
++ }
++
++ /*
++ * Check if the key has been invalidated. If so, a new key object
++ * needs to be created.
++ */
++ if (sp->opdata_cipher_key == CK_INVALID_HANDLE)
++ {
++ sp->opdata_cipher_key = pk11_get_cipher_key(
++ ctx, key, p_ciph_table_row->key_type, sp);
++ }
++
++ if (sp->opdata_encrypt != ctx->encrypt && sp->opdata_encrypt != -1)
++ {
++ /*
++ * The previous encryption/decryption is different. Need to
++ * terminate the previous * active encryption/decryption here.
++ */
++ if (!pk11_cipher_final(sp))
++ {
++ pk11_return_session(sp, OP_CIPHER);
++ return (0);
++ }
++ }
++
++ if (sp->opdata_cipher_key == CK_INVALID_HANDLE)
++ {
++ pk11_return_session(sp, OP_CIPHER);
++ return (0);
++ }
++
++ /* now initialize the context with a new key */
++ if (pk11_init_symmetric(ctx, p_ciph_table_row, sp, &mech) == 0)
++ return (0);
++
++ sp->opdata_encrypt = ctx->encrypt;
++ state->sp = sp;
++
++ return (1);
++ }
++
++/*
++ * When reusing the same key in an encryption/decryption session for a
++ * decryption/encryption session, we need to close the active session
++ * and recreate a new one. Note that the key is in the global session so
++ * that it needs not be recreated.
++ *
++ * It is more appropriate to use C_En/DecryptFinish here. At the time of this
++ * development, these two functions in the PKCS#11 libraries used return
++ * unexpected errors when passing in 0 length output. It may be a good
++ * idea to try them again if performance is a problem here and fix
++ * C_En/DecryptFinial if there are bugs there causing the problem.
++ */
++static int
++pk11_cipher_final(PK11_SESSION *sp)
++ {
++ CK_RV rv;
++
++ rv = pFuncList->C_CloseSession(sp->session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CIPHER_FINAL, PK11_R_CLOSESESSION, rv);
++ return (0);
++ }
++
++ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &sp->session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CIPHER_FINAL, PK11_R_OPENSESSION, rv);
++ return (0);
++ }
++
++ return (1);
++ }
++
++/*
++ * An engine interface function. The calling function allocates sufficient
++ * memory for the output buffer "out" to hold the results.
++ */
++static int
++pk11_cipher_do_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
++ const unsigned char *in, unsigned int inl)
++ {
++ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->cipher_data;
++ PK11_SESSION *sp;
++ CK_RV rv;
++ unsigned long outl = inl;
++
++ if (state == NULL || state->sp == NULL)
++ return (0);
++
++ sp = (PK11_SESSION *) state->sp;
++
++ if (!inl)
++ return (1);
++
++ /* RC4 is the only stream cipher we support */
++ if (ctx->cipher->nid != NID_rc4 && (inl % ctx->cipher->block_size) != 0)
++ return (0);
++
++ if (ctx->encrypt)
++ {
++ rv = pFuncList->C_EncryptUpdate(sp->session,
++ (unsigned char *)in, inl, out, &outl);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CIPHER_DO_CIPHER,
++ PK11_R_ENCRYPTUPDATE, rv);
++ return (0);
++ }
++ }
++ else
++ {
++ rv = pFuncList->C_DecryptUpdate(sp->session,
++ (unsigned char *)in, inl, out, &outl);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CIPHER_DO_CIPHER,
++ PK11_R_DECRYPTUPDATE, rv);
++ return (0);
++ }
++ }
++
++ /*
++ * For DES_CBC, DES3_CBC, AES_CBC, and RC4, the output size is always
++ * the same size of input.
++ * The application has guaranteed to call the block ciphers with
++ * correctly aligned buffers.
++ */
++ if (inl != outl)
++ return (0);
++
++ return (1);
++ }
++
++/*
++ * Return the session to the pool. Calling C_EncryptFinal() and C_DecryptFinal()
++ * here is the right thing because in EVP_DecryptFinal_ex(), engine's
++ * do_cipher() is not even called, and in EVP_EncryptFinal_ex() it is called but
++ * the engine can't find out that it's the finalizing call. We wouldn't
++ * necessarily have to finalize the context here since reinitializing it with
++ * C_(Encrypt|Decrypt)Init() should be fine but for the sake of correctness,
++ * let's do it. Some implementations might leak memory if the previously used
++ * context is initialized without finalizing it first.
++ */
++static int
++pk11_cipher_cleanup(EVP_CIPHER_CTX *ctx)
++ {
++ CK_RV rv;
++ CK_ULONG len = EVP_MAX_BLOCK_LENGTH;
++ CK_BYTE buf[EVP_MAX_BLOCK_LENGTH];
++ PK11_CIPHER_STATE *state = ctx->cipher_data;
++
++ if (state != NULL && state->sp != NULL)
++ {
++ /*
++ * We are not interested in the data here, we just need to get
++ * rid of the context.
++ */
++ if (ctx->encrypt)
++ rv = pFuncList->C_EncryptFinal(
++ state->sp->session, buf, &len);
++ else
++ rv = pFuncList->C_DecryptFinal(
++ state->sp->session, buf, &len);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CIPHER_CLEANUP, ctx->encrypt ?
++ PK11_R_ENCRYPTFINAL : PK11_R_DECRYPTFINAL, rv);
++ pk11_return_session(state->sp, OP_CIPHER);
++ return (0);
++ }
++
++ pk11_return_session(state->sp, OP_CIPHER);
++ state->sp = NULL;
++ }
++
++ return (1);
++ }
++
++/*
++ * Registered by the ENGINE when used to find out how to deal with
++ * a particular NID in the ENGINE. This says what we'll do at the
++ * top level - note, that list is restricted by what we answer with
++ */
++/* ARGSUSED */
++static int
++pk11_engine_ciphers(ENGINE *e, const EVP_CIPHER **cipher,
++ const int **nids, int nid)
++ {
++ if (!cipher)
++ return (pk11_usable_ciphers(nids));
++
++ switch (nid)
++ {
++ case NID_des_ede3_cbc:
++ *cipher = &pk11_3des_cbc;
++ break;
++ case NID_des_cbc:
++ *cipher = &pk11_des_cbc;
++ break;
++ case NID_des_ede3_ecb:
++ *cipher = &pk11_3des_ecb;
++ break;
++ case NID_des_ecb:
++ *cipher = &pk11_des_ecb;
++ break;
++ case NID_aes_128_cbc:
++ *cipher = &pk11_aes_128_cbc;
++ break;
++ case NID_aes_192_cbc:
++ *cipher = &pk11_aes_192_cbc;
++ break;
++ case NID_aes_256_cbc:
++ *cipher = &pk11_aes_256_cbc;
++ break;
++ case NID_aes_128_ecb:
++ *cipher = &pk11_aes_128_ecb;
++ break;
++ case NID_aes_192_ecb:
++ *cipher = &pk11_aes_192_ecb;
++ break;
++ case NID_aes_256_ecb:
++ *cipher = &pk11_aes_256_ecb;
++ break;
++ case NID_bf_cbc:
++ *cipher = &pk11_bf_cbc;
++ break;
++ case NID_rc4:
++ *cipher = &pk11_rc4;
++ break;
++ default:
++#ifdef SOLARIS_AES_CTR
++ /*
++ * These can't be in separated cases because the NIDs
++ * here are not constants.
++ */
++ if (nid == NID_aes_128_ctr)
++ *cipher = &pk11_aes_128_ctr;
++ else if (nid == NID_aes_192_ctr)
++ *cipher = &pk11_aes_192_ctr;
++ else if (nid == NID_aes_256_ctr)
++ *cipher = &pk11_aes_256_ctr;
++ else
++#endif /* SOLARIS_AES_CTR */
++ *cipher = NULL;
++ break;
++ }
++ return (*cipher != NULL);
++ }
++
++/* ARGSUSED */
++static int
++pk11_engine_digests(ENGINE *e, const EVP_MD **digest,
++ const int **nids, int nid)
++ {
++ if (!digest)
++ return (pk11_usable_digests(nids));
++
++ switch (nid)
++ {
++ case NID_md5:
++ *digest = &pk11_md5;
++ break;
++ case NID_sha1:
++ *digest = &pk11_sha1;
++ break;
++ case NID_sha224:
++ *digest = &pk11_sha224;
++ break;
++ case NID_sha256:
++ *digest = &pk11_sha256;
++ break;
++ case NID_sha384:
++ *digest = &pk11_sha384;
++ break;
++ case NID_sha512:
++ *digest = &pk11_sha512;
++ break;
++ default:
++ *digest = NULL;
++ break;
++ }
++ return (*digest != NULL);
++ }
++
++
++/* Create a secret key object in a PKCS#11 session */
++static CK_OBJECT_HANDLE pk11_get_cipher_key(EVP_CIPHER_CTX *ctx,
++ const unsigned char *key, CK_KEY_TYPE key_type, PK11_SESSION *sp)
++ {
++ CK_RV rv;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++ CK_OBJECT_CLASS obj_key = CKO_SECRET_KEY;
++ CK_ULONG ul_key_attr_count = 6;
++
++ CK_ATTRIBUTE a_key_template[] =
++ {
++ {CKA_CLASS, (void*) NULL, sizeof (CK_OBJECT_CLASS)},
++ {CKA_KEY_TYPE, (void*) NULL, sizeof (CK_KEY_TYPE)},
++ {CKA_TOKEN, &false, sizeof (false)},
++ {CKA_ENCRYPT, &true, sizeof (true)},
++ {CKA_DECRYPT, &true, sizeof (true)},
++ {CKA_VALUE, (void*) NULL, 0},
++ };
++
++ /*
++ * Create secret key object in global_session. All other sessions
++ * can use the key handles. Here is why:
++ * OpenSSL will call EncryptInit and EncryptUpdate using a secret key.
++ * It may then call DecryptInit and DecryptUpdate using the same key.
++ * To use the same key object, we need to call EncryptFinal with
++ * a 0 length message. Currently, this does not work for 3DES
++ * mechanism. To get around this problem, we close the session and
++ * then create a new session to use the same key object. When a session
++ * is closed, all the object handles will be invalid. Thus, create key
++ * objects in a global session, an individual session may be closed to
++ * terminate the active operation.
++ */
++ CK_SESSION_HANDLE session = global_session;
++ a_key_template[0].pValue = &obj_key;
++ a_key_template[1].pValue = &key_type;
++ a_key_template[5].pValue = (void *) key;
++ a_key_template[5].ulValueLen = (unsigned long) ctx->key_len;
++
++ rv = pFuncList->C_CreateObject(session,
++ a_key_template, ul_key_attr_count, &h_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_CIPHER_KEY, PK11_R_CREATEOBJECT,
++ rv);
++ goto err;
++ }
++
++ /*
++ * Save the key information used in this session.
++ * The max can be saved is PK11_KEY_LEN_MAX.
++ */
++ sp->opdata_key_len = ctx->key_len > PK11_KEY_LEN_MAX ?
++ PK11_KEY_LEN_MAX : ctx->key_len;
++ (void) memcpy(sp->opdata_key, key, sp->opdata_key_len);
++err:
++
++ return (h_key);
++ }
++
++static int
++md_nid_to_pk11(int nid)
++ {
++ int i;
++
++ for (i = 0; i < PK11_DIGEST_MAX; i++)
++ if (digests[i].nid == nid)
++ return (digests[i].id);
++ return (-1);
++ }
++
++static int
++pk11_digest_init(EVP_MD_CTX *ctx)
++ {
++ CK_RV rv;
++ CK_MECHANISM mech;
++ int index;
++ PK11_SESSION *sp;
++ PK11_DIGEST *pdp;
++ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
++
++ state->sp = NULL;
++
++ index = md_nid_to_pk11(ctx->digest->type);
++ if (index < 0 || index >= PK11_DIGEST_MAX)
++ return (0);
++
++ pdp = &digests[index];
++ if ((sp = pk11_get_session(OP_DIGEST)) == NULL)
++ return (0);
++
++ /* at present, no parameter is needed for supported digests */
++ mech.mechanism = pdp->mech_type;
++ mech.pParameter = NULL;
++ mech.ulParameterLen = 0;
++
++ rv = pFuncList->C_DigestInit(sp->session, &mech);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DIGEST_INIT, PK11_R_DIGESTINIT, rv);
++ pk11_return_session(sp, OP_DIGEST);
++ return (0);
++ }
++
++ state->sp = sp;
++
++ return (1);
++ }
++
++static int
++pk11_digest_update(EVP_MD_CTX *ctx, const void *data, size_t count)
++ {
++ CK_RV rv;
++ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
++
++ /* 0 length message will cause a failure in C_DigestFinal */
++ if (count == 0)
++ return (1);
++
++ if (state == NULL || state->sp == NULL)
++ return (0);
++
++ rv = pFuncList->C_DigestUpdate(state->sp->session, (CK_BYTE *) data,
++ count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DIGEST_UPDATE, PK11_R_DIGESTUPDATE, rv);
++ pk11_return_session(state->sp, OP_DIGEST);
++ state->sp = NULL;
++ return (0);
++ }
++
++ return (1);
++ }
++
++static int
++pk11_digest_final(EVP_MD_CTX *ctx, unsigned char *md)
++ {
++ CK_RV rv;
++ unsigned long len;
++ PK11_CIPHER_STATE *state = (PK11_CIPHER_STATE *) ctx->md_data;
++ len = ctx->digest->md_size;
++
++ if (state == NULL || state->sp == NULL)
++ return (0);
++
++ rv = pFuncList->C_DigestFinal(state->sp->session, md, &len);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DIGEST_FINAL, PK11_R_DIGESTFINAL, rv);
++ pk11_return_session(state->sp, OP_DIGEST);
++ state->sp = NULL;
++ return (0);
++ }
++
++ if (ctx->digest->md_size != len)
++ return (0);
++
++ /*
++ * Final is called and digest is returned, so return the session
++ * to the pool
++ */
++ pk11_return_session(state->sp, OP_DIGEST);
++ state->sp = NULL;
++
++ return (1);
++ }
++
++static int
++pk11_digest_copy(EVP_MD_CTX *to, const EVP_MD_CTX *from)
++ {
++ CK_RV rv;
++ int ret = 0;
++ PK11_CIPHER_STATE *state, *state_to;
++ CK_BYTE_PTR pstate = NULL;
++ CK_ULONG ul_state_len;
++
++ /* The copy-from state */
++ state = (PK11_CIPHER_STATE *) from->md_data;
++ if (state == NULL || state->sp == NULL)
++ goto err;
++
++ /* Initialize the copy-to state */
++ if (!pk11_digest_init(to))
++ goto err;
++ state_to = (PK11_CIPHER_STATE *) to->md_data;
++
++ /* Get the size of the operation state of the copy-from session */
++ rv = pFuncList->C_GetOperationState(state->sp->session, NULL,
++ &ul_state_len);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE,
++ rv);
++ goto err;
++ }
++ if (ul_state_len == 0)
++ {
++ goto err;
++ }
++
++ pstate = OPENSSL_malloc(ul_state_len);
++ if (pstate == NULL)
++ {
++ PK11err(PK11_F_DIGEST_COPY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ /* Get the operation state of the copy-from session */
++ rv = pFuncList->C_GetOperationState(state->sp->session, pstate,
++ &ul_state_len);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DIGEST_COPY, PK11_R_GET_OPERATION_STATE,
++ rv);
++ goto err;
++ }
++
++ /* Set the operation state of the copy-to session */
++ rv = pFuncList->C_SetOperationState(state_to->sp->session, pstate,
++ ul_state_len, 0, 0);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DIGEST_COPY,
++ PK11_R_SET_OPERATION_STATE, rv);
++ goto err;
++ }
++
++ ret = 1;
++err:
++ if (pstate != NULL)
++ OPENSSL_free(pstate);
++
++ return (ret);
++ }
++
++/* Return any pending session state to the pool */
++static int
++pk11_digest_cleanup(EVP_MD_CTX *ctx)
++ {
++ PK11_CIPHER_STATE *state = ctx->md_data;
++ unsigned char buf[EVP_MAX_MD_SIZE];
++
++ if (state != NULL && state->sp != NULL)
++ {
++ /*
++ * If state->sp is not NULL then pk11_digest_final() has not
++ * been called yet. We must call it now to free any memory
++ * that might have been allocated in the token when
++ * pk11_digest_init() was called. pk11_digest_final()
++ * will return the session to the cache.
++ */
++ if (!pk11_digest_final(ctx, buf))
++ return (0);
++ }
++
++ return (1);
++ }
++
++/*
++ * Check if the new key is the same as the key object in the session. If the key
++ * is the same, no need to create a new key object. Otherwise, the old key
++ * object needs to be destroyed and a new one will be created. Return 1 for
++ * cache hit, 0 for cache miss. Note that we must check the key length first
++ * otherwise we could end up reusing a different, longer key with the same
++ * prefix.
++ */
++static int check_new_cipher_key(PK11_SESSION *sp, const unsigned char *key,
++ int key_len)
++ {
++ if (sp->opdata_key_len != key_len ||
++ memcmp(sp->opdata_key, key, key_len) != 0)
++ {
++ (void) pk11_destroy_cipher_key_objects(sp);
++ return (0);
++ }
++ return (1);
++ }
++
++/* Destroy one or more secret key objects. */
++static int pk11_destroy_cipher_key_objects(PK11_SESSION *session)
++ {
++ int ret = 0;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *local_free_session;
++
++ if (session != NULL)
++ local_free_session = session;
++ else
++ {
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(session_cache[OP_CIPHER].lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ local_free_session = session_cache[OP_CIPHER].head;
++ }
++
++ while ((sp = local_free_session) != NULL)
++ {
++ local_free_session = sp->next;
++
++ if (sp->opdata_cipher_key != CK_INVALID_HANDLE)
++ {
++ /*
++ * The secret key object is created in the
++ * global_session. See pk11_get_cipher_key
++ */
++ if (pk11_destroy_object(global_session,
++ sp->opdata_cipher_key) == 0)
++ goto err;
++ sp->opdata_cipher_key = CK_INVALID_HANDLE;
++ }
++ }
++ ret = 1;
++err:
++
++#ifndef NOPTHREADS
++ if (session == NULL)
++ (void) pthread_mutex_unlock(session_cache[OP_CIPHER].lock);
++#else
++ if (session == NULL)
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (ret);
++ }
++
++
++/*
++ * Public key mechanisms optionally supported
++ *
++ * CKM_RSA_X_509
++ * CKM_RSA_PKCS
++ * CKM_DSA
++ *
++ * The first slot that supports at least one of those mechanisms is chosen as a
++ * public key slot.
++ *
++ * Symmetric ciphers optionally supported
++ *
++ * CKM_DES3_CBC
++ * CKM_DES_CBC
++ * CKM_AES_CBC
++ * CKM_DES3_ECB
++ * CKM_DES_ECB
++ * CKM_AES_ECB
++ * CKM_AES_CTR
++ * CKM_RC4
++ * CKM_BLOWFISH_CBC
++ *
++ * Digests optionally supported
++ *
++ * CKM_MD5
++ * CKM_SHA_1
++ * CKM_SHA224
++ * CKM_SHA256
++ * CKM_SHA384
++ * CKM_SHA512
++ *
++ * The output of this function is a set of global variables indicating which
++ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
++ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global
++ * variables carry information about which slot was chosen for (a) public key
++ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
++ */
++static int
++pk11_choose_slots(int *any_slot_found)
++ {
++ CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++ CK_ULONG ulSlotCount = 0;
++ CK_MECHANISM_INFO mech_info;
++ CK_TOKEN_INFO token_info;
++ unsigned int i;
++ CK_RV rv;
++ CK_SLOT_ID best_slot_sofar = 0;
++ CK_BBOOL found_candidate_slot = CK_FALSE;
++ int slot_n_cipher = 0;
++ int slot_n_digest = 0;
++ CK_SLOT_ID current_slot = 0;
++ int current_slot_n_cipher = 0;
++ int current_slot_n_digest = 0;
++
++ int local_cipher_nids[PK11_CIPHER_MAX];
++ int local_digest_nids[PK11_DIGEST_MAX];
++
++ /* let's initialize the output parameter */
++ if (any_slot_found != NULL)
++ *any_slot_found = 0;
++
++ /* Get slot list for memory allocation */
++ rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++ return (0);
++ }
++
++ /* it's not an error if we didn't find any providers */
++ if (ulSlotCount == 0)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ return (1);
++ }
++
++ pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++
++ if (pSlotList == NULL)
++ {
++ PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
++ return (0);
++ }
++
++ /* Get the slot list for processing */
++ rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++ OPENSSL_free(pSlotList);
++ return (0);
++ }
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
++ fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
++
++ fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ for (i = 0; i < ulSlotCount; i++)
++ {
++ current_slot = pSlotList[i];
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif /* DEBUG_SLOT_SELECTION */
++ /* Check if slot has random support. */
++ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++ if (rv != CKR_OK)
++ continue;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ if (token_info.flags & CKF_RNG)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ pk11_have_random = CK_TRUE;
++ rand_SLOTID = current_slot;
++ break;
++ }
++ }
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ pubkey_SLOTID = pSlotList[0];
++ for (i = 0; i < ulSlotCount; i++)
++ {
++ CK_BBOOL slot_has_rsa = CK_FALSE;
++ CK_BBOOL slot_has_recover = CK_FALSE;
++ CK_BBOOL slot_has_dsa = CK_FALSE;
++ CK_BBOOL slot_has_dh = CK_FALSE;
++ current_slot = pSlotList[i];
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif /* DEBUG_SLOT_SELECTION */
++ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++ if (rv != CKR_OK)
++ continue;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif /* DEBUG_SLOT_SELECTION */
++
++#ifndef OPENSSL_NO_RSA
++ /*
++ * Check if this slot is capable of signing and
++ * verifying with CKM_RSA_PKCS.
++ */
++ rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
++ &mech_info);
++
++ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
++ (mech_info.flags & CKF_VERIFY)))
++ {
++ /*
++ * Check if this slot is capable of encryption,
++ * decryption, sign, and verify with CKM_RSA_X_509.
++ */
++ rv = pFuncList->C_GetMechanismInfo(current_slot,
++ CKM_RSA_X_509, &mech_info);
++
++ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
++ (mech_info.flags & CKF_VERIFY) &&
++ (mech_info.flags & CKF_ENCRYPT) &&
++ (mech_info.flags & CKF_DECRYPT)))
++ {
++ slot_has_rsa = CK_TRUE;
++ if (mech_info.flags & CKF_VERIFY_RECOVER)
++ {
++ slot_has_recover = CK_TRUE;
++ }
++ }
++ }
++#endif /* OPENSSL_NO_RSA */
++
++#ifndef OPENSSL_NO_DSA
++ /*
++ * Check if this slot is capable of signing and
++ * verifying with CKM_DSA.
++ */
++ rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_DSA,
++ &mech_info);
++ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN) &&
++ (mech_info.flags & CKF_VERIFY)))
++ {
++ slot_has_dsa = CK_TRUE;
++ }
++
++#endif /* OPENSSL_NO_DSA */
++
++#ifndef OPENSSL_NO_DH
++ /*
++ * Check if this slot is capable of DH key generataion and
++ * derivation.
++ */
++ rv = pFuncList->C_GetMechanismInfo(current_slot,
++ CKM_DH_PKCS_KEY_PAIR_GEN, &mech_info);
++
++ if (rv == CKR_OK && (mech_info.flags & CKF_GENERATE_KEY_PAIR))
++ {
++ rv = pFuncList->C_GetMechanismInfo(current_slot,
++ CKM_DH_PKCS_DERIVE, &mech_info);
++ if (rv == CKR_OK && (mech_info.flags & CKF_DERIVE))
++ {
++ slot_has_dh = CK_TRUE;
++ }
++ }
++#endif /* OPENSSL_NO_DH */
++
++ if (!found_candidate_slot &&
++ (slot_has_rsa || slot_has_dsa || slot_has_dh))
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: potential slot: %d\n", PK11_DBG, current_slot);
++#endif /* DEBUG_SLOT_SELECTION */
++ best_slot_sofar = current_slot;
++ pk11_have_rsa = slot_has_rsa;
++ pk11_have_recover = slot_has_recover;
++ pk11_have_dsa = slot_has_dsa;
++ pk11_have_dh = slot_has_dh;
++ found_candidate_slot = CK_TRUE;
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: setting found_candidate_slot to CK_TRUE\n",
++ PK11_DBG);
++ fprintf(stderr,
++ "%s: best so far slot: %d\n", PK11_DBG,
++ best_slot_sofar);
++ }
++ else
++ {
++ fprintf(stderr,
++ "%s: no rsa/dsa/dh\n", PK11_DBG);
++ }
++#else
++ } /* if */
++#endif /* DEBUG_SLOT_SELECTION */
++ } /* for */
++
++ if (found_candidate_slot)
++ {
++ pubkey_SLOTID = best_slot_sofar;
++ }
++
++ found_candidate_slot = CK_FALSE;
++ best_slot_sofar = 0;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: == checking cipher/digest ==\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ SLOTID = pSlotList[0];
++ for (i = 0; i < ulSlotCount; i++)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ current_slot = pSlotList[i];
++ current_slot_n_cipher = 0;
++ current_slot_n_digest = 0;
++ (void) memset(local_cipher_nids, 0, sizeof (local_cipher_nids));
++ (void) memset(local_digest_nids, 0, sizeof (local_digest_nids));
++
++ pk11_find_symmetric_ciphers(pFuncList, current_slot,
++ ¤t_slot_n_cipher, local_cipher_nids);
++
++ pk11_find_digests(pFuncList, current_slot,
++ ¤t_slot_n_digest, local_digest_nids);
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: current_slot_n_cipher %d\n", PK11_DBG,
++ current_slot_n_cipher);
++ fprintf(stderr, "%s: current_slot_n_digest %d\n", PK11_DBG,
++ current_slot_n_digest);
++ fprintf(stderr, "%s: best so far cipher/digest slot: %d\n",
++ PK11_DBG, best_slot_sofar);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ /*
++ * If the current slot supports more ciphers/digests than
++ * the previous best one we change the current best to this one,
++ * otherwise leave it where it is.
++ */
++ if ((current_slot_n_cipher + current_slot_n_digest) >
++ (slot_n_cipher + slot_n_digest))
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: changing best so far slot to %d\n",
++ PK11_DBG, current_slot);
++#endif /* DEBUG_SLOT_SELECTION */
++ best_slot_sofar = SLOTID = current_slot;
++ cipher_count = slot_n_cipher = current_slot_n_cipher;
++ digest_count = slot_n_digest = current_slot_n_digest;
++ (void) memcpy(cipher_nids, local_cipher_nids,
++ sizeof (local_cipher_nids));
++ (void) memcpy(digest_nids, local_digest_nids,
++ sizeof (local_digest_nids));
++ }
++ }
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
++ fprintf(stderr,
++ "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
++ fprintf(stderr,
++ "%s: chosen cipher/digest slot: %d\n", PK11_DBG, SLOTID);
++ fprintf(stderr,
++ "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
++ fprintf(stderr,
++ "%s: pk11_have_recover %d\n", PK11_DBG, pk11_have_recover);
++ fprintf(stderr,
++ "%s: pk11_have_dsa %d\n", PK11_DBG, pk11_have_dsa);
++ fprintf(stderr,
++ "%s: pk11_have_dh %d\n", PK11_DBG, pk11_have_dh);
++ fprintf(stderr,
++ "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
++ fprintf(stderr,
++ "%s: cipher_count %d\n", PK11_DBG, cipher_count);
++ fprintf(stderr,
++ "%s: digest_count %d\n", PK11_DBG, digest_count);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ if (pSlotList != NULL)
++ OPENSSL_free(pSlotList);
++
++#ifdef SOLARIS_HW_SLOT_SELECTION
++ OPENSSL_free(hw_cnids);
++ OPENSSL_free(hw_dnids);
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++
++ if (any_slot_found != NULL)
++ *any_slot_found = 1;
++ return (1);
++ }
++
++static void pk11_get_symmetric_cipher(CK_FUNCTION_LIST_PTR pflist,
++ int slot_id, CK_MECHANISM_TYPE mech, int *current_slot_n_cipher,
++ int *local_cipher_nids, int id)
++ {
++ CK_MECHANISM_INFO mech_info;
++ CK_RV rv;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech);
++#endif /* DEBUG_SLOT_SELECTION */
++ rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info);
++
++ if (rv != CKR_OK)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, " not found\n");
++#endif /* DEBUG_SLOT_SELECTION */
++ return;
++ }
++
++ if ((mech_info.flags & CKF_ENCRYPT) &&
++ (mech_info.flags & CKF_DECRYPT))
++ {
++#ifdef SOLARIS_HW_SLOT_SELECTION
++ if (nid_in_table(ciphers[id].nid, hw_cnids))
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, " usable\n");
++#endif /* DEBUG_SLOT_SELECTION */
++ local_cipher_nids[(*current_slot_n_cipher)++] =
++ ciphers[id].nid;
++ }
++#ifdef SOLARIS_HW_SLOT_SELECTION
++#ifdef DEBUG_SLOT_SELECTION
++ else
++ {
++ fprintf(stderr, " rejected, software implementation only\n");
++ }
++#endif /* DEBUG_SLOT_SELECTION */
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++ }
++#ifdef DEBUG_SLOT_SELECTION
++ else
++ {
++ fprintf(stderr, " unusable\n");
++ }
++#endif /* DEBUG_SLOT_SELECTION */
++
++ return;
++ }
++
++static void pk11_get_digest(CK_FUNCTION_LIST_PTR pflist, int slot_id,
++ CK_MECHANISM_TYPE mech, int *current_slot_n_digest, int *local_digest_nids,
++ int id)
++ {
++ CK_MECHANISM_INFO mech_info;
++ CK_RV rv;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking mech: %x", PK11_DBG, mech);
++#endif /* DEBUG_SLOT_SELECTION */
++ rv = pflist->C_GetMechanismInfo(slot_id, mech, &mech_info);
++
++ if (rv != CKR_OK)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, " not found\n");
++#endif /* DEBUG_SLOT_SELECTION */
++ return;
++ }
++
++ if (mech_info.flags & CKF_DIGEST)
++ {
++#ifdef SOLARIS_HW_SLOT_SELECTION
++ if (nid_in_table(digests[id].nid, hw_dnids))
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, " usable\n");
++#endif /* DEBUG_SLOT_SELECTION */
++ local_digest_nids[(*current_slot_n_digest)++] =
++ digests[id].nid;
++ }
++#ifdef SOLARIS_HW_SLOT_SELECTION
++#ifdef DEBUG_SLOT_SELECTION
++ else
++ {
++ fprintf(stderr, " rejected, software implementation only\n");
++ }
++#endif /* DEBUG_SLOT_SELECTION */
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++ }
++#ifdef DEBUG_SLOT_SELECTION
++ else
++ {
++ fprintf(stderr, " unusable\n");
++ }
++#endif /* DEBUG_SLOT_SELECTION */
++
++ return;
++ }
++
++#ifdef SOLARIS_AES_CTR
++/* create a new NID when we have no OID for that mechanism */
++static int pk11_add_NID(char *sn, char *ln)
++ {
++ ASN1_OBJECT *o;
++ int nid;
++
++ if ((o = ASN1_OBJECT_create(OBJ_new_nid(1), (unsigned char *)"",
++ 1, sn, ln)) == NULL)
++ {
++ return (0);
++ }
++
++ /* will return NID_undef on error */
++ nid = OBJ_add_object(o);
++ ASN1_OBJECT_free(o);
++
++ return (nid);
++ }
++
++/*
++ * Create new NIDs for AES counter mode. OpenSSL doesn't support them now so we
++ * have to help ourselves here.
++ */
++static int pk11_add_aes_ctr_NIDs(void)
++ {
++ /* are we already set? */
++ if (NID_aes_256_ctr != NID_undef)
++ return (1);
++
++ /*
++ * There are no official names for AES counter modes yet so we just
++ * follow the format of those that exist.
++ */
++ if ((NID_aes_128_ctr = pk11_add_NID("AES-128-CTR", "aes-128-ctr")) ==
++ NID_undef)
++ goto err;
++ ciphers[PK11_AES_128_CTR].nid = pk11_aes_128_ctr.nid = NID_aes_128_ctr;
++ if ((NID_aes_192_ctr = pk11_add_NID("AES-192-CTR", "aes-192-ctr")) ==
++ NID_undef)
++ goto err;
++ ciphers[PK11_AES_192_CTR].nid = pk11_aes_192_ctr.nid = NID_aes_192_ctr;
++ if ((NID_aes_256_ctr = pk11_add_NID("AES-256-CTR", "aes-256-ctr")) ==
++ NID_undef)
++ goto err;
++ ciphers[PK11_AES_256_CTR].nid = pk11_aes_256_ctr.nid = NID_aes_256_ctr;
++ return (1);
++
++err:
++ PK11err(PK11_F_ADD_AES_CTR_NIDS, PK11_R_ADD_NID_FAILED);
++ return (0);
++ }
++#endif /* SOLARIS_AES_CTR */
++
++/* Find what symmetric ciphers this slot supports. */
++static void pk11_find_symmetric_ciphers(CK_FUNCTION_LIST_PTR pflist,
++ CK_SLOT_ID current_slot, int *current_slot_n_cipher, int *local_cipher_nids)
++ {
++ int i;
++
++ for (i = 0; i < PK11_CIPHER_MAX; ++i)
++ {
++ pk11_get_symmetric_cipher(pflist, current_slot,
++ ciphers[i].mech_type, current_slot_n_cipher,
++ local_cipher_nids, ciphers[i].id);
++ }
++ }
++
++/* Find what digest algorithms this slot supports. */
++static void pk11_find_digests(CK_FUNCTION_LIST_PTR pflist,
++ CK_SLOT_ID current_slot, int *current_slot_n_digest, int *local_digest_nids)
++ {
++ int i;
++
++ for (i = 0; i < PK11_DIGEST_MAX; ++i)
++ {
++ pk11_get_digest(pflist, current_slot, digests[i].mech_type,
++ current_slot_n_digest, local_digest_nids, digests[i].id);
++ }
++ }
++
++#ifdef SOLARIS_HW_SLOT_SELECTION
++/*
++ * It would be great if we could use pkcs11_kernel directly since this library
++ * offers hardware slots only. That's the easiest way to achieve the situation
++ * where we use the hardware accelerators when present and OpenSSL native code
++ * otherwise. That presumes the fact that OpenSSL native code is faster than the
++ * code in the soft token. It's a logical assumption - Crypto Framework has some
++ * inherent overhead so going there for the software implementation of a
++ * mechanism should be logically slower in contrast to the OpenSSL native code,
++ * presuming that both implementations are of similar speed. For example, the
++ * soft token for AES is roughly three times slower than OpenSSL for 64 byte
++ * blocks and still 20% slower for 8KB blocks. So, if we want to ship products
++ * that use the PKCS#11 engine by default, we must somehow avoid that regression
++ * on machines without hardware acceleration. That's why switching to the
++ * pkcs11_kernel library seems like a very good idea.
++ *
++ * The problem is that OpenSSL built with SunStudio is roughly 2x slower for
++ * asymmetric operations (RSA/DSA/DH) than the soft token built with the same
++ * compiler. That means that if we switched to pkcs11_kernel from the libpkcs11
++ * library, we would have had a performance regression on machines without
++ * hardware acceleration for asymmetric operations for all applications that use
++ * the PKCS#11 engine. There is one such application - Apache web server since
++ * it's shipped configured to use the PKCS#11 engine by default. Having said
++ * that, we can't switch to the pkcs11_kernel library now and have to come with
++ * a solution that, on non-accelerated machines, uses the OpenSSL native code
++ * for all symmetric ciphers and digests while it uses the soft token for
++ * asymmetric operations.
++ *
++ * This is the idea: dlopen() pkcs11_kernel directly and find out what
++ * mechanisms are there. We don't care about duplications (more slots can
++ * support the same mechanism), we just want to know what mechanisms can be
++ * possibly supported in hardware on that particular machine. As said before,
++ * pkcs11_kernel will show you hardware providers only.
++ *
++ * Then, we rely on the fact that since we use libpkcs11 library we will find
++ * the metaslot. When we go through the metaslot's mechanisms for symmetric
++ * ciphers and digests, we check that any found mechanism is in the table
++ * created using the pkcs11_kernel library. So, as a result we have two arrays
++ * of mechanisms that were advertised as supported in hardware which was the
++ * goal of that whole excercise. Thus, we can use libpkcs11 but avoid soft token
++ * code for symmetric ciphers and digests. See pk11_choose_slots() for more
++ * information.
++ *
++ * This is Solaris specific code, if SOLARIS_HW_SLOT_SELECTION is not defined
++ * the code won't be used.
++ */
++#if defined(__sparcv9) || defined(__x86_64) || defined(__amd64)
++static const char pkcs11_kernel[] = "/usr/lib/security/64/pkcs11_kernel.so.1";
++#else
++static const char pkcs11_kernel[] = "/usr/lib/security/pkcs11_kernel.so.1";
++#endif
++
++/*
++ * Check hardware capabilities of the machines. The output are two lists,
++ * hw_cnids and hw_dnids, that contain hardware mechanisms found in all hardware
++ * providers together. They are not sorted and may contain duplicate mechanisms.
++ */
++static int check_hw_mechanisms(void)
++ {
++ int i;
++ CK_RV rv;
++ void *handle;
++ CK_C_GetFunctionList p;
++ CK_TOKEN_INFO token_info;
++ CK_ULONG ulSlotCount = 0;
++ int n_cipher = 0, n_digest = 0;
++ CK_FUNCTION_LIST_PTR pflist = NULL;
++ CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++ int *tmp_hw_cnids = NULL, *tmp_hw_dnids = NULL;
++ int hw_ctable_size, hw_dtable_size;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: SOLARIS_HW_SLOT_SELECTION code running\n",
++ PK11_DBG);
++#endif
++ if ((handle = dlopen(pkcs11_kernel, RTLD_LAZY)) == NULL)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++ if ((p = (CK_C_GetFunctionList)dlsym(handle,
++ PK11_GET_FUNCTION_LIST)) == NULL)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++ /* get the full function list from the loaded library */
++ if (p(&pflist) != CKR_OK)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++ rv = pflist->C_Initialize(NULL_PTR);
++ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++ {
++ PK11err_add_data(PK11_F_CHECK_HW_MECHANISMS,
++ PK11_R_INITIALIZE, rv);
++ goto err;
++ }
++
++ if (pflist->C_GetSlotList(0, NULL_PTR, &ulSlotCount) != CKR_OK)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_GETSLOTLIST);
++ goto err;
++ }
++
++ /* no slots, set the hw mechanism tables as empty */
++ if (ulSlotCount == 0)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: no hardware mechanisms found\n", PK11_DBG);
++#endif
++ hw_cnids = OPENSSL_malloc(sizeof (int));
++ hw_dnids = OPENSSL_malloc(sizeof (int));
++ if (hw_cnids == NULL || hw_dnids == NULL)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS,
++ PK11_R_MALLOC_FAILURE);
++ return (0);
++ }
++ /* this means empty tables */
++ hw_cnids[0] = NID_undef;
++ hw_dnids[0] = NID_undef;
++ return (1);
++ }
++
++ pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++ if (pSlotList == NULL)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ /* Get the slot list for processing */
++ if (pflist->C_GetSlotList(0, pSlotList, &ulSlotCount) != CKR_OK)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_GETSLOTLIST);
++ goto err;
++ }
++
++ /*
++ * We don't care about duplicit mechanisms in multiple slots and also
++ * reserve one slot for the terminal NID_undef which we use to stop the
++ * search.
++ */
++ hw_ctable_size = ulSlotCount * PK11_CIPHER_MAX + 1;
++ hw_dtable_size = ulSlotCount * PK11_DIGEST_MAX + 1;
++ tmp_hw_cnids = OPENSSL_malloc(hw_ctable_size * sizeof (int));
++ tmp_hw_dnids = OPENSSL_malloc(hw_dtable_size * sizeof (int));
++ if (tmp_hw_cnids == NULL || tmp_hw_dnids == NULL)
++ {
++ PK11err(PK11_F_CHECK_HW_MECHANISMS, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ /*
++ * Do not use memset since we should not rely on the fact that NID_undef
++ * is zero now.
++ */
++ for (i = 0; i < hw_ctable_size; ++i)
++ tmp_hw_cnids[i] = NID_undef;
++ for (i = 0; i < hw_dtable_size; ++i)
++ tmp_hw_dnids[i] = NID_undef;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: provider: %s\n", PK11_DBG, pkcs11_kernel);
++ fprintf(stderr, "%s: found %d hardware slots\n", PK11_DBG, ulSlotCount);
++ fprintf(stderr, "%s: now looking for mechs supported in hw\n",
++ PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ for (i = 0; i < ulSlotCount; i++)
++ {
++ if (pflist->C_GetTokenInfo(pSlotList[i], &token_info) != CKR_OK)
++ continue;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ /*
++ * We are filling the hw mech tables here. Global tables are
++ * still NULL so all mechanisms are put into tmp tables.
++ */
++ pk11_find_symmetric_ciphers(pflist, pSlotList[i],
++ &n_cipher, tmp_hw_cnids);
++ pk11_find_digests(pflist, pSlotList[i],
++ &n_digest, tmp_hw_dnids);
++ }
++
++ /*
++ * Since we are part of a library (libcrypto.so), calling this function
++ * may have side-effects. Also, C_Finalize() is triggered by
++ * dlclose(3C).
++ */
++#if 0
++ pflist->C_Finalize(NULL);
++#endif
++ OPENSSL_free(pSlotList);
++ (void) dlclose(handle);
++ hw_cnids = tmp_hw_cnids;
++ hw_dnids = tmp_hw_dnids;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: hw mechs check complete\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ return (1);
++
++err:
++ if (pSlotList != NULL)
++ OPENSSL_free(pSlotList);
++ if (tmp_hw_cnids != NULL)
++ OPENSSL_free(tmp_hw_cnids);
++ if (tmp_hw_dnids != NULL)
++ OPENSSL_free(tmp_hw_dnids);
++
++ return (0);
++ }
++
++/*
++ * Check presence of a NID in the table of NIDs. The table may be NULL (i.e.,
++ * non-existent).
++ */
++static int nid_in_table(int nid, int *nid_table)
++ {
++ int i = 0;
++
++ /*
++ * a special case. NULL means that we are initializing a new
++ * table.
++ */
++ if (nid_table == NULL)
++ return (1);
++
++ /*
++ * the table is never full, there is always at least one
++ * NID_undef.
++ */
++ while (nid_table[i] != NID_undef)
++ {
++ if (nid_table[i++] == nid)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, " (NID %d in hw table, idx %d)", nid, i);
++#endif /* DEBUG_SLOT_SELECTION */
++ return (1);
++ }
++ }
++
++ return (0);
++ }
++#endif /* SOLARIS_HW_SLOT_SELECTION */
++
++#endif /* OPENSSL_NO_HW_PK11CA */
++#endif /* OPENSSL_NO_HW_PK11 */
++#endif /* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11_err.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.c:1.4
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11_err.c Wed Dec 17 16:14:26 2008
+@@ -0,0 +1,259 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_err.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <openssl/err.h>
++#include "hw_pk11_err.h"
++
++/* BEGIN ERROR CODES */
++#ifndef OPENSSL_NO_ERR
++static ERR_STRING_DATA pk11_str_functs[]=
++{
++{ ERR_PACK(0, PK11_F_INIT, 0), "PK11_INIT"},
++{ ERR_PACK(0, PK11_F_FINISH, 0), "PK11_FINISH"},
++{ ERR_PACK(0, PK11_F_DESTROY, 0), "PK11_DESTROY"},
++{ ERR_PACK(0, PK11_F_CTRL, 0), "PK11_CTRL"},
++{ ERR_PACK(0, PK11_F_RSA_INIT, 0), "PK11_RSA_INIT"},
++{ ERR_PACK(0, PK11_F_RSA_FINISH, 0), "PK11_RSA_FINISH"},
++{ ERR_PACK(0, PK11_F_GET_PUB_RSA_KEY, 0), "PK11_GET_PUB_RSA_KEY"},
++{ ERR_PACK(0, PK11_F_GET_PRIV_RSA_KEY, 0), "PK11_GET_PRIV_RSA_KEY"},
++{ ERR_PACK(0, PK11_F_RSA_GEN_KEY, 0), "PK11_RSA_GEN_KEY"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_ENC, 0), "PK11_RSA_PUB_ENC"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC, 0), "PK11_RSA_PRIV_ENC"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_DEC, 0), "PK11_RSA_PUB_DEC"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC, 0), "PK11_RSA_PRIV_DEC"},
++{ ERR_PACK(0, PK11_F_RSA_SIGN, 0), "PK11_RSA_SIGN"},
++{ ERR_PACK(0, PK11_F_RSA_VERIFY, 0), "PK11_RSA_VERIFY"},
++{ ERR_PACK(0, PK11_F_RAND_ADD, 0), "PK11_RAND_ADD"},
++{ ERR_PACK(0, PK11_F_RAND_BYTES, 0), "PK11_RAND_BYTES"},
++{ ERR_PACK(0, PK11_F_GET_SESSION, 0), "PK11_GET_SESSION"},
++{ ERR_PACK(0, PK11_F_FREE_SESSION, 0), "PK11_FREE_SESSION"},
++{ ERR_PACK(0, PK11_F_LOAD_PUBKEY, 0), "PK11_LOAD_PUBKEY"},
++{ ERR_PACK(0, PK11_F_LOAD_PRIVKEY, 0), "PK11_LOAD_PRIV_KEY"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_ENC_LOW, 0), "PK11_RSA_PUB_ENC_LOW"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_ENC_LOW, 0), "PK11_RSA_PRIV_ENC_LOW"},
++{ ERR_PACK(0, PK11_F_RSA_PUB_DEC_LOW, 0), "PK11_RSA_PUB_DEC_LOW"},
++{ ERR_PACK(0, PK11_F_RSA_PRIV_DEC_LOW, 0), "PK11_RSA_PRIV_DEC_LOW"},
++{ ERR_PACK(0, PK11_F_DSA_SIGN, 0), "PK11_DSA_SIGN"},
++{ ERR_PACK(0, PK11_F_DSA_VERIFY, 0), "PK11_DSA_VERIFY"},
++{ ERR_PACK(0, PK11_F_DSA_INIT, 0), "PK11_DSA_INIT"},
++{ ERR_PACK(0, PK11_F_DSA_FINISH, 0), "PK11_DSA_FINISH"},
++{ ERR_PACK(0, PK11_F_GET_PUB_DSA_KEY, 0), "PK11_GET_PUB_DSA_KEY"},
++{ ERR_PACK(0, PK11_F_GET_PRIV_DSA_KEY, 0), "PK11_GET_PRIV_DSA_KEY"},
++{ ERR_PACK(0, PK11_F_DH_INIT, 0), "PK11_DH_INIT"},
++{ ERR_PACK(0, PK11_F_DH_FINISH, 0), "PK11_DH_FINISH"},
++{ ERR_PACK(0, PK11_F_MOD_EXP_DH, 0), "PK11_MOD_EXP_DH"},
++{ ERR_PACK(0, PK11_F_GET_DH_KEY, 0), "PK11_GET_DH_KEY"},
++{ ERR_PACK(0, PK11_F_FREE_ALL_SESSIONS, 0), "PK11_FREE_ALL_SESSIONS"},
++{ ERR_PACK(0, PK11_F_SETUP_SESSION, 0), "PK11_SETUP_SESSION"},
++{ ERR_PACK(0, PK11_F_DESTROY_OBJECT, 0), "PK11_DESTROY_OBJECT"},
++{ ERR_PACK(0, PK11_F_CIPHER_INIT, 0), "PK11_CIPHER_INIT"},
++{ ERR_PACK(0, PK11_F_CIPHER_DO_CIPHER, 0), "PK11_CIPHER_DO_CIPHER"},
++{ ERR_PACK(0, PK11_F_GET_CIPHER_KEY, 0), "PK11_GET_CIPHER_KEY"},
++{ ERR_PACK(0, PK11_F_DIGEST_INIT, 0), "PK11_DIGEST_INIT"},
++{ ERR_PACK(0, PK11_F_DIGEST_UPDATE, 0), "PK11_DIGEST_UPDATE"},
++{ ERR_PACK(0, PK11_F_DIGEST_FINAL, 0), "PK11_DIGEST_FINAL"},
++{ ERR_PACK(0, PK11_F_CHOOSE_SLOT, 0), "PK11_CHOOSE_SLOT"},
++{ ERR_PACK(0, PK11_F_CIPHER_FINAL, 0), "PK11_CIPHER_FINAL"},
++{ ERR_PACK(0, PK11_F_LIBRARY_INIT, 0), "PK11_LIBRARY_INIT"},
++{ ERR_PACK(0, PK11_F_LOAD, 0), "ENGINE_LOAD_PK11"},
++{ ERR_PACK(0, PK11_F_DH_GEN_KEY, 0), "PK11_DH_GEN_KEY"},
++{ ERR_PACK(0, PK11_F_DH_COMP_KEY, 0), "PK11_DH_COMP_KEY"},
++{ ERR_PACK(0, PK11_F_DIGEST_COPY, 0), "PK11_DIGEST_COPY"},
++{ ERR_PACK(0, PK11_F_CIPHER_CLEANUP, 0), "PK11_CIPHER_CLEANUP"},
++{ ERR_PACK(0, PK11_F_ACTIVE_ADD, 0), "PK11_ACTIVE_ADD"},
++{ ERR_PACK(0, PK11_F_ACTIVE_DELETE, 0), "PK11_ACTIVE_DELETE"},
++{ ERR_PACK(0, PK11_F_CHECK_HW_MECHANISMS, 0), "PK11_CHECK_HW_MECHANISMS"},
++{ ERR_PACK(0, PK11_F_INIT_SYMMETRIC, 0), "PK11_INIT_SYMMETRIC"},
++{ ERR_PACK(0, PK11_F_ADD_AES_CTR_NIDS, 0), "PK11_ADD_AES_CTR_NIDS"},
++{ 0, NULL}
++};
++
++static ERR_STRING_DATA pk11_str_reasons[]=
++{
++{ PK11_R_ALREADY_LOADED, "PKCS#11 DSO already loaded"},
++{ PK11_R_DSO_FAILURE, "unable to load PKCS#11 DSO"},
++{ PK11_R_NOT_LOADED, "PKCS#11 DSO not loaded"},
++{ PK11_R_PASSED_NULL_PARAMETER, "null parameter passed"},
++{ PK11_R_COMMAND_NOT_IMPLEMENTED, "command not implemented"},
++{ PK11_R_INITIALIZE, "C_Initialize failed"},
++{ PK11_R_FINALIZE, "C_Finalize failed"},
++{ PK11_R_GETINFO, "C_GetInfo faile"},
++{ PK11_R_GETSLOTLIST, "C_GetSlotList failed"},
++{ PK11_R_NO_MODULUS_OR_NO_EXPONENT, "no modulus or no exponent"},
++{ PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID, "attr sensitive or invalid"},
++{ PK11_R_GETATTRIBUTVALUE, "C_GetAttributeValue failed"},
++{ PK11_R_NO_MODULUS, "no modulus"},
++{ PK11_R_NO_EXPONENT, "no exponent"},
++{ PK11_R_FINDOBJECTSINIT, "C_FindObjectsInit failed"},
++{ PK11_R_FINDOBJECTS, "C_FindObjects failed"},
++{ PK11_R_FINDOBJECTSFINAL, "C_FindObjectsFinal failed"},
++{ PK11_R_CREATEOBJECT, "C_CreateObject failed"},
++{ PK11_R_DESTROYOBJECT, "C_DestroyObject failed"},
++{ PK11_R_OPENSESSION, "C_OpenSession failed"},
++{ PK11_R_CLOSESESSION, "C_CloseSession failed"},
++{ PK11_R_ENCRYPTINIT, "C_EncryptInit failed"},
++{ PK11_R_ENCRYPT, "C_Encrypt failed"},
++{ PK11_R_SIGNINIT, "C_SignInit failed"},
++{ PK11_R_SIGN, "C_Sign failed"},
++{ PK11_R_DECRYPTINIT, "C_DecryptInit failed"},
++{ PK11_R_DECRYPT, "C_Decrypt failed"},
++{ PK11_R_VERIFYINIT, "C_VerifyRecover failed"},
++{ PK11_R_VERIFY, "C_Verify failed"},
++{ PK11_R_VERIFYRECOVERINIT, "C_VerifyRecoverInit failed"},
++{ PK11_R_VERIFYRECOVER, "C_VerifyRecover failed"},
++{ PK11_R_GEN_KEY, "C_GenerateKeyPair failed"},
++{ PK11_R_SEEDRANDOM, "C_SeedRandom failed"},
++{ PK11_R_GENERATERANDOM, "C_GenerateRandom failed"},
++{ PK11_R_INVALID_MESSAGE_LENGTH, "invalid message length"},
++{ PK11_R_UNKNOWN_ALGORITHM_TYPE, "unknown algorithm type"},
++{ PK11_R_UNKNOWN_ASN1_OBJECT_ID, "unknown asn1 onject id"},
++{ PK11_R_UNKNOWN_PADDING_TYPE, "unknown padding type"},
++{ PK11_R_PADDING_CHECK_FAILED, "padding check failed"},
++{ PK11_R_DIGEST_TOO_BIG, "digest too big"},
++{ PK11_R_MALLOC_FAILURE, "malloc failure"},
++{ PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED, "ctl command not implemented"},
++{ PK11_R_DATA_GREATER_THAN_MOD_LEN, "data is bigger than mod"},
++{ PK11_R_DATA_TOO_LARGE_FOR_MODULUS, "data is too larger for mod"},
++{ PK11_R_MISSING_KEY_COMPONENT, "a dsa component is missing"},
++{ PK11_R_INVALID_SIGNATURE_LENGTH, "invalid signature length"},
++{ PK11_R_INVALID_DSA_SIGNATURE_R, "missing r in dsa verify"},
++{ PK11_R_INVALID_DSA_SIGNATURE_S, "missing s in dsa verify"},
++{ PK11_R_INCONSISTENT_KEY, "inconsistent key type"},
++{ PK11_R_ENCRYPTUPDATE, "C_EncryptUpdate failed"},
++{ PK11_R_DECRYPTUPDATE, "C_DecryptUpdate failed"},
++{ PK11_R_DIGESTINIT, "C_DigestInit failed"},
++{ PK11_R_DIGESTUPDATE, "C_DigestUpdate failed"},
++{ PK11_R_DIGESTFINAL, "C_DigestFinal failed"},
++{ PK11_R_ENCRYPTFINAL, "C_EncryptFinal failed"},
++{ PK11_R_DECRYPTFINAL, "C_DecryptFinal failed"},
++{ PK11_R_NO_PRNG_SUPPORT, "Slot does not support PRNG"},
++{ PK11_R_GETTOKENINFO, "C_GetTokenInfo failed"},
++{ PK11_R_DERIVEKEY, "C_DeriveKey failed"},
++{ PK11_R_GET_OPERATION_STATE, "C_GetOperationState failed"},
++{ PK11_R_SET_OPERATION_STATE, "C_SetOperationState failed"},
++{ PK11_R_INVALID_PIN, "invalid PIN"},
++{ PK11_R_TOO_MANY_OBJECTS, "too many objects"},
++{ PK11_R_OBJECT_NOT_FOUND, "object not found"},
++{ PK11_R_INVALID_HANDLE, "invalid PKCS#11 object handle"},
++{ PK11_R_KEY_OR_IV_LEN_PROBLEM, "IV or key length incorrect"},
++{ PK11_R_INVALID_OPERATION_TYPE, "invalid operation type"},
++{ PK11_R_ADD_NID_FAILED, "failed to add NID" },
++{ 0, NULL}
++};
++#endif /* OPENSSL_NO_ERR */
++
++static int pk11_lib_error_code = 0;
++static int pk11_error_init = 1;
++
++static void
++ERR_load_pk11_strings(void)
++ {
++ if (pk11_lib_error_code == 0)
++ pk11_lib_error_code = ERR_get_next_error_library();
++
++ if (pk11_error_init)
++ {
++ pk11_error_init = 0;
++#ifndef OPENSSL_NO_ERR
++ ERR_load_strings(pk11_lib_error_code, pk11_str_functs);
++ ERR_load_strings(pk11_lib_error_code, pk11_str_reasons);
++#endif
++ }
++}
++
++static void
++ERR_unload_pk11_strings(void)
++ {
++ if (pk11_error_init == 0)
++ {
++#ifndef OPENSSL_NO_ERR
++ ERR_unload_strings(pk11_lib_error_code, pk11_str_functs);
++ ERR_unload_strings(pk11_lib_error_code, pk11_str_reasons);
++#endif
++ pk11_error_init = 1;
++ }
++}
++
++void
++ERR_pk11_error(int function, int reason, char *file, int line)
++{
++ if (pk11_lib_error_code == 0)
++ pk11_lib_error_code = ERR_get_next_error_library();
++ ERR_PUT_error(pk11_lib_error_code, function, reason, file, line);
++}
++
++void
++PK11err_add_data(int function, int reason, CK_RV rv)
++{
++ char tmp_buf[20];
++
++ PK11err(function, reason);
++ (void) BIO_snprintf(tmp_buf, sizeof (tmp_buf), "%lx", rv);
++ ERR_add_error_data(2, "PK11 CK_RV=0X", tmp_buf);
++}
+Index: openssl/crypto/engine/hw_pk11_err.h
+diff -u /dev/null openssl/crypto/engine/hw_pk11_err.h:1.9
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11_err.h Wed Dec 17 15:01:45 2008
+@@ -0,0 +1,402 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_err.h */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#ifndef HW_PK11_ERR_H
++#define HW_PK11_ERR_H
++
++void ERR_pk11_error(int function, int reason, char *file, int line);
++void PK11err_add_data(int function, int reason, CK_RV rv);
++#define PK11err(f, r) ERR_pk11_error((f), (r), __FILE__, __LINE__)
++
++/* Error codes for the PK11 functions. */
++
++/* Function codes. */
++
++#define PK11_F_INIT 100
++#define PK11_F_FINISH 101
++#define PK11_F_DESTROY 102
++#define PK11_F_CTRL 103
++#define PK11_F_RSA_INIT 104
++#define PK11_F_RSA_FINISH 105
++#define PK11_F_GET_PUB_RSA_KEY 106
++#define PK11_F_GET_PRIV_RSA_KEY 107
++#define PK11_F_RSA_GEN_KEY 108
++#define PK11_F_RSA_PUB_ENC 109
++#define PK11_F_RSA_PRIV_ENC 110
++#define PK11_F_RSA_PUB_DEC 111
++#define PK11_F_RSA_PRIV_DEC 112
++#define PK11_F_RSA_SIGN 113
++#define PK11_F_RSA_VERIFY 114
++#define PK11_F_RAND_ADD 115
++#define PK11_F_RAND_BYTES 116
++#define PK11_F_GET_SESSION 117
++#define PK11_F_FREE_SESSION 118
++#define PK11_F_LOAD_PUBKEY 119
++#define PK11_F_LOAD_PRIVKEY 120
++#define PK11_F_RSA_PUB_ENC_LOW 121
++#define PK11_F_RSA_PRIV_ENC_LOW 122
++#define PK11_F_RSA_PUB_DEC_LOW 123
++#define PK11_F_RSA_PRIV_DEC_LOW 124
++#define PK11_F_DSA_SIGN 125
++#define PK11_F_DSA_VERIFY 126
++#define PK11_F_DSA_INIT 127
++#define PK11_F_DSA_FINISH 128
++#define PK11_F_GET_PUB_DSA_KEY 129
++#define PK11_F_GET_PRIV_DSA_KEY 130
++#define PK11_F_DH_INIT 131
++#define PK11_F_DH_FINISH 132
++#define PK11_F_MOD_EXP_DH 133
++#define PK11_F_GET_DH_KEY 134
++#define PK11_F_FREE_ALL_SESSIONS 135
++#define PK11_F_SETUP_SESSION 136
++#define PK11_F_DESTROY_OBJECT 137
++#define PK11_F_CIPHER_INIT 138
++#define PK11_F_CIPHER_DO_CIPHER 139
++#define PK11_F_GET_CIPHER_KEY 140
++#define PK11_F_DIGEST_INIT 141
++#define PK11_F_DIGEST_UPDATE 142
++#define PK11_F_DIGEST_FINAL 143
++#define PK11_F_CHOOSE_SLOT 144
++#define PK11_F_CIPHER_FINAL 145
++#define PK11_F_LIBRARY_INIT 146
++#define PK11_F_LOAD 147
++#define PK11_F_DH_GEN_KEY 148
++#define PK11_F_DH_COMP_KEY 149
++#define PK11_F_DIGEST_COPY 150
++#define PK11_F_CIPHER_CLEANUP 151
++#define PK11_F_ACTIVE_ADD 152
++#define PK11_F_ACTIVE_DELETE 153
++#define PK11_F_CHECK_HW_MECHANISMS 154
++#define PK11_F_INIT_SYMMETRIC 155
++#define PK11_F_ADD_AES_CTR_NIDS 156
++#define PK11_F_INIT_ALL_LOCKS 157
++#define PK11_F_RETURN_SESSION 158
++
++/* Reason codes. */
++#define PK11_R_ALREADY_LOADED 100
++#define PK11_R_DSO_FAILURE 101
++#define PK11_R_NOT_LOADED 102
++#define PK11_R_PASSED_NULL_PARAMETER 103
++#define PK11_R_COMMAND_NOT_IMPLEMENTED 104
++#define PK11_R_INITIALIZE 105
++#define PK11_R_FINALIZE 106
++#define PK11_R_GETINFO 107
++#define PK11_R_GETSLOTLIST 108
++#define PK11_R_NO_MODULUS_OR_NO_EXPONENT 109
++#define PK11_R_ATTRIBUT_SENSITIVE_OR_INVALID 110
++#define PK11_R_GETATTRIBUTVALUE 111
++#define PK11_R_NO_MODULUS 112
++#define PK11_R_NO_EXPONENT 113
++#define PK11_R_FINDOBJECTSINIT 114
++#define PK11_R_FINDOBJECTS 115
++#define PK11_R_FINDOBJECTSFINAL 116
++#define PK11_R_CREATEOBJECT 118
++#define PK11_R_DESTROYOBJECT 119
++#define PK11_R_OPENSESSION 120
++#define PK11_R_CLOSESESSION 121
++#define PK11_R_ENCRYPTINIT 122
++#define PK11_R_ENCRYPT 123
++#define PK11_R_SIGNINIT 124
++#define PK11_R_SIGN 125
++#define PK11_R_DECRYPTINIT 126
++#define PK11_R_DECRYPT 127
++#define PK11_R_VERIFYINIT 128
++#define PK11_R_VERIFY 129
++#define PK11_R_VERIFYRECOVERINIT 130
++#define PK11_R_VERIFYRECOVER 131
++#define PK11_R_GEN_KEY 132
++#define PK11_R_SEEDRANDOM 133
++#define PK11_R_GENERATERANDOM 134
++#define PK11_R_INVALID_MESSAGE_LENGTH 135
++#define PK11_R_UNKNOWN_ALGORITHM_TYPE 136
++#define PK11_R_UNKNOWN_ASN1_OBJECT_ID 137
++#define PK11_R_UNKNOWN_PADDING_TYPE 138
++#define PK11_R_PADDING_CHECK_FAILED 139
++#define PK11_R_DIGEST_TOO_BIG 140
++#define PK11_R_MALLOC_FAILURE 141
++#define PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED 142
++#define PK11_R_DATA_GREATER_THAN_MOD_LEN 143
++#define PK11_R_DATA_TOO_LARGE_FOR_MODULUS 144
++#define PK11_R_MISSING_KEY_COMPONENT 145
++#define PK11_R_INVALID_SIGNATURE_LENGTH 146
++#define PK11_R_INVALID_DSA_SIGNATURE_R 147
++#define PK11_R_INVALID_DSA_SIGNATURE_S 148
++#define PK11_R_INCONSISTENT_KEY 149
++#define PK11_R_ENCRYPTUPDATE 150
++#define PK11_R_DECRYPTUPDATE 151
++#define PK11_R_DIGESTINIT 152
++#define PK11_R_DIGESTUPDATE 153
++#define PK11_R_DIGESTFINAL 154
++#define PK11_R_ENCRYPTFINAL 155
++#define PK11_R_DECRYPTFINAL 156
++#define PK11_R_NO_PRNG_SUPPORT 157
++#define PK11_R_GETTOKENINFO 158
++#define PK11_R_DERIVEKEY 159
++#define PK11_R_GET_OPERATION_STATE 160
++#define PK11_R_SET_OPERATION_STATE 161
++#define PK11_R_INVALID_HANDLE 162
++#define PK11_R_KEY_OR_IV_LEN_PROBLEM 163
++#define PK11_R_INVALID_OPERATION_TYPE 164
++#define PK11_R_ADD_NID_FAILED 165
++#define PK11_R_ATFORK_FAILED 166
++#define PK11_R_INVALID_PIN 167
++#define PK11_R_TOO_MANY_OBJECTS 168
++#define PK11_R_OBJECT_NOT_FOUND 169
++
++/* max byte length of a symetric key we support */
++#define PK11_KEY_LEN_MAX 32
++
++#ifdef NOPTHREADS
++/*
++ * CRYPTO_LOCK_PK11_ENGINE lock is primarily used for the protection of the
++ * free_session list and active_list but generally serves as a global
++ * per-process lock for the whole engine.
++ *
++ * We reuse CRYPTO_LOCK_EC lock (which is defined in OpenSSL for EC method) as
++ * the global engine lock. This is not optimal w.r.t. performance but
++ * it's safe.
++ */
++#define CRYPTO_LOCK_PK11_ENGINE CRYPTO_LOCK_EC
++#endif
++
++/*
++ * This structure encapsulates all reusable information for a PKCS#11
++ * session. A list of these objects is created on behalf of the
++ * calling application using an on-demand method. Each operation
++ * type (see PK11_OPTYPE below) has its own per-process list.
++ * Each of the lists is basically a cache for faster PKCS#11 object
++ * access to avoid expensive C_Find{,Init,Final}Object() calls.
++ *
++ * When a new request comes in, an object will be taken from the list
++ * (if there is one) or a new one is created to handle the request
++ * (if the list is empty). See pk11_get_session() on how it is done.
++ */
++typedef struct PK11_st_SESSION
++ {
++ struct PK11_st_SESSION *next;
++ CK_SESSION_HANDLE session; /* PK11 session handle */
++ pid_t pid; /* Current process ID */
++ union
++ {
++#ifndef OPENSSL_NO_RSA
++ struct
++ {
++ CK_OBJECT_HANDLE rsa_pub_key; /* pub handle */
++ CK_OBJECT_HANDLE rsa_priv_key; /* priv handle */
++ RSA *rsa_pub; /* pub key addr */
++ BIGNUM *rsa_n_num; /* pub modulus */
++ BIGNUM *rsa_e_num; /* pub exponent */
++ RSA *rsa_priv; /* priv key addr */
++ BIGNUM *rsa_d_num; /* priv exponent */
++ } u_RSA;
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++ struct
++ {
++ CK_OBJECT_HANDLE dsa_pub_key; /* pub handle */
++ CK_OBJECT_HANDLE dsa_priv_key; /* priv handle */
++ DSA *dsa_pub; /* pub key addr */
++ BIGNUM *dsa_pub_num; /* pub key */
++ DSA *dsa_priv; /* priv key addr */
++ BIGNUM *dsa_priv_num; /* priv key */
++ } u_DSA;
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++ struct
++ {
++ CK_OBJECT_HANDLE dh_key; /* key handle */
++ DH *dh; /* dh key addr */
++ BIGNUM *dh_priv_num; /* priv dh key */
++ } u_DH;
++#endif /* OPENSSL_NO_DH */
++ struct
++ {
++ CK_OBJECT_HANDLE cipher_key; /* key handle */
++ unsigned char key[PK11_KEY_LEN_MAX];
++ int key_len; /* priv key len */
++ int encrypt; /* 1/0 enc/decr */
++ } u_cipher;
++ } opdata_u;
++ } PK11_SESSION;
++
++#define opdata_rsa_pub_key opdata_u.u_RSA.rsa_pub_key
++#define opdata_rsa_priv_key opdata_u.u_RSA.rsa_priv_key
++#define opdata_rsa_pub opdata_u.u_RSA.rsa_pub
++#define opdata_rsa_priv opdata_u.u_RSA.rsa_priv
++#define opdata_rsa_n_num opdata_u.u_RSA.rsa_n_num
++#define opdata_rsa_e_num opdata_u.u_RSA.rsa_e_num
++#define opdata_rsa_d_num opdata_u.u_RSA.rsa_d_num
++#define opdata_dsa_pub_key opdata_u.u_DSA.dsa_pub_key
++#define opdata_dsa_priv_key opdata_u.u_DSA.dsa_priv_key
++#define opdata_dsa_pub opdata_u.u_DSA.dsa_pub
++#define opdata_dsa_pub_num opdata_u.u_DSA.dsa_pub_num
++#define opdata_dsa_priv opdata_u.u_DSA.dsa_priv
++#define opdata_dsa_priv_num opdata_u.u_DSA.dsa_priv_num
++#define opdata_dh_key opdata_u.u_DH.dh_key
++#define opdata_dh opdata_u.u_DH.dh
++#define opdata_dh_priv_num opdata_u.u_DH.dh_priv_num
++#define opdata_cipher_key opdata_u.u_cipher.cipher_key
++#define opdata_key opdata_u.u_cipher.key
++#define opdata_key_len opdata_u.u_cipher.key_len
++#define opdata_encrypt opdata_u.u_cipher.encrypt
++
++/*
++ * We have 3 different groups of operation types:
++ * 1) asymmetric operations
++ * 2) random operations
++ * 3) symmetric and digest operations
++ *
++ * This division into groups stems from the fact that it's common that hardware
++ * providers may support operations from one group only. For example, hardware
++ * providers on UltraSPARC T2, n2rng(7d), ncp(7d), and n2cp(7d), each support
++ * only a single group of operations.
++ *
++ * For every group a different slot can be chosen. That means that we must have
++ * at least 3 different lists of cached PKCS#11 sessions since sessions from
++ * different groups may be initialized in different slots.
++ *
++ * To provide locking granularity in multithreaded environment, the groups are
++ * further splitted into types with each type having a separate session cache.
++ */
++typedef enum PK11_OPTYPE_ENUM
++ {
++ OP_RAND,
++ OP_RSA,
++ OP_DSA,
++ OP_DH,
++ OP_CIPHER,
++ OP_DIGEST,
++ OP_MAX
++ } PK11_OPTYPE;
++
++/*
++ * This structure contains the heads of the lists forming the object caches
++ * and locks associated with the lists.
++ */
++typedef struct PK11_st_CACHE
++ {
++ PK11_SESSION *head;
++#ifndef NOPTHREADS
++ pthread_mutex_t *lock;
++#endif
++ } PK11_CACHE;
++
++/* structure for tracking handles of asymmetric key objects */
++typedef struct PK11_active_st
++ {
++ CK_OBJECT_HANDLE h;
++ unsigned int refcnt;
++ struct PK11_active_st *prev;
++ struct PK11_active_st *next;
++ } PK11_active;
++
++#ifndef NOPTHREADS
++extern pthread_mutex_t *find_lock[];
++#endif
++extern PK11_active *active_list[];
++
++#ifndef NOPTHREADS
++#define LOCK_OBJSTORE(alg_type) \
++ (void) pthread_mutex_lock(find_lock[alg_type])
++#define UNLOCK_OBJSTORE(alg_type) \
++ (void) pthread_mutex_unlock(find_lock[alg_type])
++#else
++#define LOCK_OBJSTORE(alg_type) \
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE)
++#define UNLOCK_OBJSTORE(alg_type) \
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE)
++#endif
++
++extern PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++extern void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++#ifndef OPENSSL_NO_RSA
++extern int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++extern int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++extern int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++extern EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data);
++extern EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data);
++extern RSA_METHOD *PK11_RSA(void);
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++extern int pk11_destroy_dsa_key_objects(PK11_SESSION *session);
++extern int pk11_destroy_dsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++extern int pk11_destroy_dsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++extern DSA_METHOD *PK11_DSA(void);
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++extern int pk11_destroy_dh_key_objects(PK11_SESSION *session);
++extern int pk11_destroy_dh_object(PK11_SESSION *sp, CK_BBOOL uselock);
++extern DH_METHOD *PK11_DH(void);
++#endif /* OPENSSL_NO_DH */
++
++extern CK_FUNCTION_LIST_PTR pFuncList;
++
++#endif /* HW_PK11_ERR_H */
+Index: openssl/crypto/engine/hw_pk11_pub.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11_pub.c:1.32
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11_pub.c Mon Oct 5 13:16:55 2009
+@@ -0,0 +1,3140 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_pub.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/types.h>
++
++#include <openssl/e_os2.h>
++#include <openssl/crypto.h>
++#include <cryptlib.h>
++#include <openssl/engine.h>
++#include <openssl/dso.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/pem.h>
++#ifndef OPENSSL_NO_RSA
++#include <openssl/rsa.h>
++#endif /* OPENSSL_NO_RSA */
++#ifndef OPENSSL_NO_DSA
++#include <openssl/dsa.h>
++#endif /* OPENSSL_NO_DSA */
++#ifndef OPENSSL_NO_DH
++#include <openssl/dh.h>
++#endif /* OPENSSL_NO_DH */
++#include <openssl/rand.h>
++#include <openssl/objects.h>
++#include <openssl/x509.h>
++
++#ifdef OPENSSL_SYS_WIN32
++#define NOPTHREADS
++typedef int pid_t;
++#define HAVE_GETPASSPHRASE
++static char *getpassphrase(const char *prompt);
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++ returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++ returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ returnType __declspec(dllimport) (* name)
++#else
++#include <unistd.h>
++#endif
++
++#ifndef NOPTHREADS
++#include <pthread.h>
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11CA
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11ca.h"
++#include "hw_pk11_err.h"
++
++#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
++#define getpassphrase(x) getpass(x)
++#endif
++
++#ifndef OPENSSL_NO_RSA
++/* RSA stuff */
++static int pk11_RSA_public_encrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_private_encrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_public_decrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_private_decrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding);
++static int pk11_RSA_init(RSA *rsa);
++static int pk11_RSA_finish(RSA *rsa);
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++ unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
++static int pk11_RSA_verify(int dtype, const unsigned char *m,
++ unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
++ const RSA *rsa);
++EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data);
++EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data);
++
++static int pk11_RSA_public_encrypt_low(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa);
++static int pk11_RSA_private_encrypt_low(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa);
++static int pk11_RSA_public_decrypt_low(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa);
++static int pk11_RSA_private_decrypt_low(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa);
++
++static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA* rsa, RSA** key_ptr,
++ BIGNUM **rsa_n_num, BIGNUM **rsa_e_num, CK_SESSION_HANDLE session);
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
++ BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
++
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
++#endif
++
++/* DSA stuff */
++#ifndef OPENSSL_NO_DSA
++static int pk11_DSA_init(DSA *dsa);
++static int pk11_DSA_finish(DSA *dsa);
++static DSA_SIG *pk11_dsa_do_sign(const unsigned char *dgst, int dlen,
++ DSA *dsa);
++static int pk11_dsa_do_verify(const unsigned char *dgst, int dgst_len,
++ DSA_SIG *sig, DSA *dsa);
++
++static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa, DSA **key_ptr,
++ BIGNUM **dsa_pub_num, CK_SESSION_HANDLE session);
++static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa, DSA **key_ptr,
++ BIGNUM **dsa_priv_num, CK_SESSION_HANDLE session);
++
++static int check_new_dsa_key_pub(PK11_SESSION *sp, DSA *dsa);
++static int check_new_dsa_key_priv(PK11_SESSION *sp, DSA *dsa);
++#endif
++
++/* DH stuff */
++#ifndef OPENSSL_NO_DH
++static int pk11_DH_init(DH *dh);
++static int pk11_DH_finish(DH *dh);
++static int pk11_DH_generate_key(DH *dh);
++static int pk11_DH_compute_key(unsigned char *key,
++ const BIGNUM *pub_key, DH *dh);
++
++static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh, DH **key_ptr,
++ BIGNUM **priv_key, CK_SESSION_HANDLE session);
++
++static int check_new_dh_key(PK11_SESSION *sp, DH *dh);
++#endif
++
++static int init_template_value(BIGNUM *bn, CK_VOID_PTR *pValue,
++ CK_ULONG *ulValueLen);
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
++
++/* Read mode string to be used for fopen() */
++#if SOLARIS_OPENSSL
++static char *read_mode_flags = "rF";
++#else
++static char *read_mode_flags = "r";
++#endif
++
++/*
++ * increment/create reference for an asymmetric key handle via active list
++ * manipulation. If active list operation fails, unlock (if locked), set error
++ * variable and jump to the specified label.
++ */
++#define KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label) \
++ { \
++ if (pk11_active_add(key_handle, alg_type) < 0) \
++ { \
++ var = TRUE; \
++ if (unlock) \
++ UNLOCK_OBJSTORE(alg_type); \
++ goto label; \
++ } \
++ }
++
++/*
++ * Find active list entry according to object handle and return pointer to the
++ * entry otherwise return NULL.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++ {
++ PK11_active *entry;
++
++ for (entry = active_list[type]; entry != NULL; entry = entry->next)
++ if (entry->h == h)
++ return (entry);
++
++ return (NULL);
++ }
++
++/*
++ * Search for an entry in the active list using PKCS#11 object handle as a
++ * search key and return refcnt of the found/created entry or -1 in case of
++ * failure.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++ {
++ PK11_active *entry = NULL;
++
++ if (h == CK_INVALID_HANDLE)
++ {
++ PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
++ return (-1);
++ }
++
++ /* search for entry in the active list */
++ if ((entry = pk11_active_find(h, type)) != NULL)
++ entry->refcnt++;
++ else
++ {
++ /* not found, create new entry and add it to the list */
++ entry = OPENSSL_malloc(sizeof (PK11_active));
++ if (entry == NULL)
++ {
++ PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
++ return (-1);
++ }
++ entry->h = h;
++ entry->refcnt = 1;
++ entry->prev = NULL;
++ entry->next = NULL;
++ /* connect the newly created entry to the list */
++ if (active_list[type] == NULL)
++ active_list[type] = entry;
++ else /* make the entry first in the list */
++ {
++ entry->next = active_list[type];
++ active_list[type]->prev = entry;
++ active_list[type] = entry;
++ }
++ }
++
++ return (entry->refcnt);
++ }
++
++/*
++ * Remove active list entry from the list and free it.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++void
++pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
++ {
++ PK11_active *prev_entry;
++
++ /* remove the entry from the list and free it */
++ if ((prev_entry = entry->prev) != NULL)
++ {
++ prev_entry->next = entry->next;
++ if (entry->next != NULL)
++ entry->next->prev = prev_entry;
++ }
++ else
++ {
++ active_list[type] = entry->next;
++ /* we were the first but not the only one */
++ if (entry->next != NULL)
++ entry->next->prev = NULL;
++ }
++
++ /* sanitization */
++ entry->h = CK_INVALID_HANDLE;
++ entry->prev = NULL;
++ entry->next = NULL;
++ OPENSSL_free(entry);
++ }
++
++/* Free all entries from the active list. */
++void
++pk11_free_active_list(PK11_OPTYPE type)
++ {
++ PK11_active *entry;
++
++ /* only for asymmetric types since only they have C_Find* locks. */
++ switch (type)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ break;
++ default:
++ return;
++ }
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(type);
++ while ((entry = active_list[type]) != NULL)
++ pk11_active_remove(entry, type);
++ UNLOCK_OBJSTORE(type);
++ }
++
++/*
++ * Search for active list entry associated with given PKCS#11 object handle,
++ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
++ *
++ * Return 1 if the PKCS#11 object associated with the entry has no references,
++ * return 0 if there is at least one reference, -1 on error.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++ {
++ PK11_active *entry = NULL;
++
++ if ((entry = pk11_active_find(h, type)) == NULL)
++ {
++ PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
++ return (-1);
++ }
++
++ OPENSSL_assert(entry->refcnt > 0);
++ entry->refcnt--;
++ if (entry->refcnt == 0)
++ {
++ pk11_active_remove(entry, type);
++ return (1);
++ }
++
++ return (0);
++ }
++
++#ifndef OPENSSL_NO_RSA
++/* Our internal RSA_METHOD that we provide pointers to */
++static RSA_METHOD pk11_rsa =
++ {
++ "PKCS#11 RSA method",
++ pk11_RSA_public_encrypt, /* rsa_pub_encrypt */
++ pk11_RSA_public_decrypt, /* rsa_pub_decrypt */
++ pk11_RSA_private_encrypt, /* rsa_priv_encrypt */
++ pk11_RSA_private_decrypt, /* rsa_priv_decrypt */
++ NULL, /* rsa_mod_exp */
++ NULL, /* bn_mod_exp */
++ pk11_RSA_init, /* init */
++ pk11_RSA_finish, /* finish */
++ RSA_FLAG_SIGN_VER, /* flags */
++ NULL, /* app_data */
++ pk11_RSA_sign, /* rsa_sign */
++ pk11_RSA_verify /* rsa_verify */
++ };
++
++RSA_METHOD *
++PK11_RSA(void)
++ {
++ return (&pk11_rsa);
++ }
++#endif
++
++#ifndef OPENSSL_NO_DSA
++/* Our internal DSA_METHOD that we provide pointers to */
++static DSA_METHOD pk11_dsa =
++ {
++ "PKCS#11 DSA method",
++ pk11_dsa_do_sign, /* dsa_do_sign */
++ NULL, /* dsa_sign_setup */
++ pk11_dsa_do_verify, /* dsa_do_verify */
++ NULL, /* dsa_mod_exp */
++ NULL, /* bn_mod_exp */
++ pk11_DSA_init, /* init */
++ pk11_DSA_finish, /* finish */
++ 0, /* flags */
++ NULL /* app_data */
++ };
++
++DSA_METHOD *
++PK11_DSA(void)
++ {
++ return (&pk11_dsa);
++ }
++#endif
++
++#ifndef OPENSSL_NO_DH
++/*
++ * PKCS #11 V2.20, section 11.2 specifies that the number of bytes needed for
++ * output buffer may somewhat exceed the precise number of bytes needed, but
++ * should not exceed it by a large amount. That may be caused, for example, by
++ * rounding it up to multiple of X in the underlying bignum library. 8 should be
++ * enough.
++ */
++#define DH_BUF_RESERVE 8
++
++/* Our internal DH_METHOD that we provide pointers to */
++static DH_METHOD pk11_dh =
++ {
++ "PKCS#11 DH method",
++ pk11_DH_generate_key, /* generate_key */
++ pk11_DH_compute_key, /* compute_key */
++ NULL, /* bn_mod_exp */
++ pk11_DH_init, /* init */
++ pk11_DH_finish, /* finish */
++ 0, /* flags */
++ NULL, /* app_data */
++ NULL /* generate_params */
++ };
++
++DH_METHOD *
++PK11_DH(void)
++ {
++ return (&pk11_dh);
++ }
++#endif
++
++/* Size of an SSL signature: MD5+SHA1 */
++#define SSL_SIG_LENGTH 36
++
++/* Lengths of DSA data and signature */
++#define DSA_DATA_LEN 20
++#define DSA_SIGNATURE_LEN 40
++
++static CK_BBOOL true = TRUE;
++static CK_BBOOL false = FALSE;
++
++#ifndef OPENSSL_NO_RSA
++/*
++ * Similiar to OpenSSL to take advantage of the paddings. The goal is to
++ * support all paddings in this engine although PK11 library does not
++ * support all the paddings used in OpenSSL.
++ * The input errors should have been checked in the padding functions.
++ */
++static int pk11_RSA_public_encrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding)
++ {
++ int i, num = 0, r = -1;
++ unsigned char *buf = NULL;
++
++ num = BN_num_bytes(rsa->n);
++ if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL)
++ {
++ RSAerr(PK11_F_RSA_PUB_ENC, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ switch (padding)
++ {
++ case RSA_PKCS1_PADDING:
++ i = RSA_padding_add_PKCS1_type_2(buf, num, from, flen);
++ break;
++#ifndef OPENSSL_NO_SHA
++ case RSA_PKCS1_OAEP_PADDING:
++ i = RSA_padding_add_PKCS1_OAEP(buf, num, from, flen, NULL, 0);
++ break;
++#endif
++ case RSA_SSLV23_PADDING:
++ i = RSA_padding_add_SSLv23(buf, num, from, flen);
++ break;
++ case RSA_NO_PADDING:
++ i = RSA_padding_add_none(buf, num, from, flen);
++ break;
++ default:
++ RSAerr(PK11_F_RSA_PUB_ENC, PK11_R_UNKNOWN_PADDING_TYPE);
++ goto err;
++ }
++ if (i <= 0) goto err;
++
++ /* PK11 functions are called here */
++ r = pk11_RSA_public_encrypt_low(num, buf, to, rsa);
++err:
++ if (buf != NULL)
++ {
++ OPENSSL_cleanse(buf, num);
++ OPENSSL_free(buf);
++ }
++ return (r);
++ }
++
++
++/*
++ * Similar to Openssl to take advantage of the paddings. The input errors
++ * should be catched in the padding functions
++ */
++static int pk11_RSA_private_encrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding)
++ {
++ int i, num = 0, r = -1;
++ unsigned char *buf = NULL;
++
++ num = BN_num_bytes(rsa->n);
++ if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL)
++ {
++ RSAerr(PK11_F_RSA_PRIV_ENC, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ switch (padding)
++ {
++ case RSA_PKCS1_PADDING:
++ i = RSA_padding_add_PKCS1_type_1(buf, num, from, flen);
++ break;
++ case RSA_NO_PADDING:
++ i = RSA_padding_add_none(buf, num, from, flen);
++ break;
++ case RSA_SSLV23_PADDING:
++ default:
++ RSAerr(PK11_F_RSA_PRIV_ENC, PK11_R_UNKNOWN_PADDING_TYPE);
++ goto err;
++ }
++ if (i <= 0) goto err;
++
++ /* PK11 functions are called here */
++ r = pk11_RSA_private_encrypt_low(num, buf, to, rsa);
++err:
++ if (buf != NULL)
++ {
++ OPENSSL_cleanse(buf, num);
++ OPENSSL_free(buf);
++ }
++ return (r);
++ }
++
++/* Similar to OpenSSL code. Input errors are also checked here */
++static int pk11_RSA_private_decrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding)
++ {
++ BIGNUM f;
++ int j, num = 0, r = -1;
++ unsigned char *p;
++ unsigned char *buf = NULL;
++
++ BN_init(&f);
++
++ num = BN_num_bytes(rsa->n);
++
++ if ((buf = (unsigned char *)OPENSSL_malloc(num)) == NULL)
++ {
++ RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ /*
++ * This check was for equality but PGP does evil things
++ * and chops off the top '0' bytes
++ */
++ if (flen > num)
++ {
++ RSAerr(PK11_F_RSA_PRIV_DEC,
++ PK11_R_DATA_GREATER_THAN_MOD_LEN);
++ goto err;
++ }
++
++ /* make data into a big number */
++ if (BN_bin2bn(from, (int)flen, &f) == NULL)
++ goto err;
++
++ if (BN_ucmp(&f, rsa->n) >= 0)
++ {
++ RSAerr(PK11_F_RSA_PRIV_DEC,
++ PK11_R_DATA_TOO_LARGE_FOR_MODULUS);
++ goto err;
++ }
++
++ /* PK11 functions are called here */
++ r = pk11_RSA_private_decrypt_low(flen, from, buf, rsa);
++
++ /*
++ * PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning.
++ * Needs to skip these 0's paddings here.
++ */
++ for (j = 0; j < r; j++)
++ if (buf[j] != 0)
++ break;
++
++ p = buf + j;
++ j = r - j; /* j is only used with no-padding mode */
++
++ switch (padding)
++ {
++ case RSA_PKCS1_PADDING:
++ r = RSA_padding_check_PKCS1_type_2(to, num, p, j, num);
++ break;
++#ifndef OPENSSL_NO_SHA
++ case RSA_PKCS1_OAEP_PADDING:
++ r = RSA_padding_check_PKCS1_OAEP(to, num, p, j, num, NULL, 0);
++ break;
++#endif
++ case RSA_SSLV23_PADDING:
++ r = RSA_padding_check_SSLv23(to, num, p, j, num);
++ break;
++ case RSA_NO_PADDING:
++ r = RSA_padding_check_none(to, num, p, j, num);
++ break;
++ default:
++ RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_UNKNOWN_PADDING_TYPE);
++ goto err;
++ }
++ if (r < 0)
++ RSAerr(PK11_F_RSA_PRIV_DEC, PK11_R_PADDING_CHECK_FAILED);
++
++err:
++ BN_clear_free(&f);
++ if (buf != NULL)
++ {
++ OPENSSL_cleanse(buf, num);
++ OPENSSL_free(buf);
++ }
++ return (r);
++ }
++
++/* Similar to OpenSSL code. Input errors are also checked here */
++static int pk11_RSA_public_decrypt(int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa, int padding)
++ {
++ BIGNUM f;
++ int i, num = 0, r = -1;
++ unsigned char *p;
++ unsigned char *buf = NULL;
++
++ BN_init(&f);
++ num = BN_num_bytes(rsa->n);
++ buf = (unsigned char *)OPENSSL_malloc(num);
++ if (buf == NULL)
++ {
++ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ /*
++ * This check was for equality but PGP does evil things
++ * and chops off the top '0' bytes
++ */
++ if (flen > num)
++ {
++ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_DATA_GREATER_THAN_MOD_LEN);
++ goto err;
++ }
++
++ if (BN_bin2bn(from, flen, &f) == NULL)
++ goto err;
++
++ if (BN_ucmp(&f, rsa->n) >= 0)
++ {
++ RSAerr(PK11_F_RSA_PUB_DEC,
++ PK11_R_DATA_TOO_LARGE_FOR_MODULUS);
++ goto err;
++ }
++
++ /* PK11 functions are called here */
++ r = pk11_RSA_public_decrypt_low(flen, from, buf, rsa);
++
++ /*
++ * PK11 CKM_RSA_X_509 mechanism pads 0's at the beginning.
++ * Needs to skip these 0's here
++ */
++ for (i = 0; i < r; i++)
++ if (buf[i] != 0)
++ break;
++
++ p = buf + i;
++ i = r - i; /* i is only used with no-padding mode */
++
++ switch (padding)
++ {
++ case RSA_PKCS1_PADDING:
++ r = RSA_padding_check_PKCS1_type_1(to, num, p, i, num);
++ break;
++ case RSA_NO_PADDING:
++ r = RSA_padding_check_none(to, num, p, i, num);
++ break;
++ default:
++ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_UNKNOWN_PADDING_TYPE);
++ goto err;
++ }
++ if (r < 0)
++ RSAerr(PK11_F_RSA_PUB_DEC, PK11_R_PADDING_CHECK_FAILED);
++
++err:
++ BN_clear_free(&f);
++ if (buf != NULL)
++ {
++ OPENSSL_cleanse(buf, num);
++ OPENSSL_free(buf);
++ }
++ return (r);
++ }
++
++/*
++ * This function implements RSA public encryption using C_EncryptInit and
++ * C_Encrypt pk11 interfaces. Note that the CKM_RSA_X_509 is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_public_encrypt_low(int flen,
++ const unsigned char *from, unsigned char *to, RSA *rsa)
++ {
++ CK_ULONG bytes_encrypted = flen;
++ int retval = -1;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (-1);
++
++ (void) check_new_rsa_key_pub(sp, rsa);
++
++ h_pub_key = sp->opdata_rsa_pub_key;
++ if (h_pub_key == CK_INVALID_HANDLE)
++ h_pub_key = sp->opdata_rsa_pub_key =
++ pk11_get_public_rsa_key(rsa, &sp->opdata_rsa_pub,
++ &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num,
++ sp->session);
++
++ if (h_pub_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_EncryptInit(sp->session, p_mech,
++ h_pub_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PUB_ENC_LOW,
++ PK11_R_ENCRYPTINIT, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++
++ rv = pFuncList->C_Encrypt(sp->session,
++ (unsigned char *)from, flen, to, &bytes_encrypted);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PUB_ENC_LOW,
++ PK11_R_ENCRYPT, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++ retval = bytes_encrypted;
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (retval);
++ }
++
++
++/*
++ * This function implements RSA private encryption using C_SignInit and
++ * C_Sign pk11 APIs. Note that CKM_RSA_X_509 is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_private_encrypt_low(int flen,
++ const unsigned char *from, unsigned char *to, RSA *rsa)
++ {
++ CK_ULONG ul_sig_len = flen;
++ int retval = -1;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (-1);
++
++ (void) check_new_rsa_key_priv(sp, rsa);
++
++ h_priv_key = sp->opdata_rsa_priv_key;
++ if (h_priv_key == CK_INVALID_HANDLE)
++ h_priv_key = sp->opdata_rsa_priv_key =
++ pk11_get_private_rsa_key(rsa, &sp->opdata_rsa_priv,
++ &sp->opdata_rsa_d_num, sp->session);
++
++ if (h_priv_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_SignInit(sp->session, p_mech,
++ h_priv_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PRIV_ENC_LOW,
++ PK11_R_SIGNINIT, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++
++ rv = pFuncList->C_Sign(sp->session,
++ (unsigned char *)from, flen, to, &ul_sig_len);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PRIV_ENC_LOW, PK11_R_SIGN,
++ rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++
++ retval = ul_sig_len;
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (retval);
++ }
++
++
++/*
++ * This function implements RSA private decryption using C_DecryptInit and
++ * C_Decrypt pk11 APIs. Note that CKM_RSA_X_509 mechanism is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_private_decrypt_low(int flen,
++ const unsigned char *from, unsigned char *to, RSA *rsa)
++ {
++ CK_ULONG bytes_decrypted = flen;
++ int retval = -1;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_priv_key;
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (-1);
++
++ (void) check_new_rsa_key_priv(sp, rsa);
++
++ h_priv_key = sp->opdata_rsa_priv_key;
++ if (h_priv_key == CK_INVALID_HANDLE)
++ h_priv_key = sp->opdata_rsa_priv_key =
++ pk11_get_private_rsa_key(rsa, &sp->opdata_rsa_priv,
++ &sp->opdata_rsa_d_num, sp->session);
++
++ if (h_priv_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_DecryptInit(sp->session, p_mech,
++ h_priv_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PRIV_DEC_LOW,
++ PK11_R_DECRYPTINIT, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++
++ rv = pFuncList->C_Decrypt(sp->session,
++ (unsigned char *)from, flen, to, &bytes_decrypted);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PRIV_DEC_LOW,
++ PK11_R_DECRYPT, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++ retval = bytes_decrypted;
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (retval);
++ }
++
++
++/*
++ * This function implements RSA public decryption using C_VerifyRecoverInit
++ * and C_VerifyRecover pk11 APIs. Note that CKM_RSA_X_509 is used here.
++ * The calling function allocated sufficient memory in "to" to store results.
++ */
++static int pk11_RSA_public_decrypt_low(int flen,
++ const unsigned char *from, unsigned char *to, RSA *rsa)
++ {
++ CK_ULONG bytes_decrypted = flen;
++ int retval = -1;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_X_509, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (-1);
++
++ (void) check_new_rsa_key_pub(sp, rsa);
++
++ h_pub_key = sp->opdata_rsa_pub_key;
++ if (h_pub_key == CK_INVALID_HANDLE)
++ h_pub_key = sp->opdata_rsa_pub_key =
++ pk11_get_public_rsa_key(rsa, &sp->opdata_rsa_pub,
++ &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num,
++ sp->session);
++
++ if (h_pub_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_VerifyRecoverInit(sp->session,
++ p_mech, h_pub_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PUB_DEC_LOW,
++ PK11_R_VERIFYRECOVERINIT, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++
++ rv = pFuncList->C_VerifyRecover(sp->session,
++ (unsigned char *)from, flen, to, &bytes_decrypted);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_PUB_DEC_LOW,
++ PK11_R_VERIFYRECOVER, rv);
++ pk11_return_session(sp, OP_RSA);
++ return (-1);
++ }
++ retval = bytes_decrypted;
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (retval);
++ }
++
++static int pk11_RSA_init(RSA *rsa)
++ {
++ /*
++ * This flag in the RSA_METHOD enables the new rsa_sign,
++ * rsa_verify functions. See rsa.h for details.
++ */
++ rsa->flags |= RSA_FLAG_SIGN_VER;
++
++ return (1);
++ }
++
++static int pk11_RSA_finish(RSA *rsa)
++ {
++ /*
++ * Since we are overloading OpenSSL's native RSA_eay_finish() we need
++ * to do the same as in the original function, i.e. to free bignum
++ * structures.
++ */
++ if (rsa->_method_mod_n != NULL)
++ BN_MONT_CTX_free(rsa->_method_mod_n);
++ if (rsa->_method_mod_p != NULL)
++ BN_MONT_CTX_free(rsa->_method_mod_p);
++ if (rsa->_method_mod_q != NULL)
++ BN_MONT_CTX_free(rsa->_method_mod_q);
++
++ return (1);
++ }
++
++/*
++ * Standard engine interface function. Majority codes here are from
++ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
++ * See more details in rsa/rsa_sign.c
++ */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++ unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
++ {
++ X509_SIG sig;
++ ASN1_TYPE parameter;
++ int i, j = 0;
++ unsigned char *p, *s = NULL;
++ X509_ALGOR algor;
++ ASN1_OCTET_STRING digest;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_priv_key;
++ PK11_SESSION *sp = NULL;
++ int ret = 0;
++ unsigned long ulsiglen;
++
++ /* Encode the digest */
++ /* Special case: SSL signature, just check the length */
++ if (type == NID_md5_sha1)
++ {
++ if (m_len != SSL_SIG_LENGTH)
++ {
++ PK11err(PK11_F_RSA_SIGN,
++ PK11_R_INVALID_MESSAGE_LENGTH);
++ goto err;
++ }
++ i = SSL_SIG_LENGTH;
++ s = (unsigned char *)m;
++ }
++ else
++ {
++ sig.algor = &algor;
++ sig.algor->algorithm = OBJ_nid2obj(type);
++ if (sig.algor->algorithm == NULL)
++ {
++ PK11err(PK11_F_RSA_SIGN,
++ PK11_R_UNKNOWN_ALGORITHM_TYPE);
++ goto err;
++ }
++ if (sig.algor->algorithm->length == 0)
++ {
++ PK11err(PK11_F_RSA_SIGN,
++ PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++ goto err;
++ }
++ parameter.type = V_ASN1_NULL;
++ parameter.value.ptr = NULL;
++ sig.algor->parameter = ¶meter;
++
++ sig.digest = &digest;
++ sig.digest->data = (unsigned char *)m;
++ sig.digest->length = m_len;
++
++ i = i2d_X509_SIG(&sig, NULL);
++ }
++
++ j = RSA_size(rsa);
++ if ((i - RSA_PKCS1_PADDING) > j)
++ {
++ PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
++ goto err;
++ }
++
++ if (type != NID_md5_sha1)
++ {
++ s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++ if (s == NULL)
++ {
++ PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ p = s;
++ (void) i2d_X509_SIG(&sig, &p);
++ }
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ goto err;
++
++ (void) check_new_rsa_key_priv(sp, rsa);
++
++ h_priv_key = sp->opdata_rsa_priv_key;
++ if (h_priv_key == CK_INVALID_HANDLE)
++ h_priv_key = sp->opdata_rsa_priv_key =
++ pk11_get_private_rsa_key((RSA *)rsa,
++ &sp->opdata_rsa_priv,
++ &sp->opdata_rsa_d_num, sp->session);
++
++ if (h_priv_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
++ goto err;
++ }
++
++ ulsiglen = j;
++ rv = pFuncList->C_Sign(sp->session, s, i, sigret,
++ (CK_ULONG_PTR) &ulsiglen);
++ *siglen = ulsiglen;
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
++ goto err;
++ }
++ ret = 1;
++ }
++
++err:
++ if ((type != NID_md5_sha1) && (s != NULL))
++ {
++ (void) memset(s, 0, (unsigned int)(j + 1));
++ OPENSSL_free(s);
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (ret);
++ }
++
++static int pk11_RSA_verify(int type, const unsigned char *m,
++ unsigned int m_len, unsigned char *sigbuf, unsigned int siglen,
++ const RSA *rsa)
++ {
++ X509_SIG sig;
++ ASN1_TYPE parameter;
++ int i, j = 0;
++ unsigned char *p, *s = NULL;
++ X509_ALGOR algor;
++ ASN1_OCTET_STRING digest;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_pub_key;
++ PK11_SESSION *sp = NULL;
++ int ret = 0;
++
++ /* Encode the digest */
++ /* Special case: SSL signature, just check the length */
++ if (type == NID_md5_sha1)
++ {
++ if (m_len != SSL_SIG_LENGTH)
++ {
++ PK11err(PK11_F_RSA_VERIFY,
++ PK11_R_INVALID_MESSAGE_LENGTH);
++ goto err;
++ }
++ i = SSL_SIG_LENGTH;
++ s = (unsigned char *)m;
++ }
++ else
++ {
++ sig.algor = &algor;
++ sig.algor->algorithm = OBJ_nid2obj(type);
++ if (sig.algor->algorithm == NULL)
++ {
++ PK11err(PK11_F_RSA_VERIFY,
++ PK11_R_UNKNOWN_ALGORITHM_TYPE);
++ goto err;
++ }
++ if (sig.algor->algorithm->length == 0)
++ {
++ PK11err(PK11_F_RSA_VERIFY,
++ PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++ goto err;
++ }
++ parameter.type = V_ASN1_NULL;
++ parameter.value.ptr = NULL;
++ sig.algor->parameter = ¶meter;
++ sig.digest = &digest;
++ sig.digest->data = (unsigned char *)m;
++ sig.digest->length = m_len;
++ i = i2d_X509_SIG(&sig, NULL);
++ }
++
++ j = RSA_size(rsa);
++ if ((i - RSA_PKCS1_PADDING) > j)
++ {
++ PK11err(PK11_F_RSA_VERIFY, PK11_R_DIGEST_TOO_BIG);
++ goto err;
++ }
++
++ if (type != NID_md5_sha1)
++ {
++ s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++ if (s == NULL)
++ {
++ PK11err(PK11_F_RSA_VERIFY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ p = s;
++ (void) i2d_X509_SIG(&sig, &p);
++ }
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ goto err;
++
++ (void) check_new_rsa_key_pub(sp, rsa);
++
++ h_pub_key = sp->opdata_rsa_pub_key;
++ if (h_pub_key == CK_INVALID_HANDLE)
++ h_pub_key = sp->opdata_rsa_pub_key =
++ pk11_get_public_rsa_key((RSA *)rsa, &sp->opdata_rsa_pub,
++ &sp->opdata_rsa_n_num, &sp->opdata_rsa_e_num,
++ sp->session);
++
++ if (h_pub_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_VerifyInit(sp->session, p_mech,
++ h_pub_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_VERIFY, PK11_R_VERIFYINIT,
++ rv);
++ goto err;
++ }
++ rv = pFuncList->C_Verify(sp->session, s, i, sigbuf,
++ (CK_ULONG)siglen);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_VERIFY, PK11_R_VERIFY, rv);
++ goto err;
++ }
++ ret = 1;
++ }
++
++err:
++ if ((type != NID_md5_sha1) && (s != NULL))
++ {
++ (void) memset(s, 0, (unsigned int)(j + 1));
++ OPENSSL_free(s);
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (ret);
++ }
++
++static int hndidx_rsa = -1;
++
++/* load RSA private key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
++ UI_METHOD *ui_method, void *callback_data)
++ {
++ EVP_PKEY *pkey = NULL;
++ FILE *privkey;
++ CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
++ RSA *rsa;
++ PK11_SESSION *sp;
++ /* everything else below needed for key by reference extension */
++ CK_RV rv;
++ CK_ULONG objcnt = 0;
++ CK_BBOOL is_token = TRUE;
++ CK_BYTE attr_data[2][1024];
++ CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
++ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */
++ extern char *pk11_pin;
++
++ /* we look for private keys only */
++ CK_ATTRIBUTE search_templ[] =
++ {
++ {CKA_TOKEN, &is_token, sizeof(is_token)},
++ {CKA_CLASS, &key_class, sizeof(key_class)},
++ {CKA_LABEL, NULL, 0}
++ };
++
++ /* these attributes are needed to initialize OpenSSL RSA structure */
++ CK_ATTRIBUTE get_templ[] =
++ {
++ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
++ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
++ };
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (NULL);
++
++ /*
++ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
++ */
++ if (strstr(privkey_file, "pkcs11:") == privkey_file)
++ {
++ search_templ[2].pValue = strstr(privkey_file, ":") + 1;
++ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++ if (pk11_pin == NULL)
++ {
++ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++ if (pk11_pin == NULL)
++ {
++ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ }
++ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++ {
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_INVALID_PIN, rv);
++ goto err;
++ }
++
++ LOCK_OBJSTORE(OP_RSA);
++ if ((rv = pFuncList->C_FindObjectsInit(sp->session,
++ search_templ, 3)) != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++ if (rv != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ if (objcnt > 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
++ goto err;
++ }
++
++ if (objcnt != 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
++ goto err;
++ }
++
++ (void) pFuncList->C_FindObjectsFinal(sp->session);
++ UNLOCK_OBJSTORE(OP_RSA);
++
++ if (hndidx_rsa == -1)
++ hndidx_rsa = RSA_get_ex_new_index(0,
++ "pkcs11 RSA HSM key handle",
++ NULL, NULL, NULL);
++
++ pkey = EVP_PKEY_new();
++ if (pkey == NULL)
++ goto err;
++
++ rsa = RSA_new_method(e);
++ if (rsa == NULL) {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ goto err;
++ }
++ EVP_PKEY_assign_RSA(pkey, rsa);
++
++ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
++ get_templ, 2)) != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ goto err;
++ }
++
++ /*
++ * Now we have to initialize an OpenSSL RSA structure,
++ * everything else is 0 or NULL.
++ */
++ rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
++ RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
++ (void) check_new_rsa_key_priv(sp, rsa);
++ sp->opdata_rsa_priv = rsa;
++ sp->opdata_rsa_priv_key = ks_key;
++
++ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++ }
++ else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
++ {
++ pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
++ (void) fclose(privkey);
++ if (pkey != NULL)
++ {
++ rsa = EVP_PKEY_get1_RSA(pkey);
++ if (rsa != NULL)
++ {
++ (void) check_new_rsa_key_priv(sp, rsa);
++
++ h_priv_key = sp->opdata_rsa_priv_key =
++ pk11_get_private_rsa_key(rsa,
++ &sp->opdata_rsa_priv, &sp->opdata_rsa_d_num,
++ sp->session);
++ if (h_priv_key == CK_INVALID_HANDLE)
++ {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ }
++ }
++ else
++ {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ }
++ }
++ }
++
++err:
++ pk11_return_session(sp, OP_RSA);
++ return (pkey);
++ }
++
++/* load RSA public key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data)
++ {
++ EVP_PKEY *pkey = NULL;
++ FILE *pubkey;
++ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++ RSA *rsa;
++ PK11_SESSION *sp;
++ /* everything else below needed for key by reference extension */
++ CK_RV rv;
++ CK_ULONG objcnt = 0;
++ CK_BBOOL is_token = TRUE;
++ CK_BYTE attr_data[2][1024];
++ CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
++ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */
++ extern char *pk11_pin;
++
++ /* we look for public keys only */
++ CK_ATTRIBUTE search_templ[] =
++ {
++ {CKA_TOKEN, &is_token, sizeof(is_token)},
++ {CKA_CLASS, &key_class, sizeof(key_class)},
++ {CKA_LABEL, NULL, 0}
++ };
++
++ /* these attributes are needed to initialize OpenSSL RSA structure */
++ CK_ATTRIBUTE get_templ[] =
++ {
++ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
++ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
++ };
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (NULL);
++
++ /*
++ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
++ */
++ if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
++ {
++ search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
++ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++#define ALLWAYS_LOGIN
++#ifdef ALLWAYS_LOGIN
++ if (pk11_pin == NULL)
++ {
++ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++ if (pk11_pin == NULL)
++ {
++ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ }
++ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++ {
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_INVALID_PIN, rv);
++ goto err;
++ }
++#endif
++
++ LOCK_OBJSTORE(OP_RSA);
++ if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++ if (rv != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ if (objcnt > 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
++ goto err;
++ }
++
++ if (objcnt != 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
++ goto err;
++ }
++
++ (void) pFuncList->C_FindObjectsFinal(sp->session);
++ UNLOCK_OBJSTORE(OP_RSA);
++
++ sp->opdata_rsa_pub_key = ks_key;
++ pkey = EVP_PKEY_new();
++ if (pkey == NULL)
++ goto err;
++
++ rsa = RSA_new_method(e);
++ if (rsa == NULL) {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ goto err;
++ }
++ EVP_PKEY_assign_RSA(pkey, rsa);
++
++ if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
++ get_templ, 2) != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ goto err;
++ }
++
++ /*
++ * Now we have to initialize an OpenSSL RSA structure,
++ * everything else is 0 or NULL.
++ */
++ rsa->flags = RSA_FLAG_SIGN_VER;
++ (void) check_new_rsa_key_pub(sp, rsa);
++ sp->opdata_rsa_pub = rsa;
++
++ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++ }
++ else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
++ {
++ pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
++ (void) fclose(pubkey);
++ if (pkey != NULL)
++ {
++ rsa = EVP_PKEY_get1_RSA(pkey);
++ if (rsa != NULL)
++ {
++ (void) check_new_rsa_key_pub(sp, rsa);
++
++ h_pub_key = sp->opdata_rsa_pub_key =
++ pk11_get_public_rsa_key(rsa,
++ &sp->opdata_rsa_pub, &sp->opdata_rsa_n_num,
++ &sp->opdata_rsa_e_num, sp->session);
++ if (h_pub_key == CK_INVALID_HANDLE)
++ {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ }
++ }
++ else
++ {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ }
++ }
++ }
++
++err:
++ pk11_return_session(sp, OP_RSA);
++ return (pkey);
++ }
++
++/*
++ * Create a public key object in a session from a given rsa structure.
++ * The *rsa_n_num and *rsa_e_num pointers are non-NULL for RSA public keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_public_rsa_key(RSA *rsa,
++ RSA **key_ptr, BIGNUM **rsa_n_num, BIGNUM **rsa_e_num,
++ CK_SESSION_HANDLE session)
++ {
++ CK_RV rv;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++ CK_ULONG found;
++ CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
++ CK_KEY_TYPE k_type = CKK_RSA;
++ CK_ULONG ul_key_attr_count = 8;
++ CK_BBOOL rollback = FALSE;
++
++ CK_ATTRIBUTE a_key_template[] =
++ {
++ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++ {CKA_TOKEN, &false, sizeof (true)},
++ {CKA_ENCRYPT, &true, sizeof (true)},
++ {CKA_VERIFY, &true, sizeof (true)},
++ {CKA_VERIFY_RECOVER, &true, sizeof (true)},
++ {CKA_MODULUS, (void *)NULL, 0},
++ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0}
++ };
++
++ int i;
++
++ a_key_template[0].pValue = &o_key;
++ a_key_template[1].pValue = &k_type;
++
++ a_key_template[6].ulValueLen = BN_num_bytes(rsa->n);
++ a_key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++ (size_t)a_key_template[6].ulValueLen);
++ if (a_key_template[6].pValue == NULL)
++ {
++ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ BN_bn2bin(rsa->n, a_key_template[6].pValue);
++
++ a_key_template[7].ulValueLen = BN_num_bytes(rsa->e);
++ a_key_template[7].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++ (size_t)a_key_template[7].ulValueLen);
++ if (a_key_template[7].pValue == NULL)
++ {
++ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ BN_bn2bin(rsa->e, a_key_template[7].pValue);
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++ ul_key_attr_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY, PK11_R_FINDOBJECTSINIT,
++ rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjectsFinal(session);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
++ PK11_R_FINDOBJECTSFINAL, rv);
++ goto err;
++ }
++
++ if (found == 0)
++ {
++ rv = pFuncList->C_CreateObject(session,
++ a_key_template, ul_key_attr_count, &h_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_RSA_KEY,
++ PK11_R_CREATEOBJECT, rv);
++ goto err;
++ }
++ }
++
++ if (rsa_n_num != NULL)
++ if ((*rsa_n_num = BN_dup(rsa->n)) == NULL)
++ {
++ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ rollback = TRUE;
++ goto err;
++ }
++ if (rsa_e_num != NULL)
++ if ((*rsa_e_num = BN_dup(rsa->e)) == NULL)
++ {
++ PK11err(PK11_F_GET_PUB_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ BN_free(*rsa_n_num);
++ *rsa_n_num = NULL;
++ rollback = TRUE;
++ goto err;
++ }
++
++ /* LINTED: E_CONSTANT_CONDITION */
++ KEY_HANDLE_REFHOLD(h_key, OP_RSA, FALSE, rollback, err);
++ if (key_ptr != NULL)
++ *key_ptr = rsa;
++
++err:
++ if (rollback)
++ {
++ /*
++ * We do not care about the return value from C_DestroyObject()
++ * since we are doing rollback.
++ */
++ if (found == 0)
++ (void) pFuncList->C_DestroyObject(session, h_key);
++ h_key = CK_INVALID_HANDLE;
++ }
++
++ UNLOCK_OBJSTORE(OP_RSA);
++
++malloc_err:
++ for (i = 6; i <= 7; i++)
++ {
++ if (a_key_template[i].pValue != NULL)
++ {
++ OPENSSL_free(a_key_template[i].pValue);
++ a_key_template[i].pValue = NULL;
++ }
++ }
++
++ return (h_key);
++ }
++
++/*
++ * Create a private key object in the session from a given rsa structure.
++ * The *rsa_d_num pointer is non-NULL for RSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
++ RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
++ {
++ CK_RV rv;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++ int i;
++ CK_ULONG found;
++ CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
++ CK_KEY_TYPE k_type = CKK_RSA;
++ CK_ULONG ul_key_attr_count = 14;
++ CK_BBOOL rollback = FALSE;
++
++ /* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys */
++ CK_ATTRIBUTE a_key_template[] =
++ {
++ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++ {CKA_TOKEN, &false, sizeof (true)},
++ {CKA_SENSITIVE, &false, sizeof (true)},
++ {CKA_DECRYPT, &true, sizeof (true)},
++ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_MODULUS, (void *)NULL, 0},
++ {CKA_PUBLIC_EXPONENT, (void *)NULL, 0},
++ {CKA_PRIVATE_EXPONENT, (void *)NULL, 0},
++ {CKA_PRIME_1, (void *)NULL, 0},
++ {CKA_PRIME_2, (void *)NULL, 0},
++ {CKA_EXPONENT_1, (void *)NULL, 0},
++ {CKA_EXPONENT_2, (void *)NULL, 0},
++ {CKA_COEFFICIENT, (void *)NULL, 0}
++ };
++
++ if ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) {
++ h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
++ LOCK_OBJSTORE(OP_RSA);
++ goto set;
++ }
++
++ a_key_template[0].pValue = &o_key;
++ a_key_template[1].pValue = &k_type;
++
++ /* Put the private key components into the template */
++ if (init_template_value(rsa->n, &a_key_template[6].pValue,
++ &a_key_template[6].ulValueLen) == 0 ||
++ init_template_value(rsa->e, &a_key_template[7].pValue,
++ &a_key_template[7].ulValueLen) == 0 ||
++ init_template_value(rsa->d, &a_key_template[8].pValue,
++ &a_key_template[8].ulValueLen) == 0 ||
++ init_template_value(rsa->p, &a_key_template[9].pValue,
++ &a_key_template[9].ulValueLen) == 0 ||
++ init_template_value(rsa->q, &a_key_template[10].pValue,
++ &a_key_template[10].ulValueLen) == 0 ||
++ init_template_value(rsa->dmp1, &a_key_template[11].pValue,
++ &a_key_template[11].ulValueLen) == 0 ||
++ init_template_value(rsa->dmq1, &a_key_template[12].pValue,
++ &a_key_template[12].ulValueLen) == 0 ||
++ init_template_value(rsa->iqmp, &a_key_template[13].pValue,
++ &a_key_template[13].ulValueLen) == 0)
++ {
++ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(OP_RSA);
++ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++ ul_key_attr_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++ PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjectsFinal(session);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++ PK11_R_FINDOBJECTSFINAL, rv);
++ goto err;
++ }
++
++ if (found == 0)
++ {
++ rv = pFuncList->C_CreateObject(session,
++ a_key_template, ul_key_attr_count, &h_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_RSA_KEY,
++ PK11_R_CREATEOBJECT, rv);
++ goto err;
++ }
++ }
++
++set:
++ if (rsa_d_num != NULL)
++ {
++ if (rsa->d == NULL)
++ *rsa_d_num = NULL;
++ else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
++ {
++ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ rollback = TRUE;
++ goto err;
++ }
++ }
++
++ /* LINTED: E_CONSTANT_CONDITION */
++ KEY_HANDLE_REFHOLD(h_key, OP_RSA, FALSE, rollback, err);
++ if (key_ptr != NULL)
++ *key_ptr = rsa;
++
++err:
++ if (rollback)
++ {
++ /*
++ * We do not care about the return value from C_DestroyObject()
++ * since we are doing rollback.
++ */
++ if (found == 0 &&
++ (rsa->flags & RSA_FLAG_EXT_PKEY) == 0)
++ (void) pFuncList->C_DestroyObject(session, h_key);
++ h_key = CK_INVALID_HANDLE;
++ }
++
++ UNLOCK_OBJSTORE(OP_RSA);
++
++malloc_err:
++ /*
++ * 6 to 13 entries in the key template are key components.
++ * They need to be freed apon exit or error.
++ */
++ for (i = 6; i <= 13; i++)
++ {
++ if (a_key_template[i].pValue != NULL)
++ {
++ (void) memset(a_key_template[i].pValue, 0,
++ a_key_template[i].ulValueLen);
++ OPENSSL_free(a_key_template[i].pValue);
++ a_key_template[i].pValue = NULL;
++ }
++ }
++
++ return (h_key);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
++ {
++ /*
++ * Provide protection against RSA structure reuse by making the
++ * check for cache hit stronger. Only public components of RSA
++ * key matter here so it is sufficient to compare them with values
++ * cached in PK11_SESSION structure.
++ */
++ if ((sp->opdata_rsa_pub != rsa) ||
++ (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
++ (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
++ {
++ /*
++ * Provide protection against RSA structure reuse by making the
++ * check for cache hit stronger. Comparing private exponent of RSA
++ * key with value cached in PK11_SESSION structure should
++ * be sufficient.
++ */
++ if ((sp->opdata_rsa_priv != rsa) ||
++ (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
++ ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++#endif
++
++#ifndef OPENSSL_NO_DSA
++/* The DSA function implementation */
++/* ARGSUSED */
++static int pk11_DSA_init(DSA *dsa)
++ {
++ return (1);
++ }
++
++/* ARGSUSED */
++static int pk11_DSA_finish(DSA *dsa)
++ {
++ return (1);
++ }
++
++
++static DSA_SIG *
++pk11_dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
++ {
++ BIGNUM *r = NULL, *s = NULL;
++ int i;
++ DSA_SIG *dsa_sig = NULL;
++
++ CK_RV rv;
++ CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
++ CK_MECHANISM *p_mech = &Mechanism_dsa;
++ CK_OBJECT_HANDLE h_priv_key;
++
++ /*
++ * The signature is the concatenation of r and s,
++ * each is 20 bytes long
++ */
++ unsigned char sigret[DSA_SIGNATURE_LEN];
++ unsigned long siglen = DSA_SIGNATURE_LEN;
++ unsigned int siglen2 = DSA_SIGNATURE_LEN / 2;
++
++ PK11_SESSION *sp = NULL;
++
++ if ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))
++ {
++ PK11err(PK11_F_DSA_SIGN, PK11_R_MISSING_KEY_COMPONENT);
++ goto ret;
++ }
++
++ i = BN_num_bytes(dsa->q); /* should be 20 */
++ if (dlen > i)
++ {
++ PK11err(PK11_F_DSA_SIGN, PK11_R_INVALID_SIGNATURE_LENGTH);
++ goto ret;
++ }
++
++ if ((sp = pk11_get_session(OP_DSA)) == NULL)
++ goto ret;
++
++ (void) check_new_dsa_key_priv(sp, dsa);
++
++ h_priv_key = sp->opdata_dsa_priv_key;
++ if (h_priv_key == CK_INVALID_HANDLE)
++ h_priv_key = sp->opdata_dsa_priv_key =
++ pk11_get_private_dsa_key((DSA *)dsa,
++ &sp->opdata_dsa_priv,
++ &sp->opdata_dsa_priv_num, sp->session);
++
++ if (h_priv_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DSA_SIGN, PK11_R_SIGNINIT, rv);
++ goto ret;
++ }
++
++ (void) memset(sigret, 0, siglen);
++ rv = pFuncList->C_Sign(sp->session,
++ (unsigned char*) dgst, dlen, sigret,
++ (CK_ULONG_PTR) &siglen);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DSA_SIGN, PK11_R_SIGN, rv);
++ goto ret;
++ }
++ }
++
++
++ if ((s = BN_new()) == NULL)
++ {
++ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ if ((r = BN_new()) == NULL)
++ {
++ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ if ((dsa_sig = DSA_SIG_new()) == NULL)
++ {
++ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ if (BN_bin2bn(sigret, siglen2, r) == NULL ||
++ BN_bin2bn(&sigret[siglen2], siglen2, s) == NULL)
++ {
++ PK11err(PK11_F_DSA_SIGN, PK11_R_MALLOC_FAILURE);
++ goto ret;
++ }
++
++ dsa_sig->r = r;
++ dsa_sig->s = s;
++
++ret:
++ if (dsa_sig == NULL)
++ {
++ if (r != NULL)
++ BN_free(r);
++ if (s != NULL)
++ BN_free(s);
++ }
++
++ pk11_return_session(sp, OP_DSA);
++ return (dsa_sig);
++ }
++
++static int
++pk11_dsa_do_verify(const unsigned char *dgst, int dlen, DSA_SIG *sig,
++ DSA *dsa)
++ {
++ int i;
++ CK_RV rv;
++ int retval = 0;
++ CK_MECHANISM Mechanism_dsa = {CKM_DSA, NULL, 0};
++ CK_MECHANISM *p_mech = &Mechanism_dsa;
++ CK_OBJECT_HANDLE h_pub_key;
++
++ unsigned char sigbuf[DSA_SIGNATURE_LEN];
++ unsigned long siglen = DSA_SIGNATURE_LEN;
++ unsigned long siglen2 = DSA_SIGNATURE_LEN/2;
++
++ PK11_SESSION *sp = NULL;
++
++ if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
++ {
++ PK11err(PK11_F_DSA_VERIFY,
++ PK11_R_INVALID_DSA_SIGNATURE_R);
++ goto ret;
++ }
++
++ if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
++ {
++ PK11err(PK11_F_DSA_VERIFY,
++ PK11_R_INVALID_DSA_SIGNATURE_S);
++ goto ret;
++ }
++
++ i = BN_num_bytes(dsa->q); /* should be 20 */
++
++ if (dlen > i)
++ {
++ PK11err(PK11_F_DSA_VERIFY,
++ PK11_R_INVALID_SIGNATURE_LENGTH);
++ goto ret;
++ }
++
++ if ((sp = pk11_get_session(OP_DSA)) == NULL)
++ goto ret;
++
++ (void) check_new_dsa_key_pub(sp, dsa);
++
++ h_pub_key = sp->opdata_dsa_pub_key;
++ if (h_pub_key == CK_INVALID_HANDLE)
++ h_pub_key = sp->opdata_dsa_pub_key =
++ pk11_get_public_dsa_key((DSA *)dsa, &sp->opdata_dsa_pub,
++ &sp->opdata_dsa_pub_num, sp->session);
++
++ if (h_pub_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_VerifyInit(sp->session, p_mech,
++ h_pub_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DSA_VERIFY, PK11_R_VERIFYINIT,
++ rv);
++ goto ret;
++ }
++
++ /*
++ * The representation of each of the two big numbers could
++ * be shorter than DSA_SIGNATURE_LEN/2 bytes so we need
++ * to act accordingly and shift if necessary.
++ */
++ (void) memset(sigbuf, 0, siglen);
++ BN_bn2bin(sig->r, sigbuf + siglen2 - BN_num_bytes(sig->r));
++ BN_bn2bin(sig->s, &sigbuf[siglen2] + siglen2 -
++ BN_num_bytes(sig->s));
++
++ rv = pFuncList->C_Verify(sp->session,
++ (unsigned char *) dgst, dlen, sigbuf, (CK_ULONG)siglen);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DSA_VERIFY, PK11_R_VERIFY, rv);
++ goto ret;
++ }
++ }
++
++ retval = 1;
++ret:
++
++ pk11_return_session(sp, OP_DSA);
++ return (retval);
++ }
++
++
++/*
++ * Create a public key object in a session from a given dsa structure.
++ * The *dsa_pub_num pointer is non-NULL for DSA public keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_public_dsa_key(DSA* dsa,
++ DSA **key_ptr, BIGNUM **dsa_pub_num, CK_SESSION_HANDLE session)
++ {
++ CK_RV rv;
++ CK_OBJECT_CLASS o_key = CKO_PUBLIC_KEY;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++ CK_ULONG found;
++ CK_KEY_TYPE k_type = CKK_DSA;
++ CK_ULONG ul_key_attr_count = 8;
++ CK_BBOOL rollback = FALSE;
++ int i;
++
++ CK_ATTRIBUTE a_key_template[] =
++ {
++ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++ {CKA_TOKEN, &false, sizeof (true)},
++ {CKA_VERIFY, &true, sizeof (true)},
++ {CKA_PRIME, (void *)NULL, 0}, /* p */
++ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
++ {CKA_BASE, (void *)NULL, 0}, /* g */
++ {CKA_VALUE, (void *)NULL, 0} /* pub_key - y */
++ };
++
++ a_key_template[0].pValue = &o_key;
++ a_key_template[1].pValue = &k_type;
++
++ if (init_template_value(dsa->p, &a_key_template[4].pValue,
++ &a_key_template[4].ulValueLen) == 0 ||
++ init_template_value(dsa->q, &a_key_template[5].pValue,
++ &a_key_template[5].ulValueLen) == 0 ||
++ init_template_value(dsa->g, &a_key_template[6].pValue,
++ &a_key_template[6].ulValueLen) == 0 ||
++ init_template_value(dsa->pub_key, &a_key_template[7].pValue,
++ &a_key_template[7].ulValueLen) == 0)
++ {
++ PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(OP_DSA);
++ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++ ul_key_attr_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY, PK11_R_FINDOBJECTSINIT,
++ rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjectsFinal(session);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
++ PK11_R_FINDOBJECTSFINAL, rv);
++ goto err;
++ }
++
++ if (found == 0)
++ {
++ rv = pFuncList->C_CreateObject(session,
++ a_key_template, ul_key_attr_count, &h_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PUB_DSA_KEY,
++ PK11_R_CREATEOBJECT, rv);
++ goto err;
++ }
++ }
++
++ if (dsa_pub_num != NULL)
++ if ((*dsa_pub_num = BN_dup(dsa->pub_key)) == NULL)
++ {
++ PK11err(PK11_F_GET_PUB_DSA_KEY, PK11_R_MALLOC_FAILURE);
++ rollback = TRUE;
++ goto err;
++ }
++
++ /* LINTED: E_CONSTANT_CONDITION */
++ KEY_HANDLE_REFHOLD(h_key, OP_DSA, FALSE, rollback, err);
++ if (key_ptr != NULL)
++ *key_ptr = dsa;
++
++err:
++ if (rollback)
++ {
++ /*
++ * We do not care about the return value from C_DestroyObject()
++ * since we are doing rollback.
++ */
++ if (found == 0)
++ (void) pFuncList->C_DestroyObject(session, h_key);
++ h_key = CK_INVALID_HANDLE;
++ }
++
++ UNLOCK_OBJSTORE(OP_DSA);
++
++malloc_err:
++ for (i = 4; i <= 7; i++)
++ {
++ if (a_key_template[i].pValue != NULL)
++ {
++ OPENSSL_free(a_key_template[i].pValue);
++ a_key_template[i].pValue = NULL;
++ }
++ }
++
++ return (h_key);
++ }
++
++/*
++ * Create a private key object in the session from a given dsa structure
++ * The *dsa_priv_num pointer is non-NULL for DSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_dsa_key(DSA* dsa,
++ DSA **key_ptr, BIGNUM **dsa_priv_num, CK_SESSION_HANDLE session)
++ {
++ CK_RV rv;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++ CK_OBJECT_CLASS o_key = CKO_PRIVATE_KEY;
++ int i;
++ CK_ULONG found;
++ CK_KEY_TYPE k_type = CKK_DSA;
++ CK_ULONG ul_key_attr_count = 9;
++ CK_BBOOL rollback = FALSE;
++
++ /* Both CKA_TOKEN and CKA_SENSITIVE have to be FALSE for session keys */
++ CK_ATTRIBUTE a_key_template[] =
++ {
++ {CKA_CLASS, (void *) NULL, sizeof (CK_OBJECT_CLASS)},
++ {CKA_KEY_TYPE, (void *) NULL, sizeof (CK_KEY_TYPE)},
++ {CKA_TOKEN, &false, sizeof (true)},
++ {CKA_SENSITIVE, &false, sizeof (true)},
++ {CKA_SIGN, &true, sizeof (true)},
++ {CKA_PRIME, (void *)NULL, 0}, /* p */
++ {CKA_SUBPRIME, (void *)NULL, 0}, /* q */
++ {CKA_BASE, (void *)NULL, 0}, /* g */
++ {CKA_VALUE, (void *)NULL, 0} /* priv_key - x */
++ };
++
++ a_key_template[0].pValue = &o_key;
++ a_key_template[1].pValue = &k_type;
++
++ /* Put the private key components into the template */
++ if (init_template_value(dsa->p, &a_key_template[5].pValue,
++ &a_key_template[5].ulValueLen) == 0 ||
++ init_template_value(dsa->q, &a_key_template[6].pValue,
++ &a_key_template[6].ulValueLen) == 0 ||
++ init_template_value(dsa->g, &a_key_template[7].pValue,
++ &a_key_template[7].ulValueLen) == 0 ||
++ init_template_value(dsa->priv_key, &a_key_template[8].pValue,
++ &a_key_template[8].ulValueLen) == 0)
++ {
++ PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(OP_DSA);
++ rv = pFuncList->C_FindObjectsInit(session, a_key_template,
++ ul_key_attr_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++ PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjectsFinal(session);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++ PK11_R_FINDOBJECTSFINAL, rv);
++ goto err;
++ }
++
++ if (found == 0)
++ {
++ rv = pFuncList->C_CreateObject(session,
++ a_key_template, ul_key_attr_count, &h_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_PRIV_DSA_KEY,
++ PK11_R_CREATEOBJECT, rv);
++ goto err;
++ }
++ }
++
++ if (dsa_priv_num != NULL)
++ if ((*dsa_priv_num = BN_dup(dsa->priv_key)) == NULL)
++ {
++ PK11err(PK11_F_GET_PRIV_DSA_KEY, PK11_R_MALLOC_FAILURE);
++ rollback = TRUE;
++ goto err;
++ }
++
++ /* LINTED: E_CONSTANT_CONDITION */
++ KEY_HANDLE_REFHOLD(h_key, OP_DSA, FALSE, rollback, err);
++ if (key_ptr != NULL)
++ *key_ptr = dsa;
++
++err:
++ if (rollback)
++ {
++ /*
++ * We do not care about the return value from C_DestroyObject()
++ * since we are doing rollback.
++ */
++ if (found == 0)
++ (void) pFuncList->C_DestroyObject(session, h_key);
++ h_key = CK_INVALID_HANDLE;
++ }
++
++ UNLOCK_OBJSTORE(OP_DSA);
++
++malloc_err:
++ /*
++ * 5 to 8 entries in the key template are key components.
++ * They need to be freed apon exit or error.
++ */
++ for (i = 5; i <= 8; i++)
++ {
++ if (a_key_template[i].pValue != NULL)
++ {
++ (void) memset(a_key_template[i].pValue, 0,
++ a_key_template[i].ulValueLen);
++ OPENSSL_free(a_key_template[i].pValue);
++ a_key_template[i].pValue = NULL;
++ }
++ }
++
++ return (h_key);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_dsa_key_pub(PK11_SESSION *sp, DSA *dsa)
++ {
++ /*
++ * Provide protection against DSA structure reuse by making the
++ * check for cache hit stronger. Only public key component of DSA
++ * key matters here so it is sufficient to compare it with value
++ * cached in PK11_SESSION structure.
++ */
++ if ((sp->opdata_dsa_pub != dsa) ||
++ (BN_cmp(sp->opdata_dsa_pub_num, dsa->pub_key) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_dsa_object_pub(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_dsa_key_priv(PK11_SESSION *sp, DSA *dsa)
++ {
++ /*
++ * Provide protection against DSA structure reuse by making the
++ * check for cache hit stronger. Only private key component of DSA
++ * key matters here so it is sufficient to compare it with value
++ * cached in PK11_SESSION structure.
++ */
++ if ((sp->opdata_dsa_priv != dsa) ||
++ (BN_cmp(sp->opdata_dsa_priv_num, dsa->priv_key) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_dsa_object_priv(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++#endif
++
++
++#ifndef OPENSSL_NO_DH
++/* The DH function implementation */
++/* ARGSUSED */
++static int pk11_DH_init(DH *dh)
++ {
++ return (1);
++ }
++
++/* ARGSUSED */
++static int pk11_DH_finish(DH *dh)
++ {
++ return (1);
++ }
++
++/*
++ * Generate DH key-pair.
++ *
++ * Warning: Unlike OpenSSL's DH_generate_key(3) we ignore dh->priv_key
++ * and override it even if it is set. OpenSSL does not touch dh->priv_key
++ * if set and just computes dh->pub_key. It looks like PKCS#11 standard
++ * is not capable of providing this functionality. This could be a problem
++ * for applications relying on OpenSSL's semantics.
++ */
++static int pk11_DH_generate_key(DH *dh)
++ {
++ CK_ULONG i;
++ CK_RV rv, rv1;
++ int reuse_mem_len = 0, ret = 0;
++ PK11_SESSION *sp = NULL;
++ CK_BYTE_PTR reuse_mem;
++
++ CK_MECHANISM mechanism = {CKM_DH_PKCS_KEY_PAIR_GEN, NULL_PTR, 0};
++ CK_OBJECT_HANDLE h_pub_key = CK_INVALID_HANDLE;
++ CK_OBJECT_HANDLE h_priv_key = CK_INVALID_HANDLE;
++
++ CK_ULONG ul_pub_key_attr_count = 3;
++ CK_ATTRIBUTE pub_key_template[] =
++ {
++ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_PRIME, (void *)NULL, 0},
++ {CKA_BASE, (void *)NULL, 0}
++ };
++
++ CK_ULONG ul_priv_key_attr_count = 3;
++ CK_ATTRIBUTE priv_key_template[] =
++ {
++ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_SENSITIVE, &false, sizeof (false)},
++ {CKA_DERIVE, &true, sizeof (true)}
++ };
++
++ CK_ULONG pub_key_attr_result_count = 1;
++ CK_ATTRIBUTE pub_key_result[] =
++ {
++ {CKA_VALUE, (void *)NULL, 0}
++ };
++
++ CK_ULONG priv_key_attr_result_count = 1;
++ CK_ATTRIBUTE priv_key_result[] =
++ {
++ {CKA_VALUE, (void *)NULL, 0}
++ };
++
++ pub_key_template[1].ulValueLen = BN_num_bytes(dh->p);
++ if (pub_key_template[1].ulValueLen > 0)
++ {
++ /*
++ * We must not increase ulValueLen by DH_BUF_RESERVE since that
++ * could cause the same rounding problem. See definition of
++ * DH_BUF_RESERVE above.
++ */
++ pub_key_template[1].pValue =
++ OPENSSL_malloc(pub_key_template[1].ulValueLen +
++ DH_BUF_RESERVE);
++ if (pub_key_template[1].pValue == NULL)
++ {
++ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ i = BN_bn2bin(dh->p, pub_key_template[1].pValue);
++ }
++ else
++ goto err;
++
++ pub_key_template[2].ulValueLen = BN_num_bytes(dh->g);
++ if (pub_key_template[2].ulValueLen > 0)
++ {
++ pub_key_template[2].pValue =
++ OPENSSL_malloc(pub_key_template[2].ulValueLen +
++ DH_BUF_RESERVE);
++ if (pub_key_template[2].pValue == NULL)
++ {
++ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ i = BN_bn2bin(dh->g, pub_key_template[2].pValue);
++ }
++ else
++ goto err;
++
++ /*
++ * Note: we are only using PK11_SESSION structure for getting
++ * a session handle. The objects created in this function are
++ * destroyed before return and thus not cached.
++ */
++ if ((sp = pk11_get_session(OP_DH)) == NULL)
++ goto err;
++
++ rv = pFuncList->C_GenerateKeyPair(sp->session,
++ &mechanism,
++ pub_key_template,
++ ul_pub_key_attr_count,
++ priv_key_template,
++ ul_priv_key_attr_count,
++ &h_pub_key,
++ &h_priv_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_GEN_KEY, PK11_R_GEN_KEY, rv);
++ goto err;
++ }
++
++ /*
++ * Reuse the larger memory allocated. We know the larger memory
++ * should be sufficient for reuse.
++ */
++ if (pub_key_template[1].ulValueLen > pub_key_template[2].ulValueLen)
++ {
++ reuse_mem = pub_key_template[1].pValue;
++ reuse_mem_len = pub_key_template[1].ulValueLen + DH_BUF_RESERVE;
++ }
++ else
++ {
++ reuse_mem = pub_key_template[2].pValue;
++ reuse_mem_len = pub_key_template[2].ulValueLen + DH_BUF_RESERVE;
++ }
++
++ rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key,
++ pub_key_result, pub_key_attr_result_count);
++ rv1 = pFuncList->C_GetAttributeValue(sp->session, h_priv_key,
++ priv_key_result, priv_key_attr_result_count);
++
++ if (rv != CKR_OK || rv1 != CKR_OK)
++ {
++ rv = (rv != CKR_OK) ? rv : rv1;
++ PK11err_add_data(PK11_F_DH_GEN_KEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ goto err;
++ }
++
++ if (((CK_LONG) pub_key_result[0].ulValueLen) <= 0 ||
++ ((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
++ {
++ PK11err(PK11_F_DH_GEN_KEY, PK11_R_GETATTRIBUTVALUE);
++ goto err;
++ }
++
++ /* Reuse the memory allocated */
++ pub_key_result[0].pValue = reuse_mem;
++ pub_key_result[0].ulValueLen = reuse_mem_len;
++
++ rv = pFuncList->C_GetAttributeValue(sp->session, h_pub_key,
++ pub_key_result, pub_key_attr_result_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_GEN_KEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ goto err;
++ }
++
++ if (pub_key_result[0].type == CKA_VALUE)
++ {
++ if (dh->pub_key == NULL)
++ if ((dh->pub_key = BN_new()) == NULL)
++ {
++ PK11err(PK11_F_DH_GEN_KEY,
++ PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ dh->pub_key = BN_bin2bn(pub_key_result[0].pValue,
++ pub_key_result[0].ulValueLen, dh->pub_key);
++ if (dh->pub_key == NULL)
++ {
++ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ }
++
++ /* Reuse the memory allocated */
++ priv_key_result[0].pValue = reuse_mem;
++ priv_key_result[0].ulValueLen = reuse_mem_len;
++
++ rv = pFuncList->C_GetAttributeValue(sp->session, h_priv_key,
++ priv_key_result, priv_key_attr_result_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_GEN_KEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ goto err;
++ }
++
++ if (priv_key_result[0].type == CKA_VALUE)
++ {
++ if (dh->priv_key == NULL)
++ if ((dh->priv_key = BN_new()) == NULL)
++ {
++ PK11err(PK11_F_DH_GEN_KEY,
++ PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ dh->priv_key = BN_bin2bn(priv_key_result[0].pValue,
++ priv_key_result[0].ulValueLen, dh->priv_key);
++ if (dh->priv_key == NULL)
++ {
++ PK11err(PK11_F_DH_GEN_KEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ }
++
++ ret = 1;
++
++err:
++
++ if (h_pub_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_DestroyObject(sp->session, h_pub_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_GEN_KEY,
++ PK11_R_DESTROYOBJECT, rv);
++ }
++ }
++
++ if (h_priv_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_DestroyObject(sp->session, h_priv_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_GEN_KEY,
++ PK11_R_DESTROYOBJECT, rv);
++ }
++ }
++
++ for (i = 1; i <= 2; i++)
++ {
++ if (pub_key_template[i].pValue != NULL)
++ {
++ OPENSSL_free(pub_key_template[i].pValue);
++ pub_key_template[i].pValue = NULL;
++ }
++ }
++
++ pk11_return_session(sp, OP_DH);
++ return (ret);
++ }
++
++static int pk11_DH_compute_key(unsigned char *key, const BIGNUM *pub_key,
++ DH *dh)
++ {
++ unsigned int i;
++ CK_MECHANISM mechanism = {CKM_DH_PKCS_DERIVE, NULL_PTR, 0};
++ CK_OBJECT_CLASS key_class = CKO_SECRET_KEY;
++ CK_KEY_TYPE key_type = CKK_GENERIC_SECRET;
++ CK_OBJECT_HANDLE h_derived_key = CK_INVALID_HANDLE;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++
++ CK_ULONG ul_priv_key_attr_count = 2;
++ CK_ATTRIBUTE priv_key_template[] =
++ {
++ {CKA_CLASS, (void*) NULL, sizeof (key_class)},
++ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++ };
++
++ CK_ULONG priv_key_attr_result_count = 1;
++ CK_ATTRIBUTE priv_key_result[] =
++ {
++ {CKA_VALUE, (void *)NULL, 0}
++ };
++
++ CK_RV rv;
++ int ret = -1;
++ PK11_SESSION *sp = NULL;
++
++ if (dh->priv_key == NULL)
++ goto err;
++
++ priv_key_template[0].pValue = &key_class;
++ priv_key_template[1].pValue = &key_type;
++
++ if ((sp = pk11_get_session(OP_DH)) == NULL)
++ goto err;
++
++ mechanism.ulParameterLen = BN_num_bytes(pub_key);
++ mechanism.pParameter = OPENSSL_malloc(mechanism.ulParameterLen);
++ if (mechanism.pParameter == NULL)
++ {
++ PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ BN_bn2bin(pub_key, mechanism.pParameter);
++
++ (void) check_new_dh_key(sp, dh);
++
++ h_key = sp->opdata_dh_key;
++ if (h_key == CK_INVALID_HANDLE)
++ h_key = sp->opdata_dh_key =
++ pk11_get_dh_key((DH*) dh, &sp->opdata_dh,
++ &sp->opdata_dh_priv_num, sp->session);
++
++ if (h_key == CK_INVALID_HANDLE)
++ {
++ PK11err(PK11_F_DH_COMP_KEY, PK11_R_CREATEOBJECT);
++ goto err;
++ }
++
++ rv = pFuncList->C_DeriveKey(sp->session,
++ &mechanism,
++ h_key,
++ priv_key_template,
++ ul_priv_key_attr_count,
++ &h_derived_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_DERIVEKEY, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key,
++ priv_key_result, priv_key_attr_result_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE,
++ rv);
++ goto err;
++ }
++
++ if (((CK_LONG) priv_key_result[0].ulValueLen) <= 0)
++ {
++ PK11err(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE);
++ goto err;
++ }
++ priv_key_result[0].pValue =
++ OPENSSL_malloc(priv_key_result[0].ulValueLen);
++ if (!priv_key_result[0].pValue)
++ {
++ PK11err(PK11_F_DH_COMP_KEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++
++ rv = pFuncList->C_GetAttributeValue(sp->session, h_derived_key,
++ priv_key_result, priv_key_attr_result_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_COMP_KEY, PK11_R_GETATTRIBUTVALUE,
++ rv);
++ goto err;
++ }
++
++ /*
++ * OpenSSL allocates the output buffer 'key' which is the same
++ * length of the public key. It is long enough for the derived key
++ */
++ if (priv_key_result[0].type == CKA_VALUE)
++ {
++ /*
++ * CKM_DH_PKCS_DERIVE mechanism is not supposed to strip
++ * leading zeros from a computed shared secret. However,
++ * OpenSSL always did it so we must do the same here. The
++ * vagueness of the spec regarding leading zero bytes was
++ * finally cleared with TLS 1.1 (RFC 4346) saying that leading
++ * zeros are stripped before the computed data is used as the
++ * pre-master secret.
++ */
++ for (i = 0; i < priv_key_result[0].ulValueLen; ++i)
++ {
++ if (((char *)priv_key_result[0].pValue)[i] != 0)
++ break;
++ }
++
++ (void) memcpy(key, ((char *)priv_key_result[0].pValue) + i,
++ priv_key_result[0].ulValueLen - i);
++ ret = priv_key_result[0].ulValueLen - i;
++ }
++
++err:
++
++ if (h_derived_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_DestroyObject(sp->session, h_derived_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DH_COMP_KEY,
++ PK11_R_DESTROYOBJECT, rv);
++ }
++ }
++ if (priv_key_result[0].pValue)
++ {
++ OPENSSL_free(priv_key_result[0].pValue);
++ priv_key_result[0].pValue = NULL;
++ }
++
++ if (mechanism.pParameter)
++ {
++ OPENSSL_free(mechanism.pParameter);
++ mechanism.pParameter = NULL;
++ }
++
++ pk11_return_session(sp, OP_DH);
++ return (ret);
++ }
++
++
++static CK_OBJECT_HANDLE pk11_get_dh_key(DH* dh,
++ DH **key_ptr, BIGNUM **dh_priv_num, CK_SESSION_HANDLE session)
++ {
++ CK_RV rv;
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++ CK_OBJECT_CLASS class = CKO_PRIVATE_KEY;
++ CK_KEY_TYPE key_type = CKK_DH;
++ CK_ULONG found;
++ CK_BBOOL rollback = FALSE;
++ int i;
++
++ CK_ULONG ul_key_attr_count = 7;
++ CK_ATTRIBUTE key_template[] =
++ {
++ {CKA_CLASS, (void*) NULL, sizeof (class)},
++ {CKA_KEY_TYPE, (void*) NULL, sizeof (key_type)},
++ {CKA_DERIVE, &true, sizeof (true)},
++ {CKA_PRIVATE, &false, sizeof (false)},
++ {CKA_PRIME, (void *) NULL, 0},
++ {CKA_BASE, (void *) NULL, 0},
++ {CKA_VALUE, (void *) NULL, 0},
++ };
++
++ key_template[0].pValue = &class;
++ key_template[1].pValue = &key_type;
++
++ key_template[4].ulValueLen = BN_num_bytes(dh->p);
++ key_template[4].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++ (size_t)key_template[4].ulValueLen);
++ if (key_template[4].pValue == NULL)
++ {
++ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ BN_bn2bin(dh->p, key_template[4].pValue);
++
++ key_template[5].ulValueLen = BN_num_bytes(dh->g);
++ key_template[5].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++ (size_t)key_template[5].ulValueLen);
++ if (key_template[5].pValue == NULL)
++ {
++ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ BN_bn2bin(dh->g, key_template[5].pValue);
++
++ key_template[6].ulValueLen = BN_num_bytes(dh->priv_key);
++ key_template[6].pValue = (CK_VOID_PTR)OPENSSL_malloc(
++ (size_t)key_template[6].ulValueLen);
++ if (key_template[6].pValue == NULL)
++ {
++ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++ goto malloc_err;
++ }
++
++ BN_bn2bin(dh->priv_key, key_template[6].pValue);
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(OP_DH);
++ rv = pFuncList->C_FindObjectsInit(session, key_template,
++ ul_key_attr_count);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(session, &h_key, 1, &found);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjectsFinal(session);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_FINDOBJECTSFINAL,
++ rv);
++ goto err;
++ }
++
++ if (found == 0)
++ {
++ rv = pFuncList->C_CreateObject(session,
++ key_template, ul_key_attr_count, &h_key);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_DH_KEY, PK11_R_CREATEOBJECT,
++ rv);
++ goto err;
++ }
++ }
++
++ if (dh_priv_num != NULL)
++ if ((*dh_priv_num = BN_dup(dh->priv_key)) == NULL)
++ {
++ PK11err(PK11_F_GET_DH_KEY, PK11_R_MALLOC_FAILURE);
++ rollback = TRUE;
++ goto err;
++ }
++
++ /* LINTED: E_CONSTANT_CONDITION */
++ KEY_HANDLE_REFHOLD(h_key, OP_DH, FALSE, rollback, err);
++ if (key_ptr != NULL)
++ *key_ptr = dh;
++
++err:
++ if (rollback)
++ {
++ /*
++ * We do not care about the return value from C_DestroyObject()
++ * since we are doing rollback.
++ */
++ if (found == 0)
++ (void) pFuncList->C_DestroyObject(session, h_key);
++ h_key = CK_INVALID_HANDLE;
++ }
++
++ UNLOCK_OBJSTORE(OP_DH);
++
++malloc_err:
++ for (i = 4; i <= 6; i++)
++ {
++ if (key_template[i].pValue != NULL)
++ {
++ OPENSSL_free(key_template[i].pValue);
++ key_template[i].pValue = NULL;
++ }
++ }
++
++ return (h_key);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ *
++ * Note: we rely on pk11_destroy_dh_key_objects() to set sp->opdata_dh
++ * to CK_INVALID_HANDLE even when it fails to destroy the object.
++ */
++static int check_new_dh_key(PK11_SESSION *sp, DH *dh)
++ {
++ /*
++ * Provide protection against DH structure reuse by making the
++ * check for cache hit stronger. Private key component of DH key
++ * is unique so it is sufficient to compare it with value cached
++ * in PK11_SESSION structure.
++ */
++ if ((sp->opdata_dh != dh) ||
++ (BN_cmp(sp->opdata_dh_priv_num, dh->priv_key) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_dh_object(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++#endif
++
++/*
++ * Local function to simplify key template population
++ * Return 0 -- error, 1 -- no error
++ */
++static int init_template_value(BIGNUM *bn, CK_VOID_PTR *p_value,
++ CK_ULONG *ul_value_len)
++ {
++ CK_ULONG len = BN_num_bytes(bn);
++ if (len == 0)
++ return (1);
++
++ *ul_value_len = len;
++ *p_value = (CK_VOID_PTR)OPENSSL_malloc((size_t)*ul_value_len);
++ if (*p_value == NULL)
++ return (0);
++
++ BN_bn2bin(bn, *p_value);
++
++ return (1);
++ }
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
++ {
++ if (attr->ulValueLen > 0)
++ {
++ *bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
++ }
++ }
++#ifdef OPENSSL_SYS_WIN32
++char *getpassphrase(const char *prompt)
++ {
++ static char buf[128];
++ HANDLE h;
++ DWORD cc, mode;
++ int cnt;
++
++ h = GetStdHandle(STD_INPUT_HANDLE);
++ fputs(prompt, stderr);
++ fflush(stderr);
++ fflush(stdout);
++ FlushConsoleInputBuffer(h);
++ GetConsoleMode(h, &mode);
++ SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
++
++ for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
++ {
++ ReadFile(h, buf + cnt, 1, &cc, NULL);
++ if (buf[cnt] == '\r')
++ break;
++ fputc('*', stdout);
++ fflush(stderr);
++ fflush(stdout);
++ }
++
++ SetConsoleMode(h, mode);
++ buf[cnt] = '\0';
++ fputs("\n", stderr);
++ return buf;
++ }
++#endif /* OPENSSL_SYS_WIN32 */
++#endif /* OPENSSL_NO_HW_PK11CA */
++#endif /* OPENSSL_NO_HW_PK11 */
++#endif /* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11ca.h
+diff -u /dev/null openssl/crypto/engine/hw_pk11ca.h:1.2
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11ca.h Mon Oct 5 13:17:03 2009
+@@ -0,0 +1,28 @@
++/* Redefine all pk11/PK11 external symbols to pk11ca/PK11CA */
++
++#define find_lock pk11ca_find_lock
++#define active_list pk11ca_active_list
++#define ERR_pk11_error ERR_pk11ca_error
++#define PK11err_add_data PK11CAerr_add_data
++#define pk11_get_session pk11ca_get_session
++#define pk11_return_session pk11ca_return_session
++#define pk11_active_add pk11ca_active_add
++#define pk11_active_delete pk11ca_active_delete
++#define pk11_active_remove pk11ca_active_remove
++#define pk11_free_active_list pk11ca_free_active_list
++#define pk11_destroy_rsa_key_objects pk11ca_destroy_rsa_key_objects
++#define pk11_destroy_rsa_object_pub pk11ca_destroy_rsa_object_pub
++#define pk11_destroy_rsa_object_priv pk11ca_destroy_rsa_object_priv
++#define pk11_load_privkey pk11ca_load_privkey
++#define pk11_load_pubkey pk11ca_load_pubkey
++#define PK11_RSA PK11CA_RSA
++#define pk11_destroy_dsa_key_objects pk11ca_destroy_dsa_key_objects
++#define pk11_destroy_dsa_object_pub pk11ca_destroy_dsa_object_pub
++#define pk11_destroy_dsa_object_priv pk11ca_destroy_dsa_object_priv
++#define PK11_DSA PK11CA_DSA
++#define pk11_destroy_dh_key_objects pk11ca_destroy_dh_key_objects
++#define pk11_destroy_dh_object pk11ca_destroy_dh_object
++#define PK11_DH PK11CA_DH
++#define pFuncList pk11ca_pFuncList
++#define pk11_pin pk11ca_pin
++#define ENGINE_load_pk11 ENGINE_load_pk11ca
+Index: openssl/crypto/engine/hw_pk11so.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.c:1.2
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11so.c Mon Oct 5 13:17:03 2009
+@@ -0,0 +1,1618 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Modified to keep only RNG and RSA Sign */
++
++#ifdef OPENSSL_NO_RSA
++#error RSA is disabled
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/types.h>
++
++#include <openssl/e_os2.h>
++#include <openssl/crypto.h>
++#include <cryptlib.h>
++#include <openssl/engine.h>
++#include <openssl/dso.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/md5.h>
++#include <openssl/pem.h>
++#include <openssl/rsa.h>
++#include <openssl/rand.h>
++#include <openssl/objects.h>
++#include <openssl/x509.h>
++
++#ifdef OPENSSL_SYS_WIN32
++typedef int pid_t;
++#define getpid() GetCurrentProcessId()
++#define NOPTHREADS
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++ returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++ returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ returnType __declspec(dllimport) (* name)
++#else
++#include <signal.h>
++#include <unistd.h>
++#include <dlfcn.h>
++#endif
++
++#ifndef NOPTHREADS
++#include <pthread.h>
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11SO
++
++/* label for debug messages printed on stderr */
++#define PK11_DBG "PKCS#11 ENGINE DEBUG"
++/* prints a lot of debug messages on stderr about slot selection process */
++/*#undef DEBUG_SLOT_SELECTION */
++
++#ifndef OPENSSL_NO_DSA
++#define OPENSSL_NO_DSA
++#endif
++#ifndef OPENSSL_NO_DH
++#define OPENSSL_NO_DH
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11so.h"
++#include "hw_pk11_err.c"
++
++/* PKCS#11 session caches and their locks for all operation types */
++static PK11_CACHE session_cache[OP_MAX];
++
++/*
++ * As stated in v2.20, 11.7 Object Management Function, in section for
++ * C_FindObjectsInit(), at most one search operation may be active at a given
++ * time in a given session. Therefore, C_Find{,Init,Final}Objects() should be
++ * grouped together to form one atomic search operation. This is already
++ * ensured by the property of unique PKCS#11 session handle used for each
++ * PK11_SESSION object.
++ *
++ * This is however not the biggest concern - maintaining consistency of the
++ * underlying object store is more important. The same section of the spec also
++ * says that one thread can be in the middle of a search operation while another
++ * thread destroys the object matching the search template which would result in
++ * invalid handle returned from the search operation.
++ *
++ * Hence, the following locks are used for both protection of the object stores.
++ * They are also used for active list protection.
++ */
++#ifndef NOPTHREADS
++pthread_mutex_t *find_lock[OP_MAX] = { NULL };
++#endif
++
++/*
++ * lists of asymmetric key handles which are active (referenced by at least one
++ * PK11_SESSION structure, either held by a thread or present in free_session
++ * list) for given algorithm type
++ */
++PK11_active *active_list[OP_MAX] = { NULL };
++
++/*
++ * Create all secret key objects in a global session so that they are available
++ * to use for other sessions. These other sessions may be opened or closed
++ * without losing the secret key objects.
++ */
++static CK_SESSION_HANDLE global_session = CK_INVALID_HANDLE;
++
++/* ENGINE level stuff */
++static int pk11_init(ENGINE *e);
++static int pk11_library_init(ENGINE *e);
++static int pk11_finish(ENGINE *e);
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void));
++static int pk11_destroy(ENGINE *e);
++
++/* RAND stuff */
++static void pk11_rand_seed(const void *buf, int num);
++static void pk11_rand_add(const void *buf, int num, double add_entropy);
++static void pk11_rand_cleanup(void);
++static int pk11_rand_bytes(unsigned char *buf, int num);
++static int pk11_rand_status(void);
++
++/* These functions are also used in other files */
++PK11_SESSION *pk11_get_session(PK11_OPTYPE optype);
++void pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++
++/* active list manipulation functions used in this file */
++extern int pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type);
++extern void pk11_free_active_list(PK11_OPTYPE type);
++
++int pk11_destroy_rsa_key_objects(PK11_SESSION *session);
++int pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock);
++int pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock);
++
++/* Local helper functions */
++static int pk11_free_all_sessions(void);
++static int pk11_free_session_list(PK11_OPTYPE optype);
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype);
++static int pk11_destroy_object(CK_SESSION_HANDLE session,
++ CK_OBJECT_HANDLE oh);
++static const char *get_PK11_LIBNAME(void);
++static void free_PK11_LIBNAME(void);
++static long set_PK11_LIBNAME(const char *name);
++
++static int pk11_choose_slots(int *any_slot_found);
++
++static int pk11_init_all_locks(void);
++static void pk11_free_all_locks(void);
++
++#define TRY_OBJ_DESTROY(sess_hdl, obj_hdl, retval, uselock, alg_type) \
++ { \
++ if (uselock) \
++ LOCK_OBJSTORE(alg_type); \
++ if (pk11_active_delete(obj_hdl, alg_type) == 1) \
++ { \
++ retval = pk11_destroy_object(sess_hdl, obj_hdl); \
++ } \
++ if (uselock) \
++ UNLOCK_OBJSTORE(alg_type); \
++ }
++
++#define TRY_OBJ_DELETE(sess_hdl, obj_hdl, retval, uselock, alg_type) \
++ { \
++ if (uselock) \
++ LOCK_OBJSTORE(alg_type); \
++ (void) pk11_active_delete(obj_hdl, alg_type); \
++ if (uselock) \
++ UNLOCK_OBJSTORE(alg_type); \
++ }
++
++static CK_BBOOL pk11_have_rsa = CK_FALSE;
++static CK_BBOOL pk11_have_random = CK_FALSE;
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * The definitions for control commands specific to this engine
++ */
++#define PK11_CMD_SO_PATH ENGINE_CMD_BASE
++#define PK11_CMD_PIN (ENGINE_CMD_BASE+1)
++#define PK11_CMD_SLOT (ENGINE_CMD_BASE+2)
++static const ENGINE_CMD_DEFN pk11_cmd_defns[] =
++ {
++ {
++ PK11_CMD_SO_PATH,
++ "SO_PATH",
++ "Specifies the path to the 'pkcs#11' shared library",
++ ENGINE_CMD_FLAG_STRING
++ },
++ {
++ PK11_CMD_PIN,
++ "PIN",
++ "Specifies the pin code",
++ ENGINE_CMD_FLAG_STRING
++ },
++ {
++ PK11_CMD_SLOT,
++ "SLOT",
++ "Specifies the slot (default is auto select)",
++ ENGINE_CMD_FLAG_NUMERIC,
++ },
++ {0, NULL, NULL, 0}
++ };
++
++
++static RAND_METHOD pk11_random =
++ {
++ pk11_rand_seed,
++ pk11_rand_bytes,
++ pk11_rand_cleanup,
++ pk11_rand_add,
++ pk11_rand_bytes,
++ pk11_rand_status
++ };
++
++
++/* Constants used when creating the ENGINE */
++#ifdef OPENSSL_NO_HW_PK11CA
++#error "can't load both crypto-accelerator and sign-only PKCS#11 engines"
++#endif
++static const char *engine_pk11_id = "pkcs11";
++static const char *engine_pk11_name = "PKCS #11 engine support (sign only)";
++
++CK_FUNCTION_LIST_PTR pFuncList = NULL;
++static const char PK11_GET_FUNCTION_LIST[] = "C_GetFunctionList";
++
++/*
++ * These is the static string constant for the DSO file name and the function
++ * symbol names to bind to.
++ */
++static const char def_PK11_LIBNAME[] = PK11_LIB_LOCATION;
++
++static CK_SLOT_ID pubkey_SLOTID = 0;
++static CK_SLOT_ID rand_SLOTID = 0;
++static CK_SLOT_ID SLOTID = 0;
++char *pk11_pin = NULL;
++static CK_BBOOL pk11_library_initialized = FALSE;
++static CK_BBOOL pk11_atfork_initialized = FALSE;
++static int pk11_pid = 0;
++
++static DSO *pk11_dso = NULL;
++
++/* allocate and initialize all locks used by the engine itself */
++static int pk11_init_all_locks(void)
++ {
++#ifndef NOPTHREADS
++ int type;
++
++ find_lock[OP_RSA] = OPENSSL_malloc(sizeof (pthread_mutex_t));
++ if (find_lock[OP_RSA] == NULL)
++ goto malloc_err;
++ (void) pthread_mutex_init(find_lock[OP_RSA], NULL);
++
++ for (type = 0; type < OP_MAX; type++)
++ {
++ session_cache[type].lock =
++ OPENSSL_malloc(sizeof (pthread_mutex_t));
++ if (session_cache[type].lock == NULL)
++ goto malloc_err;
++ (void) pthread_mutex_init(session_cache[type].lock, NULL);
++ }
++
++ return (1);
++
++malloc_err:
++ pk11_free_all_locks();
++ PK11err(PK11_F_INIT_ALL_LOCKS, PK11_R_MALLOC_FAILURE);
++ return (0);
++#else
++ return (1);
++#endif
++ }
++
++static void pk11_free_all_locks(void)
++ {
++#ifndef NOPTHREADS
++ int type;
++
++ if (find_lock[OP_RSA] != NULL)
++ {
++ (void) pthread_mutex_destroy(find_lock[OP_RSA]);
++ OPENSSL_free(find_lock[OP_RSA]);
++ find_lock[OP_RSA] = NULL;
++ }
++
++ for (type = 0; type < OP_MAX; type++)
++ {
++ if (session_cache[type].lock != NULL)
++ {
++ (void) pthread_mutex_destroy(session_cache[type].lock);
++ OPENSSL_free(session_cache[type].lock);
++ session_cache[type].lock = NULL;
++ }
++ }
++#endif
++ }
++
++/*
++ * This internal function is used by ENGINE_pk11() and "dynamic" ENGINE support.
++ */
++static int bind_pk11(ENGINE *e)
++ {
++ if (!pk11_library_initialized)
++ if (!pk11_library_init(e))
++ return (0);
++
++ if (!ENGINE_set_id(e, engine_pk11_id) ||
++ !ENGINE_set_name(e, engine_pk11_name))
++ return (0);
++
++ if (pk11_have_rsa == CK_TRUE)
++ {
++ if (!ENGINE_set_RSA(e, PK11_RSA()) ||
++ !ENGINE_set_load_privkey_function(e, pk11_load_privkey) ||
++ !ENGINE_set_load_pubkey_function(e, pk11_load_pubkey))
++ return (0);
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: registered RSA\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ }
++
++ if (pk11_have_random)
++ {
++ if (!ENGINE_set_RAND(e, &pk11_random))
++ return (0);
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: registered random\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ }
++ if (!ENGINE_set_init_function(e, pk11_init) ||
++ !ENGINE_set_destroy_function(e, pk11_destroy) ||
++ !ENGINE_set_finish_function(e, pk11_finish) ||
++ !ENGINE_set_ctrl_function(e, pk11_ctrl) ||
++ !ENGINE_set_cmd_defns(e, pk11_cmd_defns))
++ return (0);
++
++ /* Ensure the pk11 error handling is set up */
++ ERR_load_pk11_strings();
++
++ return (1);
++ }
++
++/* Dynamic engine support is disabled at a higher level for Solaris */
++#ifdef ENGINE_DYNAMIC_SUPPORT
++#error "dynamic engine not supported"
++static int bind_helper(ENGINE *e, const char *id)
++ {
++ if (id && (strcmp(id, engine_pk11_id) != 0))
++ return (0);
++
++ if (!bind_pk11(e))
++ return (0);
++
++ return (1);
++ }
++
++IMPLEMENT_DYNAMIC_CHECK_FN()
++IMPLEMENT_DYNAMIC_BIND_FN(bind_helper)
++
++#else
++static ENGINE *engine_pk11(void)
++ {
++ ENGINE *ret = ENGINE_new();
++
++ if (!ret)
++ return (NULL);
++
++ if (!bind_pk11(ret))
++ {
++ ENGINE_free(ret);
++ return (NULL);
++ }
++
++ return (ret);
++ }
++
++void
++ENGINE_load_pk11(void)
++ {
++ ENGINE *e_pk11 = NULL;
++
++ /*
++ * Do not use dynamic PKCS#11 library on Solaris due to
++ * security reasons. We will link it in statically.
++ */
++ /* Attempt to load PKCS#11 library */
++ if (!pk11_dso)
++ pk11_dso = DSO_load(NULL, get_PK11_LIBNAME(), NULL, 0);
++
++ if (pk11_dso == NULL)
++ {
++ PK11err(PK11_F_LOAD, PK11_R_DSO_FAILURE);
++ return;
++ }
++
++ e_pk11 = engine_pk11();
++ if (!e_pk11)
++ {
++ DSO_free(pk11_dso);
++ pk11_dso = NULL;
++ return;
++ }
++
++ /*
++ * At this point, the pk11 shared library is either dynamically
++ * loaded or statically linked in. So, initialize the pk11
++ * library before calling ENGINE_set_default since the latter
++ * needs cipher and digest algorithm information
++ */
++ if (!pk11_library_init(e_pk11))
++ {
++ DSO_free(pk11_dso);
++ pk11_dso = NULL;
++ ENGINE_free(e_pk11);
++ return;
++ }
++
++ ENGINE_add(e_pk11);
++
++ ENGINE_free(e_pk11);
++ ERR_clear_error();
++ }
++#endif /* ENGINE_DYNAMIC_SUPPORT */
++
++/*
++ * These are the static string constants for the DSO file name and
++ * the function symbol names to bind to.
++ */
++static const char *PK11_LIBNAME = NULL;
++
++static const char *get_PK11_LIBNAME(void)
++ {
++ if (PK11_LIBNAME)
++ return (PK11_LIBNAME);
++
++ return (def_PK11_LIBNAME);
++ }
++
++static void free_PK11_LIBNAME(void)
++ {
++ if (PK11_LIBNAME)
++ OPENSSL_free((void*)PK11_LIBNAME);
++
++ PK11_LIBNAME = NULL;
++ }
++
++static long set_PK11_LIBNAME(const char *name)
++ {
++ free_PK11_LIBNAME();
++
++ return ((PK11_LIBNAME = BUF_strdup(name)) != NULL ? 1 : 0);
++ }
++
++/* acquire all engine specific mutexes before fork */
++static void pk11_fork_prepare(void)
++ {
++#ifndef NOPTHREADS
++ int i;
++
++ if (!pk11_library_initialized)
++ return;
++
++ LOCK_OBJSTORE(OP_RSA);
++ for (i = 0; i < OP_MAX; i++)
++ {
++ (void) pthread_mutex_lock(session_cache[i].lock);
++ }
++#endif
++ }
++
++/* release all engine specific mutexes */
++static void pk11_fork_parent(void)
++ {
++#ifndef NOPTHREADS
++ int i;
++
++ if (!pk11_library_initialized)
++ return;
++
++ for (i = OP_MAX - 1; i >= 0; i--)
++ {
++ (void) pthread_mutex_unlock(session_cache[i].lock);
++ }
++ UNLOCK_OBJSTORE(OP_RSA);
++#endif
++ }
++
++/*
++ * same situation as in parent - we need to unlock all locks to make them
++ * accessible to all threads.
++ */
++static void pk11_fork_child(void)
++ {
++#ifndef NOPTHREADS
++ int i;
++
++ if (!pk11_library_initialized)
++ return;
++
++ for (i = OP_MAX - 1; i >= 0; i--)
++ {
++ (void) pthread_mutex_unlock(session_cache[i].lock);
++ }
++ UNLOCK_OBJSTORE(OP_RSA);
++#endif
++ }
++
++/* Initialization function for the pk11 engine */
++static int pk11_init(ENGINE *e)
++{
++ return (pk11_library_init(e));
++}
++
++/*
++ * Initialization function. Sets up various PKCS#11 library components.
++ * It selects a slot based on predefined critiera. In the process, it also
++ * count how many ciphers and digests to support. Since the cipher and
++ * digest information is needed when setting default engine, this function
++ * needs to be called before calling ENGINE_set_default.
++ */
++/* ARGSUSED */
++static int pk11_library_init(ENGINE *e)
++ {
++ CK_C_GetFunctionList p;
++ CK_RV rv = CKR_OK;
++ CK_INFO info;
++ int any_slot_found;
++ int i;
++#ifndef OPENSSL_SYS_WIN32
++ struct sigaction sigint_act, sigterm_act, sighup_act;
++#endif
++
++ /*
++ * pk11_library_initialized is set to 0 in pk11_finish() which is called
++ * from ENGINE_finish(). However, if there is still at least one
++ * existing functional reference to the engine (see engine(3) for more
++ * information), pk11_finish() is skipped. For example, this can happen
++ * if an application forgets to clear one cipher context. In case of a
++ * fork() when the application is finishing the engine so that it can be
++ * reinitialized in the child, forgotten functional reference causes
++ * pk11_library_initialized to stay 1. In that case we need the PID
++ * check so that we properly initialize the engine again.
++ */
++ if (pk11_library_initialized)
++ {
++ if (pk11_pid == getpid())
++ {
++ return (1);
++ }
++ else
++ {
++ global_session = CK_INVALID_HANDLE;
++ /*
++ * free the locks first to prevent memory leak in case
++ * the application calls fork() without finishing the
++ * engine first.
++ */
++ pk11_free_all_locks();
++ }
++ }
++
++ if (pk11_dso == NULL)
++ {
++ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++ /* get the C_GetFunctionList function from the loaded library */
++ p = (CK_C_GetFunctionList)DSO_bind_func(pk11_dso,
++ PK11_GET_FUNCTION_LIST);
++ if (!p)
++ {
++ PK11err(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++
++ /* get the full function list from the loaded library */
++ rv = p(&pFuncList);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_DSO_FAILURE, rv);
++ goto err;
++ }
++
++#ifndef OPENSSL_SYS_WIN32
++ /* Not all PKCS#11 library are signal safe! */
++
++ (void) memset(&sigint_act, 0, sizeof(sigint_act));
++ (void) memset(&sigterm_act, 0, sizeof(sigterm_act));
++ (void) memset(&sighup_act, 0, sizeof(sighup_act));
++ (void) sigaction(SIGINT, NULL, &sigint_act);
++ (void) sigaction(SIGTERM, NULL, &sigterm_act);
++ (void) sigaction(SIGHUP, NULL, &sighup_act);
++#endif
++ rv = pFuncList->C_Initialize(NULL_PTR);
++#ifndef OPENSSL_SYS_WIN32
++ (void) sigaction(SIGINT, &sigint_act, NULL);
++ (void) sigaction(SIGTERM, &sigterm_act, NULL);
++ (void) sigaction(SIGHUP, &sighup_act, NULL);
++#endif
++ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_INITIALIZE, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_GetInfo(&info);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT, PK11_R_GETINFO, rv);
++ goto err;
++ }
++
++ if (pk11_choose_slots(&any_slot_found) == 0)
++ goto err;
++
++ /*
++ * The library we use, set in def_PK11_LIBNAME, may not offer any
++ * slot(s). In that case, we must not proceed but we must not return an
++ * error. The reason is that applications that try to set up the PKCS#11
++ * engine don't exit on error during the engine initialization just
++ * because no slot was present.
++ */
++ if (any_slot_found == 0)
++ return (1);
++
++ if (global_session == CK_INVALID_HANDLE)
++ {
++ /* Open the global_session for the new process */
++ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &global_session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LIBRARY_INIT,
++ PK11_R_OPENSESSION, rv);
++ goto err;
++ }
++ }
++
++ pk11_library_initialized = TRUE;
++ pk11_pid = getpid();
++ /*
++ * if initialization of the locks fails pk11_init_all_locks()
++ * will do the cleanup.
++ */
++ if (!pk11_init_all_locks())
++ goto err;
++ for (i = 0; i < OP_MAX; i++)
++ session_cache[i].head = NULL;
++ /*
++ * initialize active lists. We only use active lists
++ * for asymmetric ciphers.
++ */
++ for (i = 0; i < OP_MAX; i++)
++ active_list[i] = NULL;
++
++#ifndef NOPTHREADS
++ if (!pk11_atfork_initialized)
++ {
++ if (pthread_atfork(pk11_fork_prepare, pk11_fork_parent,
++ pk11_fork_child) != 0)
++ {
++ PK11err(PK11_F_LIBRARY_INIT, PK11_R_ATFORK_FAILED);
++ goto err;
++ }
++ pk11_atfork_initialized = TRUE;
++ }
++#endif
++
++ return (1);
++
++err:
++ return (0);
++ }
++
++/* Destructor (complements the "ENGINE_pk11()" constructor) */
++/* ARGSUSED */
++static int pk11_destroy(ENGINE *e)
++ {
++ free_PK11_LIBNAME();
++ ERR_unload_pk11_strings();
++ if (pk11_pin) {
++ memset(pk11_pin, 0, strlen(pk11_pin));
++ OPENSSL_free((void*)pk11_pin);
++ }
++ pk11_pin = NULL;
++ return (1);
++ }
++
++/*
++ * Termination function to clean up the session, the token, and the pk11
++ * library.
++ */
++/* ARGSUSED */
++static int pk11_finish(ENGINE *e)
++ {
++ int i;
++
++ if (pk11_pin) {
++ memset(pk11_pin, 0, strlen(pk11_pin));
++ OPENSSL_free((void*)pk11_pin);
++ }
++ pk11_pin = NULL;
++
++ if (pk11_dso == NULL)
++ {
++ PK11err(PK11_F_FINISH, PK11_R_NOT_LOADED);
++ goto err;
++ }
++
++ OPENSSL_assert(pFuncList != NULL);
++
++ if (pk11_free_all_sessions() == 0)
++ goto err;
++
++ /* free all active lists */
++ for (i = 0; i < OP_MAX; i++)
++ pk11_free_active_list(i);
++
++ pFuncList->C_CloseSession(global_session);
++ global_session = CK_INVALID_HANDLE;
++
++ /*
++ * Since we are part of a library (libcrypto.so), calling this function
++ * may have side-effects.
++ */
++#if 0
++ pFuncList->C_Finalize(NULL);
++#endif
++
++ if (!DSO_free(pk11_dso))
++ {
++ PK11err(PK11_F_FINISH, PK11_R_DSO_FAILURE);
++ goto err;
++ }
++ pk11_dso = NULL;
++ pFuncList = NULL;
++ pk11_library_initialized = FALSE;
++ pk11_pid = 0;
++ /*
++ * There is no way how to unregister atfork handlers (other than
++ * unloading the library) so we just free the locks. For this reason
++ * the atfork handlers check if the engine is initialized and bail out
++ * immediately if not. This is necessary in case a process finishes
++ * the engine before calling fork().
++ */
++ pk11_free_all_locks();
++
++ return (1);
++
++err:
++ return (0);
++ }
++
++/* Standard engine interface function to set the dynamic library path */
++/* ARGSUSED */
++static int pk11_ctrl(ENGINE *e, int cmd, long i, void *p, void (*f)(void))
++ {
++ int initialized = ((pk11_dso == NULL) ? 0 : 1);
++
++ switch (cmd)
++ {
++ case PK11_CMD_SO_PATH:
++ if (p == NULL)
++ {
++ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++ return (0);
++ }
++
++ if (initialized)
++ {
++ PK11err(PK11_F_CTRL, PK11_R_ALREADY_LOADED);
++ return (0);
++ }
++
++ return (set_PK11_LIBNAME((const char *)p));
++ case PK11_CMD_PIN:
++ if (pk11_pin) {
++ memset(pk11_pin, 0, strlen(pk11_pin));
++ OPENSSL_free((void*)pk11_pin);
++ }
++ pk11_pin = NULL;
++
++ if (p == NULL)
++ {
++ PK11err(PK11_F_CTRL, ERR_R_PASSED_NULL_PARAMETER);
++ return (0);
++ }
++
++ pk11_pin = BUF_strdup(p);
++ if (pk11_pin == NULL)
++ {
++ PK11err(PK11_F_GET_SESSION, PK11_R_MALLOC_FAILURE);
++ return (0);
++ }
++ return (1);
++ case PK11_CMD_SLOT:
++ SLOTID = (CK_SLOT_ID)i;
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: slot set\n", PK11_DBG);
++#endif
++ return (1);
++ default:
++ break;
++ }
++
++ PK11err(PK11_F_CTRL, PK11_R_CTRL_COMMAND_NOT_IMPLEMENTED);
++
++ return (0);
++ }
++
++
++/* Required function by the engine random interface. It does nothing here */
++static void pk11_rand_cleanup(void)
++ {
++ return;
++ }
++
++/* ARGSUSED */
++static void pk11_rand_add(const void *buf, int num, double add)
++ {
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RAND)) == NULL)
++ return;
++
++ /*
++ * Ignore any errors (e.g. CKR_RANDOM_SEED_NOT_SUPPORTED) since
++ * the calling functions do not care anyway
++ */
++ pFuncList->C_SeedRandom(sp->session, (unsigned char *) buf, num);
++ pk11_return_session(sp, OP_RAND);
++
++ return;
++ }
++
++static void pk11_rand_seed(const void *buf, int num)
++ {
++ pk11_rand_add(buf, num, 0);
++ }
++
++static int pk11_rand_bytes(unsigned char *buf, int num)
++ {
++ CK_RV rv;
++ PK11_SESSION *sp;
++
++ if ((sp = pk11_get_session(OP_RAND)) == NULL)
++ return (0);
++
++ rv = pFuncList->C_GenerateRandom(sp->session, buf, num);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RAND_BYTES, PK11_R_GENERATERANDOM, rv);
++ pk11_return_session(sp, OP_RAND);
++ return (0);
++ }
++
++ pk11_return_session(sp, OP_RAND);
++ return (1);
++ }
++
++/* Required function by the engine random interface. It does nothing here */
++static int pk11_rand_status(void)
++ {
++ return (1);
++ }
++
++/* Free all BIGNUM structures from PK11_SESSION. */
++static void pk11_free_nums(PK11_SESSION *sp, PK11_OPTYPE optype)
++ {
++ switch (optype)
++ {
++ case OP_RSA:
++ if (sp->opdata_rsa_n_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_n_num);
++ sp->opdata_rsa_n_num = NULL;
++ }
++ if (sp->opdata_rsa_e_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_e_num);
++ sp->opdata_rsa_e_num = NULL;
++ }
++ if (sp->opdata_rsa_d_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_d_num);
++ sp->opdata_rsa_d_num = NULL;
++ }
++ break;
++ default:
++ break;
++ }
++ }
++
++/*
++ * Get new PK11_SESSION structure ready for use. Every process must have
++ * its own freelist of PK11_SESSION structures so handle fork() here
++ * by destroying the old and creating new freelist.
++ * The returned PK11_SESSION structure is disconnected from the freelist.
++ */
++PK11_SESSION *
++pk11_get_session(PK11_OPTYPE optype)
++ {
++ PK11_SESSION *sp = NULL, *sp1, *freelist;
++#ifndef NOPTHREADS
++ pthread_mutex_t *freelist_lock = NULL;
++#endif
++ CK_RV rv;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ case OP_RAND:
++ case OP_DIGEST:
++ case OP_CIPHER:
++#ifndef NOPTHREADS
++ freelist_lock = session_cache[optype].lock;
++#endif
++ break;
++ default:
++ PK11err(PK11_F_GET_SESSION,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return (NULL);
++ }
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(freelist_lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ freelist = session_cache[optype].head;
++ sp = freelist;
++
++ /*
++ * If the free list is empty, allocate new unitialized (filled
++ * with zeroes) PK11_SESSION structure otherwise return first
++ * structure from the freelist.
++ */
++ if (sp == NULL)
++ {
++ if ((sp = OPENSSL_malloc(sizeof (PK11_SESSION))) == NULL)
++ {
++ PK11err(PK11_F_GET_SESSION,
++ PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ (void) memset(sp, 0, sizeof (PK11_SESSION));
++ }
++ else
++ {
++ freelist = sp->next;
++ }
++
++ if (sp->pid != 0 && sp->pid != getpid())
++ {
++ /*
++ * We are a new process and thus need to free any inherited
++ * PK11_SESSION objects.
++ */
++ while ((sp1 = freelist) != NULL)
++ {
++ freelist = sp1->next;
++ /*
++ * NOTE: we do not want to call pk11_free_all_sessions()
++ * here because it would close underlying PKCS#11
++ * sessions and destroy all objects.
++ */
++ pk11_free_nums(sp1, optype);
++ OPENSSL_free(sp1);
++ }
++
++ /* we have to free the active list as well. */
++ pk11_free_active_list(optype);
++
++ /* Initialize the process */
++ rv = pFuncList->C_Initialize(NULL_PTR);
++ if ((rv != CKR_OK) && (rv != CKR_CRYPTOKI_ALREADY_INITIALIZED))
++ {
++ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_INITIALIZE,
++ rv);
++ OPENSSL_free(sp);
++ sp = NULL;
++ goto err;
++ }
++
++ /*
++ * Choose slot here since the slot table is different on this
++ * process. If we are here then we must have found at least one
++ * usable slot before so we don't need to check any_slot_found.
++ * See pk11_library_init()'s usage of this function for more
++ * information.
++ */
++ if (pk11_choose_slots(NULL) == 0)
++ goto err;
++
++ /* Open the global_session for the new process */
++ rv = pFuncList->C_OpenSession(SLOTID, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &global_session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_GET_SESSION, PK11_R_OPENSESSION,
++ rv);
++ OPENSSL_free(sp);
++ sp = NULL;
++ goto err;
++ }
++
++ /* It is an inherited session and needs re-initialization. */
++ if (pk11_setup_session(sp, optype) == 0)
++ {
++ OPENSSL_free(sp);
++ sp = NULL;
++ }
++ }
++ if (sp->pid == 0)
++ {
++ /* It is a new session and needs initialization. */
++ if (pk11_setup_session(sp, optype) == 0)
++ {
++ OPENSSL_free(sp);
++ sp = NULL;
++ }
++ }
++
++ /* set new head for the list of PK11_SESSION objects */
++ session_cache[optype].head = freelist;
++
++err:
++ if (sp != NULL)
++ sp->next = NULL;
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_unlock(freelist_lock);
++#else
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (sp);
++ }
++
++
++void
++pk11_return_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++ {
++#ifndef NOPTHREADS
++ pthread_mutex_t *freelist_lock;
++#endif
++ PK11_SESSION *freelist;
++
++ if (sp == NULL || sp->pid != getpid())
++ return;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ case OP_RAND:
++ case OP_DIGEST:
++ case OP_CIPHER:
++#ifndef NOPTHREADS
++ freelist_lock = session_cache[optype].lock;
++#endif
++ break;
++ default:
++ PK11err(PK11_F_RETURN_SESSION,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return;
++ }
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(freelist_lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ freelist = session_cache[optype].head;
++ sp->next = freelist;
++ session_cache[optype].head = sp;
++#ifndef NOPTHREADS
++ (void) pthread_mutex_unlock(freelist_lock);
++#else
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ }
++
++
++/* Destroy all objects. This function is called when the engine is finished */
++static int pk11_free_all_sessions()
++ {
++ int ret = 1;
++ int type;
++
++ (void) pk11_destroy_rsa_key_objects(NULL);
++
++ /*
++ * We try to release as much as we can but any error means that we will
++ * return 0 on exit.
++ */
++ for (type = 0; type < OP_MAX; type++)
++ {
++ if (pk11_free_session_list(type) == 0)
++ ret = 0;
++ }
++
++ return (ret);
++ }
++
++/*
++ * Destroy session structures from the linked list specified. Free as many
++ * sessions as possible but any failure in C_CloseSession() means that we
++ * return an error on return.
++ */
++static int pk11_free_session_list(PK11_OPTYPE optype)
++ {
++ CK_RV rv;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *freelist = NULL;
++ pid_t mypid = getpid();
++#ifndef NOPTHREADS
++ pthread_mutex_t *freelist_lock;
++#endif
++ int ret = 1;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ case OP_DSA:
++ case OP_DH:
++ case OP_RAND:
++ case OP_DIGEST:
++ case OP_CIPHER:
++#ifndef NOPTHREADS
++ freelist_lock = session_cache[optype].lock;
++#endif
++ break;
++ default:
++ PK11err(PK11_F_FREE_ALL_SESSIONS,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return (0);
++ }
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(freelist_lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ freelist = session_cache[optype].head;
++ while ((sp = freelist) != NULL)
++ {
++ if (sp->session != CK_INVALID_HANDLE && sp->pid == mypid)
++ {
++ rv = pFuncList->C_CloseSession(sp->session);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_FREE_ALL_SESSIONS,
++ PK11_R_CLOSESESSION, rv);
++ ret = 0;
++ }
++ }
++ freelist = sp->next;
++ pk11_free_nums(sp, optype);
++ OPENSSL_free(sp);
++ }
++
++#ifndef NOPTHREADS
++ (void) pthread_mutex_unlock(freelist_lock);
++#else
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ return (ret);
++ }
++
++
++static int pk11_setup_session(PK11_SESSION *sp, PK11_OPTYPE optype)
++ {
++ CK_RV rv;
++ CK_SLOT_ID myslot;
++
++ switch (optype)
++ {
++ case OP_RSA:
++ myslot = pubkey_SLOTID;
++ break;
++ case OP_RAND:
++ myslot = rand_SLOTID;
++ break;
++ default:
++ PK11err(PK11_F_SETUP_SESSION,
++ PK11_R_INVALID_OPERATION_TYPE);
++ return (0);
++ }
++
++ sp->session = CK_INVALID_HANDLE;
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: myslot=%d optype=%d\n", PK11_DBG, myslot, optype);
++#endif /* DEBUG_SLOT_SELECTION */
++ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &sp->session);
++ if (rv == CKR_CRYPTOKI_NOT_INITIALIZED)
++ {
++ /*
++ * We are probably a child process so force the
++ * reinitialize of the session
++ */
++ pk11_library_initialized = FALSE;
++ if (!pk11_library_init(NULL))
++ return (0);
++ rv = pFuncList->C_OpenSession(myslot, CKF_SERIAL_SESSION,
++ NULL_PTR, NULL_PTR, &sp->session);
++ }
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_SETUP_SESSION, PK11_R_OPENSESSION, rv);
++ return (0);
++ }
++
++ sp->pid = getpid();
++
++ if (optype == OP_RSA)
++ {
++ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_pub = NULL;
++ sp->opdata_rsa_n_num = NULL;
++ sp->opdata_rsa_e_num = NULL;
++ sp->opdata_rsa_priv = NULL;
++ sp->opdata_rsa_d_num = NULL;
++ }
++
++ return (1);
++ }
++
++/* Destroy RSA public key from single session. */
++int
++pk11_destroy_rsa_object_pub(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_rsa_pub_key != CK_INVALID_HANDLE)
++ {
++ TRY_OBJ_DESTROY(sp->session, sp->opdata_rsa_pub_key,
++ ret, uselock, OP_RSA);
++ sp->opdata_rsa_pub_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_pub = NULL;
++ if (sp->opdata_rsa_n_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_n_num);
++ sp->opdata_rsa_n_num = NULL;
++ }
++ if (sp->opdata_rsa_e_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_e_num);
++ sp->opdata_rsa_e_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/* Destroy RSA private key from single session. */
++int
++pk11_destroy_rsa_object_priv(PK11_SESSION *sp, CK_BBOOL uselock)
++ {
++ int ret = 0;
++
++ if (sp->opdata_rsa_priv_key != CK_INVALID_HANDLE)
++ {
++ TRY_OBJ_DELETE(sp->session,
++ sp->opdata_rsa_priv_key,
++ ret, uselock, OP_RSA);
++ sp->opdata_rsa_priv_key = CK_INVALID_HANDLE;
++ sp->opdata_rsa_priv = NULL;
++ if (sp->opdata_rsa_d_num != NULL)
++ {
++ BN_free(sp->opdata_rsa_d_num);
++ sp->opdata_rsa_d_num = NULL;
++ }
++ }
++
++ return (ret);
++ }
++
++/*
++ * Destroy RSA key object wrapper. If session is NULL, try to destroy all
++ * objects in the free list.
++ */
++int
++pk11_destroy_rsa_key_objects(PK11_SESSION *session)
++ {
++ int ret = 1;
++ PK11_SESSION *sp = NULL;
++ PK11_SESSION *local_free_session;
++ CK_BBOOL uselock = TRUE;
++
++ if (session != NULL)
++ local_free_session = session;
++ else
++ {
++#ifndef NOPTHREADS
++ (void) pthread_mutex_lock(session_cache[OP_RSA].lock);
++#else
++ CRYPTO_w_lock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++ local_free_session = session_cache[OP_RSA].head;
++ uselock = FALSE;
++ }
++
++ /*
++ * go through the list of sessions and delete key objects
++ */
++ while ((sp = local_free_session) != NULL)
++ {
++ local_free_session = sp->next;
++
++ /*
++ * Do not terminate list traversal if one of the
++ * destroy operations fails.
++ */
++ if (pk11_destroy_rsa_object_pub(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ if (pk11_destroy_rsa_object_priv(sp, uselock) == 0)
++ {
++ ret = 0;
++ continue;
++ }
++ }
++
++#ifndef NOPTHREADS
++ if (session == NULL)
++ (void) pthread_mutex_unlock(session_cache[OP_RSA].lock);
++#else
++ if (session == NULL)
++ CRYPTO_w_unlock(CRYPTO_LOCK_PK11_ENGINE);
++#endif
++
++ return (ret);
++ }
++
++static int pk11_destroy_object(CK_SESSION_HANDLE session, CK_OBJECT_HANDLE oh)
++ {
++ CK_RV rv;
++ rv = pFuncList->C_DestroyObject(session, oh);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_DESTROY_OBJECT, PK11_R_DESTROYOBJECT,
++ rv);
++ return (0);
++ }
++
++ return (1);
++ }
++
++
++/*
++ * Public key mechanisms optionally supported
++ *
++ * CKM_RSA_X_509
++ * CKM_RSA_PKCS
++ *
++ * The first slot that supports at least one of those mechanisms is chosen as a
++ * public key slot.
++ *
++ * The output of this function is a set of global variables indicating which
++ * mechanisms from RSA, DSA, DH and RAND are present, and also two arrays of
++ * mechanisms, one for symmetric ciphers and one for digests. Also, 3 global
++ * variables carry information about which slot was chosen for (a) public key
++ * mechanisms, (b) random operations, and (c) symmetric ciphers and digests.
++ */
++static int
++pk11_choose_slots(int *any_slot_found)
++ {
++ CK_SLOT_ID_PTR pSlotList = NULL_PTR;
++ CK_ULONG ulSlotCount = 0;
++ CK_MECHANISM_INFO mech_info;
++ CK_TOKEN_INFO token_info;
++ unsigned int i;
++ CK_RV rv;
++ CK_SLOT_ID best_slot_sofar = 0;
++ CK_BBOOL found_candidate_slot = CK_FALSE;
++ CK_SLOT_ID current_slot = 0;
++
++ /* let's initialize the output parameter */
++ if (any_slot_found != NULL)
++ *any_slot_found = 0;
++
++ /* Get slot list for memory allocation */
++ rv = pFuncList->C_GetSlotList(0, NULL_PTR, &ulSlotCount);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++ return (0);
++ }
++
++ /* it's not an error if we didn't find any providers */
++ if (ulSlotCount == 0)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: no crypto providers found\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ return (1);
++ }
++
++ pSlotList = OPENSSL_malloc(ulSlotCount * sizeof (CK_SLOT_ID));
++
++ if (pSlotList == NULL)
++ {
++ PK11err(PK11_F_CHOOSE_SLOT, PK11_R_MALLOC_FAILURE);
++ return (0);
++ }
++
++ /* Get the slot list for processing */
++ rv = pFuncList->C_GetSlotList(0, pSlotList, &ulSlotCount);
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_CHOOSE_SLOT, PK11_R_GETSLOTLIST, rv);
++ OPENSSL_free(pSlotList);
++ return (0);
++ }
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: provider: %s\n", PK11_DBG, def_PK11_LIBNAME);
++ fprintf(stderr, "%s: number of slots: %d\n", PK11_DBG, ulSlotCount);
++
++ fprintf(stderr, "%s: == checking rand slots ==\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ for (i = 0; i < ulSlotCount; i++)
++ {
++ current_slot = pSlotList[i];
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif /* DEBUG_SLOT_SELECTION */
++ /* Check if slot has random support. */
++ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++ if (rv != CKR_OK)
++ continue;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ if (token_info.flags & CKF_RNG)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: this token has CKF_RNG flag\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++ pk11_have_random = CK_TRUE;
++ rand_SLOTID = current_slot;
++ break;
++ }
++ }
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: == checking pubkey slots ==\n", PK11_DBG);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ pubkey_SLOTID = pSlotList[0];
++ for (i = 0; i < ulSlotCount; i++)
++ {
++ CK_BBOOL slot_has_rsa = CK_FALSE;
++ current_slot = pSlotList[i];
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: checking slot: %d\n", PK11_DBG, i);
++#endif /* DEBUG_SLOT_SELECTION */
++ rv = pFuncList->C_GetTokenInfo(current_slot, &token_info);
++ if (rv != CKR_OK)
++ continue;
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr, "%s: token label: %.32s\n", PK11_DBG, token_info.label);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ /*
++ * Check if this slot is capable of signing with CKM_RSA_PKCS.
++ */
++ rv = pFuncList->C_GetMechanismInfo(current_slot, CKM_RSA_PKCS,
++ &mech_info);
++
++ if (rv == CKR_OK && ((mech_info.flags & CKF_SIGN)))
++ {
++ slot_has_rsa = CK_TRUE;
++ }
++
++ if (!found_candidate_slot && slot_has_rsa)
++ {
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: potential slot: %d\n", PK11_DBG, current_slot);
++#endif /* DEBUG_SLOT_SELECTION */
++ best_slot_sofar = current_slot;
++ pk11_have_rsa = slot_has_rsa;
++ found_candidate_slot = CK_TRUE;
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: setting found_candidate_slot to CK_TRUE\n",
++ PK11_DBG);
++ fprintf(stderr,
++ "%s: best so far slot: %d\n", PK11_DBG,
++ best_slot_sofar);
++ }
++ else
++ {
++ fprintf(stderr,
++ "%s: no rsa\n", PK11_DBG);
++ }
++#else
++ } /* if */
++#endif /* DEBUG_SLOT_SELECTION */
++ } /* for */
++
++ if (found_candidate_slot)
++ {
++ pubkey_SLOTID = best_slot_sofar;
++ }
++
++ /*SLOTID = pSlotList[0];*/
++
++#ifdef DEBUG_SLOT_SELECTION
++ fprintf(stderr,
++ "%s: chosen pubkey slot: %d\n", PK11_DBG, pubkey_SLOTID);
++ fprintf(stderr,
++ "%s: chosen rand slot: %d\n", PK11_DBG, rand_SLOTID);
++ fprintf(stderr,
++ "%s: pk11_have_rsa %d\n", PK11_DBG, pk11_have_rsa);
++ fprintf(stderr,
++ "%s: pk11_have_random %d\n", PK11_DBG, pk11_have_random);
++#endif /* DEBUG_SLOT_SELECTION */
++
++ if (pSlotList != NULL)
++ OPENSSL_free(pSlotList);
++
++ if (any_slot_found != NULL)
++ *any_slot_found = 1;
++ return (1);
++ }
++
++#endif /* OPENSSL_NO_HW_PK11SO */
++#endif /* OPENSSL_NO_HW_PK11 */
++#endif /* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/hw_pk11so.h
+diff -u /dev/null openssl/crypto/engine/hw_pk11so.h:1.2
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11so.h Mon Oct 5 13:17:03 2009
+@@ -0,0 +1,28 @@
++/* Redefine all pk11/PK11 external symbols to pk11so/PK11SO */
++
++#define find_lock pk11so_find_lock
++#define active_list pk11so_active_list
++#define ERR_pk11_error ERR_pk11so_error
++#define PK11err_add_data PK11SOerr_add_data
++#define pk11_get_session pk11so_get_session
++#define pk11_return_session pk11so_return_session
++#define pk11_active_add pk11so_active_add
++#define pk11_active_delete pk11so_active_delete
++#define pk11_active_remove pk11so_active_remove
++#define pk11_free_active_list pk11so_free_active_list
++#define pk11_destroy_rsa_key_objects pk11so_destroy_rsa_key_objects
++#define pk11_destroy_rsa_object_pub pk11so_destroy_rsa_object_pub
++#define pk11_destroy_rsa_object_priv pk11so_destroy_rsa_object_priv
++#define pk11_load_privkey pk11so_load_privkey
++#define pk11_load_pubkey pk11so_load_pubkey
++#define PK11_RSA PK11SO_RSA
++#define pk11_destroy_dsa_key_objects pk11so_destroy_dsa_key_objects
++#define pk11_destroy_dsa_object_pub pk11so_destroy_dsa_object_pub
++#define pk11_destroy_dsa_object_priv pk11so_destroy_dsa_object_priv
++#define PK11_DSA PK11SO_DSA
++#define pk11_destroy_dh_key_objects pk11so_destroy_dh_key_objects
++#define pk11_destroy_dh_object pk11so_destroy_dh_object
++#define PK11_DH PK11SO_DH
++#define pFuncList pk11so_pFuncList
++#define pk11_pin pk11so_pin
++#define ENGINE_load_pk11 ENGINE_load_pk11so
+Index: openssl/crypto/engine/hw_pk11so_pub.c
+diff -u /dev/null openssl/crypto/engine/hw_pk11so_pub.c:1.2
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/hw_pk11so_pub.c Mon Oct 5 13:17:03 2009
+@@ -0,0 +1,899 @@
++/*
++ * Copyright 2008 Sun Microsystems, Inc. All rights reserved.
++ * Use is subject to license terms.
++ */
++
++/* crypto/engine/hw_pk11_pub.c */
++/*
++ * This product includes software developed by the OpenSSL Project for
++ * use in the OpenSSL Toolkit (http://www.openssl.org/).
++ *
++ * This project also referenced hw_pkcs11-0.9.7b.patch written by
++ * Afchine Madjlessi.
++ */
++/*
++ * ====================================================================
++ * Copyright (c) 2000-2001 The OpenSSL Project. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. All advertising materials mentioning features or use of this
++ * software must display the following acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
++ *
++ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission. For written permission, please contact
++ * licensing@OpenSSL.org.
++ *
++ * 5. Products derived from this software may not be called "OpenSSL"
++ * nor may "OpenSSL" appear in their names without prior written
++ * permission of the OpenSSL Project.
++ *
++ * 6. Redistributions of any form whatsoever must retain the following
++ * acknowledgment:
++ * "This product includes software developed by the OpenSSL Project
++ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
++ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
++ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
++ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ * ====================================================================
++ *
++ * This product includes cryptographic software written by Eric Young
++ * (eay@cryptsoft.com). This product includes software written by Tim
++ * Hudson (tjh@cryptsoft.com).
++ *
++ */
++
++/* Modified to keep only RNG and RSA Sign */
++
++#ifdef OPENSSL_NO_RSA
++#error RSA is disabled
++#endif
++
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/types.h>
++
++#include <openssl/e_os2.h>
++#include <openssl/crypto.h>
++#include <cryptlib.h>
++#include <openssl/engine.h>
++#include <openssl/dso.h>
++#include <openssl/err.h>
++#include <openssl/bn.h>
++#include <openssl/pem.h>
++#include <openssl/rsa.h>
++#include <openssl/rand.h>
++#include <openssl/objects.h>
++#include <openssl/x509.h>
++
++#ifdef OPENSSL_SYS_WIN32
++#define NOPTHREADS
++typedef int pid_t;
++#define HAVE_GETPASSPHRASE
++static char *getpassphrase(const char *prompt);
++#ifndef NULL_PTR
++#define NULL_PTR NULL
++#endif
++#define CK_DEFINE_FUNCTION(returnType, name) \
++ returnType __declspec(dllexport) name
++#define CK_DECLARE_FUNCTION(returnType, name) \
++ returnType __declspec(dllimport) name
++#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ returnType __declspec(dllimport) (* name)
++#else
++#include <unistd.h>
++#endif
++
++#ifndef NOPTHREADS
++#include <pthread.h>
++#endif
++
++#ifndef OPENSSL_NO_HW
++#ifndef OPENSSL_NO_HW_PK11
++#ifndef OPENSSL_NO_HW_PK11SO
++
++#ifndef OPENSSL_NO_DSA
++#define OPENSSL_NO_DSA
++#endif
++#ifndef OPENSSL_NO_DH
++#define OPENSSL_NO_DH
++#endif
++
++#ifdef OPENSSL_SYS_WIN32
++#pragma pack(push, cryptoki, 1)
++#include "cryptoki.h"
++#include "pkcs11.h"
++#pragma pack(pop, cryptoki)
++#else
++#include "cryptoki.h"
++#include "pkcs11.h"
++#endif
++#include "hw_pk11so.h"
++#include "hw_pk11_err.h"
++
++#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
++#define getpassphrase(x) getpass(x)
++#endif
++
++/* RSA stuff */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++ unsigned char *sigret, unsigned int *siglen, const RSA *rsa);
++EVP_PKEY *pk11_load_privkey(ENGINE*, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data);
++EVP_PKEY *pk11_load_pubkey(ENGINE*, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data);
++
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA* rsa, RSA** key_ptr,
++ BIGNUM **rsa_d_num, CK_SESSION_HANDLE session);
++
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa);
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa);
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn);
++
++/* Read mode string to be used for fopen() */
++#if SOLARIS_OPENSSL
++static char *read_mode_flags = "rF";
++#else
++static char *read_mode_flags = "r";
++#endif
++
++/*
++ * increment/create reference for an asymmetric key handle via active list
++ * manipulation. If active list operation fails, unlock (if locked), set error
++ * variable and jump to the specified label.
++ */
++#define KEY_HANDLE_REFHOLD(key_handle, alg_type, unlock, var, label) \
++ { \
++ if (pk11_active_add(key_handle, alg_type) < 0) \
++ { \
++ var = TRUE; \
++ if (unlock) \
++ UNLOCK_OBJSTORE(alg_type); \
++ goto label; \
++ } \
++ }
++
++/*
++ * Find active list entry according to object handle and return pointer to the
++ * entry otherwise return NULL.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++static PK11_active *pk11_active_find(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++ {
++ PK11_active *entry;
++
++ for (entry = active_list[type]; entry != NULL; entry = entry->next)
++ if (entry->h == h)
++ return (entry);
++
++ return (NULL);
++ }
++
++/*
++ * Search for an entry in the active list using PKCS#11 object handle as a
++ * search key and return refcnt of the found/created entry or -1 in case of
++ * failure.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_add(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++ {
++ PK11_active *entry = NULL;
++
++ if (h == CK_INVALID_HANDLE)
++ {
++ PK11err(PK11_F_ACTIVE_ADD, PK11_R_INVALID_HANDLE);
++ return (-1);
++ }
++
++ /* search for entry in the active list */
++ if ((entry = pk11_active_find(h, type)) != NULL)
++ entry->refcnt++;
++ else
++ {
++ /* not found, create new entry and add it to the list */
++ entry = OPENSSL_malloc(sizeof (PK11_active));
++ if (entry == NULL)
++ {
++ PK11err(PK11_F_ACTIVE_ADD, PK11_R_MALLOC_FAILURE);
++ return (-1);
++ }
++ entry->h = h;
++ entry->refcnt = 1;
++ entry->prev = NULL;
++ entry->next = NULL;
++ /* connect the newly created entry to the list */
++ if (active_list[type] == NULL)
++ active_list[type] = entry;
++ else /* make the entry first in the list */
++ {
++ entry->next = active_list[type];
++ active_list[type]->prev = entry;
++ active_list[type] = entry;
++ }
++ }
++
++ return (entry->refcnt);
++ }
++
++/*
++ * Remove active list entry from the list and free it.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++void
++pk11_active_remove(PK11_active *entry, PK11_OPTYPE type)
++ {
++ PK11_active *prev_entry;
++
++ /* remove the entry from the list and free it */
++ if ((prev_entry = entry->prev) != NULL)
++ {
++ prev_entry->next = entry->next;
++ if (entry->next != NULL)
++ entry->next->prev = prev_entry;
++ }
++ else
++ {
++ active_list[type] = entry->next;
++ /* we were the first but not the only one */
++ if (entry->next != NULL)
++ entry->next->prev = NULL;
++ }
++
++ /* sanitization */
++ entry->h = CK_INVALID_HANDLE;
++ entry->prev = NULL;
++ entry->next = NULL;
++ OPENSSL_free(entry);
++ }
++
++/* Free all entries from the active list. */
++void
++pk11_free_active_list(PK11_OPTYPE type)
++ {
++ PK11_active *entry;
++
++ /* only for asymmetric types since only they have C_Find* locks. */
++ switch (type)
++ {
++ case OP_RSA:
++ break;
++ default:
++ return;
++ }
++
++ /* see find_lock array definition for more info on object locking */
++ LOCK_OBJSTORE(type);
++ while ((entry = active_list[type]) != NULL)
++ pk11_active_remove(entry, type);
++ UNLOCK_OBJSTORE(type);
++ }
++
++/*
++ * Search for active list entry associated with given PKCS#11 object handle,
++ * decrement its refcnt and if it drops to 0, disconnect the entry and free it.
++ *
++ * Return 1 if the PKCS#11 object associated with the entry has no references,
++ * return 0 if there is at least one reference, -1 on error.
++ *
++ * This function presumes it is called with lock protecting the active list
++ * held.
++ */
++int
++pk11_active_delete(CK_OBJECT_HANDLE h, PK11_OPTYPE type)
++ {
++ PK11_active *entry = NULL;
++
++ if ((entry = pk11_active_find(h, type)) == NULL)
++ {
++ PK11err(PK11_F_ACTIVE_DELETE, PK11_R_INVALID_HANDLE);
++ return (-1);
++ }
++
++ OPENSSL_assert(entry->refcnt > 0);
++ entry->refcnt--;
++ if (entry->refcnt == 0)
++ {
++ pk11_active_remove(entry, type);
++ return (1);
++ }
++
++ return (0);
++ }
++
++/* Our internal RSA_METHOD that we provide pointers to */
++static RSA_METHOD pk11_rsa;
++
++RSA_METHOD *
++PK11_RSA(void)
++ {
++ const RSA_METHOD *rsa;
++
++ if (pk11_rsa.name == NULL)
++ {
++ rsa = RSA_PKCS1_SSLeay();
++ memcpy(&pk11_rsa, rsa, sizeof(*rsa));
++ pk11_rsa.name = "PKCS#11 RSA method";
++ pk11_rsa.rsa_sign = pk11_RSA_sign;
++ }
++ return (&pk11_rsa);
++ }
++
++/* Size of an SSL signature: MD5+SHA1 */
++#define SSL_SIG_LENGTH 36
++
++/*
++ * Standard engine interface function. Majority codes here are from
++ * rsa/rsa_sign.c. We replaced the decrypt function call by C_Sign of PKCS#11.
++ * See more details in rsa/rsa_sign.c
++ */
++static int pk11_RSA_sign(int type, const unsigned char *m, unsigned int m_len,
++ unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
++ {
++ X509_SIG sig;
++ ASN1_TYPE parameter;
++ int i, j = 0;
++ unsigned char *p, *s = NULL;
++ X509_ALGOR algor;
++ ASN1_OCTET_STRING digest;
++ CK_RV rv;
++ CK_MECHANISM mech_rsa = {CKM_RSA_PKCS, NULL, 0};
++ CK_MECHANISM *p_mech = &mech_rsa;
++ CK_OBJECT_HANDLE h_priv_key;
++ PK11_SESSION *sp = NULL;
++ int ret = 0;
++ unsigned long ulsiglen;
++
++ /* Encode the digest */
++ /* Special case: SSL signature, just check the length */
++ if (type == NID_md5_sha1)
++ {
++ if (m_len != SSL_SIG_LENGTH)
++ {
++ PK11err(PK11_F_RSA_SIGN,
++ PK11_R_INVALID_MESSAGE_LENGTH);
++ goto err;
++ }
++ i = SSL_SIG_LENGTH;
++ s = (unsigned char *)m;
++ }
++ else
++ {
++ sig.algor = &algor;
++ sig.algor->algorithm = OBJ_nid2obj(type);
++ if (sig.algor->algorithm == NULL)
++ {
++ PK11err(PK11_F_RSA_SIGN,
++ PK11_R_UNKNOWN_ALGORITHM_TYPE);
++ goto err;
++ }
++ if (sig.algor->algorithm->length == 0)
++ {
++ PK11err(PK11_F_RSA_SIGN,
++ PK11_R_UNKNOWN_ASN1_OBJECT_ID);
++ goto err;
++ }
++ parameter.type = V_ASN1_NULL;
++ parameter.value.ptr = NULL;
++ sig.algor->parameter = ¶meter;
++
++ sig.digest = &digest;
++ sig.digest->data = (unsigned char *)m;
++ sig.digest->length = m_len;
++
++ i = i2d_X509_SIG(&sig, NULL);
++ }
++
++ j = RSA_size(rsa);
++ if ((i - RSA_PKCS1_PADDING) > j)
++ {
++ PK11err(PK11_F_RSA_SIGN, PK11_R_DIGEST_TOO_BIG);
++ goto err;
++ }
++
++ if (type != NID_md5_sha1)
++ {
++ s = (unsigned char *)OPENSSL_malloc((unsigned int)(j + 1));
++ if (s == NULL)
++ {
++ PK11err(PK11_F_RSA_SIGN, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ p = s;
++ (void) i2d_X509_SIG(&sig, &p);
++ }
++
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ goto err;
++
++ (void) check_new_rsa_key_priv(sp, rsa);
++
++ h_priv_key = sp->opdata_rsa_priv_key;
++ if (h_priv_key == CK_INVALID_HANDLE)
++ h_priv_key = sp->opdata_rsa_priv_key =
++ pk11_get_private_rsa_key((RSA *)rsa,
++ &sp->opdata_rsa_priv,
++ &sp->opdata_rsa_d_num, sp->session);
++
++ if (h_priv_key != CK_INVALID_HANDLE)
++ {
++ rv = pFuncList->C_SignInit(sp->session, p_mech, h_priv_key);
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGNINIT, rv);
++ goto err;
++ }
++
++ ulsiglen = j;
++ rv = pFuncList->C_Sign(sp->session, s, i, sigret,
++ (CK_ULONG_PTR) &ulsiglen);
++ *siglen = ulsiglen;
++
++ if (rv != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_RSA_SIGN, PK11_R_SIGN, rv);
++ goto err;
++ }
++ ret = 1;
++ }
++
++err:
++ if ((type != NID_md5_sha1) && (s != NULL))
++ {
++ (void) memset(s, 0, (unsigned int)(j + 1));
++ OPENSSL_free(s);
++ }
++
++ pk11_return_session(sp, OP_RSA);
++ return (ret);
++ }
++
++static int hndidx_rsa = -1;
++
++/* load RSA private key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_privkey(ENGINE *e, const char *privkey_file,
++ UI_METHOD *ui_method, void *callback_data)
++ {
++ EVP_PKEY *pkey = NULL;
++ FILE *privkey;
++ RSA *rsa;
++ PK11_SESSION *sp = NULL;
++ /* everything else below needed for key by reference extension */
++ CK_RV rv;
++ CK_ULONG objcnt = 0;
++ CK_BBOOL is_token = TRUE;
++ CK_BYTE attr_data[2][1024];
++ CK_OBJECT_CLASS key_class = CKO_PRIVATE_KEY;
++ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */
++ extern char *pk11_pin;
++
++ /* we look for private keys only */
++ CK_ATTRIBUTE search_templ[] =
++ {
++ {CKA_TOKEN, &is_token, sizeof(is_token)},
++ {CKA_CLASS, &key_class, sizeof(key_class)},
++ {CKA_LABEL, NULL, 0}
++ };
++
++ /* these attributes are needed to initialize OpenSSL RSA structure */
++ CK_ATTRIBUTE get_templ[] =
++ {
++ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
++ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
++ };
++
++ /*
++ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
++ */
++ if (strstr(privkey_file, "pkcs11:") == privkey_file)
++ {
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (NULL);
++
++ search_templ[2].pValue = strstr(privkey_file, ":") + 1;
++ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++ if (pk11_pin == NULL)
++ {
++ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++ if (pk11_pin == NULL)
++ {
++ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ }
++ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++ {
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_INVALID_PIN, rv);
++ goto err;
++ }
++
++ LOCK_OBJSTORE(OP_RSA);
++ if ((rv = pFuncList->C_FindObjectsInit(sp->session,
++ search_templ, 3)) != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++
++ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++ if (rv != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ if (objcnt > 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_TOO_MANY_OBJECTS);
++ goto err;
++ }
++
++ if (objcnt != 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PRIVKEY, PK11_R_OBJECT_NOT_FOUND);
++ goto err;
++ }
++
++ (void) pFuncList->C_FindObjectsFinal(sp->session);
++ UNLOCK_OBJSTORE(OP_RSA);
++
++ if (hndidx_rsa == -1)
++ hndidx_rsa = RSA_get_ex_new_index(0,
++ "pkcs11 RSA HSM key handle",
++ NULL, NULL, NULL);
++
++ pkey = EVP_PKEY_new();
++ if (pkey == NULL)
++ goto err;
++
++ rsa = RSA_new_method(e);
++ if (rsa == NULL) {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ goto err;
++ }
++ EVP_PKEY_assign_RSA(pkey, rsa);
++
++ if ((rv = pFuncList->C_GetAttributeValue(sp->session, ks_key,
++ get_templ, 2)) != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LOAD_PRIVKEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ goto err;
++ }
++
++ /* Note: these flags are critical! */
++ rsa->flags = RSA_FLAG_SIGN_VER | RSA_FLAG_EXT_PKEY;
++ RSA_set_ex_data(rsa, hndidx_rsa, (void *) ks_key);
++ (void) check_new_rsa_key_priv(sp, rsa);
++ sp->opdata_rsa_priv = rsa;
++ sp->opdata_rsa_priv_key = ks_key;
++
++ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++ }
++ else if ((privkey = fopen(privkey_file, read_mode_flags)) != NULL)
++ {
++ pkey = PEM_read_PrivateKey(privkey, NULL, NULL, NULL);
++ (void) fclose(privkey);
++ }
++
++err:
++ if (sp != NULL)
++ pk11_return_session(sp, OP_RSA);
++ return (pkey);
++ }
++
++/* load RSA public key from a file */
++/* ARGSUSED */
++EVP_PKEY *pk11_load_pubkey(ENGINE *e, const char *pubkey_file,
++ UI_METHOD *ui_method, void *callback_data)
++ {
++ EVP_PKEY *pkey = NULL;
++ FILE *pubkey;
++ RSA *rsa;
++ PK11_SESSION *sp = NULL;
++ /* everything else below needed for key by reference extension */
++ CK_RV rv;
++ CK_ULONG objcnt = 0;
++ CK_BBOOL is_token = TRUE;
++ CK_BYTE attr_data[2][1024];
++ CK_OBJECT_CLASS key_class = CKO_PUBLIC_KEY;
++ CK_OBJECT_HANDLE ks_key = CK_INVALID_HANDLE; /* key in keystore */
++ extern char *pk11_pin;
++
++ /* we look for public keys only */
++ CK_ATTRIBUTE search_templ[] =
++ {
++ {CKA_TOKEN, &is_token, sizeof(is_token)},
++ {CKA_CLASS, &key_class, sizeof(key_class)},
++ {CKA_LABEL, NULL, 0}
++ };
++
++ /* these attributes are needed to initialize OpenSSL RSA structure */
++ CK_ATTRIBUTE get_templ[] =
++ {
++ {CKA_MODULUS, (void *)attr_data[0], 1024}, /* n */
++ {CKA_PUBLIC_EXPONENT, (void *)attr_data[1], 1024}, /* e */
++ };
++
++ /*
++ * Use simple scheme "pkcs11:<KEY_LABEL>" for now.
++ */
++ if (strstr(pubkey_file, "pkcs11:") == pubkey_file)
++ {
++ if ((sp = pk11_get_session(OP_RSA)) == NULL)
++ return (NULL);
++
++ search_templ[2].pValue = strstr(pubkey_file, ":") + 1;
++ search_templ[2].ulValueLen = strlen(search_templ[2].pValue);
++
++#define ALLWAYS_LOGIN
++#ifdef ALLWAYS_LOGIN
++ if (pk11_pin == NULL)
++ {
++ pk11_pin = BUF_strdup(getpassphrase("Enter PIN: "));
++
++ if (pk11_pin == NULL)
++ {
++ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_MALLOC_FAILURE);
++ goto err;
++ }
++ }
++ if ((rv = pFuncList->C_Login(sp->session, CKU_USER, (CK_UTF8CHAR*)pk11_pin,
++ strlen(pk11_pin))) != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN)
++ {
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_INVALID_PIN, rv);
++ goto err;
++ }
++#endif
++
++ LOCK_OBJSTORE(OP_RSA);
++ if (pFuncList->C_FindObjectsInit(sp->session, search_templ, 3) != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_FINDOBJECTSINIT, rv);
++ goto err;
++ }
++ rv = pFuncList->C_FindObjects(sp->session, &ks_key, 1, &objcnt);
++ if (rv != CKR_OK)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_FINDOBJECTS, rv);
++ goto err;
++ }
++
++ if (objcnt > 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_TOO_MANY_OBJECTS);
++ goto err;
++ }
++
++ if (objcnt != 1)
++ {
++ UNLOCK_OBJSTORE(OP_RSA);
++ PK11err(PK11_F_LOAD_PUBKEY, PK11_R_OBJECT_NOT_FOUND);
++ goto err;
++ }
++
++ (void) pFuncList->C_FindObjectsFinal(sp->session);
++ UNLOCK_OBJSTORE(OP_RSA);
++
++ sp->opdata_rsa_pub_key = ks_key;
++ pkey = EVP_PKEY_new();
++ if (pkey == NULL)
++ goto err;
++
++ rsa = RSA_new_method(e);
++ if (rsa == NULL) {
++ EVP_PKEY_free(pkey);
++ pkey = NULL;
++ goto err;
++ }
++ EVP_PKEY_assign_RSA(pkey, rsa);
++
++ if (pFuncList->C_GetAttributeValue(sp->session, ks_key,
++ get_templ, 2) != CKR_OK)
++ {
++ PK11err_add_data(PK11_F_LOAD_PUBKEY,
++ PK11_R_GETATTRIBUTVALUE, rv);
++ goto err;
++ }
++
++ (void) check_new_rsa_key_pub(sp, rsa);
++ sp->opdata_rsa_pub = rsa;
++
++ attr_to_BN(&get_templ[0], attr_data[0], &rsa->n);
++ attr_to_BN(&get_templ[1], attr_data[1], &rsa->e);
++ }
++ else if ((pubkey = fopen(pubkey_file, read_mode_flags)) != NULL)
++ {
++ pkey = PEM_read_PUBKEY(pubkey, NULL, NULL, NULL);
++ (void) fclose(pubkey);
++ }
++
++err:
++ if (sp != NULL)
++ pk11_return_session(sp, OP_RSA);
++ return (pkey);
++ }
++
++/*
++ * Create a private key object in the session from a given rsa structure.
++ * The *rsa_d_num pointer is non-NULL for RSA private keys.
++ */
++static CK_OBJECT_HANDLE pk11_get_private_rsa_key(RSA *rsa,
++ RSA **key_ptr, BIGNUM **rsa_d_num, CK_SESSION_HANDLE session)
++ {
++ CK_OBJECT_HANDLE h_key = CK_INVALID_HANDLE;
++
++ if ((rsa->flags & RSA_FLAG_EXT_PKEY) == 0) {
++ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_INCONSISTENT_KEY);
++ return (h_key);
++ }
++
++ h_key = (CK_OBJECT_HANDLE)RSA_get_ex_data(rsa, hndidx_rsa);
++ (void) pk11_active_add(h_key, OP_RSA);
++ if (key_ptr != NULL)
++ *key_ptr = rsa;
++ if (rsa_d_num != NULL)
++ {
++ if (rsa->d == NULL)
++ *rsa_d_num = NULL;
++ else if ((*rsa_d_num = BN_dup(rsa->d)) == NULL)
++ {
++ PK11err(PK11_F_GET_PRIV_RSA_KEY, PK11_R_MALLOC_FAILURE);
++ return (h_key);
++ }
++ }
++ return (h_key);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_pub(PK11_SESSION *sp, const RSA *rsa)
++ {
++ /*
++ * Provide protection against RSA structure reuse by making the
++ * check for cache hit stronger. Only public components of RSA
++ * key matter here so it is sufficient to compare them with values
++ * cached in PK11_SESSION structure.
++ */
++ if ((sp->opdata_rsa_pub != rsa) ||
++ (BN_cmp(sp->opdata_rsa_n_num, rsa->n) != 0) ||
++ (BN_cmp(sp->opdata_rsa_e_num, rsa->e) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_rsa_object_pub(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++
++/*
++ * Check for cache miss and clean the object pointer and handle
++ * in such case. Return 1 for cache hit, 0 for cache miss.
++ */
++static int check_new_rsa_key_priv(PK11_SESSION *sp, const RSA *rsa)
++ {
++ /*
++ * Provide protection against RSA structure reuse by making the
++ * check for cache hit stronger. Comparing private exponent of RSA
++ * key with value cached in PK11_SESSION structure should
++ * be sufficient.
++ */
++ if ((sp->opdata_rsa_priv != rsa) ||
++ (BN_cmp(sp->opdata_rsa_d_num, rsa->d) != 0) ||
++ ((rsa->flags & RSA_FLAG_EXT_PKEY) != 0))
++ {
++ /*
++ * We do not check the return value because even in case of
++ * failure the sp structure will have both key pointer
++ * and object handle cleaned and pk11_destroy_object()
++ * reports the failure to the OpenSSL error message buffer.
++ */
++ (void) pk11_destroy_rsa_object_priv(sp, TRUE);
++ return (0);
++ }
++ return (1);
++ }
++
++static void attr_to_BN(CK_ATTRIBUTE_PTR attr, CK_BYTE attr_data[], BIGNUM **bn)
++ {
++ if (attr->ulValueLen > 0)
++ {
++ *bn = BN_bin2bn(attr_data, attr->ulValueLen, NULL);
++ }
++ }
++
++#ifdef OPENSSL_SYS_WIN32
++char *getpassphrase(const char *prompt)
++ {
++ static char buf[128];
++ HANDLE h;
++ DWORD cc, mode;
++ int cnt;
++
++ h = GetStdHandle(STD_INPUT_HANDLE);
++ fputs(prompt, stderr);
++ fflush(stderr);
++ fflush(stdout);
++ FlushConsoleInputBuffer(h);
++ GetConsoleMode(h, &mode);
++ SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
++
++ for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
++ {
++ ReadFile(h, buf + cnt, 1, &cc, NULL);
++ if (buf[cnt] == '\r')
++ break;
++ fputc('*', stdout);
++ fflush(stderr);
++ fflush(stdout);
++ }
++
++ SetConsoleMode(h, mode);
++ buf[cnt] = '\0';
++ fputs("\n", stderr);
++ return buf;
++ }
++#endif /* OPENSSL_SYS_WIN32 */
++#endif /* OPENSSL_NO_HW_PK11SO */
++#endif /* OPENSSL_NO_HW_PK11 */
++#endif /* OPENSSL_NO_HW */
+Index: openssl/crypto/engine/pkcs11.h
+diff -u /dev/null openssl/crypto/engine/pkcs11.h:1.1.1.1
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/pkcs11.h Wed Oct 24 23:27:09 2007
+@@ -0,0 +1,299 @@
++/* pkcs11.h include file for PKCS #11. */
++/* $Revision: 1.1 $ */
++
++/* License to copy and use this software is granted provided that it is
++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++ * (Cryptoki)" in all material mentioning or referencing this software.
++
++ * License is also granted to make and use derivative works provided that
++ * such works are identified as "derived from the RSA Security Inc. PKCS #11
++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
++ * referencing the derived work.
++
++ * RSA Security Inc. makes no representations concerning either the
++ * merchantability of this software or the suitability of this software for
++ * any particular purpose. It is provided "as is" without express or implied
++ * warranty of any kind.
++ */
++
++#ifndef _PKCS11_H_
++#define _PKCS11_H_ 1
++
++#ifdef __cplusplus
++extern "C" {
++#endif
++
++/* Before including this file (pkcs11.h) (or pkcs11t.h by
++ * itself), 6 platform-specific macros must be defined. These
++ * macros are described below, and typical definitions for them
++ * are also given. Be advised that these definitions can depend
++ * on both the platform and the compiler used (and possibly also
++ * on whether a Cryptoki library is linked statically or
++ * dynamically).
++ *
++ * In addition to defining these 6 macros, the packing convention
++ * for Cryptoki structures should be set. The Cryptoki
++ * convention on packing is that structures should be 1-byte
++ * aligned.
++ *
++ * If you're using Microsoft Developer Studio 5.0 to produce
++ * Win32 stuff, this might be done by using the following
++ * preprocessor directive before including pkcs11.h or pkcs11t.h:
++ *
++ * #pragma pack(push, cryptoki, 1)
++ *
++ * and using the following preprocessor directive after including
++ * pkcs11.h or pkcs11t.h:
++ *
++ * #pragma pack(pop, cryptoki)
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to produce Win16 stuff, this might be done by using
++ * the following preprocessor directive before including
++ * pkcs11.h or pkcs11t.h:
++ *
++ * #pragma pack(1)
++ *
++ * In a UNIX environment, you're on your own for this. You might
++ * not need to do (or be able to do!) anything.
++ *
++ *
++ * Now for the macros:
++ *
++ *
++ * 1. CK_PTR: The indirection string for making a pointer to an
++ * object. It can be used like this:
++ *
++ * typedef CK_BYTE CK_PTR CK_BYTE_PTR;
++ *
++ * If you're using Microsoft Developer Studio 5.0 to produce
++ * Win32 stuff, it might be defined by:
++ *
++ * #define CK_PTR *
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to produce Win16 stuff, it might be defined by:
++ *
++ * #define CK_PTR far *
++ *
++ * In a typical UNIX environment, it might be defined by:
++ *
++ * #define CK_PTR *
++ *
++ *
++ * 2. CK_DEFINE_FUNCTION(returnType, name): A macro which makes
++ * an exportable Cryptoki library function definition out of a
++ * return type and a function name. It should be used in the
++ * following fashion to define the exposed Cryptoki functions in
++ * a Cryptoki library:
++ *
++ * CK_DEFINE_FUNCTION(CK_RV, C_Initialize)(
++ * CK_VOID_PTR pReserved
++ * )
++ * {
++ * ...
++ * }
++ *
++ * If you're using Microsoft Developer Studio 5.0 to define a
++ * function in a Win32 Cryptoki .dll, it might be defined by:
++ *
++ * #define CK_DEFINE_FUNCTION(returnType, name) \
++ * returnType __declspec(dllexport) name
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to define a function in a Win16 Cryptoki .dll, it
++ * might be defined by:
++ *
++ * #define CK_DEFINE_FUNCTION(returnType, name) \
++ * returnType __export _far _pascal name
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_DEFINE_FUNCTION(returnType, name) \
++ * returnType name
++ *
++ *
++ * 3. CK_DECLARE_FUNCTION(returnType, name): A macro which makes
++ * an importable Cryptoki library function declaration out of a
++ * return type and a function name. It should be used in the
++ * following fashion:
++ *
++ * extern CK_DECLARE_FUNCTION(CK_RV, C_Initialize)(
++ * CK_VOID_PTR pReserved
++ * );
++ *
++ * If you're using Microsoft Developer Studio 5.0 to declare a
++ * function in a Win32 Cryptoki .dll, it might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION(returnType, name) \
++ * returnType __declspec(dllimport) name
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to declare a function in a Win16 Cryptoki .dll, it
++ * might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION(returnType, name) \
++ * returnType __export _far _pascal name
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION(returnType, name) \
++ * returnType name
++ *
++ *
++ * 4. CK_DECLARE_FUNCTION_POINTER(returnType, name): A macro
++ * which makes a Cryptoki API function pointer declaration or
++ * function pointer type declaration out of a return type and a
++ * function name. It should be used in the following fashion:
++ *
++ * // Define funcPtr to be a pointer to a Cryptoki API function
++ * // taking arguments args and returning CK_RV.
++ * CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtr)(args);
++ *
++ * or
++ *
++ * // Define funcPtrType to be the type of a pointer to a
++ * // Cryptoki API function taking arguments args and returning
++ * // CK_RV, and then define funcPtr to be a variable of type
++ * // funcPtrType.
++ * typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, funcPtrType)(args);
++ * funcPtrType funcPtr;
++ *
++ * If you're using Microsoft Developer Studio 5.0 to access
++ * functions in a Win32 Cryptoki .dll, in might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ * returnType __declspec(dllimport) (* name)
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to access functions in a Win16 Cryptoki .dll, it might
++ * be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ * returnType __export _far _pascal (* name)
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
++ * returnType (* name)
++ *
++ *
++ * 5. CK_CALLBACK_FUNCTION(returnType, name): A macro which makes
++ * a function pointer type for an application callback out of
++ * a return type for the callback and a name for the callback.
++ * It should be used in the following fashion:
++ *
++ * CK_CALLBACK_FUNCTION(CK_RV, myCallback)(args);
++ *
++ * to declare a function pointer, myCallback, to a callback
++ * which takes arguments args and returns a CK_RV. It can also
++ * be used like this:
++ *
++ * typedef CK_CALLBACK_FUNCTION(CK_RV, myCallbackType)(args);
++ * myCallbackType myCallback;
++ *
++ * If you're using Microsoft Developer Studio 5.0 to do Win32
++ * Cryptoki development, it might be defined by:
++ *
++ * #define CK_CALLBACK_FUNCTION(returnType, name) \
++ * returnType (* name)
++ *
++ * If you're using an earlier version of Microsoft Developer
++ * Studio to do Win16 development, it might be defined by:
++ *
++ * #define CK_CALLBACK_FUNCTION(returnType, name) \
++ * returnType _far _pascal (* name)
++ *
++ * In a UNIX environment, it might be defined by:
++ *
++ * #define CK_CALLBACK_FUNCTION(returnType, name) \
++ * returnType (* name)
++ *
++ *
++ * 6. NULL_PTR: This macro is the value of a NULL pointer.
++ *
++ * In any ANSI/ISO C environment (and in many others as well),
++ * this should best be defined by
++ *
++ * #ifndef NULL_PTR
++ * #define NULL_PTR 0
++ * #endif
++ */
++
++
++/* All the various Cryptoki types and #define'd values are in the
++ * file pkcs11t.h. */
++#include "pkcs11t.h"
++
++#define __PASTE(x,y) x##y
++
++
++/* ==============================================================
++ * Define the "extern" form of all the entry points.
++ * ==============================================================
++ */
++
++#define CK_NEED_ARG_LIST 1
++#define CK_PKCS11_FUNCTION_INFO(name) \
++ extern CK_DECLARE_FUNCTION(CK_RV, name)
++
++/* pkcs11f.h has all the information about the Cryptoki
++ * function prototypes. */
++#include "pkcs11f.h"
++
++#undef CK_NEED_ARG_LIST
++#undef CK_PKCS11_FUNCTION_INFO
++
++
++/* ==============================================================
++ * Define the typedef form of all the entry points. That is, for
++ * each Cryptoki function C_XXX, define a type CK_C_XXX which is
++ * a pointer to that kind of function.
++ * ==============================================================
++ */
++
++#define CK_NEED_ARG_LIST 1
++#define CK_PKCS11_FUNCTION_INFO(name) \
++ typedef CK_DECLARE_FUNCTION_POINTER(CK_RV, __PASTE(CK_,name))
++
++/* pkcs11f.h has all the information about the Cryptoki
++ * function prototypes. */
++#include "pkcs11f.h"
++
++#undef CK_NEED_ARG_LIST
++#undef CK_PKCS11_FUNCTION_INFO
++
++
++/* ==============================================================
++ * Define structed vector of entry points. A CK_FUNCTION_LIST
++ * contains a CK_VERSION indicating a library's Cryptoki version
++ * and then a whole slew of function pointers to the routines in
++ * the library. This type was declared, but not defined, in
++ * pkcs11t.h.
++ * ==============================================================
++ */
++
++#define CK_PKCS11_FUNCTION_INFO(name) \
++ __PASTE(CK_,name) name;
++
++struct CK_FUNCTION_LIST {
++
++ CK_VERSION version; /* Cryptoki version */
++
++/* Pile all the function pointers into the CK_FUNCTION_LIST. */
++/* pkcs11f.h has all the information about the Cryptoki
++ * function prototypes. */
++#include "pkcs11f.h"
++
++};
++
++#undef CK_PKCS11_FUNCTION_INFO
++
++
++#undef __PASTE
++
++#ifdef __cplusplus
++}
++#endif
++
++#endif
+Index: openssl/crypto/engine/pkcs11f.h
+diff -u /dev/null openssl/crypto/engine/pkcs11f.h:1.1.1.1
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/pkcs11f.h Wed Oct 24 23:27:09 2007
+@@ -0,0 +1,912 @@
++/* pkcs11f.h include file for PKCS #11. */
++/* $Revision: 1.1 $ */
++
++/* License to copy and use this software is granted provided that it is
++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++ * (Cryptoki)" in all material mentioning or referencing this software.
++
++ * License is also granted to make and use derivative works provided that
++ * such works are identified as "derived from the RSA Security Inc. PKCS #11
++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
++ * referencing the derived work.
++
++ * RSA Security Inc. makes no representations concerning either the
++ * merchantability of this software or the suitability of this software for
++ * any particular purpose. It is provided "as is" without express or implied
++ * warranty of any kind.
++ */
++
++/* This header file contains pretty much everything about all the */
++/* Cryptoki function prototypes. Because this information is */
++/* used for more than just declaring function prototypes, the */
++/* order of the functions appearing herein is important, and */
++/* should not be altered. */
++
++/* General-purpose */
++
++/* C_Initialize initializes the Cryptoki library. */
++CK_PKCS11_FUNCTION_INFO(C_Initialize)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_VOID_PTR pInitArgs /* if this is not NULL_PTR, it gets
++ * cast to CK_C_INITIALIZE_ARGS_PTR
++ * and dereferenced */
++);
++#endif
++
++
++/* C_Finalize indicates that an application is done with the
++ * Cryptoki library. */
++CK_PKCS11_FUNCTION_INFO(C_Finalize)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_VOID_PTR pReserved /* reserved. Should be NULL_PTR */
++);
++#endif
++
++
++/* C_GetInfo returns general information about Cryptoki. */
++CK_PKCS11_FUNCTION_INFO(C_GetInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_INFO_PTR pInfo /* location that receives information */
++);
++#endif
++
++
++/* C_GetFunctionList returns the function list. */
++CK_PKCS11_FUNCTION_INFO(C_GetFunctionList)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_FUNCTION_LIST_PTR_PTR ppFunctionList /* receives pointer to
++ * function list */
++);
++#endif
++
++
++
++/* Slot and token management */
++
++/* C_GetSlotList obtains a list of slots in the system. */
++CK_PKCS11_FUNCTION_INFO(C_GetSlotList)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_BBOOL tokenPresent, /* only slots with tokens? */
++ CK_SLOT_ID_PTR pSlotList, /* receives array of slot IDs */
++ CK_ULONG_PTR pulCount /* receives number of slots */
++);
++#endif
++
++
++/* C_GetSlotInfo obtains information about a particular slot in
++ * the system. */
++CK_PKCS11_FUNCTION_INFO(C_GetSlotInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SLOT_ID slotID, /* the ID of the slot */
++ CK_SLOT_INFO_PTR pInfo /* receives the slot information */
++);
++#endif
++
++
++/* C_GetTokenInfo obtains information about a particular token
++ * in the system. */
++CK_PKCS11_FUNCTION_INFO(C_GetTokenInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SLOT_ID slotID, /* ID of the token's slot */
++ CK_TOKEN_INFO_PTR pInfo /* receives the token information */
++);
++#endif
++
++
++/* C_GetMechanismList obtains a list of mechanism types
++ * supported by a token. */
++CK_PKCS11_FUNCTION_INFO(C_GetMechanismList)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SLOT_ID slotID, /* ID of token's slot */
++ CK_MECHANISM_TYPE_PTR pMechanismList, /* gets mech. array */
++ CK_ULONG_PTR pulCount /* gets # of mechs. */
++);
++#endif
++
++
++/* C_GetMechanismInfo obtains information about a particular
++ * mechanism possibly supported by a token. */
++CK_PKCS11_FUNCTION_INFO(C_GetMechanismInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SLOT_ID slotID, /* ID of the token's slot */
++ CK_MECHANISM_TYPE type, /* type of mechanism */
++ CK_MECHANISM_INFO_PTR pInfo /* receives mechanism info */
++);
++#endif
++
++
++/* C_InitToken initializes a token. */
++CK_PKCS11_FUNCTION_INFO(C_InitToken)
++#ifdef CK_NEED_ARG_LIST
++/* pLabel changed from CK_CHAR_PTR to CK_UTF8CHAR_PTR for v2.10 */
++(
++ CK_SLOT_ID slotID, /* ID of the token's slot */
++ CK_UTF8CHAR_PTR pPin, /* the SO's initial PIN */
++ CK_ULONG ulPinLen, /* length in bytes of the PIN */
++ CK_UTF8CHAR_PTR pLabel /* 32-byte token label (blank padded) */
++);
++#endif
++
++
++/* C_InitPIN initializes the normal user's PIN. */
++CK_PKCS11_FUNCTION_INFO(C_InitPIN)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_UTF8CHAR_PTR pPin, /* the normal user's PIN */
++ CK_ULONG ulPinLen /* length in bytes of the PIN */
++);
++#endif
++
++
++/* C_SetPIN modifies the PIN of the user who is logged in. */
++CK_PKCS11_FUNCTION_INFO(C_SetPIN)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_UTF8CHAR_PTR pOldPin, /* the old PIN */
++ CK_ULONG ulOldLen, /* length of the old PIN */
++ CK_UTF8CHAR_PTR pNewPin, /* the new PIN */
++ CK_ULONG ulNewLen /* length of the new PIN */
++);
++#endif
++
++
++
++/* Session management */
++
++/* C_OpenSession opens a session between an application and a
++ * token. */
++CK_PKCS11_FUNCTION_INFO(C_OpenSession)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SLOT_ID slotID, /* the slot's ID */
++ CK_FLAGS flags, /* from CK_SESSION_INFO */
++ CK_VOID_PTR pApplication, /* passed to callback */
++ CK_NOTIFY Notify, /* callback function */
++ CK_SESSION_HANDLE_PTR phSession /* gets session handle */
++);
++#endif
++
++
++/* C_CloseSession closes a session between an application and a
++ * token. */
++CK_PKCS11_FUNCTION_INFO(C_CloseSession)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession /* the session's handle */
++);
++#endif
++
++
++/* C_CloseAllSessions closes all sessions with a token. */
++CK_PKCS11_FUNCTION_INFO(C_CloseAllSessions)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SLOT_ID slotID /* the token's slot */
++);
++#endif
++
++
++/* C_GetSessionInfo obtains information about the session. */
++CK_PKCS11_FUNCTION_INFO(C_GetSessionInfo)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_SESSION_INFO_PTR pInfo /* receives session info */
++);
++#endif
++
++
++/* C_GetOperationState obtains the state of the cryptographic operation
++ * in a session. */
++CK_PKCS11_FUNCTION_INFO(C_GetOperationState)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pOperationState, /* gets state */
++ CK_ULONG_PTR pulOperationStateLen /* gets state length */
++);
++#endif
++
++
++/* C_SetOperationState restores the state of the cryptographic
++ * operation in a session. */
++CK_PKCS11_FUNCTION_INFO(C_SetOperationState)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pOperationState, /* holds state */
++ CK_ULONG ulOperationStateLen, /* holds state length */
++ CK_OBJECT_HANDLE hEncryptionKey, /* en/decryption key */
++ CK_OBJECT_HANDLE hAuthenticationKey /* sign/verify key */
++);
++#endif
++
++
++/* C_Login logs a user into a token. */
++CK_PKCS11_FUNCTION_INFO(C_Login)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_USER_TYPE userType, /* the user type */
++ CK_UTF8CHAR_PTR pPin, /* the user's PIN */
++ CK_ULONG ulPinLen /* the length of the PIN */
++);
++#endif
++
++
++/* C_Logout logs a user out from a token. */
++CK_PKCS11_FUNCTION_INFO(C_Logout)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession /* the session's handle */
++);
++#endif
++
++
++
++/* Object management */
++
++/* C_CreateObject creates a new object. */
++CK_PKCS11_FUNCTION_INFO(C_CreateObject)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_ATTRIBUTE_PTR pTemplate, /* the object's template */
++ CK_ULONG ulCount, /* attributes in template */
++ CK_OBJECT_HANDLE_PTR phObject /* gets new object's handle. */
++);
++#endif
++
++
++/* C_CopyObject copies an object, creating a new object for the
++ * copy. */
++CK_PKCS11_FUNCTION_INFO(C_CopyObject)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_OBJECT_HANDLE hObject, /* the object's handle */
++ CK_ATTRIBUTE_PTR pTemplate, /* template for new object */
++ CK_ULONG ulCount, /* attributes in template */
++ CK_OBJECT_HANDLE_PTR phNewObject /* receives handle of copy */
++);
++#endif
++
++
++/* C_DestroyObject destroys an object. */
++CK_PKCS11_FUNCTION_INFO(C_DestroyObject)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_OBJECT_HANDLE hObject /* the object's handle */
++);
++#endif
++
++
++/* C_GetObjectSize gets the size of an object in bytes. */
++CK_PKCS11_FUNCTION_INFO(C_GetObjectSize)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_OBJECT_HANDLE hObject, /* the object's handle */
++ CK_ULONG_PTR pulSize /* receives size of object */
++);
++#endif
++
++
++/* C_GetAttributeValue obtains the value of one or more object
++ * attributes. */
++CK_PKCS11_FUNCTION_INFO(C_GetAttributeValue)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_OBJECT_HANDLE hObject, /* the object's handle */
++ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs; gets vals */
++ CK_ULONG ulCount /* attributes in template */
++);
++#endif
++
++
++/* C_SetAttributeValue modifies the value of one or more object
++ * attributes */
++CK_PKCS11_FUNCTION_INFO(C_SetAttributeValue)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_OBJECT_HANDLE hObject, /* the object's handle */
++ CK_ATTRIBUTE_PTR pTemplate, /* specifies attrs and values */
++ CK_ULONG ulCount /* attributes in template */
++);
++#endif
++
++
++/* C_FindObjectsInit initializes a search for token and session
++ * objects that match a template. */
++CK_PKCS11_FUNCTION_INFO(C_FindObjectsInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_ATTRIBUTE_PTR pTemplate, /* attribute values to match */
++ CK_ULONG ulCount /* attrs in search template */
++);
++#endif
++
++
++/* C_FindObjects continues a search for token and session
++ * objects that match a template, obtaining additional object
++ * handles. */
++CK_PKCS11_FUNCTION_INFO(C_FindObjects)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_OBJECT_HANDLE_PTR phObject, /* gets obj. handles */
++ CK_ULONG ulMaxObjectCount, /* max handles to get */
++ CK_ULONG_PTR pulObjectCount /* actual # returned */
++);
++#endif
++
++
++/* C_FindObjectsFinal finishes a search for token and session
++ * objects. */
++CK_PKCS11_FUNCTION_INFO(C_FindObjectsFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession /* the session's handle */
++);
++#endif
++
++
++
++/* Encryption and decryption */
++
++/* C_EncryptInit initializes an encryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_EncryptInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the encryption mechanism */
++ CK_OBJECT_HANDLE hKey /* handle of encryption key */
++);
++#endif
++
++
++/* C_Encrypt encrypts single-part data. */
++CK_PKCS11_FUNCTION_INFO(C_Encrypt)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pData, /* the plaintext data */
++ CK_ULONG ulDataLen, /* bytes of plaintext */
++ CK_BYTE_PTR pEncryptedData, /* gets ciphertext */
++ CK_ULONG_PTR pulEncryptedDataLen /* gets c-text size */
++);
++#endif
++
++
++/* C_EncryptUpdate continues a multiple-part encryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_EncryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pPart, /* the plaintext data */
++ CK_ULONG ulPartLen, /* plaintext data len */
++ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
++ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text size */
++);
++#endif
++
++
++/* C_EncryptFinal finishes a multiple-part encryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_EncryptFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session handle */
++ CK_BYTE_PTR pLastEncryptedPart, /* last c-text */
++ CK_ULONG_PTR pulLastEncryptedPartLen /* gets last size */
++);
++#endif
++
++
++/* C_DecryptInit initializes a decryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the decryption mechanism */
++ CK_OBJECT_HANDLE hKey /* handle of decryption key */
++);
++#endif
++
++
++/* C_Decrypt decrypts encrypted data in a single part. */
++CK_PKCS11_FUNCTION_INFO(C_Decrypt)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pEncryptedData, /* ciphertext */
++ CK_ULONG ulEncryptedDataLen, /* ciphertext length */
++ CK_BYTE_PTR pData, /* gets plaintext */
++ CK_ULONG_PTR pulDataLen /* gets p-text size */
++);
++#endif
++
++
++/* C_DecryptUpdate continues a multiple-part decryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pEncryptedPart, /* encrypted data */
++ CK_ULONG ulEncryptedPartLen, /* input length */
++ CK_BYTE_PTR pPart, /* gets plaintext */
++ CK_ULONG_PTR pulPartLen /* p-text size */
++);
++#endif
++
++
++/* C_DecryptFinal finishes a multiple-part decryption
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pLastPart, /* gets plaintext */
++ CK_ULONG_PTR pulLastPartLen /* p-text size */
++);
++#endif
++
++
++
++/* Message digesting */
++
++/* C_DigestInit initializes a message-digesting operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism /* the digesting mechanism */
++);
++#endif
++
++
++/* C_Digest digests data in a single part. */
++CK_PKCS11_FUNCTION_INFO(C_Digest)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pData, /* data to be digested */
++ CK_ULONG ulDataLen, /* bytes of data to digest */
++ CK_BYTE_PTR pDigest, /* gets the message digest */
++ CK_ULONG_PTR pulDigestLen /* gets digest length */
++);
++#endif
++
++
++/* C_DigestUpdate continues a multiple-part message-digesting
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pPart, /* data to be digested */
++ CK_ULONG ulPartLen /* bytes of data to be digested */
++);
++#endif
++
++
++/* C_DigestKey continues a multi-part message-digesting
++ * operation, by digesting the value of a secret key as part of
++ * the data already digested. */
++CK_PKCS11_FUNCTION_INFO(C_DigestKey)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_OBJECT_HANDLE hKey /* secret key to digest */
++);
++#endif
++
++
++/* C_DigestFinal finishes a multiple-part message-digesting
++ * operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pDigest, /* gets the message digest */
++ CK_ULONG_PTR pulDigestLen /* gets byte count of digest */
++);
++#endif
++
++
++
++/* Signing and MACing */
++
++/* C_SignInit initializes a signature (private key encryption)
++ * operation, where the signature is (will be) an appendix to
++ * the data, and plaintext cannot be recovered from the
++ *signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
++ CK_OBJECT_HANDLE hKey /* handle of signature key */
++);
++#endif
++
++
++/* C_Sign signs (encrypts with private key) data in a single
++ * part, where the signature is (will be) an appendix to the
++ * data, and plaintext cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_Sign)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pData, /* the data to sign */
++ CK_ULONG ulDataLen, /* count of bytes to sign */
++ CK_BYTE_PTR pSignature, /* gets the signature */
++ CK_ULONG_PTR pulSignatureLen /* gets signature length */
++);
++#endif
++
++
++/* C_SignUpdate continues a multiple-part signature operation,
++ * where the signature is (will be) an appendix to the data,
++ * and plaintext cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pPart, /* the data to sign */
++ CK_ULONG ulPartLen /* count of bytes to sign */
++);
++#endif
++
++
++/* C_SignFinal finishes a multiple-part signature operation,
++ * returning the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pSignature, /* gets the signature */
++ CK_ULONG_PTR pulSignatureLen /* gets signature length */
++);
++#endif
++
++
++/* C_SignRecoverInit initializes a signature operation, where
++ * the data can be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignRecoverInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the signature mechanism */
++ CK_OBJECT_HANDLE hKey /* handle of the signature key */
++);
++#endif
++
++
++/* C_SignRecover signs data in a single operation, where the
++ * data can be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_SignRecover)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pData, /* the data to sign */
++ CK_ULONG ulDataLen, /* count of bytes to sign */
++ CK_BYTE_PTR pSignature, /* gets the signature */
++ CK_ULONG_PTR pulSignatureLen /* gets signature length */
++);
++#endif
++
++
++
++/* Verifying signatures and MACs */
++
++/* C_VerifyInit initializes a verification operation, where the
++ * signature is an appendix to the data, and plaintext cannot
++ * cannot be recovered from the signature (e.g. DSA). */
++CK_PKCS11_FUNCTION_INFO(C_VerifyInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
++ CK_OBJECT_HANDLE hKey /* verification key */
++);
++#endif
++
++
++/* C_Verify verifies a signature in a single-part operation,
++ * where the signature is an appendix to the data, and plaintext
++ * cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_Verify)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pData, /* signed data */
++ CK_ULONG ulDataLen, /* length of signed data */
++ CK_BYTE_PTR pSignature, /* signature */
++ CK_ULONG ulSignatureLen /* signature length*/
++);
++#endif
++
++
++/* C_VerifyUpdate continues a multiple-part verification
++ * operation, where the signature is an appendix to the data,
++ * and plaintext cannot be recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pPart, /* signed data */
++ CK_ULONG ulPartLen /* length of signed data */
++);
++#endif
++
++
++/* C_VerifyFinal finishes a multiple-part verification
++ * operation, checking the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyFinal)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pSignature, /* signature to verify */
++ CK_ULONG ulSignatureLen /* signature length */
++);
++#endif
++
++
++/* C_VerifyRecoverInit initializes a signature verification
++ * operation, where the data is recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyRecoverInit)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the verification mechanism */
++ CK_OBJECT_HANDLE hKey /* verification key */
++);
++#endif
++
++
++/* C_VerifyRecover verifies a signature in a single-part
++ * operation, where the data is recovered from the signature. */
++CK_PKCS11_FUNCTION_INFO(C_VerifyRecover)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pSignature, /* signature to verify */
++ CK_ULONG ulSignatureLen, /* signature length */
++ CK_BYTE_PTR pData, /* gets signed data */
++ CK_ULONG_PTR pulDataLen /* gets signed data len */
++);
++#endif
++
++
++
++/* Dual-function cryptographic operations */
++
++/* C_DigestEncryptUpdate continues a multiple-part digesting
++ * and encryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_DigestEncryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pPart, /* the plaintext data */
++ CK_ULONG ulPartLen, /* plaintext length */
++ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
++ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
++);
++#endif
++
++
++/* C_DecryptDigestUpdate continues a multiple-part decryption and
++ * digesting operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptDigestUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
++ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
++ CK_BYTE_PTR pPart, /* gets plaintext */
++ CK_ULONG_PTR pulPartLen /* gets plaintext len */
++);
++#endif
++
++
++/* C_SignEncryptUpdate continues a multiple-part signing and
++ * encryption operation. */
++CK_PKCS11_FUNCTION_INFO(C_SignEncryptUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pPart, /* the plaintext data */
++ CK_ULONG ulPartLen, /* plaintext length */
++ CK_BYTE_PTR pEncryptedPart, /* gets ciphertext */
++ CK_ULONG_PTR pulEncryptedPartLen /* gets c-text length */
++);
++#endif
++
++
++/* C_DecryptVerifyUpdate continues a multiple-part decryption and
++ * verify operation. */
++CK_PKCS11_FUNCTION_INFO(C_DecryptVerifyUpdate)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_BYTE_PTR pEncryptedPart, /* ciphertext */
++ CK_ULONG ulEncryptedPartLen, /* ciphertext length */
++ CK_BYTE_PTR pPart, /* gets plaintext */
++ CK_ULONG_PTR pulPartLen /* gets p-text length */
++);
++#endif
++
++
++
++/* Key management */
++
++/* C_GenerateKey generates a secret key, creating a new key
++ * object. */
++CK_PKCS11_FUNCTION_INFO(C_GenerateKey)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* key generation mech. */
++ CK_ATTRIBUTE_PTR pTemplate, /* template for new key */
++ CK_ULONG ulCount, /* # of attrs in template */
++ CK_OBJECT_HANDLE_PTR phKey /* gets handle of new key */
++);
++#endif
++
++
++/* C_GenerateKeyPair generates a public-key/private-key pair,
++ * creating new key objects. */
++CK_PKCS11_FUNCTION_INFO(C_GenerateKeyPair)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session
++ * handle */
++ CK_MECHANISM_PTR pMechanism, /* key-gen
++ * mech. */
++ CK_ATTRIBUTE_PTR pPublicKeyTemplate, /* template
++ * for pub.
++ * key */
++ CK_ULONG ulPublicKeyAttributeCount, /* # pub.
++ * attrs. */
++ CK_ATTRIBUTE_PTR pPrivateKeyTemplate, /* template
++ * for priv.
++ * key */
++ CK_ULONG ulPrivateKeyAttributeCount, /* # priv.
++ * attrs. */
++ CK_OBJECT_HANDLE_PTR phPublicKey, /* gets pub.
++ * key
++ * handle */
++ CK_OBJECT_HANDLE_PTR phPrivateKey /* gets
++ * priv. key
++ * handle */
++);
++#endif
++
++
++/* C_WrapKey wraps (i.e., encrypts) a key. */
++CK_PKCS11_FUNCTION_INFO(C_WrapKey)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_MECHANISM_PTR pMechanism, /* the wrapping mechanism */
++ CK_OBJECT_HANDLE hWrappingKey, /* wrapping key */
++ CK_OBJECT_HANDLE hKey, /* key to be wrapped */
++ CK_BYTE_PTR pWrappedKey, /* gets wrapped key */
++ CK_ULONG_PTR pulWrappedKeyLen /* gets wrapped key size */
++);
++#endif
++
++
++/* C_UnwrapKey unwraps (decrypts) a wrapped key, creating a new
++ * key object. */
++CK_PKCS11_FUNCTION_INFO(C_UnwrapKey)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_MECHANISM_PTR pMechanism, /* unwrapping mech. */
++ CK_OBJECT_HANDLE hUnwrappingKey, /* unwrapping key */
++ CK_BYTE_PTR pWrappedKey, /* the wrapped key */
++ CK_ULONG ulWrappedKeyLen, /* wrapped key len */
++ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
++ CK_ULONG ulAttributeCount, /* template length */
++ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
++);
++#endif
++
++
++/* C_DeriveKey derives a key from a base key, creating a new key
++ * object. */
++CK_PKCS11_FUNCTION_INFO(C_DeriveKey)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* session's handle */
++ CK_MECHANISM_PTR pMechanism, /* key deriv. mech. */
++ CK_OBJECT_HANDLE hBaseKey, /* base key */
++ CK_ATTRIBUTE_PTR pTemplate, /* new key template */
++ CK_ULONG ulAttributeCount, /* template length */
++ CK_OBJECT_HANDLE_PTR phKey /* gets new handle */
++);
++#endif
++
++
++
++/* Random number generation */
++
++/* C_SeedRandom mixes additional seed material into the token's
++ * random number generator. */
++CK_PKCS11_FUNCTION_INFO(C_SeedRandom)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR pSeed, /* the seed material */
++ CK_ULONG ulSeedLen /* length of seed material */
++);
++#endif
++
++
++/* C_GenerateRandom generates random data. */
++CK_PKCS11_FUNCTION_INFO(C_GenerateRandom)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_BYTE_PTR RandomData, /* receives the random data */
++ CK_ULONG ulRandomLen /* # of bytes to generate */
++);
++#endif
++
++
++
++/* Parallel function management */
++
++/* C_GetFunctionStatus is a legacy function; it obtains an
++ * updated status of a function running in parallel with an
++ * application. */
++CK_PKCS11_FUNCTION_INFO(C_GetFunctionStatus)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession /* the session's handle */
++);
++#endif
++
++
++/* C_CancelFunction is a legacy function; it cancels a function
++ * running in parallel. */
++CK_PKCS11_FUNCTION_INFO(C_CancelFunction)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_SESSION_HANDLE hSession /* the session's handle */
++);
++#endif
++
++
++
++/* Functions added in for Cryptoki Version 2.01 or later */
++
++/* C_WaitForSlotEvent waits for a slot event (token insertion,
++ * removal, etc.) to occur. */
++CK_PKCS11_FUNCTION_INFO(C_WaitForSlotEvent)
++#ifdef CK_NEED_ARG_LIST
++(
++ CK_FLAGS flags, /* blocking/nonblocking flag */
++ CK_SLOT_ID_PTR pSlot, /* location that receives the slot ID */
++ CK_VOID_PTR pRserved /* reserved. Should be NULL_PTR */
++);
++#endif
+Index: openssl/crypto/engine/pkcs11t.h
+diff -u /dev/null openssl/crypto/engine/pkcs11t.h:1.2
+--- /dev/null Mon Oct 5 13:17:24 2009
++++ openssl/crypto/engine/pkcs11t.h Sat Aug 30 11:58:07 2008
+@@ -0,0 +1,1885 @@
++/* pkcs11t.h include file for PKCS #11. */
++/* $Revision: 1.1 $ */
++
++/* License to copy and use this software is granted provided that it is
++ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
++ * (Cryptoki)" in all material mentioning or referencing this software.
++
++ * License is also granted to make and use derivative works provided that
++ * such works are identified as "derived from the RSA Security Inc. PKCS #11
++ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
++ * referencing the derived work.
++
++ * RSA Security Inc. makes no representations concerning either the
++ * merchantability of this software or the suitability of this software for
++ * any particular purpose. It is provided "as is" without express or implied
++ * warranty of any kind.
++ */
++
++/* See top of pkcs11.h for information about the macros that
++ * must be defined and the structure-packing conventions that
++ * must be set before including this file. */
++
++#ifndef _PKCS11T_H_
++#define _PKCS11T_H_ 1
++
++#define CRYPTOKI_VERSION_MAJOR 2
++#define CRYPTOKI_VERSION_MINOR 20
++#define CRYPTOKI_VERSION_AMENDMENT 3
++
++#define CK_TRUE 1
++#define CK_FALSE 0
++
++#ifndef CK_DISABLE_TRUE_FALSE
++#ifndef FALSE
++#define FALSE CK_FALSE
++#endif
++
++#ifndef TRUE
++#define TRUE CK_TRUE
++#endif
++#endif
++
++/* an unsigned 8-bit value */
++typedef unsigned char CK_BYTE;
++
++/* an unsigned 8-bit character */
++typedef CK_BYTE CK_CHAR;
++
++/* an 8-bit UTF-8 character */
++typedef CK_BYTE CK_UTF8CHAR;
++
++/* a BYTE-sized Boolean flag */
++typedef CK_BYTE CK_BBOOL;
++
++/* an unsigned value, at least 32 bits long */
++typedef unsigned long int CK_ULONG;
++
++/* a signed value, the same size as a CK_ULONG */
++/* CK_LONG is new for v2.0 */
++typedef long int CK_LONG;
++
++/* at least 32 bits; each bit is a Boolean flag */
++typedef CK_ULONG CK_FLAGS;
++
++
++/* some special values for certain CK_ULONG variables */
++#define CK_UNAVAILABLE_INFORMATION (~0UL)
++#define CK_EFFECTIVELY_INFINITE 0
++
++
++typedef CK_BYTE CK_PTR CK_BYTE_PTR;
++typedef CK_CHAR CK_PTR CK_CHAR_PTR;
++typedef CK_UTF8CHAR CK_PTR CK_UTF8CHAR_PTR;
++typedef CK_ULONG CK_PTR CK_ULONG_PTR;
++typedef void CK_PTR CK_VOID_PTR;
++
++/* Pointer to a CK_VOID_PTR-- i.e., pointer to pointer to void */
++typedef CK_VOID_PTR CK_PTR CK_VOID_PTR_PTR;
++
++
++/* The following value is always invalid if used as a session */
++/* handle or object handle */
++#define CK_INVALID_HANDLE 0
++
++
++typedef struct CK_VERSION {
++ CK_BYTE major; /* integer portion of version number */
++ CK_BYTE minor; /* 1/100ths portion of version number */
++} CK_VERSION;
++
++typedef CK_VERSION CK_PTR CK_VERSION_PTR;
++
++
++typedef struct CK_INFO {
++ /* manufacturerID and libraryDecription have been changed from
++ * CK_CHAR to CK_UTF8CHAR for v2.10 */
++ CK_VERSION cryptokiVersion; /* Cryptoki interface ver */
++ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
++ CK_FLAGS flags; /* must be zero */
++
++ /* libraryDescription and libraryVersion are new for v2.0 */
++ CK_UTF8CHAR libraryDescription[32]; /* blank padded */
++ CK_VERSION libraryVersion; /* version of library */
++} CK_INFO;
++
++typedef CK_INFO CK_PTR CK_INFO_PTR;
++
++
++/* CK_NOTIFICATION enumerates the types of notifications that
++ * Cryptoki provides to an application */
++/* CK_NOTIFICATION has been changed from an enum to a CK_ULONG
++ * for v2.0 */
++typedef CK_ULONG CK_NOTIFICATION;
++#define CKN_SURRENDER 0
++
++/* The following notification is new for PKCS #11 v2.20 amendment 3 */
++#define CKN_OTP_CHANGED 1
++
++
++typedef CK_ULONG CK_SLOT_ID;
++
++typedef CK_SLOT_ID CK_PTR CK_SLOT_ID_PTR;
++
++
++/* CK_SLOT_INFO provides information about a slot */
++typedef struct CK_SLOT_INFO {
++ /* slotDescription and manufacturerID have been changed from
++ * CK_CHAR to CK_UTF8CHAR for v2.10 */
++ CK_UTF8CHAR slotDescription[64]; /* blank padded */
++ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
++ CK_FLAGS flags;
++
++ /* hardwareVersion and firmwareVersion are new for v2.0 */
++ CK_VERSION hardwareVersion; /* version of hardware */
++ CK_VERSION firmwareVersion; /* version of firmware */
++} CK_SLOT_INFO;
++
++/* flags: bit flags that provide capabilities of the slot
++ * Bit Flag Mask Meaning
++ */
++#define CKF_TOKEN_PRESENT 0x00000001 /* a token is there */
++#define CKF_REMOVABLE_DEVICE 0x00000002 /* removable devices*/
++#define CKF_HW_SLOT 0x00000004 /* hardware slot */
++
++typedef CK_SLOT_INFO CK_PTR CK_SLOT_INFO_PTR;
++
++
++/* CK_TOKEN_INFO provides information about a token */
++typedef struct CK_TOKEN_INFO {
++ /* label, manufacturerID, and model have been changed from
++ * CK_CHAR to CK_UTF8CHAR for v2.10 */
++ CK_UTF8CHAR label[32]; /* blank padded */
++ CK_UTF8CHAR manufacturerID[32]; /* blank padded */
++ CK_UTF8CHAR model[16]; /* blank padded */
++ CK_CHAR serialNumber[16]; /* blank padded */
++ CK_FLAGS flags; /* see below */
++
++ /* ulMaxSessionCount, ulSessionCount, ulMaxRwSessionCount,
++ * ulRwSessionCount, ulMaxPinLen, and ulMinPinLen have all been
++ * changed from CK_USHORT to CK_ULONG for v2.0 */
++ CK_ULONG ulMaxSessionCount; /* max open sessions */
++ CK_ULONG ulSessionCount; /* sess. now open */
++ CK_ULONG ulMaxRwSessionCount; /* max R/W sessions */
++ CK_ULONG ulRwSessionCount; /* R/W sess. now open */
++ CK_ULONG ulMaxPinLen; /* in bytes */
++ CK_ULONG ulMinPinLen; /* in bytes */
++ CK_ULONG ulTotalPublicMemory; /* in bytes */
++ CK_ULONG ulFreePublicMemory; /* in bytes */
++ CK_ULONG ulTotalPrivateMemory; /* in bytes */
++ CK_ULONG ulFreePrivateMemory; /* in bytes */
++
++ /* hardwareVersion, firmwareVersion, and time are new for
++ * v2.0 */
++ CK_VERSION hardwareVersion; /* version of hardware */
++ CK_VERSION firmwareVersion; /* version of firmware */
++ CK_CHAR utcTime[16]; /* time */
++} CK_TOKEN_INFO;
++
++/* The flags parameter is defined as follows:
++ * Bit Flag Mask Meaning
++ */
++#define CKF_RNG 0x00000001 /* has random #
++ * generator */
++#define CKF_WRITE_PROTECTED 0x00000002 /* token is
++ * write-
++ * protected */
++#define CKF_LOGIN_REQUIRED 0x00000004 /* user must
++ * login */
++#define CKF_USER_PIN_INITIALIZED 0x00000008 /* normal user's
++ * PIN is set */
++
++/* CKF_RESTORE_KEY_NOT_NEEDED is new for v2.0. If it is set,
++ * that means that *every* time the state of cryptographic
++ * operations of a session is successfully saved, all keys
++ * needed to continue those operations are stored in the state */
++#define CKF_RESTORE_KEY_NOT_NEEDED 0x00000020
++
++/* CKF_CLOCK_ON_TOKEN is new for v2.0. If it is set, that means
++ * that the token has some sort of clock. The time on that
++ * clock is returned in the token info structure */
++#define CKF_CLOCK_ON_TOKEN 0x00000040
++
++/* CKF_PROTECTED_AUTHENTICATION_PATH is new for v2.0. If it is
++ * set, that means that there is some way for the user to login
++ * without sending a PIN through the Cryptoki library itself */
++#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100
++
++/* CKF_DUAL_CRYPTO_OPERATIONS is new for v2.0. If it is true,
++ * that means that a single session with the token can perform
++ * dual simultaneous cryptographic operations (digest and
++ * encrypt; decrypt and digest; sign and encrypt; and decrypt
++ * and sign) */
++#define CKF_DUAL_CRYPTO_OPERATIONS 0x00000200
++
++/* CKF_TOKEN_INITIALIZED if new for v2.10. If it is true, the
++ * token has been initialized using C_InitializeToken or an
++ * equivalent mechanism outside the scope of PKCS #11.
++ * Calling C_InitializeToken when this flag is set will cause
++ * the token to be reinitialized. */
++#define CKF_TOKEN_INITIALIZED 0x00000400
++
++/* CKF_SECONDARY_AUTHENTICATION if new for v2.10. If it is
++ * true, the token supports secondary authentication for
++ * private key objects. This flag is deprecated in v2.11 and
++ onwards. */
++#define CKF_SECONDARY_AUTHENTICATION 0x00000800
++
++/* CKF_USER_PIN_COUNT_LOW if new for v2.10. If it is true, an
++ * incorrect user login PIN has been entered at least once
++ * since the last successful authentication. */
++#define CKF_USER_PIN_COUNT_LOW 0x00010000
++
++/* CKF_USER_PIN_FINAL_TRY if new for v2.10. If it is true,
++ * supplying an incorrect user PIN will it to become locked. */
++#define CKF_USER_PIN_FINAL_TRY 0x00020000
++
++/* CKF_USER_PIN_LOCKED if new for v2.10. If it is true, the
++ * user PIN has been locked. User login to the token is not
++ * possible. */
++#define CKF_USER_PIN_LOCKED 0x00040000
++
++/* CKF_USER_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
++ * the user PIN value is the default value set by token
++ * initialization or manufacturing, or the PIN has been
++ * expired by the card. */
++#define CKF_USER_PIN_TO_BE_CHANGED 0x00080000
++
++/* CKF_SO_PIN_COUNT_LOW if new for v2.10. If it is true, an
++ * incorrect SO login PIN has been entered at least once since
++ * the last successful authentication. */
++#define CKF_SO_PIN_COUNT_LOW 0x00100000
++
++/* CKF_SO_PIN_FINAL_TRY if new for v2.10. If it is true,
++ * supplying an incorrect SO PIN will it to become locked. */
++#define CKF_SO_PIN_FINAL_TRY 0x00200000
++
++/* CKF_SO_PIN_LOCKED if new for v2.10. If it is true, the SO
++ * PIN has been locked. SO login to the token is not possible.
++ */
++#define CKF_SO_PIN_LOCKED 0x00400000
++
++/* CKF_SO_PIN_TO_BE_CHANGED if new for v2.10. If it is true,
++ * the SO PIN value is the default value set by token
++ * initialization or manufacturing, or the PIN has been
++ * expired by the card. */
++#define CKF_SO_PIN_TO_BE_CHANGED 0x00800000
++
++typedef CK_TOKEN_INFO CK_PTR CK_TOKEN_INFO_PTR;
++
++
++/* CK_SESSION_HANDLE is a Cryptoki-assigned value that
++ * identifies a session */
++typedef CK_ULONG CK_SESSION_HANDLE;
++
++typedef CK_SESSION_HANDLE CK_PTR CK_SESSION_HANDLE_PTR;
++
++
++/* CK_USER_TYPE enumerates the types of Cryptoki users */
++/* CK_USER_TYPE has been changed from an enum to a CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG CK_USER_TYPE;
++/* Security Officer */
++#define CKU_SO 0
++/* Normal user */
++#define CKU_USER 1
++/* Context specific (added in v2.20) */
++#define CKU_CONTEXT_SPECIFIC 2
++
++/* CK_STATE enumerates the session states */
++/* CK_STATE has been changed from an enum to a CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG CK_STATE;
++#define CKS_RO_PUBLIC_SESSION 0
++#define CKS_RO_USER_FUNCTIONS 1
++#define CKS_RW_PUBLIC_SESSION 2
++#define CKS_RW_USER_FUNCTIONS 3
++#define CKS_RW_SO_FUNCTIONS 4
++
++
++/* CK_SESSION_INFO provides information about a session */
++typedef struct CK_SESSION_INFO {
++ CK_SLOT_ID slotID;
++ CK_STATE state;
++ CK_FLAGS flags; /* see below */
++
++ /* ulDeviceError was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++ CK_ULONG ulDeviceError; /* device-dependent error code */
++} CK_SESSION_INFO;
++
++/* The flags are defined in the following table:
++ * Bit Flag Mask Meaning
++ */
++#define CKF_RW_SESSION 0x00000002 /* session is r/w */
++#define CKF_SERIAL_SESSION 0x00000004 /* no parallel */
++
++typedef CK_SESSION_INFO CK_PTR CK_SESSION_INFO_PTR;
++
++
++/* CK_OBJECT_HANDLE is a token-specific identifier for an
++ * object */
++typedef CK_ULONG CK_OBJECT_HANDLE;
++
++typedef CK_OBJECT_HANDLE CK_PTR CK_OBJECT_HANDLE_PTR;
++
++
++/* CK_OBJECT_CLASS is a value that identifies the classes (or
++ * types) of objects that Cryptoki recognizes. It is defined
++ * as follows: */
++/* CK_OBJECT_CLASS was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG CK_OBJECT_CLASS;
++
++/* The following classes of objects are defined: */
++/* CKO_HW_FEATURE is new for v2.10 */
++/* CKO_DOMAIN_PARAMETERS is new for v2.11 */
++/* CKO_MECHANISM is new for v2.20 */
++#define CKO_DATA 0x00000000
++#define CKO_CERTIFICATE 0x00000001
++#define CKO_PUBLIC_KEY 0x00000002
++#define CKO_PRIVATE_KEY 0x00000003
++#define CKO_SECRET_KEY 0x00000004
++#define CKO_HW_FEATURE 0x00000005
++#define CKO_DOMAIN_PARAMETERS 0x00000006
++#define CKO_MECHANISM 0x00000007
++
++/* CKO_OTP_KEY is new for PKCS #11 v2.20 amendment 1 */
++#define CKO_OTP_KEY 0x00000008
++
++#define CKO_VENDOR_DEFINED 0x80000000
++
++typedef CK_OBJECT_CLASS CK_PTR CK_OBJECT_CLASS_PTR;
++
++/* CK_HW_FEATURE_TYPE is new for v2.10. CK_HW_FEATURE_TYPE is a
++ * value that identifies the hardware feature type of an object
++ * with CK_OBJECT_CLASS equal to CKO_HW_FEATURE. */
++typedef CK_ULONG CK_HW_FEATURE_TYPE;
++
++/* The following hardware feature types are defined */
++/* CKH_USER_INTERFACE is new for v2.20 */
++#define CKH_MONOTONIC_COUNTER 0x00000001
++#define CKH_CLOCK 0x00000002
++#define CKH_USER_INTERFACE 0x00000003
++#define CKH_VENDOR_DEFINED 0x80000000
++
++/* CK_KEY_TYPE is a value that identifies a key type */
++/* CK_KEY_TYPE was changed from CK_USHORT to CK_ULONG for v2.0 */
++typedef CK_ULONG CK_KEY_TYPE;
++
++/* the following key types are defined: */
++#define CKK_RSA 0x00000000
++#define CKK_DSA 0x00000001
++#define CKK_DH 0x00000002
++
++/* CKK_ECDSA and CKK_KEA are new for v2.0 */
++/* CKK_ECDSA is deprecated in v2.11, CKK_EC is preferred. */
++#define CKK_ECDSA 0x00000003
++#define CKK_EC 0x00000003
++#define CKK_X9_42_DH 0x00000004
++#define CKK_KEA 0x00000005
++
++#define CKK_GENERIC_SECRET 0x00000010
++#define CKK_RC2 0x00000011
++#define CKK_RC4 0x00000012
++#define CKK_DES 0x00000013
++#define CKK_DES2 0x00000014
++#define CKK_DES3 0x00000015
++
++/* all these key types are new for v2.0 */
++#define CKK_CAST 0x00000016
++#define CKK_CAST3 0x00000017
++/* CKK_CAST5 is deprecated in v2.11, CKK_CAST128 is preferred. */
++#define CKK_CAST5 0x00000018
++#define CKK_CAST128 0x00000018
++#define CKK_RC5 0x00000019
++#define CKK_IDEA 0x0000001A
++#define CKK_SKIPJACK 0x0000001B
++#define CKK_BATON 0x0000001C
++#define CKK_JUNIPER 0x0000001D
++#define CKK_CDMF 0x0000001E
++#define CKK_AES 0x0000001F
++
++/* BlowFish and TwoFish are new for v2.20 */
++#define CKK_BLOWFISH 0x00000020
++#define CKK_TWOFISH 0x00000021
++
++/* SecurID, HOTP, and ACTI are new for PKCS #11 v2.20 amendment 1 */
++#define CKK_SECURID 0x00000022
++#define CKK_HOTP 0x00000023
++#define CKK_ACTI 0x00000024
++
++/* Camellia is new for PKCS #11 v2.20 amendment 3 */
++#define CKK_CAMELLIA 0x00000025
++/* ARIA is new for PKCS #11 v2.20 amendment 3 */
++#define CKK_ARIA 0x00000026
++
++
++#define CKK_VENDOR_DEFINED 0x80000000
++
++
++/* CK_CERTIFICATE_TYPE is a value that identifies a certificate
++ * type */
++/* CK_CERTIFICATE_TYPE was changed from CK_USHORT to CK_ULONG
++ * for v2.0 */
++typedef CK_ULONG CK_CERTIFICATE_TYPE;
++
++/* The following certificate types are defined: */
++/* CKC_X_509_ATTR_CERT is new for v2.10 */
++/* CKC_WTLS is new for v2.20 */
++#define CKC_X_509 0x00000000
++#define CKC_X_509_ATTR_CERT 0x00000001
++#define CKC_WTLS 0x00000002
++#define CKC_VENDOR_DEFINED 0x80000000
++
++
++/* CK_ATTRIBUTE_TYPE is a value that identifies an attribute
++ * type */
++/* CK_ATTRIBUTE_TYPE was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG CK_ATTRIBUTE_TYPE;
++
++/* The CKF_ARRAY_ATTRIBUTE flag identifies an attribute which
++ consists of an array of values. */
++#define CKF_ARRAY_ATTRIBUTE 0x40000000
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
++ and relates to the CKA_OTP_FORMAT attribute */
++#define CK_OTP_FORMAT_DECIMAL 0
++#define CK_OTP_FORMAT_HEXADECIMAL 1
++#define CK_OTP_FORMAT_ALPHANUMERIC 2
++#define CK_OTP_FORMAT_BINARY 3
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1
++ and relates to the CKA_OTP_..._REQUIREMENT attributes */
++#define CK_OTP_PARAM_IGNORED 0
++#define CK_OTP_PARAM_OPTIONAL 1
++#define CK_OTP_PARAM_MANDATORY 2
++
++/* The following attribute types are defined: */
++#define CKA_CLASS 0x00000000
++#define CKA_TOKEN 0x00000001
++#define CKA_PRIVATE 0x00000002
++#define CKA_LABEL 0x00000003
++#define CKA_APPLICATION 0x00000010
++#define CKA_VALUE 0x00000011
++
++/* CKA_OBJECT_ID is new for v2.10 */
++#define CKA_OBJECT_ID 0x00000012
++
++#define CKA_CERTIFICATE_TYPE 0x00000080
++#define CKA_ISSUER 0x00000081
++#define CKA_SERIAL_NUMBER 0x00000082
++
++/* CKA_AC_ISSUER, CKA_OWNER, and CKA_ATTR_TYPES are new
++ * for v2.10 */
++#define CKA_AC_ISSUER 0x00000083
++#define CKA_OWNER 0x00000084
++#define CKA_ATTR_TYPES 0x00000085
++
++/* CKA_TRUSTED is new for v2.11 */
++#define CKA_TRUSTED 0x00000086
++
++/* CKA_CERTIFICATE_CATEGORY ...
++ * CKA_CHECK_VALUE are new for v2.20 */
++#define CKA_CERTIFICATE_CATEGORY 0x00000087
++#define CKA_JAVA_MIDP_SECURITY_DOMAIN 0x00000088
++#define CKA_URL 0x00000089
++#define CKA_HASH_OF_SUBJECT_PUBLIC_KEY 0x0000008A
++#define CKA_HASH_OF_ISSUER_PUBLIC_KEY 0x0000008B
++#define CKA_CHECK_VALUE 0x00000090
++
++#define CKA_KEY_TYPE 0x00000100
++#define CKA_SUBJECT 0x00000101
++#define CKA_ID 0x00000102
++#define CKA_SENSITIVE 0x00000103
++#define CKA_ENCRYPT 0x00000104
++#define CKA_DECRYPT 0x00000105
++#define CKA_WRAP 0x00000106
++#define CKA_UNWRAP 0x00000107
++#define CKA_SIGN 0x00000108
++#define CKA_SIGN_RECOVER 0x00000109
++#define CKA_VERIFY 0x0000010A
++#define CKA_VERIFY_RECOVER 0x0000010B
++#define CKA_DERIVE 0x0000010C
++#define CKA_START_DATE 0x00000110
++#define CKA_END_DATE 0x00000111
++#define CKA_MODULUS 0x00000120
++#define CKA_MODULUS_BITS 0x00000121
++#define CKA_PUBLIC_EXPONENT 0x00000122
++#define CKA_PRIVATE_EXPONENT 0x00000123
++#define CKA_PRIME_1 0x00000124
++#define CKA_PRIME_2 0x00000125
++#define CKA_EXPONENT_1 0x00000126
++#define CKA_EXPONENT_2 0x00000127
++#define CKA_COEFFICIENT 0x00000128
++#define CKA_PRIME 0x00000130
++#define CKA_SUBPRIME 0x00000131
++#define CKA_BASE 0x00000132
++
++/* CKA_PRIME_BITS and CKA_SUB_PRIME_BITS are new for v2.11 */
++#define CKA_PRIME_BITS 0x00000133
++#define CKA_SUBPRIME_BITS 0x00000134
++#define CKA_SUB_PRIME_BITS CKA_SUBPRIME_BITS
++/* (To retain backwards-compatibility) */
++
++#define CKA_VALUE_BITS 0x00000160
++#define CKA_VALUE_LEN 0x00000161
++
++/* CKA_EXTRACTABLE, CKA_LOCAL, CKA_NEVER_EXTRACTABLE,
++ * CKA_ALWAYS_SENSITIVE, CKA_MODIFIABLE, CKA_ECDSA_PARAMS,
++ * and CKA_EC_POINT are new for v2.0 */
++#define CKA_EXTRACTABLE 0x00000162
++#define CKA_LOCAL 0x00000163
++#define CKA_NEVER_EXTRACTABLE 0x00000164
++#define CKA_ALWAYS_SENSITIVE 0x00000165
++
++/* CKA_KEY_GEN_MECHANISM is new for v2.11 */
++#define CKA_KEY_GEN_MECHANISM 0x00000166
++
++#define CKA_MODIFIABLE 0x00000170
++
++/* CKA_ECDSA_PARAMS is deprecated in v2.11,
++ * CKA_EC_PARAMS is preferred. */
++#define CKA_ECDSA_PARAMS 0x00000180
++#define CKA_EC_PARAMS 0x00000180
++
++#define CKA_EC_POINT 0x00000181
++
++/* CKA_SECONDARY_AUTH, CKA_AUTH_PIN_FLAGS,
++ * are new for v2.10. Deprecated in v2.11 and onwards. */
++#define CKA_SECONDARY_AUTH 0x00000200
++#define CKA_AUTH_PIN_FLAGS 0x00000201
++
++/* CKA_ALWAYS_AUTHENTICATE ...
++ * CKA_UNWRAP_TEMPLATE are new for v2.20 */
++#define CKA_ALWAYS_AUTHENTICATE 0x00000202
++
++#define CKA_WRAP_WITH_TRUSTED 0x00000210
++#define CKA_WRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000211)
++#define CKA_UNWRAP_TEMPLATE (CKF_ARRAY_ATTRIBUTE|0x00000212)
++
++/* CKA_OTP... atttributes are new for PKCS #11 v2.20 amendment 3. */
++#define CKA_OTP_FORMAT 0x00000220
++#define CKA_OTP_LENGTH 0x00000221
++#define CKA_OTP_TIME_INTERVAL 0x00000222
++#define CKA_OTP_USER_FRIENDLY_MODE 0x00000223
++#define CKA_OTP_CHALLENGE_REQUIREMENT 0x00000224
++#define CKA_OTP_TIME_REQUIREMENT 0x00000225
++#define CKA_OTP_COUNTER_REQUIREMENT 0x00000226
++#define CKA_OTP_PIN_REQUIREMENT 0x00000227
++#define CKA_OTP_COUNTER 0x0000022E
++#define CKA_OTP_TIME 0x0000022F
++#define CKA_OTP_USER_IDENTIFIER 0x0000022A
++#define CKA_OTP_SERVICE_IDENTIFIER 0x0000022B
++#define CKA_OTP_SERVICE_LOGO 0x0000022C
++#define CKA_OTP_SERVICE_LOGO_TYPE 0x0000022D
++
++
++/* CKA_HW_FEATURE_TYPE, CKA_RESET_ON_INIT, and CKA_HAS_RESET
++ * are new for v2.10 */
++#define CKA_HW_FEATURE_TYPE 0x00000300
++#define CKA_RESET_ON_INIT 0x00000301
++#define CKA_HAS_RESET 0x00000302
++
++/* The following attributes are new for v2.20 */
++#define CKA_PIXEL_X 0x00000400
++#define CKA_PIXEL_Y 0x00000401
++#define CKA_RESOLUTION 0x00000402
++#define CKA_CHAR_ROWS 0x00000403
++#define CKA_CHAR_COLUMNS 0x00000404
++#define CKA_COLOR 0x00000405
++#define CKA_BITS_PER_PIXEL 0x00000406
++#define CKA_CHAR_SETS 0x00000480
++#define CKA_ENCODING_METHODS 0x00000481
++#define CKA_MIME_TYPES 0x00000482
++#define CKA_MECHANISM_TYPE 0x00000500
++#define CKA_REQUIRED_CMS_ATTRIBUTES 0x00000501
++#define CKA_DEFAULT_CMS_ATTRIBUTES 0x00000502
++#define CKA_SUPPORTED_CMS_ATTRIBUTES 0x00000503
++#define CKA_ALLOWED_MECHANISMS (CKF_ARRAY_ATTRIBUTE|0x00000600)
++
++#define CKA_VENDOR_DEFINED 0x80000000
++
++/* CK_ATTRIBUTE is a structure that includes the type, length
++ * and value of an attribute */
++typedef struct CK_ATTRIBUTE {
++ CK_ATTRIBUTE_TYPE type;
++ CK_VOID_PTR pValue;
++
++ /* ulValueLen went from CK_USHORT to CK_ULONG for v2.0 */
++ CK_ULONG ulValueLen; /* in bytes */
++} CK_ATTRIBUTE;
++
++typedef CK_ATTRIBUTE CK_PTR CK_ATTRIBUTE_PTR;
++
++
++/* CK_DATE is a structure that defines a date */
++typedef struct CK_DATE{
++ CK_CHAR year[4]; /* the year ("1900" - "9999") */
++ CK_CHAR month[2]; /* the month ("01" - "12") */
++ CK_CHAR day[2]; /* the day ("01" - "31") */
++} CK_DATE;
++
++
++/* CK_MECHANISM_TYPE is a value that identifies a mechanism
++ * type */
++/* CK_MECHANISM_TYPE was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++typedef CK_ULONG CK_MECHANISM_TYPE;
++
++/* the following mechanism types are defined: */
++#define CKM_RSA_PKCS_KEY_PAIR_GEN 0x00000000
++#define CKM_RSA_PKCS 0x00000001
++#define CKM_RSA_9796 0x00000002
++#define CKM_RSA_X_509 0x00000003
++
++/* CKM_MD2_RSA_PKCS, CKM_MD5_RSA_PKCS, and CKM_SHA1_RSA_PKCS
++ * are new for v2.0. They are mechanisms which hash and sign */
++#define CKM_MD2_RSA_PKCS 0x00000004
++#define CKM_MD5_RSA_PKCS 0x00000005
++#define CKM_SHA1_RSA_PKCS 0x00000006
++
++/* CKM_RIPEMD128_RSA_PKCS, CKM_RIPEMD160_RSA_PKCS, and
++ * CKM_RSA_PKCS_OAEP are new for v2.10 */
++#define CKM_RIPEMD128_RSA_PKCS 0x00000007
++#define CKM_RIPEMD160_RSA_PKCS 0x00000008
++#define CKM_RSA_PKCS_OAEP 0x00000009
++
++/* CKM_RSA_X9_31_KEY_PAIR_GEN, CKM_RSA_X9_31, CKM_SHA1_RSA_X9_31,
++ * CKM_RSA_PKCS_PSS, and CKM_SHA1_RSA_PKCS_PSS are new for v2.11 */
++#define CKM_RSA_X9_31_KEY_PAIR_GEN 0x0000000A
++#define CKM_RSA_X9_31 0x0000000B
++#define CKM_SHA1_RSA_X9_31 0x0000000C
++#define CKM_RSA_PKCS_PSS 0x0000000D
++#define CKM_SHA1_RSA_PKCS_PSS 0x0000000E
++
++#define CKM_DSA_KEY_PAIR_GEN 0x00000010
++#define CKM_DSA 0x00000011
++#define CKM_DSA_SHA1 0x00000012
++#define CKM_DH_PKCS_KEY_PAIR_GEN 0x00000020
++#define CKM_DH_PKCS_DERIVE 0x00000021
++
++/* CKM_X9_42_DH_KEY_PAIR_GEN, CKM_X9_42_DH_DERIVE,
++ * CKM_X9_42_DH_HYBRID_DERIVE, and CKM_X9_42_MQV_DERIVE are new for
++ * v2.11 */
++#define CKM_X9_42_DH_KEY_PAIR_GEN 0x00000030
++#define CKM_X9_42_DH_DERIVE 0x00000031
++#define CKM_X9_42_DH_HYBRID_DERIVE 0x00000032
++#define CKM_X9_42_MQV_DERIVE 0x00000033
++
++/* CKM_SHA256/384/512 are new for v2.20 */
++#define CKM_SHA256_RSA_PKCS 0x00000040
++#define CKM_SHA384_RSA_PKCS 0x00000041
++#define CKM_SHA512_RSA_PKCS 0x00000042
++#define CKM_SHA256_RSA_PKCS_PSS 0x00000043
++#define CKM_SHA384_RSA_PKCS_PSS 0x00000044
++#define CKM_SHA512_RSA_PKCS_PSS 0x00000045
++
++/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */
++#define CKM_SHA224_RSA_PKCS 0x00000046
++#define CKM_SHA224_RSA_PKCS_PSS 0x00000047
++
++#define CKM_RC2_KEY_GEN 0x00000100
++#define CKM_RC2_ECB 0x00000101
++#define CKM_RC2_CBC 0x00000102
++#define CKM_RC2_MAC 0x00000103
++
++/* CKM_RC2_MAC_GENERAL and CKM_RC2_CBC_PAD are new for v2.0 */
++#define CKM_RC2_MAC_GENERAL 0x00000104
++#define CKM_RC2_CBC_PAD 0x00000105
++
++#define CKM_RC4_KEY_GEN 0x00000110
++#define CKM_RC4 0x00000111
++#define CKM_DES_KEY_GEN 0x00000120
++#define CKM_DES_ECB 0x00000121
++#define CKM_DES_CBC 0x00000122
++#define CKM_DES_MAC 0x00000123
++
++/* CKM_DES_MAC_GENERAL and CKM_DES_CBC_PAD are new for v2.0 */
++#define CKM_DES_MAC_GENERAL 0x00000124
++#define CKM_DES_CBC_PAD 0x00000125
++
++#define CKM_DES2_KEY_GEN 0x00000130
++#define CKM_DES3_KEY_GEN 0x00000131
++#define CKM_DES3_ECB 0x00000132
++#define CKM_DES3_CBC 0x00000133
++#define CKM_DES3_MAC 0x00000134
++
++/* CKM_DES3_MAC_GENERAL, CKM_DES3_CBC_PAD, CKM_CDMF_KEY_GEN,
++ * CKM_CDMF_ECB, CKM_CDMF_CBC, CKM_CDMF_MAC,
++ * CKM_CDMF_MAC_GENERAL, and CKM_CDMF_CBC_PAD are new for v2.0 */
++#define CKM_DES3_MAC_GENERAL 0x00000135
++#define CKM_DES3_CBC_PAD 0x00000136
++#define CKM_CDMF_KEY_GEN 0x00000140
++#define CKM_CDMF_ECB 0x00000141
++#define CKM_CDMF_CBC 0x00000142
++#define CKM_CDMF_MAC 0x00000143
++#define CKM_CDMF_MAC_GENERAL 0x00000144
++#define CKM_CDMF_CBC_PAD 0x00000145
++
++/* the following four DES mechanisms are new for v2.20 */
++#define CKM_DES_OFB64 0x00000150
++#define CKM_DES_OFB8 0x00000151
++#define CKM_DES_CFB64 0x00000152
++#define CKM_DES_CFB8 0x00000153
++
++#define CKM_MD2 0x00000200
++
++/* CKM_MD2_HMAC and CKM_MD2_HMAC_GENERAL are new for v2.0 */
++#define CKM_MD2_HMAC 0x00000201
++#define CKM_MD2_HMAC_GENERAL 0x00000202
++
++#define CKM_MD5 0x00000210
++
++/* CKM_MD5_HMAC and CKM_MD5_HMAC_GENERAL are new for v2.0 */
++#define CKM_MD5_HMAC 0x00000211
++#define CKM_MD5_HMAC_GENERAL 0x00000212
++
++#define CKM_SHA_1 0x00000220
++
++/* CKM_SHA_1_HMAC and CKM_SHA_1_HMAC_GENERAL are new for v2.0 */
++#define CKM_SHA_1_HMAC 0x00000221
++#define CKM_SHA_1_HMAC_GENERAL 0x00000222
++
++/* CKM_RIPEMD128, CKM_RIPEMD128_HMAC,
++ * CKM_RIPEMD128_HMAC_GENERAL, CKM_RIPEMD160, CKM_RIPEMD160_HMAC,
++ * and CKM_RIPEMD160_HMAC_GENERAL are new for v2.10 */
++#define CKM_RIPEMD128 0x00000230
++#define CKM_RIPEMD128_HMAC 0x00000231
++#define CKM_RIPEMD128_HMAC_GENERAL 0x00000232
++#define CKM_RIPEMD160 0x00000240
++#define CKM_RIPEMD160_HMAC 0x00000241
++#define CKM_RIPEMD160_HMAC_GENERAL 0x00000242
++
++/* CKM_SHA256/384/512 are new for v2.20 */
++#define CKM_SHA256 0x00000250
++#define CKM_SHA256_HMAC 0x00000251
++#define CKM_SHA256_HMAC_GENERAL 0x00000252
++
++/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_SHA224 0x00000255
++#define CKM_SHA224_HMAC 0x00000256
++#define CKM_SHA224_HMAC_GENERAL 0x00000257
++
++#define CKM_SHA384 0x00000260
++#define CKM_SHA384_HMAC 0x00000261
++#define CKM_SHA384_HMAC_GENERAL 0x00000262
++#define CKM_SHA512 0x00000270
++#define CKM_SHA512_HMAC 0x00000271
++#define CKM_SHA512_HMAC_GENERAL 0x00000272
++
++/* SecurID is new for PKCS #11 v2.20 amendment 1 */
++#define CKM_SECURID_KEY_GEN 0x00000280
++#define CKM_SECURID 0x00000282
++
++/* HOTP is new for PKCS #11 v2.20 amendment 1 */
++#define CKM_HOTP_KEY_GEN 0x00000290
++#define CKM_HOTP 0x00000291
++
++/* ACTI is new for PKCS #11 v2.20 amendment 1 */
++#define CKM_ACTI 0x000002A0
++#define CKM_ACTI_KEY_GEN 0x000002A1
++
++/* All of the following mechanisms are new for v2.0 */
++/* Note that CAST128 and CAST5 are the same algorithm */
++#define CKM_CAST_KEY_GEN 0x00000300
++#define CKM_CAST_ECB 0x00000301
++#define CKM_CAST_CBC 0x00000302
++#define CKM_CAST_MAC 0x00000303
++#define CKM_CAST_MAC_GENERAL 0x00000304
++#define CKM_CAST_CBC_PAD 0x00000305
++#define CKM_CAST3_KEY_GEN 0x00000310
++#define CKM_CAST3_ECB 0x00000311
++#define CKM_CAST3_CBC 0x00000312
++#define CKM_CAST3_MAC 0x00000313
++#define CKM_CAST3_MAC_GENERAL 0x00000314
++#define CKM_CAST3_CBC_PAD 0x00000315
++#define CKM_CAST5_KEY_GEN 0x00000320
++#define CKM_CAST128_KEY_GEN 0x00000320
++#define CKM_CAST5_ECB 0x00000321
++#define CKM_CAST128_ECB 0x00000321
++#define CKM_CAST5_CBC 0x00000322
++#define CKM_CAST128_CBC 0x00000322
++#define CKM_CAST5_MAC 0x00000323
++#define CKM_CAST128_MAC 0x00000323
++#define CKM_CAST5_MAC_GENERAL 0x00000324
++#define CKM_CAST128_MAC_GENERAL 0x00000324
++#define CKM_CAST5_CBC_PAD 0x00000325
++#define CKM_CAST128_CBC_PAD 0x00000325
++#define CKM_RC5_KEY_GEN 0x00000330
++#define CKM_RC5_ECB 0x00000331
++#define CKM_RC5_CBC 0x00000332
++#define CKM_RC5_MAC 0x00000333
++#define CKM_RC5_MAC_GENERAL 0x00000334
++#define CKM_RC5_CBC_PAD 0x00000335
++#define CKM_IDEA_KEY_GEN 0x00000340
++#define CKM_IDEA_ECB 0x00000341
++#define CKM_IDEA_CBC 0x00000342
++#define CKM_IDEA_MAC 0x00000343
++#define CKM_IDEA_MAC_GENERAL 0x00000344
++#define CKM_IDEA_CBC_PAD 0x00000345
++#define CKM_GENERIC_SECRET_KEY_GEN 0x00000350
++#define CKM_CONCATENATE_BASE_AND_KEY 0x00000360
++#define CKM_CONCATENATE_BASE_AND_DATA 0x00000362
++#define CKM_CONCATENATE_DATA_AND_BASE 0x00000363
++#define CKM_XOR_BASE_AND_DATA 0x00000364
++#define CKM_EXTRACT_KEY_FROM_KEY 0x00000365
++#define CKM_SSL3_PRE_MASTER_KEY_GEN 0x00000370
++#define CKM_SSL3_MASTER_KEY_DERIVE 0x00000371
++#define CKM_SSL3_KEY_AND_MAC_DERIVE 0x00000372
++
++/* CKM_SSL3_MASTER_KEY_DERIVE_DH, CKM_TLS_PRE_MASTER_KEY_GEN,
++ * CKM_TLS_MASTER_KEY_DERIVE, CKM_TLS_KEY_AND_MAC_DERIVE, and
++ * CKM_TLS_MASTER_KEY_DERIVE_DH are new for v2.11 */
++#define CKM_SSL3_MASTER_KEY_DERIVE_DH 0x00000373
++#define CKM_TLS_PRE_MASTER_KEY_GEN 0x00000374
++#define CKM_TLS_MASTER_KEY_DERIVE 0x00000375
++#define CKM_TLS_KEY_AND_MAC_DERIVE 0x00000376
++#define CKM_TLS_MASTER_KEY_DERIVE_DH 0x00000377
++
++/* CKM_TLS_PRF is new for v2.20 */
++#define CKM_TLS_PRF 0x00000378
++
++#define CKM_SSL3_MD5_MAC 0x00000380
++#define CKM_SSL3_SHA1_MAC 0x00000381
++#define CKM_MD5_KEY_DERIVATION 0x00000390
++#define CKM_MD2_KEY_DERIVATION 0x00000391
++#define CKM_SHA1_KEY_DERIVATION 0x00000392
++
++/* CKM_SHA256/384/512 are new for v2.20 */
++#define CKM_SHA256_KEY_DERIVATION 0x00000393
++#define CKM_SHA384_KEY_DERIVATION 0x00000394
++#define CKM_SHA512_KEY_DERIVATION 0x00000395
++
++/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_SHA224_KEY_DERIVATION 0x00000396
++
++#define CKM_PBE_MD2_DES_CBC 0x000003A0
++#define CKM_PBE_MD5_DES_CBC 0x000003A1
++#define CKM_PBE_MD5_CAST_CBC 0x000003A2
++#define CKM_PBE_MD5_CAST3_CBC 0x000003A3
++#define CKM_PBE_MD5_CAST5_CBC 0x000003A4
++#define CKM_PBE_MD5_CAST128_CBC 0x000003A4
++#define CKM_PBE_SHA1_CAST5_CBC 0x000003A5
++#define CKM_PBE_SHA1_CAST128_CBC 0x000003A5
++#define CKM_PBE_SHA1_RC4_128 0x000003A6
++#define CKM_PBE_SHA1_RC4_40 0x000003A7
++#define CKM_PBE_SHA1_DES3_EDE_CBC 0x000003A8
++#define CKM_PBE_SHA1_DES2_EDE_CBC 0x000003A9
++#define CKM_PBE_SHA1_RC2_128_CBC 0x000003AA
++#define CKM_PBE_SHA1_RC2_40_CBC 0x000003AB
++
++/* CKM_PKCS5_PBKD2 is new for v2.10 */
++#define CKM_PKCS5_PBKD2 0x000003B0
++
++#define CKM_PBA_SHA1_WITH_SHA1_HMAC 0x000003C0
++
++/* WTLS mechanisms are new for v2.20 */
++#define CKM_WTLS_PRE_MASTER_KEY_GEN 0x000003D0
++#define CKM_WTLS_MASTER_KEY_DERIVE 0x000003D1
++#define CKM_WTLS_MASTER_KEY_DERIVE_DH_ECC 0x000003D2
++#define CKM_WTLS_PRF 0x000003D3
++#define CKM_WTLS_SERVER_KEY_AND_MAC_DERIVE 0x000003D4
++#define CKM_WTLS_CLIENT_KEY_AND_MAC_DERIVE 0x000003D5
++
++#define CKM_KEY_WRAP_LYNKS 0x00000400
++#define CKM_KEY_WRAP_SET_OAEP 0x00000401
++
++/* CKM_CMS_SIG is new for v2.20 */
++#define CKM_CMS_SIG 0x00000500
++
++/* CKM_KIP mechanisms are new for PKCS #11 v2.20 amendment 2 */
++#define CKM_KIP_DERIVE 0x00000510
++#define CKM_KIP_WRAP 0x00000511
++#define CKM_KIP_MAC 0x00000512
++
++/* Camellia is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_CAMELLIA_KEY_GEN 0x00000550
++#define CKM_CAMELLIA_ECB 0x00000551
++#define CKM_CAMELLIA_CBC 0x00000552
++#define CKM_CAMELLIA_MAC 0x00000553
++#define CKM_CAMELLIA_MAC_GENERAL 0x00000554
++#define CKM_CAMELLIA_CBC_PAD 0x00000555
++#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556
++#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557
++#define CKM_CAMELLIA_CTR 0x00000558
++
++/* ARIA is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_ARIA_KEY_GEN 0x00000560
++#define CKM_ARIA_ECB 0x00000561
++#define CKM_ARIA_CBC 0x00000562
++#define CKM_ARIA_MAC 0x00000563
++#define CKM_ARIA_MAC_GENERAL 0x00000564
++#define CKM_ARIA_CBC_PAD 0x00000565
++#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566
++#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567
++
++/* Fortezza mechanisms */
++#define CKM_SKIPJACK_KEY_GEN 0x00001000
++#define CKM_SKIPJACK_ECB64 0x00001001
++#define CKM_SKIPJACK_CBC64 0x00001002
++#define CKM_SKIPJACK_OFB64 0x00001003
++#define CKM_SKIPJACK_CFB64 0x00001004
++#define CKM_SKIPJACK_CFB32 0x00001005
++#define CKM_SKIPJACK_CFB16 0x00001006
++#define CKM_SKIPJACK_CFB8 0x00001007
++#define CKM_SKIPJACK_WRAP 0x00001008
++#define CKM_SKIPJACK_PRIVATE_WRAP 0x00001009
++#define CKM_SKIPJACK_RELAYX 0x0000100a
++#define CKM_KEA_KEY_PAIR_GEN 0x00001010
++#define CKM_KEA_KEY_DERIVE 0x00001011
++#define CKM_FORTEZZA_TIMESTAMP 0x00001020
++#define CKM_BATON_KEY_GEN 0x00001030
++#define CKM_BATON_ECB128 0x00001031
++#define CKM_BATON_ECB96 0x00001032
++#define CKM_BATON_CBC128 0x00001033
++#define CKM_BATON_COUNTER 0x00001034
++#define CKM_BATON_SHUFFLE 0x00001035
++#define CKM_BATON_WRAP 0x00001036
++
++/* CKM_ECDSA_KEY_PAIR_GEN is deprecated in v2.11,
++ * CKM_EC_KEY_PAIR_GEN is preferred */
++#define CKM_ECDSA_KEY_PAIR_GEN 0x00001040
++#define CKM_EC_KEY_PAIR_GEN 0x00001040
++
++#define CKM_ECDSA 0x00001041
++#define CKM_ECDSA_SHA1 0x00001042
++
++/* CKM_ECDH1_DERIVE, CKM_ECDH1_COFACTOR_DERIVE, and CKM_ECMQV_DERIVE
++ * are new for v2.11 */
++#define CKM_ECDH1_DERIVE 0x00001050
++#define CKM_ECDH1_COFACTOR_DERIVE 0x00001051
++#define CKM_ECMQV_DERIVE 0x00001052
++
++#define CKM_JUNIPER_KEY_GEN 0x00001060
++#define CKM_JUNIPER_ECB128 0x00001061
++#define CKM_JUNIPER_CBC128 0x00001062
++#define CKM_JUNIPER_COUNTER 0x00001063
++#define CKM_JUNIPER_SHUFFLE 0x00001064
++#define CKM_JUNIPER_WRAP 0x00001065
++#define CKM_FASTHASH 0x00001070
++
++/* CKM_AES_KEY_GEN, CKM_AES_ECB, CKM_AES_CBC, CKM_AES_MAC,
++ * CKM_AES_MAC_GENERAL, CKM_AES_CBC_PAD, CKM_DSA_PARAMETER_GEN,
++ * CKM_DH_PKCS_PARAMETER_GEN, and CKM_X9_42_DH_PARAMETER_GEN are
++ * new for v2.11 */
++#define CKM_AES_KEY_GEN 0x00001080
++#define CKM_AES_ECB 0x00001081
++#define CKM_AES_CBC 0x00001082
++#define CKM_AES_MAC 0x00001083
++#define CKM_AES_MAC_GENERAL 0x00001084
++#define CKM_AES_CBC_PAD 0x00001085
++
++/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */
++#define CKM_AES_CTR 0x00001086
++
++/* BlowFish and TwoFish are new for v2.20 */
++#define CKM_BLOWFISH_KEY_GEN 0x00001090
++#define CKM_BLOWFISH_CBC 0x00001091
++#define CKM_TWOFISH_KEY_GEN 0x00001092
++#define CKM_TWOFISH_CBC 0x00001093
++
++
++/* CKM_xxx_ENCRYPT_DATA mechanisms are new for v2.20 */
++#define CKM_DES_ECB_ENCRYPT_DATA 0x00001100
++#define CKM_DES_CBC_ENCRYPT_DATA 0x00001101
++#define CKM_DES3_ECB_ENCRYPT_DATA 0x00001102
++#define CKM_DES3_CBC_ENCRYPT_DATA 0x00001103
++#define CKM_AES_ECB_ENCRYPT_DATA 0x00001104
++#define CKM_AES_CBC_ENCRYPT_DATA 0x00001105
++
++#define CKM_DSA_PARAMETER_GEN 0x00002000
++#define CKM_DH_PKCS_PARAMETER_GEN 0x00002001
++#define CKM_X9_42_DH_PARAMETER_GEN 0x00002002
++
++#define CKM_VENDOR_DEFINED 0x80000000
++
++typedef CK_MECHANISM_TYPE CK_PTR CK_MECHANISM_TYPE_PTR;
++
++
++/* CK_MECHANISM is a structure that specifies a particular
++ * mechanism */
++typedef struct CK_MECHANISM {
++ CK_MECHANISM_TYPE mechanism;
++ CK_VOID_PTR pParameter;
++
++ /* ulParameterLen was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++ CK_ULONG ulParameterLen; /* in bytes */
++} CK_MECHANISM;
++
++typedef CK_MECHANISM CK_PTR CK_MECHANISM_PTR;
++
++
++/* CK_MECHANISM_INFO provides information about a particular
++ * mechanism */
++typedef struct CK_MECHANISM_INFO {
++ CK_ULONG ulMinKeySize;
++ CK_ULONG ulMaxKeySize;
++ CK_FLAGS flags;
++} CK_MECHANISM_INFO;
++
++/* The flags are defined as follows:
++ * Bit Flag Mask Meaning */
++#define CKF_HW 0x00000001 /* performed by HW */
++
++/* The flags CKF_ENCRYPT, CKF_DECRYPT, CKF_DIGEST, CKF_SIGN,
++ * CKG_SIGN_RECOVER, CKF_VERIFY, CKF_VERIFY_RECOVER,
++ * CKF_GENERATE, CKF_GENERATE_KEY_PAIR, CKF_WRAP, CKF_UNWRAP,
++ * and CKF_DERIVE are new for v2.0. They specify whether or not
++ * a mechanism can be used for a particular task */
++#define CKF_ENCRYPT 0x00000100
++#define CKF_DECRYPT 0x00000200
++#define CKF_DIGEST 0x00000400
++#define CKF_SIGN 0x00000800
++#define CKF_SIGN_RECOVER 0x00001000
++#define CKF_VERIFY 0x00002000
++#define CKF_VERIFY_RECOVER 0x00004000
++#define CKF_GENERATE 0x00008000
++#define CKF_GENERATE_KEY_PAIR 0x00010000
++#define CKF_WRAP 0x00020000
++#define CKF_UNWRAP 0x00040000
++#define CKF_DERIVE 0x00080000
++
++/* CKF_EC_F_P, CKF_EC_F_2M, CKF_EC_ECPARAMETERS, CKF_EC_NAMEDCURVE,
++ * CKF_EC_UNCOMPRESS, and CKF_EC_COMPRESS are new for v2.11. They
++ * describe a token's EC capabilities not available in mechanism
++ * information. */
++#define CKF_EC_F_P 0x00100000
++#define CKF_EC_F_2M 0x00200000
++#define CKF_EC_ECPARAMETERS 0x00400000
++#define CKF_EC_NAMEDCURVE 0x00800000
++#define CKF_EC_UNCOMPRESS 0x01000000
++#define CKF_EC_COMPRESS 0x02000000
++
++#define CKF_EXTENSION 0x80000000 /* FALSE for this version */
++
++typedef CK_MECHANISM_INFO CK_PTR CK_MECHANISM_INFO_PTR;
++
++
++/* CK_RV is a value that identifies the return value of a
++ * Cryptoki function */
++/* CK_RV was changed from CK_USHORT to CK_ULONG for v2.0 */
++typedef CK_ULONG CK_RV;
++
++#define CKR_OK 0x00000000
++#define CKR_CANCEL 0x00000001
++#define CKR_HOST_MEMORY 0x00000002
++#define CKR_SLOT_ID_INVALID 0x00000003
++
++/* CKR_FLAGS_INVALID was removed for v2.0 */
++
++/* CKR_GENERAL_ERROR and CKR_FUNCTION_FAILED are new for v2.0 */
++#define CKR_GENERAL_ERROR 0x00000005
++#define CKR_FUNCTION_FAILED 0x00000006
++
++/* CKR_ARGUMENTS_BAD, CKR_NO_EVENT, CKR_NEED_TO_CREATE_THREADS,
++ * and CKR_CANT_LOCK are new for v2.01 */
++#define CKR_ARGUMENTS_BAD 0x00000007
++#define CKR_NO_EVENT 0x00000008
++#define CKR_NEED_TO_CREATE_THREADS 0x00000009
++#define CKR_CANT_LOCK 0x0000000A
++
++#define CKR_ATTRIBUTE_READ_ONLY 0x00000010
++#define CKR_ATTRIBUTE_SENSITIVE 0x00000011
++#define CKR_ATTRIBUTE_TYPE_INVALID 0x00000012
++#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013
++#define CKR_DATA_INVALID 0x00000020
++#define CKR_DATA_LEN_RANGE 0x00000021
++#define CKR_DEVICE_ERROR 0x00000030
++#define CKR_DEVICE_MEMORY 0x00000031
++#define CKR_DEVICE_REMOVED 0x00000032
++#define CKR_ENCRYPTED_DATA_INVALID 0x00000040
++#define CKR_ENCRYPTED_DATA_LEN_RANGE 0x00000041
++#define CKR_FUNCTION_CANCELED 0x00000050
++#define CKR_FUNCTION_NOT_PARALLEL 0x00000051
++
++/* CKR_FUNCTION_NOT_SUPPORTED is new for v2.0 */
++#define CKR_FUNCTION_NOT_SUPPORTED 0x00000054
++
++#define CKR_KEY_HANDLE_INVALID 0x00000060
++
++/* CKR_KEY_SENSITIVE was removed for v2.0 */
++
++#define CKR_KEY_SIZE_RANGE 0x00000062
++#define CKR_KEY_TYPE_INCONSISTENT 0x00000063
++
++/* CKR_KEY_NOT_NEEDED, CKR_KEY_CHANGED, CKR_KEY_NEEDED,
++ * CKR_KEY_INDIGESTIBLE, CKR_KEY_FUNCTION_NOT_PERMITTED,
++ * CKR_KEY_NOT_WRAPPABLE, and CKR_KEY_UNEXTRACTABLE are new for
++ * v2.0 */
++#define CKR_KEY_NOT_NEEDED 0x00000064
++#define CKR_KEY_CHANGED 0x00000065
++#define CKR_KEY_NEEDED 0x00000066
++#define CKR_KEY_INDIGESTIBLE 0x00000067
++#define CKR_KEY_FUNCTION_NOT_PERMITTED 0x00000068
++#define CKR_KEY_NOT_WRAPPABLE 0x00000069
++#define CKR_KEY_UNEXTRACTABLE 0x0000006A
++
++#define CKR_MECHANISM_INVALID 0x00000070
++#define CKR_MECHANISM_PARAM_INVALID 0x00000071
++
++/* CKR_OBJECT_CLASS_INCONSISTENT and CKR_OBJECT_CLASS_INVALID
++ * were removed for v2.0 */
++#define CKR_OBJECT_HANDLE_INVALID 0x00000082
++#define CKR_OPERATION_ACTIVE 0x00000090
++#define CKR_OPERATION_NOT_INITIALIZED 0x00000091
++#define CKR_PIN_INCORRECT 0x000000A0
++#define CKR_PIN_INVALID 0x000000A1
++#define CKR_PIN_LEN_RANGE 0x000000A2
++
++/* CKR_PIN_EXPIRED and CKR_PIN_LOCKED are new for v2.0 */
++#define CKR_PIN_EXPIRED 0x000000A3
++#define CKR_PIN_LOCKED 0x000000A4
++
++#define CKR_SESSION_CLOSED 0x000000B0
++#define CKR_SESSION_COUNT 0x000000B1
++#define CKR_SESSION_HANDLE_INVALID 0x000000B3
++#define CKR_SESSION_PARALLEL_NOT_SUPPORTED 0x000000B4
++#define CKR_SESSION_READ_ONLY 0x000000B5
++#define CKR_SESSION_EXISTS 0x000000B6
++
++/* CKR_SESSION_READ_ONLY_EXISTS and
++ * CKR_SESSION_READ_WRITE_SO_EXISTS are new for v2.0 */
++#define CKR_SESSION_READ_ONLY_EXISTS 0x000000B7
++#define CKR_SESSION_READ_WRITE_SO_EXISTS 0x000000B8
++
++#define CKR_SIGNATURE_INVALID 0x000000C0
++#define CKR_SIGNATURE_LEN_RANGE 0x000000C1
++#define CKR_TEMPLATE_INCOMPLETE 0x000000D0
++#define CKR_TEMPLATE_INCONSISTENT 0x000000D1
++#define CKR_TOKEN_NOT_PRESENT 0x000000E0
++#define CKR_TOKEN_NOT_RECOGNIZED 0x000000E1
++#define CKR_TOKEN_WRITE_PROTECTED 0x000000E2
++#define CKR_UNWRAPPING_KEY_HANDLE_INVALID 0x000000F0
++#define CKR_UNWRAPPING_KEY_SIZE_RANGE 0x000000F1
++#define CKR_UNWRAPPING_KEY_TYPE_INCONSISTENT 0x000000F2
++#define CKR_USER_ALREADY_LOGGED_IN 0x00000100
++#define CKR_USER_NOT_LOGGED_IN 0x00000101
++#define CKR_USER_PIN_NOT_INITIALIZED 0x00000102
++#define CKR_USER_TYPE_INVALID 0x00000103
++
++/* CKR_USER_ANOTHER_ALREADY_LOGGED_IN and CKR_USER_TOO_MANY_TYPES
++ * are new to v2.01 */
++#define CKR_USER_ANOTHER_ALREADY_LOGGED_IN 0x00000104
++#define CKR_USER_TOO_MANY_TYPES 0x00000105
++
++#define CKR_WRAPPED_KEY_INVALID 0x00000110
++#define CKR_WRAPPED_KEY_LEN_RANGE 0x00000112
++#define CKR_WRAPPING_KEY_HANDLE_INVALID 0x00000113
++#define CKR_WRAPPING_KEY_SIZE_RANGE 0x00000114
++#define CKR_WRAPPING_KEY_TYPE_INCONSISTENT 0x00000115
++#define CKR_RANDOM_SEED_NOT_SUPPORTED 0x00000120
++
++/* These are new to v2.0 */
++#define CKR_RANDOM_NO_RNG 0x00000121
++
++/* These are new to v2.11 */
++#define CKR_DOMAIN_PARAMS_INVALID 0x00000130
++
++/* These are new to v2.0 */
++#define CKR_BUFFER_TOO_SMALL 0x00000150
++#define CKR_SAVED_STATE_INVALID 0x00000160
++#define CKR_INFORMATION_SENSITIVE 0x00000170
++#define CKR_STATE_UNSAVEABLE 0x00000180
++
++/* These are new to v2.01 */
++#define CKR_CRYPTOKI_NOT_INITIALIZED 0x00000190
++#define CKR_CRYPTOKI_ALREADY_INITIALIZED 0x00000191
++#define CKR_MUTEX_BAD 0x000001A0
++#define CKR_MUTEX_NOT_LOCKED 0x000001A1
++
++/* The following return values are new for PKCS #11 v2.20 amendment 3 */
++#define CKR_NEW_PIN_MODE 0x000001B0
++#define CKR_NEXT_OTP 0x000001B1
++
++/* This is new to v2.20 */
++#define CKR_FUNCTION_REJECTED 0x00000200
++
++#define CKR_VENDOR_DEFINED 0x80000000
++
++
++/* CK_NOTIFY is an application callback that processes events */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_NOTIFY)(
++ CK_SESSION_HANDLE hSession, /* the session's handle */
++ CK_NOTIFICATION event,
++ CK_VOID_PTR pApplication /* passed to C_OpenSession */
++);
++
++
++/* CK_FUNCTION_LIST is a structure holding a Cryptoki spec
++ * version and pointers of appropriate types to all the
++ * Cryptoki functions */
++/* CK_FUNCTION_LIST is new for v2.0 */
++typedef struct CK_FUNCTION_LIST CK_FUNCTION_LIST;
++
++typedef CK_FUNCTION_LIST CK_PTR CK_FUNCTION_LIST_PTR;
++
++typedef CK_FUNCTION_LIST_PTR CK_PTR CK_FUNCTION_LIST_PTR_PTR;
++
++
++/* CK_CREATEMUTEX is an application callback for creating a
++ * mutex object */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_CREATEMUTEX)(
++ CK_VOID_PTR_PTR ppMutex /* location to receive ptr to mutex */
++);
++
++
++/* CK_DESTROYMUTEX is an application callback for destroying a
++ * mutex object */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_DESTROYMUTEX)(
++ CK_VOID_PTR pMutex /* pointer to mutex */
++);
++
++
++/* CK_LOCKMUTEX is an application callback for locking a mutex */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_LOCKMUTEX)(
++ CK_VOID_PTR pMutex /* pointer to mutex */
++);
++
++
++/* CK_UNLOCKMUTEX is an application callback for unlocking a
++ * mutex */
++typedef CK_CALLBACK_FUNCTION(CK_RV, CK_UNLOCKMUTEX)(
++ CK_VOID_PTR pMutex /* pointer to mutex */
++);
++
++
++/* CK_C_INITIALIZE_ARGS provides the optional arguments to
++ * C_Initialize */
++typedef struct CK_C_INITIALIZE_ARGS {
++ CK_CREATEMUTEX CreateMutex;
++ CK_DESTROYMUTEX DestroyMutex;
++ CK_LOCKMUTEX LockMutex;
++ CK_UNLOCKMUTEX UnlockMutex;
++ CK_FLAGS flags;
++ CK_VOID_PTR pReserved;
++} CK_C_INITIALIZE_ARGS;
++
++/* flags: bit flags that provide capabilities of the slot
++ * Bit Flag Mask Meaning
++ */
++#define CKF_LIBRARY_CANT_CREATE_OS_THREADS 0x00000001
++#define CKF_OS_LOCKING_OK 0x00000002
++
++typedef CK_C_INITIALIZE_ARGS CK_PTR CK_C_INITIALIZE_ARGS_PTR;
++
++
++/* additional flags for parameters to functions */
++
++/* CKF_DONT_BLOCK is for the function C_WaitForSlotEvent */
++#define CKF_DONT_BLOCK 1
++
++/* CK_RSA_PKCS_OAEP_MGF_TYPE is new for v2.10.
++ * CK_RSA_PKCS_OAEP_MGF_TYPE is used to indicate the Message
++ * Generation Function (MGF) applied to a message block when
++ * formatting a message block for the PKCS #1 OAEP encryption
++ * scheme. */
++typedef CK_ULONG CK_RSA_PKCS_MGF_TYPE;
++
++typedef CK_RSA_PKCS_MGF_TYPE CK_PTR CK_RSA_PKCS_MGF_TYPE_PTR;
++
++/* The following MGFs are defined */
++/* CKG_MGF1_SHA256, CKG_MGF1_SHA384, and CKG_MGF1_SHA512
++ * are new for v2.20 */
++#define CKG_MGF1_SHA1 0x00000001
++#define CKG_MGF1_SHA256 0x00000002
++#define CKG_MGF1_SHA384 0x00000003
++#define CKG_MGF1_SHA512 0x00000004
++/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */
++#define CKG_MGF1_SHA224 0x00000005
++
++/* CK_RSA_PKCS_OAEP_SOURCE_TYPE is new for v2.10.
++ * CK_RSA_PKCS_OAEP_SOURCE_TYPE is used to indicate the source
++ * of the encoding parameter when formatting a message block
++ * for the PKCS #1 OAEP encryption scheme. */
++typedef CK_ULONG CK_RSA_PKCS_OAEP_SOURCE_TYPE;
++
++typedef CK_RSA_PKCS_OAEP_SOURCE_TYPE CK_PTR CK_RSA_PKCS_OAEP_SOURCE_TYPE_PTR;
++
++/* The following encoding parameter sources are defined */
++#define CKZ_DATA_SPECIFIED 0x00000001
++
++/* CK_RSA_PKCS_OAEP_PARAMS is new for v2.10.
++ * CK_RSA_PKCS_OAEP_PARAMS provides the parameters to the
++ * CKM_RSA_PKCS_OAEP mechanism. */
++typedef struct CK_RSA_PKCS_OAEP_PARAMS {
++ CK_MECHANISM_TYPE hashAlg;
++ CK_RSA_PKCS_MGF_TYPE mgf;
++ CK_RSA_PKCS_OAEP_SOURCE_TYPE source;
++ CK_VOID_PTR pSourceData;
++ CK_ULONG ulSourceDataLen;
++} CK_RSA_PKCS_OAEP_PARAMS;
++
++typedef CK_RSA_PKCS_OAEP_PARAMS CK_PTR CK_RSA_PKCS_OAEP_PARAMS_PTR;
++
++/* CK_RSA_PKCS_PSS_PARAMS is new for v2.11.
++ * CK_RSA_PKCS_PSS_PARAMS provides the parameters to the
++ * CKM_RSA_PKCS_PSS mechanism(s). */
++typedef struct CK_RSA_PKCS_PSS_PARAMS {
++ CK_MECHANISM_TYPE hashAlg;
++ CK_RSA_PKCS_MGF_TYPE mgf;
++ CK_ULONG sLen;
++} CK_RSA_PKCS_PSS_PARAMS;
++
++typedef CK_RSA_PKCS_PSS_PARAMS CK_PTR CK_RSA_PKCS_PSS_PARAMS_PTR;
++
++/* CK_EC_KDF_TYPE is new for v2.11. */
++typedef CK_ULONG CK_EC_KDF_TYPE;
++
++/* The following EC Key Derivation Functions are defined */
++#define CKD_NULL 0x00000001
++#define CKD_SHA1_KDF 0x00000002
++
++/* CK_ECDH1_DERIVE_PARAMS is new for v2.11.
++ * CK_ECDH1_DERIVE_PARAMS provides the parameters to the
++ * CKM_ECDH1_DERIVE and CKM_ECDH1_COFACTOR_DERIVE mechanisms,
++ * where each party contributes one key pair.
++ */
++typedef struct CK_ECDH1_DERIVE_PARAMS {
++ CK_EC_KDF_TYPE kdf;
++ CK_ULONG ulSharedDataLen;
++ CK_BYTE_PTR pSharedData;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++} CK_ECDH1_DERIVE_PARAMS;
++
++typedef CK_ECDH1_DERIVE_PARAMS CK_PTR CK_ECDH1_DERIVE_PARAMS_PTR;
++
++
++/* CK_ECDH2_DERIVE_PARAMS is new for v2.11.
++ * CK_ECDH2_DERIVE_PARAMS provides the parameters to the
++ * CKM_ECMQV_DERIVE mechanism, where each party contributes two key pairs. */
++typedef struct CK_ECDH2_DERIVE_PARAMS {
++ CK_EC_KDF_TYPE kdf;
++ CK_ULONG ulSharedDataLen;
++ CK_BYTE_PTR pSharedData;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++ CK_ULONG ulPrivateDataLen;
++ CK_OBJECT_HANDLE hPrivateData;
++ CK_ULONG ulPublicDataLen2;
++ CK_BYTE_PTR pPublicData2;
++} CK_ECDH2_DERIVE_PARAMS;
++
++typedef CK_ECDH2_DERIVE_PARAMS CK_PTR CK_ECDH2_DERIVE_PARAMS_PTR;
++
++typedef struct CK_ECMQV_DERIVE_PARAMS {
++ CK_EC_KDF_TYPE kdf;
++ CK_ULONG ulSharedDataLen;
++ CK_BYTE_PTR pSharedData;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++ CK_ULONG ulPrivateDataLen;
++ CK_OBJECT_HANDLE hPrivateData;
++ CK_ULONG ulPublicDataLen2;
++ CK_BYTE_PTR pPublicData2;
++ CK_OBJECT_HANDLE publicKey;
++} CK_ECMQV_DERIVE_PARAMS;
++
++typedef CK_ECMQV_DERIVE_PARAMS CK_PTR CK_ECMQV_DERIVE_PARAMS_PTR;
++
++/* Typedefs and defines for the CKM_X9_42_DH_KEY_PAIR_GEN and the
++ * CKM_X9_42_DH_PARAMETER_GEN mechanisms (new for PKCS #11 v2.11) */
++typedef CK_ULONG CK_X9_42_DH_KDF_TYPE;
++typedef CK_X9_42_DH_KDF_TYPE CK_PTR CK_X9_42_DH_KDF_TYPE_PTR;
++
++/* The following X9.42 DH key derivation functions are defined
++ (besides CKD_NULL already defined : */
++#define CKD_SHA1_KDF_ASN1 0x00000003
++#define CKD_SHA1_KDF_CONCATENATE 0x00000004
++
++/* CK_X9_42_DH1_DERIVE_PARAMS is new for v2.11.
++ * CK_X9_42_DH1_DERIVE_PARAMS provides the parameters to the
++ * CKM_X9_42_DH_DERIVE key derivation mechanism, where each party
++ * contributes one key pair */
++typedef struct CK_X9_42_DH1_DERIVE_PARAMS {
++ CK_X9_42_DH_KDF_TYPE kdf;
++ CK_ULONG ulOtherInfoLen;
++ CK_BYTE_PTR pOtherInfo;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++} CK_X9_42_DH1_DERIVE_PARAMS;
++
++typedef struct CK_X9_42_DH1_DERIVE_PARAMS CK_PTR CK_X9_42_DH1_DERIVE_PARAMS_PTR;
++
++/* CK_X9_42_DH2_DERIVE_PARAMS is new for v2.11.
++ * CK_X9_42_DH2_DERIVE_PARAMS provides the parameters to the
++ * CKM_X9_42_DH_HYBRID_DERIVE and CKM_X9_42_MQV_DERIVE key derivation
++ * mechanisms, where each party contributes two key pairs */
++typedef struct CK_X9_42_DH2_DERIVE_PARAMS {
++ CK_X9_42_DH_KDF_TYPE kdf;
++ CK_ULONG ulOtherInfoLen;
++ CK_BYTE_PTR pOtherInfo;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++ CK_ULONG ulPrivateDataLen;
++ CK_OBJECT_HANDLE hPrivateData;
++ CK_ULONG ulPublicDataLen2;
++ CK_BYTE_PTR pPublicData2;
++} CK_X9_42_DH2_DERIVE_PARAMS;
++
++typedef CK_X9_42_DH2_DERIVE_PARAMS CK_PTR CK_X9_42_DH2_DERIVE_PARAMS_PTR;
++
++typedef struct CK_X9_42_MQV_DERIVE_PARAMS {
++ CK_X9_42_DH_KDF_TYPE kdf;
++ CK_ULONG ulOtherInfoLen;
++ CK_BYTE_PTR pOtherInfo;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++ CK_ULONG ulPrivateDataLen;
++ CK_OBJECT_HANDLE hPrivateData;
++ CK_ULONG ulPublicDataLen2;
++ CK_BYTE_PTR pPublicData2;
++ CK_OBJECT_HANDLE publicKey;
++} CK_X9_42_MQV_DERIVE_PARAMS;
++
++typedef CK_X9_42_MQV_DERIVE_PARAMS CK_PTR CK_X9_42_MQV_DERIVE_PARAMS_PTR;
++
++/* CK_KEA_DERIVE_PARAMS provides the parameters to the
++ * CKM_KEA_DERIVE mechanism */
++/* CK_KEA_DERIVE_PARAMS is new for v2.0 */
++typedef struct CK_KEA_DERIVE_PARAMS {
++ CK_BBOOL isSender;
++ CK_ULONG ulRandomLen;
++ CK_BYTE_PTR pRandomA;
++ CK_BYTE_PTR pRandomB;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++} CK_KEA_DERIVE_PARAMS;
++
++typedef CK_KEA_DERIVE_PARAMS CK_PTR CK_KEA_DERIVE_PARAMS_PTR;
++
++
++/* CK_RC2_PARAMS provides the parameters to the CKM_RC2_ECB and
++ * CKM_RC2_MAC mechanisms. An instance of CK_RC2_PARAMS just
++ * holds the effective keysize */
++typedef CK_ULONG CK_RC2_PARAMS;
++
++typedef CK_RC2_PARAMS CK_PTR CK_RC2_PARAMS_PTR;
++
++
++/* CK_RC2_CBC_PARAMS provides the parameters to the CKM_RC2_CBC
++ * mechanism */
++typedef struct CK_RC2_CBC_PARAMS {
++ /* ulEffectiveBits was changed from CK_USHORT to CK_ULONG for
++ * v2.0 */
++ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
++
++ CK_BYTE iv[8]; /* IV for CBC mode */
++} CK_RC2_CBC_PARAMS;
++
++typedef CK_RC2_CBC_PARAMS CK_PTR CK_RC2_CBC_PARAMS_PTR;
++
++
++/* CK_RC2_MAC_GENERAL_PARAMS provides the parameters for the
++ * CKM_RC2_MAC_GENERAL mechanism */
++/* CK_RC2_MAC_GENERAL_PARAMS is new for v2.0 */
++typedef struct CK_RC2_MAC_GENERAL_PARAMS {
++ CK_ULONG ulEffectiveBits; /* effective bits (1-1024) */
++ CK_ULONG ulMacLength; /* Length of MAC in bytes */
++} CK_RC2_MAC_GENERAL_PARAMS;
++
++typedef CK_RC2_MAC_GENERAL_PARAMS CK_PTR \
++ CK_RC2_MAC_GENERAL_PARAMS_PTR;
++
++
++/* CK_RC5_PARAMS provides the parameters to the CKM_RC5_ECB and
++ * CKM_RC5_MAC mechanisms */
++/* CK_RC5_PARAMS is new for v2.0 */
++typedef struct CK_RC5_PARAMS {
++ CK_ULONG ulWordsize; /* wordsize in bits */
++ CK_ULONG ulRounds; /* number of rounds */
++} CK_RC5_PARAMS;
++
++typedef CK_RC5_PARAMS CK_PTR CK_RC5_PARAMS_PTR;
++
++
++/* CK_RC5_CBC_PARAMS provides the parameters to the CKM_RC5_CBC
++ * mechanism */
++/* CK_RC5_CBC_PARAMS is new for v2.0 */
++typedef struct CK_RC5_CBC_PARAMS {
++ CK_ULONG ulWordsize; /* wordsize in bits */
++ CK_ULONG ulRounds; /* number of rounds */
++ CK_BYTE_PTR pIv; /* pointer to IV */
++ CK_ULONG ulIvLen; /* length of IV in bytes */
++} CK_RC5_CBC_PARAMS;
++
++typedef CK_RC5_CBC_PARAMS CK_PTR CK_RC5_CBC_PARAMS_PTR;
++
++
++/* CK_RC5_MAC_GENERAL_PARAMS provides the parameters for the
++ * CKM_RC5_MAC_GENERAL mechanism */
++/* CK_RC5_MAC_GENERAL_PARAMS is new for v2.0 */
++typedef struct CK_RC5_MAC_GENERAL_PARAMS {
++ CK_ULONG ulWordsize; /* wordsize in bits */
++ CK_ULONG ulRounds; /* number of rounds */
++ CK_ULONG ulMacLength; /* Length of MAC in bytes */
++} CK_RC5_MAC_GENERAL_PARAMS;
++
++typedef CK_RC5_MAC_GENERAL_PARAMS CK_PTR \
++ CK_RC5_MAC_GENERAL_PARAMS_PTR;
++
++
++/* CK_MAC_GENERAL_PARAMS provides the parameters to most block
++ * ciphers' MAC_GENERAL mechanisms. Its value is the length of
++ * the MAC */
++/* CK_MAC_GENERAL_PARAMS is new for v2.0 */
++typedef CK_ULONG CK_MAC_GENERAL_PARAMS;
++
++typedef CK_MAC_GENERAL_PARAMS CK_PTR CK_MAC_GENERAL_PARAMS_PTR;
++
++/* CK_DES/AES_ECB/CBC_ENCRYPT_DATA_PARAMS are new for v2.20 */
++typedef struct CK_DES_CBC_ENCRYPT_DATA_PARAMS {
++ CK_BYTE iv[8];
++ CK_BYTE_PTR pData;
++ CK_ULONG length;
++} CK_DES_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_DES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_DES_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++typedef struct CK_AES_CBC_ENCRYPT_DATA_PARAMS {
++ CK_BYTE iv[16];
++ CK_BYTE_PTR pData;
++ CK_ULONG length;
++} CK_AES_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_AES_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_AES_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS provides the parameters to the
++ * CKM_SKIPJACK_PRIVATE_WRAP mechanism */
++/* CK_SKIPJACK_PRIVATE_WRAP_PARAMS is new for v2.0 */
++typedef struct CK_SKIPJACK_PRIVATE_WRAP_PARAMS {
++ CK_ULONG ulPasswordLen;
++ CK_BYTE_PTR pPassword;
++ CK_ULONG ulPublicDataLen;
++ CK_BYTE_PTR pPublicData;
++ CK_ULONG ulPAndGLen;
++ CK_ULONG ulQLen;
++ CK_ULONG ulRandomLen;
++ CK_BYTE_PTR pRandomA;
++ CK_BYTE_PTR pPrimeP;
++ CK_BYTE_PTR pBaseG;
++ CK_BYTE_PTR pSubprimeQ;
++} CK_SKIPJACK_PRIVATE_WRAP_PARAMS;
++
++typedef CK_SKIPJACK_PRIVATE_WRAP_PARAMS CK_PTR \
++ CK_SKIPJACK_PRIVATE_WRAP_PTR;
++
++
++/* CK_SKIPJACK_RELAYX_PARAMS provides the parameters to the
++ * CKM_SKIPJACK_RELAYX mechanism */
++/* CK_SKIPJACK_RELAYX_PARAMS is new for v2.0 */
++typedef struct CK_SKIPJACK_RELAYX_PARAMS {
++ CK_ULONG ulOldWrappedXLen;
++ CK_BYTE_PTR pOldWrappedX;
++ CK_ULONG ulOldPasswordLen;
++ CK_BYTE_PTR pOldPassword;
++ CK_ULONG ulOldPublicDataLen;
++ CK_BYTE_PTR pOldPublicData;
++ CK_ULONG ulOldRandomLen;
++ CK_BYTE_PTR pOldRandomA;
++ CK_ULONG ulNewPasswordLen;
++ CK_BYTE_PTR pNewPassword;
++ CK_ULONG ulNewPublicDataLen;
++ CK_BYTE_PTR pNewPublicData;
++ CK_ULONG ulNewRandomLen;
++ CK_BYTE_PTR pNewRandomA;
++} CK_SKIPJACK_RELAYX_PARAMS;
++
++typedef CK_SKIPJACK_RELAYX_PARAMS CK_PTR \
++ CK_SKIPJACK_RELAYX_PARAMS_PTR;
++
++
++typedef struct CK_PBE_PARAMS {
++ CK_BYTE_PTR pInitVector;
++ CK_UTF8CHAR_PTR pPassword;
++ CK_ULONG ulPasswordLen;
++ CK_BYTE_PTR pSalt;
++ CK_ULONG ulSaltLen;
++ CK_ULONG ulIteration;
++} CK_PBE_PARAMS;
++
++typedef CK_PBE_PARAMS CK_PTR CK_PBE_PARAMS_PTR;
++
++
++/* CK_KEY_WRAP_SET_OAEP_PARAMS provides the parameters to the
++ * CKM_KEY_WRAP_SET_OAEP mechanism */
++/* CK_KEY_WRAP_SET_OAEP_PARAMS is new for v2.0 */
++typedef struct CK_KEY_WRAP_SET_OAEP_PARAMS {
++ CK_BYTE bBC; /* block contents byte */
++ CK_BYTE_PTR pX; /* extra data */
++ CK_ULONG ulXLen; /* length of extra data in bytes */
++} CK_KEY_WRAP_SET_OAEP_PARAMS;
++
++typedef CK_KEY_WRAP_SET_OAEP_PARAMS CK_PTR \
++ CK_KEY_WRAP_SET_OAEP_PARAMS_PTR;
++
++
++typedef struct CK_SSL3_RANDOM_DATA {
++ CK_BYTE_PTR pClientRandom;
++ CK_ULONG ulClientRandomLen;
++ CK_BYTE_PTR pServerRandom;
++ CK_ULONG ulServerRandomLen;
++} CK_SSL3_RANDOM_DATA;
++
++
++typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS {
++ CK_SSL3_RANDOM_DATA RandomInfo;
++ CK_VERSION_PTR pVersion;
++} CK_SSL3_MASTER_KEY_DERIVE_PARAMS;
++
++typedef struct CK_SSL3_MASTER_KEY_DERIVE_PARAMS CK_PTR \
++ CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR;
++
++
++typedef struct CK_SSL3_KEY_MAT_OUT {
++ CK_OBJECT_HANDLE hClientMacSecret;
++ CK_OBJECT_HANDLE hServerMacSecret;
++ CK_OBJECT_HANDLE hClientKey;
++ CK_OBJECT_HANDLE hServerKey;
++ CK_BYTE_PTR pIVClient;
++ CK_BYTE_PTR pIVServer;
++} CK_SSL3_KEY_MAT_OUT;
++
++typedef CK_SSL3_KEY_MAT_OUT CK_PTR CK_SSL3_KEY_MAT_OUT_PTR;
++
++
++typedef struct CK_SSL3_KEY_MAT_PARAMS {
++ CK_ULONG ulMacSizeInBits;
++ CK_ULONG ulKeySizeInBits;
++ CK_ULONG ulIVSizeInBits;
++ CK_BBOOL bIsExport;
++ CK_SSL3_RANDOM_DATA RandomInfo;
++ CK_SSL3_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
++} CK_SSL3_KEY_MAT_PARAMS;
++
++typedef CK_SSL3_KEY_MAT_PARAMS CK_PTR CK_SSL3_KEY_MAT_PARAMS_PTR;
++
++/* CK_TLS_PRF_PARAMS is new for version 2.20 */
++typedef struct CK_TLS_PRF_PARAMS {
++ CK_BYTE_PTR pSeed;
++ CK_ULONG ulSeedLen;
++ CK_BYTE_PTR pLabel;
++ CK_ULONG ulLabelLen;
++ CK_BYTE_PTR pOutput;
++ CK_ULONG_PTR pulOutputLen;
++} CK_TLS_PRF_PARAMS;
++
++typedef CK_TLS_PRF_PARAMS CK_PTR CK_TLS_PRF_PARAMS_PTR;
++
++/* WTLS is new for version 2.20 */
++typedef struct CK_WTLS_RANDOM_DATA {
++ CK_BYTE_PTR pClientRandom;
++ CK_ULONG ulClientRandomLen;
++ CK_BYTE_PTR pServerRandom;
++ CK_ULONG ulServerRandomLen;
++} CK_WTLS_RANDOM_DATA;
++
++typedef CK_WTLS_RANDOM_DATA CK_PTR CK_WTLS_RANDOM_DATA_PTR;
++
++typedef struct CK_WTLS_MASTER_KEY_DERIVE_PARAMS {
++ CK_MECHANISM_TYPE DigestMechanism;
++ CK_WTLS_RANDOM_DATA RandomInfo;
++ CK_BYTE_PTR pVersion;
++} CK_WTLS_MASTER_KEY_DERIVE_PARAMS;
++
++typedef CK_WTLS_MASTER_KEY_DERIVE_PARAMS CK_PTR \
++ CK_WTLS_MASTER_KEY_DERIVE_PARAMS_PTR;
++
++typedef struct CK_WTLS_PRF_PARAMS {
++ CK_MECHANISM_TYPE DigestMechanism;
++ CK_BYTE_PTR pSeed;
++ CK_ULONG ulSeedLen;
++ CK_BYTE_PTR pLabel;
++ CK_ULONG ulLabelLen;
++ CK_BYTE_PTR pOutput;
++ CK_ULONG_PTR pulOutputLen;
++} CK_WTLS_PRF_PARAMS;
++
++typedef CK_WTLS_PRF_PARAMS CK_PTR CK_WTLS_PRF_PARAMS_PTR;
++
++typedef struct CK_WTLS_KEY_MAT_OUT {
++ CK_OBJECT_HANDLE hMacSecret;
++ CK_OBJECT_HANDLE hKey;
++ CK_BYTE_PTR pIV;
++} CK_WTLS_KEY_MAT_OUT;
++
++typedef CK_WTLS_KEY_MAT_OUT CK_PTR CK_WTLS_KEY_MAT_OUT_PTR;
++
++typedef struct CK_WTLS_KEY_MAT_PARAMS {
++ CK_MECHANISM_TYPE DigestMechanism;
++ CK_ULONG ulMacSizeInBits;
++ CK_ULONG ulKeySizeInBits;
++ CK_ULONG ulIVSizeInBits;
++ CK_ULONG ulSequenceNumber;
++ CK_BBOOL bIsExport;
++ CK_WTLS_RANDOM_DATA RandomInfo;
++ CK_WTLS_KEY_MAT_OUT_PTR pReturnedKeyMaterial;
++} CK_WTLS_KEY_MAT_PARAMS;
++
++typedef CK_WTLS_KEY_MAT_PARAMS CK_PTR CK_WTLS_KEY_MAT_PARAMS_PTR;
++
++/* CMS is new for version 2.20 */
++typedef struct CK_CMS_SIG_PARAMS {
++ CK_OBJECT_HANDLE certificateHandle;
++ CK_MECHANISM_PTR pSigningMechanism;
++ CK_MECHANISM_PTR pDigestMechanism;
++ CK_UTF8CHAR_PTR pContentType;
++ CK_BYTE_PTR pRequestedAttributes;
++ CK_ULONG ulRequestedAttributesLen;
++ CK_BYTE_PTR pRequiredAttributes;
++ CK_ULONG ulRequiredAttributesLen;
++} CK_CMS_SIG_PARAMS;
++
++typedef CK_CMS_SIG_PARAMS CK_PTR CK_CMS_SIG_PARAMS_PTR;
++
++typedef struct CK_KEY_DERIVATION_STRING_DATA {
++ CK_BYTE_PTR pData;
++ CK_ULONG ulLen;
++} CK_KEY_DERIVATION_STRING_DATA;
++
++typedef CK_KEY_DERIVATION_STRING_DATA CK_PTR \
++ CK_KEY_DERIVATION_STRING_DATA_PTR;
++
++
++/* The CK_EXTRACT_PARAMS is used for the
++ * CKM_EXTRACT_KEY_FROM_KEY mechanism. It specifies which bit
++ * of the base key should be used as the first bit of the
++ * derived key */
++/* CK_EXTRACT_PARAMS is new for v2.0 */
++typedef CK_ULONG CK_EXTRACT_PARAMS;
++
++typedef CK_EXTRACT_PARAMS CK_PTR CK_EXTRACT_PARAMS_PTR;
++
++/* CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is new for v2.10.
++ * CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE is used to
++ * indicate the Pseudo-Random Function (PRF) used to generate
++ * key bits using PKCS #5 PBKDF2. */
++typedef CK_ULONG CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE;
++
++typedef CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE CK_PTR CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE_PTR;
++
++/* The following PRFs are defined in PKCS #5 v2.0. */
++#define CKP_PKCS5_PBKD2_HMAC_SHA1 0x00000001
++
++
++/* CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is new for v2.10.
++ * CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE is used to indicate the
++ * source of the salt value when deriving a key using PKCS #5
++ * PBKDF2. */
++typedef CK_ULONG CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE;
++
++typedef CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE CK_PTR CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE_PTR;
++
++/* The following salt value sources are defined in PKCS #5 v2.0. */
++#define CKZ_SALT_SPECIFIED 0x00000001
++
++/* CK_PKCS5_PBKD2_PARAMS is new for v2.10.
++ * CK_PKCS5_PBKD2_PARAMS is a structure that provides the
++ * parameters to the CKM_PKCS5_PBKD2 mechanism. */
++typedef struct CK_PKCS5_PBKD2_PARAMS {
++ CK_PKCS5_PBKDF2_SALT_SOURCE_TYPE saltSource;
++ CK_VOID_PTR pSaltSourceData;
++ CK_ULONG ulSaltSourceDataLen;
++ CK_ULONG iterations;
++ CK_PKCS5_PBKD2_PSEUDO_RANDOM_FUNCTION_TYPE prf;
++ CK_VOID_PTR pPrfData;
++ CK_ULONG ulPrfDataLen;
++ CK_UTF8CHAR_PTR pPassword;
++ CK_ULONG_PTR ulPasswordLen;
++} CK_PKCS5_PBKD2_PARAMS;
++
++typedef CK_PKCS5_PBKD2_PARAMS CK_PTR CK_PKCS5_PBKD2_PARAMS_PTR;
++
++/* All CK_OTP structs are new for PKCS #11 v2.20 amendment 3 */
++
++typedef CK_ULONG CK_OTP_PARAM_TYPE;
++typedef CK_OTP_PARAM_TYPE CK_PARAM_TYPE; /* B/w compatibility */
++
++typedef struct CK_OTP_PARAM {
++ CK_OTP_PARAM_TYPE type;
++ CK_VOID_PTR pValue;
++ CK_ULONG ulValueLen;
++} CK_OTP_PARAM;
++
++typedef CK_OTP_PARAM CK_PTR CK_OTP_PARAM_PTR;
++
++typedef struct CK_OTP_PARAMS {
++ CK_OTP_PARAM_PTR pParams;
++ CK_ULONG ulCount;
++} CK_OTP_PARAMS;
++
++typedef CK_OTP_PARAMS CK_PTR CK_OTP_PARAMS_PTR;
++
++typedef struct CK_OTP_SIGNATURE_INFO {
++ CK_OTP_PARAM_PTR pParams;
++ CK_ULONG ulCount;
++} CK_OTP_SIGNATURE_INFO;
++
++typedef CK_OTP_SIGNATURE_INFO CK_PTR CK_OTP_SIGNATURE_INFO_PTR;
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
++#define CK_OTP_VALUE 0
++#define CK_OTP_PIN 1
++#define CK_OTP_CHALLENGE 2
++#define CK_OTP_TIME 3
++#define CK_OTP_COUNTER 4
++#define CK_OTP_FLAGS 5
++#define CK_OTP_OUTPUT_LENGTH 6
++#define CK_OTP_OUTPUT_FORMAT 7
++
++/* The following OTP-related defines are new for PKCS #11 v2.20 amendment 1 */
++#define CKF_NEXT_OTP 0x00000001
++#define CKF_EXCLUDE_TIME 0x00000002
++#define CKF_EXCLUDE_COUNTER 0x00000004
++#define CKF_EXCLUDE_CHALLENGE 0x00000008
++#define CKF_EXCLUDE_PIN 0x00000010
++#define CKF_USER_FRIENDLY_OTP 0x00000020
++
++/* CK_KIP_PARAMS is new for PKCS #11 v2.20 amendment 2 */
++typedef struct CK_KIP_PARAMS {
++ CK_MECHANISM_PTR pMechanism;
++ CK_OBJECT_HANDLE hKey;
++ CK_BYTE_PTR pSeed;
++ CK_ULONG ulSeedLen;
++} CK_KIP_PARAMS;
++
++typedef CK_KIP_PARAMS CK_PTR CK_KIP_PARAMS_PTR;
++
++/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_AES_CTR_PARAMS {
++ CK_ULONG ulCounterBits;
++ CK_BYTE cb[16];
++} CK_AES_CTR_PARAMS;
++
++typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR;
++
++/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_CAMELLIA_CTR_PARAMS {
++ CK_ULONG ulCounterBits;
++ CK_BYTE cb[16];
++} CK_CAMELLIA_CTR_PARAMS;
++
++typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR;
++
++/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS {
++ CK_BYTE iv[16];
++ CK_BYTE_PTR pData;
++ CK_ULONG length;
++} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */
++typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS {
++ CK_BYTE iv[16];
++ CK_BYTE_PTR pData;
++ CK_ULONG length;
++} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS;
++
++typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR;
++
++#endif
+Index: openssl/util/libeay.num
+diff -u openssl/util/libeay.num:1.1.3.1 openssl/util/libeay.num:1.6
+--- openssl/util/libeay.num:1.1.3.1 Mon Feb 2 00:27:56 2009
++++ openssl/util/libeay.num Mon Oct 5 13:17:03 2009
+@@ -3725,3 +3725,5 @@
+ JPAKE_STEP3A_init 4111 EXIST::FUNCTION:JPAKE
+ ERR_load_JPAKE_strings 4112 EXIST::FUNCTION:JPAKE
+ JPAKE_STEP2_init 4113 EXIST::FUNCTION:JPAKE
++ENGINE_load_pk11ca 4114 EXIST::FUNCTION:HW_PKCS11CA,ENGINE
++ENGINE_load_pk11so 4114 EXIST::FUNCTION:HW_PKCS11SO,ENGINE
+Index: openssl/util/mk1mf.pl
+diff -u openssl/util/mk1mf.pl:1.1.3.1 openssl/util/mk1mf.pl:1.7
+--- openssl/util/mk1mf.pl:1.1.3.1 Tue Dec 2 23:50:21 2008
++++ openssl/util/mk1mf.pl Mon Oct 5 13:17:05 2009
+@@ -87,6 +87,8 @@
+ no-ecdh - No ECDH
+ no-engine - No engine
+ no-hw - No hw
++ no-hw-pkcs11ca - No hw PKCS#11 CA flavor
++ no-hw-pkcs11so - No hw PKCS#11 SO flavor
+ nasm - Use NASM for x86 asm
+ nw-nasm - Use NASM x86 asm for NetWare
+ nw-mwasm - Use Metrowerks x86 asm for NetWare
+@@ -242,6 +244,8 @@
+ $cflags.=" -DOPENSSL_NO_ECDH" if $no_ecdh;
+ $cflags.=" -DOPENSSL_NO_ENGINE" if $no_engine;
+ $cflags.=" -DOPENSSL_NO_HW" if $no_hw;
++$cflags.=" -DOPENSSL_NO_HW_PKCS11CA" if $no_hw_pkcs11ca;
++$cflags.=" -DOPENSSL_NO_HW_PKCS11SO" if $no_hw_pkcs11so;
+ $cflags.=" -DOPENSSL_FIPS" if $fips;
+ $cflags.= " -DZLIB" if $zlib_opt;
+ $cflags.= " -DZLIB_SHARED" if $zlib_opt == 2;
+@@ -322,6 +326,9 @@
+ if ($key eq "ZLIB_INCLUDE")
+ { $cflags .= " $val" if $val ne "";}
+
++ if ($key eq "PK11_LIB_LOCATION")
++ { $cflags .= " -D$key=\\\"$val\\\"" if $val ne "";}
++
+ if ($key eq "LIBZLIB")
+ { $zlib_lib = "$val" if $val ne "";}
+
+@@ -1300,6 +1307,8 @@
+ "no-ecdh" => \$no_ecdh,
+ "no-engine" => \$no_engine,
+ "no-hw" => \$no_hw,
++ "no-hw-pkcs11ca" => \$no_hw_pkcs11ca,
++ "no-hw-pkcs11so" => \$no_hw_pkcs11so,
+ "just-ssl" =>
+ [\$no_rc2, \$no_idea, \$no_des, \$no_bf, \$no_cast,
+ \$no_md2, \$no_sha, \$no_mdc2, \$no_dsa, \$no_dh,
+Index: openssl/util/mkdef.pl
+diff -u openssl/util/mkdef.pl:1.1.3.1 openssl/util/mkdef.pl:1.5
+--- openssl/util/mkdef.pl:1.1.3.1 Mon Nov 24 16:14:15 2008
++++ openssl/util/mkdef.pl Mon Oct 5 13:17:05 2009
+@@ -93,7 +93,7 @@
+ # External "algorithms"
+ "FP_API", "STDIO", "SOCK", "KRB5", "DGRAM",
+ # Engines
+- "STATIC_ENGINE", "ENGINE", "HW", "GMP",
++ "STATIC_ENGINE", "ENGINE", "HW", "GMP", "HW_PKCS11CA", "HW_PKCS11SO",
+ # RFC3779 support
+ "RFC3779",
+ # TLS extension support
+@@ -122,6 +122,7 @@
+ my $no_md2; my $no_md4; my $no_md5; my $no_sha; my $no_ripemd; my $no_mdc2;
+ my $no_rsa; my $no_dsa; my $no_dh; my $no_hmac=0; my $no_aes; my $no_krb5;
+ my $no_ec; my $no_ecdsa; my $no_ecdh; my $no_engine; my $no_hw; my $no_camellia;
++my $no_pkcs11ca; my $no_pkcs11so;
+ my $no_seed;
+ my $no_fp_api; my $no_static_engine; my $no_gmp; my $no_deprecated;
+ my $no_rfc3779; my $no_tlsext; my $no_cms; my $no_capieng; my $no_jpake;
+@@ -214,6 +215,8 @@
+ elsif (/^no-cms$/) { $no_cms=1; }
+ elsif (/^no-capieng$/) { $no_capieng=1; }
+ elsif (/^no-jpake$/) { $no_jpake=1; }
++ elsif (/^no-hw-pkcs11ca$/) { $no_pkcs11ca=1; }
++ elsif (/^no-hw-pkcs11so$/) { $no_pkcs11so=1; }
+ }
+
+
+@@ -1138,6 +1141,8 @@
+ if ($keyword eq "KRB5" && $no_krb5) { return 0; }
+ if ($keyword eq "ENGINE" && $no_engine) { return 0; }
+ if ($keyword eq "HW" && $no_hw) { return 0; }
++ if ($keyword eq "HW_PKCS11CA" && $no_pkcs11ca) { return 0; }
++ if ($keyword eq "HW_PKCS11SO" && $no_pkcs11so) { return 0; }
+ if ($keyword eq "FP_API" && $no_fp_api) { return 0; }
+ if ($keyword eq "STATIC_ENGINE" && $no_static_engine) { return 0; }
+ if ($keyword eq "GMP" && $no_gmp) { return 0; }
+Index: openssl/util/pl/VC-32.pl
+diff -u openssl/util/pl/VC-32.pl:1.1.3.1 openssl/util/pl/VC-32.pl:1.5
+--- openssl/util/pl/VC-32.pl:1.1.3.1 Mon Mar 9 12:14:08 2009
++++ openssl/util/pl/VC-32.pl Fri Sep 4 10:43:23 2009
+@@ -113,7 +113,7 @@
+ my $f = $shlib || $fips ?' /MD':' /MT';
+ $lib_cflag='/Zl' if (!$shlib); # remove /DEFAULTLIBs from static lib
+ $opt_cflags=$f.' /Ox /O2 /Ob2';
+- $dbg_cflags=$f.'d /Od -DDEBUG -D_DEBUG';
++ $dbg_cflags=$f.'d /Od /Zi -DDEBUG -D_DEBUG';
+ $lflags="/nologo /subsystem:console /opt:ref";
+ }
+ $mlflags='';
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-destroy.8,v 1.3 2009/10/06 04:40:14 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-destroy
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Sep 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "PKCS11\-DESTROY" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-destroy \- destroy PKCS#11 objects
+.SH "SYNOPSIS"
+.HP 15
+\fBpkcs11\-destroy\fR [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] {\-i\ \fIID\fR | \-l\ \fIlabel\fR} [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-destroy\fR
+destroys keys stored in a PKCS#11 device, identified by their
+\fBID\fR
+or
+\fBlabel\fR.
+.PP
+Matching keys are displayed before being destroyed. There is a five second delay to allow the user to interrupt the process before the destruction takes place.
+.SH "ARGUMENTS"
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-i \fIID\fR
+.RS 4
+Destroy keys with the given object ID.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Destroy keys with the given label.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-destroy\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-list\fR(3),
+\fBpkcs11\-keygen\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: pkcs11-destroy.c,v 1.7.36.1 2010/01/13 21:21:33 fdupont Exp $ */
+
+/* pkcs11-destroy [-m module] [-s $slot] [-i $id | -l $label] [-p $pin] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include "cryptoki.h"
+
+#ifdef WIN32
+#define sleep(x) Sleep(x)
+#include "win32.c"
+#else
+#ifndef FORCE_STATIC_PROVIDER
+#include "unix.c"
+#endif
+#endif
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+int
+main(int argc, char *argv[])
+{
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession;
+ CK_UTF8CHAR *pin = NULL;
+ CK_BYTE attr_id[2];
+ CK_OBJECT_HANDLE akey[50];
+ char *label = NULL;
+ int error = 0;
+ unsigned int id = 0, i = 0;
+ int c, errflg = 0;
+ CK_ULONG ulObjectCount;
+ CK_ATTRIBUTE search_template[] = {
+ {CKA_ID, &attr_id, sizeof(attr_id)}
+ };
+ char *pk11_provider;
+ unsigned int j, len;
+ extern char *optarg;
+ extern int optopt;
+
+ pk11_provider = getenv("PKCS11_PROVIDER");
+ if (pk11_provider != NULL)
+ pk11_libname = pk11_provider;
+
+ while ((c = getopt(argc, argv, ":m:s:i:l:p:")) != -1) {
+ switch (c) {
+ case 'm':
+ pk11_libname = optarg;
+ break;
+ case 's':
+ slot = atoi(optarg);
+ break;
+ case 'i':
+ id = atoi(optarg);
+ id &= 0xffff;
+ break;
+ case 'l':
+ label = optarg;
+ break;
+ case 'p':
+ pin = (CK_UTF8CHAR *)optarg;
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ optopt);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+ errflg++;
+ }
+ }
+
+ if (errflg || (id && (label != NULL))) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\tpkcs11-destroy [-m module] [-s slot] "
+ "[-i id | -l label] [-p pin]\n");
+ exit(1);
+ }
+
+ if (id) {
+ printf("id %i\n", id);
+ attr_id[0] = (id >> 8) & 0xff;
+ attr_id[1] = id & 0xff;
+ } else if (label) {
+ printf("label %s\n", label);
+ search_template[0].type = CKA_LABEL;
+ search_template[0].pValue = label;
+ search_template[0].ulValueLen = strlen(label);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ rv = C_Initialize(NULL_PTR);
+ if (rv != CKR_OK) {
+ if (rv == 0xfe)
+ fprintf(stderr,
+ "Can't load or link module \"%s\"\n",
+ pk11_libname);
+ else
+ fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+ exit(1);
+ }
+
+ /* Open a session on the slot found */
+ rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
+ NULL_PTR, NULL_PTR, &hSession);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_program;
+ }
+
+ if (pin == NULL)
+ pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+
+ /* Login to the Token (Keystore) */
+ rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+ memset(pin, 0, strlen((char *)pin));
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+
+ rv = C_FindObjectsInit(hSession, search_template,
+ ((id != 0) || (label != NULL)) ? 1 : 0);
+
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+
+ rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_search;
+ }
+
+ for (i = 0; i < ulObjectCount; i++) {
+ CK_OBJECT_CLASS oclass = 0;
+ CK_BYTE labelbuf[64 + 1];
+ CK_BYTE idbuf[64];
+ CK_ATTRIBUTE attr_template[] = {
+ {CKA_CLASS, &oclass, sizeof(oclass)},
+ {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
+ {CKA_ID, idbuf, sizeof(idbuf)}
+ };
+
+ memset(labelbuf, 0, sizeof(labelbuf));
+ memset(idbuf, 0, sizeof(idbuf));
+
+ rv = C_GetAttributeValue(hSession, akey[i], attr_template, 3);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GetAttributeValue[%u]: rv = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ goto exit_search;
+ }
+ len = attr_template[2].ulValueLen;
+ printf("object[%u]: class %lu label '%s' id[%lu] ",
+ i, oclass, labelbuf, attr_template[2].ulValueLen);
+ if (len > 4)
+ len = 4;
+ if (len > 0)
+ printf("0x");
+ for (j = 0; j < len; j++)
+ printf("%02x", idbuf[j]);
+ if (attr_template[2].ulValueLen > len)
+ printf("...\n");
+ else
+ printf("\n");
+ }
+
+ /* give a chance to kill this */
+ printf("sleeping 5 seconds...\n");
+ sleep(5);
+
+ for (i = 0; i < ulObjectCount; i++) {
+ rv = C_DestroyObject(hSession, akey[i]);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_DestroyObject[%u]: rv = 0x%.8lX\n",
+ i, rv);
+ error = 1;
+ }
+ }
+
+ exit_search:
+ rv = C_FindObjectsFinal(hSession);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+ error = 1;
+ }
+
+ exit_session:
+ (void)C_CloseSession(hSession);
+
+ exit_program:
+ (void)C_Finalize(NULL_PTR);
+
+ exit(error);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: pkcs11-destroy.docbook,v 1.2 2009/10/05 12:07:08 fdupont Exp $ -->
+<refentry id="man.pkcs11-destroy">
+ <refentryinfo>
+ <date>Sep 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>pkcs11-destroy</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>pkcs11-destroy</application></refname>
+ <refpurpose>destroy PKCS#11 objects</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pkcs11-destroy</command>
+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+ <group choice="req">
+ <arg choice="plain">-i <replaceable class="parameter">ID</replaceable></arg>
+ <arg choice="plain">-l <replaceable class="parameter">label</replaceable></arg>
+ </group>
+ <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>pkcs11-destroy</command> destroys keys stored in a
+ PKCS#11 device, identified by their <option>ID</option> or
+ <option>label</option>.
+ </para>
+ <para>
+ Matching keys are displayed before being destroyed. There is a
+ five second delay to allow the user to interrupt the process
+ before the destruction takes place.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-m <replaceable class="parameter">module</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">slot</replaceable></term>
+ <listitem>
+ <para>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">ID</replaceable></term>
+ <listitem>
+ <para>
+ Destroy keys with the given object ID.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">label</replaceable></term>
+ <listitem>
+ <para>
+ Destroy keys with the given label.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">PIN</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, <command>pkcs11-destroy</command> will prompt for it.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pkcs11-list</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: pkcs11-destroy.html,v 1.3 2009/10/06 04:40:14 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>pkcs11-destroy</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.pkcs11-destroy"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">pkcs11-destroy</span> — destroy PKCS#11 objects</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-destroy</code> [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] { -i <em class="replaceable"><code>ID</code></em> | -l <em class="replaceable"><code>label</code></em> } [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543384"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">pkcs11-destroy</strong></span> destroys keys stored in a
+ PKCS#11 device, identified by their <code class="option">ID</code> or
+ <code class="option">label</code>.
+ </p>
+<p>
+ Matching keys are displayed before being destroyed. There is a
+ five second delay to allow the user to interrupt the process
+ before the destruction takes place.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543406"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
+<dd><p>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
+<dd><p>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
+<dd><p>
+ Destroy keys with the given object ID.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+ Destroy keys with the given label.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
+<dd><p>
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, <span><strong class="command">pkcs11-destroy</strong></span> will prompt for it.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543507"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(3)</span>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543533"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-keygen.8,v 1.4 2009/10/06 04:40:14 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-keygen
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Sep 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "PKCS11\-KEYGEN" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-keygen \- generate RSA keys on a PKCS#11 device
+.SH "SYNOPSIS"
+.HP 14
+\fBpkcs11\-keygen\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\fB\-e\fR] {\-b\ \fIkeysize\fR} {\-l\ \fIlabel\fR} [\fB\-i\ \fR\fB\fIid\fR\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-keygen\fR
+causes a PKCS#11 device to generate a new RSA key pair with the specified
+\fBlabel\fR
+and with
+\fBkeysize\fR
+bits of modulus.
+.SH "ARGUMENTS"
+.PP
+\-P
+.RS 4
+Set the new private key to be non\-sensitive and extractable. The allows the private key data to be read from the PKCS#11 device. The default is for private keys to be sensitive and non\-extractable.
+.RE
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-e
+.RS 4
+Use a large exponent.
+.RE
+.PP
+\-b \fIkeysize\fR
+.RS 4
+Create the key pair with
+\fBkeysize\fR
+bits of modulus.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+Create key objects with the given label. This name must be unique.
+.RE
+.PP
+\-i \fIid\fR
+.RS 4
+Create key objects with id. The id is either an unsigned short 2 byte or an unsigned long 4 byte number.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-keygen\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-list\fR(3),
+\fBpkcs11\-destroy\fR(3),
+\fBdnssec\-keyfromlabel\fR(3),
+.SH "CAVEAT"
+.PP
+Some PKCS#11 providers crash with big public exponent.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: pkcs11-keygen.c,v 1.9 2009/10/26 23:36:53 each Exp $ */
+
+/* pkcs11-keygen - pkcs11 rsa key generator
+*
+* create RSASHA1 key in the keystore of an SCA6000
+* The calculation of key tag is left to the script
+* that converts the key into a DNSKEY RR and inserts
+* it into a zone file.
+*
+* usage:
+* pkcs11-keygen [-P] [-m module] [-s slot] [-e] -b keysize
+* -l label [-i id] [-p pin]
+*
+*/
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include "cryptoki.h"
+
+#ifdef WIN32
+#include "win32.c"
+#else
+#ifndef FORCE_STATIC_PROVIDER
+#include "unix.c"
+#endif
+#endif
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+/* Define static key template values */
+static CK_BBOOL truevalue = TRUE;
+static CK_BBOOL falsevalue = FALSE;
+
+int
+main(int argc, char *argv[])
+{
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_MECHANISM genmech;
+ CK_SESSION_HANDLE hSession;
+ CK_UTF8CHAR *pin = NULL;
+ CK_ULONG modulusbits = 0;
+ CK_CHAR *label = NULL;
+ CK_OBJECT_HANDLE privatekey, publickey;
+ CK_BYTE public_exponent[5];
+ CK_ULONG expsize = 3;
+ int error = 0;
+ int c, errflg = 0;
+ int hide = 1;
+ int idlen = 0;
+ unsigned long id = 0;
+ CK_BYTE idbuf[4];
+ CK_ULONG ulObjectCount;
+ /* Set search template */
+ CK_ATTRIBUTE search_template[] = {
+ {CKA_LABEL, NULL_PTR, 0}
+ };
+ CK_ATTRIBUTE publickey_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_VERIFY, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_MODULUS_BITS, &modulusbits, sizeof(modulusbits)},
+ {CKA_PUBLIC_EXPONENT, &public_exponent, expsize},
+ {CKA_ID, &idbuf, idlen}
+ };
+ CK_ULONG publickey_attrcnt = 6;
+ CK_ATTRIBUTE privatekey_template[] = {
+ {CKA_LABEL, NULL_PTR, 0},
+ {CKA_SIGN, &truevalue, sizeof(truevalue)},
+ {CKA_TOKEN, &truevalue, sizeof(truevalue)},
+ {CKA_PRIVATE, &truevalue, sizeof(truevalue)},
+ {CKA_SENSITIVE, &truevalue, sizeof(truevalue)},
+ {CKA_EXTRACTABLE, &falsevalue, sizeof(falsevalue)},
+ {CKA_ID, &idbuf, idlen}
+ };
+ CK_ULONG privatekey_attrcnt = 7;
+ char *pk11_provider;
+ extern char *optarg;
+ extern int optopt;
+
+ pk11_provider = getenv("PKCS11_PROVIDER");
+ if (pk11_provider != NULL)
+ pk11_libname = pk11_provider;
+
+ while ((c = getopt(argc, argv, ":Pm:s:b:ei:l:p:")) != -1) {
+ switch (c) {
+ case 'P':
+ hide = 0;
+ break;
+ case 'm':
+ pk11_libname = optarg;
+ break;
+ case 's':
+ slot = atoi(optarg);
+ break;
+ case 'e':
+ expsize = 5;
+ break;
+ case 'b':
+ modulusbits = atoi(optarg);
+ break;
+ case 'l':
+ label = (CK_CHAR *)optarg;
+ break;
+ case 'i':
+ id = strtoul(optarg, NULL, 0);
+ idlen = 4;
+ break;
+ case 'p':
+ pin = (CK_UTF8CHAR *)optarg;
+ break;
+ case ':':
+ fprintf(stderr,
+ "Option -%c requires an operand\n",
+ optopt);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+ errflg++;
+ }
+ }
+
+ if (errflg || !modulusbits || (label == NULL)) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\tpkcs11-keygen -b keysize -l label\n");
+ fprintf(stderr, "\t [-P] [-m module] "
+ "[-s slot] [-e] [-i id] [-p PIN]\n");
+ exit(2);
+ }
+
+ search_template[0].pValue = label;
+ search_template[0].ulValueLen = strlen((char *)label);
+ publickey_template[0].pValue = label;
+ publickey_template[0].ulValueLen = strlen((char *)label);
+ privatekey_template[0].pValue = label;
+ privatekey_template[0].ulValueLen = strlen((char *)label);
+
+ /* Set public exponent to F4 or F5 */
+ public_exponent[0] = 0x01;
+ public_exponent[1] = 0x00;
+ if (expsize == 3)
+ public_exponent[2] = 0x01;
+ else {
+ publickey_template[4].ulValueLen = expsize;
+ public_exponent[2] = 0x00;
+ public_exponent[3] = 0x00;
+ public_exponent[4] = 0x01;
+ }
+
+ /* Set up mechanism for generating key pair */
+ genmech.mechanism = CKM_RSA_PKCS_KEY_PAIR_GEN;
+ genmech.pParameter = NULL_PTR;
+ genmech.ulParameterLen = 0;
+
+ if (idlen == 0) {
+ publickey_attrcnt--;
+ privatekey_attrcnt--;
+ } else if (id <= 0xffff) {
+ idlen = 2;
+ publickey_template[5].ulValueLen = idlen;
+ privatekey_template[6].ulValueLen = idlen;
+ idbuf[0] = (CK_BYTE)(id >> 8);
+ idbuf[1] = (CK_BYTE)id;
+ } else {
+ idbuf[0] = (CK_BYTE)(id >> 24);
+ idbuf[1] = (CK_BYTE)(id >> 16);
+ idbuf[2] = (CK_BYTE)(id >> 8);
+ idbuf[3] = (CK_BYTE)id;
+ }
+
+ /* Initialize the CRYPTOKI library */
+ rv = C_Initialize(NULL_PTR);
+
+ if (rv != CKR_OK) {
+ if (rv == 0xfe)
+ fprintf(stderr,
+ "Can't load or link module \"%s\"\n",
+ pk11_libname);
+ else
+ fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+ exit(1);
+ }
+
+ /* Open a session on the slot found */
+ rv = C_OpenSession(slot, CKF_RW_SESSION+CKF_SERIAL_SESSION,
+ NULL_PTR, NULL_PTR, &hSession);
+
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_program;
+ }
+
+ /* Login to the Token (Keystore) */
+ if (pin == NULL)
+ pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+
+ rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+ memset(pin, 0, strlen((char *)pin));
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+
+ /* check if a key with the same id already exists */
+ rv = C_FindObjectsInit(hSession, search_template, 1);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+ rv = C_FindObjects(hSession, &privatekey, 1, &ulObjectCount);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjects: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_search;
+ }
+ if (ulObjectCount != 0) {
+ fprintf(stderr, "Key already exists.\n");
+ error = 1;
+ goto exit_search;
+ }
+
+ /* Set attributes if the key is not to be hidden */
+ if (!hide) {
+ privatekey_template[4].pValue = &falsevalue;
+ privatekey_template[5].pValue = &truevalue;
+ }
+
+ /* Generate Key pair for signing/verifying */
+ rv = C_GenerateKeyPair(hSession, &genmech,
+ publickey_template, publickey_attrcnt,
+ privatekey_template, privatekey_attrcnt,
+ &publickey, &privatekey);
+
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_GenerateKeyPair: Error = 0x%.8lX\n", rv);
+ error = 1;
+ }
+
+ exit_search:
+ rv = C_FindObjectsFinal(hSession);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+ error = 1;
+ }
+
+ exit_session:
+ (void)C_CloseSession(hSession);
+
+ exit_program:
+ (void)C_Finalize(NULL_PTR);
+
+ exit(error);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: pkcs11-keygen.docbook,v 1.3 2009/10/05 12:23:11 fdupont Exp $ -->
+<refentry id="man.pkcs11-keygen">
+ <refentryinfo>
+ <date>Sep 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>pkcs11-keygen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>pkcs11-keygen</application></refname>
+ <refpurpose>generate RSA keys on a PKCS#11 device</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pkcs11-keygen</command>
+ <arg><option>-P</option></arg>
+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+ <arg><option>-e</option></arg>
+ <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
+ <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-i <replaceable class="parameter">id</replaceable></option></arg>
+ <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>pkcs11-keygen</command> causes a PKCS#11 device to generate
+ a new RSA key pair with the specified <option>label</option> and
+ with <option>keysize</option> bits of modulus.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-P</term>
+ <listitem>
+ <para>
+ Set the new private key to be non-sensitive and extractable.
+ The allows the private key data to be read from the PKCS#11
+ device. The default is for private keys to be sensitive and
+ non-extractable.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-m <replaceable class="parameter">module</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">slot</replaceable></term>
+ <listitem>
+ <para>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e</term>
+ <listitem>
+ <para>
+ Use a large exponent.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b <replaceable class="parameter">keysize</replaceable></term>
+ <listitem>
+ <para>
+ Create the key pair with <option>keysize</option> bits of
+ modulus.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">label</replaceable></term>
+ <listitem>
+ <para>
+ Create key objects with the given label.
+ This name must be unique.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">id</replaceable></term>
+ <listitem>
+ <para>
+ Create key objects with id. The id is either
+ an unsigned short 2 byte or an unsigned long 4 byte number.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">PIN</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, <command>pkcs11-keygen</command> will prompt for it.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pkcs11-list</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-keyfromlabel</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>CAVEAT</title>
+ <para>Some PKCS#11 providers crash with big public exponent.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: pkcs11-keygen.html,v 1.4 2009/10/06 04:40:14 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>pkcs11-keygen</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.pkcs11-keygen"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">pkcs11-keygen</span> — generate RSA keys on a PKCS#11 device</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-keygen</code> [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [<code class="option">-e</code>] {-b <em class="replaceable"><code>keysize</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-i <em class="replaceable"><code>id</code></em></code>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543397"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">pkcs11-keygen</strong></span> causes a PKCS#11 device to generate
+ a new RSA key pair with the specified <code class="option">label</code> and
+ with <code class="option">keysize</code> bits of modulus.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543416"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-P</span></dt>
+<dd><p>
+ Set the new private key to be non-sensitive and extractable.
+ The allows the private key data to be read from the PKCS#11
+ device. The default is for private keys to be sensitive and
+ non-extractable.
+ </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
+<dd><p>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
+<dd><p>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </p></dd>
+<dt><span class="term">-e</span></dt>
+<dd><p>
+ Use a large exponent.
+ </p></dd>
+<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
+<dd><p>
+ Create the key pair with <code class="option">keysize</code> bits of
+ modulus.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+ Create key objects with the given label.
+ This name must be unique.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>id</code></em></span></dt>
+<dd><p>
+ Create key objects with id. The id is either
+ an unsigned short 2 byte or an unsigned long 4 byte number.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
+<dd><p>
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, <span><strong class="command">pkcs11-keygen</strong></span> will prompt for it.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543563"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-list</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">dnssec-keyfromlabel</span>(3)</span>,
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543598"></a><h2>CAVEAT</h2>
+<p>Some PKCS#11 providers crash with big public exponent.</p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543609"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: pkcs11-list.8,v 1.3 2009/10/06 04:40:14 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: pkcs11\-list
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Sep 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "PKCS11\-LIST" "8" "Sep 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+pkcs11\-list \- list PKCS#11 objects
+.SH "SYNOPSIS"
+.HP 12
+\fBpkcs11\-list\fR [\fB\-P\fR] [\fB\-m\ \fR\fB\fImodule\fR\fR] [\fB\-s\ \fR\fB\fIslot\fR\fR] [\-i\ \fIID\fR] [\-l\ \fIlabel\fR] [\fB\-p\ \fR\fB\fIPIN\fR\fR]
+.SH "DESCRIPTION"
+.PP
+\fBpkcs11\-list\fR
+lists the PKCS#11 objects with
+\fBID\fR
+or
+\fBlabel\fR
+or by default all objects.
+.SH "ARGUMENTS"
+.PP
+\-P
+.RS 4
+List only the public objects. (Note that on some PKCS#11 devices, all objects are private.)
+.RE
+.PP
+\-m \fImodule\fR
+.RS 4
+Specify the PKCS#11 provider module. This must be the full path to a shared library object implementing the PKCS#11 API for the device.
+.RE
+.PP
+\-s \fIslot\fR
+.RS 4
+Open the session with the given PKCS#11 slot. The default is slot 0.
+.RE
+.PP
+\-i \fIID\fR
+.RS 4
+List only key objects with the given object ID.
+.RE
+.PP
+\-l \fIlabel\fR
+.RS 4
+List only key objects with the given label.
+.RE
+.PP
+\-p \fIPIN\fR
+.RS 4
+Specify the PIN for the device. If no PIN is provided on the command line,
+\fBpkcs11\-list\fR
+will prompt for it.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBpkcs11\-keygen\fR(3),
+\fBpkcs11\-destroy\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/*
+ * Portions copyright (c) 2008 Nominet UK. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* $Id: pkcs11-list.c,v 1.7 2009/10/26 23:36:53 each Exp $ */
+
+/* pkcs11-list [-P] [-m module] [-s slot] [-i $id | -l $label] [-p $pin] */
+
+/*! \file */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+#include <sys/types.h>
+#include "cryptoki.h"
+
+#ifdef WIN32
+#include "win32.c"
+#else
+#ifndef FORCE_STATIC_PROVIDER
+#include "unix.c"
+#endif
+#endif
+
+#if !(defined(HAVE_GETPASSPHRASE) || (defined (__SVR4) && defined (__sun)))
+#define getpassphrase(x) getpass(x)
+#endif
+
+int
+main(int argc, char *argv[])
+{
+ CK_RV rv;
+ CK_SLOT_ID slot = 0;
+ CK_SESSION_HANDLE hSession;
+ CK_UTF8CHAR *pin = NULL;
+ CK_BYTE attr_id[2];
+ CK_OBJECT_HANDLE akey[50];
+ char *label = NULL;
+ int error = 0, public = 0, all = 0;
+ unsigned int i = 0, id = 0;
+ int c, errflg = 0;
+ CK_ULONG ulObjectCount;
+ CK_ATTRIBUTE search_template[] = {
+ {CKA_ID, &attr_id, sizeof(attr_id)}
+ };
+ char *pk11_provider;
+ extern char *optarg;
+ extern int optopt;
+
+ pk11_provider = getenv("PKCS11_PROVIDER");
+ if (pk11_provider != NULL)
+ pk11_libname = pk11_provider;
+
+ while ((c = getopt(argc, argv, ":m:s:i:l:p:P")) != -1) {
+ switch (c) {
+ case 'P':
+ public = 1;
+ break;
+ case 'm':
+ pk11_libname = optarg;
+ break;
+ case 's':
+ slot = atoi(optarg);
+ break;
+ case 'i':
+ id = atoi(optarg);
+ id &= 0xffff;
+ break;
+ case 'l':
+ label = optarg;
+ break;
+ case 'p':
+ pin = (CK_UTF8CHAR *)optarg;
+ break;
+ case ':':
+ fprintf(stderr, "Option -%c requires an operand\n",
+ optopt);
+ errflg++;
+ break;
+ case '?':
+ default:
+ fprintf(stderr, "Unrecognised option: -%c\n", optopt);
+ errflg++;
+ }
+ }
+
+ if (errflg) {
+ fprintf(stderr, "Usage:\n");
+ fprintf(stderr, "\tpkcs11-list [-P] [-m module] [-s slot] "
+ "[-i id | -l label] [-p pin]\n");
+ exit(1);
+ }
+
+ if (!id && (label == NULL))
+ all = 1;
+
+ if (slot)
+ printf("slot %lu\n", slot);
+
+ if (id) {
+ printf("id %i\n", id);
+ attr_id[0] = (id >> 8) & 0xff;
+ attr_id[1] = id & 0xff;
+ } else if (label != NULL) {
+ printf("label %s\n", label);
+ search_template[0].type = CKA_LABEL;
+ search_template[0].pValue = label;
+ search_template[0].ulValueLen = strlen(label);
+ }
+
+ /* Initialize the CRYPTOKI library */
+ rv = C_Initialize(NULL_PTR);
+ if (rv != CKR_OK) {
+ if (rv == 0xfe)
+ fprintf(stderr,
+ "Can't load or link module \"%s\"\n",
+ pk11_libname);
+ else
+ fprintf(stderr, "C_Initialize: Error = 0x%.8lX\n", rv);
+ exit(1);
+ }
+
+ /* Open a session on the slot found */
+ rv = C_OpenSession(slot, CKF_SERIAL_SESSION,
+ NULL_PTR, NULL_PTR, &hSession);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_OpenSession: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_program;
+ }
+
+ /* Login to the Token (Keystore) */
+ if (!public) {
+ if (pin == NULL)
+ pin = (CK_UTF8CHAR *)getpassphrase("Enter Pin: ");
+ rv = C_Login(hSession, CKU_USER, pin, strlen((char *)pin));
+ memset(pin, 0, strlen((char *)pin));
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_Login: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+ }
+
+ rv = C_FindObjectsInit(hSession, search_template, all ? 0 : 1);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjectsInit: Error = 0x%.8lX\n", rv);
+ error = 1;
+ goto exit_session;
+ }
+
+ ulObjectCount = 1;
+ while (ulObjectCount) {
+ rv = C_FindObjects(hSession, akey, 50, &ulObjectCount);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_FindObjects: Error = 0x%.8lX\n",
+ rv);
+ error = 1;
+ goto exit_search;
+ }
+
+ for (i = 0; i < ulObjectCount; i++) {
+ unsigned int j, len;
+
+ CK_OBJECT_CLASS oclass = 0;
+ CK_BYTE labelbuf[64 + 1];
+ CK_BYTE idbuf[64];
+ CK_ATTRIBUTE template[] = {
+ {CKA_CLASS, &oclass, sizeof(oclass)},
+ {CKA_LABEL, labelbuf, sizeof(labelbuf) - 1},
+ {CKA_ID, idbuf, sizeof(idbuf)}
+ };
+
+ memset(labelbuf, 0, sizeof(labelbuf));
+ memset(idbuf, 0, sizeof(idbuf));
+
+ rv = C_GetAttributeValue(hSession, akey[i],
+ template, 3);
+ if (rv != CKR_OK) {
+ fprintf(stderr,
+ "C_GetAttributeValue[%u]: "
+ "rv = 0x%.8lX\n",
+ i, rv);
+ if (rv == CKR_BUFFER_TOO_SMALL)
+ fprintf(stderr,
+ "%u too small: %lu %lu %lu\n",
+ i,
+ template[0].ulValueLen,
+ template[1].ulValueLen,
+ template[2].ulValueLen);
+ error = 1;
+ continue;
+ }
+
+ len = template[2].ulValueLen;
+ printf("object[%u]: handle %lu class %lu "
+ "label[%lu] '%s' id[%lu] ",
+ i, akey[i], oclass,
+ template[1].ulValueLen,
+ labelbuf,
+ template[2].ulValueLen);
+ if (len == 2) {
+ id = (idbuf[0] << 8) & 0xff00;
+ id |= idbuf[1] & 0xff;
+ printf("%u\n", id);
+ } else {
+ if (len > 8)
+ len = 8;
+ if (len > 0)
+ printf("0x");
+ for (j = 0; j < len; j++)
+ printf("%02x", idbuf[j]);
+ if (template[2].ulValueLen > len)
+ printf("...\n");
+ else
+ printf("\n");
+ }
+ }
+ }
+
+ exit_search:
+ rv = C_FindObjectsFinal(hSession);
+ if (rv != CKR_OK) {
+ fprintf(stderr, "C_FindObjectsFinal: Error = 0x%.8lX\n", rv);
+ error = 1;
+ }
+
+ exit_session:
+ (void)C_CloseSession(hSession);
+
+ exit_program:
+ (void)C_Finalize(NULL_PTR);
+
+ exit(error);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: pkcs11-list.docbook,v 1.2 2009/10/05 12:07:08 fdupont Exp $ -->
+<refentry id="man.pkcs11-list">
+ <refentryinfo>
+ <date>Sep 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>pkcs11-list</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>pkcs11-list</application></refname>
+ <refpurpose>list PKCS#11 objects</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>pkcs11-list</command>
+ <arg><option>-P</option></arg>
+ <arg><option>-m <replaceable class="parameter">module</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">slot</replaceable></option></arg>
+ <arg choice="opt">-i <replaceable class="parameter">ID</replaceable></arg>
+ <arg choice="opt">-l <replaceable class="parameter">label</replaceable></arg>
+ <arg><option>-p <replaceable class="parameter">PIN</replaceable></option></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>pkcs11-list</command>
+ lists the PKCS#11 objects with <option>ID</option> or
+ <option>label</option> or by default all objects.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-P</term>
+ <listitem>
+ <para>
+ List only the public objects. (Note that on some PKCS#11
+ devices, all objects are private.)
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-m <replaceable class="parameter">module</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">slot</replaceable></term>
+ <listitem>
+ <para>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">ID</replaceable></term>
+ <listitem>
+ <para>
+ List only key objects with the given object ID.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-l <replaceable class="parameter">label</replaceable></term>
+ <listitem>
+ <para>
+ List only key objects with the given label.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">PIN</replaceable></term>
+ <listitem>
+ <para>
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, <command>pkcs11-list</command> will prompt for it.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: pkcs11-list.html,v 1.3 2009/10/06 04:40:14 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>pkcs11-list</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.pkcs11-list"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">pkcs11-list</span> — list PKCS#11 objects</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">pkcs11-list</code> [<code class="option">-P</code>] [<code class="option">-m <em class="replaceable"><code>module</code></em></code>] [<code class="option">-s <em class="replaceable"><code>slot</code></em></code>] [-i <em class="replaceable"><code>ID</code></em>] [-l <em class="replaceable"><code>label</code></em>] [<code class="option">-p <em class="replaceable"><code>PIN</code></em></code>]</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543383"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">pkcs11-list</strong></span>
+ lists the PKCS#11 objects with <code class="option">ID</code> or
+ <code class="option">label</code> or by default all objects.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543404"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-P</span></dt>
+<dd><p>
+ List only the public objects. (Note that on some PKCS#11
+ devices, all objects are private.)
+ </p></dd>
+<dt><span class="term">-m <em class="replaceable"><code>module</code></em></span></dt>
+<dd><p>
+ Specify the PKCS#11 provider module. This must be the full
+ path to a shared library object implementing the PKCS#11 API
+ for the device.
+ </p></dd>
+<dt><span class="term">-s <em class="replaceable"><code>slot</code></em></span></dt>
+<dd><p>
+ Open the session with the given PKCS#11 slot. The default is
+ slot 0.
+ </p></dd>
+<dt><span class="term">-i <em class="replaceable"><code>ID</code></em></span></dt>
+<dd><p>
+ List only key objects with the given object ID.
+ </p></dd>
+<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
+<dd><p>
+ List only key objects with the given label.
+ </p></dd>
+<dt><span class="term">-p <em class="replaceable"><code>PIN</code></em></span></dt>
+<dd><p>
+ Specify the PIN for the device. If no PIN is provided on the
+ command line, <span><strong class="command">pkcs11-list</strong></span> will prompt for it.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543515"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-keygen</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">pkcs11-destroy</span>(3)</span>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543542"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+/* cryptoki.h include file for PKCS #11. */
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
+ * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
+ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+/* $Revision: 1.3 $ */
+
+/*
+ * Portions Copyright RSA Security Inc.
+ *
+ * License to copy and use this software is granted provided that it is
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface
+ * (Cryptoki)" in all material mentioning or referencing this software.
+
+ * License is also granted to make and use derivative works provided that
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or
+ * referencing the derived work.
+
+ * RSA Security Inc. makes no representations concerning either the
+ * merchantability of this software or the suitability of this software for
+ * any particular purpose. It is provided "as is" without express or implied
+ * warranty of any kind.
+ */
+
+/* This is a sample file containing the top level include directives
+ * for building Unix Cryptoki libraries and applications.
+ */
+
+#ifndef ___CRYPTOKI_H_INC___
+#define ___CRYPTOKI_H_INC___
+
+#define CK_PTR *
+
+#define CK_DEFINE_FUNCTION(returnType, name) \
+ returnType name
+
+#define CK_DECLARE_FUNCTION(returnType, name) \
+ returnType name
+
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \
+ returnType (* name)
+
+#define CK_CALLBACK_FUNCTION(returnType, name) \
+ returnType (* name)
+
+/* NULL is in unistd.h */
+#include <unistd.h>
+#define NULL_PTR NULL
+
+#undef CK_PKCS11_FUNCTION_INFO
+
+#include "pkcs11.h"
+
+#endif /* ___CRYPTOKI_H_INC___ */
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: unix.c,v 1.4 2009/10/26 23:47:35 tbox Exp $ */
+
+/* $Id */
+
+/*! \file */
+
+/* dynamic loader (ifndef FORCE_STATIC_PROVIDER) */
+
+#include <dlfcn.h>
+
+/* load PKCS11 dynamic object */
+
+#ifndef PK11_LIB_LOCATION
+#error "PK11_LIB_LOCATION is not set"
+#endif
+
+const char *pk11_libname = PK11_LIB_LOCATION;
+
+void *hPK11 = NULL;
+
+#define C_Initialize isc_C_Initialize
+
+CK_RV
+C_Initialize(CK_VOID_PTR pReserved);
+
+CK_RV
+C_Initialize(CK_VOID_PTR pReserved)
+{
+ CK_C_Initialize sym;
+
+ hPK11 = dlopen(pk11_libname, RTLD_NOW);
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_Initialize)dlsym(hPK11, "C_Initialize");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(pReserved);
+}
+
+#define C_Finalize isc_C_Finalize
+
+CK_RV
+C_Finalize(CK_VOID_PTR pReserved);
+
+CK_RV
+C_Finalize(CK_VOID_PTR pReserved)
+{
+ CK_C_Finalize sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_Finalize)dlsym(hPK11, "C_Finalize");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(pReserved);
+}
+
+#define C_OpenSession isc_C_OpenSession
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+ CK_FLAGS flags,
+ CK_VOID_PTR pApplication,
+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication),
+ CK_SESSION_HANDLE_PTR phSession);
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+ CK_FLAGS flags,
+ CK_VOID_PTR pApplication,
+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication),
+ CK_SESSION_HANDLE_PTR phSession)
+{
+ CK_C_OpenSession sym;
+
+ if (hPK11 == NULL)
+ hPK11 = dlopen(pk11_libname, RTLD_NOW);
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_OpenSession)dlsym(hPK11, "C_OpenSession");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+#define C_CloseSession isc_C_CloseSession
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession);
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession)
+{
+ CK_C_CloseSession sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_CloseSession)dlsym(hPK11, "C_CloseSession");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession);
+}
+
+#define C_Login isc_C_Login
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+ CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin,
+ CK_ULONG usPinLen);
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+ CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin,
+ CK_ULONG usPinLen)
+{
+ CK_C_Login sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_Login)dlsym(hPK11, "C_Login");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+#define C_CreateObject isc_C_CreateObject
+
+CK_RV
+C_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount,
+ CK_OBJECT_HANDLE_PTR phObject);
+
+CK_RV
+C_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount,
+ CK_OBJECT_HANDLE_PTR phObject)
+{
+ CK_C_CreateObject sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_CreateObject)dlsym(hPK11, "C_CreateObject");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+#define C_DestroyObject isc_C_DestroyObject
+
+CK_RV
+C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject);
+
+CK_RV
+C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+ CK_C_DestroyObject sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_DestroyObject)dlsym(hPK11, "C_DestroyObject");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, hObject);
+}
+
+#define C_GetAttributeValue isc_C_GetAttributeValue
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount);
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ CK_C_GetAttributeValue sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_GetAttributeValue)dlsym(hPK11, "C_GetAttributeValue");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_SetAttributeValue isc_C_SetAttributeValue
+
+CK_RV
+C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount);
+
+CK_RV
+C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ CK_C_SetAttributeValue sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_SetAttributeValue)dlsym(hPK11, "C_SetAttributeValue");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_FindObjectsInit isc_C_FindObjectsInit
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount);
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ CK_C_FindObjectsInit sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_FindObjectsInit)dlsym(hPK11, "C_FindObjectsInit");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, pTemplate, usCount);
+}
+
+#define C_FindObjects isc_C_FindObjects
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject,
+ CK_ULONG usMaxObjectCount,
+ CK_ULONG_PTR pusObjectCount);
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject,
+ CK_ULONG usMaxObjectCount,
+ CK_ULONG_PTR pusObjectCount)
+{
+ CK_C_FindObjects sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_FindObjects)dlsym(hPK11, "C_FindObjects");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+#define C_FindObjectsFinal isc_C_FindObjectsFinal
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession);
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+ CK_C_FindObjectsFinal sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_FindObjectsFinal)dlsym(hPK11, "C_FindObjectsFinal");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession);
+}
+
+#define C_GenerateKeyPair isc_C_GenerateKeyPair
+
+CK_RV
+C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPrivateKey,
+ CK_OBJECT_HANDLE_PTR phPublicKey);
+
+CK_RV
+C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPrivateKey,
+ CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+ CK_C_GenerateKeyPair sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_GenerateKeyPair)dlsym(hPK11, "C_GenerateKeyPair");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession,
+ pMechanism,
+ pPublicKeyTemplate,
+ usPublicKeyAttributeCount,
+ pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount,
+ phPrivateKey,
+ phPublicKey);
+}
--- /dev/null
+/* cryptoki.h include file for PKCS #11. */\r
+/* $Revision: 1.2 $ */\r
+\r
+/* License to copy and use this software is granted provided that it is\r
+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface\r
+ * (Cryptoki)" in all material mentioning or referencing this software.\r
+\r
+ * License is also granted to make and use derivative works provided that\r
+ * such works are identified as "derived from the RSA Security Inc. PKCS #11\r
+ * Cryptographic Token Interface (Cryptoki)" in all material mentioning or \r
+ * referencing the derived work.\r
+\r
+ * RSA Security Inc. makes no representations concerning either the \r
+ * merchantability of this software or the suitability of this software for\r
+ * any particular purpose. It is provided "as is" without express or implied\r
+ * warranty of any kind.\r
+ */\r
+\r
+/* This is a sample file containing the top level include directives\r
+ * for building Win32 Cryptoki libraries and applications.\r
+ */\r
+\r
+#ifndef ___CRYPTOKI_H_INC___\r
+#define ___CRYPTOKI_H_INC___\r
+\r
+#pragma pack(push, cryptoki, 1)\r
+\r
+/* Specifies that the function is a DLL entry point. */\r
+#define CK_IMPORT_SPEC __declspec(dllimport)\r
+\r
+/* Define CRYPTOKI_EXPORTS during the build of cryptoki libraries. Do\r
+ * not define it in applications.\r
+ */\r
+#ifdef CRYPTOKI_EXPORTS\r
+/* Specified that the function is an exported DLL entry point. */\r
+#define CK_EXPORT_SPEC __declspec(dllexport) \r
+#else\r
+#define CK_EXPORT_SPEC CK_IMPORT_SPEC \r
+#endif\r
+\r
+/* Ensures the calling convention for Win32 builds */\r
+#define CK_CALL_SPEC __cdecl\r
+\r
+#define CK_PTR *\r
+\r
+#define CK_DEFINE_FUNCTION(returnType, name) \\r
+ returnType CK_EXPORT_SPEC CK_CALL_SPEC name\r
+\r
+#define CK_DECLARE_FUNCTION(returnType, name) \\r
+ returnType CK_EXPORT_SPEC CK_CALL_SPEC name\r
+\r
+#define CK_DECLARE_FUNCTION_POINTER(returnType, name) \\r
+ returnType CK_IMPORT_SPEC (CK_CALL_SPEC CK_PTR name)\r
+\r
+#define CK_CALLBACK_FUNCTION(returnType, name) \\r
+ returnType (CK_CALL_SPEC CK_PTR name)\r
+\r
+#ifndef NULL_PTR\r
+#define NULL_PTR 0\r
+#endif\r
+\r
+#include "pkcs11.h"\r
+\r
+#pragma pack(pop, cryptoki)\r
+\r
+#endif /* ___CRYPTOKI_H_INC___ */\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="pk11destroy" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=pk11destroy - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11destroy.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11destroy.mak" CFG="pk11destroy - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11destroy - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "pk11destroy - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "pk11destroy - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/pkcs11-destroy.exe"\r
+\r
+!ELSEIF "$(CFG)" == "pk11destroy - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "pk11destroy - Win32 Release"\r
+# Name "pk11destroy - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\pkcs11-destroy.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# Begin Source File\r
+\r
+SOURCE=".\cryptoki.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11t.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11f.h"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "pk11destroy"=".\pk11destroy.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11destroy.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=pk11destroy - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to pk11destroy - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "pk11destroy - Win32 Release" && "$(CFG)" != "pk11destroy - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11destroy.mak" CFG="pk11destroy - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11destroy - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "pk11destroy - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "pk11destroy - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "pk11destroy - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\pkcs11-destroy.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-destroy.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\pkcs11-destroy.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11destroy.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11destroy.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /machine:I386 /out:"../../../Build/Release/pkcs11-destroy.exe" \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"\r
+\r
+"..\..\..\Build\Release\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "pk11destroy - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\pkcs11-destroy.exe" "$(OUTDIR)\pk11destroy.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-destroy.obj"\r
+ -@erase "$(INTDIR)\pkcs11-destroy.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\pkcs11-destroy.pdb"\r
+ -@erase "$(OUTDIR)\pk11destroy.bsc"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-destroy.exe"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-destroy.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11destroy.bsc" \r
+BSC32_SBRS= "$(INTDIR)\pkcs11-destroy.sbr"\r
+\r
+"$(OUTDIR)\pk11destroy.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-destroy.pdb" /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-destroy.exe" /pdbtype:sept \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-destroy.obj"\r
+\r
+"..\..\..\Build\Debug\pkcs11-destroy.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("pk11destroy.dep")\r
+!INCLUDE "pk11destroy.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "pk11destroy.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "pk11destroy - Win32 Release" || "$(CFG)" == "pk11destroy - Win32 Debug"\r
+SOURCE="..\pkcs11-destroy.c"\r
+\r
+!IF "$(CFG)" == "pk11destroy - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\pkcs11-destroy.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "pk11destroy - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\pkcs11-destroy.obj" "$(INTDIR)\pkcs11-destroy.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="pk11keygen" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=pk11keygen - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11keygen.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11keygen.mak" CFG="pk11keygen - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11keygen - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "pk11keygen - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "pk11keygen - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/pkcs11-keygen.exe"\r
+\r
+!ELSEIF "$(CFG)" == "pk11keygen - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "pk11keygen - Win32 Release"\r
+# Name "pk11keygen - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\pkcs11-keygen.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# Begin Source File\r
+\r
+SOURCE=".\cryptoki.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11t.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11f.h"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "pk11keygen"=".\pk11keygen.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11keygen.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=pk11keygen - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to pk11keygen - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "pk11keygen - Win32 Release" && "$(CFG)" != "pk11keygen - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11keygen.mak" CFG="pk11keygen - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11keygen - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "pk11keygen - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "pk11keygen - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "pk11keygen - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\pkcs11-keygen.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-keygen.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\pkcs11-keygen.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11keygen.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11keygen.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /machine:I386 /out:"../../../Build/Release/pkcs11-keygen.exe" \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"\r
+\r
+"..\..\..\Build\Release\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "pk11keygen - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\pkcs11-keygen.exe" "$(OUTDIR)\pk11keygen.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-keygen.obj"\r
+ -@erase "$(INTDIR)\pkcs11-keygen.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\pkcs11-keygen.pdb"\r
+ -@erase "$(OUTDIR)\pk11keygen.bsc"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-keygen.exe"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-keygen.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11keygen.bsc" \r
+BSC32_SBRS= "$(INTDIR)\pkcs11-keygen.sbr"\r
+\r
+"$(OUTDIR)\pk11keygen.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-keygen.pdb" /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-keygen.exe" /pdbtype:sept \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-keygen.obj"\r
+\r
+"..\..\..\Build\Debug\pkcs11-keygen.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("pk11keygen.dep")\r
+!INCLUDE "pk11keygen.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "pk11keygen.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "pk11keygen - Win32 Release" || "$(CFG)" == "pk11keygen - Win32 Debug"\r
+SOURCE="..\pkcs11-keygen.c"\r
+\r
+!IF "$(CFG)" == "pk11keygen - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\pkcs11-keygen.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "pk11keygen - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\pkcs11-keygen.obj" "$(INTDIR)\pkcs11-keygen.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="pk11list" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=pk11list - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11list.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11list.mak" CFG="pk11list - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11list - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "pk11list - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "pk11list - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/pkcs11-list.exe"\r
+\r
+!ELSEIF "$(CFG)" == "pk11list - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "pk11list - Win32 Release"\r
+# Name "pk11list - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\pkcs11-list.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# Begin Source File\r
+\r
+SOURCE=".\cryptoki.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11t.h"\r
+# End Source File\r
+# Begin Source File\r
+\r
+SOURCE="..\include\pkcs11f.h"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "pk11list"=".\pk11list.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on pk11list.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=pk11list - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to pk11list - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "pk11list - Win32 Release" && "$(CFG)" != "pk11list - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "pk11list.mak" CFG="pk11list - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "pk11list - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "pk11list - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "pk11list - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "pk11list - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\pkcs11-list.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-list.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\pkcs11-list.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /Fp"$(INTDIR)\pk11list.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11list.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\pkcs11-list.pdb" /machine:I386 /out:"../../../Build/Release/pkcs11-list.exe" \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"\r
+\r
+"..\..\..\Build\Release\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "pk11list - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\pkcs11-list.exe" "$(OUTDIR)\pk11list.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\pkcs11-list.obj"\r
+ -@erase "$(INTDIR)\pkcs11-list.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\pkcs11-list.pdb"\r
+ -@erase "$(OUTDIR)\pk11list.bsc"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-list.exe"\r
+ -@erase "..\..\..\Build\Debug\pkcs11-list.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../.." /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /D "PK11_LIB_LOCATION=\"unknown_provider\"" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\pk11list.bsc" \r
+BSC32_SBRS= "$(INTDIR)\pkcs11-list.sbr"\r
+\r
+"$(OUTDIR)\pk11list.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\pkcs11-list.pdb" /debug /machine:I386 /out:"../../../Build/Debug/pkcs11-list.exe" /pdbtype:sept \r
+LINK32_OBJS= "$(INTDIR)\pkcs11-list.obj"\r
+\r
+"..\..\..\Build\Debug\pkcs11-list.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("pk11list.dep")\r
+!INCLUDE "pk11list.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "pk11list.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "pk11list - Win32 Release" || "$(CFG)" == "pk11list - Win32 Debug"\r
+SOURCE="..\pkcs11-list.c"\r
+\r
+!IF "$(CFG)" == "pk11list - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\pkcs11-list.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "pk11list - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\pkcs11-list.obj" "$(INTDIR)\pkcs11-list.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: win32.c,v 1.5 2009/10/26 23:47:35 tbox Exp $ */
+
+/* $Id */
+
+/*! \file */
+
+/* missing code for WIN32 */
+
+#include <windows.h>
+#include <string.h>
+
+#define HAVE_GETPASSPHRASE
+
+char *
+getpassphrase(const char *prompt)
+{
+ static char buf[128];
+ HANDLE h;
+ DWORD cc, mode;
+ int cnt;
+
+ h = GetStdHandle(STD_INPUT_HANDLE);
+ fputs(prompt, stderr);
+ fflush(stderr);
+ fflush(stdout);
+ FlushConsoleInputBuffer(h);
+ GetConsoleMode(h, &mode);
+ SetConsoleMode(h, ENABLE_PROCESSED_INPUT);
+
+ for (cnt = 0; cnt < sizeof(buf) - 1; cnt++)
+ {
+ ReadFile(h, buf + cnt, 1, &cc, NULL);
+ if (buf[cnt] == '\r')
+ break;
+ fputc('*', stdout);
+ fflush(stderr);
+ fflush(stdout);
+ }
+
+ SetConsoleMode(h, mode);
+ buf[cnt] = '\0';
+ fputs("\n", stderr);
+ return buf;
+}
+
+/* From ISC isc_commandline_parse() */
+
+int optind = 1; /* index into parent argv vector */
+int optopt; /* character checked for validity */
+char *optarg; /* argument associated with option */
+static char endopt = '\0';
+
+#define BADOPT (int)'?'
+#define BADARG (int)':'
+#define ENDOPT &endopt
+
+int
+getopt(int nargc, char * const nargv[], const char *ostr)
+{
+ static char *place = ENDOPT; /* option letter processing */
+ char *option; /* option letter list index */
+
+ if (*place == '\0') { /* update scanning pointer */
+ place = nargv[optind];
+ if (optind >= nargc || *place++ != '-') {
+ /* index out of range or points to non-option */
+ place = ENDOPT;
+ return (-1);
+ }
+ optopt = *place++;
+ if (optopt == '-' && *place == '\0') {
+ /* "--" signals end of options */
+ ++optind;
+ place = ENDOPT;
+ return (-1);
+ }
+ } else
+ optopt = *place++;
+
+ /* See if option letter is one the caller wanted... */
+ if (optopt == ':' || (option = strchr(ostr, optopt)) == NULL) {
+ if (*place == '\0')
+ ++optind;
+ return (BADOPT);
+ }
+
+ if (*++option != ':') {
+ /* option doesn't take an argument */
+ optarg = NULL;
+ if (*place == '\0')
+ ++optind;
+ } else {
+ /* option needs an argument */
+ if (*place != '\0')
+ /* -D1 style */
+ optarg = place;
+ else if (nargc > ++optind)
+ /* -D 1 style */
+ optarg = nargv[optind];
+ else {
+ /* needed but absent */
+ place = ENDOPT;
+ if (*ostr == ':')
+ return (BADARG);
+ return (BADOPT);
+ }
+ place = ENDOPT;
+ ++optind;
+ }
+ return (optopt);
+}
+
+/* load PKCS11 DLL */
+
+#ifndef PK11_LIB_LOCATION
+#error "PK11_LIB_LOCATION is not defined"
+#endif
+
+const char *pk11_libname = PK11_LIB_LOCATION ".dll";
+
+HINSTANCE hPK11 = NULL;
+
+#define C_Initialize isc_C_Initialize
+
+CK_RV
+C_Initialize(CK_VOID_PTR pReserved)
+{
+ CK_C_Initialize sym;
+
+ if (pk11_libname == NULL)
+ return 0xfe;
+ /* Visual Studio convertion issue... */
+ if (*pk11_libname == ' ')
+ pk11_libname++;
+
+ hPK11 = LoadLibraryA(pk11_libname);
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_Initialize)GetProcAddress(hPK11, "C_Initialize");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(pReserved);
+}
+
+#define C_Finalize isc_C_Finalize
+
+CK_RV
+C_Finalize(CK_VOID_PTR pReserved)
+{
+ CK_C_Finalize sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_Finalize)GetProcAddress(hPK11, "C_Finalize");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(pReserved);
+}
+
+#define C_OpenSession isc_C_OpenSession
+
+CK_RV
+C_OpenSession(CK_SLOT_ID slotID,
+ CK_FLAGS flags,
+ CK_VOID_PTR pApplication,
+ CK_RV (*Notify) (CK_SESSION_HANDLE hSession,
+ CK_NOTIFICATION event,
+ CK_VOID_PTR pApplication),
+ CK_SESSION_HANDLE_PTR phSession)
+{
+ CK_C_OpenSession sym;
+
+ if (hPK11 == NULL)
+ hPK11 = LoadLibraryA(pk11_libname);
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_OpenSession)GetProcAddress(hPK11, "C_OpenSession");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(slotID, flags, pApplication, Notify, phSession);
+}
+
+#define C_CloseSession isc_C_CloseSession
+
+CK_RV
+C_CloseSession(CK_SESSION_HANDLE hSession)
+{
+ CK_C_CloseSession sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_CloseSession)GetProcAddress(hPK11, "C_CloseSession");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession);
+}
+
+#define C_Login isc_C_Login
+
+CK_RV
+C_Login(CK_SESSION_HANDLE hSession,
+ CK_USER_TYPE userType,
+ CK_CHAR_PTR pPin,
+ CK_ULONG usPinLen)
+{
+ CK_C_Login sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_Login)GetProcAddress(hPK11, "C_Login");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, userType, pPin, usPinLen);
+}
+
+#define C_CreateObject isc_C_CreateObject
+
+CK_RV
+C_CreateObject(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount,
+ CK_OBJECT_HANDLE_PTR phObject)
+{
+ CK_C_CreateObject sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_CreateObject)GetProcAddress(hPK11, "C_CreateObject");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, pTemplate, usCount, phObject);
+}
+
+#define C_DestroyObject isc_C_DestroyObject
+
+CK_RV
+C_DestroyObject(CK_SESSION_HANDLE hSession, CK_OBJECT_HANDLE hObject)
+{
+ CK_C_DestroyObject sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_DestroyObject)GetProcAddress(hPK11, "C_DestroyObject");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, hObject);
+}
+
+#define C_GetAttributeValue isc_C_GetAttributeValue
+
+CK_RV
+C_GetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ CK_C_GetAttributeValue sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_GetAttributeValue)GetProcAddress(hPK11,
+ "C_GetAttributeValue");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_SetAttributeValue isc_C_SetAttributeValue
+
+CK_RV
+C_SetAttributeValue(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE hObject,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ CK_C_SetAttributeValue sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_SetAttributeValue)GetProcAddress(hPK11,
+ "C_SetAttributeValue");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, hObject, pTemplate, usCount);
+}
+
+#define C_FindObjectsInit isc_C_FindObjectsInit
+
+CK_RV
+C_FindObjectsInit(CK_SESSION_HANDLE hSession,
+ CK_ATTRIBUTE_PTR pTemplate,
+ CK_ULONG usCount)
+{
+ CK_C_FindObjectsInit sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_FindObjectsInit)GetProcAddress(hPK11,
+ "C_FindObjectsInit");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, pTemplate, usCount);
+}
+
+#define C_FindObjects isc_C_FindObjects
+
+CK_RV
+C_FindObjects(CK_SESSION_HANDLE hSession,
+ CK_OBJECT_HANDLE_PTR phObject,
+ CK_ULONG usMaxObjectCount,
+ CK_ULONG_PTR pusObjectCount)
+{
+ CK_C_FindObjects sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_FindObjects)GetProcAddress(hPK11, "C_FindObjects");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession, phObject, usMaxObjectCount, pusObjectCount);
+}
+
+#define C_FindObjectsFinal isc_C_FindObjectsFinal
+
+CK_RV
+C_FindObjectsFinal(CK_SESSION_HANDLE hSession)
+{
+ CK_C_FindObjectsFinal sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_FindObjectsFinal)GetProcAddress(hPK11,
+ "C_FindObjectsFinal");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession);
+}
+
+#define C_GenerateKeyPair isc_C_GenerateKeyPair
+
+CK_RV
+C_GenerateKeyPair(CK_SESSION_HANDLE hSession,
+ CK_MECHANISM_PTR pMechanism,
+ CK_ATTRIBUTE_PTR pPublicKeyTemplate,
+ CK_ULONG usPublicKeyAttributeCount,
+ CK_ATTRIBUTE_PTR pPrivateKeyTemplate,
+ CK_ULONG usPrivateKeyAttributeCount,
+ CK_OBJECT_HANDLE_PTR phPrivateKey,
+ CK_OBJECT_HANDLE_PTR phPublicKey)
+{
+ CK_C_GenerateKeyPair sym;
+
+ if (hPK11 == NULL)
+ return 0xfe;
+ sym = (CK_C_GenerateKeyPair)GetProcAddress(hPK11,
+ "C_GenerateKeyPair");
+ if (sym == NULL)
+ return 0xff;
+ return (*sym)(hSession,
+ pMechanism,
+ pPublicKeyTemplate,
+ usPublicKeyAttributeCount,
+ pPrivateKeyTemplate,
+ usPrivateKeyAttributeCount,
+ phPrivateKey,
+ phPublicKey);
+}
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: backtrace_test.c,v 1.4 2009/09/02 23:48:01 tbox Exp $ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <string.h>
+
+#include <isc/backtrace.h>
+#include <isc/result.h>
+
+const char *expected_symbols[] = {
+ "func3",
+ "func2",
+ "func1",
+ "main"
+};
+
+static int
+func3() {
+ void *tracebuf[16];
+ int i, nframes;
+ int error = 0;
+ const char *fname;
+ isc_result_t result;
+ unsigned long offset;
+
+ result = isc_backtrace_gettrace(tracebuf, 16, &nframes);
+ if (result != ISC_R_SUCCESS) {
+ printf("isc_backtrace_gettrace failed: %s\n",
+ isc_result_totext(result));
+ return (1);
+ }
+
+ if (nframes < 4)
+ error++;
+
+ for (i = 0; i < 4 && i < nframes; i++) {
+ fname = NULL;
+ result = isc_backtrace_getsymbol(tracebuf[i], &fname, &offset);
+ if (result != ISC_R_SUCCESS) {
+ error++;
+ continue;
+ }
+ if (strcmp(fname, expected_symbols[i]) != 0)
+ error++;
+ }
+
+ if (error) {
+ printf("Unexpected result:\n");
+ printf(" # of frames: %d (expected: at least 4)\n", nframes);
+ printf(" symbols:\n");
+ for (i = 0; i < nframes; i++) {
+ fname = NULL;
+ result = isc_backtrace_getsymbol(tracebuf[i], &fname,
+ &offset);
+ if (result == ISC_R_SUCCESS)
+ printf(" [%d] %s\n", i, fname);
+ else {
+ printf(" [%d] getsymbol failed: %s\n", i,
+ isc_result_totext(result));
+ }
+ }
+ }
+
+ return (error);
+}
+
+static int
+func2() {
+ return (func3());
+}
+
+static int
+func1() {
+ return (func2());
+}
+
+int
+main() {
+ return (func1());
+}
--- /dev/null
+example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpZ
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: oXTPXsN2QEAqJhJxU2rOypfDtXP8LHk4LDtP/pGdT8qIa/zXmSUfahvLBFlfZlwSD1HxJTNCI/3KBjSzXEXkgViLfYexZ+01XtX+A3A2sycYLSBXZ7c5rCxDYJhZllXA5uv9+Zwohe5jp5F0m3I6KUxGGW+ugl1dnDUJB2JzGlk=
+PublicExponent: AQAB
+PrivateExponent: QrbJmRabHiFlSSYFvbo8iGn9bFTotlfAZkZ732y72+SMSlLHo3g7atThJoLncJxKuhnZ0s1DXyvW9omAM3iN2lxfVDW58at1amj/lWRDYkjI0fM8z6eyrF4U2lHKDM2YEstg+sGAAs5DUZBbli4Y7+zHjhxSKLYvRf4AJvX8aoE=
+Prime1: 0259CgdF0JW+miedRZXC6tn3FijZJ4/j5edzd8IpTpdUSZupQg9hMP1ot7crreNq7MnzO0Z2ImbowUx8CDOuXQ==
+Prime2: w31/WLM2275Z1tsHEOhrntUQCUk55B4PNOCmM4hjp0vAvA/SVSgAYRNb7rc/ujaLf0DnxnDsnVsFAS2PmvQELQ==
+Exponent1: yKPhJNMh/X8dEUzmglJMVnHheLXq3RA/RL0PZmZqrJoO8os1Y+sUYFkaNr0sRie6IFrE50tGb/8YgdcDHQVuQQ==
+Exponent2: lVhDuGy5RSjnk1eiz0zwIthctutlOZupPFk/P3E7yGv74vAnXH0BxSe3/Oer3MOc0GuyZYyRhyko6px28AbpRQ==
+Coefficient: Hjup1nDnPFkQrxU2qLQBJrDz+ipw0RkNhsjWs6IgAq1Mq4sFV50bR9hOTLDd9oNhhtAwVjF+Oc0WIq+M1Mi6Ow==
--- /dev/null
+example.com. IN DNSKEY 257 3 5 AwEAAbuWh5W3eGwixISqPwxszotQ0246KqhUB2Mb6JqNMJd6cWR66IrX YnevpIHsb6oanqJmVzOcJ6Yj3rXOIYtYYXgLbT7EJ8x7BNCZPHxG+w5C 7I1WsDbT6eGf//FLn2c4odKLOXaWCVITeNy61w43IlteIT9Q1egKdt+8 a7X9605j
--- /dev/null
+Private-key-format: v1.2
+Algorithm: 5 (RSASHA1)
+Modulus: u5aHlbd4bCLEhKo/DGzOi1DTbjoqqFQHYxvomo0wl3pxZHroitdid6+kgexvqhqeomZXM5wnpiPetc4hi1hheAttPsQnzHsE0Jk8fEb7DkLsjVawNtPp4Z//8UufZzih0os5dpYJUhN43LrXDjciW14hP1DV6Ap237xrtf3rTmM=
+PublicExponent: AQAB
+PrivateExponent: XZSssv3CL3/wtZYQuewV5d4+e8C8wxiYTtL/aQqCcS7+HnhKRelJEBgpYz9GPX/mH3Iakn6WMQW39s6MYW2HwXUnqhsvHoyabGX0Dbc/1LcY4J2VPgzVHwSXYm+j4unOByOOS4KoBtUAQxJsTBokVZrZ5pKsLUK9X2gdywYw+PE=
+Prime1: 9fB7PaygjKoT1nbbeEMy1KYNqetg3zmN49Mk6ilEWxzJXKSSjTIhdkiLGXtYmE8rDBLBiYm8YWNe7YdA9PbQ7Q==
+Prime2: w0L7mTOLDecH3XAkC/wvALv8K9KSoZ31ajidKBxV15u8awj5AxDG7gjerYgCLjU1fq1GulMr11j8r4ftQn3Cjw==
+Exponent1: Up52yEE1rgt0npdPIxdv+//Ml0h7QoITKHXF8OPsEq+Y9YZTtRsiIpo8IFNPb9somuWyHoImxpCbUzAcoi5IAQ==
+Exponent2: uYTbvYx+UsAt9dOFPCnnkqAJEK3qCUomET0m/CQn30mldGC7DpGTIDgnMeLmh3agk/IYIBHDtsBinHfeEe2guw==
+Coefficient: FiHAet8On9Yaz1ksEAlCWulwck3zPWIsgqJBM2J4kHhgHTm17mZyxtVxIzLAMBNMIBcFl40FCpmPmTLY5QK5mw==
--- /dev/null
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 7091
+;
+example.com. IN DNSKEY 257 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
--- /dev/null
+;
+; This is a bogus key. It will not have a .private file.
+;
+; This will be key id 7092
+;
+example.com. IN DNSKEY 256 3 5 AwEAAaF0z17DdkBAKiYScVNqzsqXw7Vz/Cx5OCw7T/6RnU/KiGv815kl H2obywRZX2ZcEg9R8SUzQiP9ygY0s1xF5IFYi32HsWftNV7V/gNwNrMn GC0gV2e3OawsQ2CYWZZVwObr/fmcKIXuY6eRdJtyOilMRhlvroJdXZw1 CQdicxpz
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: run-test.sh,v 1.3 2009/06/04 02:56:47 tbox Exp $
+
+
+sign="../../dnssec/dnssec-signzone -f signed.zone -o example.com."
+
+signit() {
+ rm -f signed.zone
+ grep '^;' $zone
+ $sign $zone
+}
+
+expect_success() {
+ if ! test -f signed.zone ; then
+ echo "Error: expected success, but sign failed for $zone."
+ else
+ echo "Success: Sign succeeded for $zone."
+ fi
+}
+
+expect_failure() {
+ if test -f signed.zone ; then
+ echo "Error: expected failure, but sign succeeded for $zone."
+ else
+ echo "Success: Sign failed (expected) for $zone"
+ fi
+}
+
+zone="test1.zone" ; signit ; expect_success
+zone="test2.zone" ; signit ; expect_failure
+zone="test3.zone" ; signit ; expect_failure
+zone="test4.zone" ; signit ; expect_success
+zone="test5.zone" ; signit ; expect_failure
+zone="test6.zone" ; signit ; expect_failure
+zone="test7.zone" ; signit ; expect_failure
+zone="test8.zone" ; signit ; expect_failure
--- /dev/null
+;
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
--- /dev/null
+;
+; This is a zone which has one non-KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically and the zone
+; correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
--- /dev/null
+;
+; This is a zone which has one KSK DNSKEY record for which the
+; private key file exists. It should be loaded automatically. As there
+; is no non-KSK DNSKEY the resulting zone should be rejected.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+23362.key
--- /dev/null
+;
+; This is a zone which has three DNSKEY records, two (KSK + ZSK) of
+; which have existing private key files available. The third is a
+; pre-published ZSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
+$include bogus-zsk.key
--- /dev/null
+;
+; This is a zone which has three DNSKEY records, two (KSK +ZSK) of which
+; have existing private key files available. The third is a KSK.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
+$include bogus-ksk.key
--- /dev/null
+;
+; This is a zone which has four DNSKEY records, two (KK + ZSK) of which
+; have existing private key files available. There are also a KSK and ZSK
+; for which there will be no signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+07065.key
+$include Kexample.com.+005+23362.key
+$include bogus-ksk.key
+$include bogus-zsk.key
--- /dev/null
+;
+; This is a zone which has two DNSKEY records, none of which have
+; existing private key files available. The resulting zone should fail
+; the consistancy tests.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include bogus-ksk.key
+$include bogus-zsk.key
--- /dev/null
+;
+; This is a zone which has two DNSKEY records, one of which,
+; the KSK, has a private key. The resulting zone should be rejected as
+; it has no ZSK signatures.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
+$include Kexample.com.+005+23362.key
+$include bogus-zsk.key
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.3.6.3 2010/05/19 07:47:11 marka Exp $
+
+rm -f */K* */dsset-* */*.signed */trusted.conf */tmp* */*.jnl */*.bk
+rm -f active.key inact.key del.key unpub.key standby.key rev.key
+rm -f nopriv.key vanishing.key del1.key del2.key
+rm -f nsupdate.out
+rm -f */core
+rm -f */example.bk
+rm -f */named.memstats
+rm -f dig.out.*
+rm -f random.data
+rm -f ns1/root.db
+rm -f ns2/example.db
+rm -f ns2/private.secure.example.db ns2/bar.db
+rm -f ns3/nsec.example.db
+rm -f ns3/nsec3.example.db
+rm -f ns3/nsec3.nsec3.example.db
+rm -f ns3/nsec3.optout.example.db
+rm -f ns3/nsec3-to-nsec.example.db
+rm -f ns3/oldsigs.example.db
+rm -f ns3/optout.example.db
+rm -f ns3/optout.nsec3.example.db
+rm -f ns3/optout.optout.example.db
+rm -f ns3/rsasha256.example.db ns3/rsasha512.example.db
+rm -f ns3/secure.example.db
+rm -f ns3/secure.nsec3.example.db
+rm -f ns3/secure.optout.example.db
+rm -f ns3/secure-to-insecure.example.db
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: keygen.sh,v 1.3.6.3 2010/01/18 23:48:01 tbox Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+zonefile=root.db
+infile=root.db.in
+
+(cd ../ns2 && sh keygen.sh )
+
+cat $infile ../ns2/dsset-example. > $zonefile
+
+zskact=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskvanish=`$KEYGEN -3 -q -r $RANDFILE $zone`
+zskdel=`$KEYGEN -3 -q -r $RANDFILE -D now $zone`
+zskinact=`$KEYGEN -3 -q -r $RANDFILE -I now $zone`
+zskunpub=`$KEYGEN -3 -q -r $RANDFILE -G $zone`
+zsksby=`$KEYGEN -3 -q -r $RANDFILE -A none $zone`
+zsknopriv=`$KEYGEN -3 -q -r $RANDFILE $zone`
+rm $zsknopriv.private
+
+ksksby=`$KEYGEN -3 -q -r $RANDFILE -P now -A now+15s -fk $zone`
+kskrev=`$KEYGEN -3 -q -r $RANDFILE -R now+15s -fk $zone`
+
+cat $ksksby.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
+
+cat $kskrev.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns5/trusted.conf
+
+echo $zskact > ../active.key
+echo $zskvanish > ../vanishing.key
+echo $zskdel > ../del.key
+echo $zskinact > ../inact.key
+echo $zskunpub > ../unpub.key
+echo $zsknopriv > ../nopriv.key
+echo $zsksby > ../standby.key
+echo $kskrev > ../rev.key
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+
+// NS1
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.1 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type master;
+ file "root.db";
+ allow-transfer { any; };
+ allow-query { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+include "trusted.conf";
--- /dev/null
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db.in,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 30
+. IN SOA a.root.servers.nil. each.isc.org. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+bar. NS ns2.example.
+ns2.example. A 10.53.0.2
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: bar.db.in,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+z A 10.0.0.26
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.nsec3.example.db,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2006081400 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ IN NS ns2.example.
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.optout.example.db,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2006081400 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ IN NS ns2.example.
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: dst.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2.example.
+a A 10.0.0.1
--- /dev/null
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ NS ns3
+ns2 A 10.53.0.2
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+
+; Used for testing ANY queries
+foo TXT "testing"
+foo A 10.0.1.0
+
+; Used for testing CNAME queries
+cname1 CNAME cname1-target
+cname1-target TXT "testing cname"
+
+cname2 CNAME cname2-target
+cname2-target TXT "testing cname"
+
+; Used for testing DNAME queries
+dname1 DNAME dname1-target
+foo.dname1-target TXT "testing dname"
+
+dname2 DNAME dname2-target
+foo.dname2-target TXT "testing dname"
+
+; A secure subdomain
+secure NS ns.secure
+ns.secure A 10.53.0.3
+
+; An insecure subdomain
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+
+; A insecure subdomain
+mustbesecure NS ns.mustbesecure
+ns.mustbesecure A 10.53.0.3
+
+z A 10.0.0.26
+
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+
+optout NS ns.optout
+ns.optout A 10.53.0.3
+
+nsec3-unknown NS ns.nsec3-unknown
+ns.nsec3-unknown A 10.53.0.3
+
+optout-unknown NS ns.optout-unknown
+ns.optout-unknown A 10.53.0.3
+
+multiple NS ns.multiple
+ns.multiple A 10.53.0.3
+
+rsasha256 NS ns.rsasha256
+ns.rsasha256 A 10.53.0.3
+
+rsasha512 NS ns.rsasha512
+ns.rsasha512 A 10.53.0.3
+
+nsec3-to-nsec NS ns.nsec3-to-nsec
+ns.nsec3-to-nsec A 10.53.0.3
+
+oldsigs NS ns.oldsigs
+ns.oldsigs A 10.53.0.3
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: insecure.secure.example.db,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: keygen.sh,v 1.3.6.3 2010/01/18 23:48:01 tbox Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+# Have the child generate subdomain keys and pass DS sets to us.
+( cd ../ns3 && sh keygen.sh )
+
+for subdomain in secure nsec3 optout rsasha256 rsasha512 nsec3-to-nsec oldsigs
+do
+ cp ../ns3/dsset-$subdomain.example. .
+done
+
+# Create keys and pass the DS to the parent.
+zone=example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile dsset-*.example. > $zonefile
+
+kskname=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $kskname.key > dsset-${zone}.
+
+# Create keys for a private secure zone.
+zone=private.secure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+$KEYGEN -3 -q -r $RANDFILE -fk $zone > /dev/null
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+
+# Extract saved keys for the revoke-to-duplicate-key test
+zone=bar
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile > $zonefile
+sh revkeys.shar > /dev/null
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY Kbar.+005+30804.key > dsset-bar.
--- /dev/null
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type master;
+ file "example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "bar" {
+ type master;
+ file "bar.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+ dnssec-dnskey-kskonly yes;
+};
+
+zone "private.secure.example" {
+ type master;
+ file "private.secure.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "insecure.secure.example" {
+ type master;
+ file "insecure.secure.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "child.nsec3.example" {
+ type master;
+ file "child.nsec3.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "child.optout.example" {
+ type master;
+ file "child.optout.example.db";
+ allow-query { any; };
+ allow-transfer { any; };
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+include "trusted.conf";
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: private.secure.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.2
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+private2secure-nxdomain CNAME r.example.
--- /dev/null
+#!/bin/sh
+# This is a shell archive (produced by GNU sharutils 4.6.3).
+# To extract the files from this archive, save it to some FILE, remove
+# everything before the `#!/bin/sh' line above, then type `sh FILE'.
+#
+lock_dir=_sh31052
+# Made on 2010-01-08 23:17 PST by <each@pisces>.
+# Source directory was `/home/each/isc/bind9/bin/tests/system/autosign/ns2/keys'.
+#
+# Existing files will *not* be overwritten, unless `-c' is specified.
+#
+# This shar contains:
+# length mode name
+# ------ ---------- ------------------------------------------
+# 538 -rw-r--r-- Kbar.+005+30676.key
+# 1774 -rw-r--r-- Kbar.+005+30676.private
+# 538 -rw-r--r-- Kbar.+005+30804.key
+# 1774 -rw-r--r-- Kbar.+005+30804.private
+#
+MD5SUM=${MD5SUM-md5sum}
+f=`${MD5SUM} --version | egrep '^md5sum .*(core|text)utils'`
+test -n "${f}" && md5check=true || md5check=false
+${md5check} || \
+ echo 'Note: not verifying md5sums. Consider installing GNU coreutils.'
+save_IFS="${IFS}"
+IFS="${IFS}:"
+gettext_dir=FAILED
+locale_dir=FAILED
+first_param="$1"
+for dir in $PATH
+do
+ if test "$gettext_dir" = FAILED && test -f $dir/gettext \
+ && ($dir/gettext --version >/dev/null 2>&1)
+ then
+ case `$dir/gettext --version 2>&1 | sed 1q` in
+ *GNU*) gettext_dir=$dir ;;
+ esac
+ fi
+ if test "$locale_dir" = FAILED && test -f $dir/shar \
+ && ($dir/shar --print-text-domain-dir >/dev/null 2>&1)
+ then
+ locale_dir=`$dir/shar --print-text-domain-dir`
+ fi
+done
+IFS="$save_IFS"
+if test "$locale_dir" = FAILED || test "$gettext_dir" = FAILED
+then
+ echo=echo
+else
+ TEXTDOMAINDIR=$locale_dir
+ export TEXTDOMAINDIR
+ TEXTDOMAIN=sharutils
+ export TEXTDOMAIN
+ echo="$gettext_dir/gettext -s"
+fi
+if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null
+then if (echo -n test; echo 1,2,3) | grep n >/dev/null
+ then shar_n= shar_c='
+'
+ else shar_n=-n shar_c= ; fi
+else shar_n= shar_c='\c' ; fi
+f=shar-touch.$$
+st1=200112312359.59
+st2=123123592001.59
+st2tr=123123592001.5 # old SysV 14-char limit
+st3=1231235901
+
+if touch -am -t ${st1} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st1} && test -f ${f}; then
+ shar_touch='touch -am -t $1$2$3$4$5$6.$7 "$8"'
+
+elif touch -am ${st2} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st2} && test ! -f ${st2tr} && test -f ${f}; then
+ shar_touch='touch -am $3$4$5$6$1$2.$7 "$8"'
+
+elif touch -am ${st3} ${f} >/dev/null 2>&1 && \
+ test ! -f ${st3} && test -f ${f}; then
+ shar_touch='touch -am $3$4$5$6$2 "$8"'
+
+else
+ shar_touch=:
+ echo
+ ${echo} 'WARNING: not restoring timestamps. Consider getting and'
+ ${echo} 'installing GNU `touch'\'', distributed in GNU coreutils...'
+ echo
+fi
+rm -f ${st1} ${st2} ${st2tr} ${st3} ${f}
+#
+if test ! -d ${lock_dir}
+then : ; else ${echo} 'lock directory '${lock_dir}' exists'
+ exit 1
+fi
+if mkdir ${lock_dir}
+then ${echo} 'x - created lock directory `'${lock_dir}\''.'
+else ${echo} 'x - failed to create lock directory `'${lock_dir}\''.'
+ exit 1
+fi
+# ============= Kbar.+005+30676.key ==============
+if test -f 'Kbar.+005+30676.key' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30676.key (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30676.key (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.key' &&
+; This is a key-signing key, keyid 30676, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAAc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30676.key'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30676.key'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30676.key failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.key: MD5 check failed'
+ ) << SHAR_EOF
+9c89adb7c9e6d5e2fd34f694b8752c95 Kbar.+005+30676.key
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30676.key'` -ne 538 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30676.key is not 538'
+ fi
+fi
+# ============= Kbar.+005+30676.private ==============
+if test -f 'Kbar.+005+30676.private' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30676.private (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30676.private (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30676.private' &&
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQAB
+PrivateExponent: BcfjYsFCjuH1x4ucdbW09ncOv8ppJXbiJkt9AoP0hFOT2c5wrJ1hNOGnrdvYd2CMBlpUOR+w5BxDP+cF78Q97ogXpcjjTwj+5PuqJLg4+qx8thvacrAkdXIKEsgMytjD2d4/ksQmeBiQ7zgiGyCHC7CYzvxnzXEKlgl4FuzLRy4SH1YiSTxKfw1ANKKHxmw8Xvav9ljubrzNdBEQNs6eJNkC6c3aGqiPFyTWGa90s6t1mwTXSxFqBUR1WlbfyYfuiAK2CAvFHeNo7VuC934ri7ceEq8jeOSuY0IqDq2pA3gVWVOyR4NFLXJWeDA3pjqi109t/WGg9IGydD/hsleP4Q==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: NLeXHRUrJ0fdCSRIt1iwRDeEoPn5OA7GEUtgCcp5i3eSjhb0ZxTaQc/l+NHJCW4vwApWSi9cRy99LUpbResKM1ZGN8EE9rDStqgnQnDXztFTWcDKm+e8VNhGtPtHuARDbqNnJRK3Y+Gz0iAGc8Mpo14qE9IEcoeHXKKVUf+x3BE=
+Exponent2: dKCbJB+SdM/u5IXH+TZyGKkMSLIMATKfucfqV6vs+86rv5Yb0zUEvPNqPNAQe0+LoMF2L7YWblY+71wumHXgOaobAP3u8W2pVGUjuTOtfRPU8x1QAwfV9vye87oTINaxFXkBuNtITuBXNiY2bfprpw9WB4zXxuWpiruPjQsumiE=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30676.private'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30676.private'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30676.private failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30676.private: MD5 check failed'
+ ) << SHAR_EOF
+c85dfac0b5c0cf2972878a65717af9ea Kbar.+005+30676.private
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30676.private'` -ne 1774 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30676.private is not 1774'
+ fi
+fi
+# ============= Kbar.+005+30804.key ==============
+if test -f 'Kbar.+005+30804.key' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30804.key (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30804.key (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.key' &&
+; This is a key-signing key, keyid 30804, for bar.
+; Created: Sat Dec 26 03:13:10 2009
+; Publish: Sat Dec 26 03:13:10 2009
+; Activate: Sat Dec 26 03:13:10 2009
+bar. IN DNSKEY 257 3 5 AwEAgc7ppysDZjlldTwsvcXcTTOYJd5TvW5RUWWYKRsee+ozwY6C7vNI 0Xp1PiY+H31GhcnNMCjQU00y8Vezo42oJ4kpRTDevL0STksExXi1/wG+ M4j1CFMh2wgJ/9XLFzHaEWzt4sflVBAVZVXa/qNkRWDXYjsr30MWyylA wHCIxEuyA+NxAL6UL+ZuFo1j84AvfwkGcMbXTcOBSCaHT6AJToSXAcCa X4fnKJIzG4RyJoN2GK4TVdj4qSzLxL1lRkYHNqJvcmMjezxUs9A5fHNI iBEBRPs7NKrQJxegAGVn9ALylKHyhJW6uyBjleOWUDom4ej2J1vGrpQT /KCA35toCvU=
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30804.key'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30804.key'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30804.key failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.key: MD5 check failed'
+ ) << SHAR_EOF
+825116de64b44b14893cb3b8a48475bc Kbar.+005+30804.key
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30804.key'` -ne 538 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30804.key is not 538'
+ fi
+fi
+# ============= Kbar.+005+30804.private ==============
+if test -f 'Kbar.+005+30804.private' && test "$first_param" != -c; then
+ ${echo} 'x -SKIPPING Kbar.+005+30804.private (file already exists)'
+else
+${echo} 'x - extracting Kbar.+005+30804.private (text)'
+ sed 's/^X//' << 'SHAR_EOF' > 'Kbar.+005+30804.private' &&
+Private-key-format: v1.3
+Algorithm: 5 (RSASHA1)
+Modulus: zumnKwNmOWV1PCy9xdxNM5gl3lO9blFRZZgpGx576jPBjoLu80jRenU+Jj4ffUaFyc0wKNBTTTLxV7OjjagniSlFMN68vRJOSwTFeLX/Ab4ziPUIUyHbCAn/1csXMdoRbO3ix+VUEBVlVdr+o2RFYNdiOyvfQxbLKUDAcIjES7ID43EAvpQv5m4WjWPzgC9/CQZwxtdNw4FIJodPoAlOhJcBwJpfh+cokjMbhHImg3YYrhNV2PipLMvEvWVGRgc2om9yYyN7PFSz0Dl8c0iIEQFE+zs0qtAnF6AAZWf0AvKUofKElbq7IGOV45ZQOibh6PYnW8aulBP8oIDfm2gK9Q==
+PublicExponent: AQCB
+PrivateExponent: I5TcRq2sbSi1u5a+jL6VVBBu3nyY7p3NXeD1WYYYD66b8RWbgJdTtsZxgixD5sKKrW/xT68d3FUsIjs36w7yp5+g99q7lJ3v35VcMuLXbaKitS/LJdTZF/GIWwRs+DHdt+chh0QeNLzclq8ZfBeTAycFxwC7zVDLsqqcL6/JHiJhHT+dNEqj6/AIOgSYJzVeBI34LtZLW94IKf4dHLzREnLK6+64PFjpwjOG12O9klKfwHRIRN9WUsDG4AuzDSABH+qo2Zc6uJusC/D6HADbiG7tXmLYL6IxanWTbTrx4Hfp01fF+JQCuyOCRmN47X/nCumvDXKMn9Ve5+OlYi0vAQ==
+Prime1: /hz+WxAL+9bO1l/857ME/OhxImSp86Xi7eA920sAo5ukOIQAQ6hbaKemYxyUbwBmGHEX9d0GOU+xAgZWUU9PbZgXw0fdf+uw6Hrgfce0rWY+uJpUcVHfjLPFgMC/XYrfcVQ8tsCXqRsIbqL+ynsEkQ4vybLhlSAyFqGqYFk/Qt0=
+Prime2: 0HLxXynoSxUcNW15cbuMRHD34ri8sUQsqCtezofPWcCo/17jqf42W7X9YGO70+BvmG3awSr3LaLf862ovCR5+orwE2MqamAV6JZMyR7nvMNGSHTdg3Kk7Jv7T5Gu7Cg6K+on8pMRW3aIms4gs/Z16j0Gxz74ES9IP3vsvC+q6vk=
+Exponent1: JDLRyjRz53hTP7H2oaKgQYADs/UDswN2lwWpuag0wsPwQmeRAZZY2TiISPSu+3Mvh4XJ6r5UHQd5FbAN1v2mG4aYgWwoYwoxyvdTLcnQXciX2z+7877GcEyKHPno4fYXRqhVH4i1QjKaQl8dw9LFvzbVvGvvwsHGwQeqPprw7hk=
+Exponent2: vbnob7AZKqKhiVdEcnnhbeZBGcaKkTpE+RAkUL7spNQDiTPvJgo5fcTk/h6G7ijAXK0j62ZHZ3RS7RnaRa+KhO7usPcYMFiJ/VdAyRlIivhyi+WNQ2x4vSygwDy2VV9elljFeNe4dV1Cb+ssE8kAmbP52JjJD6MkhvVLd0u/jMk=
+Coefficient: qk8HX5fy74Sx6z3niBfTM/SUEjcsnJCTTmsXy6e7nOXWBK5ihKkmMw7LDhaY4OwjXvaVQH0Z190dfyOkWYTbXInIyNNnqCD+xZXkuzuvsUwLNgvXEFhVnzrrj3ozNiizZsyeAhFCKcITz3ci15HB3y8ZLChGYBPFU1ui7MsSkc8=
+Created: 20091226021310
+Publish: 20091226021310
+Activate: 20091226021310
+SHAR_EOF
+ (set 20 10 01 08 23 14 29 'Kbar.+005+30804.private'; eval "$shar_touch") &&
+ chmod 0644 'Kbar.+005+30804.private'
+if test $? -ne 0
+then ${echo} 'restore of Kbar.+005+30804.private failed'
+fi
+ if ${md5check}
+ then (
+ ${MD5SUM} -c >/dev/null 2>&1 || ${echo} 'Kbar.+005+30804.private: MD5 check failed'
+ ) << SHAR_EOF
+580cfb43bac6ed945896b464923676e7 Kbar.+005+30804.private
+SHAR_EOF
+ else
+test `LC_ALL=C wc -c < 'Kbar.+005+30804.private'` -ne 1774 && \
+ ${echo} 'restoration warning: size of Kbar.+005+30804.private is not 1774'
+ fi
+fi
+if rm -fr ${lock_dir}
+then ${echo} 'x - removed lock directory `'${lock_dir}\''.'
+else ${echo} 'x - failed to remove lock directory `'${lock_dir}\''.'
+ exit 1
+fi
+exit 0
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: insecure.example.db,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: keygen.sh,v 1.3.6.4 2010/05/19 07:47:11 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=secure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -3 -q -r $RANDFILE -fk $zone`
+$KEYGEN -3 -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# NSEC3/NSEC test zone
+#
+zone=secure.nsec3.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# NSEC3/NSEC3 test zone
+#
+zone=nsec3.nsec3.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# OPTOUT/NSEC3 test zone
+#
+zone=optout.nsec3.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# A nsec3 zone (non-optout).
+#
+zone=nsec3.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile dsset-*.${zone}. > $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# OPTOUT/NSEC test zone
+#
+zone=secure.optout.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# OPTOUT/NSEC3 test zone
+#
+zone=nsec3.optout.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# OPTOUT/OPTOUT test zone
+#
+zone=optout.optout.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# A optout nsec3 zone.
+#
+zone=optout.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cat $infile dsset-*.${zone}. > $zonefile
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+$KEYGEN -q -3 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# A RSASHA256 zone.
+#
+zone=rsasha256.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA256 -b 2048 -r $RANDFILE -fk $zone`
+$KEYGEN -q -a RSASHA256 -b 1024 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# A RSASHA512 zone.
+#
+zone=rsasha512.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
+$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# NSEC-only zone.
+#
+zone=nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$DSFROMKEY $ksk.key > dsset-${zone}.
+
+#
+# Signature refresh test zone. Signatures are set to expire long
+# in the past; they should be updated by autosign.
+#
+zone=oldsigs.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# NSEC3->NSEC transition test zone.
+#
+zone=nsec3-to-nsec.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+cp $infile $zonefile
+ksk=`$KEYGEN -q -a RSASHA512 -b 2048 -r $RANDFILE -fk $zone`
+$KEYGEN -q -a RSASHA512 -b 1024 -r $RANDFILE $zone > /dev/null
+$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# secure-to-insecure transition test zone; used to test removal of
+# keys via nsupdate
+#
+zone=secure-to-insecure.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+ksk=`$KEYGEN -q -r $RANDFILE -fk $zone`
+$KEYGEN -q -r $RANDFILE $zone > /dev/null
+$SIGNER -S -o $zone -f $zonefile $infile > /dev/null 2>&1
+
+#
+# another secure-to-insecure transition test zone; used to test
+# removal of keys on schedule.
+#
+zone=secure-to-insecure2.example
+zonefile="${zone}.db"
+infile="${zonefile}.in"
+ksk=`$KEYGEN -q -3 -r $RANDFILE -fk $zone`
+echo $ksk > ../del1.key
+zsk=`$KEYGEN -q -3 -r $RANDFILE $zone`
+echo $zsk > ../del2.key
+$SIGNER -S -3 beef -o $zone -f $zonefile $infile > /dev/null 2>&1
--- /dev/null
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3.6.3 2010/05/19 07:47:11 marka Exp $ */
+
+// NS3
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-md5;
+};
+
+controls {
+ inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; };
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type slave;
+ masters { 10.53.0.2; };
+ file "example.bk";
+};
+
+zone "bar" {
+ type slave;
+ masters { 10.53.0.2; };
+ file "bar.bk";
+};
+
+zone "secure.example" {
+ type master;
+ file "secure.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "insecure.example" {
+ type master;
+ file "insecure.example.db";
+};
+
+zone "nsec3.example" {
+ type master;
+ file "nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout.nsec3.example" {
+ type master;
+ file "optout.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3.nsec3.example" {
+ type master;
+ file "nsec3.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure.nsec3.example" {
+ type master;
+ file "secure.nsec3.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout.example" {
+ type master;
+ file "optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure.optout.example" {
+ type master;
+ file "secure.optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3.optout.example" {
+ type master;
+ file "nsec3.optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "optout.optout.example" {
+ type master;
+ file "optout.optout.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "rsasha256.example" {
+ type master;
+ file "rsasha256.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "rsasha512.example" {
+ type master;
+ file "rsasha512.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec.example" {
+ type master;
+ file "nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "nsec3-to-nsec.example" {
+ type master;
+ file "nsec3-to-nsec.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+zone "secure-to-insecure.example" {
+ type master;
+ file "secure-to-insecure.example.db";
+ allow-update { any; };
+ dnssec-secure-to-insecure yes;
+};
+
+zone "secure-to-insecure2.example" {
+ type master;
+ file "secure-to-insecure2.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+ dnssec-secure-to-insecure yes;
+};
+
+zone "oldsigs.example" {
+ type master;
+ file "oldsigs.example.db";
+ allow-update { any; };
+ auto-dnssec maintain;
+};
+
+include "trusted.conf";
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec3-to-nsec.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec3.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+child NS ns2.example.
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+02HC3EM7BDD011A0GMS3HKKJT2IF5VP8 A 10.0.0.17
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec3.nsec3.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nsec3.optout.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: oldsigs.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: optout.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a A 10.0.0.3
+insecure NS ns.insecure
+ns.insecure A 10.53.0.3
+secure NS ns.secure
+ns.secure A 10.53.0.3
+nsec3 NS ns.nsec3
+ns.nsec3 A 10.53.0.3
+optout NS ns.optout
+ns.optout A 10.53.0.3
+child NS ns2.example.
+insecure.empty NS ns.insecure.empty
+ns.insecure.empty A 10.53.0.3
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: optout.nsec3.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: optout.optout.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha256.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha512.example.db.in,v 1.2 2009/11/30 21:00:47 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: secure-to-insecure.example.db.in,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: secure-to-insecure2.example.db.in,v 1.2.2.1 2010/05/19 07:47:11 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: secure.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: secure.nsec3.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: secure.optout.example.db.in,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2000042407 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
+
+private NS ns.private
+ns.private A 10.53.0.2
+
+insecure NS ns.insecure
+ns.insecure A 10.53.0.2
+
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+
+// NS4
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+ acache-enable yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+ dnssec-must-be-secure mustbesecure.example yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2009/11/30 23:48:02 tbox Exp $ */
+
+// NS5
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.5;
+ notify-source 10.53.0.5;
+ transfer-source 10.53.0.5;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.5; };
+ listen-on-v6 { none; };
+ recursion yes;
+ acache-enable yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+include "trusted.conf";
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.3.6.2 2010/01/18 23:48:01 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
+echo "I:generating keys and preparing zones"
+
+../../../tools/genrandom 400 random.data
+
+cd ns1 && sh keygen.sh
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.4.6.5 2010/05/19 07:47:11 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=0
+
+
+DIGOPTS="+tcp +noadd +nosea +nostat +nocmd +dnssec -p 5300"
+
+echo "I:waiting 30 seconds for autosign changes to take effect"
+sleep 30
+
+echo "I:checking that zone transfer worked ($n)"
+ret=0
+$DIG $DIGOPTS a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS a.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns3.test$n || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion prerequisites ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC3->NSEC conversion prerequisites ($n)"
+ret=0
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:converting zones from nsec to nsec3"
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.3 5300
+zone nsec3.nsec3.example.
+update add nsec3.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+zone optout.nsec3.example.
+update add optout.nsec3.example. 3600 NSEC3PARAM 1 1 10 BEEF
+send
+zone nsec3.example.
+update add nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+zone nsec3.optout.example.
+update add nsec3.optout.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+zone optout.optout.example.
+update add optout.optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
+send
+zone optout.example.
+update add optout.example. 3600 NSEC3PARAM 1 1 10 BEEF
+send
+END
+
+# try to convert nsec.example; this should fail due to non-NSEC key
+$NSUPDATE > nsupdate.out 2>&1 <<END
+server 10.53.0.3 5300
+zone nsec.example.
+update add nsec.example. 3600 NSEC3PARAM 1 0 10 BEEF
+send
+END
+
+echo "I:waiting for changes to take effect"
+sleep 3
+
+echo "I:converting zone from nsec3 to nsec"
+$NSUPDATE > /dev/null 2>&1 << END || status=1
+server 10.53.0.3 5300
+zone nsec3-to-nsec.example.
+update delete nsec3-to-nsec.example. NSEC3PARAM
+send
+END
+
+echo "I:waiting for change to take effect"
+sleep 3
+
+# Send rndc freeze command to ns1, ns2 and ns3, to force the dynamically
+# signed zones to be dumped to their zone files
+echo "I:dumping zone files"
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 freeze 2>&1 | sed 's/^/I:ns1 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 thaw 2>&1 | sed 's/^/I:ns1 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 freeze 2>&1 | sed 's/^/I:ns2 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 thaw 2>&1 | sed 's/^/I:ns2 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze 2>&1 | sed 's/^/I:ns3 /'
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 thaw 2>&1 | sed 's/^/I:ns3 /'
+
+echo "I:checking expired signatures were updated ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion succeeded ($n)"
+ret=0
+$DIG $DIGOPTS nsec3.example. nsec3param @10.53.0.3 > dig.out.ns3.ok.test$n || ret=1
+grep "status: NOERROR" dig.out.ns3.ok.test$n > /dev/null || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC->NSEC3 conversion failed with NSEC-only key ($n)"
+ret=0
+grep "failed: REFUSED" nsupdate.out > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking NSEC3->NSEC conversion succeeded ($n)"
+ret=0
+# this command should result in an empty file:
+$DIG $DIGOPTS +noall +answer nsec3-to-nsec.example. nsec3param @10.53.0.3 > dig.out.ns3.nx.test$n || ret=1
+grep "NSEC3PARAM" dig.out.ns3.nx.test$n > /dev/null && ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3-to-nsec.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation NXDOMAIN NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.example. @10.53.0.2 a > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation NXDOMAIN NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation NXDOMAIN OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth q.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation NODATA NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.example. @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation NODATA NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking negative validation NODATA OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.3 txt > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.4 txt > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "ANSWER: 0" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Check the insecure.example domain
+
+echo "I:checking 1-server insecurity proof NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking 1-server negative insecurity proof NSEC ($n)"
+ret=0
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.3 \
+ > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS q.insecure.example. a @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Check the secure.example domain
+
+echo "I:checking multi-stage positive validation NSEC/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation NSEC/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation NSEC/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation NSEC3/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation NSEC3/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation NSEC3/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.nsec3.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation OPTOUT/NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.secure.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.secure.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation OPTOUT/NSEC3 ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.nsec3.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking multi-stage positive validation OPTOUT/OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.optout.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.optout.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking empty NODATA OPTOUT ($n)"
+ret=0
+$DIG $DIGOPTS +noauth empty.optout.example. \
+ @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth empty.optout.example. \
+ @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+#grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Check the insecure.secure.example domain (insecurity proof)
+
+echo "I:checking 2-server insecurity proof ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.2 a \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.insecure.secure.example. @10.53.0.4 a \
+ > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Check a negative response in insecure.secure.example
+
+echo "I:checking 2-server insecurity proof with a negative answer ($n)"
+ret=0
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.2 a > dig.out.ns2.test$n \
+ || ret=1
+$DIG $DIGOPTS q.insecure.secure.example. @10.53.0.4 a > dig.out.ns4.test$n \
+ || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "status: NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking security root query ($n)"
+ret=0
+$DIG $DIGOPTS . @10.53.0.4 key > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation RSASHA256 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha256.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking positive validation RSASHA512 NSEC ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1
+$DIG $DIGOPTS +noauth a.rsasha512.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns3.test$n dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that positive validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth a.private.secure.example. a @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that negative validation in a privately secure zone works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth q.private.secure.example. a @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+grep "NXDOMAIN" dig.out.ns4.test$n > /dev/null || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking privately secure to nxdomain works ($n)"
+ret=0
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.2 \
+ > dig.out.ns2.test$n || ret=1
+$DIG $DIGOPTS +noauth private2secure-nxdomain.private.secure.example. SOA @10.53.0.4 \
+ > dig.out.ns4.test$n || ret=1
+$PERL ../digcomp.pl dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
+# Note - this is looking for failure, hence the &&
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+# Try validating with a revoked trusted key.
+# This should fail.
+
+echo "I:checking that validation returns insecure due to revoked trusted key ($n)"
+ret=0
+$DIG $DIGOPTS example. soa @10.53.0.5 > dig.out.ns5.test$n || ret=1
+grep "flags:.*; QUERY" dig.out.ns5.test$n > /dev/null || ret=1
+grep "flags:.* ad.*; QUERY" dig.out.ns5.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that revoked key is present ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < rev.key`
+id=`expr $id + 128 % 65536`
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that revoked key self-signs ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < rev.key`
+id=`expr $id + 128 % 65536`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking for unpublished key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < unpub.key`
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that standby key does not sign records ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < standby.key`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that deactivated key does not sign records ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < inact.key`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking insertion of public-only key ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < nopriv.key`
+file="ns1/`cat nopriv.key`.key"
+keydata=`grep DNSKEY $file`
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.1 5300
+zone .
+ttl 3600
+update add $keydata
+send
+END
+sleep 1
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking key deletion ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < del.key`
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking secure-to-insecure transition, nsupdate ($n)"
+$NSUPDATE > /dev/null 2>&1 <<END || status=1
+server 10.53.0.3 5300
+zone secure-to-insecure.example
+update delete secure-to-insecure.example dnskey
+send
+END
+sleep 2
+$DIG $DIGOPTS axfr secure-to-insecure.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
+egrep '(DNSKEY|NSEC)' dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking secure-to-insecure transition, scheduled ($n)"
+file="ns3/`cat del1.key`.key"
+$SETTIME -I now -D now $file > /dev/null
+file="ns3/`cat del2.key`.key"
+$SETTIME -I now -D now $file > /dev/null
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 sign secure-to-insecure2.example. 2>&1 | sed 's/^/I:ns3 /'
+sleep 2
+$DIG $DIGOPTS axfr secure-to-insecure2.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+egrep 'RRSIG.*'" $newid "'\. ' dig.out.ns3.test$n > /dev/null && ret=1
+egrep '(DNSKEY|NSEC3)' dig.out.ns3.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:preparing to test key change corner cases"
+echo "I:removing a private key file"
+file="ns1/`cat vanishing.key`.private"
+rm -f $file
+
+echo "I:preparing ZSK roll"
+newid=`sed 's/^K.+007+0*//' < standby.key`
+file="ns1/`cat standby.key`.key"
+$SETTIME -A now $file > /dev/null
+oldid=`sed 's/^K.+007+0*//' < active.key`
+file="ns1/`cat active.key`.key"
+$SETTIME -I now -D now+10 $file > /dev/null
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 sign . 2>&1 | sed 's/^/I:ns1 /'
+
+echo "I:revoking key to duplicated key ID"
+$SETTIME -R now ns2/Kbar.+005+30676.key > /dev/null
+
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 sign bar. 2>&1 | sed 's/^/I:ns2 /'
+
+echo "I:waiting for changes to take effect"
+sleep 5
+
+echo "I:checking former standby key is now active ($n)"
+ret=0
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting for former active key to be removed"
+sleep 10
+
+echo "I:checking key was removed ($n)"
+ret=0
+$DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep '; key id =.*'"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking private key file removal caused no immediate harm ($n)"
+ret=0
+id=`sed 's/^K.+007+0*//' < vanishing.key`
+$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1
+grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking revoked key with duplicate key ID (failure expected) ($n)"
+lret=0
+id=30676
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
+grep '; key id =.*'"$id"'$' dig.out.ns2.test$n || lret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
+n=`expr $n + 1`
+if [ $lret != 0 ]; then echo "I:failed"; fi
+
+echo "I:exit status: $status"
+
+exit $status
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db.in,v 1.2.2.1 2010/05/26 06:30:43 marka Exp $
+
+$TTL 120
+@ SOA ns hostmaster.ns6 1 3600 1200 604800 60
+@ NS ns
+ns A 10.53.0.6
+foo TXT foo
+bar TXT bar
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hints,v 1.2.2.2 2010/05/26 23:49:35 tbox Exp $
+
+. 0 NS ns.rootservers.utld.
+ns.rootservers.utld. 0 A 10.53.0.1
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2.2.2 2010/05/27 23:49:55 tbox Exp $ */
+
+controls { /* empty */ };
+
+options {
+ query-source address 10.53.0.6;
+ notify-source 10.53.0.6;
+ transfer-source 10.53.0.6;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.6; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+};
+
+zone "." { type hint; file "hints"; };
+zone "grand.child1.utld" { type master; file "grand.child1.signed"; };
+zone "grand.child3.utld" { type master; file "grand.child3.signed"; };
+zone "grand.child4.utld" { type master; file "grand.child4.signed"; };
+zone "grand.child5.utld" { type master; file "grand.child5.signed"; };
+zone "grand.child7.utld" { type master; file "grand.child7.signed"; };
+zone "grand.child8.utld" { type master; file "grand.child8.signed"; };
+zone "grand.child9.utld" { type master; file "grand.child9.signed"; };
+zone "grand.child10.utld" { type master; file "grand.child.db.in"; };
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.2.2 2010/05/27 23:49:55 tbox Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=grand.child1.utld.
+infile=child.db.in
+zonefile=grand.child1.utld.db
+outfile=grand.child1.signed
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child3.utld.
+infile=child.db.in
+zonefile=grand.child3.utld.db
+outfile=grand.child3.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child4.utld.
+infile=child.db.in
+zonefile=grand.child4.utld.db
+outfile=grand.child4.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child5.utld.
+infile=child.db.in
+zonefile=grand.child5.utld.db
+outfile=grand.child5.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child7.utld.
+infile=child.db.in
+zonefile=grand.child7.utld.db
+outfile=grand.child7.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child8.utld.
+infile=child.db.in
+zonefile=grand.child8.utld.db
+outfile=grand.child8.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+
+zone=grand.child9.utld.
+infile=child.db.in
+zonefile=grand.child9.utld.db
+outfile=grand.child9.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
+
+zone=grand.child10.utld.
+infile=child.db.in
+zonefile=grand.child10.utld.db
+outfile=grand.child10.signed
+dlvzone=dlv.utld.
+
+keyname1=`$KEYGEN -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+keyname2=`$KEYGEN -f KSK -r $RANDFILE -a DSA -b 768 -n zone $zone 2> /dev/null`
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone -f $outfile $zonefile > /dev/null 2> signer.err || cat signer.err
+echo "I: signed $zone"
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: kskonly.example.db.in,v 1.1.4.1 2010/01/18 19:18:35 each Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+x CNAME a
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha256.example.db.in,v 1.2 2009/10/27 22:25:37 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: rsasha512.example.db.in,v 1.2 2009/10/27 22:25:37 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2009102722 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns
+ns A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+d A 10.0.0.4
+z A 10.0.0.26
+a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27
+x CNAME a
--- /dev/null
+Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
+
+$Id: named.nosoa,v 1.2.6.3 2010/06/26 23:46:40 tbox Exp $
+
+Add -T nosoa.
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: nosoa.secure.example.db,v 1.2.6.2 2010/06/26 00:00:58 marka Exp $
+
+$TTL 300 ; 5 minutes
+@ IN SOA mname1. . (
+ 2010062400 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ IN NS ns
+ns IN A 10.53.0.7
+a IN A 1.2.3.4
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$ORIGIN .
+$TTL 20
+child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns.child.parent.nil.
+$ORIGIN child.parent.nil.
+$TTL 300 ; 5 minutes
+ns A 10.53.0.3
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+rm -f K* dsset-* *.signed *.new random.data
+rm -f zsk.key ksk.key parent.ksk.key parent.zsk.key
+rm -f pending.key rolling.key standby.key inact.key
+rm -f prerev.key postrev.key
+rm -f keys sigs
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: parent.db,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1.parent.nil.
+ NS ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600 ; 1 hour
+a A 1.1.1.1
+$TTL 300 ; 5 minutes
+ns1 A 10.53.0.1
+ns2 A 10.53.0.2
+
+child NS ns.child
+ns.child A 10.53.0.3
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.3 2009/11/30 23:48:02 tbox Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+. ./clean.sh
+
+RANDFILE=./random.data
+
+pzone=parent.nil
+czone=child.parent.nil
+
+../../../tools/genrandom 400 $RANDFILE
+
+echo "I:generating keys"
+
+# active zsk
+zsk=`$KEYGEN -q -r $RANDFILE $czone`
+echo $zsk > zsk.key
+
+# not yet published or active
+pending=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+echo $pending > pending.key
+
+# published but not active
+standby=`$KEYGEN -q -r $RANDFILE -A none $czone`
+echo $standby > standby.key
+
+# inactive
+inact=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+echo $inact > inact.key
+
+# active ksk
+ksk=`$KEYGEN -q -r $RANDFILE -fk $czone`
+echo $ksk > ksk.key
+
+# published but not YET active; will be active in 15 seconds
+rolling=`$KEYGEN -q -r $RANDFILE -fk $czone`
+$SETTIME -A now+15s $rolling > /dev/null
+echo $rolling > rolling.key
+
+# revoked
+revoke1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+echo $revoke1 > prerev.key
+revoke2=`$REVOKE $revoke1`
+echo $revoke2 | sed -e 's#\./##' -e "s/\.key.*$//" > postrev.key
+
+pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+echo $pzsk > parent.zsk.key
+
+pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+echo $pksk > parent.ksk.key
+
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.5 2009/12/02 17:54:45 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=./random.data
+pzone=parent.nil pfile=parent.db
+czone=child.parent.nil cfile=child.db
+status=0
+n=0
+
+echo "I:setting key timers"
+$SETTIME -A now+15s `cat rolling.key` > /dev/null
+
+inact=`sed 's/^K'${czone}'.+005+0*//' < inact.key`
+ksk=`sed 's/^K'${czone}'.+005+0*//' < ksk.key`
+pending=`sed 's/^K'${czone}'.+005+0*//' < pending.key`
+postrev=`sed 's/^K'${czone}'.+005+0*//' < postrev.key`
+prerev=`sed 's/^K'${czone}'.+005+0*//' < prerev.key`
+rolling=`sed 's/^K'${czone}'.+005+0*//' < rolling.key`
+standby=`sed 's/^K'${czone}'.+005+0*//' < standby.key`
+zsk=`sed 's/^K'${czone}'.+005+0*//' < zsk.key`
+
+../../../tools/genrandom 400 $RANDFILE
+
+echo "I:signing zones"
+$SIGNER -Sg -o $czone $cfile > /dev/null 2>&1
+$SIGNER -Sg -o $pzone $pfile > /dev/null 2>&1
+
+awk '$2 ~ /RRSIG/ {
+ type = $3;
+ getline;
+ id = $2;
+ if ($3 ~ /'${czone}'/) {
+ print type, id
+ }
+}' < ${cfile}.signed > sigs
+
+awk '$2 ~ /DNSKEY/ {
+ flags = $3;
+ while ($0 !~ /key id =/)
+ getline;
+ id = $6;
+ print flags, id;
+}' < ${cfile}.signed > keys
+
+echo "I:checking that KSK signed DNSKEY only ($n)"
+ret=0
+grep "DNSKEY $ksk"'$' sigs > /dev/null || ret=1
+grep "SOA $ksk"'$' sigs > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that ZSK signed ($n)"
+ret=0
+grep "SOA $zsk"'$' sigs > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that standby ZSK did not sign ($n)"
+ret=0
+grep " $standby"'$' sigs > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that inactive key did not sign ($n)"
+ret=0
+grep " $inact"'$' sigs > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that pending key was not published ($n)"
+ret=0
+grep " $pending"'$' keys > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that standby KSK did not sign but is delegated ($n)"
+ret=0
+grep " $rolling"'$' sigs > /dev/null && ret=1
+grep " $rolling"'$' keys > /dev/null || ret=1
+egrep "DS[ ]*$rolling[ ]" ${pfile}.signed > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that key was revoked ($n)"
+ret=0
+grep " $prerev"'$' keys > /dev/null && ret=1
+grep " $postrev"'$' keys > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking that revoked key self-signed ($n)"
+ret=0
+grep "DNSKEY $postrev"'$' sigs > /dev/null || ret=1
+grep "SOA $postrev"'$' sigs > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting 20 seconds for key changes to occur"
+sleep 20
+
+echo "I:re-signing zone"
+$SIGNER -Sg -o $czone -f ${cfile}.new ${cfile}.signed > /dev/null 2>&1
+
+echo "I:checking that standby KSK is now active ($n)"
+ret=0
+grep "DNSKEY $rolling"'$' sigs > /dev/null && ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.3.6.1 2009/12/30 08:33:40 jinmei Exp $
+
+rm -rf */*.signed
+rm -rf */*.jnl
+rm -rf */K*
+rm -rf */dsset-*
+rm -rf */named.memstats
+rm -rf */named.run
+rm -rf */trusted.conf
+rm -rf ns1/root.db
+rm -rf ns2/example.db
+rm -rf ns2/example.com.db
+rm -rf random.data
+rm -rf nsupdate.out.test
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2009/11/17 23:55:18 marka Exp $ */
+
+controls { /* empty */ };
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+};
+
+zone "." {
+ type master;
+ file "root.db.signed";
+};
+
--- /dev/null
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db.in,v 1.3.16.3 2010/01/07 23:48:15 tbox Exp $
+
+$TTL 30
+. IN SOA marka.isc.org. a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
+
+example. NS ns2.example.
+ns2.example. A 10.53.0.2
+example.com. NS ns2.example.com.
+ns2.example.com. A 10.53.0.2
+hostile. NS ns3.hostile.
+ns3.hostile. A 10.53.0.3
+nice.good. A 10.10.10.10
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2.22.3 2010/01/07 23:48:15 tbox Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+infile=root.db.in
+zonefile=root.db
+
+(cd ../ns2 && sh -e sign.sh )
+
+cp ../ns2/dsset-example. .
+cp ../ns2/dsset-example.com. .
+
+keyname1=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
+keyname2=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 2048 -f KSK -n zone $zone`
+cat $infile $keyname1.key $keyname2.key > $zonefile
+
+$SIGNER -g -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+
+# Configure the resolving server with a trusted key.
+
+cat $keyname2.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+ "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+cp trusted.conf ../ns2/trusted.conf
+cp trusted.conf ../ns3/trusted.conf
+cp trusted.conf ../ns4/trusted.conf
--- /dev/null
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.com.db.in,v 1.2.2.3 2010/01/18 23:48:01 tbox Exp $
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+ns2 A 10.53.0.2
+mail A 192.0.2.2
+ AAAA 2001:db8::2
+pending-ok A 192.0.2.2
+pending-ng A 192.0.2.102
+removed A 10.9.8.7
--- /dev/null
+; Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: example.db.in,v 1.2.22.2 2010/01/07 23:48:15 tbox Exp $
+
+$TTL 30
+$ORIGIN example.
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ MX 10 mail
+ns2 A 10.53.0.2
+mail A 10.0.0.2
+bad CNAME nice.good.
+worse A 6.6.6.6
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: forgery.db,v 1.2.2.2 2010/01/07 23:48:15 tbox Exp $
+
+$TTL 30
+$ORIGIN good.
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns2
+ns2 A 10.53.0.2
+
+nice.good. CNAME worse.example.
--- /dev/null
+/*
+ * Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3.16.3 2010/01/07 23:48:15 tbox Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.2;
+ notify-source 10.53.0.2;
+ transfer-source 10.53.0.2;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.2; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "example" {
+ type master;
+ file "example.db.signed";
+};
+
+zone "example.com" {
+ type master;
+ file "example.com.db.signed";
+ allow-update { 10.53.0.0/8; };
+};
+
+zone "good" {
+ type master;
+ file "forgery.db";
+ allow-query { any; };
+};
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.3.16.4 2010/01/18 19:18:35 each Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+for domain in example example.com; do
+ zone=${domain}.
+ infile=${domain}.db.in
+ zonefile=${domain}.db
+
+ keyname1=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 768 -n zone $zone`
+ keyname2=`$KEYGEN -q -r $RANDFILE -a NSEC3RSASHA1 -b 1024 -f KSK -n zone $zone`
+
+ cat $infile $keyname1.key $keyname2.key > $zonefile
+
+ $SIGNER -3 bebe -r $RANDFILE -o $zone $zonefile > /dev/null 2>&1
+done
+
+# remove "removed" record from example.com, causing the server to
+# send an apparently-invalid NXDOMAIN
+sed '/^removed/d' example.com.db.signed > example.com.db.new
+rm -f example.com.db.signed
+mv example.com.db.new example.com.db.signed
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: hostile.db,v 1.2 2009/11/17 23:55:18 marka Exp $
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110500 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns3
+ MX 10 mail.example.
+ns3 A 10.53.0.3
--- /dev/null
+; Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: mail.example.db,v 1.2 2009/11/17 23:55:18 marka Exp $
+
+$TTL 30
+@ IN SOA mname1. . (
+ 2009110300 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+@ NS ns3
+ns3 A 10.53.0.3
+;mail A 10.0.0.2 // the correct record
+@ A 10.0.0.3
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.3 2009/11/18 23:48:07 tbox Exp $ */
+
+// NS2
+
+controls { /* empty */ };
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify no;
+ dnssec-enable yes;
+ dnssec-validation yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
+
+zone "mail.example" {
+ type master;
+ file "mail.example.db";
+};
+
+zone "hostile" {
+ type master;
+ file "hostile.db";
+};
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2009/11/17 23:55:18 marka Exp $ */
+
+controls { /* empty */ };
+
+include "trusted.conf";
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port 5300;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ recursion yes;
+};
+
+zone "." {
+ type hint;
+ file "../../common/root.hint";
+};
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.3 2009/11/18 23:48:06 tbox Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -a RSAMD5 -b 512 -n zone -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.2 2009/11/17 23:55:18 marka Exp $
+
+../../../tools/genrandom 400 random.data
+
+cd ns1 && sh -e sign.sh
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.3.16.4 2010/01/18 19:18:35 each Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+# replace_data dname RR old_data new_data
+replace_data()
+{
+ if [ $# -ne 4 ]; then
+ echo I:unexpected input for replace_data
+ return 1
+ fi
+
+ _dname=$1
+ _rr=$2
+ _olddata=$3
+ _newdata=$4
+
+ _ret=0
+ $NSUPDATE -d <<END>> nsupdate.out.test 2>&1 || _ret=1
+server 10.53.0.2 5300
+update delete ${_dname} 30 ${_rr} ${_olddata}
+update add ${_dname} 30 ${_rr} ${_newdata}
+send
+END
+
+ if [ $_ret != 0 ]; then
+ echo I:failed to update the test data
+ return 1
+ fi
+
+ return 0
+}
+
+status=0
+n=0
+
+DIGOPTS="+short +tcp -p 5300"
+DIGOPTS_CD="$DIGOPTS +cd"
+
+echo I:Priming cache.
+ret=0
+expect="10 mail.example."
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 hostile MX` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Checking that bogus additional is not returned with +CD.
+ret=0
+expect="10.0.0.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with pending additional records. These should not be promoted
+# to answer.
+#
+echo "I:Priming cache (pending additional A and AAAA)"
+ret=0
+expect="10 mail.example.com."
+ans=`$DIG $DIGOPTS @10.53.0.4 example.com MX` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo "I:Replacing pending A"
+ret=0
+replace_data mail.example.com. A 192.0.2.2 192.0.2.3 || ret=1
+status=`expr $status + $ret`
+
+echo "I:Replacing pending AAAA"
+ret=0
+replace_data mail.example.com. AAAA 2001:db8::2 2001:db8::3 || ret=1
+status=`expr $status + $ret`
+
+echo "I:Checking updated data to be returned (without CD)"
+ret=0
+expect="192.0.2.3"
+ans=`$DIG $DIGOPTS @10.53.0.4 mail.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo "I:Checking updated data to be returned (with CD)"
+ret=0
+expect="2001:db8::3"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 mail.example.com AAAA` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with a pending answer record. It can be returned (without
+# validation) with +CD.
+#
+echo "I:Priming cache (pending answer)"
+ret=0
+expect="192.0.2.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Replacing pending data
+ret=0
+replace_data pending-ok.example.com. A 192.0.2.2 192.0.2.3 || ret=1
+status=`expr $status + $ret`
+
+echo I:Confirming cached pending data to be returned with CD
+ret=0
+expect="192.0.2.2"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ok.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Prime cache with a pending answer record. It should not be returned
+# to no-DNSSEC clients.
+#
+echo "I:Priming cache (pending answer)"
+ret=0
+expect="192.0.2.102"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 pending-ng.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Replacing pending data
+ret=0
+replace_data pending-ng.example.com. A 192.0.2.102 192.0.2.103 || ret=1
+status=`expr $status + $ret`
+
+echo I:Confirming updated data returned, not the cached one, without CD
+ret=0
+expect="192.0.2.103"
+ans=`$DIG $DIGOPTS @10.53.0.4 pending-ng.example.com A` || ret=1
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Try to fool the resolver with an out-of-bailiwick CNAME
+#
+echo I:Trying to Prime out-of-bailiwick pending answer with CD
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 bad.example. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Confirming the out-of-bailiwick answer is not cached or reused with CD
+ret=0
+expect="10.10.10.10"
+ans=`$DIG $DIGOPTS_CD @10.53.0.4 nice.good. A` || ret=1
+ans=`echo $ans | awk '{print $NF}'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+#
+# Make sure the resolver doesn't cache bogus NXDOMAIN
+#
+echo I:Trying to Prime bogus NXDOMAIN
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo I:Confirming the bogus NXDOMAIN was not cached
+ret=0
+expect="SERVFAIL"
+ans=`$DIG +tcp -p 5300 @10.53.0.4 removed.example.com. A` || ret=1
+ans=`echo $ans | sed 's/^.*status: \([A-Z][A-Z]*\).*$/\1/'`
+test "$ans" = "$expect" || ret=1
+test $ret = 0 || echo I:failed, got "'""$ans""'", expected "'""$expect""'"
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: child.db,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$ORIGIN .
+$TTL 60 ; 1 minute
+child.parent.nil IN SOA ns.child.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns.child.parent.nil.
+$ORIGIN child.parent.nil.
+$TTL 300 ; 5 minutes
+ns A 10.53.0.3
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: clean.sh,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+rm -f K* dsset-* *.signed random.data dnskey.sigs other.sigs dsset.out
--- /dev/null
+; Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: parent.db,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+$ORIGIN .
+$TTL 300 ; 5 minutes
+parent.nil IN SOA ns1.parent.nil. hostmaster.parent.nil. (
+ 1 ; serial
+ 2000 ; refresh (33 minutes 20 seconds)
+ 2000 ; retry (33 minutes 20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns1.parent.nil.
+ NS ns2.parent.nil.
+$ORIGIN parent.nil.
+$TTL 3600 ; 1 hour
+a A 1.1.1.1
+$TTL 300 ; 5 minutes
+ns1 A 10.53.0.1
+ns2 A 10.53.0.2
+
+child NS ns.child
+ns.child A 10.53.0.3
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: prereq.sh,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+../../../tools/genrandom 400 random.data
+
+if $KEYGEN -q -r random.data foo > /dev/null 2>&1
+then
+ rm -f Kfoo*
+else
+ echo "I:This test requires that --with-openssl was used." >&2
+ exit 1
+fi
--- /dev/null
+#!/bin/sh -e
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: setup.sh,v 1.1.4.2 2010/01/18 23:48:01 tbox Exp $
+
+sh clean.sh
+../../../tools/genrandom 400 random.data
--- /dev/null
+#!/bin/sh
+#
+# Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: tests.sh,v 1.1.4.4 2010/05/06 11:27:38 marka Exp $
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+
+RANDFILE=./random.data
+
+pzone=parent.nil
+pfile=parent.db
+
+czone=child.parent.nil
+cfile=child.db
+
+echo I:generating keys
+# active zsk
+czsk1=`$KEYGEN -q -r $RANDFILE $czone`
+
+# not yet published or active
+czsk2=`$KEYGEN -q -r $RANDFILE -P none -A none $czone`
+
+# published but not active
+czsk3=`$KEYGEN -q -r $RANDFILE -A none $czone`
+
+# inactive
+czsk4=`$KEYGEN -q -r $RANDFILE -P now-24h -A now-24h -I now $czone`
+
+# active ksk
+cksk1=`$KEYGEN -q -r $RANDFILE -fk $czone`
+
+# published but not YET active; will be active in 20 seconds
+cksk2=`$KEYGEN -q -r $RANDFILE -fk $czone`
+# $SETTIME moved after other $KEYGENs
+
+echo I:revoking key
+# revoking key changes its ID
+cksk3=`$KEYGEN -q -r $RANDFILE -fk $czone`
+cksk4=`$REVOKE $cksk3`
+$SETTIME -A now+20s $cksk2 > /dev/null
+
+echo I:signing child zone
+czoneout=`$SIGNER -Sg -r $RANDFILE -o $czone $cfile 2>&1`
+
+echo I:generating keys
+pzsk=`$KEYGEN -q -r $RANDFILE $pzone`
+pksk=`$KEYGEN -q -r $RANDFILE -fk $pzone`
+
+echo I:signing parent zone
+pzoneout=`$SIGNER -Sg -r $RANDFILE -o $pzone $pfile 2>&1`
+
+czactive=`echo $czsk1 | sed 's/^K.*+005+0*//'`
+czgenerated=`echo $czsk2 | sed 's/^K.*+005+0*//'`
+czpublished=`echo $czsk3 | sed 's/^K.*+005+0*//'`
+czinactive=`echo $czsk4 | sed 's/^K.*+005+0*//'`
+ckactive=`echo $cksk1 | sed 's/^K.*+005+0*//'`
+ckpublished=`echo $cksk2 | sed 's/^K.*+005+0*//'`
+ckprerevoke=`echo $cksk3 | sed 's/^K.*+005+0*//'`
+ckrevoked=`echo $cksk4 | sed 's/.*+005+0*\([0-9]*\)/\1/'`
+
+pzid=`echo $pzsk | sed 's/^K.*+005+0*//'`
+pkid=`echo $pksk | sed 's/^K.*+005+0*//'`
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$pzoneout" | grep 'KSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$pzoneout" | grep 'ZSKs: 1 active, 0 stand-by, 0 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'KSKs: 1 active, 1 stand-by, 1 revoked' > /dev/null || ret=1
+echo "$czoneout" | grep 'ZSKs: 1 active, 2 stand-by, 0 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DNSKEY set"
+ret=0
+grep "key id = $pzid" $pfile.signed > /dev/null || ret=1
+grep "key id = $pkid" $pfile.signed > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking parent zone DS records"
+ret=0
+awk '$2 == "DS" {print $3}' $pfile.signed > dsset.out
+grep "$ckactive" dsset.out > /dev/null || ret=1
+grep "$ckpublished" dsset.out > /dev/null || ret=1
+# revoked key should not be there, hence the &&
+grep "$ckprerevoke" dsset.out > /dev/null && ret=1
+grep "$ckrevoked" dsset.out > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone DNSKEY set"
+ret=0
+grep "key id = $ckactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $ckrevoked" $cfile.signed > /dev/null || ret=1
+grep "key id = $czactive" $cfile.signed > /dev/null || ret=1
+grep "key id = $czpublished" $cfile.signed > /dev/null || ret=1
+grep "key id = $czinactive" $cfile.signed > /dev/null || ret=1
+# should not be there, hence the &&
+grep "key id = $ckprerevoke" $cfile.signed > /dev/null && ret=1
+grep "key id = $czgenerated" $cfile.signed > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures"
+ret=0
+# check DNSKEY signatures first
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckactive" dnskey.sigs > /dev/null || ret=1
+grep "$ckrevoked" dnskey.sigs > /dev/null || ret=1
+grep "$czactive" dnskey.sigs > /dev/null || ret=1
+# should not be there:
+grep "$ckprerevoke" dnskey.sigs > /dev/null && ret=1
+grep "$ckpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czpublished" dnskey.sigs > /dev/null && ret=1
+grep "$czinactive" dnskey.sigs > /dev/null && ret=1
+grep "$czgenerated" dnskey.sigs > /dev/null && ret=1
+# now check other signatures first
+awk '$2 == "RRSIG" && $3 != "DNSKEY" { getline; print $2 }' $cfile.signed | sort -un > other.sigs
+# should not be there:
+grep "$ckactive" other.sigs > /dev/null && ret=1
+grep "$ckpublished" other.sigs > /dev/null && ret=1
+grep "$ckprerevoke" other.sigs > /dev/null && ret=1
+grep "$ckrevoked" other.sigs > /dev/null && ret=1
+grep "$czpublished" other.sigs > /dev/null && ret=1
+grep "$czinactive" other.sigs > /dev/null && ret=1
+grep "$czgenerated" other.sigs > /dev/null && ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:waiting 20 seconds for key activation"
+sleep 20
+echo "I:re-signing child zone"
+czoneout2=`$SIGNER -Sg -r $RANDFILE -o $czone -f $cfile.new $cfile.signed 2>&1`
+mv $cfile.new $cfile.signed
+
+echo "I:checking dnssec-signzone output matches expectations"
+ret=0
+echo "$czoneout2" | grep 'KSKs: 2 active, 0 stand-by, 1 revoked' > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:checking child zone signatures again"
+ret=0
+awk '$2 == "RRSIG" && $3 == "DNSKEY" { getline; print $2 }' $cfile.signed > dnskey.sigs
+grep "$ckpublished" dnskey.sigs > /dev/null || ret=1
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+echo "I:exit status: $status"
+exit $status
--- /dev/null
+# Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: Makefile.in,v 1.11.2.2 2010/01/07 23:48:15 tbox Exp $
+
+srcdir = @srcdir@
+VPATH = @srcdir@
+top_srcdir = @top_srcdir@
+
+@BIND9_MAKE_INCLUDES@
+
+CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
+ ${LWRES_INCLUDES} ${OMAPI_INCLUDES}
+
+CDEFINES =
+CWARNINGS =
+
+DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
+ISCLIBS = ../../lib/isc/libisc.@A@ @DNS_CRYPTO_LIBS@
+ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
+ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
+LWRESLIBS = ../../lib/lwres/liblwres.@A@
+
+DNSDEPLIBS = ../../lib/dns/libdns.@A@
+ISCDEPLIBS = ../../lib/isc/libisc.@A@
+ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
+LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
+
+LIBS = ${ISCLIBS} @LIBS@
+NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
+
+SUBDIRS =
+
+TARGETS = arpaname@EXEEXT@ named-journalprint@EXEEXT@ nsec3hash@EXEEXT@ \
+ genrandom@EXEEXT@ isc-hmac-fixup@EXEEXT@
+SRCS = arpaname.c named-journalprint.c nsec3hash.c genrandom.c \
+ isc-hmac-fixup.c
+
+MANPAGES = arpaname.1 named-journalprint.8 nsec3hash.8 genrandom.8 \
+ isc-hmac-fixup.8
+HTMLPAGES = arpaname.html named-journalprint.html nsec3hash.html \
+ genrandom.html isc-hmac-fixup.html
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
+@BIND9_MAKE_RULES@
+
+arpaname@EXEEXT@: arpaname.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ arpaname.@O@ \
+ ${ISCLIBS} ${LIBS}
+
+named-journalprint@EXEEXT@: named-journalprint.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ export BASEOBJS="named-journalprint.@O@"; \
+ export LIBS0="${DNSLIBS}"; \
+ ${FINALBUILDCMD}
+
+nsec3hash@EXEEXT@: nsec3hash.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS}
+ export BASEOBJS="nsec3hash.@O@"; \
+ export LIBS0="${DNSLIBS}"; \
+ ${FINALBUILDCMD}
+
+isc-hmac-fixup@EXEEXT@: isc-hmac-fixup.@O@ ${ISCDEPLIBS}
+ export BASEOBJS="isc-hmac-fixup.@O@"; \
+ export LIBS0="${ISCLIBS}"; \
+ ${FINALBUILDCMD}
+
+genrandom@EXEEXT@: genrandom.@O@
+ ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ genrandom.@O@ @GENRANDOMLIB@ ${LIBS}
+
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
+
+installdirs:
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man1
+ $(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${mandir}/man8
+
+install:: ${TARGETS} installdirs
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} arpaname@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} named-journalprint@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} nsec3hash@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} genrandom@EXEEXT@ ${DESTDIR}${sbindir}
+ ${LIBTOOL_MODE_INSTALL} ${INSTALL_PROGRAM} isc-hmac-fixup@EXEEXT@ ${DESTDIR}${sbindir}
+ ${INSTALL_DATA} ${srcdir}/arpaname.1 ${DESTDIR}${mandir}/man1
+ ${INSTALL_DATA} ${srcdir}/isc-hmac-fixup.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/named-journalprint.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/nsec3hash.8 ${DESTDIR}${mandir}/man8
+ ${INSTALL_DATA} ${srcdir}/genrandom.8 ${DESTDIR}${mandir}/man8
+
+clean distclean::
+ rm -f ${TARGETS}
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: arpaname.1,v 1.3.152.1 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: arpaname
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: March 4, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "ARPANAME" "1" "March 4, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+arpaname \- translate IP addresses to the corresponding ARPA names
+.SH "SYNOPSIS"
+.HP 9
+\fBarpaname\fR {\fIipaddress\ \fR...}
+.SH "DESCRIPTION"
+.PP
+\fBarpaname\fR
+translates IP addresses (IPv4 and IPv6) to the corresponding IN\-ADDR.ARPA or IP6.ARPA names.
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: arpaname.c,v 1.4 2009/10/27 03:05:33 marka Exp $ */
+
+#include "config.h"
+
+#include <isc/net.h>
+
+#include <stdio.h>
+
+#define UNUSED(x) (void)(x)
+
+int
+main(int argc, char *argv[]) {
+ unsigned char buf[16];
+ int i;
+
+ UNUSED(argc);
+
+ while (argv[1]) {
+ if (inet_pton(AF_INET6, argv[1], buf) == 1) {
+ for (i = 15; i >= 0; i--)
+ fprintf(stdout, "%X.%X.", buf[i] & 0xf,
+ (buf[i] >> 4) & 0xf);
+ fprintf(stdout, "IP6.ARPA\n");
+ argv++;
+ continue;
+ }
+ if (inet_pton(AF_INET, argv[1], buf) == 1) {
+ fprintf(stdout, "%u.%u.%u.%u.IN-ADDR.ARPA\n",
+ buf[3], buf[2], buf[1], buf[0]);
+ argv++;
+ continue;
+ }
+ return (1);
+ }
+ fflush(stdout);
+ return(ferror(stdout));
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: arpaname.docbook,v 1.1 2009/03/04 01:30:27 marka Exp $ -->
+<refentry id="man.arpaname">
+ <refentryinfo>
+ <date>March 4, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>arpaname</application></refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>arpaname</application></refname>
+ <refpurpose>translate IP addresses to the corresponding ARPA names</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>arpaname</command>
+ <arg choice="req" rep="repeat"><replaceable class="parameter">ipaddress </replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>arpaname</command> translates IP addresses (IPv4 and
+ IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: arpaname.html,v 1.3.152.1 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>arpaname</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.arpaname"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">arpaname</span> — translate IP addresses to the corresponding ARPA names</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">arpaname</code> {<em class="replaceable"><code>ipaddress </code></em>...}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543345"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">arpaname</strong></span> translates IP addresses (IPv4 and
+ IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543357"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543371"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: genrandom.8,v 1.5.86.2 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: genrandom
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Feb 19, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "GENRANDOM" "8" "Feb 19, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+genrandom \- generate a file containing random data
+.SH "SYNOPSIS"
+.HP 10
+\fBgenrandom\fR [\fB\-n\ \fR\fB\fInumber\fR\fR] {\fIsize\fR} {\fIfilename\fR}
+.SH "DESCRIPTION"
+.PP
+\fBgenrandom\fR
+generates a file or a set of files containing a specified quantity of pseudo\-random data, which can be used as a source of entropy for other commands on systems with no random device.
+.SH "ARGUMENTS"
+.PP
+\-n \fInumber\fR
+.RS 4
+In place of generating one file, generates
+\fBnumber\fR
+(from 2 to 9) files, appending
+\fBnumber\fR
+to the name.
+.RE
+.PP
+size
+.RS 4
+The size of the file, in kilobytes, to generate.
+.RE
+.PP
+domain
+.RS 4
+The file name into which random data should be written.
+.RE
+.SH "SEE ALSO"
+.PP
+\fBrand\fR(3),
+\fBarc4random\fR(3)
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2004, 2005, 2007, 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000-2003 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: genrandom.c,v 1.4.152.3 2010/05/17 23:49:51 tbox Exp $ */
+
+/*! \file */
+#include <config.h>
+
+#include <isc/commandline.h>
+#include <isc/print.h>
+#include <isc/stdlib.h>
+#include <isc/util.h>
+
+#include <stdio.h>
+#include <string.h>
+
+const char *program = "genrandom";
+
+ISC_PLATFORM_NORETURN_PRE static void
+usage(void) ISC_PLATFORM_NORETURN_POST;
+
+static void
+usage(void) {
+ fprintf(stderr, "usage: %s [-n 2..9] k file\n", program);
+ exit(1);
+}
+
+static void
+generate(char *filename, unsigned int bytes) {
+ FILE *fp;
+
+ fp = fopen(filename, "w");
+ if (fp == NULL) {
+ printf("failed to open %s\n", filename);
+ exit(1);
+ }
+
+ while (bytes > 0) {
+#ifndef HAVE_ARC4RANDOM
+ unsigned short int x = (rand() & 0xFFFF);
+#else
+ unsigned short int x = (arc4random() & 0xFFFF);
+#endif
+ unsigned char c = x & 0xFF;
+ if (putc(c, fp) == EOF) {
+ printf("error writing to %s\n", filename);
+ exit(1);
+ }
+ c = x >> 8;
+ if (putc(c, fp) == EOF) {
+ printf("error writing to %s\n", filename);
+ exit(1);
+ }
+ bytes -= 2;
+ }
+ fclose(fp);
+}
+
+int
+main(int argc, char **argv) {
+ unsigned int bytes;
+ unsigned int k;
+ char *endp;
+ int c, i, n = 1;
+ size_t len;
+ char *name;
+
+ isc_commandline_errprint = ISC_FALSE;
+
+ while ((c = isc_commandline_parse(argc, argv, "hn:")) != EOF) {
+ switch (c) {
+ case 'n':
+ n = strtol(isc_commandline_argument, &endp, 10);
+ if ((*endp != 0) || (n <= 1) || (n > 9))
+ usage();
+ break;
+
+ case '?':
+ if (isc_commandline_option != '?')
+ fprintf(stderr, "%s: invalid argument -%c\n",
+ program, isc_commandline_option);
+ case 'h':
+ usage();
+
+ default:
+ fprintf(stderr, "%s: unhandled option -%c\n",
+ program, isc_commandline_option);
+ exit(1);
+ }
+ }
+
+ if (isc_commandline_index + 2 != argc)
+ usage();
+
+ k = strtoul(argv[isc_commandline_index++], &endp, 10);
+ if (*endp != 0)
+ usage();
+ bytes = k << 10;
+
+#ifndef HAVE_ARC4RANDOM
+ srand(0x12345678);
+#endif
+ if (n == 1) {
+ generate(argv[isc_commandline_index], bytes);
+ return (0);
+ }
+
+ len = strlen(argv[isc_commandline_index]) + 2;
+ name = (char *) malloc(len);
+ if (name == NULL) {
+ perror("malloc");
+ exit(1);
+ }
+
+ for (i = 1; i <= n; i++) {
+ snprintf(name, len, "%s%d", argv[isc_commandline_index], i);
+ generate(name, bytes);
+ }
+ free(name);
+
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: genrandom.docbook,v 1.4.88.2 2010/05/17 23:49:51 tbox Exp $ -->
+<refentry id="man.genrandom">
+ <refentryinfo>
+ <date>Feb 19, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>genrandom</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>genrandom</application></refname>
+ <refpurpose>generate a file containing random data</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <year>2010</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>genrandom</command>
+ <arg><option>-n <replaceable class="parameter">number</replaceable></option></arg>
+ <arg choice="req"><replaceable class="parameter">size</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">filename</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>genrandom</command>
+ generates a file or a set of files containing a specified quantity
+ of pseudo-random data, which can be used as a source of entropy for
+ other commands on systems with no random device.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>-n <replaceable class="parameter">number</replaceable></term>
+ <listitem>
+ <para>
+ In place of generating one file, generates <option>number</option>
+ (from 2 to 9) files, appending <option>number</option> to the name.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>size</term>
+ <listitem>
+ <para>
+ The size of the file, in kilobytes, to generate.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>domain</term>
+ <listitem>
+ <para>
+ The file name into which random data should be written.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>arc4random</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: genrandom.html,v 1.5.86.2 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>genrandom</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.genrandom"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">genrandom</span> — generate a file containing random data</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">genrandom</code> [<code class="option">-n <em class="replaceable"><code>number</code></em></code>] {<em class="replaceable"><code>size</code></em>} {<em class="replaceable"><code>filename</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543363"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">genrandom</strong></span>
+ generates a file or a set of files containing a specified quantity
+ of pseudo-random data, which can be used as a source of entropy for
+ other commands on systems with no random device.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543376"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">-n <em class="replaceable"><code>number</code></em></span></dt>
+<dd><p>
+ In place of generating one file, generates <code class="option">number</code>
+ (from 2 to 9) files, appending <code class="option">number</code> to the name.
+ </p></dd>
+<dt><span class="term">size</span></dt>
+<dd><p>
+ The size of the file, in kilobytes, to generate.
+ </p></dd>
+<dt><span class="term">domain</span></dt>
+<dd><p>
+ The file name into which random data should be written.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543436"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">rand</span>(3)</span>,
+ <span class="citerefentry"><span class="refentrytitle">arc4random</span>(3)</span>
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543463"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: isc-hmac-fixup.8,v 1.1.2.4 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: isc\-hmac\-fixup
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: January 5, 2010
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "ISC\-HMAC\-FIXUP" "1" "January 5, 2010" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+isc\-hmac\-fixup \- fixes HMAC keys generated by older versions of BIND
+.SH "SYNOPSIS"
+.HP 15
+\fBisc\-hmac\-fixup\fR {\fIalgorithm\fR} {\fIsecret\fR}
+.SH "DESCRIPTION"
+.PP
+Versions of BIND 9 up to and including BIND 9.6 had a bug causing HMAC\-SHA* TSIG keys which were longer than the digest length of the hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys longer than 256 bits, etc) to be used incorrectly, generating a message authentication code that was incompatible with other DNS implementations.
+.PP
+This bug has been fixed in BIND 9.7. However, the fix may cause incompatibility between older and newer versions of BIND, when using long keys.
+\fBisc\-hmac\-fixup\fR
+modifies those keys to restore compatibility.
+.PP
+To modify a key, run
+\fBisc\-hmac\-fixup\fR
+and specify the key's algorithm and secret on the command line. If the secret is longer than the digest length of the algorithm (64 bytes for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a new secret will be generated consisting of a hash digest of the old secret. (If the secret did not require conversion, then it will be printed without modification.)
+.SH "SECURITY CONSIDERATIONS"
+.PP
+Secrets that have been converted by
+\fBisc\-hmac\-fixup\fR
+are shortened, but as this is how the HMAC protocol works in operation anyway, it does not affect security. RFC 2104 notes, "Keys longer than [the digest length] are acceptable but the extra length would not significantly increase the function strength."
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual,
+RFC 2104.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2010 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: isc-hmac-fixup.c,v 1.2.2.3 2010/03/10 02:19:08 marka Exp $ */
+
+#include <config.h>
+
+#include <isc/base64.h>
+#include <isc/buffer.h>
+#include <isc/md5.h>
+#include <isc/region.h>
+#include <isc/result.h>
+#include <isc/sha1.h>
+#include <isc/sha2.h>
+#include <isc/stdio.h>
+#include <isc/string.h>
+
+#define HMAC_LEN 64
+
+int
+main(int argc, char **argv) {
+ isc_buffer_t buf;
+ unsigned char key[1024];
+ char secret[1024];
+ char base64[(1024*4)/3];
+ isc_region_t r;
+ isc_result_t result;
+
+ if (argc != 3) {
+ fprintf(stderr, "Usage:\t%s algorithm secret\n", argv[0]);
+ fprintf(stderr, "\talgorithm: (MD5 | SHA1 | SHA224 | "
+ "SHA256 | SHA384 | SHA512)\n");
+ return (1);
+ }
+
+ isc_buffer_init(&buf, secret, sizeof(secret));
+ result = isc_base64_decodestring(argv[2], &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ isc__buffer_usedregion(&buf, &r);
+
+ if (!strcasecmp(argv[1], "md5") ||
+ !strcasecmp(argv[1], "hmac-md5")) {
+ if (r.length > HMAC_LEN) {
+ isc_md5_t md5ctx;
+ isc_md5_init(&md5ctx);
+ isc_md5_update(&md5ctx, r.base, r.length);
+ isc_md5_final(&md5ctx, key);
+
+ r.base = key;
+ r.length = ISC_MD5_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha1") ||
+ !strcasecmp(argv[1], "hmac-sha1")) {
+ if (r.length > ISC_SHA1_DIGESTLENGTH) {
+ isc_sha1_t sha1ctx;
+ isc_sha1_init(&sha1ctx);
+ isc_sha1_update(&sha1ctx, r.base, r.length);
+ isc_sha1_final(&sha1ctx, key);
+
+ r.base = key;
+ r.length = ISC_SHA1_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha224") ||
+ !strcasecmp(argv[1], "hmac-sha224")) {
+ if (r.length > ISC_SHA224_DIGESTLENGTH) {
+ isc_sha224_t sha224ctx;
+ isc_sha224_init(&sha224ctx);
+ isc_sha224_update(&sha224ctx, r.base, r.length);
+ isc_sha224_final(key, &sha224ctx);
+
+ r.base = key;
+ r.length = ISC_SHA224_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha256") ||
+ !strcasecmp(argv[1], "hmac-sha256")) {
+ if (r.length > ISC_SHA256_DIGESTLENGTH) {
+ isc_sha256_t sha256ctx;
+ isc_sha256_init(&sha256ctx);
+ isc_sha256_update(&sha256ctx, r.base, r.length);
+ isc_sha256_final(key, &sha256ctx);
+
+ r.base = key;
+ r.length = ISC_SHA256_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha384") ||
+ !strcasecmp(argv[1], "hmac-sha384")) {
+ if (r.length > ISC_SHA384_DIGESTLENGTH) {
+ isc_sha384_t sha384ctx;
+ isc_sha384_init(&sha384ctx);
+ isc_sha384_update(&sha384ctx, r.base, r.length);
+ isc_sha384_final(key, &sha384ctx);
+
+ r.base = key;
+ r.length = ISC_SHA384_DIGESTLENGTH;
+ }
+ } else if (!strcasecmp(argv[1], "sha512") ||
+ !strcasecmp(argv[1], "hmac-sha512")) {
+ if (r.length > ISC_SHA512_DIGESTLENGTH) {
+ isc_sha512_t sha512ctx;
+ isc_sha512_init(&sha512ctx);
+ isc_sha512_update(&sha512ctx, r.base, r.length);
+ isc_sha512_final(key, &sha512ctx);
+
+ r.base = key;
+ r.length = ISC_SHA512_DIGESTLENGTH;
+ }
+ } else {
+ fprintf(stderr, "unknown hmac/digest algorithm: %s\n", argv[1]);
+ return (1);
+ }
+
+ isc_buffer_init(&buf, base64, sizeof(base64));
+ result = isc_base64_totext(&r, 0, "", &buf);
+ if (result != ISC_R_SUCCESS) {
+ fprintf(stderr, "error: %s\n", isc_result_totext(result));
+ return (1);
+ }
+ fprintf(stdout, "%.*s\n", (int)isc_buffer_usedlength(&buf), base64);
+ return (0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: isc-hmac-fixup.docbook,v 1.2.2.1 2010/01/07 21:53:04 each Exp $ -->
+<refentry id="man.isc-hmac-fixup">
+ <refentryinfo>
+ <date>January 5, 2010</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>isc-hmac-fixup</application></refentrytitle>
+ <manvolnum>1</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>isc-hmac-fixup</application></refname>
+ <refpurpose>fixes HMAC keys generated by older versions of BIND</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2010</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>isc-hmac-fixup</command>
+ <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">secret</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </para>
+ <para>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <command>isc-hmac-fixup</command>
+ modifies those keys to restore compatibility.
+ </para>
+ <para>
+ To modify a key, run <command>isc-hmac-fixup</command> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SECURITY CONSIDERATIONS</title>
+ <para>
+ Secrets that have been converted by <command>isc-hmac-fixup</command>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2104</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2010 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: isc-hmac-fixup.html,v 1.1.2.4 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>isc-hmac-fixup</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.isc-hmac-fixup"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">isc-hmac-fixup</span> — fixes HMAC keys generated by older versions of BIND</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">isc-hmac-fixup</code> {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>secret</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543351"></a><h2>DESCRIPTION</h2>
+<p>
+ Versions of BIND 9 up to and including BIND 9.6 had a bug causing
+ HMAC-SHA* TSIG keys which were longer than the digest length of the
+ hash algorithm (i.e., SHA1 keys longer than 160 bits, SHA256 keys
+ longer than 256 bits, etc) to be used incorrectly, generating a
+ message authentication code that was incompatible with other DNS
+ implementations.
+ </p>
+<p>
+ This bug has been fixed in BIND 9.7. However, the fix may
+ cause incompatibility between older and newer versions of
+ BIND, when using long keys. <span><strong class="command">isc-hmac-fixup</strong></span>
+ modifies those keys to restore compatibility.
+ </p>
+<p>
+ To modify a key, run <span><strong class="command">isc-hmac-fixup</strong></span> and
+ specify the key's algorithm and secret on the command line. If the
+ secret is longer than the digest length of the algorithm (64 bytes
+ for SHA1 through SHA256, or 128 bytes for SHA384 and SHA512), then a
+ new secret will be generated consisting of a hash digest of the old
+ secret. (If the secret did not require conversion, then it will be
+ printed without modification.)
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543374"></a><h2>SECURITY CONSIDERATIONS</h2>
+<p>
+ Secrets that have been converted by <span><strong class="command">isc-hmac-fixup</strong></span>
+ are shortened, but as this is how the HMAC protocol works in
+ operation anyway, it does not affect security. RFC 2104 notes,
+ "Keys longer than [the digest length] are acceptable but the
+ extra length would not significantly increase the function
+ strength."
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543388"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 2104</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543405"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: named-journalprint.8,v 1.3.4.1 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: named\-journalprint
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Feb 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "NAMED\-JOURNALPRINT" "8" "Feb 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+named\-journalprint \- print zone journal in human\-readable form
+.SH "SYNOPSIS"
+.HP 19
+\fBnamed\-journalprint\fR {\fIjournal\fR}
+.SH "DESCRIPTION"
+.PP
+\fBnamed\-journalprint\fR
+prints the contents of a zone journal file in a human\-readable form.
+.PP
+Journal files are automatically created by
+\fBnamed\fR
+when changes are made to dynamic zones (e.g., by
+\fBnsupdate\fR). They record each addition or deletion of a resource record, in binary format, allowing the changes to be re\-applied to the zone when the server is restarted after a shutdown or crash. By default, the name of the journal file is formed by appending the extension
+\fI.jnl\fR
+to the name of the corresponding zone file.
+.PP
+\fBnamed\-journalprint\fR
+converts the contents of a given journal file into a human\-readable text format. Each line begins with "add" or "del", to indicate whether the record was added or deleted, and continues with the resource record in master\-file format.
+.SH "SEE ALSO"
+.PP
+\fBnamed\fR(8),
+\fBnsupdate\fR(8),
+BIND 9 Administrator Reference Manual.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2000, 2001 Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named-journalprint.c,v 1.2 2009/12/04 21:59:23 marka Exp $ */
+
+/*! \file */
+#include <config.h>
+
+#include <isc/log.h>
+#include <isc/mem.h>
+#include <isc/util.h>
+
+#include <dns/journal.h>
+#include <dns/log.h>
+#include <dns/result.h>
+#include <dns/types.h>
+
+#include <stdlib.h>
+
+/*
+ * Setup logging to use stderr.
+ */
+static isc_result_t
+setup_logging(isc_mem_t *mctx, FILE *errout, isc_log_t **logp) {
+ isc_logdestination_t destination;
+ isc_logconfig_t *logconfig = NULL;
+ isc_log_t *log = NULL;
+
+ RUNTIME_CHECK(isc_log_create(mctx, &log, &logconfig) == ISC_R_SUCCESS);
+ isc_log_setcontext(log);
+ dns_log_init(log);
+ dns_log_setcontext(log);
+
+ destination.file.stream = errout;
+ destination.file.name = NULL;
+ destination.file.versions = ISC_LOG_ROLLNEVER;
+ destination.file.maximum_size = 0;
+ RUNTIME_CHECK(isc_log_createchannel(logconfig, "stderr",
+ ISC_LOG_TOFILEDESC,
+ ISC_LOG_DYNAMIC,
+ &destination, 0) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(isc_log_usechannel(logconfig, "stderr",
+ NULL, NULL) == ISC_R_SUCCESS);
+
+ *logp = log;
+ return (ISC_R_SUCCESS);
+}
+
+int
+main(int argc, char **argv) {
+ char *file;
+ isc_mem_t *mctx = NULL;
+ isc_result_t result;
+ isc_log_t *lctx = NULL;
+
+ if (argc != 2) {
+ printf("usage: %s journal\n", argv[0]);
+ return(1);
+ }
+
+ file = argv[1];
+
+ RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(setup_logging(mctx, stderr, &lctx) == ISC_R_SUCCESS);
+
+ result = dns_journal_print(mctx, file, stdout);
+ if (result == DNS_R_NOJOURNAL)
+ fprintf(stderr, "%s\n", dns_result_totext(result));
+ isc_log_destroy(&lctx);
+ isc_mem_detach(&mctx);
+ return(result != ISC_R_SUCCESS ? 1 : 0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: named-journalprint.docbook,v 1.2 2009/12/04 21:59:23 marka Exp $ -->
+<refentry id="man.named-journalprint">
+ <refentryinfo>
+ <date>Feb 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>named-journalprint</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>named-journalprint</application></refname>
+ <refpurpose>print zone journal in human-readable form</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>named-journalprint</command>
+ <arg choice="req"><replaceable class="parameter">journal</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>named-journalprint</command>
+ prints the contents of a zone journal file in a human-readable
+ form.
+ </para>
+ <para>
+ Journal files are automatically created by <command>named</command>
+ when changes are made to dynamic zones (e.g., by
+ <command>nsupdate</command>). They record each addition
+ or deletion of a resource record, in binary format, allowing the
+ changes to be re-applied to the zone when the server is
+ restarted after a shutdown or crash. By default, the name of
+ the journal file is formed by appending the extension
+ <filename>.jnl</filename> to the name of the corresponding
+ zone file.
+ </para>
+ <para>
+ <command>named-journalprint</command> converts the contents of a given
+ journal file into a human-readable text format. Each line begins
+ with "add" or "del", to indicate whether the record was added or
+ deleted, and continues with the resource record in master-file
+ format.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>nsupdate</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: named-journalprint.html,v 1.3.4.1 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>named-journalprint</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.named-journalprint"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">named-journalprint</span> — print zone journal in human-readable form</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">named-journalprint</code> {<em class="replaceable"><code>journal</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543342"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">named-journalprint</strong></span>
+ prints the contents of a zone journal file in a human-readable
+ form.
+ </p>
+<p>
+ Journal files are automatically created by <span><strong class="command">named</strong></span>
+ when changes are made to dynamic zones (e.g., by
+ <span><strong class="command">nsupdate</strong></span>). They record each addition
+ or deletion of a resource record, in binary format, allowing the
+ changes to be re-applied to the zone when the server is
+ restarted after a shutdown or crash. By default, the name of
+ the journal file is formed by appending the extension
+ <code class="filename">.jnl</code> to the name of the corresponding
+ zone file.
+ </p>
+<p>
+ <span><strong class="command">named-journalprint</strong></span> converts the contents of a given
+ journal file into a human-readable text format. Each line begins
+ with "add" or "del", to indicate whether the record was added or
+ deleted, and continues with the resource record in master-file
+ format.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543378"></a><h2>SEE ALSO</h2>
+<p>
+ <span class="citerefentry"><span class="refentrytitle">named</span>(8)</span>,
+ <span class="citerefentry"><span class="refentrytitle">nsupdate</span>(8)</span>,
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543409"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+.\" Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+.\"
+.\" Permission to use, copy, modify, and/or distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+.\" PERFORMANCE OF THIS SOFTWARE.
+.\"
+.\" $Id: nsec3hash.8,v 1.4.154.1 2010/05/18 04:04:36 tbox Exp $
+.\"
+.hy 0
+.ad l
+.\" Title: nsec3hash
+.\" Author:
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\" Date: Feb 18, 2009
+.\" Manual: BIND9
+.\" Source: BIND9
+.\"
+.TH "NSEC3HASH" "8" "Feb 18, 2009" "BIND9" "BIND9"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
+nsec3hash \- generate NSEC3 hash
+.SH "SYNOPSIS"
+.HP 10
+\fBnsec3hash\fR {\fIsalt\fR} {\fIalgorithm\fR} {\fIiterations\fR} {\fIdomain\fR}
+.SH "DESCRIPTION"
+.PP
+\fBnsec3hash\fR
+generates an NSEC3 hash based on a set of NSEC3 parameters. This can be used to check the validity of NSEC3 records in a signed zone.
+.SH "ARGUMENTS"
+.PP
+salt
+.RS 4
+The salt provided to the hash algorithm.
+.RE
+.PP
+algorithm
+.RS 4
+A number indicating the hash algorithm. Currently the only supported hash algorithm for NSEC3 is SHA\-1, which is indicated by the number 1; consequently "1" is the only useful value for this argument.
+.RE
+.PP
+iterations
+.RS 4
+The number of additional times the hash should be performed.
+.RE
+.PP
+domain
+.RS 4
+The domain name to be hashed.
+.RE
+.SH "SEE ALSO"
+.PP
+BIND 9 Administrator Reference Manual,
+RFC 5155.
+.SH "AUTHOR"
+.PP
+Internet Systems Consortium
+.SH "COPYRIGHT"
+Copyright \(co 2009 Internet Systems Consortium, Inc. ("ISC")
+.br
--- /dev/null
+/*
+ * Copyright (C) 2006, 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: nsec3hash.c,v 1.6 2009/10/06 21:20:44 each Exp $ */
+
+#include <config.h>
+
+#include <stdlib.h>
+#include <stdarg.h>
+
+#include <isc/base32.h>
+#include <isc/buffer.h>
+#include <isc/hex.h>
+#include <isc/iterated_hash.h>
+#include <isc/print.h>
+#include <isc/result.h>
+#include <isc/string.h>
+#include <isc/types.h>
+
+#include <dns/fixedname.h>
+#include <dns/name.h>
+#include <dns/nsec3.h>
+#include <dns/types.h>
+
+const char *program = "nsec3hash";
+
+ISC_PLATFORM_NORETURN_PRE static void
+fatal(const char *format, ...) ISC_PLATFORM_NORETURN_POST;
+
+static void
+fatal(const char *format, ...) {
+ va_list args;
+
+ fprintf(stderr, "%s: ", program);
+ va_start(args, format);
+ vfprintf(stderr, format, args);
+ va_end(args);
+ fprintf(stderr, "\n");
+ exit(1);
+}
+
+static void
+check_result(isc_result_t result, const char *message) {
+ if (result != ISC_R_SUCCESS)
+ fatal("%s: %s", message, isc_result_totext(result));
+}
+
+static void
+usage() {
+ fatal("salt hash iterations domain");
+}
+
+int
+main(int argc, char **argv) {
+ dns_fixedname_t fixed;
+ dns_name_t *name;
+ isc_buffer_t buffer;
+ isc_region_t region;
+ isc_result_t result;
+ unsigned char hash[NSEC3_MAX_HASH_LENGTH];
+ unsigned char salt[DNS_NSEC3_SALTSIZE];
+ unsigned char text[1024];
+ unsigned int hash_alg;
+ unsigned int length;
+ unsigned int iterations;
+ unsigned int salt_length;
+
+ if (argc != 5)
+ usage();
+
+ if (strcmp(argv[1], "-") == 0) {
+ salt_length = 0;
+ salt[0] = 0;
+ } else {
+ isc_buffer_init(&buffer, salt, sizeof(salt));
+ result = isc_hex_decodestring(argv[1], &buffer);
+ check_result(result, "isc_hex_decodestring(salt)");
+ salt_length = isc_buffer_usedlength(&buffer);
+ if (salt_length > DNS_NSEC3_SALTSIZE)
+ fatal("salt too long");
+ }
+ hash_alg = atoi(argv[2]);
+ if (hash_alg > 255U)
+ fatal("hash algorithm too large");
+ iterations = atoi(argv[3]);
+ if (iterations > 0xffffU)
+ fatal("iterations to large");
+
+ dns_fixedname_init(&fixed);
+ name = dns_fixedname_name(&fixed);
+ isc_buffer_init(&buffer, argv[4], strlen(argv[4]));
+ isc_buffer_add(&buffer, strlen(argv[4]));
+ result = dns_name_fromtext(name, &buffer, dns_rootname, 0, NULL);
+ check_result(result, "dns_name_fromtext() failed");
+
+ dns_name_downcase(name, name, NULL);
+ length = isc_iterated_hash(hash, hash_alg, iterations, salt,
+ salt_length, name->ndata, name->length);
+ if (length == 0)
+ fatal("isc_iterated_hash failed");
+ region.base = hash;
+ region.length = length;
+ isc_buffer_init(&buffer, text, sizeof(text));
+ isc_base32hex_totext(®ion, 1, "", &buffer);
+ fprintf(stdout, "%.*s (salt=%s, hash=%u, iterations=%u)\n",
+ (int)isc_buffer_usedlength(&buffer), text, argv[1], hash_alg, iterations);
+ return(0);
+}
--- /dev/null
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
+ [<!ENTITY mdash "—">]>
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+
+<!-- $Id: nsec3hash.docbook,v 1.3 2009/03/02 23:47:43 tbox Exp $ -->
+<refentry id="man.nsec3hash">
+ <refentryinfo>
+ <date>Feb 18, 2009</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>nsec3hash</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>nsec3hash</application></refname>
+ <refpurpose>generate NSEC3 hash</refpurpose>
+ </refnamediv>
+
+ <docinfo>
+ <copyright>
+ <year>2009</year>
+ <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
+ </copyright>
+ </docinfo>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>nsec3hash</command>
+ <arg choice="req"><replaceable class="parameter">salt</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">iterations</replaceable></arg>
+ <arg choice="req"><replaceable class="parameter">domain</replaceable></arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>nsec3hash</command> generates an NSEC3 hash based on
+ a set of NSEC3 parameters. This can be used to check the validity
+ of NSEC3 records in a signed zone.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>ARGUMENTS</title>
+ <variablelist>
+ <varlistentry>
+ <term>salt</term>
+ <listitem>
+ <para>
+ The salt provided to the hash algorithm.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>algorithm</term>
+ <listitem>
+ <para>
+ A number indicating the hash algorithm. Currently the
+ only supported hash algorithm for NSEC3 is SHA-1, which is
+ indicated by the number 1; consequently "1" is the only
+ useful value for this argument.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>iterations</term>
+ <listitem>
+ <para>
+ The number of additional times the hash should be performed.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>domain</term>
+ <listitem>
+ <para>
+ The domain name to be hashed.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 5155</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para><corpauthor>Internet Systems Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry><!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+-->
+<!-- $Id: nsec3hash.html,v 1.4.154.1 2010/05/18 04:04:36 tbox Exp $ -->
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
+<title>nsec3hash</title>
+<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
+</head>
+<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
+<a name="man.nsec3hash"></a><div class="titlepage"></div>
+<div class="refnamediv">
+<h2>Name</h2>
+<p><span class="application">nsec3hash</span> — generate NSEC3 hash</p>
+</div>
+<div class="refsynopsisdiv">
+<h2>Synopsis</h2>
+<div class="cmdsynopsis"><p><code class="command">nsec3hash</code> {<em class="replaceable"><code>salt</code></em>} {<em class="replaceable"><code>algorithm</code></em>} {<em class="replaceable"><code>iterations</code></em>} {<em class="replaceable"><code>domain</code></em>}</p></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543367"></a><h2>DESCRIPTION</h2>
+<p>
+ <span><strong class="command">nsec3hash</strong></span> generates an NSEC3 hash based on
+ a set of NSEC3 parameters. This can be used to check the validity
+ of NSEC3 records in a signed zone.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543380"></a><h2>ARGUMENTS</h2>
+<div class="variablelist"><dl>
+<dt><span class="term">salt</span></dt>
+<dd><p>
+ The salt provided to the hash algorithm.
+ </p></dd>
+<dt><span class="term">algorithm</span></dt>
+<dd><p>
+ A number indicating the hash algorithm. Currently the
+ only supported hash algorithm for NSEC3 is SHA-1, which is
+ indicated by the number 1; consequently "1" is the only
+ useful value for this argument.
+ </p></dd>
+<dt><span class="term">iterations</span></dt>
+<dd><p>
+ The number of additional times the hash should be performed.
+ </p></dd>
+<dt><span class="term">domain</span></dt>
+<dd><p>
+ The domain name to be hashed.
+ </p></dd>
+</dl></div>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543442"></a><h2>SEE ALSO</h2>
+<p>
+ <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
+ <em class="citetitle">RFC 5155</em>.
+ </p>
+</div>
+<div class="refsect1" lang="en">
+<a name="id2543459"></a><h2>AUTHOR</h2>
+<p><span class="corpauthor">Internet Systems Consortium</span>
+ </p>
+</div>
+</div></body>
+</html>
--- /dev/null
+# Microsoft Developer Studio Project File - Name="arpaname" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=arpaname - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "arpaname.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "arpaname.mak" CFG="arpaname - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "arpaname - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "arpaname - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "arpaname - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/arpaname.exe"\r
+\r
+!ELSEIF "$(CFG)" == "arpaname - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/arpaname.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "arpaname - Win32 Release"\r
+# Name "arpaname - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\arpaname.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "arpaname"=".\arpaname.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on arpaname.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=arpaname - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to arpaname - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "arpaname - Win32 Release" && "$(CFG)" != "arpaname - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "arpaname.mak" CFG="arpaname - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "arpaname - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "arpaname - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "arpaname - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "arpaname - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\arpaname.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\arpaname.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\arpaname.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\arpaname.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\arpaname.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\arpaname.pdb" /machine:I386 /out:"../../../Build/Release/arpaname.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\arpaname.obj"\r
+\r
+"..\..\..\Build\Release\arpaname.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "arpaname - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\arpaname.exe" "$(OUTDIR)\arpaname.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\arpaname.obj"\r
+ -@erase "$(INTDIR)\arpaname.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\arpaname.pdb"\r
+ -@erase "$(OUTDIR)\arpaname.bsc"\r
+ -@erase "..\..\..\Build\Debug\arpaname.exe"\r
+ -@erase "..\..\..\Build\Debug\arpaname.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\arpaname.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\arpaname.sbr"\r
+\r
+"$(OUTDIR)\arpaname.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\arpaname.pdb" /debug /machine:I386 /out:"../../../Build/Debug/arpaname.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\arpaname.obj"\r
+\r
+"..\..\..\Build\Debug\arpaname.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("arpaname.dep")\r
+!INCLUDE "arpaname.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "arpaname.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "arpaname - Win32 Release" || "$(CFG)" == "arpaname - Win32 Debug"\r
+SOURCE="..\arpaname.c"\r
+\r
+!IF "$(CFG)" == "arpaname - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\arpaname.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "arpaname - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\arpaname.obj" "$(INTDIR)\arpaname.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="genrandom" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=genrandom - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "genrandom.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "genrandom.mak" CFG="genrandom - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "genrandom - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "genrandom - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "genrandom - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/genrandom.exe"\r
+\r
+!ELSEIF "$(CFG)" == "genrandom - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/genrandom.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "genrandom - Win32 Release"\r
+# Name "genrandom - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\genrandom.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "genrandom"=".\genrandom.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on genrandom.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=genrandom - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to genrandom - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "genrandom - Win32 Release" && "$(CFG)" != "genrandom - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "genrandom.mak" CFG="genrandom - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "genrandom - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "genrandom - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "genrandom - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "genrandom - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\genrandom.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\genrandom.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\genrandom.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\genrandom.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\genrandom.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\genrandom.pdb" /machine:I386 /out:"../../../Build/Release/genrandom.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\genrandom.obj" \\r
+\r
+"..\..\..\Build\Release\genrandom.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "genrandom - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\genrandom.exe" "$(OUTDIR)\genrandom.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\genrandom.obj"\r
+ -@erase "$(INTDIR)\genrandom.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\genrandom.pdb"\r
+ -@erase "$(OUTDIR)\genrandom.bsc"\r
+ -@erase "..\..\..\Build\Debug\genrandom.exe"\r
+ -@erase "..\..\..\Build\Debug\genrandom.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\genrandom.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\genrandom.sbr" \r
+\r
+"$(OUTDIR)\genrandom.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\genrandom.pdb" /debug /machine:I386 /out:"../../../Build/Debug/genrandom.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\genrandom.obj"\r
+\r
+"..\..\..\Build\Debug\genrandom.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("genrandom.dep")\r
+!INCLUDE "genrandom.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "genrandom.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "genrandom - Win32 Release" || "$(CFG)" == "genrandom - Win32 Debug"\r
+SOURCE="..\genrandom.c"\r
+\r
+!IF "$(CFG)" == "genrandom - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\genrandom.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "genrandom - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\genrandom.obj" "$(INTDIR)\genrandom.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="ischmacfixup" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=ischmacfixup - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "ischmacfixup.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe"\r
+\r
+!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "ischmacfixup - Win32 Release"\r
+# Name "ischmacfixup - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\isc-hmac-fixup.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "ischmacfixup"=".\ischmacfixup.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on ischmacfixup.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=ischmacfixup - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to ischmacfixup - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "ischmacfixup - Win32 Release" && "$(CFG)" != "ischmacfixup - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "ischmacfixup.mak" CFG="ischmacfixup - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "ischmacfixup - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "ischmacfixup - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\isc-hmac-fixup.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\isc-hmac-fixup.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\isc-hmac-fixup.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\isc-hmac-fixup.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /machine:I386 /out:"../../../Build/Release/isc-hmac-fixup.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\isc-hmac-fixup.obj"\r
+\r
+"..\..\..\Build\Release\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\isc-hmac-fixup.exe" "$(OUTDIR)\isc-hmac-fixup.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\isc-hmac-fixup.obj"\r
+ -@erase "$(INTDIR)\isc-hmac-fixup.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\isc-hmac-fixup.pdb"\r
+ -@erase "$(OUTDIR)\isc-hmac-fixup.bsc"\r
+ -@erase "..\..\..\Build\Debug\isc-hmac-fixup.exe"\r
+ -@erase "..\..\..\Build\Debug\isc-hmac-fixup.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\isc-hmac-fixup.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\isc-hmac-fixup.sbr"\r
+\r
+"$(OUTDIR)\isc-hmac-fixup.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\isc-hmac-fixup.pdb" /debug /machine:I386 /out:"../../../Build/Debug/isc-hmac-fixup.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\isc-hmac-fixup.obj"\r
+\r
+"..\..\..\Build\Debug\isc-hmac-fixup.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("isc-hmac-fixup.dep")\r
+!INCLUDE "isc-hmac-fixup.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "isc-hmac-fixup.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "ischmacfixup - Win32 Release" || "$(CFG)" == "ischmacfixup - Win32 Debug"\r
+SOURCE="..\isc-hmac-fixup.c"\r
+\r
+!IF "$(CFG)" == "ischmacfixup - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\isc-hmac-fixup.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "ischmacfixup - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\isc-hmac-fixup.obj" "$(INTDIR)\isc-hmac-fixup.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="journalprint" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=journalprint - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "journalprint.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "journalprint.mak" CFG="journalprint - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "journalprint - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "journalprint - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "journalprint - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/named-journalprint.exe"\r
+\r
+!ELSEIF "$(CFG)" == "journalprint - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/named-journalprint.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "journalprint - Win32 Release"\r
+# Name "journalprint - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\named-journalprint.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "journalprint"=".\journalprint.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on journalprint.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=journalprint - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to journalprint - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "journalprint - Win32 Release" && "$(CFG)" != "journalprint - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "journalprint.mak" CFG="journalprint - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "journalprint - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "journalprint - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "journalprint - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "journalprint - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\named-journalprint.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\named-journalprint.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\named-journalprint.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\journalprint.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\journalprint.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\named-journalprint.pdb" /machine:I386 /out:"../../../Build/Release/named-journalprint.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\named-journalprint.obj"\r
+\r
+"..\..\..\Build\Release\named-journalprint.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "journalprint - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\named-journalprint.exe" "$(OUTDIR)\journalprint.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\named-journalprint.obj"\r
+ -@erase "$(INTDIR)\named-journalprint.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\named-journalprint.pdb"\r
+ -@erase "$(OUTDIR)\journalprint.bsc"\r
+ -@erase "..\..\..\Build\Debug\named-journalprint.exe"\r
+ -@erase "..\..\..\Build\Debug\named-journalprint.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\journalprint.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\named-journalprint.sbr"\r
+\r
+"$(OUTDIR)\journalprint.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\named-journalprint.pdb" /debug /machine:I386 /out:"../../../Build/Debug/named-journalprint.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\named-journalprint.obj" \r
+\r
+"..\..\..\Build\Debug\named-journalprint.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("journalprint.dep")\r
+!INCLUDE "journalprint.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "journalprint.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "journalprint - Win32 Release" || "$(CFG)" == "journalprint - Win32 Debug"\r
+SOURCE="..\named-journalprint.c"\r
+\r
+!IF "$(CFG)" == "journalprint - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\named-journalprint.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "journalprint - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\named-journalprint.obj" "$(INTDIR)\named-journalprint.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
--- /dev/null
+# Microsoft Developer Studio Project File - Name="nsec3hash" - Package Owner=<4>\r
+# Microsoft Developer Studio Generated Build File, Format Version 6.00\r
+# ** DO NOT EDIT **\r
+\r
+# TARGTYPE "Win32 (x86) Console Application" 0x0103\r
+\r
+CFG=nsec3hash - Win32 Debug\r
+!MESSAGE This is not a valid makefile. To build this project using NMAKE,\r
+!MESSAGE use the Export Makefile command and run\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "nsec3hash.mak".\r
+!MESSAGE \r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "nsec3hash.mak" CFG="nsec3hash - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "nsec3hash - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "nsec3hash - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+\r
+# Begin Project\r
+# PROP AllowPerConfigDependencies 0\r
+# PROP Scc_ProjName ""\r
+# PROP Scc_LocalPath ""\r
+CPP=cl.exe\r
+RSC=rc.exe\r
+\r
+!IF "$(CFG)" == "nsec3hash - Win32 Release"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 0\r
+# PROP BASE Output_Dir "Release"\r
+# PROP BASE Intermediate_Dir "Release"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 0\r
+# PROP Output_Dir "Release"\r
+# PROP Intermediate_Dir "Release"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD CPP /nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /YX /FD /c\r
+# ADD BASE RSC /l 0x409 /d "NDEBUG"\r
+# ADD RSC /l 0x409 /d "NDEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /machine:I386 /out:"../../../Build/Release/nsec3hash.exe"\r
+\r
+!ELSEIF "$(CFG)" == "nsec3hash - Win32 Debug"\r
+\r
+# PROP BASE Use_MFC 0\r
+# PROP BASE Use_Debug_Libraries 1\r
+# PROP BASE Output_Dir "Debug"\r
+# PROP BASE Intermediate_Dir "Debug"\r
+# PROP BASE Target_Dir ""\r
+# PROP Use_MFC 0\r
+# PROP Use_Debug_Libraries 1\r
+# PROP Output_Dir "Debug"\r
+# PROP Intermediate_Dir "Debug"\r
+# PROP Ignore_Export_Lib 0\r
+# PROP Target_Dir ""\r
+# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c\r
+# ADD CPP /nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR /FD /GZ /c\r
+# SUBTRACT CPP /X /YX\r
+# ADD BASE RSC /l 0x409 /d "_DEBUG"\r
+# ADD RSC /l 0x409 /d "_DEBUG"\r
+BSC32=bscmake.exe\r
+# ADD BASE BSC32 /nologo\r
+# ADD BSC32 /nologo\r
+LINK32=link.exe\r
+# ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept\r
+# ADD LINK32 user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /debug /machine:I386 /out:"../../../Build/Debug/nsec3hash.exe" /pdbtype:sept\r
+\r
+!ENDIF \r
+\r
+# Begin Target\r
+\r
+# Name "nsec3hash - Win32 Release"\r
+# Name "nsec3hash - Win32 Debug"\r
+# Begin Group "Source Files"\r
+\r
+# PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat"\r
+# Begin Source File\r
+\r
+SOURCE="..\nsec3hash.c"\r
+# End Source File\r
+# End Group\r
+# Begin Group "Header Files"\r
+\r
+# PROP Default_Filter "h;hpp;hxx;hm;inl"\r
+# End Group\r
+# Begin Group "Resource Files"\r
+\r
+# PROP Default_Filter "ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe"\r
+# End Group\r
+# End Target\r
+# End Project\r
--- /dev/null
+Microsoft Developer Studio Workspace File, Format Version 6.00\r
+# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!\r
+\r
+###############################################################################\r
+\r
+Project: "nsec3hash"=".\nsec3hash.dsp" - Package Owner=<4>\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<4>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
+Global:\r
+\r
+Package=<5>\r
+{{{\r
+}}}\r
+\r
+Package=<3>\r
+{{{\r
+}}}\r
+\r
+###############################################################################\r
+\r
--- /dev/null
+# Microsoft Developer Studio Generated NMAKE File, Based on nsec3hash.dsp\r
+!IF "$(CFG)" == ""\r
+CFG=nsec3hash - Win32 Debug\r
+!MESSAGE No configuration specified. Defaulting to nsec3hash - Win32 Debug.\r
+!ENDIF \r
+\r
+!IF "$(CFG)" != "nsec3hash - Win32 Release" && "$(CFG)" != "nsec3hash - Win32 Debug"\r
+!MESSAGE Invalid configuration "$(CFG)" specified.\r
+!MESSAGE You can specify a configuration when running NMAKE\r
+!MESSAGE by defining the macro CFG on the command line. For example:\r
+!MESSAGE \r
+!MESSAGE NMAKE /f "nsec3hash.mak" CFG="nsec3hash - Win32 Debug"\r
+!MESSAGE \r
+!MESSAGE Possible choices for configuration are:\r
+!MESSAGE \r
+!MESSAGE "nsec3hash - Win32 Release" (based on "Win32 (x86) Console Application")\r
+!MESSAGE "nsec3hash - Win32 Debug" (based on "Win32 (x86) Console Application")\r
+!MESSAGE \r
+!ERROR An invalid configuration is specified.\r
+!ENDIF \r
+\r
+!IF "$(OS)" == "Windows_NT"\r
+NULL=\r
+!ELSE \r
+NULL=nul\r
+!ENDIF \r
+\r
+!IF "$(CFG)" == "nsec3hash - Win32 Release"\r
+_VC_MANIFEST_INC=0\r
+_VC_MANIFEST_BASENAME=__VC80\r
+!ELSE\r
+_VC_MANIFEST_INC=1\r
+_VC_MANIFEST_BASENAME=__VC80.Debug\r
+!ENDIF\r
+\r
+####################################################\r
+# Specifying name of temporary resource file used only in incremental builds:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+_VC_MANIFEST_AUTO_RES=$(_VC_MANIFEST_BASENAME).auto.res\r
+!else\r
+_VC_MANIFEST_AUTO_RES=\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_EXE - command to embed manifest in EXE:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;1\r
+\r
+!endif\r
+\r
+####################################################\r
+# _VC_MANIFEST_EMBED_DLL - command to embed manifest in DLL:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+#MT_SPECIAL_RETURN=1090650113\r
+#MT_SPECIAL_SWITCH=-notify_resource_update\r
+MT_SPECIAL_RETURN=0\r
+MT_SPECIAL_SWITCH=\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -out:$(_VC_MANIFEST_BASENAME).auto.manifest $(MT_SPECIAL_SWITCH) & \\r
+if "%ERRORLEVEL%" == "$(MT_SPECIAL_RETURN)" \\r
+rc /r $(_VC_MANIFEST_BASENAME).auto.rc & \\r
+link $** /out:$@ $(LFLAGS)\r
+\r
+!else\r
+\r
+_VC_MANIFEST_EMBED_EXE= \\r
+if exist $@.manifest mt.exe -manifest $@.manifest -outputresource:$@;2\r
+\r
+!endif\r
+####################################################\r
+# _VC_MANIFEST_CLEAN - command to clean resources files generated temporarily:\r
+\r
+!if "$(_VC_MANIFEST_INC)" == "1"\r
+\r
+_VC_MANIFEST_CLEAN=-del $(_VC_MANIFEST_BASENAME).auto.res \\r
+ $(_VC_MANIFEST_BASENAME).auto.rc \\r
+ $(_VC_MANIFEST_BASENAME).auto.manifest\r
+\r
+!else\r
+\r
+_VC_MANIFEST_CLEAN=\r
+\r
+!endif\r
+\r
+!IF "$(CFG)" == "nsec3hash - Win32 Release"\r
+\r
+OUTDIR=.\Release\r
+INTDIR=.\Release\r
+\r
+ALL : "..\..\..\Build\Release\nsec3hash.exe"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\nsec3hash.obj"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "..\..\..\Build\Release\nsec3hash.exe"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MD /W3 /GX /O2 /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "NDEBUG" /D "__STDC__" /D "WIN32" /D "_CONSOLE" /D "_MBCS" /Fp"$(INTDIR)\nsec3hash.pch" /YX /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsec3hash.bsc" \r
+BSC32_SBRS= \\r
+ \r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Release/libisc.lib ../../../lib/dns/win32/Release/libdns.lib /nologo /subsystem:console /incremental:no /pdb:"$(OUTDIR)\nsec3hash.pdb" /machine:I386 /out:"../../../Build/Release/nsec3hash.exe" \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\nsec3hash.obj"\r
+\r
+"..\..\..\Build\Release\nsec3hash.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ELSEIF "$(CFG)" == "nsec3hash - Win32 Debug"\r
+\r
+OUTDIR=.\Debug\r
+INTDIR=.\Debug\r
+# Begin Custom Macros\r
+OutDir=.\Debug\r
+# End Custom Macros\r
+\r
+ALL : "..\..\..\Build\Debug\nsec3hash.exe" "$(OUTDIR)\nsec3hash.bsc"\r
+\r
+\r
+CLEAN :\r
+ -@erase "$(INTDIR)\nsec3hash.obj"\r
+ -@erase "$(INTDIR)\nsec3hash.sbr"\r
+ -@erase "$(INTDIR)\vc60.idb"\r
+ -@erase "$(INTDIR)\vc60.pdb"\r
+ -@erase "$(OUTDIR)\nsec3hash.pdb"\r
+ -@erase "$(OUTDIR)\nsec3hash.bsc"\r
+ -@erase "..\..\..\Build\Debug\nsec3hash.exe"\r
+ -@erase "..\..\..\Build\Debug\nsec3hash.ilk"\r
+ -@$(_VC_MANIFEST_CLEAN)\r
+\r
+"$(OUTDIR)" :\r
+ if not exist "$(OUTDIR)/$(NULL)" mkdir "$(OUTDIR)"\r
+\r
+CPP=cl.exe\r
+CPP_PROJ=/nologo /MDd /W3 /Gm /GX /ZI /Od /I "./" /I "../../../" /I "../../../../libxml2-2.7.3/include" /I "../../../lib/isc/win32" /I "../../../lib/isc/win32/include" /I "../../../lib/isc/include" /I "../../../lib/isc/noatomic/include" /I "../../../lib/dns/include" /D "_DEBUG" /D "WIN32" /D "__STDC__" /D "_CONSOLE" /D "_MBCS" /FR"$(INTDIR)\\" /Fo"$(INTDIR)\\" /Fd"$(INTDIR)\\" /FD /GZ /c \r
+\r
+.c{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.obj::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.c{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cpp{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+.cxx{$(INTDIR)}.sbr::\r
+ $(CPP) @<<\r
+ $(CPP_PROJ) $< \r
+<<\r
+\r
+RSC=rc.exe\r
+BSC32=bscmake.exe\r
+BSC32_FLAGS=/nologo /o"$(OUTDIR)\nsec3hash.bsc" \r
+BSC32_SBRS= \\r
+ "$(INTDIR)\nsec3hash.sbr"\r
+\r
+"$(OUTDIR)\nsec3hash.bsc" : "$(OUTDIR)" $(BSC32_SBRS)\r
+ $(BSC32) @<<\r
+ $(BSC32_FLAGS) $(BSC32_SBRS)\r
+<<\r
+\r
+LINK32=link.exe\r
+LINK32_FLAGS=user32.lib advapi32.lib ../../../lib/isc/win32/Debug/libisc.lib ../../../lib/dns/win32/Debug/libdns.lib /nologo /subsystem:console /incremental:yes /pdb:"$(OUTDIR)\nsec3hash.pdb" /debug /machine:I386 /out:"../../../Build/Debug/nsec3hash.exe" /pdbtype:sept \r
+LINK32_OBJS= \\r
+ "$(INTDIR)\nsec3hash.obj"\r
+\r
+"..\..\..\Build\Debug\nsec3hash.exe" : "$(OUTDIR)" $(DEF_FILE) $(LINK32_OBJS)\r
+ $(LINK32) @<<\r
+ $(LINK32_FLAGS) $(LINK32_OBJS)\r
+<<\r
+ $(_VC_MANIFEST_EMBED_EXE)\r
+\r
+!ENDIF \r
+\r
+\r
+!IF "$(NO_EXTERNAL_DEPS)" != "1"\r
+!IF EXISTS("nsec3hash.dep")\r
+!INCLUDE "nsec3hash.dep"\r
+!ELSE \r
+!MESSAGE Warning: cannot find "nsec3hash.dep"\r
+!ENDIF \r
+!ENDIF \r
+\r
+\r
+!IF "$(CFG)" == "nsec3hash - Win32 Release" || "$(CFG)" == "nsec3hash - Win32 Debug"\r
+SOURCE="..\nsec3hash.c"\r
+\r
+!IF "$(CFG)" == "nsec3hash - Win32 Release"\r
+\r
+\r
+"$(INTDIR)\nsec3hash.obj" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ELSEIF "$(CFG)" == "nsec3hash - Win32 Debug"\r
+\r
+\r
+"$(INTDIR)\nsec3hash.obj" "$(INTDIR)\nsec3hash.sbr" : $(SOURCE) "$(INTDIR)"\r
+ $(CPP) $(CPP_PROJ) $(SOURCE)\r
+\r
+\r
+!ENDIF \r
+\r
+!ENDIF \r
+\r
+####################################################\r
+# Commands to generate initial empty manifest file and the RC file\r
+# that references it, and for generating the .res file:\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.res : $(_VC_MANIFEST_BASENAME).auto.rc\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.rc : $(_VC_MANIFEST_BASENAME).auto.manifest\r
+ type <<$@\r
+#include <winuser.h>\r
+1RT_MANIFEST"$(_VC_MANIFEST_BASENAME).auto.manifest"\r
+<< KEEP\r
+\r
+$(_VC_MANIFEST_BASENAME).auto.manifest :\r
+ type <<$@\r
+<?xml version='1.0' encoding='UTF-8' standalone='yes'?>\r
+<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>\r
+</assembly>\r
+<< KEEP\r
git.samba.org / tridge / bind9.git / commitdiff