[master] native PKCS#11 support

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]
This commit is contained in:
Evan Hunt
2014-01-14 15:40:56 -08:00
parent 1f4c645185
commit ba751492fc
244 changed files with 20979 additions and 3294 deletions

View File

@@ -45,8 +45,14 @@
#include <dst/dst.h>
#include <dst/gssapi.h>
#include "dst_internal.h"
#define TKEY_RANDOM_AMOUNT 16
#ifdef PKCS11CRYPTO
#include <iscpk11/pk11.h>
#endif
#define RETERR(x) do { \
result = (x); \
if (result != ISC_R_SUCCESS) \
@@ -382,8 +388,8 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
if (randomdata == NULL)
goto failure;
result = isc_entropy_getdata(tctx->ectx, randomdata,
TKEY_RANDOM_AMOUNT, NULL, 0);
result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
ISC_FALSE);
if (result != ISC_R_SUCCESS) {
tkey_log("process_dhtkey: failed to obtain entropy: %s",
isc_result_totext(result));