From: Debian DNS Packaging <pkg-dns-devel@lists.alioth.debian.org>
Date: Fri, 24 Nov 2017 16:26:54 +0000
Subject: _prepare_native_pkcs11

---
 bin/Makefile.in        |  2 +-
 bin/dnssec/Makefile.in |  2 +-
 bin/named/Makefile.in  |  2 +-
 bin/pkcs11/Makefile.in |  6 +++---
 configure.in           | 51 +++++++++++++++++++++++++++++++++++---------------
 lib/Makefile.in        |  2 +-
 make/includes.in       | 10 ++++++++++
 7 files changed, 53 insertions(+), 22 deletions(-)

diff --git a/bin/Makefile.in b/bin/Makefile.in
index f0c504a..ef6bf5f 100644
--- a/bin/Makefile.in
+++ b/bin/Makefile.in
@@ -11,7 +11,7 @@ srcdir =	@srcdir@
 VPATH =		@srcdir@
 top_srcdir =	@top_srcdir@
 
-SUBDIRS =	named rndc dig delv dnssec tools nsupdate check confgen \
+SUBDIRS =	named named-pkcs11 rndc dig delv dnssec dnssec-pkcs11 tools nsupdate check confgen \
 		@NZD_TOOLS@ @PYTHON_TOOLS@ @PKCS11_TOOLS@ tests
 TARGETS =
 
diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 2239ad1..1ded1fa 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -19,7 +19,7 @@ VERSION=@BIND9_VERSION@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
+CDEFINES =	-DVERSION=\"${VERSION}\" \
 		@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
 CWARNINGS =
 
diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in
index 1c41397..5e6e84c 100644
--- a/bin/named/Makefile.in
+++ b/bin/named/Makefile.in
@@ -47,7 +47,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} @DST_OPENSSL_INC@
 
-CDEFINES =      @CONTRIB_DLZ@ @USE_PKCS11@ @PKCS11_ENGINE@ @CRYPTO@
+CDEFINES =      @CONTRIB_DLZ@ @CRYPTO@
 
 CWARNINGS =
 
diff --git a/bin/pkcs11/Makefile.in b/bin/pkcs11/Makefile.in
index ae90616..4bc1256 100644
--- a/bin/pkcs11/Makefile.in
+++ b/bin/pkcs11/Makefile.in
@@ -15,13 +15,13 @@ top_srcdir =	@top_srcdir@
 
 @BIND9_MAKE_INCLUDES@
 
-CINCLUDES =	${ISC_INCLUDES}
+CINCLUDES =	${ISC_PKCS11_INCLUDES}
 
 CDEFINES =
 
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@ @ISC_OPENSSL_LIBS@
 
-ISCDEPLIBS =	../../lib/isc/libisc.@A@
+ISCDEPLIBS =	../../lib/isc-pkcs11/libisc-pkcs11.@A@
 
 DEPLIBS =	${ISCDEPLIBS}
 
diff --git a/configure.in b/configure.in
index bf028fe..f8603b8 100644
--- a/configure.in
+++ b/configure.in
@@ -1109,12 +1109,14 @@ AC_SUBST(USE_GSSAPI)
 AC_SUBST(DST_GSSAPI_INC)
 AC_SUBST(DNS_GSSAPI_LIBS)
 DNS_CRYPTO_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_GSSAPI_LIBS $DNS_CRYPTO_PK11_LIBS"
 
 #
 # Applications linking with libdns also need to link with these libraries.
 #
 
 AC_SUBST(DNS_CRYPTO_LIBS)
+AC_SUBST(DNS_CRYPTO_PK11_LIBS)
 
 #
 # was --with-randomdev specified?
@@ -1499,11 +1501,6 @@ fi
 AC_MSG_CHECKING(for OpenSSL library)
 OPENSSL_WARNING=
 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"
-if test "yes" = "$want_native_pkcs11"
-then
-	use_openssl="native_pkcs11"
-	AC_MSG_RESULT(use of native PKCS11 instead)
-fi
 
 if test "auto" = "$use_openssl"
 then
@@ -1516,6 +1513,7 @@ then
 		fi
 	done
 fi
+CRYPTO_PK11=""
 OPENSSL_ECDSA=""
 OPENSSL_GOST=""
 OPENSSL_ED25519=""
@@ -1537,11 +1535,10 @@ case "$with_gost" in
 		;;
 esac
 
-case "$use_openssl" in
-	native_pkcs11)
-		AC_MSG_RESULT(disabled because of native PKCS11)
+if test "$want_native_pkcs11" = "yes"
+then
 		DST_OPENSSL_INC=""
-		CRYPTO="-DPKCS11CRYPTO"
+		CRYPTO_PK11="-DPKCS11CRYPTO"
 		OPENSSLECDSALINKOBJS=""
 		OPENSSLECDSALINKSRCS=""
 		OPENSSLEDDSALINKOBJS=""
@@ -1550,7 +1547,9 @@ case "$use_openssl" in
 		OPENSSLGOSTLINKSRCS=""
 		OPENSSLLINKOBJS=""
 		OPENSSLLINKSRCS=""
-		;;
+fi
+
+case "$use_openssl" in
 	no)
 		AC_MSG_RESULT(no)
 		DST_OPENSSL_INC=""
@@ -1580,11 +1579,6 @@ case "$use_openssl" in
 If you don't want OpenSSL, use --without-openssl])
 		;;
 	*)
-		if test "yes" = "$want_native_pkcs11"
-		then
-			AC_MSG_RESULT()
-			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])
-		fi
 		if test "yes" = "$use_openssl"
 		then
 			# User did not specify a path - guess it
@@ -2007,6 +2001,7 @@ AC_SUBST(OPENSSL_ED25519)
 AC_SUBST(OPENSSL_GOST)
 
 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DST_OPENSSL_LIBS"
+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"
 
 ISC_PLATFORM_WANTAES="#undef ISC_PLATFORM_WANTAES"
 if test "yes" = "$with_aes"
@@ -2326,6 +2321,7 @@ esac
 AC_SUBST(PKCS11LINKOBJS)
 AC_SUBST(PKCS11LINKSRCS)
 AC_SUBST(CRYPTO)
+AC_SUBST(CRYPTO_PK11)
 AC_SUBST(PKCS11_ECDSA)
 AC_SUBST(PKCS11_GOST)
 AC_SUBST(PKCS11_ED25519)
@@ -5331,8 +5327,11 @@ AC_CONFIG_FILES([
 	bin/delv/Makefile
 	bin/dig/Makefile
 	bin/dnssec/Makefile
+	bin/dnssec-pkcs11/Makefile
 	bin/named/Makefile
 	bin/named/unix/Makefile
+	bin/named-pkcs11/Makefile
+	bin/named-pkcs11/unix/Makefile
 	bin/nsupdate/Makefile
 	bin/pkcs11/Makefile
 	bin/python/Makefile
@@ -5406,6 +5405,10 @@ AC_CONFIG_FILES([
 	lib/dns/include/dns/Makefile
 	lib/dns/include/dst/Makefile
 	lib/dns/tests/Makefile
+	lib/dns-pkcs11/Makefile
+	lib/dns-pkcs11/include/Makefile
+	lib/dns-pkcs11/include/dns/Makefile
+	lib/dns-pkcs11/include/dst/Makefile
 	lib/irs/Makefile
 	lib/irs/include/Makefile
 	lib/irs/include/irs/Makefile
@@ -5430,6 +5433,24 @@ AC_CONFIG_FILES([
 	lib/isc/unix/include/Makefile
 	lib/isc/unix/include/isc/Makefile
 	lib/isc/unix/include/pkcs11/Makefile
+	lib/isc-pkcs11/$arch/Makefile
+	lib/isc-pkcs11/$arch/include/Makefile
+	lib/isc-pkcs11/$arch/include/isc/Makefile
+	lib/isc-pkcs11/$thread_dir/Makefile
+	lib/isc-pkcs11/$thread_dir/include/Makefile
+	lib/isc-pkcs11/$thread_dir/include/isc/Makefile
+	lib/isc-pkcs11/Makefile
+	lib/isc-pkcs11/include/Makefile
+	lib/isc-pkcs11/include/isc/Makefile
+	lib/isc-pkcs11/include/isc/platform.h
+	lib/isc-pkcs11/include/pk11/Makefile
+	lib/isc-pkcs11/include/pkcs11/Makefile
+	lib/isc-pkcs11/tests/Makefile
+	lib/isc-pkcs11/nls/Makefile
+	lib/isc-pkcs11/unix/Makefile
+	lib/isc-pkcs11/unix/include/Makefile
+	lib/isc-pkcs11/unix/include/isc/Makefile
+	lib/isc-pkcs11/unix/include/pkcs11/Makefile
 	lib/isccc/Makefile
 	lib/isccc/include/Makefile
 	lib/isccc/include/isccc/Makefile
diff --git a/lib/Makefile.in b/lib/Makefile.in
index 81270a0..bcb5312 100644
--- a/lib/Makefile.in
+++ b/lib/Makefile.in
@@ -15,7 +15,7 @@ top_srcdir =	@top_srcdir@
 # Attempt to disable parallel processing.
 .NOTPARALLEL:
 .NO_PARALLEL:
-SUBDIRS =	isc isccc dns isccfg bind9 lwres irs samples
+SUBDIRS =	isc isc-pkcs11 isccc dns dns-pkcs11 isccfg bind9 lwres irs samples
 TARGETS =
 
 @BIND9_MAKE_RULES@
diff --git a/make/includes.in b/make/includes.in
index fa86ad1..3cfbe9f 100644
--- a/make/includes.in
+++ b/make/includes.in
@@ -43,3 +43,13 @@ BIND9_INCLUDES = @BIND9_BIND9_BUILDINCLUDE@ \
 
 TEST_INCLUDES = \
 	-I${top_srcdir}/lib/tests/include
+
+ISC_PKCS11_INCLUDES = @BIND9_ISC_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/isc-pkcs11 \
+	-I${top_srcdir}/lib/isc-pkcs11/include \
+	-I${top_srcdir}/lib/isc-pkcs11/unix/include \
+	-I${top_srcdir}/lib/isc-pkcs11/@ISC_THREAD_DIR@/include \
+	-I${top_srcdir}/lib/isc-pkcs11/@ISC_ARCH_DIR@/include
+
+DNS_PKCS11_INCLUDES = @BIND9_DNS_BUILDINCLUDE@ \
+	-I${top_srcdir}/lib/dns-pkcs11/include