+2703. [func] Introduce an OpenSSL "engine" argument with -E
+ for all binaries which can take benefit of
+ crypto hardware. [RT #20230]
+
2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2701. [doc] Correction to ARM: hmac-md5 is no longer the only
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.40 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.41 2009/10/05 17:30:49 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
-CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\"
+CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\" @USE_PKCS11@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-dsfromkey.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
setup_logging(verbose, mctx, &log);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keyfromlabel.c,v 1.17 2009/10/03 18:03:53 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
fprintf(stderr, "Required options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " -l label: label of the key pair\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " (for instance \"pkcs11:foo\"\n");
+#else
+ fprintf(stderr, " -E enginename\n");
+#endif
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
- fprintf(stderr, " -c <class> (default: IN)\n");
+ fprintf(stderr, " -c class (default: IN)\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E enginename (default: pkcs11)\n");
+#endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
- fprintf(stderr, " -p <protocol>: default: 3 [dnssec]\n");
- fprintf(stderr, " -t <type>: "
+ fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
+ fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
- fprintf(stderr, " -v <verbose level>\n");
+ fprintf(stderr, " -v verbose level\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
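Review bot: The added usage line `" (for instance \"pkcs11:foo\"\n"` opens a parenthesis it never closes, so the help text reads as truncated; it should be `fprintf(stderr, "    (for instance \"pkcs11:foo\")\n");`. Listing -E under "Required options" only in the non-PKCS#11 build is consistent with the engine check added in opensslrsa_link.c in this same change (a NULL engine is rejected with DST_R_NOENGINE), so that split is correct as written. The usage function itself starts before this hunk.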
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
const char *directory = NULL;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
char *classname = NULL;
char *endp;
dst_key_t *key = NULL, *oldkey = NULL;
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
- char *label = NULL, *engine = NULL;
+ char *label = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
- "a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
+ "a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case 'a':
case 'c':
classname = isc_commandline_argument;
break;
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'f':
if (toupper(isc_commandline_argument[0]) == 'K')
kskflag = DNS_KEYFLAG_KSK;
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ ret = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.11 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the name of the crypto hardware (OpenSSL engine).
+ When compiled with PKCS#11 support it defaults to pcks11.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
- Specifies the label of keys in the crypto hardware
- (PKCS#11 device).
+ Specifies the label of keys in the crypto hardware (OpenSSL
+ engine). An example for the pkcs11 engine is pkcs11:foo
+ (note the string pkcs11 is in both E and l options.)
</para>
</listitem>
</varlistentry>
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-keygen.c,v 1.98 2009/10/03 18:03:53 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n");
+#else
+ fprintf(stderr, " -E <engine name>\n");
+#endif
fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n");
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
/*
* Process memory debugging argument first.
*/
-#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
if (*endp != '\0' || dbits < 0)
fatal("-d requires a non-negative number");
break;
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'e':
rsa_exp = 1;
break;
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
- ret = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ ret = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.29 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
<arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Uses a crypto hardware (OpenSSL engine) for random number
+ and, when supported, key generation. When compiled with PKCS#11
+ support it defaults to pcks11, the empty name resets it to
+ no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-e</term>
<listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-revoke.c,v 1.13 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
+ fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+ "(default is \"pkcs11\")\n");
+#else
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -K directory: use directory for key files\n");
fprintf(stderr, " -h: help\n");
int
main(int argc, char **argv) {
isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
char *filename = NULL, *dir = NULL;
char newname[1024], oldname[1024];
char keystr[KEY_FORMATSIZE];
isc_commandline_errprint = ISC_FALSE;
- while ((ch = isc_commandline_parse(argc, argv, "fK:rhv:")) != -1) {
+ while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) {
switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'f':
force = ISC_TRUE;
break;
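Review bot: The option string `"EfK:rhv:"` has no colon after E, so isc_commandline_parse() treats -E as a flag without an argument and the new `case 'E': engine = isc_commandline_argument;` presumably receives NULL (or whatever the parser last stored) while the engine name the user typed is left over as the positional keyfile; `-E ""`, which the man page in this change documents as the way to disable the pkcs11 default, cannot work either. Change it to `"E:fK:rhv:"`, matching the `E:` form dnssec-keygen and dnssec-keyfromlabel use in this same commit.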
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
- result = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
- fatal("Could not initialize dst");
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-revoke.docbook,v 1.5 2009/07/20 11:56:35 fdupont Exp $ -->
+<!-- $Id: dnssec-revoke.docbook,v 1.6 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
<arg><option>-hr</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pcks11, the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-f</term>
<listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-settime.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+ "(default is \"pkcs11\")\n");
+#else
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
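Review bot: The help text added here prints only the indented description (`name of an OpenSSL engine to use ...`) and never the option it belongs to; dnssec-revoke and dnssec-signzone in this same change print `"\t-E engine:\n"` first, so here the user sees an explanation with no -E line above it. Add `fprintf(stderr, "\t-E engine:\n");` immediately before the `#ifdef USE_PKCS11`, and consider matching the space-indented style of the surrounding -f/-K lines rather than tabs. The usage function begins before this hunk.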
int
main(int argc, char **argv) {
isc_result_t result;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[KEY_FORMATSIZE];
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
- "fK:uhp:v:P:A:R:I:D:")) != -1) {
+ "EfK:uhp:v:P:A:R:I:D:")) != -1) {
switch (ch) {
+ case 'E':
+ engine = isc_commandline_argument;
+ break;
case 'f':
forceupdate = ISC_TRUE;
break;
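Review bot: `"EfK:uhp:v:P:A:R:I:D:"` gives -E no argument (the colon is missing after E), so `engine = isc_commandline_argument;` in the new `case 'E'` presumably gets NULL rather than the name supplied, and that name is then consumed as the keyfile operand; the documented `-E ""` reset to "no engine" is likewise unreachable. It should read `"E:fK:uhp:v:P:A:R:I:D:"`, as dnssec-keygen's `E:` entry in this commit does.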
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
- result = dst_lib_init(mctx, ectx,
- ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
+ result = dst_lib_init2(mctx, ectx, engine,
+ ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
- fatal("Could not initialize dst");
+ fatal("Could not initialize dst: %s",
+ isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, directory,
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.5 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
</para>
</listitem>
</varlistentry>
+
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Use the given OpenSSL engine. When compiled with PKCS#11 support
+ it defaults to pcks11, the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dnssec-signzone.c,v 1.240 2009/10/03 18:03:54 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
fprintf(stderr, "\t-a:\t");
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
+ fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+ "(default is \"pkcs11\")\n");
+#else
+ fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
fprintf(stderr, "\t-p:\t");
fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-P:\t");
isc_result_t result;
isc_log_t *log = NULL;
isc_boolean_t pseudorandom = ISC_FALSE;
+#ifdef USE_PKCS11
+ const char *engine = "pkcs11";
+#else
+ const char *engine = NULL;
+#endif
unsigned int eflags;
isc_boolean_t free_output = ISC_FALSE;
int tempfilelen;
isc_boolean_t set_iter = ISC_FALSE;
#define CMDLINE_FLAGS \
- "3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
+ "3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
/*
* Process memory debugging argument first.
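Review bot: In the new CMDLINE_FLAGS, `Ee:` declares -E with no argument and -e with one, so the engine name given to `-E` is never delivered to the new `case 'E'` (isc_commandline_argument presumably stays NULL) and ends up treated as the zone file positional argument; this matters more here than in the key tools because signzone is what actually uses the engine for private-key operations. Change the string to `"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"`. The `case 'K'` removed a few lines later is re-added further down in the alphabetised switch, so that reorder is fine.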
fatal("DS directory must be non-empty string");
break;
- case 'K':
- directory = isc_commandline_argument;
+ case 'E':
+ engine = isc_commandline_argument;
break;
case 'e':
usage();
break;
+ case 'I':
+ inputformatstr = isc_commandline_argument;
+ break;
+
case 'i':
endp = NULL;
cycle = strtol(isc_commandline_argument, &endp, 0);
"positive");
break;
- case 'I':
- inputformatstr = isc_commandline_argument;
- break;
-
case 'j':
endp = NULL;
jitter = strtol(isc_commandline_argument, &endp, 0);
fatal("jitter must be numeric and positive");
break;
+ case 'K':
+ directory = isc_commandline_argument;
+ break;
+
case 'k':
if (ndskeys == MAXDSKEYS)
fatal("too many key-signing keys specified");
case 'm':
break;
+ case 'N':
+ serialformatstr = isc_commandline_argument;
+ break;
+
case 'n':
endp = NULL;
ntasks = strtol(isc_commandline_argument, &endp, 0);
fatal("number of cpus must be numeric");
break;
- case 'N':
- serialformatstr = isc_commandline_argument;
+ case 'O':
+ outputformatstr = isc_commandline_argument;
break;
case 'o':
origin = isc_commandline_argument;
break;
- case 'O':
- outputformatstr = isc_commandline_argument;
+ case 'P':
+ disable_zone_check = ISC_TRUE;
break;
case 'p':
pseudorandom = ISC_TRUE;
break;
- case 'P':
- disable_zone_check = ISC_TRUE;
- break;
-
case 'r':
setup_entropy(mctx, isc_commandline_argument, &ectx);
break;
- case 's':
- startstr = isc_commandline_argument;
- break;
-
case 'S':
smartsign = ISC_TRUE;
generateds = ISC_TRUE;
break;
+ case 's':
+ startstr = isc_commandline_argument;
+ break;
+
case 'T':
endp = NULL;
set_keyttl = ISC_TRUE;
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
- result = dst_lib_init(mctx, ectx, eflags);
+ result = dst_lib_init2(mctx, ectx, engine, eflags);
if (result != ISC_R_SUCCESS)
- fatal("could not initialize dst");
+ fatal("could not initialize dst: %s",
+ isc_result_totext(result));
isc_stdtime_get(&now);
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: dnssec-signzone.docbook,v 1.38 2009/09/29 22:17:34 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.39 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-g</option></arg>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine</replaceable></term>
+ <listitem>
+ <para>
+ Uses a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ it defaults to pcks11, the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-g</term>
<listitem>
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.106 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.107 2009/10/05 17:30:49 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
-CDEFINES = -DBIND9 @USE_DLZ@
+CDEFINES = -DBIND9 @USE_DLZ@ @USE_PKCS11@
CWARNINGS =
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: globals.h,v 1.85 2009/07/14 23:47:53 tbox Exp $ */
+/* $Id: globals.h,v 1.86 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
EXTERN const char * ns_g_username INIT(NULL);
+#ifdef USE_PKCS11
+EXTERN const char * ns_g_engine INIT("pkcs11");
+#else
+EXTERN const char * ns_g_engine INIT(NULL);
+#endif
+
EXTERN int ns_g_listen INIT(3);
EXTERN isc_time_t ns_g_boottime;
EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: main.c,v 1.174 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
}
fprintf(stderr,
"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
- "[-f|-g] [-n number_of_cpus]\n"
- " [-p port] [-s] [-t chrootdir] [-u username]\n"
+ "[-E engine] [-f|-g]\n"
+ " [-n number_of_cpus] [-p port] [-s] "
+ "[-t chrootdir] [-u username]\n"
" [-m {usage|trace|record|size|mctx}]\n");
}
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
- "46c:C:d:fFgi:lm:n:N:p:P:"
+ "46c:C:d:E:fFgi:lm:n:N:p:P:"
"sS:t:T:u:vVx:")) != -1) {
switch (ch) {
case '4':
ns_g_debuglevel = parse_int(isc_commandline_argument,
"debug level");
break;
+ case 'E':
+ ns_g_engine = isc_commandline_argument;
+ break;
case 'f':
ns_g_foreground = ISC_TRUE;
break;
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- $Id: named.docbook,v 1.25 2009/05/21 23:47:28 tbox Exp $ -->
+<!-- $Id: named.docbook,v 1.26 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>May 21, 2009</date>
<arg><option>-6</option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
+ <arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
</para>
</listitem>
</varlistentry>
+
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
<listitem>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>-E <replaceable class="parameter">engine-name</replaceable></term>
+ <listitem>
+ <para>
+ Use a crypto hardware (OpenSSL engine) for the crypto operations
+ it supports, for instance re-signing with private keys from
+ a secure key store. When compiled with PKCS#11 support
+ <replaceable class="parameter">engine-name</replaceable>
+ defaults to pkcs11, the empty name resets it to no engine.
+ </para>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term>-f</term>
<listitem>
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: server.c,v 1.549 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: server.c,v 1.550 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
ISC_R_NOMEMORY : ISC_R_SUCCESS,
"allocating reload event");
- CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
+ CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+ ns_g_engine, ISC_ENTROPY_GOODONLY),
"initializing DST");
server->tkeyctx = NULL;
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.166 2009/09/01 00:22:26 jinmei Exp $
+# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
-CDEFINES = -DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
+CDEFINES = -DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ \
${USE_ISC_SPNEGO}
CWARNINGS =
/*
* Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.33 2009/09/25 01:42:09 marka Exp $
+ * $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $
*/
/*! \file */
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+ return (dst_lib_init2(mctx, ectx, NULL, eflags));
+}
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ const char *engine, unsigned int eflags) {
isc_result_t result;
REQUIRE(mctx != NULL);
if (result != ISC_R_SUCCESS)
return (result);
isc_mem_setname(dst__memory_pool, "dst", NULL);
+#ifndef OPENSSL_LEAKS
isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
+#endif
#else
isc_mem_attach(mctx, &dst__memory_pool);
#endif
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#ifdef OPENSSL
- RETERR(dst__openssl_init());
+ RETERR(dst__openssl_init(engine));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
return (ISC_R_SUCCESS);
out:
+ /* avoid immediate crash! */
+ dst_initialized = ISC_TRUE;
dst_lib_destroy();
return (result);
}
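Review bot: The new comment `/* avoid immediate crash! */` says what the line prevents but not why the flag must be set on a failure path, which will read as suspicious to the next maintainer; presumably dst_lib_destroy() REQUIREs dst_initialized and this lets the partially built state be torn down. Suggest `/* dst_lib_destroy() insists on dst_initialized; set it so the partial initialization is released. */`. The function this `out:` label belongs to starts before the hunk.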
unsigned int flags = dst_entropy_flags;
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
+ else
+ flags |= ISC_ENTROPY_BLOCKING;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#else
UNUSED(buf);
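Review bot: The new `else flags |= ISC_ENTROPY_BLOCKING;` forces every non-pseudo request to block on the entropy pool regardless of the eflags the caller handed to dst_lib_init()/dst_lib_init2(); server.c in this same change passes only ISC_ENTROPY_GOODONLY, so a running named may now stall on a starved entropy source where it presumably returned an error before. If that is the intent it needs a comment here, e.g. `/* Real randomness must block rather than fail; pseudo-random requests are exempt. */`, and a CHANGES entry, since 2703 only describes -E. The enclosing function begins before this hunk, so how dst_entropy_flags is derived is not visible.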
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_internal.h,v 1.18 2009/09/23 11:16:50 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
/*%
* Initializers
*/
-isc_result_t dst__openssl_init(void);
+isc_result_t dst__openssl_init(const char *engine);
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: dst_openssl.h,v 1.8 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef DST_OPENSSL_H
#define DST_OPENSSL_H 1
dst__openssl_toresult(isc_result_t fallback);
ENGINE *
-dst__openssl_getengine(const char *name);
-
-isc_result_t
-dst__openssl_setdefault(const char *name);
+dst__openssl_getengine(const char *engine);
ISC_LANG_ENDDECLS
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: dst.h,v 1.19 2009/09/23 16:01:57 each Exp $ */
+/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+ const char *engine, unsigned int eflags);
/*%<
* Initializes the DST subsystem.
*
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOMEMORY
+ * \li DST_R_NOENGINE
*
* Ensures:
* \li DST is properly initialized.
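Review bot: The comment that now follows dst_lib_init2() still describes only the old dst_lib_init() contract: `engine` is not explained even though DST_R_NOENGINE was added to the Returns list. Suggest inserting before "Returns:" the lines ` * 'engine', if non-NULL and non-empty, names the OpenSSL engine made the default for DST operations; NULL (or "", per openssl_link.c) means no engine.` and ` * dst_lib_init() is equivalent to dst_lib_init2() with engine == NULL.`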
/*
* Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
+ * $Id: openssl_link.c,v 1.27 2009/10/05 17:30:49 fdupont Exp $
*/
#ifdef OPENSSL
#include <isc/thread.h>
#include <isc/util.h>
+#include <dst/result.h>
+
#include "dst_internal.h"
#include "dst_openssl.h"
#ifdef USE_ENGINE
#include <openssl/engine.h>
-
-#ifdef ENGINE_ID
-const char *engine_id = ENGINE_ID;
-#else
-const char *engine_id;
-#endif
#endif
static RAND_METHOD *rm = NULL;
static int nlocks;
#ifdef USE_ENGINE
-static ENGINE *e;
-static ENGINE *he;
-#endif
-
-#ifdef USE_PKCS11
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
- const char **pre_cmds, int pre_num,
- const char **post_cmds, int post_num);
+static ENGINE *e = NULL;
#endif
static int
static void *
mem_alloc(size_t size) {
+#ifdef OPENSSL_LEAKS
+ void *ptr;
+
+ INSIST(dst__memory_pool != NULL);
+ ptr = isc_mem_allocate(dst__memory_pool, size);
+ return (ptr);
+#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_allocate(dst__memory_pool, size));
+#endif
}
static void
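Review bot: The OPENSSL_LEAKS branch of mem_alloc() (and of mem_realloc() in the following hunk) is functionally identical to its #else branch — it only parks the result in a local before returning — so a reader cannot tell why the duplication exists; presumably it is there to give a debugger a place to watch the returned pointer while chasing OpenSSL leaks. A one-line comment would remove the puzzle: `/* Identical to the non-debug path; the temporary only gives a debugger something to inspect when tracking OpenSSL leaks. */`.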
static void *
mem_realloc(void *ptr, size_t size) {
+#ifdef OPENSSL_LEAKS
+ void *rptr;
+
+ INSIST(dst__memory_pool != NULL);
+ rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
+ return (rptr);
+#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_reallocate(dst__memory_pool, ptr, size));
+#endif
}
isc_result_t
-dst__openssl_init() {
+dst__openssl_init(const char *engine) {
isc_result_t result;
#ifdef USE_ENGINE
- /* const char *name; */
ENGINE *re;
+#else
+
+ UNUSED(engine);
#endif
#ifdef DNS_CRYPTO_LEAKS
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
+
#ifdef USE_ENGINE
OPENSSL_config(NULL);
-#ifdef USE_PKCS11
-#ifndef PKCS11_SO_PATH
-#define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so"
-#endif
-#ifndef PKCS11_MODULE_PATH
-#define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so"
-#endif
- {
- /*
- * to use this to config the PIN, add in openssl.cnf:
- * - at the beginning: "openssl_conf = openssl_def"
- * - at any place these sections:
- * [ openssl_def ]
- * engines = engine_section
- * [ engine_section ]
- * pkcs11 = pkcs11_section
- * [ pkcs11_section ]
- * PIN = my___pin
- */
-
- const char *pre_cmds[] = {
- "SO_PATH", PKCS11_SO_PATH,
- "LOAD", NULL,
- "MODULE_PATH", PKCS11_MODULE_PATH
- };
- const char *post_cmds[] = {
- /* "PIN", "my___pin" */
- };
- result = dst__openssl_load_engine("pkcs11", "pkcs11",
- pre_cmds, 0,
- post_cmds, /*1*/ 0);
- if (result != ISC_R_SUCCESS)
- goto cleanup_rm;
- }
-#else /* USE_PKCS11 */
- if (engine_id != NULL) {
- e = ENGINE_by_id(engine_id);
+
+ if (engine != NULL && *engine == '\0')
+ engine = NULL;
+
+ if (engine != NULL) {
+ e = ENGINE_by_id(engine);
if (e == NULL) {
- result = ISC_R_NOTFOUND;
+ result = DST_R_NOENGINE;
goto cleanup_rm;
}
- if (!ENGINE_init(e)) {
- result = ISC_R_FAILURE;
- ENGINE_free(e);
+ /* This will init the engine. */
+ if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
+ result = DST_R_NOENGINE;
goto cleanup_rm;
}
- ENGINE_set_default(e, ENGINE_METHOD_ALL);
- ENGINE_free(e);
- if (he == NULL)
- he = e;
- } else {
- ENGINE_register_all_complete();
- for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
-
- /*
- * Something weird here. If we call ENGINE_finish()
- * ENGINE_get_default_RAND() will fail.
- */
- if (ENGINE_init(e)) {
- if (he == NULL)
- he = e;
- }
- }
}
-#endif /* USE_PKCS11 */
+
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
ENGINE_free(re);
} else
ENGINE_finish(re);
-
#else
RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
#ifdef USE_ENGINE
cleanup_rm:
+ if (e != NULL)
+ ENGINE_free(e);
+ e = NULL;
mem_free(rm);
+ rm = NULL;
#endif
cleanup_mutexinit:
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
+ locks = NULL;
return (result);
}
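Review bot: `ENGINE_by_id(engine)` is now the only lookup and nothing in this function calls ENGINE_load_builtin_engines() or ENGINE_load_dynamic() (the removed code did the latter), so the engine is found only if `OPENSSL_config(NULL)` above loaded it from openssl.cnf; with USE_PKCS11 every caller in this change defaults to "pkcs11", so a host without that config stanza fails with DST_R_NOENGINE, and the explanation that used to live in the deleted comment is gone. Suggest restoring it above the lookup: `/* The engine must have been loaded by OPENSSL_config() from openssl.cnf (openssl_conf -> engines -> <engine> section); no ENGINE_load_*() is called here. */`. `ENGINE_set_default(e, ENGINE_METHOD_ALL)` also hands RAND to the engine when it offers one, which presumably displaces the entropy-backed `rm` built just above — intended for hardware RNGs per the man pages in this change, but worth a comment since this line decides where key-generation randomness comes from. Returning DST_R_NOENGINE for both the not-found case and the ENGINE_set_default() failure hides which step failed; a distinct result for the second would make `-E` misconfiguration easier to diagnose.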
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
+ if (rm != NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ RAND_cleanup();
+#endif
+ mem_free(rm);
+ rm = NULL;
+ }
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
- CONF_modules_unload(1);
+ CONF_modules_free();
#endif
+ OBJ_cleanup();
EVP_cleanup();
#if defined(USE_ENGINE)
- if (he != NULL)
- ENGINE_finish(he);
- else if (e != NULL)
- ENGINE_finish(e);
- he = e = NULL;
+ if (e != NULL)
+ ENGINE_free(e);
+ e = NULL;
#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
#endif
ERR_clear_error();
- ERR_free_strings();
ERR_remove_state(0);
+ ERR_free_strings();
#ifdef DNS_CRYPTO_LEAKS
CRYPTO_mem_leaks_fp(stderr);
#endif
- if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
- RAND_cleanup();
-#endif
- mem_free(rm);
- }
if (locks != NULL) {
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
mem_free(locks);
+ locks = NULL;
}
}
}
ENGINE *
-dst__openssl_getengine(const char *name) {
-
- UNUSED(name);
+dst__openssl_getengine(const char *engine) {
+ if (engine == NULL)
+ return (NULL);
#if defined(USE_ENGINE)
- return (he);
-#else
- return (NULL);
-#endif
-}
-
-isc_result_t
-dst__openssl_setdefault(const char *name) {
-
- UNUSED(name);
-
-#if defined(USE_ENGINE)
- ENGINE_set_default(e, ENGINE_METHOD_ALL);
-#endif
- /*
- * XXXMPA If the engine does not have a default RAND method
- * restore our method.
- */
- return (ISC_R_SUCCESS);
-}
-
-#ifdef USE_PKCS11
-/*
- * 'name' is the name the engine is known by to the dst library.
- * This may or may not match the name the engine is known by to
- * openssl. It is the name that is stored in the private key file.
- *
- * 'engine_id' is the openssl engine name.
- *
- * pre_cmds and post_cmds a sequence if command argument pairs
- * pre_num and post_num are a count of those pairs.
- *
- * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
- * "LOAD", NULL
- * "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so")
- */
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
- const char **pre_cmds, int pre_num,
- const char **post_cmds, int post_num)
-{
- ENGINE *e;
-
- UNUSED(name);
-
- if (!strcasecmp(engine_id, "dynamic"))
- ENGINE_load_dynamic();
- e = ENGINE_by_id(engine_id);
if (e == NULL)
- return (ISC_R_NOTFOUND);
- while (pre_num--) {
- if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
- ENGINE_free(e);
- return (ISC_R_FAILURE);
- }
- pre_cmds += 2;
- }
- if (!ENGINE_init(e)) {
- ENGINE_free(e);
- return (ISC_R_FAILURE);
- }
- /*
- * ENGINE_init() returned a functional reference, so free the
- * structural reference from ENGINE_by_id().
- */
- ENGINE_free(e);
- while (post_num--) {
- if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
- ENGINE_free(e);
- return (ISC_R_FAILURE);
- }
- post_cmds += 2;
- }
- if (he != NULL)
- ENGINE_finish(he);
- he = e;
- return (ISC_R_SUCCESS);
+ return (NULL);
+ if (strcmp(engine, ENGINE_get_id(e)) == 0)
+ return (e);
+#endif
+ return (NULL);
}
-#endif /* USE_PKCS11 */
#else /* OPENSSL */
/*
* Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.28 2009/09/23 11:16:50 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.29 2009/10/05 17:30:49 fdupont Exp $
*/
#ifdef OPENSSL
#ifndef USE_EVP
UNUSED(pin);
+ if (engine == NULL)
+ DST_RET(DST_R_NOENGINE);
e = dst__openssl_getengine(engine);
if (e == NULL)
DST_RET(DST_R_NOENGINE);
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: task.c,v 1.110 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: task.c,v 1.111 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file
* \author Principal Author: Bob Halley
#include <isc/util.h>
#include <isc/xml.h>
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
/*%
* For BIND9 internal applications:
* when built with threads we use multiple worker threads shared by the whole
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_EXITING, "exiting"));
+#ifdef OPENSSL_LEAKS
+ ERR_remove_state(0);
+#endif
+
return ((isc_threadresult_t)0);
}
#endif /* USE_WORKER_THREADS */
* PERFORMANCE OF THIS SOFTWARE.
*/
-/* $Id: timer.c,v 1.94 2009/09/03 21:55:13 jinmei Exp $ */
+/* $Id: timer.c,v 1.95 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
#include <isc/timer.h>
#include <isc/util.h>
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
/* See task.c about the following definition: */
#ifdef BIND9
#ifdef ISC_PLATFORM_USETHREADS
}
UNLOCK(&manager->lock);
+#ifdef OPENSSL_LEAKS
+ ERR_remove_state(0);
+#endif
+
return ((isc_threadresult_t)0);
}
#endif /* USE_TIMER_THREAD */