<<: *build_job
system:gcc:bullseye:amd64:
- # Set up environment variables that allow the "keyfromlabel" system test to be run
- variables:
- OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
- SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
<<: *debian_bullseye_amd64_image
<<: *system_test_job
needs:
<<: *build_job
system:clang:bookworm:amd64:
- # Set up environment variables that allow the "keyfromlabel" system test to be run
- variables:
- OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
- SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
<<: *debian_bookworm_amd64_image
<<: *system_test_job
needs:
| `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult |
| `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` |
| `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports |
-| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support |
CHECK(setup_logging(mctx, stdout, &logc));
- CHECK(dst_lib_init(mctx, NULL));
+ CHECK(dst_lib_init(mctx));
cleanup_dst = true;
CHECK(cfg_parser_create(mctx, logc, &parser));
fatal("unsupported algorithm %d\n", alg);
}
- DO("initialize dst library", dst_lib_init(mctx, NULL));
+ DO("initialize dst library", dst_lib_init(mctx));
DO("generate key",
dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
loop = isc_loop_main(loopmgr);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("dst_lib_init failed: %d", result);
}
isc_mem_setname(mctx, "dig");
mainloop = isc_loop_main(loopmgr);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
check_result(result, "dst_lib_init");
is_dst_up = true;
}
setup_logging(mctx, &lctx);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
fatal("extraneous arguments");
}
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
fatal("extraneous arguments");
}
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
" ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
- fprintf(stderr, " -E <engine>:\n");
- fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
- const char *engine = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
classname = isc_commandline_argument;
break;
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
}
}
- ret = dst_lib_init(mctx, engine);
+ ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
- ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
- label, NULL, mctx, &key);
+ ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
+ NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
Synopsis
~~~~~~~~
-:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
+:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
versions, then the NSEC3 version is used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
-.. option:: -E engine
-
- This option specifies the cryptographic hardware to use.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -l label
This option specifies the label for a key pair in the crypto hardware.
When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
- an arbitrary string that identifies a particular key. It may be
- preceded by an optional OpenSSL engine name, followed by a colon, as
- in ``pkcs11:keylabel``.
+ an arbitrary string that identifies a particular key.
.. option:: -n nametype
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
- fprintf(stderr, " -E <engine>:\n");
- fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f <keyflag>: ZSK | KSK | REVOKE\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
isc_mem_t *mctx = NULL;
isc_result_t ret;
isc_textregion_t r;
- const char *engine = NULL;
unsigned char c;
int ch;
bool set_fips_mode = false;
}
break;
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
}
}
- ret = dst_lib_init(mctx, engine);
+ ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
}
kasp_from_conf(config, mctx, lctx, ctx.policy,
- ctx.directory, engine, &kasp);
+ ctx.directory, &kasp);
if (kasp == NULL) {
fatal("failed to load dnssec-policy '%s'",
ctx.policy);
Synopsis
~~~~~~~~
-:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
+:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
ECDSAP384SHA384, ED25519, and ED448.
-.. option:: -E engine
-
- This option specifies the cryptographic hardware to use, when applicable.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -f flag
This option sets the specified flag in the flag field of the KEY/DNSKEY record.
*/
static isc_log_t *lctx = NULL;
static isc_mem_t *mctx = NULL;
-const char *engine = NULL;
/*
* The domain we are working on
*/
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "\n");
fprintf(stderr, "Options:\n");
- fprintf(stderr, " -E <engine>: name of an OpenSSL engine to use\n");
fprintf(stderr, " -e <date/offset>: end date\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -f: KSR file to sign\n");
fatal("unable to load dnssec-policy '%s' from '%s'",
ksr->policy, ksr->configfile);
}
- kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, engine,
- kasp);
+ kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, kasp);
if (*kasp == NULL) {
fatal("failed to load dnssec-policy '%s'", ksr->policy);
}
while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'e':
ksr.end = strtotime(isc_commandline_argument, ksr.now,
fatal("must provide a command and zone name");
}
- ret = dst_lib_init(mctx, engine);
+ ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
Synopsis
~~~~~~~~
-:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
+:program:`dnssec-ksr` [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
Description
~~~~~~~~~~~
Options
~~~~~~~
-.. option:: -E engine
-
- This option specifies the cryptographic hardware to use, when applicable.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -e date/offset
This option sets the end date for which keys or SKRs need to be generated
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
- fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -K directory: use directory for key files\n");
int
main(int argc, char **argv) {
isc_result_t result;
- const char *engine = NULL;
char const *filename = NULL;
char *dir = NULL;
char newname[1024], oldname[1024];
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
switch (ch) {
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
force = true;
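Review bot: The option string on the `while` line still lists `E:`, which is what makes the new `case 'E'` reachable so that a leftover `-E pkcs11` in a script fails with the DST_R_NOENGINE text instead of an unknown-option error; nothing records that this is deliberate, so a later cleanup of the option string would silently change the failure mode. Add a comment above the case, e.g. `/* -E is still parsed only so it can be rejected: OpenSSL engine support is gone. */`. The `break;` after `fatal()` is unreachable assuming `fatal` does not return, which its use after the `dst_lib_init` failure checks elsewhere in this diff suggests — harmless, but `-Wunreachable-code` will flag it. main() begins and ends outside this hunk.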
}
}
- result = dst_lib_init(mctx, engine);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
Synopsis
~~~~~~~~
-:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
+:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-f**] [**-R**] {keyfile}
Description
~~~~~~~~~~~
This option prints version information.
-.. option:: -E engine
-
- This option specifies the cryptographic hardware to use, when applicable.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -f
This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair,
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
- fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
int
main(int argc, char **argv) {
isc_result_t result;
- const char *engine = NULL;
const char *filename = NULL;
char *directory = NULL;
char keystr[DST_KEY_FORMATSIZE];
&setdstime);
break;
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
force = true;
fatal("Options -g, -d, -k, -r and -z require -s to be set");
}
- result = dst_lib_init(mctx, engine);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
Synopsis
~~~~~~~~
-:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
+:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
Description
~~~~~~~~~~~
This option sets the debugging level.
-.. option:: -E engine
-
- This option specifies the cryptographic hardware to use, when applicable.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
Timing Options
~~~~~~~~~~~~~~
fprintf(stderr, "\t-a:\t");
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
- fprintf(stderr, "\t-E engine:\n");
- fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
fprintf(stderr, "\t-Q:\t");
dns_dnsseckey_t *key;
isc_result_t result, vresult;
isc_log_t *log = NULL;
- const char *engine = NULL;
bool free_output = false;
int tempfilelen = 0;
dns_rdataclass_t rdclass;
break;
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'e':
}
}
- result = dst_lib_init(mctx, engine);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
Synopsis
~~~~~~~~
-:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
+:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>`
or serial-number updating.
-.. option:: -E engine
-
- This option specifies the hardware to use for cryptographic
- operations, such as a secure key store used for signing, when applicable.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)
fprintf(stderr, "\t-I format:\n");
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
- fprintf(stderr, "\t-E engine:\n");
- fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
- const char *engine = NULL;
char *classname = NULL;
dns_rdataclass_t rdclass;
char *endp;
break;
case 'E':
- engine = isc_commandline_argument;
+ fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'I':
}
}
- result = dst_lib_init(mctx, engine);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
Synopsis
~~~~~~~~
-:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
+:program:`dnssec-verify` [**-c** class] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
Description
~~~~~~~~~~~
This option specifies the DNS class of the zone.
-.. option:: -E engine
-
- This option specifies the cryptographic hardware to use, when applicable.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -I input-format
This option sets the format of the input zone file. Possible formats are ``text``
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
- const char *name, const char *keydir, const char *engine,
- dns_kasp_t **kaspp) {
+ const char *name, const char *keydir, dns_kasp_t **kaspp) {
isc_result_t result = ISC_R_NOTFOUND;
const cfg_listelt_t *element;
const cfg_obj_t *kasps = NULL;
{
cfg_obj_t *kconfig = cfg_listelt_value(element);
ks = NULL;
- result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
- &kslist, NULL);
+ result = cfg_keystore_fromconfig(kconfig, mctx, lctx, &kslist,
+ NULL);
if (result != ISC_R_SUCCESS) {
fatal("failed to configure key-store '%s': %s",
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
}
/* Default key-directory key store. */
ks = NULL;
- (void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
+ (void)cfg_keystore_fromconfig(NULL, mctx, lctx, &kslist, &ks);
INSIST(ks != NULL);
if (keydir != NULL) {
/* '-K keydir' takes priority */
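Review bot: The default key-directory store on the `(void)cfg_keystore_fromconfig(NULL, …)` line still discards the result and relies on `INSIST(ks != NULL)` to detect failure, while the configured key stores in the loop above the same function are checked and reported through `fatal()`. With the engine argument gone the remaining failure modes here are presumably allocation or config errors, and an assertion abort is a worse diagnostic than the message style already used; consider `result = cfg_keystore_fromconfig(NULL, mctx, lctx, &kslist, &ks); if (result != ISC_R_SUCCESS) { fatal("failed to configure default key-store: %s", isc_result_totext(result)); }` and keep the `INSIST` after it. kasp_from_conf starts and ends outside this hunk.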
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
- const char *name, const char *keydir, const char *engine,
- dns_kasp_t **kaspp);
+ const char *name, const char *keydir, dns_kasp_t **kaspp);
EXTERN const char *named_g_username INIT(NULL);
-EXTERN const char *named_g_engine INIT(NULL);
-
EXTERN isc_time_t named_g_boottime;
EXTERN isc_time_t named_g_configtime;
EXTERN bool named_g_memstatistics INIT(false);
static void
usage(void) {
fprintf(stderr, "usage: named [-4|-6] [-c conffile] [-d debuglevel] "
- "[-D comment] [-E engine]\n"
+ "[-D comment]\n"
" [-f|-g] [-L logfile] [-n number_of_cpus] "
"[-p port] [-s]\n"
" [-S sockets] [-t chrootdir] [-u "
printf("threads support is enabled\n");
isc_mem_create(&mctx);
- result = dst_lib_init(mctx, named_g_engine);
+ result = dst_lib_init(mctx);
if (result == ISC_R_SUCCESS) {
isc_buffer_init(&b, buf, sizeof(buf));
format_supported_algorithms(printit);
/* Descriptive comment for 'ps'. */
break;
case 'E':
- named_g_engine = isc_commandline_argument;
+ named_main_earlyfatal(
+ "%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
named_g_foreground = true;
Synopsis
~~~~~~~~
-:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ]
+:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ]
Description
~~~~~~~~~~~
This option specifies a string that is used to identify a instance of :program:`named`
in a process listing. The contents of ``string`` are not examined.
-.. option:: -E engine-name
-
- When applicable, this option specifies the hardware to use for cryptographic
- operations, such as a secure key store used for signing.
-
- When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
- engine identifier that drives the cryptographic accelerator or
- hardware service module (usually ``pkcs11``).
-
.. option:: -f
This option runs the server in the foreground (i.e., do not daemonize).
* Create the built-in key store ("key-directory").
*/
result = cfg_keystore_fromconfig(NULL, named_g_mctx, named_g_lctx,
- named_g_engine, &keystorelist, NULL);
+ &keystorelist, NULL);
if (result != ISC_R_SUCCESS) {
goto cleanup_keystorelist;
}
cfg_obj_t *kconfig = cfg_listelt_value(element);
keystore = NULL;
result = cfg_keystore_fromconfig(kconfig, named_g_mctx,
- named_g_lctx, named_g_engine,
- &keystorelist, NULL);
+ named_g_lctx, &keystorelist,
+ NULL);
if (result != ISC_R_SUCCESS) {
goto cleanup_keystorelist;
}
ISC_LIST_INIT(server->viewlist);
/* Must be first. */
- CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
- "initializing DST");
+ CHECKFATAL(dst_lib_init(named_g_mctx), "initializing DST");
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
&server->in_roothints),
result = dns_dispatchmgr_create(gmctx, loopmgr, netmgr, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
- result = dst_lib_init(gmctx, NULL);
+ result = dst_lib_init(gmctx);
check_result(result, "dst_lib_init");
is_dst_up = true;
rm -f ns*/dig.out.*
rm -f ns*/K*
rm -f ns*/keygen.out.*
-rm -f ns*/named.conf ns1/named.args ns1/named.run ns1/named.memstats
+rm -f ns*/named.conf ns1/named.run ns1/named.memstats
rm -f ns*/pin
rm -f ns*/update.cmd.*
rm -f ns*/update.log.*
--- /dev/null
+-D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152
+++ /dev/null
-@ENGINE_ARGS@ -D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152
--- /dev/null
+-D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152
+++ /dev/null
-@ENGINE_ARGS@ -D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152
dir="$4"
shift 4
- $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
+ $KEYFRLAB -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
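Review bot: The new `$KEYFRLAB` line leaves `$dir`, `$alg` and `$zone` unquoted while `"$@"` and the label are quoted; with the engine argument gone there is no remaining reason for word-splitting on that line, so quote them for consistency: `$KEYFRLAB -K "$dir" -a "$alg" -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" "$zone" >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1`. The quoting predates this change; the helper function starts outside the hunk.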
# Setup ns1.
copy_setports ns1/named.conf.in ns1/named.conf
-sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
mkdir ns1/keys
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}"
- $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1
+ $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
# Setup ns2 (with views).
copy_setports ns2/named.conf.in ns2/named.conf
-sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns2/named.args.in >ns2/named.args
mkdir ns2/keys
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile1}"
- $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1
+ $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1
test "$ret" -eq 0 || exit 1
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile2}"
- $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1
+ $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
n=$((n + 1))
ret=0
echo_i "Test dnssec-keygen for $zone ($n)"
- $KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
+ $KEYGEN -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
check_keys $zone 2 || ret=1
status=$((status + ret))
int answer;
isc_mem_create(&mctx);
- dst_lib_init(mctx, NULL);
+ dst_lib_init(mctx);
answer = dst_algorithm_supported(DST_ALG_HMACMD5) ? 0 : 1;
dst_lib_destroy();
isc_mem_detach(&mctx);
int answer;
isc_mem_t *mctx = NULL;
isc_mem_create(&mctx);
- dst_lib_init(mctx, NULL);
+ dst_lib_init(mctx);
answer = dst_algorithm_supported(DST_ALG_RSASHA1) ? 0 : 1;
dst_lib_destroy();
isc_mem_detach(&mctx);
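Review bot: The result of `dst_lib_init(mctx)` is discarded on the line before the `dst_algorithm_supported` call, so an initialization failure (for example a broken OpenSSL or provider setup) is reported as "RSASHA1 unsupported" rather than as an error; if this probe drives a build- or test-time decision, as its shape suggests, that silently disables whatever depends on the answer. Check it, e.g. `if (dst_lib_init(mctx) != ISC_R_SUCCESS) { isc_mem_detach(&mctx); return 2; }`, using whatever exit status the caller can tell apart from 0/1 — how the caller interprets the status is not visible here. The same applies to the HMAC-MD5 probe above. The enclosing function begins and ends outside this hunk.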
"OPENSSL_CONF": os.getenv("OPENSSL_CONF", None),
"SOFTHSM2_CONF": os.getenv("SOFTHSM2_CONF", None),
"SOFTHSM2_MODULE": None,
- "ENGINE_ARG": None,
}
def parse_openssl_config(path: Optional[str]):
if path is None or not os.path.exists(path):
- OPENSSL_VARS["ENGINE_ARG"] = None
OPENSSL_VARS["SOFTHSM2_MODULE"] = None
- os.environ.pop("ENGINE_ARG", None)
os.environ.pop("SOFTHSM2_MODULE", None)
return
assert os.path.isfile(path), f"{path} exists, but it's not a file"
if res:
key = res.group(1).strip()
val = res.group(2).strip()
- if key == "engine_id":
- OPENSSL_VARS["ENGINE_ARG"] = f"-E {val}"
- os.environ["ENGINE_ARG"] = f"-E {val}"
- log.debug("ENGINE_ARG set to {OPENSSL_VARS['ENGINE_ARG']}")
- elif key in ["MODULE_PATH", "pkcs11-module-path"]:
+ if key in ["MODULE_PATH", "pkcs11-module-path"]:
OPENSSL_VARS["SOFTHSM2_MODULE"] = val
os.environ["SOFTHSM2_MODULE"] = val
log.debug(
id="$3"
shift 3
- $KEYFRLAB $ENGINE_ARG -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1
+ $KEYFRLAB -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
echo_i "Sign zone with $ksk $zsk"
ret=0
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
- $SIGNER $ENGINE_ARG -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1
+ $SIGNER -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
fi
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
isc_mem_create(&mctx);
- CHECK(dst_lib_init(mctx, NULL));
+ CHECK(dst_lib_init(mctx));
dst_active = true;
isc_log_create(mctx, &lctx, &logconfig);
isc_log_create(mctx, &lctx, &lcfg);
- RUNCHECK(dst_lib_init(mctx, NULL));
+ RUNCHECK(dst_lib_init(mctx));
RUNCHECK(dns_dispatchmgr_create(mctx, loopmgr, netmgr, &dispatchmgr));
}
isc_mem_create(&mctx);
- CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()");
+ CHECK(dst_lib_init(mctx), "dst_lib_init()");
isc_log_create(mctx, &log_, &logconfig);
isc_log_setcontext(log_);
dns_log_init(log_);
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
isc_log_create(mctx, &lctx, &lcfg);
- RUNCHECK(dst_lib_init(mctx, NULL));
+ RUNCHECK(dst_lib_init(mctx));
isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
ISC_LIST_INIT(queries);
- ``perl``
- ``pkg-config`` / ``pkgconfig`` / ``pkgconf``
-BIND 9.20 requires ``libuv`` 1.34.0 or higher, using ``libuv`` >= 1.40.0
-is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is
-not supported, as this could lead to an assertion failure in the UDP
-receive code. On older systems, an updated ``libuv`` package needs to be
-installed from sources such as EPEL, PPA, or other native sources. The
-other option is to build and install ``libuv`` from source.
-
-OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed
-in a nonstandard location, specify the prefix using
-``--with-openssl=<PREFIX>`` on the ``configure`` command line. To use a
-PKCS#11 hardware service module for cryptographic operations,
-``engine_pkcs11`` from the OpenSC project must be compiled and used.
+BIND 9.20 requires ``libuv`` 1.37.0 or higher, using ``libuv`` >= 1.40.0 is
+recommended. On older systems, an updated ``libuv`` package needs to be
+installed from sources such as EPEL, PPA, or other native sources. The other
+option is to build and install ``libuv`` from source.
+
+OpenSSL 1.1.1 or newer is required. If the OpenSSL library is installed
+in a nonstandard location, specify the prefix using ``PKG_CONFIG_PATH``.
+
+To use a PKCS#11 hardware service module for cryptographic operations,
+PKCS#11 Provider (https://github.com/latchset/pkcs11-provider/tree/main)
+must be compiled, configured and used directly in the OpenSSL 3.x.
The Userspace RCU library ``liburcu`` (https://liburcu.org/) is used
for lock-free data structures and concurrent safe memory reclamation.
hardware. The PKCS#11 provider library comes from the HSM vendor, and it
is specific to the HSM to be controlled.
-BIND 9 access PKCS#11 libraries via OpenSSL extensions. The extension for
-OpenSSL 3 and newer is `pkcs11-provider`_. And for the older OpenSSL versions
-engine_pkcs11 from the `OpenSC`_ project can be used.
+BIND 9 access PKCS#11 libraries via OpenSSL Providers. The provider for
+OpenSSL 3 and newer is `pkcs11-provider`_.
.. _`pkcs11-provider`: https://github.com/latchset/pkcs11-provider
-.. _OpenSC: https://github.com/OpenSC/libp11
In both cases the extension is dynamically loaded into OpenSSL and the HSM is
operated indirectly; any cryptographic operations not supported by the HSM can
$ make install
$ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
-OpenSSL 1.x.x with engine_pkcs11
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-OpenSSL engine-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
-
-engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL.
-That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine
-API. One has to register the engine with OpenSSL and one has to provide the
-path to the PKCS#11 module which should be gatewayed to. This can be done by
-editing the OpenSSL configuration file, by engine specific controls, or by using
-the p11-kit proxy module.
-
-It is recommended, that libp11 >= 0.4.12 is used.
-
-For more detailed howto including the examples, we recommend reading:
-
-https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
-
-When using engine_pkcs11, all BIND binaries potentially need the keys require
-'-E pkcs11' argument to activate the engine support.
-
-Even though OpenSSL 3 has compatibility support for Engine API it is not
-recommended to be used due to bugs in OpenSSL and libp11.
-
-It is not possible to generate new keys via the engine_pkcs11 and therefore it
-is not recommended to use it in a ``dnssec-policy`` setup (although it is
-possible to put previously generated keys in the ``key-directory`` and let the
-key manager select those keys when a key rollover is started.
-
-Configuring engine_pkcs11
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The canonical documentation for configuring engine_pkcs11 is in the
-`libp11/README.md`_, but here's copy of working configuration for
-your convenience:
-
-.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration
-
-We are going to use our own custom copy of OpenSSL configuration, again it's
-driven by an environment variable, this time called OPENSSL_CONF. We are
-going to copy the global OpenSSL configuration (often found in
-``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
-
-::
-
- cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
-
-and export the environment variable:
-
-::
-
- export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
-
-Now add the following line at the top of file, before any sections (in square
-brackets) are defined:
-
-::
-
- openssl_conf = openssl_init
-
-And make sure there are no other 'openssl_conf = ...' lines in the file.
-
-Add following lines at the bottom of the file:
-
-::
-
- [openssl_init]
- engines=engine_section
-
- [engine_section]
- pkcs11 = pkcs11_section
-
- [pkcs11_section]
- engine_id = pkcs11
- dynamic_path = <PATHTO>/pkcs11.so
- MODULE_PATH = <FULL_PATH_TO_HSM_MODULE>
- # if automatic logging to the token is needed, PIN can be specified as below
- #PIN = 1234
- init = 0
-
-Enabling the OpenSSL Engine in BIND commands
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-When using OpenSSL Engine-based PKCS#11, the "engine" to be used by OpenSSL can be
-specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E
-<engine>`` command line option. This engine name matches the 'engine_id' in the
-``openssl.cnf`` created in previous section.
-
-The zone signing commences as usual, with only one small difference. We need to
-provide the name of the OpenSSL engine using the -E command line option.
-
-::
-
- dnssec-signzone -E pkcs11 -S -o example.net example.net
-
-
OpenSSL 3 with pkcs11-provider
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
pkcs11-provider tries to fit the PKCS#11 API within the Provider API of OpenSSL.
That is, it provides a gateway between PKCS#11 modules and the OpenSSL Provider
-API. One has to register the engine with OpenSSL and one has to provide the
+API. One has to register the provider with OpenSSL and one has to provide the
path to the PKCS#11 module which should be gatewayed to. This can be done by
-editing the OpenSSL configuration file, by engine specific controls, or by using
-the p11-kit proxy module.
+editing the OpenSSL configuration file, using provider specific controls, or
+by using the p11-kit proxy module.
-It is required to use pkcs11-provider git commit
-2e8c26b4157fd21422c66f0b4d7b26cf8c320570 from October 2, 2023 or later.
-
-BIND support for pkcs11-provider is built in and the -E command line option
-explained above should not be used.
+It is required to use pkcs11-provider version 0.3 or later. It is recommended
+to use the lastest version available.
Configuring pkcs11-provider
^^^^^^^^^^^^^^^^^^^^^^^^^^^
have a BIND 9 installed, either from a package, or from the sources, and the
tools are readily available in the ``$PATH``.
-For generating the keys, we are going to use ``pkcs11-tool`` available from the
-OpenSC suite. On both DEB-based and RPM-based distributions, the package is
-called opensc.
+A zone that is configured with ``dnssec-policy`` can generate keys through
+the PKCS#11 Provider API of OpenSSL.
+
+If you want to create keys manually, the ``pkcs11-tool`` available from the
+`OpenSC`_ suite can be used. On both DEB-based and RPM-based distributions,
+the package is called opensc.
+
+.. _OpenSC: https://github.com/OpenSC/libp11
We need to generate at least two RSA keys:
The :iscman:`dnssec-keyfromlabel` tool from BIND 9 can link the raw keys stored in the
HSM with the ``K<zone>+<alg>+<id>`` files.
-You'll need to provide the OpenSSL engine name (``pkcs11``) if using the engine and
-the algorithm (``RSASHA256``). The key is referenced with the PKCS#11 URI scheme and it
-can contain the PKCS#11 token label (we asume that it has been initialized as bind9),
-and the PKCS#11 object label (called label when generating the keys using ``pkcs11-tool``)
-and the HSM PIN. Refer to :rfc:`7512` for the full PKCS#11 URI specification.
+You'll need to provide the algorithm (``RSASHA256``). The key is referenced with
+the PKCS#11 URI scheme and it can contain the PKCS#11 token label (we asume that
+it has been initialized as bind9), and the PKCS#11 object label (called label
+when generating the keys using ``pkcs11-tool``) and the HSM PIN. Refer to
+:rfc:`7512` for the full PKCS#11 URI specification.
Convert the KSK:
::
- dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
+ dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
and ZSK:
::
- dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net
+ dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net
NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
Running :iscman:`named` With Automatic Zone Re-signing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-The zone can also be signed automatically by named. Again, we need to provide
-the name of the OpenSSL engine using the :option:`-E <named -E>` command line option,
-if using OpenSSL 1.x.x with engine_pkcs11, and this is not needed when using OpenSSL 3.x.x providers.
-
-::
-
- named -E pkcs11 -c named.conf
+Once the keys are created, the zone can also be signed automatically by named
+without further requisites.
-and the logs should have lines like:
+The logs should have lines like:
::
isc_mem_create(&mctx);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "dst_lib_init failed: %s\n",
isc_result_totext(result));
} while (0);
isc_result_t
-dst_lib_init(isc_mem_t *mctx, const char *engine) {
+dst_lib_init(isc_mem_t *mctx) {
isc_result_t result;
REQUIRE(mctx != NULL);
REQUIRE(!dst_initialized);
- UNUSED(engine);
-
memset(dst_t_func, 0, sizeof(dst_t_func));
- RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */
+ dst__openssl_init(); /* Sets FIPS mode. */
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
isc_result_t
dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- const char *engine, const char *label, const char *pin,
- isc_mem_t *mctx, dst_key_t **keyp) {
+ const char *label, const char *pin, isc_mem_t *mctx,
+ dst_key_t **keyp) {
dst_key_t *key;
isc_result_t result;
return (DST_R_UNSUPPORTEDALG);
}
- result = key->func->fromlabel(key, engine, label, pin);
+ result = key->func->fromlabel(key, label, pin);
if (result != ISC_R_SUCCESS) {
dst_key_free(&key);
return (result);
if (key->directory != NULL) {
isc_mem_free(mctx, key->directory);
}
- if (key->engine != NULL) {
- isc_mem_free(mctx, key->engine);
- }
if (key->label != NULL) {
isc_mem_free(mctx, key->label);
}
dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */
isc_mem_t *mctx; /*%< memory context */
char *directory; /*%< key directory */
- char *engine; /*%< engine name (HSM) */
- char *label; /*%< engine label (HSM) */
+ char *label; /*%< HSM label */
union {
void *generic;
dns_gss_ctx_id_t gssctx;
/* cleanup */
void (*cleanup)(void);
- isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
- const char *label, const char *pin);
+ isc_result_t (*fromlabel)(dst_key_t *key, const char *label,
+ const char *pin);
isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
int *length);
isc_result_t (*restore)(dst_key_t *key, const char *keystr);
/*%
* Initializers
*/
-isc_result_t
-dst__openssl_init(const char *engine);
+void
+dst__openssl_init(void);
isc_result_t
dst__hmacmd5_init(struct dst_func **funcp);
dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname,
isc_result_t fallback, const char *file, int line);
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-ENGINE *
-dst__openssl_getengine(const char *engine);
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
-
isc_result_t
-dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
- const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv);
+dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,
+ EVP_PKEY **ppub, EVP_PKEY **ppriv);
bool
dst__openssl_keypair_compare(const dst_key_t *key1, const dst_key_t *key2);
unsigned int magic;
isc_mem_t *mctx;
const char *name;
- const char *engine;
/* Internals. */
isc_mutex_t lock;
#define DNS_KEYSTORE_KEYDIRECTORY "key-directory"
isc_result_t
-dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine,
- dns_keystore_t **kspp);
+dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp);
/*%<
* Create a key store.
*
*
*\li 'name' is a valid C string.
*
- *\li 'engine' is the name of the OpenSSL engine to use, may be NULL.
- *
*\li kspp != NULL && *kspp == NULL
*
* Returns:
*\li name of 'keystore'.
*/
-const char *
-dns_keystore_engine(dns_keystore_t *keystore);
-/*%<
- * Get keystore engine.
- *
- * Requires:
- *
- *\li 'keystore' is a valid keystore.
- *
- * Returns:
- *
- *\li engine of 'keystore'. May be NULL.
- */
-
const char *
dns_keystore_directory(dns_keystore_t *keystore, const char *keydir);
/*%<
*** Functions
***/
isc_result_t
-dst_lib_init(isc_mem_t *mctx, const char *engine);
+dst_lib_init(isc_mem_t *mctx);
/*%<
* Initializes the DST subsystem.
*
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOMEMORY
- * \li DST_R_NOENGINE
*
* Ensures:
* \li DST is properly initialized.
isc_result_t
dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
- const char *engine, const char *label, const char *pin,
- isc_mem_t *mctx, dst_key_t **keyp);
+ const char *label, const char *pin, isc_mem_t *mctx,
+ dst_key_t **keyp);
isc_result_t
dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,
#include <dns/keyvalues.h>
isc_result_t
-dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine,
- dns_keystore_t **kspp) {
+dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp) {
dns_keystore_t *keystore;
REQUIRE(name != NULL);
REQUIRE(kspp != NULL && *kspp == NULL);
keystore = isc_mem_get(mctx, sizeof(*keystore));
- keystore->engine = engine;
keystore->mctx = NULL;
isc_mem_attach(mctx, &keystore->mctx);
return (keystore->name);
}
-const char *
-dns_keystore_engine(dns_keystore_t *keystore) {
- REQUIRE(DNS_KEYSTORE_VALID(keystore));
-
- return (keystore->engine);
-}
-
const char *
dns_keystore_directory(dns_keystore_t *keystore, const char *keydir) {
if (keystore == NULL) {
#include "dst_internal.h"
#include "dst_openssl.h"
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-#include <openssl/engine.h>
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/core_names.h>
#include <openssl/store.h>
goto err; \
}
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-static ENGINE *global_engine = NULL;
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
-
static void
enable_fips_mode(void) {
#if defined(ENABLE_FIPS_MODE)
#endif
}
-isc_result_t
-dst__openssl_init(const char *engine) {
+void
+dst__openssl_init(void) {
enable_fips_mode();
-
- if (engine != NULL && *engine == '\0') {
- engine = NULL;
- }
-
- if (engine == NULL) {
- return (ISC_R_SUCCESS);
- }
-
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
- global_engine = ENGINE_by_id(engine);
- if (global_engine == NULL) {
- goto cleanup_rm;
- }
- if (!ENGINE_init(global_engine)) {
- goto cleanup_rm;
- }
- /* This will init the engine. */
- if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
- goto cleanup_init;
- }
- return (ISC_R_SUCCESS);
-cleanup_init:
- ENGINE_finish(global_engine);
-cleanup_rm:
- if (global_engine != NULL) {
- ENGINE_free(global_engine);
- }
- ERR_clear_error();
- global_engine = NULL;
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
- return (DST_R_NOENGINE);
}
void
dst__openssl_destroy(void) {
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
- if (global_engine != NULL) {
- ENGINE_finish(global_engine);
- ENGINE_free(global_engine);
- }
- global_engine = NULL;
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
+ /* No-op */
}
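Review bot: `dst__openssl_destroy()` is left as an empty body with only `/* No-op */`, which tells a reader nothing about why the function survives the removal; if it is kept for symmetry with `dst__openssl_init()` and for the `dst__openssl_*` lifecycle that `dst_lib_destroy()` presumably still calls, say so. Suggested comment in place of the current one: `/* Nothing to release now that OpenSSL Engine support is gone; kept so dst_lib_destroy() keeps a matching teardown hook for dst__openssl_init(). */`. Alternatively drop the function and its call sites, but that is a larger change than this hunk shows.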
static isc_result_t
return (result);
}
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-ENGINE *
-dst__openssl_getengine(const char *engine) {
- if (engine == NULL) {
- return (NULL);
- }
- if (global_engine == NULL) {
- return (NULL);
- }
- if (strcmp(engine, ENGINE_get_id(global_engine)) == 0) {
- return (global_engine);
- }
- return (NULL);
-}
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
-
-static isc_result_t
-dst__openssl_fromlabel_engine(int key_base_id, const char *engine,
- const char *label, const char *pin,
- EVP_PKEY **ppub, EVP_PKEY **ppriv) {
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
- isc_result_t ret = ISC_R_SUCCESS;
- ENGINE *e = NULL;
-
- UNUSED(pin);
-
- e = dst__openssl_getengine(engine);
- if (e == NULL) {
- DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
- }
-
- *ppub = ENGINE_load_public_key(e, label, NULL, NULL);
- if (*ppub == NULL) {
- DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_base_id(*ppub) != key_base_id) {
- DST_RET(DST_R_BADKEYTYPE);
- }
-
- *ppriv = ENGINE_load_private_key(e, label, NULL, NULL);
- if (*ppriv == NULL) {
- DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
- DST_R_OPENSSLFAILURE));
- }
- if (EVP_PKEY_base_id(*ppriv) != key_base_id) {
- DST_RET(DST_R_BADKEYTYPE);
- }
-err:
- return (ret);
-#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
- UNUSED(key_base_id);
- UNUSED(engine);
- UNUSED(label);
- UNUSED(pin);
- UNUSED(ppub);
- UNUSED(ppriv);
- return (DST_R_NOENGINE);
-#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
-}
-
static isc_result_t
dst__openssl_fromlabel_provider(int key_base_id, const char *label,
const char *pin, EVP_PKEY **ppub,
}
isc_result_t
-dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
- const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {
- if (engine == NULL) {
- return (dst__openssl_fromlabel_provider(key_base_id, label, pin,
- ppub, ppriv));
- }
-
- if (*ppub != NULL) {
- EVP_PKEY_free(*ppub);
- *ppub = NULL;
- }
-
- if (*ppriv != NULL) {
- EVP_PKEY_free(*ppriv);
- *ppriv = NULL;
- }
-
- return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin,
- ppub, ppriv));
+dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,
+ EVP_PKEY **ppub, EVP_PKEY **ppriv) {
+ return (dst__openssl_fromlabel_provider(key_base_id, label, pin, ppub,
+ ppriv));
}
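Review bot: The removed engine path was the only place that freed a non-NULL `*ppub`/`*ppriv` before loading; after this hunk `dst__openssl_fromlabel()` forwards straight to `dst__openssl_fromlabel_provider()`, whose handling of already-populated output pointers is not visible here. The three visible callers (`opensslecdsa_fromlabel`, `openssleddsa_fromlabel`, `opensslrsa_fromlabel`) pass freshly NULL-initialised locals, so this is presumably safe, but the contract should be written down on the prototype in dst_openssl.h rather than relied on implicitly: a short comment stating that `*ppub` and `*ppriv` must be NULL on entry (or will be overwritten without being freed, whichever the provider function actually does). With the wrapper reduced to one call, also consider whether keeping two names for the same operation still earns its place.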
bool
priv.elements[i].data = buf;
i++;
}
- if (key->engine != NULL) {
- priv.elements[i].tag = TAG_ECDSA_ENGINE;
- priv.elements[i].length = (unsigned short)strlen(key->engine) +
- 1;
- priv.elements[i].data = (unsigned char *)key->engine;
- i++;
- }
if (key->label != NULL) {
priv.elements[i].tag = TAG_ECDSA_LABEL;
}
static isc_result_t
-opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin);
+opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin);
static isc_result_t
opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
EVP_PKEY *pkey = NULL;
- const char *engine = NULL;
const char *label = NULL;
int i, privkey_index = -1;
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_ECDSA_ENGINE:
- engine = (char *)priv.elements[i].data;
+ /* The Engine: tag is explicitly ignored */
break;
case TAG_ECDSA_LABEL:
label = (char *)priv.elements[i].data;
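Review bot: Silently discarding the `Engine:` tag changes the meaning of an existing private-key file without telling the operator: a key that previously had to be reached through a named engine will now be resolved by `Label:` through whatever OpenSSL provider is configured, and any mismatch surfaces only as a generic fromlabel failure later in the parse. A one-line log at debug or info level when the tag is present ("Engine: tag in key file is ignored; OpenSSL Engine support was removed") would make migration failures diagnosable; the same applies to the parallel cases at TAG_EDDSA_ENGINE (L1301-1304) and TAG_RSA_ENGINE (L1366-1369). The comment itself could also carry the why, e.g. `/* Engine: written by older versions is ignored; keys are loaded via the OpenSSL provider using Label: */`. The enclosing parse function starts before this hunk.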
}
if (label != NULL) {
- ret = opensslecdsa_fromlabel(key, engine, label, NULL);
+ ret = opensslecdsa_fromlabel(key, label, NULL);
if (ret != ISC_R_SUCCESS) {
goto err;
}
}
static isc_result_t
-opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin) {
+opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin) {
EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
REQUIRE(opensslecdsa_valid_key_alg(key->key_alg));
UNUSED(pin);
- ret = dst__openssl_fromlabel(EVP_PKEY_EC, engine, label, pin, &pubpkey,
+ ret = dst__openssl_fromlabel(EVP_PKEY_EC, label, pin, &pubpkey,
&privpkey);
if (ret != ISC_R_SUCCESS) {
goto err;
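Review bot: `UNUSED(pin);` on the line before `dst__openssl_fromlabel(EVP_PKEY_EC, label, pin, ...)` is now misleading rather than merely redundant: with the engine path gone, `pin` is genuinely consumed by the provider-backed lookup, so the macro's claim that the parameter is unused is false. Suggest deleting the `UNUSED(pin);` line here and the matching one in `openssleddsa_fromlabel` (L1323); `opensslrsa_fromlabel` (L1381-1391) already does without it, so this also restores consistency across the three backends. If `UNUSED()` expands to a plain `(void)` cast this is harmless at run time, but it still misdirects the next reader. The function body continues outside the hunk.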
goto err;
}
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;
}
static isc_result_t
-openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin);
+openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin);
static isc_result_t
openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
priv.elements[i].data = buf;
i++;
}
- if (key->engine != NULL) {
- priv.elements[i].tag = TAG_EDDSA_ENGINE;
- priv.elements[i].length = (unsigned short)strlen(key->engine) +
- 1;
- priv.elements[i].data = (unsigned char *)key->engine;
- i++;
- }
if (key->label != NULL) {
priv.elements[i].tag = TAG_EDDSA_LABEL;
priv.elements[i].length = (unsigned short)strlen(key->label) +
dst_private_t priv;
isc_result_t ret;
int i, privkey_index = -1;
- const char *engine = NULL, *label = NULL;
+ const char *label = NULL;
EVP_PKEY *pkey = NULL;
size_t len;
isc_mem_t *mctx = key->mctx;
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_EDDSA_ENGINE:
- engine = (char *)priv.elements[i].data;
+ /* The Engine: tag is explicitly ignored */
break;
case TAG_EDDSA_LABEL:
label = (char *)priv.elements[i].data;
}
if (label != NULL) {
- ret = openssleddsa_fromlabel(key, engine, label, NULL);
+ ret = openssleddsa_fromlabel(key, label, NULL);
if (ret != ISC_R_SUCCESS) {
goto err;
}
}
static isc_result_t
-openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin) {
+openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin) {
const eddsa_alginfo_t *alginfo = openssleddsa_alg_info(key->key_alg);
EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
REQUIRE(alginfo != NULL);
UNUSED(pin);
- ret = dst__openssl_fromlabel(alginfo->pkey_type, engine, label, pin,
- &pubpkey, &privpkey);
+ ret = dst__openssl_fromlabel(alginfo->pkey_type, label, pin, &pubpkey,
+ &privpkey);
if (ret != ISC_R_SUCCESS) {
goto err;
}
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;
i++;
}
- if (key->engine != NULL) {
- priv.elements[i].tag = TAG_RSA_ENGINE;
- priv.elements[i].length = (unsigned short)strlen(key->engine) +
- 1;
- priv.elements[i].data = (unsigned char *)key->engine;
- i++;
- }
-
if (key->label != NULL) {
priv.elements[i].tag = TAG_RSA_LABEL;
priv.elements[i].length = (unsigned short)strlen(key->label) +
}
static isc_result_t
-opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin);
+opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin);
static isc_result_t
opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
isc_result_t ret;
int i;
isc_mem_t *mctx = NULL;
- const char *engine = NULL, *label = NULL;
+ const char *label = NULL;
EVP_PKEY *pkey = NULL;
rsa_components_t c = { .bnfree = true };
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_RSA_ENGINE:
- engine = (char *)priv.elements[i].data;
+ /* The Engine: tag is explicitly ignored */
break;
case TAG_RSA_LABEL:
label = (char *)priv.elements[i].data;
* See if we can fetch it.
*/
if (label != NULL) {
- ret = opensslrsa_fromlabel(key, engine, label, NULL);
+ ret = opensslrsa_fromlabel(key, label, NULL);
if (ret != ISC_R_SUCCESS) {
DST_RET(ret);
}
}
static isc_result_t
-opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
- const char *pin) {
+opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin) {
EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
- ret = dst__openssl_fromlabel(EVP_PKEY_RSA, engine, label, pin, &pubpkey,
+ ret = dst__openssl_fromlabel(EVP_PKEY_RSA, label, pin, &pubpkey,
&privpkey);
if (ret != ISC_R_SUCCESS) {
goto err;
DST_RET(ISC_R_RANGE);
}
- if (engine != NULL) {
- key->engine = isc_mem_strdup(key->mctx, engine);
- }
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;
#include <string.h>
#include <openssl/crypto.h>
-#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/opensslv.h>
#pragma once
#include <openssl/crypto.h>
-#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/opensslv.h>
[DST_R_COMPUTESECRETFAILURE] = "failure computing a shared secret",
[DST_R_NORANDOMNESS] = "no randomness available",
[DST_R_BADKEYTYPE] = "bad key type",
- [DST_R_NOENGINE] = "no engine",
+ [DST_R_NOENGINE] = "OpenSSL Engine support has been removed; "
+ "use OpenSSL Providers for PKCS#11",
[DST_R_EXTERNALKEY] = "illegal operation for an external key",
[DNS_R_NOERROR] = "NOERROR",
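Review bot: The new text for `DST_R_NOENGINE` reads as migration advice, which is useful only if some code path still produces that result after this commit; both producers visible on this page (`dst__openssl_init` and `dst__openssl_fromlabel_engine`) are deleted, and whether `dst__openssl_fromlabel_provider` or anything else still returns it cannot be seen here. If nothing returns it any more, consider retiring the result code (or marking it reserved in the enum) rather than keeping a string that can never be shown; if something does, a brief comment naming that producer next to the entry would justify the wording. Either way the string itself is fine as a user-facing hint.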
#endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
0x30000000L */
- uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
- OPENSSL_INIT_LOAD_CONFIG;
+ uint64_t opts = OPENSSL_INIT_LOAD_CONFIG;
+
#if defined(OPENSSL_INIT_NO_ATEXIT)
/*
* We call OPENSSL_cleanup() manually, in a correct order, thus disable
}
}
- ret = cfg_keystore_fromconfig(kconfig, mctx,
- logctx, NULL,
- &kslist, NULL);
+ ret = cfg_keystore_fromconfig(
+ kconfig, mctx, logctx, &kslist, NULL);
if (ret != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = ret;
/*
* Add default key-store "key-directory".
*/
- tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist,
- NULL);
+ tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL);
if (tresult != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = tresult;
element = cfg_list_next(element))
{
cfg_obj_t *kcfg = cfg_listelt_value(element);
- (void)cfg_keystore_fromconfig(kcfg, mctx, logctx, NULL, &kslist,
+ (void)cfg_keystore_fromconfig(kcfg, mctx, logctx, &kslist,
NULL);
}
- (void)cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist, NULL);
+ (void)cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL);
/*
* Look for the dnssec-policy by name, which is the dnssec-policy
isc_result_t
cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
- isc_log_t *logctx, const char *engine,
- dns_keystorelist_t *keystorelist,
- dns_keystore_t **kspp);
+ isc_log_t *logctx, dns_keystorelist_t *keystorelist,
+ dns_keystore_t **kspp);
/*%<
* Create and configure a key store. If a 'keystorelist' is provided, a lookup
* happens and if a keystore already exists with the same name, no new one is
isc_result_t
cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
- isc_log_t *logctx, const char *engine,
- dns_keystorelist_t *keystorelist,
+ isc_log_t *logctx, dns_keystorelist_t *keystorelist,
dns_keystore_t **kspp) {
isc_result_t result;
const cfg_obj_t *maps[2];
* No key-store with configured name was found in list, create new one.
*/
INSIST(keystore == NULL);
- result = dns_keystore_create(mctx, name, engine, &keystore);
+ result = dns_keystore_create(mctx, name, &keystore);
if (result != ISC_R_SUCCESS) {
return (result);
}
setup_test(void **state) {
UNUSED(state);
- dst_lib_init(mctx, NULL);
+ dst_lib_init(mctx);
return (0);
}
UNUSED(state);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
UNUSED(state);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
UNUSED(state);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);
UNUSED(state);
- result = dst_lib_init(mctx, NULL);
+ result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);