explicit engine rt20230a

Francis Dupont 2009-10-05 17:30:49 +00:00
parent b56f3f5c66
commit 8b78c993cb
27 changed files with 348 additions and 254 deletions


@ -1,3 +1,7 @@
2703. [func] Introduce an OpenSSL "engine" argument with -E
for all binaries which can take benefit of
crypto hardware. [RT #20230]
2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
2701. [doc] Correction to ARM: hmac-md5 is no longer the only


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.40 2009/09/01 18:40:25 jinmei Exp $
# $Id: Makefile.in,v 1.41 2009/10/05 17:30:49 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -25,7 +25,7 @@ top_srcdir = @top_srcdir@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES}
CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\"
CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\" @USE_PKCS11@
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-dsfromkey.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
/* $Id: dnssec-dsfromkey.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -440,7 +440,8 @@ main(int argc, char **argv) {
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst");
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
setup_logging(verbose, mctx, &log);


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.17 2009/10/03 18:03:53 each Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -63,20 +63,28 @@ usage(void) {
fprintf(stderr, "Required options:\n");
fprintf(stderr, " -a algorithm: %s\n", algs);
fprintf(stderr, " -l label: label of the key pair\n");
#ifdef USE_PKCS11
fprintf(stderr, " (for instance \"pkcs11:foo\"\n");
#else
fprintf(stderr, " -E enginename\n");
#endif
fprintf(stderr, " name: owner of the key\n");
fprintf(stderr, "Other options:\n");
fprintf(stderr, " -c <class> (default: IN)\n");
fprintf(stderr, " -c class (default: IN)\n");
#ifdef USE_PKCS11
fprintf(stderr, " -E enginename (default: pkcs11)\n");
#endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
fprintf(stderr, " -k : generate a TYPE=KEY key\n");
fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
fprintf(stderr, " (DNSKEY generation defaults to ZONE\n");
fprintf(stderr, " -p <protocol>: default: 3 [dnssec]\n");
fprintf(stderr, " -t <type>: "
fprintf(stderr, " -p protocol: default: 3 [dnssec]\n");
fprintf(stderr, " -t type: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)\n");
fprintf(stderr, " -v <verbose level>\n");
fprintf(stderr, " -v verbose level\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
@ -97,6 +105,11 @@ int
main(int argc, char **argv) {
char *algname = NULL, *nametype = NULL, *type = NULL;
const char *directory = NULL;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *classname = NULL;
char *endp;
dst_key_t *key = NULL, *oldkey = NULL;
@ -116,7 +129,7 @@ main(int argc, char **argv) {
isc_entropy_t *ectx = NULL;
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL, *engine = NULL;
char *label = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
@ -140,7 +153,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
"a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case 'a':
@ -152,6 +165,9 @@ main(int argc, char **argv) {
case 'c':
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
if (toupper(isc_commandline_argument[0]) == 'K')
kskflag = DNS_KEYFLAG_KSK;
@ -270,10 +286,11 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
ret = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
ret = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
fatal("could not initialize dst");
fatal("could not initialize dst: %s",
isc_result_totext(ret));
setup_logging(verbose, mctx, &log);
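Review bot: In usage(), the non-PKCS11 build lists `-E enginename` under "Required options", yet main() initialises `engine` to NULL in that build and nothing in the visible hunks rejects a missing `-E`. If the option really is mandatory there, a check before dst_lib_init2() with a clear fatal() message would be better than a later failure to find the label; if it is not, the line belongs under "Other options". The PKCS11 hint string also has an unbalanced parenthesis: `(for instance \"pkcs11:foo\"` should end with `)` before the newline. Both usage() and main() continue outside the hunks, so an existing check may simply not be shown.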


@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.11 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
@ -50,6 +50,7 @@
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
@ -102,12 +103,23 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to pcks11.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
<listitem>
<para>
Specifies the label of keys in the crypto hardware
(PKCS#11 device).
Specifies the label of keys in the crypto hardware (OpenSSL
engine). An example for the pkcs11 engine is pkcs11:foo
(note the string pkcs11 is in both E and l options.)
</para>
</listitem>
</varlistentry>


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.98 2009/10/03 18:03:53 each Exp $ */
/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -115,6 +115,11 @@ usage(void) {
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
#ifdef USE_PKCS11
fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n");
#else
fprintf(stderr, " -E <engine name>\n");
#endif
fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n");
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator "
@ -173,6 +178,11 @@ main(int argc, char **argv) {
isc_buffer_t buf;
isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
dns_rdataclass_t rdclass;
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
int dbits = 0;
@ -198,7 +208,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
@ -247,6 +257,9 @@ main(int argc, char **argv) {
if (*endp != '\0' || dbits < 0)
fatal("-d requires a non-negative number");
break;
case 'E':
engine = isc_commandline_argument;
break;
case 'e':
rsa_exp = 1;
break;
@ -400,10 +413,11 @@ main(int argc, char **argv) {
if (ectx == NULL)
setup_entropy(mctx, NULL, &ectx);
ret = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
ret = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (ret != ISC_R_SUCCESS)
fatal("could not initialize dst");
fatal("could not initialize dst: %s",
isc_result_totext(ret));
setup_logging(verbose, mctx, &log);


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.29 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
@ -64,6 +64,7 @@
<arg><option>-C</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
@ -206,6 +207,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Uses a crypto hardware (OpenSSL engine) for random number
and, when supported, key generation. When compiled with PKCS#11
support it defaults to pcks11, the empty name resets it to
no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem>


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-revoke.c,v 1.13 2009/09/29 15:06:06 fdupont Exp $ */
/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -54,6 +54,13 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "\t-E engine:\n");
#ifdef USE_PKCS11
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -K directory: use directory for key files\n");
fprintf(stderr, " -h: help\n");
@ -70,6 +77,11 @@ usage(void) {
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *dir = NULL;
char newname[1024], oldname[1024];
char keystr[KEY_FORMATSIZE];
@ -93,8 +105,11 @@ main(int argc, char **argv) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv, "fK:rhv:")) != -1) {
while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
force = ISC_TRUE;
break;
@ -150,10 +165,11 @@ main(int argc, char **argv) {
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst");
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, dir,
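Review bot: The option string passed to isc_commandline_parse() lists `E` without a trailing colon (`"EfK:rhv:"`), so `-E` is parsed as a flag that takes no argument and the new `case 'E'` does not receive the engine name in isc_commandline_argument. The string should read `"E:fK:rhv:"`. The same omission is in the dnssec-settime.c string (`"EfK:uhp:v:P:A:R:I:D:"`) and in the dnssec-signzone.c CMDLINE_FLAGS (`...Dd:Ee:f:...`), whereas dnssec-keygen.c, dnssec-keyfromlabel.c and named use `E:`. As written, an engine chosen on the command line for these three tools would presumably never reach dst_lib_init2(), leaving the compiled-in default (or a stray value) in effect. main() continues outside the hunks.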


@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-revoke.docbook,v 1.5 2009/07/20 11:56:35 fdupont Exp $ -->
<!-- $Id: dnssec-revoke.docbook,v 1.6 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-revoke">
<refentryinfo>
<date>June 1, 2009</date>
@ -47,6 +47,7 @@
<arg><option>-hr</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
@ -102,6 +103,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pcks11, the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>


@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -57,6 +57,12 @@ usage(void) {
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n");
#ifdef USE_PKCS11
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
@ -112,6 +118,11 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
int
main(int argc, char **argv) {
isc_result_t result;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
char *filename = NULL, *directory = NULL;
char newname[1024];
char keystr[KEY_FORMATSIZE];
@ -150,8 +161,11 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"fK:uhp:v:P:A:R:I:D:")) != -1) {
"EfK:uhp:v:P:A:R:I:D:")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
break;
case 'f':
forceupdate = ISC_TRUE;
break;
@ -313,10 +327,11 @@ main(int argc, char **argv) {
result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize hash");
result = dst_lib_init(mctx, ectx,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
result = dst_lib_init2(mctx, ectx, engine,
ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst");
fatal("Could not initialize dst: %s",
isc_result_totext(result));
isc_entropy_stopcallbacksources(ectx);
result = dst_key_fromnamedfile(filename, directory,
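Review bot: The usage() text added under "General options:" prints only the description (`name of an OpenSSL engine to use`) and never the option it belongs to; the `-E engine:` header that dnssec-revoke.c and dnssec-signzone.c print before their `#ifdef USE_PKCS11` block is missing here. Add `fprintf(stderr, "\t-E engine:\n");` ahead of the `#ifdef`, indented to match the neighbouring option lines. usage() starts and ends outside the hunk.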


@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
<!-- $Id: dnssec-settime.docbook,v 1.5 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
@ -53,6 +53,7 @@
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="req">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
@ -127,6 +128,16 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pcks11, the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-signzone.c,v 1.240 2009/10/03 18:03:54 each Exp $ */
/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -3324,6 +3324,13 @@ usage(void) {
fprintf(stderr, "\t-a:\t");
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
#ifdef USE_PKCS11
fprintf(stderr, "\t\tname of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
#endif
fprintf(stderr, "\t-p:\t");
fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
fprintf(stderr, "\t-P:\t");
@ -3398,6 +3405,11 @@ main(int argc, char *argv[]) {
isc_result_t result;
isc_log_t *log = NULL;
isc_boolean_t pseudorandom = ISC_FALSE;
#ifdef USE_PKCS11
const char *engine = "pkcs11";
#else
const char *engine = NULL;
#endif
unsigned int eflags;
isc_boolean_t free_output = ISC_FALSE;
int tempfilelen;
@ -3412,7 +3424,7 @@ main(int argc, char *argv[]) {
isc_boolean_t set_iter = ISC_FALSE;
#define CMDLINE_FLAGS \
"3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
"3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
/*
* Process memory debugging argument first.
@ -3494,8 +3506,8 @@ main(int argc, char *argv[]) {
fatal("DS directory must be non-empty string");
break;
case 'K':
directory = isc_commandline_argument;
case 'E':
engine = isc_commandline_argument;
break;
case 'e':
@ -3523,6 +3535,10 @@ main(int argc, char *argv[]) {
usage();
break;
case 'I':
inputformatstr = isc_commandline_argument;
break;
case 'i':
endp = NULL;
cycle = strtol(isc_commandline_argument, &endp, 0);
@ -3531,10 +3547,6 @@ main(int argc, char *argv[]) {
"positive");
break;
case 'I':
inputformatstr = isc_commandline_argument;
break;
case 'j':
endp = NULL;
jitter = strtol(isc_commandline_argument, &endp, 0);
@ -3542,6 +3554,10 @@ main(int argc, char *argv[]) {
fatal("jitter must be numeric and positive");
break;
case 'K':
directory = isc_commandline_argument;
break;
case 'k':
if (ndskeys == MAXDSKEYS)
fatal("too many key-signing keys specified");
@ -3563,6 +3579,10 @@ main(int argc, char *argv[]) {
case 'm':
break;
case 'N':
serialformatstr = isc_commandline_argument;
break;
case 'n':
endp = NULL;
ntasks = strtol(isc_commandline_argument, &endp, 0);
@ -3570,39 +3590,35 @@ main(int argc, char *argv[]) {
fatal("number of cpus must be numeric");
break;
case 'N':
serialformatstr = isc_commandline_argument;
case 'O':
outputformatstr = isc_commandline_argument;
break;
case 'o':
origin = isc_commandline_argument;
break;
case 'O':
outputformatstr = isc_commandline_argument;
case 'P':
disable_zone_check = ISC_TRUE;
break;
case 'p':
pseudorandom = ISC_TRUE;
break;
case 'P':
disable_zone_check = ISC_TRUE;
break;
case 'r':
setup_entropy(mctx, isc_commandline_argument, &ectx);
break;
case 's':
startstr = isc_commandline_argument;
break;
case 'S':
smartsign = ISC_TRUE;
generateds = ISC_TRUE;
break;
case 's':
startstr = isc_commandline_argument;
break;
case 'T':
endp = NULL;
set_keyttl = ISC_TRUE;
@ -3659,9 +3675,10 @@ main(int argc, char *argv[]) {
if (result != ISC_R_SUCCESS)
fatal("could not create hash context");
result = dst_lib_init(mctx, ectx, eflags);
result = dst_lib_init2(mctx, ectx, engine, eflags);
if (result != ISC_R_SUCCESS)
fatal("could not initialize dst");
fatal("could not initialize dst: %s",
isc_result_totext(result));
isc_stdtime_get(&now);


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-signzone.docbook,v 1.38 2009/09/29 22:17:34 each Exp $ -->
<!-- $Id: dnssec-signzone.docbook,v 1.39 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.dnssec-signzone">
<refentryinfo>
<date>June 05, 2009</date>
@ -60,6 +60,7 @@
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-g</option></arg>
@ -149,6 +150,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
<para>
Uses a crypto hardware (OpenSSL engine) for the crypto operations
it supports, for instance signing with private keys from
a secure key store. When compiled with PKCS#11 support
it defaults to pcks11, the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.106 2009/09/01 18:40:25 jinmei Exp $
# $Id: Makefile.in,v 1.107 2009/10/05 17:30:49 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -45,7 +45,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \
${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
CDEFINES = -DBIND9 @USE_DLZ@
CDEFINES = -DBIND9 @USE_DLZ@ @USE_PKCS11@
CWARNINGS =


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: globals.h,v 1.85 2009/07/14 23:47:53 tbox Exp $ */
/* $Id: globals.h,v 1.86 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef NAMED_GLOBALS_H
#define NAMED_GLOBALS_H 1
@ -139,6 +139,12 @@ EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
EXTERN const char * ns_g_username INIT(NULL);
#ifdef USE_PKCS11
EXTERN const char * ns_g_engine INIT("pkcs11");
#else
EXTERN const char * ns_g_engine INIT(NULL);
#endif
EXTERN int ns_g_listen INIT(3);
EXTERN isc_time_t ns_g_boottime;
EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE);


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: main.c,v 1.174 2009/09/29 15:06:06 fdupont Exp $ */
/* $Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -298,8 +298,9 @@ usage(void) {
}
fprintf(stderr,
"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
"[-f|-g] [-n number_of_cpus]\n"
" [-p port] [-s] [-t chrootdir] [-u username]\n"
"[-E engine] [-f|-g]\n"
" [-n number_of_cpus] [-p port] [-s] "
"[-t chrootdir] [-u username]\n"
" [-m {usage|trace|record|size|mctx}]\n");
}
@ -408,7 +409,7 @@ parse_command_line(int argc, char *argv[]) {
isc_commandline_errprint = ISC_FALSE;
while ((ch = isc_commandline_parse(argc, argv,
"46c:C:d:fFgi:lm:n:N:p:P:"
"46c:C:d:E:fFgi:lm:n:N:p:P:"
"sS:t:T:u:vVx:")) != -1) {
switch (ch) {
case '4':
@ -444,6 +445,9 @@ parse_command_line(int argc, char *argv[]) {
ns_g_debuglevel = parse_int(isc_commandline_argument,
"debug level");
break;
case 'E':
ns_g_engine = isc_commandline_argument;
break;
case 'f':
ns_g_foreground = ISC_TRUE;
break;


@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.docbook,v 1.25 2009/05/21 23:47:28 tbox Exp $ -->
<!-- $Id: named.docbook,v 1.26 2009/10/05 17:30:49 fdupont Exp $ -->
<refentry id="man.named">
<refentryinfo>
<date>May 21, 2009</date>
@ -60,6 +60,7 @@
<arg><option>-6</option></arg>
<arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
<arg><option>-f</option></arg>
<arg><option>-g</option></arg>
<arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
@ -116,6 +117,7 @@
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">config-file</replaceable></term>
<listitem>
@ -144,6 +146,19 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine-name</replaceable></term>
<listitem>
<para>
Use a crypto hardware (OpenSSL engine) for the crypto operations
it supports, for instance re-signing with private keys from
a secure key store. When compiled with PKCS#11 support
<replaceable class="parameter">engine-name</replaceable>
defaults to pkcs11, the empty name resets it to no engine.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f</term>
<listitem>


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: server.c,v 1.549 2009/09/29 15:06:06 fdupont Exp $ */
/* $Id: server.c,v 1.550 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -4650,7 +4650,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
ISC_R_NOMEMORY : ISC_R_SUCCESS,
"allocating reload event");
CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
ns_g_engine, ISC_ENTROPY_GOODONLY),
"initializing DST");
server->tkeyctx = NULL;


@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.166 2009/09/01 00:22:26 jinmei Exp $
# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@ -34,7 +34,7 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \
${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
CDEFINES = -DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
CDEFINES = -DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ \
${USE_ISC_SPNEGO}
CWARNINGS =


@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: dst_api.c,v 1.33 2009/09/25 01:42:09 marka Exp $
* $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $
*/
/*! \file */
@ -146,6 +146,12 @@ default_memfree(void *arg, void *ptr) {
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
return (dst_lib_init2(mctx, ectx, NULL, eflags));
}
isc_result_t
dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
const char *engine, unsigned int eflags) {
isc_result_t result;
REQUIRE(mctx != NULL);
@ -173,7 +179,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
if (result != ISC_R_SUCCESS)
return (result);
isc_mem_setname(dst__memory_pool, "dst", NULL);
#ifndef OPENSSL_LEAKS
isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
#endif
#else
isc_mem_attach(mctx, &dst__memory_pool);
#endif
@ -192,7 +200,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
#ifdef OPENSSL
RETERR(dst__openssl_init());
RETERR(dst__openssl_init(engine));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
@ -209,6 +217,8 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
return (ISC_R_SUCCESS);
out:
/* avoid immediate crash! */
dst_initialized = ISC_TRUE;
dst_lib_destroy();
return (result);
}
@ -1520,6 +1530,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
unsigned int flags = dst_entropy_flags;
if (pseudo)
flags &= ~ISC_ENTROPY_GOODONLY;
else
flags |= ISC_ENTROPY_BLOCKING;
return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
#else
UNUSED(buf);
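Review bot: The `else flags |= ISC_ENTROPY_BLOCKING;` added to dst__entropy_getdata() forces blocking on every non-pseudo request, overriding the eflags the caller handed to dst_lib_init2(). named initialises DST with `ISC_ENTROPY_GOODONLY` only (see the server.c change), so after this hunk a key or signature operation in the server may wait on the entropy pool where it would presumably have returned an error before. That is an availability-relevant change unrelated to the engine option and deserves at least a comment such as `/* good random data is mandatory here: wait rather than fail */`, or a commit of its own. Separately, the `out:` path sets `dst_initialized = ISC_TRUE` only so that dst_lib_destroy() can run; `/* avoid immediate crash! */` should say so, presumably because dst_lib_destroy() requires the flag. Both functions extend outside the hunks.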


@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_internal.h,v 1.18 2009/09/23 11:16:50 fdupont Exp $ */
/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef DST_DST_INTERNAL_H
#define DST_DST_INTERNAL_H 1
@ -187,7 +187,7 @@ struct dst_func {
/*%
* Initializers
*/
isc_result_t dst__openssl_init(void);
isc_result_t dst__openssl_init(const char *engine);
isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t dst__hmacsha1_init(struct dst_func **funcp);


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: dst_openssl.h,v 1.8 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef DST_OPENSSL_H
#define DST_OPENSSL_H 1
@ -29,10 +29,7 @@ isc_result_t
dst__openssl_toresult(isc_result_t fallback);
ENGINE *
dst__openssl_getengine(const char *name);
isc_result_t
dst__openssl_setdefault(const char *name);
dst__openssl_getengine(const char *engine);
ISC_LANG_ENDDECLS


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dst.h,v 1.19 2009/09/23 16:01:57 each Exp $ */
/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */
#ifndef DST_DST_H
#define DST_DST_H 1
@ -94,6 +94,10 @@ typedef struct dst_context dst_context_t;
isc_result_t
dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
isc_result_t
dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
const char *engine, unsigned int eflags);
/*%<
* Initializes the DST subsystem.
*
@ -104,6 +108,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOMEMORY
* \li DST_R_NOENGINE
*
* Ensures:
* \li DST is properly initialized.
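Review bot: The doc comment following the two prototypes still describes only the original arguments and says nothing about the new `engine` parameter of dst_lib_init2(). It should state that `engine` is an OpenSSL engine name, that NULL or an empty string selects no engine (which is how dst__openssl_init() treats it in openssl_link.c), and that DST_R_NOENGINE is returned when the named engine cannot be found or made the default. A line such as `* \li "engine" is an OpenSSL engine name, or NULL / "" for none.` would cover it. The Requires list lies outside the hunk, so where exactly it goes needs checking against the full header.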


@ -31,7 +31,7 @@
/*
* Principal Author: Brian Wellington
* $Id: openssl_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
* $Id: openssl_link.c,v 1.27 2009/10/05 17:30:49 fdupont Exp $
*/
#ifdef OPENSSL
@ -45,6 +45,8 @@
#include <isc/thread.h>
#include <isc/util.h>
#include <dst/result.h>
#include "dst_internal.h"
#include "dst_openssl.h"
@ -60,12 +62,6 @@
#ifdef USE_ENGINE
#include <openssl/engine.h>
#ifdef ENGINE_ID
const char *engine_id = ENGINE_ID;
#else
const char *engine_id;
#endif
#endif
static RAND_METHOD *rm = NULL;
@ -74,15 +70,7 @@ static isc_mutex_t *locks = NULL;
static int nlocks;
#ifdef USE_ENGINE
static ENGINE *e;
static ENGINE *he;
#endif
#ifdef USE_PKCS11
static isc_result_t
dst__openssl_load_engine(const char *name, const char *engine_id,
const char **pre_cmds, int pre_num,
const char **post_cmds, int post_num);
static ENGINE *e = NULL;
#endif
static int
@ -135,8 +123,16 @@ id_callback(void) {
static void *
mem_alloc(size_t size) {
#ifdef OPENSSL_LEAKS
void *ptr;
INSIST(dst__memory_pool != NULL);
ptr = isc_mem_allocate(dst__memory_pool, size);
return (ptr);
#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_allocate(dst__memory_pool, size));
#endif
}
static void
@ -148,16 +144,26 @@ mem_free(void *ptr) {
static void *
mem_realloc(void *ptr, size_t size) {
#ifdef OPENSSL_LEAKS
void *rptr;
INSIST(dst__memory_pool != NULL);
rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
return (rptr);
#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_reallocate(dst__memory_pool, ptr, size));
#endif
}
isc_result_t
dst__openssl_init() {
dst__openssl_init(const char *engine) {
isc_result_t result;
#ifdef USE_ENGINE
/* const char *name; */
ENGINE *re;
#else
UNUSED(engine);
#endif
#ifdef DNS_CRYPTO_LEAKS
@ -187,73 +193,26 @@ dst__openssl_init() {
rm->add = entropy_add;
rm->pseudorand = entropy_getpseudo;
rm->status = entropy_status;
#ifdef USE_ENGINE
OPENSSL_config(NULL);
#ifdef USE_PKCS11
#ifndef PKCS11_SO_PATH
#define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so"
#endif
#ifndef PKCS11_MODULE_PATH
#define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so"
#endif
{
/*
* to use this to config the PIN, add in openssl.cnf:
* - at the beginning: "openssl_conf = openssl_def"
* - at any place these sections:
* [ openssl_def ]
* engines = engine_section
* [ engine_section ]
* pkcs11 = pkcs11_section
* [ pkcs11_section ]
* PIN = my___pin
*/
const char *pre_cmds[] = {
"SO_PATH", PKCS11_SO_PATH,
"LOAD", NULL,
"MODULE_PATH", PKCS11_MODULE_PATH
};
const char *post_cmds[] = {
/* "PIN", "my___pin" */
};
result = dst__openssl_load_engine("pkcs11", "pkcs11",
pre_cmds, 0,
post_cmds, /*1*/ 0);
if (result != ISC_R_SUCCESS)
goto cleanup_rm;
}
#else /* USE_PKCS11 */
if (engine_id != NULL) {
e = ENGINE_by_id(engine_id);
if (engine != NULL && *engine == '\0')
engine = NULL;
if (engine != NULL) {
e = ENGINE_by_id(engine);
if (e == NULL) {
result = ISC_R_NOTFOUND;
result = DST_R_NOENGINE;
goto cleanup_rm;
}
if (!ENGINE_init(e)) {
result = ISC_R_FAILURE;
ENGINE_free(e);
/* This will init the engine. */
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
result = DST_R_NOENGINE;
goto cleanup_rm;
}
ENGINE_set_default(e, ENGINE_METHOD_ALL);
ENGINE_free(e);
if (he == NULL)
he = e;
} else {
ENGINE_register_all_complete();
for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
/*
* Something weird here. If we call ENGINE_finish()
* ENGINE_get_default_RAND() will fail.
*/
if (ENGINE_init(e)) {
if (he == NULL)
he = e;
}
}
}
#endif /* USE_PKCS11 */
re = ENGINE_get_default_RAND();
if (re == NULL) {
re = ENGINE_new();
@ -266,7 +225,6 @@ dst__openssl_init() {
ENGINE_free(re);
} else
ENGINE_finish(re);
#else
RAND_set_rand_method(rm);
#endif /* USE_ENGINE */
@ -274,13 +232,18 @@ dst__openssl_init() {
#ifdef USE_ENGINE
cleanup_rm:
if (e != NULL)
ENGINE_free(e);
e = NULL;
mem_free(rm);
rm = NULL;
#endif
cleanup_mutexinit:
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
locks = NULL;
return (result);
}
@ -290,16 +253,22 @@ dst__openssl_destroy() {
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_unload(1);
if (rm != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
#endif
mem_free(rm);
rm = NULL;
}
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
CONF_modules_free();
#endif
OBJ_cleanup();
EVP_cleanup();
#if defined(USE_ENGINE)
if (he != NULL)
ENGINE_finish(he);
else if (e != NULL)
ENGINE_finish(e);
he = e = NULL;
if (e != NULL)
ENGINE_free(e);
e = NULL;
#if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
ENGINE_cleanup();
#endif
@ -308,23 +277,18 @@ dst__openssl_destroy() {
CRYPTO_cleanup_all_ex_data();
#endif
ERR_clear_error();
ERR_free_strings();
ERR_remove_state(0);
ERR_free_strings();
#ifdef DNS_CRYPTO_LEAKS
CRYPTO_mem_leaks_fp(stderr);
#endif
if (rm != NULL) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
#endif
mem_free(rm);
}
if (locks != NULL) {
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
mem_free(locks);
locks = NULL;
}
}
@ -345,90 +309,18 @@ dst__openssl_toresult(isc_result_t fallback) {
}
ENGINE *
dst__openssl_getengine(const char *name) {
UNUSED(name);
dst__openssl_getengine(const char *engine) {
if (engine == NULL)
return (NULL);
#if defined(USE_ENGINE)
return (he);
#else
return (NULL);
#endif
}
isc_result_t
dst__openssl_setdefault(const char *name) {
UNUSED(name);
#if defined(USE_ENGINE)
ENGINE_set_default(e, ENGINE_METHOD_ALL);
#endif
/*
* XXXMPA If the engine does not have a default RAND method
* restore our method.
*/
return (ISC_R_SUCCESS);
}
#ifdef USE_PKCS11
/*
* 'name' is the name the engine is known by to the dst library.
* This may or may not match the name the engine is known by to
* openssl. It is the name that is stored in the private key file.
*
* 'engine_id' is the openssl engine name.
*
* pre_cmds and post_cmds a sequence if command argument pairs
* pre_num and post_num are a count of those pairs.
*
* "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
* "LOAD", NULL
* "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so")
*/
static isc_result_t
dst__openssl_load_engine(const char *name, const char *engine_id,
const char **pre_cmds, int pre_num,
const char **post_cmds, int post_num)
{
ENGINE *e;
UNUSED(name);
if (!strcasecmp(engine_id, "dynamic"))
ENGINE_load_dynamic();
e = ENGINE_by_id(engine_id);
if (e == NULL)
return (ISC_R_NOTFOUND);
while (pre_num--) {
if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
ENGINE_free(e);
return (ISC_R_FAILURE);
}
pre_cmds += 2;
}
if (!ENGINE_init(e)) {
ENGINE_free(e);
return (ISC_R_FAILURE);
}
/*
* ENGINE_init() returned a functional reference, so free the
* structural reference from ENGINE_by_id().
*/
ENGINE_free(e);
while (post_num--) {
if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
ENGINE_free(e);
return (ISC_R_FAILURE);
}
post_cmds += 2;
}
if (he != NULL)
ENGINE_finish(he);
he = e;
return (ISC_R_SUCCESS);
return (NULL);
if (strcmp(engine, ENGINE_get_id(e)) == 0)
return (e);
#endif
return (NULL);
}
#endif /* USE_PKCS11 */
#else /* OPENSSL */


@ -17,7 +17,7 @@
/*
* Principal Author: Brian Wellington
* $Id: opensslrsa_link.c,v 1.28 2009/09/23 11:16:50 fdupont Exp $
* $Id: opensslrsa_link.c,v 1.29 2009/10/05 17:30:49 fdupont Exp $
*/
#ifdef OPENSSL
#ifndef USE_EVP
@ -968,6 +968,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
UNUSED(pin);
if (engine == NULL)
DST_RET(DST_R_NOENGINE);
e = dst__openssl_getengine(engine);
if (e == NULL)
DST_RET(DST_R_NOENGINE);
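Review bot: Both failure paths in this hunk of opensslrsa_fromlabel() return DST_R_NOENGINE, so the caller cannot tell a missing engine argument from an engine name that does not match the one loaded at init. The new dst__openssl_getengine() in this commit already returns NULL for a NULL name, so the added `if (engine == NULL)` check does not change the outcome and is there for readability only. A comment above the lookup, such as `/* engine must name the engine loaded by dst__openssl_init(); dst__openssl_getengine() matches it by id */`, would make the contract visible to the next reader. The function body starts and continues outside the hunk.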


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: task.c,v 1.110 2009/09/02 23:48:02 tbox Exp $ */
/* $Id: task.c,v 1.111 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file
* \author Principal Author: Bob Halley
@ -40,6 +40,10 @@
#include <isc/util.h>
#include <isc/xml.h>
#ifdef OPENSSL_LEAKS
#include <openssl/err.h>
#endif
/*%
* For BIND9 internal applications:
* when built with threads we use multiple worker threads shared by the whole
@ -1156,6 +1160,10 @@ run(void *uap) {
XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
ISC_MSG_EXITING, "exiting"));
#ifdef OPENSSL_LEAKS
ERR_remove_state(0);
#endif
return ((isc_threadresult_t)0);
}
#endif /* USE_WORKER_THREADS */
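Review bot: The `ERR_remove_state(0)` call added before the return in run() is compiled only when `OPENSSL_LEAKS` is defined, so in a build without that macro an exiting worker thread presumably leaves whatever OpenSSL error state it accumulated unfreed. The leak report in dst__openssl_destroy() in this same commit is guarded by a different macro, `DNS_CRYPTO_LEAKS`, and nothing visible here shows where either is defined or whether they are meant to be set together. A comment at the guard, for example `/* OPENSSL_LEAKS: release this thread's OpenSSL error queue so CRYPTO_mem_leaks_fp() reports cleanly */`, would document the intent, and it is worth confirming the two macro names are not an accidental mismatch. The same point applies to the identical hunk in timer.c's run(); both functions start outside their hunks.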


@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: timer.c,v 1.94 2009/09/03 21:55:13 jinmei Exp $ */
/* $Id: timer.c,v 1.95 2009/10/05 17:30:49 fdupont Exp $ */
/*! \file */
@ -34,6 +34,10 @@
#include <isc/timer.h>
#include <isc/util.h>
#ifdef OPENSSL_LEAKS
#include <openssl/err.h>
#endif
/* See task.c about the following definition: */
#ifdef BIND9
#ifdef ISC_PLATFORM_USETHREADS
@ -828,6 +832,10 @@ run(void *uap) {
}
UNLOCK(&manager->lock);
#ifdef OPENSSL_LEAKS
ERR_remove_state(0);
#endif
return ((isc_threadresult_t)0);
}
#endif /* USE_TIMER_THREAD */