diff --git a/CHANGES b/CHANGES index d2421b974e..72125d4eb7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +2703. [func] Introduce an OpenSSL "engine" argument with -E + for all binaries which can take benefit of + crypto hardware. [RT #20230] + 2702. [func] Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all] 2701. [doc] Correction to ARM: hmac-md5 is no longer the only diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index 2af3838fa8..39471eedfe 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.40 2009/09/01 18:40:25 jinmei Exp $ +# $Id: Makefile.in,v 1.41 2009/10/05 17:30:49 fdupont Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -25,7 +25,7 @@ top_srcdir = @top_srcdir@ CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} -CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\" +CDEFINES = -DBIND9 -DVERSION=\"${VERSION}\" @USE_PKCS11@ CWARNINGS = DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 9a89b56965..3d062f1175 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-dsfromkey.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: dnssec-dsfromkey.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -440,7 +440,8 @@ main(int argc, char **argv) { result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) - fatal("could not initialize dst"); + fatal("could not initialize dst: %s", + isc_result_totext(result)); isc_entropy_stopcallbacksources(ectx); setup_logging(verbose, mctx, &log); diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index f0e41d1101..556082230a 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c 
@@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keyfromlabel.c,v 1.17 2009/10/03 18:03:53 each Exp $ */ +/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -63,20 +63,28 @@ usage(void) { fprintf(stderr, "Required options:\n"); fprintf(stderr, " -a algorithm: %s\n", algs); fprintf(stderr, " -l label: label of the key pair\n"); +#ifdef USE_PKCS11 + fprintf(stderr, " (for instance \"pkcs11:foo\"\n"); +#else + fprintf(stderr, " -E enginename\n"); +#endif fprintf(stderr, " name: owner of the key\n"); fprintf(stderr, "Other options:\n"); - fprintf(stderr, " -c (default: IN)\n"); + fprintf(stderr, " -c class (default: IN)\n"); +#ifdef USE_PKCS11 + fprintf(stderr, " -E enginename (default: pkcs11)\n"); +#endif fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -K directory: directory in which to place " "key files\n"); fprintf(stderr, " -k : generate a TYPE=KEY key\n"); fprintf(stderr, " -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n"); fprintf(stderr, " (DNSKEY generation defaults to ZONE\n"); - fprintf(stderr, " -p : default: 3 [dnssec]\n"); - fprintf(stderr, " -t : " + fprintf(stderr, " -p protocol: default: 3 [dnssec]\n"); + fprintf(stderr, " -t type: " "AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF " "(default: AUTHCONF)\n"); - fprintf(stderr, " -v \n"); + fprintf(stderr, " -v verbose level\n"); fprintf(stderr, "Date options:\n"); fprintf(stderr, " -P date/[+-]offset: set key publication date\n"); fprintf(stderr, " -A date/[+-]offset: set key activation date\n"); @@ -97,6 +105,11 @@ int main(int argc, char **argv) { char *algname = NULL, *nametype = NULL, *type = NULL; const char *directory = NULL; +#ifdef USE_PKCS11 + const char *engine = "pkcs11"; +#else + const char *engine = NULL; +#endif char *classname = NULL; char *endp; dst_key_t *key = NULL, *oldkey = NULL; 
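Review bot: The PKCS#11 example added to usage() is missing its closing parenthesis, so the help text prints `(for instance "pkcs11:foo"` with the bracket never closed; it should read `fprintf(stderr, "        (for instance \"pkcs11:foo\")\n");`. In the non-PKCS#11 branch `-E enginename` is listed under "Required options" with no description, unlike the other required lines; a short trailing `: OpenSSL engine holding the key` would make it self-explanatory. usage() continues outside the hunk.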
@@ -116,7 +129,7 @@ main(int argc, char **argv) { isc_entropy_t *ectx = NULL; dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; - char *label = NULL, *engine = NULL; + char *label = NULL; isc_stdtime_t publish = 0, activate = 0, revoke = 0; isc_stdtime_t inactive = 0, delete = 0; isc_stdtime_t now; @@ -140,7 +153,7 @@ main(int argc, char **argv) { isc_stdtime_get(&now); while ((ch = isc_commandline_parse(argc, argv, - "a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1) + "a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1) { switch (ch) { case 'a': @@ -152,6 +165,9 @@ main(int argc, char **argv) { case 'c': classname = isc_commandline_argument; break; + case 'E': + engine = isc_commandline_argument; + break; case 'f': if (toupper(isc_commandline_argument[0]) == 'K') kskflag = DNS_KEYFLAG_KSK; @@ -270,10 +286,11 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - ret = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + ret = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (ret != ISC_R_SUCCESS) - fatal("could not initialize dst"); + fatal("could not initialize dst: %s", + isc_result_totext(ret)); setup_logging(verbose, mctx, &log); diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index 6d2f70e6ee..b80e0b1cae 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + February 8, 2008 @@ -50,6 +50,7 @@ + @@ -102,12 +103,23 @@ + + -E engine + + + Specifies the name of the crypto hardware (OpenSSL engine). + When compiled with PKCS#11 support it defaults to pcks11. + + + + -l label - Specifies the label of keys in the crypto hardware - (PKCS#11 device). + Specifies the label of keys in the crypto hardware (OpenSSL + engine). An example for the pkcs11 engine is pkcs11:foo + (note the string pkcs11 is in both E and l options.) 
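Review bot: In the non-PKCS#11 build `engine` starts as NULL and usage() advertises -E as required, yet after the new `case 'E'` nothing checks that an engine was actually supplied; the omission only surfaces later as DST_R_NOENGINE out of the fromlabel path, after dst_lib_init2() has already initialised the library. A usage-level check next to the existing argument validation would give a clearer error, e.g. `if (engine == NULL) fatal("no engine specified (-E option)");`, unless such a check already exists in the part of main() outside this hunk. main() starts and ends outside the visible hunks.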
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 0c5d497fce..d1a4efa345 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-keygen.c,v 1.98 2009/10/03 18:03:53 each Exp $ */ +/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -115,6 +115,11 @@ usage(void) { fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n"); fprintf(stderr, " -c : (default: IN)\n"); fprintf(stderr, " -d (0 => max, default)\n"); +#ifdef USE_PKCS11 + fprintf(stderr, " -E (default \"pkcs11\")\n"); +#else + fprintf(stderr, " -E \n"); +#endif fprintf(stderr, " -e: use large exponent (RSAMD5/RSASHA1 only)\n"); fprintf(stderr, " -f : KSK | REVOKE\n"); fprintf(stderr, " -g : use specified generator " @@ -173,6 +178,11 @@ main(int argc, char **argv) { isc_buffer_t buf; isc_log_t *log = NULL; isc_entropy_t *ectx = NULL; +#ifdef USE_PKCS11 + const char *engine = "pkcs11"; +#else + const char *engine = NULL; +#endif dns_rdataclass_t rdclass; int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC; int dbits = 0; @@ -198,7 +208,7 @@ main(int argc, char **argv) { /* * Process memory debugging argument first. */ -#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:" +#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:" while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) { switch (ch) { case 'm': @@ -247,6 +257,9 @@ main(int argc, char **argv) { if (*endp != '\0' || dbits < 0) fatal("-d requires a non-negative number"); break; + case 'E': + engine = isc_commandline_argument; + break; case 'e': rsa_exp = 1; break; 
@@ -400,10 +413,11 @@ main(int argc, char **argv) { if (ectx == NULL) setup_entropy(mctx, NULL, &ectx); - ret = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + ret = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (ret != ISC_R_SUCCESS) - fatal("could not initialize dst"); + fatal("could not initialize dst: %s", + isc_result_totext(ret)); setup_logging(verbose, mctx, &log); diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook index c0d8ba2898..1daa979788 100644 --- a/bin/dnssec/dnssec-keygen.docbook +++ b/bin/dnssec/dnssec-keygen.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 30, 2000 @@ -64,6 +64,7 @@ + @@ -206,6 +207,18 @@ + + -E engine + + + Uses a crypto hardware (OpenSSL engine) for random number + and, when supported, key generation. When compiled with PKCS#11 + support it defaults to pcks11, the empty name resets it to + no engine. + + + + -e diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index 7f2f6d301c..40168c4f80 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-revoke.c,v 1.13 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -54,6 +54,13 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", VERSION); + fprintf(stderr, "\t-E engine:\n"); +#ifdef USE_PKCS11 + fprintf(stderr, "\t\tname of an OpenSSL engine to use " + "(default is \"pkcs11\")\n"); +#else + fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); +#endif fprintf(stderr, " -f: force overwrite\n"); fprintf(stderr, " -K directory: use directory for key files\n"); fprintf(stderr, " -h: help\n"); 
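Review bot: The new -E lines in dnssec-revoke's usage() are indented with tabs (`"\t-E engine:\n"`, `"\t\tname of an OpenSSL engine to use ..."`) while every neighbouring option uses the two-space form (` -f: force overwrite`), so the help output will be visibly misaligned. Suggest `fprintf(stderr, " -E engine: name of an OpenSSL engine to use\n");` with the `(default is "pkcs11")` suffix kept in the USE_PKCS11 branch. usage() continues outside the hunk.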
@@ -70,6 +77,11 @@ usage(void) { int main(int argc, char **argv) { isc_result_t result; +#ifdef USE_PKCS11 + const char *engine = "pkcs11"; +#else + const char *engine = NULL; +#endif char *filename = NULL, *dir = NULL; char newname[1024], oldname[1024]; char keystr[KEY_FORMATSIZE]; @@ -93,8 +105,11 @@ main(int argc, char **argv) { isc_commandline_errprint = ISC_FALSE; - while ((ch = isc_commandline_parse(argc, argv, "fK:rhv:")) != -1) { + while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) { switch (ch) { + case 'E': + engine = isc_commandline_argument; + break; case 'f': force = ISC_TRUE; break; @@ -150,10 +165,11 @@ main(int argc, char **argv) { result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); if (result != ISC_R_SUCCESS) fatal("Could not initialize hash"); - result = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) - fatal("Could not initialize dst"); + fatal("Could not initialize dst: %s", + isc_result_totext(result)); isc_entropy_stopcallbacksources(ectx); result = dst_key_fromnamedfile(filename, dir, diff --git a/bin/dnssec/dnssec-revoke.docbook b/bin/dnssec/dnssec-revoke.docbook index 3143928559..e010fcbb9d 100644 --- a/bin/dnssec/dnssec-revoke.docbook +++ b/bin/dnssec/dnssec-revoke.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 1, 2009 @@ -47,6 +47,7 @@ + keyfile @@ -102,6 +103,16 @@ + + -E engine + + + Use the given OpenSSL engine. When compiled with PKCS#11 support + it defaults to pcks11, the empty name resets it to no engine. + + + + -f diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index ff323c337d..471403e398 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c 
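Review bot: The option string `"EfK:rhv:"` declares -E without a trailing colon, so isc_commandline_parse() treats it as a bare flag; the new `case 'E'` then copies isc_commandline_argument although no argument was consumed (presumably NULL), silently dropping the engine request and leaving the intended engine name to be parsed as the keyfile operand. It should be `"E:fK:rhv:"`, matching the `E:` used for dnssec-keygen and named in this same commit. main() starts and ends outside this hunk.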
@@ -14,7 +14,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-settime.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -57,6 +57,12 @@ usage(void) { fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "General options:\n"); +#ifdef USE_PKCS11 + fprintf(stderr, "\t\tname of an OpenSSL engine to use " + "(default is \"pkcs11\")\n"); +#else + fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); +#endif fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); @@ -112,6 +118,11 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch, int main(int argc, char **argv) { isc_result_t result; +#ifdef USE_PKCS11 + const char *engine = "pkcs11"; +#else + const char *engine = NULL; +#endif char *filename = NULL, *directory = NULL; char newname[1024]; char keystr[KEY_FORMATSIZE]; @@ -150,8 +161,11 @@ main(int argc, char **argv) { isc_stdtime_get(&now); while ((ch = isc_commandline_parse(argc, argv, - "fK:uhp:v:P:A:R:I:D:")) != -1) { + "EfK:uhp:v:P:A:R:I:D:")) != -1) { switch (ch) { + case 'E': + engine = isc_commandline_argument; + break; case 'f': forceupdate = ISC_TRUE; break; @@ -313,10 +327,11 @@ main(int argc, char **argv) { result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); if (result != ISC_R_SUCCESS) fatal("Could not initialize hash"); - result = dst_lib_init(mctx, ectx, - ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + result = dst_lib_init2(mctx, ectx, engine, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); if (result != ISC_R_SUCCESS) - fatal("Could not initialize dst"); + fatal("Could not initialize dst: %s", + isc_result_totext(result)); isc_entropy_stopcallbacksources(ectx); result = dst_key_fromnamedfile(filename, directory, 
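Review bot: The new USE_PKCS11/else lines in dnssec-settime's usage() print only the description (`"\t\tname of an OpenSSL engine to use ..."`) and omit the `-E engine:` header line that the parallel hunk in dnssec-revoke.c emits, so the reader sees an unlabelled sentence between "General options:" and -f. Add `fprintf(stderr, " -E engine:\n");` before the #ifdef, and consider the surrounding two-space indentation rather than tabs. usage() continues outside the hunk.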
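Review bot: `"EfK:uhp:v:P:A:R:I:D:"` registers -E without a colon, so the option takes no argument and `engine = isc_commandline_argument;` in the new `case 'E'` does not receive the engine name (presumably NULL), while the name itself is left over to be mistaken for the keyfile. The string should be `"E:fK:uhp:v:P:A:R:I:D:"`, as dnssec-keygen's CMDLINE_FLAGS does with `E:`. main() starts and ends outside this hunk.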
diff --git a/bin/dnssec/dnssec-settime.docbook b/bin/dnssec/dnssec-settime.docbook index 43d7c732fe..54e49b76b6 100644 --- a/bin/dnssec/dnssec-settime.docbook +++ b/bin/dnssec/dnssec-settime.docbook @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + July 15, 2009 @@ -53,6 +53,7 @@ + keyfile @@ -127,6 +128,16 @@ + + + -E engine + + + Use the given OpenSSL engine. When compiled with PKCS#11 support + it defaults to pcks11, the empty name resets it to no engine. + + + diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index 5532e1a34e..7de39d05e6 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dnssec-signzone.c,v 1.240 2009/10/03 18:03:54 each Exp $ */ +/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -3324,6 +3324,13 @@ usage(void) { fprintf(stderr, "\t-a:\t"); fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-c class (IN)\n"); + fprintf(stderr, "\t-E engine:\n"); +#ifdef USE_PKCS11 + fprintf(stderr, "\t\tname of an OpenSSL engine to use " + "(default is \"pkcs11\")\n"); +#else + fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); +#endif fprintf(stderr, "\t-p:\t"); fprintf(stderr, "use pseudorandom data (faster but less secure)\n"); fprintf(stderr, "\t-P:\t"); @@ -3398,6 +3405,11 @@ main(int argc, char *argv[]) { isc_result_t result; isc_log_t *log = NULL; isc_boolean_t pseudorandom = ISC_FALSE; +#ifdef USE_PKCS11 + const char *engine = "pkcs11"; +#else + const char *engine = NULL; +#endif unsigned int eflags; isc_boolean_t free_output = ISC_FALSE; int tempfilelen; @@ -3412,7 +3424,7 @@ main(int argc, char *argv[]) { isc_boolean_t set_iter = ISC_FALSE; #define CMDLINE_FLAGS \ - "3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z" + "3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z" /* * Process memory debugging argument first. 
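Review bot: CMDLINE_FLAGS gains `Ee:` rather than `E:e:`, so -E is declared as an argument-less flag while the `case 'E': engine = isc_commandline_argument;` added in a later hunk expects a value; the engine name will be dropped (presumably NULL) and the stray word will be consumed as the zone file or origin. Change the define to `"3:AaCc:Dd:E:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"`. main() starts and ends outside this hunk.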
@@ -3494,8 +3506,8 @@ main(int argc, char *argv[]) { fatal("DS directory must be non-empty string"); break; - case 'K': - directory = isc_commandline_argument; + case 'E': + engine = isc_commandline_argument; break; case 'e': @@ -3523,6 +3535,10 @@ main(int argc, char *argv[]) { usage(); break; + case 'I': + inputformatstr = isc_commandline_argument; + break; + case 'i': endp = NULL; cycle = strtol(isc_commandline_argument, &endp, 0); @@ -3531,10 +3547,6 @@ main(int argc, char *argv[]) { "positive"); break; - case 'I': - inputformatstr = isc_commandline_argument; - break; - case 'j': endp = NULL; jitter = strtol(isc_commandline_argument, &endp, 0); @@ -3542,6 +3554,10 @@ main(int argc, char *argv[]) { fatal("jitter must be numeric and positive"); break; + case 'K': + directory = isc_commandline_argument; + break; + case 'k': if (ndskeys == MAXDSKEYS) fatal("too many key-signing keys specified"); @@ -3563,6 +3579,10 @@ main(int argc, char *argv[]) { case 'm': break; + case 'N': + serialformatstr = isc_commandline_argument; + break; + case 'n': endp = NULL; ntasks = strtol(isc_commandline_argument, &endp, 0); @@ -3570,39 +3590,35 @@ main(int argc, char *argv[]) { fatal("number of cpus must be numeric"); break; - case 'N': - serialformatstr = isc_commandline_argument; + case 'O': + outputformatstr = isc_commandline_argument; break; case 'o': origin = isc_commandline_argument; break; - case 'O': - outputformatstr = isc_commandline_argument; + case 'P': + disable_zone_check = ISC_TRUE; break; case 'p': pseudorandom = ISC_TRUE; break; - case 'P': - disable_zone_check = ISC_TRUE; - break; - case 'r': setup_entropy(mctx, isc_commandline_argument, &ectx); break; - case 's': - startstr = isc_commandline_argument; - break; - case 'S': smartsign = ISC_TRUE; generateds = ISC_TRUE; break; + case 's': + startstr = isc_commandline_argument; + break; + case 'T': endp = NULL; set_keyttl = ISC_TRUE; 
@@ -3659,9 +3675,10 @@ main(int argc, char *argv[]) { if (result != ISC_R_SUCCESS) fatal("could not create hash context"); - result = dst_lib_init(mctx, ectx, eflags); + result = dst_lib_init2(mctx, ectx, engine, eflags); if (result != ISC_R_SUCCESS) - fatal("could not initialize dst"); + fatal("could not initialize dst: %s", + isc_result_totext(result)); isc_stdtime_get(&now); diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook index 9a3dc364ae..aa3d506220 100644 --- a/bin/dnssec/dnssec-signzone.docbook +++ b/bin/dnssec/dnssec-signzone.docbook @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + June 05, 2009 @@ -60,6 +60,7 @@ + @@ -149,6 +150,18 @@ + + -E engine + + + Uses a crypto hardware (OpenSSL engine) for the crypto operations + it supports, for instance signing with private keys from + a secure key store. When compiled with PKCS#11 support + it defaults to pcks11, the empty name resets it to no engine. + + + + -g diff --git a/bin/named/Makefile.in b/bin/named/Makefile.in index a5cbc1e4d6..8898a24797 100644 --- a/bin/named/Makefile.in +++ b/bin/named/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.106 2009/09/01 18:40:25 jinmei Exp $ +# $Id: Makefile.in,v 1.107 2009/10/05 17:30:49 fdupont Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -45,7 +45,7 @@ CINCLUDES = -I${srcdir}/include -I${srcdir}/unix/include -I. \ ${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \ ${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES} -CDEFINES = -DBIND9 @USE_DLZ@ +CDEFINES = -DBIND9 @USE_DLZ@ @USE_PKCS11@ CWARNINGS = diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 3e81642272..26297c8744 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h 
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: globals.h,v 1.85 2009/07/14 23:47:53 tbox Exp $ */ +/* $Id: globals.h,v 1.86 2009/10/05 17:30:49 fdupont Exp $ */ #ifndef NAMED_GLOBALS_H #define NAMED_GLOBALS_H 1 @@ -139,6 +139,12 @@ EXTERN const char * lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR EXTERN const char * ns_g_username INIT(NULL); +#ifdef USE_PKCS11 +EXTERN const char * ns_g_engine INIT("pkcs11"); +#else +EXTERN const char * ns_g_engine INIT(NULL); +#endif + EXTERN int ns_g_listen INIT(3); EXTERN isc_time_t ns_g_boottime; EXTERN isc_boolean_t ns_g_memstatistics INIT(ISC_FALSE); diff --git a/bin/named/main.c b/bin/named/main.c index c6a640dd95..15b39268d0 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: main.c,v 1.174 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -298,8 +298,9 @@ usage(void) { } fprintf(stderr, "usage: named [-4|-6] [-c conffile] [-d debuglevel] " - "[-f|-g] [-n number_of_cpus]\n" - " [-p port] [-s] [-t chrootdir] [-u username]\n" + "[-E engine] [-f|-g]\n" + " [-n number_of_cpus] [-p port] [-s] " + "[-t chrootdir] [-u username]\n" " [-m {usage|trace|record|size|mctx}]\n"); } @@ -408,7 +409,7 @@ parse_command_line(int argc, char *argv[]) { isc_commandline_errprint = ISC_FALSE; while ((ch = isc_commandline_parse(argc, argv, - "46c:C:d:fFgi:lm:n:N:p:P:" + "46c:C:d:E:fFgi:lm:n:N:p:P:" "sS:t:T:u:vVx:")) != -1) { switch (ch) { case '4': @@ -444,6 +445,9 @@ parse_command_line(int argc, char *argv[]) { ns_g_debuglevel = parse_int(isc_commandline_argument, "debug level"); break; + case 'E': + ns_g_engine = isc_commandline_argument; + break; case 'f': ns_g_foreground = ISC_TRUE; break; diff --git a/bin/named/named.docbook b/bin/named/named.docbook index 1bbef3e709..c748911e24 100644 --- a/bin/named/named.docbook +++ b/bin/named/named.docbook 
@@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + May 21, 2009 @@ -60,6 +60,7 @@ + @@ -116,6 +117,7 @@ + -c config-file @@ -144,6 +146,19 @@ + + -E engine-name + + + Use a crypto hardware (OpenSSL engine) for the crypto operations + it supports, for instance re-signing with private keys from + a secure key store. When compiled with PKCS#11 support + engine-name + defaults to pkcs11, the empty name resets it to no engine. + + + + -f diff --git a/bin/named/server.c b/bin/named/server.c index 4f81a99361..87870f99ff 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: server.c,v 1.549 2009/09/29 15:06:06 fdupont Exp $ */ +/* $Id: server.c,v 1.550 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -4650,7 +4650,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) { ISC_R_NOMEMORY : ISC_R_SUCCESS, "allocating reload event"); - CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY), + CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy, + ns_g_engine, ISC_ENTROPY_GOODONLY), "initializing DST"); server->tkeyctx = NULL; diff --git a/lib/dns/Makefile.in b/lib/dns/Makefile.in index eef55f1e27..d1acc2b35a 100644 --- a/lib/dns/Makefile.in +++ b/lib/dns/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.166 2009/09/01 00:22:26 jinmei Exp $ +# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $ srcdir = @srcdir@ VPATH = @srcdir@ @@ -34,7 +34,7 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@ CINCLUDES = -I. -Iinclude ${DNS_INCLUDES} \ ${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@ -CDEFINES = -DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \ +CDEFINES = -DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ \ ${USE_ISC_SPNEGO} CWARNINGS = diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index cdf8a7c09c..9c4427dfe4 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c 
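Review bot: Passing ns_g_engine to dst_lib_init2() here means the OpenSSL engine is resolved inside ns_server_create(), and ENGINE_by_id() may dlopen an engine module, so the outcome depends on whether this runs before or after named's -t chroot and -u privilege drop, which are handled outside this hunk. That ordering constraint deserves a comment at the call, e.g. `/* ns_g_engine may cause OpenSSL to dlopen an engine module; its path (and any PKCS#11 provider) must be reachable at this point, e.g. inside the chroot. */`. ns_server_create() starts and ends outside the hunk.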
@@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: dst_api.c,v 1.33 2009/09/25 01:42:09 marka Exp $ + * $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -146,6 +146,12 @@ default_memfree(void *arg, void *ptr) { isc_result_t dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) { + return (dst_lib_init2(mctx, ectx, NULL, eflags)); +} + +isc_result_t +dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + const char *engine, unsigned int eflags) { isc_result_t result; REQUIRE(mctx != NULL); @@ -173,7 +179,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) { if (result != ISC_R_SUCCESS) return (result); isc_mem_setname(dst__memory_pool, "dst", NULL); +#ifndef OPENSSL_LEAKS isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE); +#endif #else isc_mem_attach(mctx, &dst__memory_pool); #endif @@ -192,7 +200,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) { RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384])); RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512])); #ifdef OPENSSL - RETERR(dst__openssl_init()); + RETERR(dst__openssl_init(engine)); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1])); RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1])); @@ -209,6 +217,8 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) { return (ISC_R_SUCCESS); out: + /* avoid immediate crash! */ + dst_initialized = ISC_TRUE; dst_lib_destroy(); return (result); } @@ -1520,6 +1530,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) { unsigned int flags = dst_entropy_flags; if (pseudo) flags &= ~ISC_ENTROPY_GOODONLY; + else + flags |= ISC_ENTROPY_BLOCKING; return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags)); #else UNUSED(buf); diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index 69ea338310..7d2935c8bc 100644 
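Review bot: The `out:` cleanup in dst_lib_init2() sets `dst_initialized = ISC_TRUE` before calling dst_lib_destroy(), and the comment `/* avoid immediate crash! */` does not say why that is needed; the reader has to guess that dst_lib_destroy() asserts on the flag. Replace it with a comment naming the contract, e.g. `/* dst_lib_destroy() REQUIREs dst_initialized; set it so partial state can be torn down. */`. dst_lib_init2() starts outside this hunk.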
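Review bot: The new `else flags |= ISC_ENTROPY_BLOCKING;` in dst__entropy_getdata() forces every non-pseudo request to block regardless of the eflags the caller gave dst_lib_init2(); named passes only ISC_ENTROPY_GOODONLY in server.c, so a starved or blocking entropy device could now stall the server where it previously received an error. If blocking is meant only for the command-line tools, honour the caller's choice by leaving `flags = dst_entropy_flags` untouched in the non-pseudo case (the tools already pass ISC_ENTROPY_BLOCKING explicitly), or add a comment above the assignment explaining why the library overrides it. dst__entropy_getdata() continues outside the hunk.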
--- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -29,7 +29,7 @@ * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_internal.h,v 1.18 2009/09/23 11:16:50 fdupont Exp $ */ +/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */ #ifndef DST_DST_INTERNAL_H #define DST_DST_INTERNAL_H 1 @@ -187,7 +187,7 @@ struct dst_func { /*% * Initializers */ -isc_result_t dst__openssl_init(void); +isc_result_t dst__openssl_init(const char *engine); isc_result_t dst__hmacmd5_init(struct dst_func **funcp); isc_result_t dst__hmacsha1_init(struct dst_func **funcp); diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h index 80eef93496..cb19044a26 100644 --- a/lib/dns/dst_openssl.h +++ b/lib/dns/dst_openssl.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */ +/* $Id: dst_openssl.h,v 1.8 2009/10/05 17:30:49 fdupont Exp $ */ #ifndef DST_OPENSSL_H #define DST_OPENSSL_H 1 @@ -29,10 +29,7 @@ isc_result_t dst__openssl_toresult(isc_result_t fallback); ENGINE * -dst__openssl_getengine(const char *name); - -isc_result_t -dst__openssl_setdefault(const char *name); +dst__openssl_getengine(const char *engine); ISC_LANG_ENDDECLS diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index 4cdb4c0057..dab99f0009 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: dst.h,v 1.19 2009/09/23 16:01:57 each Exp $ */ +/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */ #ifndef DST_DST_H #define DST_DST_H 1 @@ -94,6 +94,10 @@ typedef struct dst_context dst_context_t; isc_result_t dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags); + +isc_result_t +dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx, + const char *engine, unsigned int eflags); /*%< * Initializes the DST subsystem. * 
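Review bot: dst_lib_init2() is added next to dst_lib_init() but the shared doc comment still describes only the original parameters; the meaning of `engine` is left to the reader. Document it where the other parameters are described, e.g. `* 'engine' names the OpenSSL engine to make the default for all methods; NULL or "" selects no engine (dst_lib_init() passes NULL).`, and mention that on a failure to load the engine the library is torn down and DST_R_NOENGINE is returned.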
@@ -104,6 +108,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags); * Returns: * \li ISC_R_SUCCESS * \li ISC_R_NOMEMORY + * \li DST_R_NOENGINE * * Ensures: * \li DST is properly initialized. diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index cb223ae58a..04999b0b5c 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -31,7 +31,7 @@ /* * Principal Author: Brian Wellington - * $Id: openssl_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $ + * $Id: openssl_link.c,v 1.27 2009/10/05 17:30:49 fdupont Exp $ */ #ifdef OPENSSL @@ -45,6 +45,8 @@ #include #include +#include + #include "dst_internal.h" #include "dst_openssl.h" @@ -60,12 +62,6 @@ #ifdef USE_ENGINE #include - -#ifdef ENGINE_ID -const char *engine_id = ENGINE_ID; -#else -const char *engine_id; -#endif #endif static RAND_METHOD *rm = NULL; @@ -74,15 +70,7 @@ static isc_mutex_t *locks = NULL; static int nlocks; #ifdef USE_ENGINE -static ENGINE *e; -static ENGINE *he; -#endif - -#ifdef USE_PKCS11 -static isc_result_t -dst__openssl_load_engine(const char *name, const char *engine_id, - const char **pre_cmds, int pre_num, - const char **post_cmds, int post_num); +static ENGINE *e = NULL; #endif static int @@ -135,8 +123,16 @@ id_callback(void) { static void * mem_alloc(size_t size) { +#ifdef OPENSSL_LEAKS + void *ptr; + + INSIST(dst__memory_pool != NULL); + ptr = isc_mem_allocate(dst__memory_pool, size); + return (ptr); +#else INSIST(dst__memory_pool != NULL); return (isc_mem_allocate(dst__memory_pool, size)); +#endif } static void 
@@ -148,16 +144,26 @@ mem_free(void *ptr) { static void * mem_realloc(void *ptr, size_t size) { +#ifdef OPENSSL_LEAKS + void *rptr; + + INSIST(dst__memory_pool != NULL); + rptr = isc_mem_reallocate(dst__memory_pool, ptr, size); + return (rptr); +#else INSIST(dst__memory_pool != NULL); return (isc_mem_reallocate(dst__memory_pool, ptr, size)); +#endif } isc_result_t -dst__openssl_init() { +dst__openssl_init(const char *engine) { isc_result_t result; #ifdef USE_ENGINE - /* const char *name; */ ENGINE *re; +#else + + UNUSED(engine); #endif #ifdef DNS_CRYPTO_LEAKS 
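Review bot: In a build without USE_ENGINE, dst__openssl_init() reduces the new parameter to `UNUSED(engine);`, so a caller that explicitly asked for hardware crypto with -E gets software OpenSSL with no diagnostic — a silent downgrade, and one that also affects the "pkcs11" default if USE_PKCS11 can be defined without USE_ENGINE. Reject a non-empty request instead: `if (engine != NULL && *engine != '\0') return (DST_R_NOENGINE);` in the #else branch. Separately, the OPENSSL_LEAKS variants of mem_alloc()/mem_realloc() are behaviourally identical to the #else code; if the temporary exists to give a breakpoint location, say so in a one-line comment or drop the #ifdef. dst__openssl_init() continues outside the hunk.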
@@ -187,73 +193,26 @@ dst__openssl_init() { rm->add = entropy_add; rm->pseudorand = entropy_getpseudo; rm->status = entropy_status; + #ifdef USE_ENGINE OPENSSL_config(NULL); -#ifdef USE_PKCS11 -#ifndef PKCS11_SO_PATH -#define PKCS11_SO_PATH "/usr/local/lib/engines/engine_pkcs11.so" -#endif -#ifndef PKCS11_MODULE_PATH -#define PKCS11_MODULE_PATH "/usr/lib/libpkcs11.so" -#endif - { - /* - * to use this to config the PIN, add in openssl.cnf: - * - at the beginning: "openssl_conf = openssl_def" - * - at any place these sections: - * [ openssl_def ] - * engines = engine_section - * [ engine_section ] - * pkcs11 = pkcs11_section - * [ pkcs11_section ] - * PIN = my___pin - */ - const char *pre_cmds[] = { - "SO_PATH", PKCS11_SO_PATH, - "LOAD", NULL, - "MODULE_PATH", PKCS11_MODULE_PATH - }; - const char *post_cmds[] = { - /* "PIN", "my___pin" */ - }; - result = dst__openssl_load_engine("pkcs11", "pkcs11", - pre_cmds, 0, - post_cmds, /*1*/ 0); - if (result != ISC_R_SUCCESS) - goto cleanup_rm; - } -#else /* USE_PKCS11 */ - if (engine_id != NULL) { - e = ENGINE_by_id(engine_id); + if (engine != NULL && *engine == '\0') + engine = NULL; + + if (engine != NULL) { + e = ENGINE_by_id(engine); if (e == NULL) { - result = ISC_R_NOTFOUND; + result = DST_R_NOENGINE; goto cleanup_rm; } - if (!ENGINE_init(e)) { - result = ISC_R_FAILURE; - ENGINE_free(e); + /* This will init the engine. */ + if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) { + result = DST_R_NOENGINE; goto cleanup_rm; } - ENGINE_set_default(e, ENGINE_METHOD_ALL); - ENGINE_free(e); - if (he == NULL) - he = e; - } else { - ENGINE_register_all_complete(); - for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) { - - /* - * Something weird here. If we call ENGINE_finish() - * ENGINE_get_default_RAND() will fail. - */ - if (ENGINE_init(e)) { - if (he == NULL) - he = e; - } - } } -#endif /* USE_PKCS11 */ + re = ENGINE_get_default_RAND(); if (re == NULL) { re = ENGINE_new(); 
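Review bot: Once `ENGINE_set_default(e, ENGINE_METHOD_ALL)` succeeds, the following `re = ENGINE_get_default_RAND()` returns the user's engine whenever it implements RAND, so the branch that installs BIND's own `rm` method is skipped and the -r entropy device and ISC_ENTROPY_GOODONLY policy handed to dst_lib_init2() no longer govern OpenSSL's random bytes. That is presumably intended for HSMs but should be stated at the call, e.g. `/* An engine that supplies RAND replaces the isc_entropy-backed method; otherwise install ours. */`. Also worth a comment: OpenSSL's ENGINE_by_id() falls back to loading a dynamic engine module named after `engine` from its engines directory, so -E effectively names code to load and that directory must stay trusted. dst__openssl_init() starts and ends outside this hunk.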
@@ -266,7 +225,6 @@ dst__openssl_init() { ENGINE_free(re); } else ENGINE_finish(re); - #else RAND_set_rand_method(rm); #endif /* USE_ENGINE */ @@ -274,13 +232,18 @@ dst__openssl_init() { #ifdef USE_ENGINE cleanup_rm: + if (e != NULL) + ENGINE_free(e); + e = NULL; mem_free(rm); + rm = NULL; #endif cleanup_mutexinit: CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); cleanup_mutexalloc: mem_free(locks); + locks = NULL; return (result); } @@ -290,16 +253,22 @@ dst__openssl_destroy() { /* * Sequence taken from apps_shutdown() in . */ -#if (OPENSSL_VERSION_NUMBER >= 0x00907000L) - CONF_modules_unload(1); + if (rm != NULL) { +#if OPENSSL_VERSION_NUMBER >= 0x00907000L + RAND_cleanup(); #endif + mem_free(rm); + rm = NULL; + } +#if (OPENSSL_VERSION_NUMBER >= 0x00907000L) + CONF_modules_free(); +#endif + OBJ_cleanup(); EVP_cleanup(); #if defined(USE_ENGINE) - if (he != NULL) - ENGINE_finish(he); - else if (e != NULL) - ENGINE_finish(e); - he = e = NULL; + if (e != NULL) + ENGINE_free(e); + e = NULL; #if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L ENGINE_cleanup(); #endif @@ -308,23 +277,18 @@ dst__openssl_destroy() { CRYPTO_cleanup_all_ex_data(); #endif ERR_clear_error(); - ERR_free_strings(); ERR_remove_state(0); + ERR_free_strings(); #ifdef DNS_CRYPTO_LEAKS CRYPTO_mem_leaks_fp(stderr); #endif - if (rm != NULL) { -#if OPENSSL_VERSION_NUMBER >= 0x00907000L - RAND_cleanup(); -#endif - mem_free(rm); - } if (locks != NULL) { CRYPTO_set_locking_callback(NULL); DESTROYMUTEXBLOCK(locks, nlocks); mem_free(locks); + locks = NULL; } } 
@@ -345,90 +309,18 @@ dst__openssl_toresult(isc_result_t fallback) { } ENGINE * -dst__openssl_getengine(const char *name) { - - UNUSED(name); +dst__openssl_getengine(const char *engine) { + if (engine == NULL) + return (NULL); #if defined(USE_ENGINE) - return (he); -#else - return (NULL); -#endif -} - -isc_result_t -dst__openssl_setdefault(const char *name) { - - UNUSED(name); - -#if defined(USE_ENGINE) - ENGINE_set_default(e, ENGINE_METHOD_ALL); -#endif - /* - * XXXMPA If the engine does not have a default RAND method - * restore our method. - */ - return (ISC_R_SUCCESS); -} - -#ifdef USE_PKCS11 -/* - * 'name' is the name the engine is known by to the dst library. - * This may or may not match the name the engine is known by to - * openssl. It is the name that is stored in the private key file. - * - * 'engine_id' is the openssl engine name. - * - * pre_cmds and post_cmds a sequence if command argument pairs - * pre_num and post_num are a count of those pairs. - * - * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so") - * "LOAD", NULL - * "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so") - */ -static isc_result_t -dst__openssl_load_engine(const char *name, const char *engine_id, - const char **pre_cmds, int pre_num, - const char **post_cmds, int post_num) -{ - ENGINE *e; - - UNUSED(name); - - if (!strcasecmp(engine_id, "dynamic")) - ENGINE_load_dynamic(); - e = ENGINE_by_id(engine_id); if (e == NULL) - return (ISC_R_NOTFOUND); - while (pre_num--) { - if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) { - ENGINE_free(e); - return (ISC_R_FAILURE); - } - pre_cmds += 2; - } - if (!ENGINE_init(e)) { - ENGINE_free(e); - return (ISC_R_FAILURE); - } - /* - * ENGINE_init() returned a functional reference, so free the - * structural reference from ENGINE_by_id(). 
- */ - ENGINE_free(e); - while (post_num--) { - if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) { - ENGINE_free(e); - return (ISC_R_FAILURE); - } - post_cmds += 2; - } - if (he != NULL) - ENGINE_finish(he); - he = e; - return (ISC_R_SUCCESS); + return (NULL); + if (strcmp(engine, ENGINE_get_id(e)) == 0) + return (e); +#endif + return (NULL); } -#endif /* USE_PKCS11 */ #else /* OPENSSL */ diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 13f6b944be..e81b4b9ab4 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -17,7 +17,7 @@ /* * Principal Author: Brian Wellington - * $Id: opensslrsa_link.c,v 1.28 2009/09/23 11:16:50 fdupont Exp $ + * $Id: opensslrsa_link.c,v 1.29 2009/10/05 17:30:49 fdupont Exp $ */ #ifdef OPENSSL #ifndef USE_EVP @@ -968,6 +968,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, UNUSED(pin); + if (engine == NULL) + DST_RET(DST_R_NOENGINE); e = dst__openssl_getengine(engine); if (e == NULL) DST_RET(DST_R_NOENGINE); diff --git a/lib/isc/task.c b/lib/isc/task.c index ddd4a53478..f70ea490fc 100644 --- a/lib/isc/task.c +++ b/lib/isc/task.c @@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: task.c,v 1.110 2009/09/02 23:48:02 tbox Exp $ */ +/* $Id: task.c,v 1.111 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file * \author Principal Author: Bob Halley @@ -40,6 +40,10 @@ #include #include +#ifdef OPENSSL_LEAKS +#include +#endif + /*% * For BIND9 internal applications: * when built with threads we use multiple worker threads shared by the whole @@ -1156,6 +1160,10 @@ run(void *uap) { XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL, ISC_MSG_EXITING, "exiting")); +#ifdef OPENSSL_LEAKS + ERR_remove_state(0); +#endif + return ((isc_threadresult_t)0); } #endif /* USE_WORKER_THREADS */ diff --git a/lib/isc/timer.c b/lib/isc/timer.c index f9c4bf8653..891eb69aac 100644 --- a/lib/isc/timer.c +++ b/lib/isc/timer.c 
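Review bot: dst__openssl_getengine() now hands back the file-static `e` without taking an ENGINE reference, and dst__openssl_destroy() frees that same pointer, so a caller that calls `ENGINE_free()` or `ENGINE_finish()` on the result will double-release it at shutdown; that contract is not written anywhere. I would put a header comment on the function: `/* Return the engine selected with -E at dst__openssl_init() if its OpenSSL id matches 'engine', else NULL. The pointer is borrowed; callers must not ENGINE_free()/ENGINE_finish() it. */`. The same comment should say that a key whose engine name differs from the one given at init is refused with NULL (DST_R_NOENGINE in the callers), since only one engine can ever be returned.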
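Review bot: The added `if (engine == NULL) DST_RET(DST_R_NOENGINE);` in opensslrsa_fromlabel() duplicates the NULL check that dst__openssl_getengine() performs itself in this same change, so the `e == NULL` test on the next line already covers it. Either drop it or keep it as a deliberate guard with a comment such as `/* Explicit so the result stays DST_R_NOENGINE even if getengine() changes. */`. The `UNUSED(pin);` just above means a PIN supplied by the caller is silently discarded; a one-line comment pointing at openssl.cnf as the place the PIN is configured would save the next reader a search. The function's body continues outside the hunk.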
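Review bot: The `ERR_remove_state(0)` added at the end of the task worker's run() is compiled only under OPENSSL_LEAKS, so in a normal build the thread's OpenSSL error queue is still never released. From the hunk this happens once per worker at shutdown, which is presumably why it is treated as a leak-checker aid rather than a fix, but the gate deserves a comment: `/* Leak-check builds only: release this thread's OpenSSL error queue so the shutdown leak report stays clean. */`. run() begins outside the hunk.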
@@ -15,7 +15,7 @@ * PERFORMANCE OF THIS SOFTWARE. */ -/* $Id: timer.c,v 1.94 2009/09/03 21:55:13 jinmei Exp $ */ +/* $Id: timer.c,v 1.95 2009/10/05 17:30:49 fdupont Exp $ */ /*! \file */ @@ -34,6 +34,10 @@ #include #include +#ifdef OPENSSL_LEAKS +#include +#endif + /* See task.c about the following definition: */ #ifdef BIND9 #ifdef ISC_PLATFORM_USETHREADS @@ -828,6 +832,10 @@ run(void *uap) { } UNLOCK(&manager->lock); +#ifdef OPENSSL_LEAKS + ERR_remove_state(0); +#endif + return ((isc_threadresult_t)0); } #endif /* USE_TIMER_THREAD */
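Review bot: With this hunk and the matching include above it, lib/isc, which shows no other OpenSSL dependency here, gains a direct libcrypto call on the timer thread's exit path, gated only by OPENSSL_LEAKS. A thread-exit hook registered by lib/dns, which already owns the OpenSSL lifecycle in dst__openssl_init()/dst__openssl_destroy(), would keep the layering clean and would cover any other thread that touches OpenSSL. If the direct call stays, a comment such as `/* Free this thread's OpenSSL error state before exit (leak-check builds only). */` explains why a timer thread knows about libcrypto. run() begins outside the hunk.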