dns/bind9
dns/bind9
1
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9.git synced 2025-04-18 09:44:09 +03:00
Code

Remove OpenSSL Engine support

Browse Source 
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
and is going to be removed.  Remove the OpenSSL Engine support in favor
of OpenSSL Providers.
This commit is contained in:
Ondřej Surý 2024-08-05 11:40:42 +02:00
parent 1688c96bda
commit ef7aba7072
No known key found for this signature in database
GPG Key ID: 2820F37E873DEA41
69 changed files with 161 additions and 575 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
.gitlab-ci.yml
View File

@ -1327,10 +1327,6 @@ gcc:bullseye:amd64:
<<: *build_job
system:gcc:bullseye:amd64:
# Set up environment variables that allow the "keyfromlabel" system test to be run
variables:
OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
<<: *debian_bullseye_amd64_image
<<: *system_test_job
needs:
@ -1358,10 +1354,6 @@ clang:bookworm:amd64:
<<: *build_job
system:clang:bookworm:amd64:
# Set up environment variables that allow the "keyfromlabel" system test to be run
variables:
OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
<<: *debian_bookworm_amd64_image
<<: *system_test_job
needs:

1
OPTIONS.md
View File

@ -26,4 +26,3 @@ Some of these settings are:
| `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult |
| `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` |
| `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports |
| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support |

2
bin/check/named-checkconf.c
View File

@ -728,7 +728,7 @@ main(int argc, char **argv) {
CHECK(setup_logging(mctx, stdout, &logc));
CHECK(dst_lib_init(mctx, NULL));
CHECK(dst_lib_init(mctx));
cleanup_dst = true;
CHECK(cfg_parser_create(mctx, logc, &parser));

2
bin/confgen/keygen.c
View File

@ -120,7 +120,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
fatal("unsupported algorithm %d\n", alg);
}
DO("initialize dst library", dst_lib_init(mctx, NULL));
DO("initialize dst library", dst_lib_init(mctx));
DO("generate key",
dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY,

2
bin/delv/delv.c
View File

@ -2220,7 +2220,7 @@ main(int argc, char *argv[]) {
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
loop = isc_loop_main(loopmgr);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("dst_lib_init failed: %d", result);
}

2
bin/dig/dighost.c
View File

@ -1375,7 +1375,7 @@ setup_libs(void) {
isc_mem_setname(mctx, "dig");
mainloop = isc_loop_main(loopmgr);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
check_result(result, "dst_lib_init");
is_dst_up = true;
}

2
bin/dnssec/dnssec-cds.c
View File

@ -1180,7 +1180,7 @@ main(int argc, char *argv[]) {
setup_logging(mctx, &lctx);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));

2
bin/dnssec/dnssec-dsfromkey.c
View File

@ -489,7 +489,7 @@ main(int argc, char **argv) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));

2
bin/dnssec/dnssec-importkey.c
View File

@ -408,7 +408,7 @@ main(int argc, char **argv) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));

11
bin/dnssec/dnssec-keyfromlabel.c
View File

@ -63,8 +63,6 @@ usage(void) {
" ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
@ -112,7 +110,6 @@ main(int argc, char **argv) {
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
const char *engine = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
@ -176,7 +173,7 @@ main(int argc, char **argv) {
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
@ -335,7 +332,7 @@ main(int argc, char **argv) {
}
}
ret = dst_lib_init(mctx, engine);
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
@ -595,8 +592,8 @@ main(int argc, char **argv) {
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
label, NULL, mctx, &key);
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];

14
bin/dnssec/dnssec-keyfromlabel.rst
View File

@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
@ -63,22 +63,12 @@ Options
versions, then the NSEC3 version is used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
.. option:: -E engine
This option specifies the cryptographic hardware to use.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -l label
This option specifies the label for a key pair in the crypto hardware.
When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
an arbitrary string that identifies a particular key. It may be
preceded by an optional OpenSSL engine name, followed by a colon, as
in ``pkcs11:keylabel``.
an arbitrary string that identifies a particular key.
.. option:: -n nametype

9
bin/dnssec/dnssec-keygen.c
View File

@ -176,8 +176,6 @@ usage(void) {
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f <keyflag>: ZSK | KSK | REVOKE\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
@ -842,7 +840,6 @@ main(int argc, char **argv) {
isc_mem_t *mctx = NULL;
isc_result_t ret;
isc_textregion_t r;
const char *engine = NULL;
unsigned char c;
int ch;
bool set_fips_mode = false;
@ -921,7 +918,7 @@ main(int argc, char **argv) {
}
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
@ -1140,7 +1137,7 @@ main(int argc, char **argv) {
}
}
ret = dst_lib_init(mctx, engine);
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
@ -1245,7 +1242,7 @@ main(int argc, char **argv) {
}
kasp_from_conf(config, mctx, lctx, ctx.policy,
ctx.directory, engine, &kasp);
ctx.directory, &kasp);
if (kasp == NULL) {
fatal("failed to load dnssec-policy '%s'",
ctx.policy);

10
bin/dnssec/dnssec-keygen.rst
View File

@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
@ -94,14 +94,6 @@ Options
and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
ECDSAP384SHA384, ED25519, and ED448.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f flag
This option sets the specified flag in the flag field of the KEY/DNSKEY record.

9
bin/dnssec/dnssec-ksr.c
View File

@ -41,7 +41,6 @@ const char *program = "dnssec-ksr";
*/
static isc_log_t *lctx = NULL;
static isc_mem_t *mctx = NULL;
const char *engine = NULL;
/*
* The domain we are working on
*/
@ -122,7 +121,6 @@ usage(int ret) {
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "\n");
fprintf(stderr, "Options:\n");
fprintf(stderr, " -E <engine>: name of an OpenSSL engine to use\n");
fprintf(stderr, " -e <date/offset>: end date\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -f: KSR file to sign\n");
@ -173,8 +171,7 @@ getkasp(ksr_ctx_t *ksr, dns_kasp_t **kasp) {
fatal("unable to load dnssec-policy '%s' from '%s'",
ksr->policy, ksr->configfile);
}
kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, engine,
kasp);
kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, kasp);
if (*kasp == NULL) {
fatal("failed to load dnssec-policy '%s'", ksr->policy);
}
@ -1213,7 +1210,7 @@ main(int argc, char *argv[]) {
while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'e':
ksr.end = strtotime(isc_commandline_argument, ksr.now,
@ -1267,7 +1264,7 @@ main(int argc, char *argv[]) {
fatal("must provide a command and zone name");
}
ret = dst_lib_init(mctx, engine);
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}

10
bin/dnssec/dnssec-ksr.rst
View File

@ -21,7 +21,7 @@ dnssec-ksr - Create signed key response (SKR) files for offline KSK setups
Synopsis
~~~~~~~~
:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
:program:`dnssec-ksr` [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
Description
~~~~~~~~~~~
@ -40,14 +40,6 @@ server.
Options
~~~~~~~
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -e date/offset
This option sets the end date for which keys or SKRs need to be generated

6
bin/dnssec/dnssec-revoke.c
View File

@ -46,7 +46,6 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -K directory: use directory for key files\n");
@ -64,7 +63,6 @@ usage(void) {
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
char const *filename = NULL;
char *dir = NULL;
char newname[1024], oldname[1024];
@ -89,7 +87,7 @@ main(int argc, char **argv) {
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
force = true;
@ -159,7 +157,7 @@ main(int argc, char **argv) {
}
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));

10
bin/dnssec/dnssec-revoke.rst
View File

@ -21,7 +21,7 @@ dnssec-revoke - set the REVOKED bit on a DNSSEC key
Synopsis
~~~~~~~~
:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-f**] [**-R**] {keyfile}
Description
~~~~~~~~~~~
@ -53,14 +53,6 @@ Options
This option prints version information.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f
This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair,

6
bin/dnssec/dnssec-settime.c
View File

@ -51,7 +51,6 @@ usage(void) {
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
@ -186,7 +185,6 @@ writekey(dst_key_t *key, const char *directory, bool write_state) {
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
const char *filename = NULL;
char *directory = NULL;
char keystr[DST_KEY_FORMATSIZE];
@ -314,7 +312,7 @@ main(int argc, char **argv) {
&setdstime);
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
force = true;
@ -555,7 +553,7 @@ main(int argc, char **argv) {
fatal("Options -g, -d, -k, -r and -z require -s to be set");
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));

10
bin/dnssec/dnssec-settime.rst
View File

@ -21,7 +21,7 @@ dnssec-settime: set the key timing metadata for a DNSSEC key
Synopsis
~~~~~~~~
:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
Description
~~~~~~~~~~~
@ -97,14 +97,6 @@ Options
This option sets the debugging level.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
Timing Options
~~~~~~~~~~~~~~

7
bin/dnssec/dnssec-signzone.c
View File

@ -3263,8 +3263,6 @@ usage(void) {
fprintf(stderr, "\t-a:\t");
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
fprintf(stderr, "\t-Q:\t");
@ -3353,7 +3351,6 @@ main(int argc, char *argv[]) {
dns_dnsseckey_t *key;
isc_result_t result, vresult;
isc_log_t *log = NULL;
const char *engine = NULL;
bool free_output = false;
int tempfilelen = 0;
dns_rdataclass_t rdclass;
@ -3461,7 +3458,7 @@ main(int argc, char *argv[]) {
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'e':
@ -3748,7 +3745,7 @@ main(int argc, char *argv[]) {
}
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));

11
bin/dnssec/dnssec-signzone.rst
View File

@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool
Synopsis
~~~~~~~~
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
@ -62,15 +62,6 @@ Options
``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>`
or serial-number updating.
.. option:: -E engine
This option specifies the hardware to use for cryptographic
operations, such as a secure key store used for signing, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)

7
bin/dnssec/dnssec-verify.c
View File

@ -157,8 +157,6 @@ usage(void) {
fprintf(stderr, "\t-I format:\n");
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
@ -171,7 +169,6 @@ main(int argc, char *argv[]) {
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
const char *engine = NULL;
char *classname = NULL;
dns_rdataclass_t rdclass;
char *endp;
@ -215,7 +212,7 @@ main(int argc, char *argv[]) {
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'I':
@ -275,7 +272,7 @@ main(int argc, char *argv[]) {
}
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));

10
bin/dnssec/dnssec-verify.rst
View File

@ -21,7 +21,7 @@ dnssec-verify - DNSSEC zone verification tool
Synopsis
~~~~~~~~
:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
:program:`dnssec-verify` [**-c** class] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
Description
~~~~~~~~~~~
@ -37,14 +37,6 @@ Options
This option specifies the DNS class of the zone.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -I input-format
This option sets the format of the input zone file. Possible formats are ``text``

9
bin/dnssec/dnssectool.c
View File

@ -605,8 +605,7 @@ cleanup:
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
const char *name, const char *keydir, const char *engine,
dns_kasp_t **kaspp) {
const char *name, const char *keydir, dns_kasp_t **kaspp) {
isc_result_t result = ISC_R_NOTFOUND;
const cfg_listelt_t *element;
const cfg_obj_t *kasps = NULL;
@ -625,8 +624,8 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
{
cfg_obj_t *kconfig = cfg_listelt_value(element);
ks = NULL;
result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
&kslist, NULL);
result = cfg_keystore_fromconfig(kconfig, mctx, lctx, &kslist,
NULL);
if (result != ISC_R_SUCCESS) {
fatal("failed to configure key-store '%s': %s",
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
@ -635,7 +634,7 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
}
/* Default key-directory key store. */
ks = NULL;
(void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
(void)cfg_keystore_fromconfig(NULL, mctx, lctx, &kslist, &ks);
INSIST(ks != NULL);
if (keydir != NULL) {
/* '-K keydir' takes priority */

3
bin/dnssec/dnssectool.h
View File

@ -119,5 +119,4 @@ loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
const char *name, const char *keydir, const char *engine,
dns_kasp_t **kaspp);
const char *name, const char *keydir, dns_kasp_t **kaspp);

2
bin/named/include/named/globals.h
View File

@ -129,8 +129,6 @@ EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/"
EXTERN const char *named_g_username INIT(NULL);
EXTERN const char *named_g_engine INIT(NULL);
EXTERN isc_time_t named_g_boottime;
EXTERN isc_time_t named_g_configtime;
EXTERN bool named_g_memstatistics INIT(false);

7
bin/named/main.c
View File

@ -307,7 +307,7 @@ library_unexpected_error(const char *file, int line, const char *func,
static void
usage(void) {
fprintf(stderr, "usage: named [-4|-6] [-c conffile] [-d debuglevel] "
"[-D comment] [-E engine]\n"
"[-D comment]\n"
" [-f|-g] [-L logfile] [-n number_of_cpus] "
"[-p port] [-s]\n"
" [-S sockets] [-t chrootdir] [-u "
@ -632,7 +632,7 @@ printversion(bool verbose) {
printf("threads support is enabled\n");
isc_mem_create(&mctx);
result = dst_lib_init(mctx, named_g_engine);
result = dst_lib_init(mctx);
if (result == ISC_R_SUCCESS) {
isc_buffer_init(&b, buf, sizeof(buf));
format_supported_algorithms(printit);
@ -894,7 +894,8 @@ parse_command_line(int argc, char *argv[]) {
/* Descriptive comment for 'ps'. */
break;
case 'E':
named_g_engine = isc_commandline_argument;
named_main_earlyfatal(
"%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
named_g_foreground = true;

11
bin/named/named.rst
View File

@ -21,7 +21,7 @@ named - Internet domain name server
Synopsis
~~~~~~~~
:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ]
:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ]
Description
~~~~~~~~~~~
@ -73,15 +73,6 @@ Options
This option specifies a string that is used to identify a instance of :program:`named`
in a process listing. The contents of ``string`` are not examined.
.. option:: -E engine-name
When applicable, this option specifies the hardware to use for cryptographic
operations, such as a secure key store used for signing.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f
This option runs the server in the foreground (i.e., do not daemonize).

9
bin/named/server.c
View File

@ -8988,7 +8988,7 @@ load_configuration(const char *filename, named_server_t *server,
* Create the built-in key store ("key-directory").
*/
result = cfg_keystore_fromconfig(NULL, named_g_mctx, named_g_lctx,
named_g_engine, &keystorelist, NULL);
&keystorelist, NULL);
if (result != ISC_R_SUCCESS) {
goto cleanup_keystorelist;
}
@ -9004,8 +9004,8 @@ load_configuration(const char *filename, named_server_t *server,
cfg_obj_t *kconfig = cfg_listelt_value(element);
keystore = NULL;
result = cfg_keystore_fromconfig(kconfig, named_g_mctx,
named_g_lctx, named_g_engine,
&keystorelist, NULL);
named_g_lctx, &keystorelist,
NULL);
if (result != ISC_R_SUCCESS) {
goto cleanup_keystorelist;
}
@ -10331,8 +10331,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
ISC_LIST_INIT(server->viewlist);
/* Must be first. */
CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine),
"initializing DST");
CHECKFATAL(dst_lib_init(named_g_mctx), "initializing DST");
CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL,
&server->in_roothints),

2
bin/nsupdate/nsupdate.c
View File

@ -926,7 +926,7 @@ setup_system(void *arg ISC_ATTR_UNUSED) {
result = dns_dispatchmgr_create(gmctx, loopmgr, netmgr, &dispatchmgr);
check_result(result, "dns_dispatchmgr_create");
result = dst_lib_init(gmctx, NULL);
result = dst_lib_init(gmctx);
check_result(result, "dst_lib_init");
is_dst_up = true;

2
bin/tests/system/enginepkcs11/clean.sh
View File

@ -25,7 +25,7 @@ rm -f ns*/*.kskid1 ns*/*.kskid2 ns*/*.zskid1 ns/*.zskid2
rm -f ns*/dig.out.*
rm -f ns*/K*
rm -f ns*/keygen.out.*
rm -f ns*/named.conf ns1/named.args ns1/named.run ns1/named.memstats
rm -f ns*/named.conf ns1/named.run ns1/named.memstats
rm -f ns*/pin
rm -f ns*/update.cmd.*
rm -f ns*/update.log.*

1
bin/tests/system/enginepkcs11/ns1/named.args Normal file
View File

@ -0,0 +1 @@
-D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152

1
bin/tests/system/enginepkcs11/ns1/named.args.in
View File

@ -1 +0,0 @@
@ENGINE_ARGS@ -D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152

1
bin/tests/system/enginepkcs11/ns2/named.args Normal file
View File

@ -0,0 +1 @@
-D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152

1
bin/tests/system/enginepkcs11/ns2/named.args.in
View File

@ -1 +0,0 @@
@ENGINE_ARGS@ -D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152

10
bin/tests/system/enginepkcs11/setup.sh
View File

@ -41,13 +41,12 @@ keyfromlabel() {
dir="$4"
shift 4
$KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
$KEYFRLAB -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
# Setup ns1.
copy_setports ns1/named.conf.in ns1/named.conf
sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns1/named.args.in >ns1/named.args
mkdir ns1/keys
@ -91,7 +90,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}"
$SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1
$SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"
@ -183,7 +182,6 @@ done
# Setup ns2 (with views).
copy_setports ns2/named.conf.in ns2/named.conf
sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" <ns2/named.args.in >ns2/named.args
mkdir ns2/keys
@ -226,11 +224,11 @@ if [ "${supported}" = 1 ]; then
echo_i "Sign zone with $ksk1 $zsk1"
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile1}"
$SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1
$SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1
test "$ret" -eq 0 || exit 1
cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile2}"
$SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1
$SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1
test "$ret" -eq 0 || exit 1
echo_i "Generate successor keys $alg $type:$bits for zone $zone"

2
bin/tests/system/enginepkcs11/tests.sh
View File

@ -255,7 +255,7 @@ EOF
n=$((n + 1))
ret=0
echo_i "Test dnssec-keygen for $zone ($n)"
$KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
$KEYGEN -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1
check_keys $zone 2 || ret=1
status=$((status + ret))

4
bin/tests/system/feature-test.c
View File

@ -202,7 +202,7 @@ main(int argc, char **argv) {
int answer;
isc_mem_create(&mctx);
dst_lib_init(mctx, NULL);
dst_lib_init(mctx);
answer = dst_algorithm_supported(DST_ALG_HMACMD5) ? 0 : 1;
dst_lib_destroy();
isc_mem_detach(&mctx);
@ -232,7 +232,7 @@ main(int argc, char **argv) {
int answer;
isc_mem_t *mctx = NULL;
isc_mem_create(&mctx);
dst_lib_init(mctx, NULL);
dst_lib_init(mctx);
answer = dst_algorithm_supported(DST_ALG_RSASHA1) ? 0 : 1;
dst_lib_destroy();
isc_mem_detach(&mctx);

9
bin/tests/system/isctest/vars/openssl.py
View File

@ -20,15 +20,12 @@ OPENSSL_VARS = {
"OPENSSL_CONF": os.getenv("OPENSSL_CONF", None),
"SOFTHSM2_CONF": os.getenv("SOFTHSM2_CONF", None),
"SOFTHSM2_MODULE": None,
"ENGINE_ARG": None,
}
def parse_openssl_config(path: Optional[str]):
if path is None or not os.path.exists(path):
OPENSSL_VARS["ENGINE_ARG"] = None
OPENSSL_VARS["SOFTHSM2_MODULE"] = None
os.environ.pop("ENGINE_ARG", None)
os.environ.pop("SOFTHSM2_MODULE", None)
return
assert os.path.isfile(path), f"{path} exists, but it's not a file"
@ -41,11 +38,7 @@ def parse_openssl_config(path: Optional[str]):
if res:
key = res.group(1).strip()
val = res.group(2).strip()
if key == "engine_id":
OPENSSL_VARS["ENGINE_ARG"] = f"-E {val}"
os.environ["ENGINE_ARG"] = f"-E {val}"
log.debug("ENGINE_ARG set to {OPENSSL_VARS['ENGINE_ARG']}")
elif key in ["MODULE_PATH", "pkcs11-module-path"]:
if key in ["MODULE_PATH", "pkcs11-module-path"]:
OPENSSL_VARS["SOFTHSM2_MODULE"] = val
os.environ["SOFTHSM2_MODULE"] = val
log.debug(

4
bin/tests/system/keyfromlabel/tests.sh
View File

@ -35,7 +35,7 @@ keyfromlabel() {
id="$3"
shift 3
$KEYFRLAB $ENGINE_ARG -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1
$KEYFRLAB -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1
cat keyfromlabel.out.$zone.$id
}
@ -84,7 +84,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \
echo_i "Sign zone with $ksk $zsk"
ret=0
cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile"
$SIGNER $ENGINE_ARG -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1
$SIGNER -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
fi

2
bin/tests/system/makejournal.c
View File

@ -101,7 +101,7 @@ main(int argc, char **argv) {
isc_mem_debugging |= ISC_MEM_DEBUGRECORD;
isc_mem_create(&mctx);
CHECK(dst_lib_init(mctx, NULL));
CHECK(dst_lib_init(mctx));
dst_active = true;
isc_log_create(mctx, &lctx, &logconfig);

2
bin/tests/system/pipelined/pipequeries.c
View File

@ -275,7 +275,7 @@ main(int argc, char *argv[]) {
isc_log_create(mctx, &lctx, &lcfg);
RUNCHECK(dst_lib_init(mctx, NULL));
RUNCHECK(dst_lib_init(mctx));
RUNCHECK(dns_dispatchmgr_create(mctx, loopmgr, netmgr, &dispatchmgr));

2
bin/tests/system/rsabigexponent/bigkey.c
View File

@ -105,7 +105,7 @@ main(int argc, char **argv) {
}
isc_mem_create(&mctx);
CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()");
CHECK(dst_lib_init(mctx), "dst_lib_init()");
isc_log_create(mctx, &log_, &logconfig);
isc_log_setcontext(log_);
dns_log_init(log_);

2
bin/tools/mdig.c
View File

@ -2131,7 +2131,7 @@ main(int argc, char *argv[]) {
isc_managers_create(&mctx, 1, &loopmgr, &netmgr);
isc_log_create(mctx, &lctx, &lcfg);
RUNCHECK(dst_lib_init(mctx, NULL));
RUNCHECK(dst_lib_init(mctx));
isc_nonce_buf(cookie_secret, sizeof(cookie_secret));
ISC_LIST_INIT(queries);

21
doc/arm/build.inc.rst
View File

@ -62,18 +62,17 @@ To build BIND 9, the following packages must be installed:
- ``perl``
- ``pkg-config`` / ``pkgconfig`` / ``pkgconf``
BIND 9.20 requires ``libuv`` 1.34.0 or higher, using ``libuv`` >= 1.40.0
is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is
not supported, as this could lead to an assertion failure in the UDP
receive code. On older systems, an updated ``libuv`` package needs to be
installed from sources such as EPEL, PPA, or other native sources. The
other option is to build and install ``libuv`` from source.
BIND 9.20 requires ``libuv`` 1.37.0 or higher, using ``libuv`` >= 1.40.0 is
recommended. On older systems, an updated ``libuv`` package needs to be
installed from sources such as EPEL, PPA, or other native sources. The other
option is to build and install ``libuv`` from source.
OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed
in a nonstandard location, specify the prefix using
``--with-openssl=<PREFIX>`` on the ``configure`` command line. To use a
PKCS#11 hardware service module for cryptographic operations,
``engine_pkcs11`` from the OpenSC project must be compiled and used.
OpenSSL 1.1.1 or newer is required. If the OpenSSL library is installed
in a nonstandard location, specify the prefix using ``PKG_CONFIG_PATH``.
To use a PKCS#11 hardware service module for cryptographic operations,
PKCS#11 Provider (https://github.com/latchset/pkcs11-provider/tree/main)
must be compiled, configured and used directly in the OpenSSL 3.x.
The Userspace RCU library ``liburcu`` (https://liburcu.org/) is used
for lock-free data structures and concurrent safe memory reclamation.

151
doc/arm/pkcs11.inc.rst
View File

@ -23,12 +23,10 @@ library which provides a low-level PKCS#11 interface to drive the HSM
hardware. The PKCS#11 provider library comes from the HSM vendor, and it
is specific to the HSM to be controlled.
BIND 9 access PKCS#11 libraries via OpenSSL extensions. The extension for
OpenSSL 3 and newer is `pkcs11-provider`_. And for the older OpenSSL versions
engine_pkcs11 from the `OpenSC`_ project can be used.
BIND 9 access PKCS#11 libraries via OpenSSL Providers. The provider for
OpenSSL 3 and newer is `pkcs11-provider`_.
.. _`pkcs11-provider`: https://github.com/latchset/pkcs11-provider
.. _OpenSC: https://github.com/OpenSC/libp11
In both cases the extension is dynamically loaded into OpenSSL and the HSM is
operated indirectly; any cryptographic operations not supported by the HSM can
@ -67,102 +65,6 @@ with BIND.
$ make install
$ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2
OpenSSL 1.x.x with engine_pkcs11
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
OpenSSL engine-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project.
engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL.
That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine
API. One has to register the engine with OpenSSL and one has to provide the
path to the PKCS#11 module which should be gatewayed to. This can be done by
editing the OpenSSL configuration file, by engine specific controls, or by using
the p11-kit proxy module.
It is recommended, that libp11 >= 0.4.12 is used.
For more detailed howto including the examples, we recommend reading:
https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11
When using engine_pkcs11, all BIND binaries potentially need the keys require
'-E pkcs11' argument to activate the engine support.
Even though OpenSSL 3 has compatibility support for Engine API it is not
recommended to be used due to bugs in OpenSSL and libp11.
It is not possible to generate new keys via the engine_pkcs11 and therefore it
is not recommended to use it in a ``dnssec-policy`` setup (although it is
possible to put previously generated keys in the ``key-directory`` and let the
key manager select those keys when a key rollover is started.
Configuring engine_pkcs11
^^^^^^^^^^^^^^^^^^^^^^^^^
The canonical documentation for configuring engine_pkcs11 is in the
`libp11/README.md`_, but here's copy of working configuration for
your convenience:
.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration
We are going to use our own custom copy of OpenSSL configuration, again it's
driven by an environment variable, this time called OPENSSL_CONF. We are
going to copy the global OpenSSL configuration (often found in
``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11.
::
cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf
and export the environment variable:
::
export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf
Now add the following line at the top of file, before any sections (in square
brackets) are defined:
::
openssl_conf = openssl_init
And make sure there are no other 'openssl_conf = ...' lines in the file.
Add following lines at the bottom of the file:
::
[openssl_init]
engines=engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = <PATHTO>/pkcs11.so
MODULE_PATH = <FULL_PATH_TO_HSM_MODULE>
# if automatic logging to the token is needed, PIN can be specified as below
#PIN = 1234
init = 0
Enabling the OpenSSL Engine in BIND commands
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
When using OpenSSL Engine-based PKCS#11, the "engine" to be used by OpenSSL can be
specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E
<engine>`` command line option. This engine name matches the 'engine_id' in the
``openssl.cnf`` created in previous section.
The zone signing commences as usual, with only one small difference. We need to
provide the name of the OpenSSL engine using the -E command line option.
::
dnssec-signzone -E pkcs11 -S -o example.net example.net
OpenSSL 3 with pkcs11-provider
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -170,16 +72,13 @@ OpenSSL provider-based PKCS#11 uses pkcs11-provider project.
pkcs11-provider tries to fit the PKCS#11 API within the Provider API of OpenSSL.
That is, it provides a gateway between PKCS#11 modules and the OpenSSL Provider
API. One has to register the engine with OpenSSL and one has to provide the
API. One has to register the provider with OpenSSL and one has to provide the
path to the PKCS#11 module which should be gatewayed to. This can be done by
editing the OpenSSL configuration file, by engine specific controls, or by using
the p11-kit proxy module.
editing the OpenSSL configuration file, using provider specific controls, or
by using the p11-kit proxy module.
It is required to use pkcs11-provider git commit
2e8c26b4157fd21422c66f0b4d7b26cf8c320570 from October 2, 2023 or later.
BIND support for pkcs11-provider is built in and the -E command line option
explained above should not be used.
It is required to use pkcs11-provider version 0.3 or later. It is recommended
to use the lastest version available.
Configuring pkcs11-provider
^^^^^^^^^^^^^^^^^^^^^^^^^^^
@ -248,9 +147,14 @@ HSM keys can now be created and used. We are going to assume that you already
have a BIND 9 installed, either from a package, or from the sources, and the
tools are readily available in the ``$PATH``.
For generating the keys, we are going to use ``pkcs11-tool`` available from the
OpenSC suite. On both DEB-based and RPM-based distributions, the package is
called opensc.
A zone that is configured with ``dnssec-policy`` can generate keys through
the PKCS#11 Provider API of OpenSSL.
If you want to create keys manually, the ``pkcs11-tool`` available from the
`OpenSC`_ suite can be used. On both DEB-based and RPM-based distributions,
the package is called opensc.
.. _OpenSC: https://github.com/OpenSC/libp11
We need to generate at least two RSA keys:
@ -266,23 +170,23 @@ Convert the RSA keys stored in the HSM into a format that BIND 9 understands.
The :iscman:`dnssec-keyfromlabel` tool from BIND 9 can link the raw keys stored in the
HSM with the ``K<zone>+<alg>+<id>`` files.
You'll need to provide the OpenSSL engine name (``pkcs11``) if using the engine and
the algorithm (``RSASHA256``). The key is referenced with the PKCS#11 URI scheme and it
can contain the PKCS#11 token label (we asume that it has been initialized as bind9),
and the PKCS#11 object label (called label when generating the keys using ``pkcs11-tool``)
and the HSM PIN. Refer to :rfc:`7512` for the full PKCS#11 URI specification.
You'll need to provide the algorithm (``RSASHA256``). The key is referenced with
the PKCS#11 URI scheme and it can contain the PKCS#11 token label (we asume that
it has been initialized as bind9), and the PKCS#11 object label (called label
when generating the keys using ``pkcs11-tool``) and the HSM PIN. Refer to
:rfc:`7512` for the full PKCS#11 URI specification.
Convert the KSK:
::
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net
and ZSK:
::
dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net
dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net
NOTE: you can use PIN stored on disk, by specifying ``pin-source=<path_to>/<file>``, f.e.:
@ -327,15 +231,10 @@ this is when creating ECDSA keys, you should specify a unique ID:
Running :iscman:`named` With Automatic Zone Re-signing
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The zone can also be signed automatically by named. Again, we need to provide
the name of the OpenSSL engine using the :option:`-E <named -E>` command line option,
if using OpenSSL 1.x.x with engine_pkcs11, and this is not needed when using OpenSSL 3.x.x providers.
Once the keys are created, the zone can also be signed automatically by named
without further requisites.
::
named -E pkcs11 -c named.conf
and the logs should have lines like:
The logs should have lines like:
::

2
fuzz/dns_message_checksig.c
View File

@ -173,7 +173,7 @@ LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) {
isc_mem_create(&mctx);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fprintf(stderr, "dst_lib_init failed: %s\n",
isc_result_totext(result));

15
lib/dns/dst_api.c
View File

@ -190,16 +190,14 @@ addsuffix(char *filename, int len, const char *dirname, const char *ofilename,
} while (0);
isc_result_t
dst_lib_init(isc_mem_t *mctx, const char *engine) {
dst_lib_init(isc_mem_t *mctx) {
isc_result_t result;
REQUIRE(mctx != NULL);
REQUIRE(!dst_initialized);
UNUSED(engine);
memset(dst_t_func, 0, sizeof(dst_t_func));
RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */
dst__openssl_init(); /* Sets FIPS mode. */
RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
@ -998,8 +996,8 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg,
isc_result_t
dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
const char *engine, const char *label, const char *pin,
isc_mem_t *mctx, dst_key_t **keyp) {
const char *label, const char *pin, isc_mem_t *mctx,
dst_key_t **keyp) {
dst_key_t *key;
isc_result_t result;
@ -1018,7 +1016,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
return (DST_R_UNSUPPORTEDALG);
}
result = key->func->fromlabel(key, engine, label, pin);
result = key->func->fromlabel(key, label, pin);
if (result != ISC_R_SUCCESS) {
dst_key_free(&key);
return (result);
@ -1408,9 +1406,6 @@ dst_key_free(dst_key_t **keyp) {
if (key->directory != NULL) {
isc_mem_free(mctx, key->directory);
}
if (key->engine != NULL) {
isc_mem_free(mctx, key->engine);
}
if (key->label != NULL) {
isc_mem_free(mctx, key->label);
}

11
lib/dns/dst_internal.h
View File

@ -92,8 +92,7 @@ struct dst_key {
dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */
isc_mem_t *mctx; /*%< memory context */
char *directory; /*%< key directory */
char *engine; /*%< engine name (HSM) */
char *label; /*%< engine label (HSM) */
char *label; /*%< HSM label */
union {
void *generic;
dns_gss_ctx_id_t gssctx;
@ -185,8 +184,8 @@ struct dst_func {
/* cleanup */
void (*cleanup)(void);
isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
const char *label, const char *pin);
isc_result_t (*fromlabel)(dst_key_t *key, const char *label,
const char *pin);
isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
int *length);
isc_result_t (*restore)(dst_key_t *key, const char *keystr);
@ -195,8 +194,8 @@ struct dst_func {
/*%
* Initializers
*/
isc_result_t
dst__openssl_init(const char *engine);
void
dst__openssl_init(void);
isc_result_t
dst__hmacmd5_init(struct dst_func **funcp);

9
lib/dns/dst_openssl.h
View File

@ -41,14 +41,9 @@ isc_result_t
dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname,
isc_result_t fallback, const char *file, int line);
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *
dst__openssl_getengine(const char *engine);
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
isc_result_t
dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv);
dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,
EVP_PKEY **ppub, EVP_PKEY **ppriv);
bool
dst__openssl_keypair_compare(const dst_key_t *key1, const dst_key_t *key2);

20
lib/dns/include/dns/keystore.h
View File

@ -42,7 +42,6 @@ struct dns_keystore {
unsigned int magic;
isc_mem_t *mctx;
const char *name;
const char *engine;
/* Internals. */
isc_mutex_t lock;
@ -64,8 +63,7 @@ struct dns_keystore {
#define DNS_KEYSTORE_KEYDIRECTORY "key-directory"
isc_result_t
dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine,
dns_keystore_t **kspp);
dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp);
/*%<
* Create a key store.
*
@ -75,8 +73,6 @@ dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine,
*
*\li 'name' is a valid C string.
*
*\li 'engine' is the name of the OpenSSL engine to use, may be NULL.
*
*\li kspp != NULL && *kspp == NULL
*
* Returns:
@ -101,20 +97,6 @@ dns_keystore_name(dns_keystore_t *keystore);
*\li name of 'keystore'.
*/
const char *
dns_keystore_engine(dns_keystore_t *keystore);
/*%<
* Get keystore engine.
*
* Requires:
*
*\li 'keystore' is a valid keystore.
*
* Returns:
*
*\li engine of 'keystore'. May be NULL.
*/
const char *
dns_keystore_directory(dns_keystore_t *keystore, const char *keydir);
/*%<

7
lib/dns/include/dst/dst.h
View File

@ -198,7 +198,7 @@ typedef enum dst_algorithm {
*** Functions
***/
isc_result_t
dst_lib_init(isc_mem_t *mctx, const char *engine);
dst_lib_init(isc_mem_t *mctx);
/*%<
* Initializes the DST subsystem.
*
@ -208,7 +208,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine);
* Returns:
* \li ISC_R_SUCCESS
* \li ISC_R_NOMEMORY
* \li DST_R_NOENGINE
*
* Ensures:
* \li DST is properly initialized.
@ -627,8 +626,8 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg,
isc_result_t
dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags,
unsigned int protocol, dns_rdataclass_t rdclass,
const char *engine, const char *label, const char *pin,
isc_mem_t *mctx, dst_key_t **keyp);
const char *label, const char *pin, isc_mem_t *mctx,
dst_key_t **keyp);
isc_result_t
dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits,

11
lib/dns/keystore.c
View File

@ -26,15 +26,13 @@
#include <dns/keyvalues.h>
isc_result_t
dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine,
dns_keystore_t **kspp) {
dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp) {
dns_keystore_t *keystore;
REQUIRE(name != NULL);
REQUIRE(kspp != NULL && *kspp == NULL);
keystore = isc_mem_get(mctx, sizeof(*keystore));
keystore->engine = engine;
keystore->mctx = NULL;
isc_mem_attach(mctx, &keystore->mctx);
@ -85,13 +83,6 @@ dns_keystore_name(dns_keystore_t *keystore) {
return (keystore->name);
}
const char *
dns_keystore_engine(dns_keystore_t *keystore) {
REQUIRE(DNS_KEYSTORE_VALID(keystore));
return (keystore->engine);
}
const char *
dns_keystore_directory(dns_keystore_t *keystore, const char *keydir) {
if (keystore == NULL) {

135
lib/dns/openssl_link.c
View File

@ -42,9 +42,6 @@
#include "dst_internal.h"
#include "dst_openssl.h"
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
#include <openssl/engine.h>
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/core_names.h>
#include <openssl/store.h>
@ -58,10 +55,6 @@
goto err; \
}
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
static ENGINE *global_engine = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
static void
enable_fips_mode(void) {
#if defined(ENABLE_FIPS_MODE)
@ -79,52 +72,14 @@ enable_fips_mode(void) {
#endif
}
isc_result_t
dst__openssl_init(const char *engine) {
void
dst__openssl_init(void) {
enable_fips_mode();
if (engine != NULL && *engine == '\0') {
engine = NULL;
}
if (engine == NULL) {
return (ISC_R_SUCCESS);
}
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
global_engine = ENGINE_by_id(engine);
if (global_engine == NULL) {
goto cleanup_rm;
}
if (!ENGINE_init(global_engine)) {
goto cleanup_rm;
}
/* This will init the engine. */
if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
goto cleanup_init;
}
return (ISC_R_SUCCESS);
cleanup_init:
ENGINE_finish(global_engine);
cleanup_rm:
if (global_engine != NULL) {
ENGINE_free(global_engine);
}
ERR_clear_error();
global_engine = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
return (DST_R_NOENGINE);
}
void
dst__openssl_destroy(void) {
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
if (global_engine != NULL) {
ENGINE_finish(global_engine);
ENGINE_free(global_engine);
}
global_engine = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
/* No-op */
}
static isc_result_t
@ -211,67 +166,6 @@ done:
return (result);
}
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *
dst__openssl_getengine(const char *engine) {
if (engine == NULL) {
return (NULL);
}
if (global_engine == NULL) {
return (NULL);
}
if (strcmp(engine, ENGINE_get_id(global_engine)) == 0) {
return (global_engine);
}
return (NULL);
}
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
static isc_result_t
dst__openssl_fromlabel_engine(int key_base_id, const char *engine,
const char *label, const char *pin,
EVP_PKEY **ppub, EVP_PKEY **ppriv) {
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
isc_result_t ret = ISC_R_SUCCESS;
ENGINE *e = NULL;
UNUSED(pin);
e = dst__openssl_getengine(engine);
if (e == NULL) {
DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
}
*ppub = ENGINE_load_public_key(e, label, NULL, NULL);
if (*ppub == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
DST_R_OPENSSLFAILURE));
}
if (EVP_PKEY_base_id(*ppub) != key_base_id) {
DST_RET(DST_R_BADKEYTYPE);
}
*ppriv = ENGINE_load_private_key(e, label, NULL, NULL);
if (*ppriv == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
DST_R_OPENSSLFAILURE));
}
if (EVP_PKEY_base_id(*ppriv) != key_base_id) {
DST_RET(DST_R_BADKEYTYPE);
}
err:
return (ret);
#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
UNUSED(key_base_id);
UNUSED(engine);
UNUSED(label);
UNUSED(pin);
UNUSED(ppub);
UNUSED(ppriv);
return (DST_R_NOENGINE);
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
static isc_result_t
dst__openssl_fromlabel_provider(int key_base_id, const char *label,
const char *pin, EVP_PKEY **ppub,
@ -335,25 +229,10 @@ err:
}
isc_result_t
dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {
if (engine == NULL) {
return (dst__openssl_fromlabel_provider(key_base_id, label, pin,
ppub, ppriv));
}
if (*ppub != NULL) {
EVP_PKEY_free(*ppub);
*ppub = NULL;
}
if (*ppriv != NULL) {
EVP_PKEY_free(*ppriv);
*ppriv = NULL;
}
return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin,
ppub, ppriv));
dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin,
EVP_PKEY **ppub, EVP_PKEY **ppriv) {
return (dst__openssl_fromlabel_provider(key_base_id, label, pin, ppub,
ppriv));
}
bool

23
lib/dns/opensslecdsa_link.c
View File

@ -984,13 +984,6 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
priv.elements[i].data = buf;
i++;
}
if (key->engine != NULL) {
priv.elements[i].tag = TAG_ECDSA_ENGINE;
priv.elements[i].length = (unsigned short)strlen(key->engine) +
1;
priv.elements[i].data = (unsigned char *)key->engine;
i++;
}
if (key->label != NULL) {
priv.elements[i].tag = TAG_ECDSA_LABEL;
@ -1009,15 +1002,13 @@ err:
}
static isc_result_t
opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin);
opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin);
static isc_result_t
opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
EVP_PKEY *pkey = NULL;
const char *engine = NULL;
const char *label = NULL;
int i, privkey_index = -1;
@ -1044,7 +1035,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_ECDSA_ENGINE:
engine = (char *)priv.elements[i].data;
/* The Engine: tag is explicitly ignored */
break;
case TAG_ECDSA_LABEL:
label = (char *)priv.elements[i].data;
@ -1058,7 +1049,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
}
if (label != NULL) {
ret = opensslecdsa_fromlabel(key, engine, label, NULL);
ret = opensslecdsa_fromlabel(key, label, NULL);
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -1104,15 +1095,14 @@ err:
}
static isc_result_t
opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) {
opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin) {
EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
REQUIRE(opensslecdsa_valid_key_alg(key->key_alg));
UNUSED(pin);
ret = dst__openssl_fromlabel(EVP_PKEY_EC, engine, label, pin, &pubpkey,
ret = dst__openssl_fromlabel(EVP_PKEY_EC, label, pin, &pubpkey,
&privpkey);
if (ret != ISC_R_SUCCESS) {
goto err;
@ -1127,9 +1117,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
goto err;
}
if (engine != NULL) {
key->engine = isc_mem_strdup(key->mctx, engine);
}
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;

26
lib/dns/openssleddsa_link.c
View File

@ -105,8 +105,7 @@ raw_key_to_ossl(const eddsa_alginfo_t *alginfo, int private,
}
static isc_result_t
openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin);
openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin);
static isc_result_t
openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
@ -389,13 +388,6 @@ openssleddsa_tofile(const dst_key_t *key, const char *directory) {
priv.elements[i].data = buf;
i++;
}
if (key->engine != NULL) {
priv.elements[i].tag = TAG_EDDSA_ENGINE;
priv.elements[i].length = (unsigned short)strlen(key->engine) +
1;
priv.elements[i].data = (unsigned char *)key->engine;
i++;
}
if (key->label != NULL) {
priv.elements[i].tag = TAG_EDDSA_LABEL;
priv.elements[i].length = (unsigned short)strlen(key->label) +
@ -420,7 +412,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
dst_private_t priv;
isc_result_t ret;
int i, privkey_index = -1;
const char *engine = NULL, *label = NULL;
const char *label = NULL;
EVP_PKEY *pkey = NULL;
size_t len;
isc_mem_t *mctx = key->mctx;
@ -450,7 +442,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_EDDSA_ENGINE:
engine = (char *)priv.elements[i].data;
/* The Engine: tag is explicitly ignored */
break;
case TAG_EDDSA_LABEL:
label = (char *)priv.elements[i].data;
@ -464,7 +456,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
}
if (label != NULL) {
ret = openssleddsa_fromlabel(key, engine, label, NULL);
ret = openssleddsa_fromlabel(key, label, NULL);
if (ret != ISC_R_SUCCESS) {
goto err;
}
@ -506,8 +498,7 @@ err:
}
static isc_result_t
openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) {
openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin) {
const eddsa_alginfo_t *alginfo = openssleddsa_alg_info(key->key_alg);
EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
@ -515,15 +506,12 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
REQUIRE(alginfo != NULL);
UNUSED(pin);
ret = dst__openssl_fromlabel(alginfo->pkey_type, engine, label, pin,
&pubpkey, &privpkey);
ret = dst__openssl_fromlabel(alginfo->pkey_type, label, pin, &pubpkey,
&privpkey);
if (ret != ISC_R_SUCCESS) {
goto err;
}
if (engine != NULL) {
key->engine = isc_mem_strdup(key->mctx, engine);
}
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;

25
lib/dns/opensslrsa_link.c
View File

@ -931,14 +931,6 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
i++;
}
if (key->engine != NULL) {
priv.elements[i].tag = TAG_RSA_ENGINE;
priv.elements[i].length = (unsigned short)strlen(key->engine) +
1;
priv.elements[i].data = (unsigned char *)key->engine;
i++;
}
if (key->label != NULL) {
priv.elements[i].tag = TAG_RSA_LABEL;
priv.elements[i].length = (unsigned short)strlen(key->label) +
@ -963,8 +955,7 @@ err:
}
static isc_result_t
opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin);
opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin);
static isc_result_t
opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
@ -972,7 +963,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
isc_result_t ret;
int i;
isc_mem_t *mctx = NULL;
const char *engine = NULL, *label = NULL;
const char *label = NULL;
EVP_PKEY *pkey = NULL;
rsa_components_t c = { .bnfree = true };
@ -1002,7 +993,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
for (i = 0; i < priv.nelements; i++) {
switch (priv.elements[i].tag) {
case TAG_RSA_ENGINE:
engine = (char *)priv.elements[i].data;
/* The Engine: tag is explicitly ignored */
break;
case TAG_RSA_LABEL:
label = (char *)priv.elements[i].data;
@ -1017,7 +1008,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
* See if we can fetch it.
*/
if (label != NULL) {
ret = opensslrsa_fromlabel(key, engine, label, NULL);
ret = opensslrsa_fromlabel(key, label, NULL);
if (ret != ISC_R_SUCCESS) {
DST_RET(ret);
}
@ -1111,12 +1102,11 @@ err:
}
static isc_result_t
opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) {
opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin) {
EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
ret = dst__openssl_fromlabel(EVP_PKEY_RSA, engine, label, pin, &pubpkey,
ret = dst__openssl_fromlabel(EVP_PKEY_RSA, label, pin, &pubpkey,
&privpkey);
if (ret != ISC_R_SUCCESS) {
goto err;
@ -1126,9 +1116,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(ISC_R_RANGE);
}
if (engine != NULL) {
key->engine = isc_mem_strdup(key->mctx, engine);
}
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;

1
lib/isc/openssl_shim.c
View File

@ -16,7 +16,6 @@
#include <string.h>
#include <openssl/crypto.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/opensslv.h>

1
lib/isc/openssl_shim.h
View File

@ -14,7 +14,6 @@
#pragma once
#include <openssl/crypto.h>
#include <openssl/engine.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/opensslv.h>

3
lib/isc/result.c
View File

@ -242,7 +242,8 @@ static const char *description[ISC_R_NRESULTS] = {
[DST_R_COMPUTESECRETFAILURE] = "failure computing a shared secret",
[DST_R_NORANDOMNESS] = "no randomness available",
[DST_R_BADKEYTYPE] = "bad key type",
[DST_R_NOENGINE] = "no engine",
[DST_R_NOENGINE] = "OpenSSL Engine support has been removed; "
"use OpenSSL Providers for PKCS#11",
[DST_R_EXTERNALKEY] = "illegal operation for an external key",
[DNS_R_NOERROR] = "NOERROR",

4
lib/isc/tls.c
View File

@ -142,8 +142,8 @@ isc__tls_initialize(void) {
#endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
0x30000000L */
uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG;
uint64_t opts = OPENSSL_INIT_LOAD_CONFIG;
#if defined(OPENSSL_INIT_NO_ATEXIT)
/*
* We call OPENSSL_cleanup() manually, in a correct order, thus disable

12
lib/isccfg/check.c
View File

@ -1470,9 +1470,8 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
}
}
ret = cfg_keystore_fromconfig(kconfig, mctx,
logctx, NULL,
&kslist, NULL);
ret = cfg_keystore_fromconfig(
kconfig, mctx, logctx, &kslist, NULL);
if (ret != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = ret;
@ -1485,8 +1484,7 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config,
/*
* Add default key-store "key-directory".
*/
tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist,
NULL);
tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL);
if (tresult != ISC_R_SUCCESS) {
if (result == ISC_R_SUCCESS) {
result = tresult;
@ -3025,10 +3023,10 @@ check_keydir(const cfg_obj_t *config, const cfg_obj_t *zconfig,
element = cfg_list_next(element))
{
cfg_obj_t *kcfg = cfg_listelt_value(element);
(void)cfg_keystore_fromconfig(kcfg, mctx, logctx, NULL, &kslist,
(void)cfg_keystore_fromconfig(kcfg, mctx, logctx, &kslist,
NULL);
}
(void)cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist, NULL);
(void)cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL);
/*
* Look for the dnssec-policy by name, which is the dnssec-policy

5
lib/isccfg/include/isccfg/kaspconf.h
View File

@ -62,9 +62,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
isc_result_t
cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
isc_log_t *logctx, const char *engine,
dns_keystorelist_t *keystorelist,
dns_keystore_t **kspp);
isc_log_t *logctx, dns_keystorelist_t *keystorelist,
dns_keystore_t **kspp);
/*%<
* Create and configure a key store. If a 'keystorelist' is provided, a lookup
* happens and if a keystore already exists with the same name, no new one is

5
lib/isccfg/kaspconf.c
View File

@ -748,8 +748,7 @@ cleanup:
isc_result_t
cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
isc_log_t *logctx, const char *engine,
dns_keystorelist_t *keystorelist,
isc_log_t *logctx, dns_keystorelist_t *keystorelist,
dns_keystore_t **kspp) {
isc_result_t result;
const cfg_obj_t *maps[2];
@ -785,7 +784,7 @@ cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx,
* No key-store with configured name was found in list, create new one.
*/
INSIST(keystore == NULL);
result = dns_keystore_create(mctx, name, engine, &keystore);
result = dns_keystore_create(mctx, name, &keystore);
if (result != ISC_R_SUCCESS) {
return (result);
}

2
tests/dns/dst_test.c
View File

@ -47,7 +47,7 @@ static int
setup_test(void **state) {
UNUSED(state);
dst_lib_init(mctx, NULL);
dst_lib_init(mctx);
return (0);
}

2
tests/dns/private_test.c
View File

@ -43,7 +43,7 @@ setup_test(void **state) {
UNUSED(state);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);

2
tests/dns/rsa_test.c
View File

@ -43,7 +43,7 @@ setup_test(void **state) {
UNUSED(state);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);

2
tests/dns/sigs_test.c
View File

@ -77,7 +77,7 @@ setup_test(void **state) {
UNUSED(state);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);

2
tests/dns/tsig_test.c
View File

@ -54,7 +54,7 @@ setup_test(void **state) {
UNUSED(state);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
return (1);