explicit engine rt20230a

CHANGES

@@ -1,3 +1,7 @@
+2703.	[func]		Introduce an OpenSSL "engine" argument with -E
+			for all binaries which can take benefit of
+			crypto hardware. [RT #20230]
+
 2702.	[func]		Update PKCS#11 tools (bin/pkcs11) [RT #20225 & all]
 
 2701.	[doc]		Correction to ARM: hmac-md5 is no longer the only

bin/dnssec/Makefile.in

@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.40 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.41 2009/10/05 17:30:49 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -25,7 +25,7 @@ top_srcdir =	@top_srcdir@
 
 CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES}
 
-CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\" 
+CDEFINES =	-DBIND9 -DVERSION=\"${VERSION}\" @USE_PKCS11@
 CWARNINGS =
 
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@

bin/dnssec/dnssec-dsfromkey.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-dsfromkey.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -440,7 +440,8 @@ main(int argc, char **argv) {
 	result = dst_lib_init(mctx, ectx,
 			      ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
 	setup_logging(verbose, mctx, &log);

bin/dnssec/dnssec-keyfromlabel.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keyfromlabel.c,v 1.17 2009/10/03 18:03:53 each Exp $ */
+/* $Id: dnssec-keyfromlabel.c,v 1.18 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -63,20 +63,28 @@ usage(void) {
 	fprintf(stderr, "Required options:\n");
 	fprintf(stderr, "    -a algorithm: %s\n", algs);
 	fprintf(stderr, "    -l label: label of the key pair\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "      (for instance \"pkcs11:foo\"\n");
+#else
+	fprintf(stderr, "    -E enginename\n");
+#endif
 	fprintf(stderr, "    name: owner of the key\n");
 	fprintf(stderr, "Other options:\n");
-	fprintf(stderr, "    -c <class> (default: IN)\n");
+	fprintf(stderr, "    -c class (default: IN)\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "    -E enginename (default: pkcs11)\n");
+#endif
 	fprintf(stderr, "    -f keyflag: KSK | REVOKE\n");
 	fprintf(stderr, "    -K directory: directory in which to place "
 			"key files\n");
 	fprintf(stderr, "    -k : generate a TYPE=KEY key\n");
 	fprintf(stderr, "    -n nametype: ZONE | HOST | ENTITY | USER | OTHER\n");
 	fprintf(stderr, "        (DNSKEY generation defaults to ZONE\n");
-	fprintf(stderr, "    -p <protocol>: default: 3 [dnssec]\n");
+	fprintf(stderr, "    -p protocol: default: 3 [dnssec]\n");
-	fprintf(stderr, "    -t <type>: "
+	fprintf(stderr, "    -t type: "
 		"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
 		"(default: AUTHCONF)\n");
-	fprintf(stderr, "    -v <verbose level>\n");
+	fprintf(stderr, "    -v verbose level\n");
 	fprintf(stderr, "Date options:\n");
 	fprintf(stderr, "    -P date/[+-]offset: set key publication date\n");
 	fprintf(stderr, "    -A date/[+-]offset: set key activation date\n");
@@ -97,6 +105,11 @@ int
 main(int argc, char **argv) {
 	char		*algname = NULL, *nametype = NULL, *type = NULL;
 	const char	*directory = NULL;
+#ifdef USE_PKCS11
+	const char	*engine = "pkcs11";
+#else
+	const char	*engine = NULL;
+#endif
 	char		*classname = NULL;
 	char		*endp;
 	dst_key_t	*key = NULL, *oldkey = NULL;
@@ -116,7 +129,7 @@ main(int argc, char **argv) {
 	isc_entropy_t	*ectx = NULL;
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
-	char		*label = NULL, *engine = NULL;
+	char		*label = NULL;
 	isc_stdtime_t	publish = 0, activate = 0, revoke = 0;
 	isc_stdtime_t	inactive = 0, delete = 0;
 	isc_stdtime_t	now;
@@ -140,7 +153,7 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-				"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
+				"a:Cc:E:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
 	{
 	    switch (ch) {
 		case 'a':
@@ -152,6 +165,9 @@ main(int argc, char **argv) {
 		case 'c':
 			classname = isc_commandline_argument;
 			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
 		case 'f':
 			if (toupper(isc_commandline_argument[0]) == 'K')
 				kskflag = DNS_KEYFLAG_KSK;
@@ -270,10 +286,11 @@ main(int argc, char **argv) {
 
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
-	ret = dst_lib_init(mctx, ectx,
+	ret = dst_lib_init2(mctx, ectx, engine,
 			    ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (ret != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(ret));
 
 	setup_logging(verbose, mctx, &log);
 

bin/dnssec/dnssec-keyfromlabel.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
+<!-- $Id: dnssec-keyfromlabel.docbook,v 1.11 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentry id="man.dnssec-keyfromlabel">
   <refentryinfo>
     <date>February 8, 2008</date>
@@ -50,6 +50,7 @@
       <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
       <arg><option>-G</option></arg>
       <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
@@ -102,12 +103,23 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the name of the crypto hardware (OpenSSL engine).
+            When compiled with PKCS#11 support it defaults to pcks11.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-l <replaceable class="parameter">label</replaceable></term>
         <listitem>
           <para>
-            Specifies the label of keys in the crypto hardware
+            Specifies the label of keys in the crypto hardware (OpenSSL
-            (PKCS#11 device).
+            engine). An example for the pkcs11 engine is pkcs11:foo
+            (note the string pkcs11 is in both E and l options.)
           </para>
         </listitem>
       </varlistentry>

bin/dnssec/dnssec-keygen.c

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-keygen.c,v 1.98 2009/10/03 18:03:53 each Exp $ */
+/* $Id: dnssec-keygen.c,v 1.99 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -115,6 +115,11 @@ usage(void) {
 	fprintf(stderr, "	 (DNSKEY generation defaults to ZONE)\n");
 	fprintf(stderr, "    -c <class>: (default: IN)\n");
 	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "    -E <engine name> (default \"pkcs11\")\n");
+#else
+	fprintf(stderr, "    -E <engine name>\n");
+#endif
 	fprintf(stderr, "    -e: use large exponent (RSAMD5/RSASHA1 only)\n");
 	fprintf(stderr, "    -f <keyflag>: KSK | REVOKE\n");
 	fprintf(stderr, "    -g <generator>: use specified generator "
@@ -173,6 +178,11 @@ main(int argc, char **argv) {
 	isc_buffer_t	buf;
 	isc_log_t	*log = NULL;
 	isc_entropy_t	*ectx = NULL;
+#ifdef USE_PKCS11
+	const char	*engine = "pkcs11";
+#else
+	const char	*engine = NULL;
+#endif
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
@@ -198,7 +208,7 @@ main(int argc, char **argv) {
 	/*
 	 * Process memory debugging argument first.
 	 */
-#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
+#define CMDLINE_FLAGS "3a:b:Cc:d:E:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
 	while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
 		switch (ch) {
 		case 'm':
@@ -247,6 +257,9 @@ main(int argc, char **argv) {
 			if (*endp != '\0' || dbits < 0)
 				fatal("-d requires a non-negative number");
 			break;
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
 		case 'e':
 			rsa_exp = 1;
 			break;
@@ -400,10 +413,11 @@ main(int argc, char **argv) {
 
 	if (ectx == NULL)
 		setup_entropy(mctx, NULL, &ectx);
-	ret = dst_lib_init(mctx, ectx,
+	ret = dst_lib_init2(mctx, ectx, engine,
 			    ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (ret != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(ret));
 
 	setup_logging(verbose, mctx, &log);
 

bin/dnssec/dnssec-keygen.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
+<!-- $Id: dnssec-keygen.docbook,v 1.29 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentry id="man.dnssec-keygen">
   <refentryinfo>
     <date>June 30, 2000</date>
@@ -64,6 +64,7 @@
       <arg><option>-C</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
       <arg><option>-e</option></arg>
       <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
       <arg><option>-G</option></arg>
@@ -206,6 +207,18 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Uses a crypto hardware (OpenSSL engine) for random number
+            and, when supported, key generation. When compiled with PKCS#11
+            support it defaults to pcks11, the empty name resets it to
+            no engine.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-e</term>
         <listitem>

bin/dnssec/dnssec-revoke.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-revoke.c,v 1.13 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-revoke.c,v 1.14 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -54,6 +54,13 @@ usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
+	fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
 	fprintf(stderr, "    -f:	   force overwrite\n");
 	fprintf(stderr, "    -K directory: use directory for key files\n");
 	fprintf(stderr, "    -h:	   help\n");
@@ -70,6 +77,11 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	isc_result_t result;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
 	char *filename = NULL, *dir = NULL;
 	char newname[1024], oldname[1024];
 	char keystr[KEY_FORMATSIZE];
@@ -93,8 +105,11 @@ main(int argc, char **argv) {
 
 	isc_commandline_errprint = ISC_FALSE;
 
-	while ((ch = isc_commandline_parse(argc, argv, "fK:rhv:")) != -1) {
+	while ((ch = isc_commandline_parse(argc, argv, "EfK:rhv:")) != -1) {
 		switch (ch) {
+		    case 'E':
+			engine = isc_commandline_argument;
+			break;
 		    case 'f':
 			force = ISC_TRUE;
 			break;
@@ -150,10 +165,11 @@ main(int argc, char **argv) {
 	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
 	if (result != ISC_R_SUCCESS)
 		fatal("Could not initialize hash");
-	result = dst_lib_init(mctx, ectx,
+	result = dst_lib_init2(mctx, ectx, engine,
 			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize dst");
+		fatal("Could not initialize dst: %s",
+		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
 	result = dst_key_fromnamedfile(filename, dir,

bin/dnssec/dnssec-revoke.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-revoke.docbook,v 1.5 2009/07/20 11:56:35 fdupont Exp $ -->
+<!-- $Id: dnssec-revoke.docbook,v 1.6 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentry id="man.dnssec-revoke">
   <refentryinfo>
     <date>June 1, 2009</date>
@@ -47,6 +47,7 @@
       <arg><option>-hr</option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
       <arg><option>-f</option></arg>
       <arg choice="req">keyfile</arg>
     </cmdsynopsis>
@@ -102,6 +103,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-f</term>
         <listitem>

bin/dnssec/dnssec-settime.c

@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-settime.c,v 1.14 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: dnssec-settime.c,v 1.15 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -57,6 +57,12 @@ usage(void) {
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "General options:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
 	fprintf(stderr, "    -f:                 force update of old-style "
 						 "keys\n");
 	fprintf(stderr, "    -K directory:       set key file location\n");
@@ -112,6 +118,11 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
 int
 main(int argc, char **argv) {
 	isc_result_t result;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
 	char *filename = NULL, *directory = NULL;
 	char newname[1024];
 	char keystr[KEY_FORMATSIZE];
@@ -150,8 +161,11 @@ main(int argc, char **argv) {
 	isc_stdtime_get(&now);
 
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "fK:uhp:v:P:A:R:I:D:")) != -1) {
+					   "EfK:uhp:v:P:A:R:I:D:")) != -1) {
 		switch (ch) {
+		case 'E':
+			engine = isc_commandline_argument;
+			break;
 		case 'f':
 			forceupdate = ISC_TRUE;
 			break;
@@ -313,10 +327,11 @@ main(int argc, char **argv) {
 	result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE);
 	if (result != ISC_R_SUCCESS)
 		fatal("Could not initialize hash");
-	result = dst_lib_init(mctx, ectx,
+	result = dst_lib_init2(mctx, ectx, engine,
 			       ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY);
 	if (result != ISC_R_SUCCESS)
-		fatal("Could not initialize dst");
+		fatal("Could not initialize dst: %s",
+		      isc_result_totext(result));
 	isc_entropy_stopcallbacksources(ectx);
 
 	result = dst_key_fromnamedfile(filename, directory,

bin/dnssec/dnssec-settime.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
+<!-- $Id: dnssec-settime.docbook,v 1.5 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentry id="man.dnssec-settime">
   <refentryinfo>
     <date>July 15, 2009</date>
@@ -53,6 +53,7 @@
       <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
       <arg><option>-h</option></arg>
       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
       <arg choice="req">keyfile</arg>
     </cmdsynopsis>
   </refsynopsisdiv>
@@ -127,6 +128,16 @@
           </para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Use the given OpenSSL engine. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

bin/dnssec/dnssec-signzone.c

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dnssec-signzone.c,v 1.240 2009/10/03 18:03:54 each Exp $ */
+/* $Id: dnssec-signzone.c,v 1.241 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -3324,6 +3324,13 @@ usage(void) {
 	fprintf(stderr, "\t-a:\t");
 	fprintf(stderr, "verify generated signatures\n");
 	fprintf(stderr, "\t-c class (IN)\n");
+	fprintf(stderr, "\t-E engine:\n");
+#ifdef USE_PKCS11
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
+				"(default is \"pkcs11\")\n");
+#else
+	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
+#endif
 	fprintf(stderr, "\t-p:\t");
 	fprintf(stderr, "use pseudorandom data (faster but less secure)\n");
 	fprintf(stderr, "\t-P:\t");
@@ -3398,6 +3405,11 @@ main(int argc, char *argv[]) {
 	isc_result_t result;
 	isc_log_t *log = NULL;
 	isc_boolean_t pseudorandom = ISC_FALSE;
+#ifdef USE_PKCS11
+	const char *engine = "pkcs11";
+#else
+	const char *engine = NULL;
+#endif
 	unsigned int eflags;
 	isc_boolean_t free_output = ISC_FALSE;
 	int tempfilelen;
@@ -3412,7 +3424,7 @@ main(int argc, char *argv[]) {
 	isc_boolean_t set_iter = ISC_FALSE;
 
 #define CMDLINE_FLAGS \
-	"3:AaCc:Dd:e:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
+	"3:AaCc:Dd:Ee:f:FghH:i:I:j:K:k:l:m:n:N:o:O:pPr:s:ST:tuUv:z"
 
 	/*
 	 * Process memory debugging argument first.
@@ -3494,8 +3506,8 @@ main(int argc, char *argv[]) {
 				fatal("DS directory must be non-empty string");
 			break;
 
-		case 'K':
+		case 'E':
-			directory = isc_commandline_argument;
+			engine = isc_commandline_argument;
 			break;
 
 		case 'e':
@@ -3523,6 +3535,10 @@ main(int argc, char *argv[]) {
 			usage();
 			break;
 
+		case 'I':
+			inputformatstr = isc_commandline_argument;
+			break;
+
 		case 'i':
 			endp = NULL;
 			cycle = strtol(isc_commandline_argument, &endp, 0);
@@ -3531,10 +3547,6 @@ main(int argc, char *argv[]) {
 				      "positive");
 			break;
 
-		case 'I':
-			inputformatstr = isc_commandline_argument;
-			break;
-
 		case 'j':
 			endp = NULL;
 			jitter = strtol(isc_commandline_argument, &endp, 0);
@@ -3542,6 +3554,10 @@ main(int argc, char *argv[]) {
 				fatal("jitter must be numeric and positive");
 			break;
 
+		case 'K':
+			directory = isc_commandline_argument;
+			break;
+
 		case 'k':
 			if (ndskeys == MAXDSKEYS)
 				fatal("too many key-signing keys specified");
@@ -3563,6 +3579,10 @@ main(int argc, char *argv[]) {
 		case 'm':
 			break;
 
+		case 'N':
+			serialformatstr = isc_commandline_argument;
+			break;
+
 		case 'n':
 			endp = NULL;
 			ntasks = strtol(isc_commandline_argument, &endp, 0);
@@ -3570,39 +3590,35 @@ main(int argc, char *argv[]) {
 				fatal("number of cpus must be numeric");
 			break;
 
-		case 'N':
+		case 'O':
-			serialformatstr = isc_commandline_argument;
+			outputformatstr = isc_commandline_argument;
 			break;
 
 		case 'o':
 			origin = isc_commandline_argument;
 			break;
 
-		case 'O':
+		case 'P':
-			outputformatstr = isc_commandline_argument;
+			disable_zone_check = ISC_TRUE;
 			break;
 
 		case 'p':
 			pseudorandom = ISC_TRUE;
 			break;
 
-		case 'P':
-			disable_zone_check = ISC_TRUE;
-			break;
-
 		case 'r':
 			setup_entropy(mctx, isc_commandline_argument, &ectx);
 			break;
 
-		case 's':
-			startstr = isc_commandline_argument;
-			break;
-
 		case 'S':
 			smartsign = ISC_TRUE;
 			generateds = ISC_TRUE;
 			break;
 
+		case 's':
+			startstr = isc_commandline_argument;
+			break;
+
 		case 'T':
 			endp = NULL;
 			set_keyttl = ISC_TRUE;
@@ -3659,9 +3675,10 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("could not create hash context");
 
-	result = dst_lib_init(mctx, ectx, eflags);
+	result = dst_lib_init2(mctx, ectx, engine, eflags);
 	if (result != ISC_R_SUCCESS)
-		fatal("could not initialize dst");
+		fatal("could not initialize dst: %s",
+		      isc_result_totext(result));
 
 	isc_stdtime_get(&now);
 

bin/dnssec/dnssec-signzone.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: dnssec-signzone.docbook,v 1.38 2009/09/29 22:17:34 each Exp $ -->
+<!-- $Id: dnssec-signzone.docbook,v 1.39 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentry id="man.dnssec-signzone">
   <refentryinfo>
     <date>June 05, 2009</date>
@@ -60,6 +60,7 @@
       <arg><option>-a</option></arg>
       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
       <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
       <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
       <arg><option>-g</option></arg>
@@ -149,6 +150,18 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine</replaceable></term>
+        <listitem>
+          <para>
+            Uses a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            it defaults to pcks11, the empty name resets it to no engine.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-g</term>
         <listitem>

bin/named/Makefile.in

@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.106 2009/09/01 18:40:25 jinmei Exp $
+# $Id: Makefile.in,v 1.107 2009/10/05 17:30:49 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -45,7 +45,7 @@ CINCLUDES =	-I${srcdir}/include -I${srcdir}/unix/include -I. \
 		${ISCCFG_INCLUDES} ${ISCCC_INCLUDES} ${ISC_INCLUDES} \
 		${DLZDRIVER_INCLUDES} ${DBDRIVER_INCLUDES}
 
-CDEFINES =      -DBIND9 @USE_DLZ@
+CDEFINES =      -DBIND9 @USE_DLZ@ @USE_PKCS11@
 
 CWARNINGS =
 

bin/named/include/named/globals.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: globals.h,v 1.85 2009/07/14 23:47:53 tbox Exp $ */
+/* $Id: globals.h,v 1.86 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef NAMED_GLOBALS_H
 #define NAMED_GLOBALS_H 1
@@ -139,6 +139,12 @@ EXTERN const char *		lwresd_g_defaultpidfile INIT(NS_LOCALSTATEDIR
 
 EXTERN const char *		ns_g_username		INIT(NULL);
 
+#ifdef USE_PKCS11
+EXTERN const char *		ns_g_engine		INIT("pkcs11");
+#else
+EXTERN const char *		ns_g_engine		INIT(NULL);
+#endif
+
 EXTERN int			ns_g_listen		INIT(3);
 EXTERN isc_time_t		ns_g_boottime;
 EXTERN isc_boolean_t		ns_g_memstatistics	INIT(ISC_FALSE);

bin/named/main.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: main.c,v 1.174 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: main.c,v 1.175 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -298,8 +298,9 @@ usage(void) {
 	}
 	fprintf(stderr,
 		"usage: named [-4|-6] [-c conffile] [-d debuglevel] "
-		"[-f|-g] [-n number_of_cpus]\n"
+		"[-E engine] [-f|-g]\n"
-		"             [-p port] [-s] [-t chrootdir] [-u username]\n"
+		"             [-n number_of_cpus] [-p port] [-s] "
+		"[-t chrootdir] [-u username]\n"
 		"             [-m {usage|trace|record|size|mctx}]\n");
 }
 
@@ -408,7 +409,7 @@ parse_command_line(int argc, char *argv[]) {
 
 	isc_commandline_errprint = ISC_FALSE;
 	while ((ch = isc_commandline_parse(argc, argv,
-					   "46c:C:d:fFgi:lm:n:N:p:P:"
+					   "46c:C:d:E:fFgi:lm:n:N:p:P:"
 					   "sS:t:T:u:vVx:")) != -1) {
 		switch (ch) {
 		case '4':
@@ -444,6 +445,9 @@ parse_command_line(int argc, char *argv[]) {
 			ns_g_debuglevel = parse_int(isc_commandline_argument,
 						    "debug level");
 			break;
+		case 'E':
+			ns_g_engine = isc_commandline_argument;
+			break;
 		case 'f':
 			ns_g_foreground = ISC_TRUE;
 			break;

bin/named/named.docbook

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.docbook,v 1.25 2009/05/21 23:47:28 tbox Exp $ -->
+<!-- $Id: named.docbook,v 1.26 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentry id="man.named">
   <refentryinfo>
     <date>May 21, 2009</date>
@@ -60,6 +60,7 @@
       <arg><option>-6</option></arg>
       <arg><option>-c <replaceable class="parameter">config-file</replaceable></option></arg>
       <arg><option>-d <replaceable class="parameter">debug-level</replaceable></option></arg>
+      <arg><option>-E <replaceable class="parameter">engine-name</replaceable></option></arg>
       <arg><option>-f</option></arg>
       <arg><option>-g</option></arg>
       <arg><option>-m <replaceable class="parameter">flag</replaceable></option></arg>
@@ -116,6 +117,7 @@
           </para>
         </listitem>
       </varlistentry>
+
       <varlistentry>
         <term>-c <replaceable class="parameter">config-file</replaceable></term>
         <listitem>
@@ -144,6 +146,19 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>-E <replaceable class="parameter">engine-name</replaceable></term>
+        <listitem>
+          <para>
+            Use a crypto hardware (OpenSSL engine) for the crypto operations
+            it supports, for instance re-signing with private keys from
+            a secure key store. When compiled with PKCS#11 support
+            <replaceable class="parameter">engine-name</replaceable>
+            defaults to pkcs11, the empty name resets it to no engine.
+          </para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>-f</term>
         <listitem>

bin/named/server.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: server.c,v 1.549 2009/09/29 15:06:06 fdupont Exp $ */
+/* $Id: server.c,v 1.550 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -4650,7 +4650,8 @@ ns_server_create(isc_mem_t *mctx, ns_server_t **serverp) {
 		   ISC_R_NOMEMORY : ISC_R_SUCCESS,
 		   "allocating reload event");
 
-	CHECKFATAL(dst_lib_init(ns_g_mctx, ns_g_entropy, ISC_ENTROPY_GOODONLY),
+	CHECKFATAL(dst_lib_init2(ns_g_mctx, ns_g_entropy,
+				 ns_g_engine, ISC_ENTROPY_GOODONLY),
 		   "initializing DST");
 
 	server->tkeyctx = NULL;

lib/dns/Makefile.in

@@ -13,7 +13,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.
 
-# $Id: Makefile.in,v 1.166 2009/09/01 00:22:26 jinmei Exp $
+# $Id: Makefile.in,v 1.167 2009/10/05 17:30:49 fdupont Exp $
 
 srcdir =	@srcdir@
 VPATH =		@srcdir@
@@ -34,7 +34,7 @@ USE_ISC_SPNEGO = @USE_ISC_SPNEGO@
 CINCLUDES =	-I. -Iinclude ${DNS_INCLUDES} \
 		${ISC_INCLUDES} @DST_OPENSSL_INC@ @DST_GSSAPI_INC@
 
-CDEFINES =	-DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_PKCS11@ @USE_GSSAPI@ \
+CDEFINES =	-DBIND9 -DUSE_MD5 @USE_OPENSSL@ @USE_GSSAPI@ \
 		${USE_ISC_SPNEGO}
 
 CWARNINGS =

lib/dns/dst_api.c

@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: dst_api.c,v 1.33 2009/09/25 01:42:09 marka Exp $
+ * $Id: dst_api.c,v 1.34 2009/10/05 17:30:49 fdupont Exp $
  */
 
 /*! \file */
@@ -146,6 +146,12 @@ default_memfree(void *arg, void *ptr) {
 
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
+	return (dst_lib_init2(mctx, ectx, NULL, eflags));
+}
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+	      const char *engine, unsigned int eflags) {
 	isc_result_t result;
 
 	REQUIRE(mctx != NULL);
@@ -173,7 +179,9 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	isc_mem_setname(dst__memory_pool, "dst", NULL);
+#ifndef OPENSSL_LEAKS
 	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
+#endif
 #else
 	isc_mem_attach(mctx, &dst__memory_pool);
 #endif
@@ -192,7 +200,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
 #ifdef OPENSSL
-	RETERR(dst__openssl_init());
+	RETERR(dst__openssl_init(engine));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
@@ -209,6 +217,8 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags) {
 	return (ISC_R_SUCCESS);
 
  out:
+	/* avoid immediate crash! */
+	dst_initialized = ISC_TRUE;
 	dst_lib_destroy();
 	return (result);
 }
@@ -1520,6 +1530,8 @@ dst__entropy_getdata(void *buf, unsigned int len, isc_boolean_t pseudo) {
 	unsigned int flags = dst_entropy_flags;
 	if (pseudo)
 		flags &= ~ISC_ENTROPY_GOODONLY;
+	else
+		flags |= ISC_ENTROPY_BLOCKING;
 	return (isc_entropy_getdata(dst_entropy_pool, buf, len, NULL, flags));
 #else
 	UNUSED(buf);

lib/dns/dst_internal.h

@@ -29,7 +29,7 @@
  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_internal.h,v 1.18 2009/09/23 11:16:50 fdupont Exp $ */
+/* $Id: dst_internal.h,v 1.19 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef DST_DST_INTERNAL_H
 #define DST_DST_INTERNAL_H 1
@@ -187,7 +187,7 @@ struct dst_func {
 /*%
  * Initializers
  */
-isc_result_t dst__openssl_init(void);
+isc_result_t dst__openssl_init(const char *engine);
 
 isc_result_t dst__hmacmd5_init(struct dst_func **funcp);
 isc_result_t dst__hmacsha1_init(struct dst_func **funcp);

lib/dns/dst_openssl.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst_openssl.h,v 1.7 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: dst_openssl.h,v 1.8 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef DST_OPENSSL_H
 #define DST_OPENSSL_H 1
@@ -29,10 +29,7 @@ isc_result_t
 dst__openssl_toresult(isc_result_t fallback);
 
 ENGINE *
-dst__openssl_getengine(const char *name);
+dst__openssl_getengine(const char *engine);
-
-isc_result_t
-dst__openssl_setdefault(const char *name);
 
 ISC_LANG_ENDDECLS
 

lib/dns/include/dst/dst.h

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: dst.h,v 1.19 2009/09/23 16:01:57 each Exp $ */
+/* $Id: dst.h,v 1.20 2009/10/05 17:30:49 fdupont Exp $ */
 
 #ifndef DST_DST_H
 #define DST_DST_H 1
@@ -94,6 +94,10 @@ typedef struct dst_context 	dst_context_t;
 
 isc_result_t
 dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
+
+isc_result_t
+dst_lib_init2(isc_mem_t *mctx, isc_entropy_t *ectx,
+	      const char *engine, unsigned int eflags);
 /*%<
  * Initializes the DST subsystem.
  *
@@ -104,6 +108,7 @@ dst_lib_init(isc_mem_t *mctx, isc_entropy_t *ectx, unsigned int eflags);
  * Returns:
  * \li	ISC_R_SUCCESS
  * \li	ISC_R_NOMEMORY
+ * \li	DST_R_NOENGINE
  *
  * Ensures:
  * \li	DST is properly initialized.

lib/dns/openssl_link.c

@@ -31,7 +31,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: openssl_link.c,v 1.26 2009/09/03 04:09:58 marka Exp $
+ * $Id: openssl_link.c,v 1.27 2009/10/05 17:30:49 fdupont Exp $
  */
 #ifdef OPENSSL
 
@@ -45,6 +45,8 @@
 #include <isc/thread.h>
 #include <isc/util.h>
 
+#include <dst/result.h>
+
 #include "dst_internal.h"
 #include "dst_openssl.h"
 
@@ -60,12 +62,6 @@
 
 #ifdef USE_ENGINE
 #include <openssl/engine.h>
-
-#ifdef ENGINE_ID
-const char *engine_id = ENGINE_ID;
-#else
-const char *engine_id;
-#endif
 #endif
 
 static RAND_METHOD *rm = NULL;
@@ -74,15 +70,7 @@ static isc_mutex_t *locks = NULL;
 static int nlocks;
 
 #ifdef USE_ENGINE
-static ENGINE *e;
+static ENGINE *e = NULL;
-static ENGINE *he;
-#endif
-
-#ifdef USE_PKCS11
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
-			 const char **pre_cmds, int pre_num,
-			 const char **post_cmds, int post_num);
 #endif
 
 static int
@@ -135,8 +123,16 @@ id_callback(void) {
 
 static void *
 mem_alloc(size_t size) {
+#ifdef OPENSSL_LEAKS
+	void *ptr;
+
+	INSIST(dst__memory_pool != NULL);
+	ptr = isc_mem_allocate(dst__memory_pool, size);
+	return (ptr);
+#else
 	INSIST(dst__memory_pool != NULL);
 	return (isc_mem_allocate(dst__memory_pool, size));
+#endif
 }
 
 static void
@@ -148,16 +144,26 @@ mem_free(void *ptr) {
 
 static void *
 mem_realloc(void *ptr, size_t size) {
+#ifdef OPENSSL_LEAKS
+	void *rptr;
+
+	INSIST(dst__memory_pool != NULL);
+	rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
+	return (rptr);
+#else
 	INSIST(dst__memory_pool != NULL);
 	return (isc_mem_reallocate(dst__memory_pool, ptr, size));
+#endif
 }
 
 isc_result_t
-dst__openssl_init() {
+dst__openssl_init(const char *engine) {
 	isc_result_t result;
 #ifdef USE_ENGINE
-	/* const char  *name; */
 	ENGINE *re;
+#else
+
+	UNUSED(engine);
 #endif
 
 #ifdef  DNS_CRYPTO_LEAKS
@@ -187,73 +193,26 @@ dst__openssl_init() {
 	rm->add = entropy_add;
 	rm->pseudorand = entropy_getpseudo;
 	rm->status = entropy_status;
+
 #ifdef USE_ENGINE
 	OPENSSL_config(NULL);
-#ifdef USE_PKCS11
-#ifndef PKCS11_SO_PATH
-#define PKCS11_SO_PATH		"/usr/local/lib/engines/engine_pkcs11.so"
-#endif
-#ifndef PKCS11_MODULE_PATH
-#define PKCS11_MODULE_PATH	"/usr/lib/libpkcs11.so"
-#endif
-	{
-		/*
-		 * to use this to config the PIN, add in openssl.cnf:
-		 *  - at the beginning: "openssl_conf = openssl_def"
-		 *  - at any place these sections:
-		 * [ openssl_def ]
-		 * engines = engine_section
-		 * [ engine_section ]
-		 * pkcs11 = pkcs11_section
-		 * [ pkcs11_section ]
-		 * PIN = my___pin
-		 */
 
-		const char *pre_cmds[] = {
+	if (engine != NULL && *engine == '\0')
-			"SO_PATH", PKCS11_SO_PATH,
+		engine = NULL;
-			"LOAD", NULL,
+
-			"MODULE_PATH", PKCS11_MODULE_PATH
+	if (engine != NULL) {
-		};
+		e = ENGINE_by_id(engine);
-		const char *post_cmds[] = {
-			/* "PIN", "my___pin" */
-		};
-		result = dst__openssl_load_engine("pkcs11", "pkcs11",
-						  pre_cmds, 0,
-						  post_cmds, /*1*/ 0);
-		if (result != ISC_R_SUCCESS)
-			goto cleanup_rm;
-	}
-#else /* USE_PKCS11 */
-	if (engine_id != NULL) {
-		e = ENGINE_by_id(engine_id);
 		if (e == NULL) {
-			result = ISC_R_NOTFOUND;
+			result = DST_R_NOENGINE;
 			goto cleanup_rm;
 		}
-		if (!ENGINE_init(e)) {
+		/* This will init the engine. */
-			result = ISC_R_FAILURE;
+		if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
-			ENGINE_free(e);
+			result = DST_R_NOENGINE;
 			goto cleanup_rm;
 		}
-		ENGINE_set_default(e, ENGINE_METHOD_ALL);
+	}
-		ENGINE_free(e);
-		if (he == NULL)
-			he = e;
-	} else {
-		ENGINE_register_all_complete();
-		for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
 
-			/*
-			 * Something weird here. If we call ENGINE_finish()
-			 * ENGINE_get_default_RAND() will fail.
-			 */
-			if (ENGINE_init(e)) {
-				if (he == NULL)
-					he = e;
-			}
-		}
-	}
-#endif /* USE_PKCS11 */
 	re = ENGINE_get_default_RAND();
 	if (re == NULL) {
 		re = ENGINE_new();
@@ -266,7 +225,6 @@ dst__openssl_init() {
 		ENGINE_free(re);
 	} else
 		ENGINE_finish(re);
-
 #else
 	RAND_set_rand_method(rm);
 #endif /* USE_ENGINE */
@@ -274,13 +232,18 @@ dst__openssl_init() {
 
 #ifdef USE_ENGINE
  cleanup_rm:
+	if (e != NULL)
+		ENGINE_free(e);
+	e = NULL;
 	mem_free(rm);
+	rm = NULL;
 #endif
  cleanup_mutexinit:
 	CRYPTO_set_locking_callback(NULL);
 	DESTROYMUTEXBLOCK(locks, nlocks);
  cleanup_mutexalloc:
 	mem_free(locks);
+	locks = NULL;
 	return (result);
 }
 
@@ -290,16 +253,22 @@ dst__openssl_destroy() {
 	/*
 	 * Sequence taken from apps_shutdown() in <apps/apps.h>.
 	 */
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	if (rm != NULL) {
-	CONF_modules_unload(1);
+#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+		RAND_cleanup();
 #endif
+		mem_free(rm);
+		rm = NULL;
+	}
+#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+	CONF_modules_free();
+#endif
+	OBJ_cleanup();
 	EVP_cleanup();
 #if defined(USE_ENGINE)
-	if (he != NULL)
+	if (e != NULL)
-		ENGINE_finish(he);
+		ENGINE_free(e);
-	else if (e != NULL)
+	e = NULL;
-		ENGINE_finish(e);
-	he = e = NULL;
 #if defined(USE_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
 	ENGINE_cleanup();
 #endif
@@ -308,23 +277,18 @@ dst__openssl_destroy() {
 	CRYPTO_cleanup_all_ex_data();
 #endif
 	ERR_clear_error();
-	ERR_free_strings();
 	ERR_remove_state(0);
+	ERR_free_strings();
 
 #ifdef  DNS_CRYPTO_LEAKS
 	CRYPTO_mem_leaks_fp(stderr);
 #endif
 
-	if (rm != NULL) {
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
-		RAND_cleanup();
-#endif
-		mem_free(rm);
-	}
 	if (locks != NULL) {
 		CRYPTO_set_locking_callback(NULL);
 		DESTROYMUTEXBLOCK(locks, nlocks);
 		mem_free(locks);
+		locks = NULL;
 	}
 }
 
@@ -345,90 +309,18 @@ dst__openssl_toresult(isc_result_t fallback) {
 }
 
 ENGINE *
-dst__openssl_getengine(const char *name) {
+dst__openssl_getengine(const char *engine) {
 
-	UNUSED(name);
+	if (engine == NULL)
-
-#if defined(USE_ENGINE)
-	return (he);
-#else
 		return (NULL);
-#endif
-}
-
-isc_result_t
-dst__openssl_setdefault(const char *name) {
-
-	UNUSED(name);
-
 #if defined(USE_ENGINE)
-	ENGINE_set_default(e, ENGINE_METHOD_ALL);
-#endif
-	/*
-	 * XXXMPA If the engine does not have a default RAND method
-	 * restore our method.
-	 */
-	return (ISC_R_SUCCESS);
-}
-
-#ifdef USE_PKCS11
-/*
- * 'name' is the name the engine is known by to the dst library.
- * This may or may not match the name the engine is known by to
- * openssl.  It is the name that is stored in the private key file.
- *
- * 'engine_id' is the openssl engine name.
- *
- * pre_cmds and post_cmds a sequence if command argument pairs
- * pre_num and post_num are a count of those pairs.
- *
- * "SO_PATH", PKCS11_SO_PATH ("/usr/local/lib/engines/engine_pkcs11.so")
- * "LOAD", NULL
- * "MODULE_PATH", PKCS11_MODULE_PATH ("/usr/lib/libpkcs11.so")
- */
-static isc_result_t
-dst__openssl_load_engine(const char *name, const char *engine_id,
-			 const char **pre_cmds, int pre_num,
-			 const char **post_cmds, int post_num)
-{
-	ENGINE *e;
-
-	UNUSED(name);
-
-	if (!strcasecmp(engine_id, "dynamic"))
-		ENGINE_load_dynamic();
-	e = ENGINE_by_id(engine_id);
 	if (e == NULL)
-		return (ISC_R_NOTFOUND);
+		return (NULL);
-	while (pre_num--) {
+	if (strcmp(engine, ENGINE_get_id(e)) == 0)
-		if (!ENGINE_ctrl_cmd_string(e, pre_cmds[0], pre_cmds[1], 0)) {
+		return (e);
-			ENGINE_free(e);
+#endif
-			return (ISC_R_FAILURE);
+	return (NULL);
 }
-		pre_cmds += 2;
-	}
-	if (!ENGINE_init(e)) {
-		ENGINE_free(e);
-		return (ISC_R_FAILURE);
-	}
-	/*
-	 * ENGINE_init() returned a functional reference, so free the
-	 * structural reference from ENGINE_by_id().
-	 */
-	ENGINE_free(e);
-	while (post_num--) {
-		if (!ENGINE_ctrl_cmd_string(e, post_cmds[0], post_cmds[1], 0)) {
-			ENGINE_free(e);
-			return (ISC_R_FAILURE);
-		}
-		post_cmds += 2;
-	}
-	if (he != NULL)
-		ENGINE_finish(he);
-	he = e;
-	return (ISC_R_SUCCESS);
-}
-#endif /* USE_PKCS11 */
 
 #else /* OPENSSL */
 

lib/dns/opensslrsa_link.c

@@ -17,7 +17,7 @@
 
 /*
  * Principal Author: Brian Wellington
- * $Id: opensslrsa_link.c,v 1.28 2009/09/23 11:16:50 fdupont Exp $
+ * $Id: opensslrsa_link.c,v 1.29 2009/10/05 17:30:49 fdupont Exp $
  */
 #ifdef OPENSSL
 #ifndef USE_EVP
@@ -968,6 +968,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 
 	UNUSED(pin);
 
+	if (engine == NULL)
+		DST_RET(DST_R_NOENGINE);
 	e = dst__openssl_getengine(engine);
 	if (e == NULL)
 		DST_RET(DST_R_NOENGINE);

lib/isc/task.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: task.c,v 1.110 2009/09/02 23:48:02 tbox Exp $ */
+/* $Id: task.c,v 1.111 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file
  * \author Principal Author: Bob Halley
@@ -40,6 +40,10 @@
 #include <isc/util.h>
 #include <isc/xml.h>
 
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
 /*%
  * For BIND9 internal applications:
  * when built with threads we use multiple worker threads shared by the whole
@@ -1156,6 +1160,10 @@ run(void *uap) {
 	XTHREADTRACE(isc_msgcat_get(isc_msgcat, ISC_MSGSET_GENERAL,
 				    ISC_MSG_EXITING, "exiting"));
 
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif
+
 	return ((isc_threadresult_t)0);
 }
 #endif /* USE_WORKER_THREADS */

lib/isc/timer.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: timer.c,v 1.94 2009/09/03 21:55:13 jinmei Exp $ */
+/* $Id: timer.c,v 1.95 2009/10/05 17:30:49 fdupont Exp $ */
 
 /*! \file */
 
@@ -34,6 +34,10 @@
 #include <isc/timer.h>
 #include <isc/util.h>
 
+#ifdef OPENSSL_LEAKS
+#include <openssl/err.h>
+#endif
+
 /* See task.c about the following definition: */
 #ifdef BIND9
 #ifdef ISC_PLATFORM_USETHREADS
@@ -828,6 +832,10 @@ run(void *uap) {
 	}
 	UNLOCK(&manager->lock);
 
+#ifdef OPENSSL_LEAKS
+	ERR_remove_state(0);
+#endif
+
 	return ((isc_threadresult_t)0);
 }
 #endif /* USE_TIMER_THREAD */