diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 103b04a49c..f95c3e9c5b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1327,10 +1327,6 @@ gcc:bullseye:amd64: <<: *build_job system:gcc:bullseye:amd64: - # Set up environment variables that allow the "keyfromlabel" system test to be run - variables: - OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" - SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" <<: *debian_bullseye_amd64_image <<: *system_test_job needs: @@ -1358,10 +1354,6 @@ clang:bookworm:amd64: <<: *build_job system:clang:bookworm:amd64: - # Set up environment variables that allow the "keyfromlabel" system test to be run - variables: - OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" - SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" <<: *debian_bookworm_amd64_image <<: *system_test_job needs: diff --git a/OPTIONS.md b/OPTIONS.md index acdcaf823e..71f556f4f1 100644 --- a/OPTIONS.md +++ b/OPTIONS.md @@ -26,4 +26,3 @@ Some of these settings are: | `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult | | `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` | | `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports | -| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support | diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index d8ee57074f..fcdeb867c4 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -728,7 +728,7 @@ main(int argc, char **argv) { CHECK(setup_logging(mctx, stdout, &logc)); - CHECK(dst_lib_init(mctx, NULL)); + CHECK(dst_lib_init(mctx)); cleanup_dst = true; CHECK(cfg_parser_create(mctx, logc, &parser)); diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 348c05d874..922d066302 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -120,7 +120,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize, fatal("unsupported algorithm %d\n", alg); } - DO("initialize dst library", dst_lib_init(mctx, NULL)); + DO("initialize dst library", dst_lib_init(mctx)); DO("generate key", dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY, diff --git a/bin/delv/delv.c b/bin/delv/delv.c index 549d1bde5a..0da4af4e1b 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c @@ -2220,7 +2220,7 @@ main(int argc, char *argv[]) { isc_managers_create(&mctx, 1, &loopmgr, &netmgr); loop = isc_loop_main(loopmgr); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("dst_lib_init failed: %d", result); } diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 001e3a46c8..157f2e0325 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c @@ -1375,7 +1375,7 @@ setup_libs(void) { isc_mem_setname(mctx, "dig"); mainloop = isc_loop_main(loopmgr); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); check_result(result, "dst_lib_init"); is_dst_up = true; } diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index ebd619aaa3..1952ffd721 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -1180,7 +1180,7 @@ main(int argc, char *argv[]) { setup_logging(mctx, &lctx); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 422abad267..574b5a299e 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -489,7 +489,7 @@ main(int argc, char **argv) { fatal("extraneous arguments"); } - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index c93a0158eb..1574ee7aba 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -408,7 +408,7 @@ main(int argc, char **argv) { fatal("extraneous arguments"); } - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 8b052aba9b..38ed1f7d75 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c @@ -63,8 +63,6 @@ usage(void) { " ED25519 | ED448\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); - fprintf(stderr, " -E :\n"); - fprintf(stderr, " name of an OpenSSL engine to use\n"); fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -K directory: directory in which to place " "key files\n"); @@ -112,7 +110,6 @@ main(int argc, char **argv) { const char *directory = NULL; const char *predecessor = NULL; dst_key_t *prevkey = NULL; - const char *engine = NULL; char *classname = NULL; char *endp; dst_key_t *key = NULL; @@ -176,7 +173,7 @@ main(int argc, char **argv) { classname = isc_commandline_argument; break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': c = (unsigned char)(isc_commandline_argument[0]); @@ -335,7 +332,7 @@ main(int argc, char **argv) { } } - ret = dst_lib_init(mctx, engine); + ret = dst_lib_init(mctx); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } @@ -595,8 +592,8 @@ main(int argc, char **argv) { isc_buffer_init(&buf, filename, sizeof(filename) - 1); /* associate the key */ - ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine, - label, NULL, mctx, &key); + ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label, + NULL, mctx, &key); if (ret != ISC_R_SUCCESS) { char namestr[DNS_NAME_FORMATSIZE]; diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index 098feb9ecb..d0cc5ef5cd 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst @@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} +:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} Description ~~~~~~~~~~~ @@ -63,22 +63,12 @@ Options versions, then the NSEC3 version is used; for example, ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. -.. option:: -E engine - - This option specifies the cryptographic hardware to use. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -l label This option specifies the label for a key pair in the crypto hardware. When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is - an arbitrary string that identifies a particular key. It may be - preceded by an optional OpenSSL engine name, followed by a colon, as - in ``pkcs11:keylabel``. + an arbitrary string that identifies a particular key. .. option:: -n nametype diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 20de2b3670..6f738e96d8 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -176,8 +176,6 @@ usage(void) { fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n"); fprintf(stderr, " -c : (default: IN)\n"); fprintf(stderr, " -d (0 => max, default)\n"); - fprintf(stderr, " -E :\n"); - fprintf(stderr, " name of an OpenSSL engine to use\n"); fprintf(stderr, " -f : ZSK | KSK | REVOKE\n"); fprintf(stderr, " -F: FIPS mode\n"); fprintf(stderr, " -L : default key TTL\n"); @@ -842,7 +840,6 @@ main(int argc, char **argv) { isc_mem_t *mctx = NULL; isc_result_t ret; isc_textregion_t r; - const char *engine = NULL; unsigned char c; int ch; bool set_fips_mode = false; @@ -921,7 +918,7 @@ main(int argc, char **argv) { } break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': c = (unsigned char)(isc_commandline_argument[0]); @@ -1140,7 +1137,7 @@ main(int argc, char **argv) { } } - ret = dst_lib_init(mctx, engine); + ret = dst_lib_init(mctx); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } @@ -1245,7 +1242,7 @@ main(int argc, char **argv) { } kasp_from_conf(config, mctx, lctx, ctx.policy, - ctx.directory, engine, &kasp); + ctx.directory, &kasp); if (kasp == NULL) { fatal("failed to load dnssec-policy '%s'", ctx.policy); diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 2e12fe60cd..88044ee26b 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst @@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} +:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} Description ~~~~~~~~~~~ @@ -94,14 +94,6 @@ Options and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519, and ED448. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -f flag This option sets the specified flag in the flag field of the KEY/DNSKEY record. diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index 493c483d6e..f9f7bcedf9 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c @@ -41,7 +41,6 @@ const char *program = "dnssec-ksr"; */ static isc_log_t *lctx = NULL; static isc_mem_t *mctx = NULL; -const char *engine = NULL; /* * The domain we are working on */ @@ -122,7 +121,6 @@ usage(int ret) { fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "\n"); fprintf(stderr, "Options:\n"); - fprintf(stderr, " -E : name of an OpenSSL engine to use\n"); fprintf(stderr, " -e : end date\n"); fprintf(stderr, " -F: FIPS mode\n"); fprintf(stderr, " -f: KSR file to sign\n"); @@ -173,8 +171,7 @@ getkasp(ksr_ctx_t *ksr, dns_kasp_t **kasp) { fatal("unable to load dnssec-policy '%s' from '%s'", ksr->policy, ksr->configfile); } - kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, engine, - kasp); + kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, kasp); if (*kasp == NULL) { fatal("failed to load dnssec-policy '%s'", ksr->policy); } @@ -1213,7 +1210,7 @@ main(int argc, char *argv[]) { while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { switch (ch) { case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'e': ksr.end = strtotime(isc_commandline_argument, ksr.now, @@ -1267,7 +1264,7 @@ main(int argc, char *argv[]) { fatal("must provide a command and zone name"); } - ret = dst_lib_init(mctx, engine); + ret = dst_lib_init(mctx); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } diff --git a/bin/dnssec/dnssec-ksr.rst b/bin/dnssec/dnssec-ksr.rst index 1ed7275aca..8a0f507770 100644 --- a/bin/dnssec/dnssec-ksr.rst +++ b/bin/dnssec/dnssec-ksr.rst @@ -21,7 +21,7 @@ dnssec-ksr - Create signed key response (SKR) files for offline KSK setups Synopsis ~~~~~~~~ -:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone} +:program:`dnssec-ksr` [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone} Description ~~~~~~~~~~~ @@ -40,14 +40,6 @@ server. Options ~~~~~~~ -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -e date/offset This option sets the end date for which keys or SKRs need to be generated diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index cf7f2b74de..afea87f148 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -46,7 +46,6 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); - fprintf(stderr, " -E engine: specify OpenSSL engine\n"); fprintf(stderr, " -f: force overwrite\n"); fprintf(stderr, " -h: help\n"); fprintf(stderr, " -K directory: use directory for key files\n"); @@ -64,7 +63,6 @@ usage(void) { int main(int argc, char **argv) { isc_result_t result; - const char *engine = NULL; char const *filename = NULL; char *dir = NULL; char newname[1024], oldname[1024]; @@ -89,7 +87,7 @@ main(int argc, char **argv) { while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) { switch (ch) { case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': force = true; @@ -159,7 +157,7 @@ main(int argc, char **argv) { } } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("Could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst index 052865fb7c..fc03d5a911 100644 --- a/bin/dnssec/dnssec-revoke.rst +++ b/bin/dnssec/dnssec-revoke.rst @@ -21,7 +21,7 @@ dnssec-revoke - set the REVOKED bit on a DNSSEC key Synopsis ~~~~~~~~ -:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile} +:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-f**] [**-R**] {keyfile} Description ~~~~~~~~~~~ @@ -53,14 +53,6 @@ Options This option prints version information. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -f This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair, diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index f19d0781b5..0b46f2f8ef 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -51,7 +51,6 @@ usage(void) { fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "General options:\n"); - fprintf(stderr, " -E engine: specify OpenSSL engine\n"); fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); @@ -186,7 +185,6 @@ writekey(dst_key_t *key, const char *directory, bool write_state) { int main(int argc, char **argv) { isc_result_t result; - const char *engine = NULL; const char *filename = NULL; char *directory = NULL; char keystr[DST_KEY_FORMATSIZE]; @@ -314,7 +312,7 @@ main(int argc, char **argv) { &setdstime); break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': force = true; @@ -555,7 +553,7 @@ main(int argc, char **argv) { fatal("Options -g, -d, -k, -r and -z require -s to be set"); } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("Could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index 5cb4ea8370..5e31ce3748 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst @@ -21,7 +21,7 @@ dnssec-settime: set the key timing metadata for a DNSSEC key Synopsis ~~~~~~~~ -:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset] +:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset] Description ~~~~~~~~~~~ @@ -97,14 +97,6 @@ Options This option sets the debugging level. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - Timing Options ~~~~~~~~~~~~~~ diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index fed31e8139..3d1908a1ae 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c @@ -3263,8 +3263,6 @@ usage(void) { fprintf(stderr, "\t-a:\t"); fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-E engine:\n"); - fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "\t-Q:\t"); @@ -3353,7 +3351,6 @@ main(int argc, char *argv[]) { dns_dnsseckey_t *key; isc_result_t result, vresult; isc_log_t *log = NULL; - const char *engine = NULL; bool free_output = false; int tempfilelen = 0; dns_rdataclass_t rdclass; @@ -3461,7 +3458,7 @@ main(int argc, char *argv[]) { break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'e': @@ -3748,7 +3745,7 @@ main(int argc, char *argv[]) { } } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index ec4cc2d0a2..3e1465a43c 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool Synopsis ~~~~~~~~ -:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] +:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] Description ~~~~~~~~~~~ @@ -62,15 +62,6 @@ Options ``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>` or serial-number updating. -.. option:: -E engine - - This option specifies the hardware to use for cryptographic - operations, such as a secure key store used for signing, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -F This options turns on FIPS (US Federal Information Processing Standards) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index c4ce4eadf7..0494113884 100644 --- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -157,8 +157,6 @@ usage(void) { fprintf(stderr, "\t-I format:\n"); fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-E engine:\n"); - fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, " "not ZSKs\n"); fprintf(stderr, "\t-z:\tAll records signed with KSKs\n"); @@ -171,7 +169,6 @@ main(int argc, char *argv[]) { char *inputformatstr = NULL; isc_result_t result; isc_log_t *log = NULL; - const char *engine = NULL; char *classname = NULL; dns_rdataclass_t rdclass; char *endp; @@ -215,7 +212,7 @@ main(int argc, char *argv[]) { break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'I': @@ -275,7 +272,7 @@ main(int argc, char *argv[]) { } } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst index 7f55353257..f835c09173 100644 --- a/bin/dnssec/dnssec-verify.rst +++ b/bin/dnssec/dnssec-verify.rst @@ -21,7 +21,7 @@ dnssec-verify - DNSSEC zone verification tool Synopsis ~~~~~~~~ -:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile} +:program:`dnssec-verify` [**-c** class] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile} Description ~~~~~~~~~~~ @@ -37,14 +37,6 @@ Options This option specifies the DNS class of the zone. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -I input-format This option sets the format of the input zone file. Possible formats are ``text`` diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 69f93c0852..b35a24058f 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -605,8 +605,7 @@ cleanup: void kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, - const char *name, const char *keydir, const char *engine, - dns_kasp_t **kaspp) { + const char *name, const char *keydir, dns_kasp_t **kaspp) { isc_result_t result = ISC_R_NOTFOUND; const cfg_listelt_t *element; const cfg_obj_t *kasps = NULL; @@ -625,8 +624,8 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, { cfg_obj_t *kconfig = cfg_listelt_value(element); ks = NULL; - result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine, - &kslist, NULL); + result = cfg_keystore_fromconfig(kconfig, mctx, lctx, &kslist, + NULL); if (result != ISC_R_SUCCESS) { fatal("failed to configure key-store '%s': %s", cfg_obj_asstring(cfg_tuple_get(kconfig, "name")), @@ -635,7 +634,7 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, } /* Default key-directory key store. */ ks = NULL; - (void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks); + (void)cfg_keystore_fromconfig(NULL, mctx, lctx, &kslist, &ks); INSIST(ks != NULL); if (keydir != NULL) { /* '-K keydir' takes priority */ diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index c9a1a5f757..aac6a709ad 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h @@ -119,5 +119,4 @@ loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal); void kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, - const char *name, const char *keydir, const char *engine, - dns_kasp_t **kaspp); + const char *name, const char *keydir, dns_kasp_t **kaspp); diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 0fc26f212d..6de1be8e36 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -129,8 +129,6 @@ EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/" EXTERN const char *named_g_username INIT(NULL); -EXTERN const char *named_g_engine INIT(NULL); - EXTERN isc_time_t named_g_boottime; EXTERN isc_time_t named_g_configtime; EXTERN bool named_g_memstatistics INIT(false); diff --git a/bin/named/main.c b/bin/named/main.c index 735b361ac5..12d5705137 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -307,7 +307,7 @@ library_unexpected_error(const char *file, int line, const char *func, static void usage(void) { fprintf(stderr, "usage: named [-4|-6] [-c conffile] [-d debuglevel] " - "[-D comment] [-E engine]\n" + "[-D comment]\n" " [-f|-g] [-L logfile] [-n number_of_cpus] " "[-p port] [-s]\n" " [-S sockets] [-t chrootdir] [-u " @@ -632,7 +632,7 @@ printversion(bool verbose) { printf("threads support is enabled\n"); isc_mem_create(&mctx); - result = dst_lib_init(mctx, named_g_engine); + result = dst_lib_init(mctx); if (result == ISC_R_SUCCESS) { isc_buffer_init(&b, buf, sizeof(buf)); format_supported_algorithms(printit); @@ -894,7 +894,8 @@ parse_command_line(int argc, char *argv[]) { /* Descriptive comment for 'ps'. */ break; case 'E': - named_g_engine = isc_commandline_argument; + named_main_earlyfatal( + "%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': named_g_foreground = true; diff --git a/bin/named/named.rst b/bin/named/named.rst index ee893faba7..f9c7dc7532 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst @@ -21,7 +21,7 @@ named - Internet domain name server Synopsis ~~~~~~~~ -:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ] +:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ] Description ~~~~~~~~~~~ @@ -73,15 +73,6 @@ Options This option specifies a string that is used to identify a instance of :program:`named` in a process listing. The contents of ``string`` are not examined. -.. option:: -E engine-name - - When applicable, this option specifies the hardware to use for cryptographic - operations, such as a secure key store used for signing. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -f This option runs the server in the foreground (i.e., do not daemonize). diff --git a/bin/named/server.c b/bin/named/server.c index 6f68406196..341bf7460d 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8988,7 +8988,7 @@ load_configuration(const char *filename, named_server_t *server, * Create the built-in key store ("key-directory"). */ result = cfg_keystore_fromconfig(NULL, named_g_mctx, named_g_lctx, - named_g_engine, &keystorelist, NULL); + &keystorelist, NULL); if (result != ISC_R_SUCCESS) { goto cleanup_keystorelist; } @@ -9004,8 +9004,8 @@ load_configuration(const char *filename, named_server_t *server, cfg_obj_t *kconfig = cfg_listelt_value(element); keystore = NULL; result = cfg_keystore_fromconfig(kconfig, named_g_mctx, - named_g_lctx, named_g_engine, - &keystorelist, NULL); + named_g_lctx, &keystorelist, + NULL); if (result != ISC_R_SUCCESS) { goto cleanup_keystorelist; } @@ -10331,8 +10331,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { ISC_LIST_INIT(server->viewlist); /* Must be first. */ - CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), - "initializing DST"); + CHECKFATAL(dst_lib_init(named_g_mctx), "initializing DST"); CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, &server->in_roothints), diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 3048df8345..64bec6b631 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -926,7 +926,7 @@ setup_system(void *arg ISC_ATTR_UNUSED) { result = dns_dispatchmgr_create(gmctx, loopmgr, netmgr, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); - result = dst_lib_init(gmctx, NULL); + result = dst_lib_init(gmctx); check_result(result, "dst_lib_init"); is_dst_up = true; diff --git a/bin/tests/system/enginepkcs11/clean.sh b/bin/tests/system/enginepkcs11/clean.sh index 5a24ebd3da..63d8a52581 100644 --- a/bin/tests/system/enginepkcs11/clean.sh +++ b/bin/tests/system/enginepkcs11/clean.sh @@ -25,7 +25,7 @@ rm -f ns*/*.kskid1 ns*/*.kskid2 ns*/*.zskid1 ns/*.zskid2 rm -f ns*/dig.out.* rm -f ns*/K* rm -f ns*/keygen.out.* -rm -f ns*/named.conf ns1/named.args ns1/named.run ns1/named.memstats +rm -f ns*/named.conf ns1/named.run ns1/named.memstats rm -f ns*/pin rm -f ns*/update.cmd.* rm -f ns*/update.log.* diff --git a/bin/tests/system/enginepkcs11/ns1/named.args b/bin/tests/system/enginepkcs11/ns1/named.args new file mode 100644 index 0000000000..32f18fd1f1 --- /dev/null +++ b/bin/tests/system/enginepkcs11/ns1/named.args @@ -0,0 +1 @@ +-D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/ns1/named.args.in b/bin/tests/system/enginepkcs11/ns1/named.args.in deleted file mode 100644 index 889992190a..0000000000 --- a/bin/tests/system/enginepkcs11/ns1/named.args.in +++ /dev/null @@ -1 +0,0 @@ -@ENGINE_ARGS@ -D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/ns2/named.args b/bin/tests/system/enginepkcs11/ns2/named.args new file mode 100644 index 0000000000..d0846e5155 --- /dev/null +++ b/bin/tests/system/enginepkcs11/ns2/named.args @@ -0,0 +1 @@ +-D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/ns2/named.args.in b/bin/tests/system/enginepkcs11/ns2/named.args.in deleted file mode 100644 index 1d6beb9a9f..0000000000 --- a/bin/tests/system/enginepkcs11/ns2/named.args.in +++ /dev/null @@ -1 +0,0 @@ -@ENGINE_ARGS@ -D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh index e0dd87ae49..9ef2d1e0dc 100644 --- a/bin/tests/system/enginepkcs11/setup.sh +++ b/bin/tests/system/enginepkcs11/setup.sh @@ -41,13 +41,12 @@ keyfromlabel() { dir="$4" shift 4 - $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 + $KEYFRLAB -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 cat keyfromlabel.out.$zone.$id } # Setup ns1. copy_setports ns1/named.conf.in ns1/named.conf -sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" ns1/named.args mkdir ns1/keys @@ -91,7 +90,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ echo_i "Sign zone with $ksk1 $zsk1" cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}" - $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 + $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 test "$ret" -eq 0 || exit 1 echo_i "Generate successor keys $alg $type:$bits for zone $zone" @@ -183,7 +182,6 @@ done # Setup ns2 (with views). copy_setports ns2/named.conf.in ns2/named.conf -sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" ns2/named.args mkdir ns2/keys @@ -226,11 +224,11 @@ if [ "${supported}" = 1 ]; then echo_i "Sign zone with $ksk1 $zsk1" cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile1}" - $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1 + $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1 test "$ret" -eq 0 || exit 1 cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile2}" - $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1 + $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1 test "$ret" -eq 0 || exit 1 echo_i "Generate successor keys $alg $type:$bits for zone $zone" diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh index 7b0c1072bf..138b0483a8 100644 --- a/bin/tests/system/enginepkcs11/tests.sh +++ b/bin/tests/system/enginepkcs11/tests.sh @@ -255,7 +255,7 @@ EOF n=$((n + 1)) ret=0 echo_i "Test dnssec-keygen for $zone ($n)" - $KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1 + $KEYGEN -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1 check_keys $zone 2 || ret=1 status=$((status + ret)) diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 5b3c504d62..63017c9143 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -202,7 +202,7 @@ main(int argc, char **argv) { int answer; isc_mem_create(&mctx); - dst_lib_init(mctx, NULL); + dst_lib_init(mctx); answer = dst_algorithm_supported(DST_ALG_HMACMD5) ? 0 : 1; dst_lib_destroy(); isc_mem_detach(&mctx); @@ -232,7 +232,7 @@ main(int argc, char **argv) { int answer; isc_mem_t *mctx = NULL; isc_mem_create(&mctx); - dst_lib_init(mctx, NULL); + dst_lib_init(mctx); answer = dst_algorithm_supported(DST_ALG_RSASHA1) ? 0 : 1; dst_lib_destroy(); isc_mem_detach(&mctx); diff --git a/bin/tests/system/isctest/vars/openssl.py b/bin/tests/system/isctest/vars/openssl.py index 5df12b7247..19d62d1811 100644 --- a/bin/tests/system/isctest/vars/openssl.py +++ b/bin/tests/system/isctest/vars/openssl.py @@ -20,15 +20,12 @@ OPENSSL_VARS = { "OPENSSL_CONF": os.getenv("OPENSSL_CONF", None), "SOFTHSM2_CONF": os.getenv("SOFTHSM2_CONF", None), "SOFTHSM2_MODULE": None, - "ENGINE_ARG": None, } def parse_openssl_config(path: Optional[str]): if path is None or not os.path.exists(path): - OPENSSL_VARS["ENGINE_ARG"] = None OPENSSL_VARS["SOFTHSM2_MODULE"] = None - os.environ.pop("ENGINE_ARG", None) os.environ.pop("SOFTHSM2_MODULE", None) return assert os.path.isfile(path), f"{path} exists, but it's not a file" @@ -41,11 +38,7 @@ def parse_openssl_config(path: Optional[str]): if res: key = res.group(1).strip() val = res.group(2).strip() - if key == "engine_id": - OPENSSL_VARS["ENGINE_ARG"] = f"-E {val}" - os.environ["ENGINE_ARG"] = f"-E {val}" - log.debug("ENGINE_ARG set to {OPENSSL_VARS['ENGINE_ARG']}") - elif key in ["MODULE_PATH", "pkcs11-module-path"]: + if key in ["MODULE_PATH", "pkcs11-module-path"]: OPENSSL_VARS["SOFTHSM2_MODULE"] = val os.environ["SOFTHSM2_MODULE"] = val log.debug( diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh index ae4c9a6e6e..c3e38d8ae5 100644 --- a/bin/tests/system/keyfromlabel/tests.sh +++ b/bin/tests/system/keyfromlabel/tests.sh @@ -35,7 +35,7 @@ keyfromlabel() { id="$3" shift 3 - $KEYFRLAB $ENGINE_ARG -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1 + $KEYFRLAB -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1 cat keyfromlabel.out.$zone.$id } @@ -84,7 +84,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ echo_i "Sign zone with $ksk $zsk" ret=0 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" - $SIGNER $ENGINE_ARG -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1 + $SIGNER -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) fi diff --git a/bin/tests/system/makejournal.c b/bin/tests/system/makejournal.c index b9e766cf68..c42c97ba58 100644 --- a/bin/tests/system/makejournal.c +++ b/bin/tests/system/makejournal.c @@ -101,7 +101,7 @@ main(int argc, char **argv) { isc_mem_debugging |= ISC_MEM_DEBUGRECORD; isc_mem_create(&mctx); - CHECK(dst_lib_init(mctx, NULL)); + CHECK(dst_lib_init(mctx)); dst_active = true; isc_log_create(mctx, &lctx, &logconfig); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c index b0293eef0a..d2237e8347 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c @@ -275,7 +275,7 @@ main(int argc, char *argv[]) { isc_log_create(mctx, &lctx, &lcfg); - RUNCHECK(dst_lib_init(mctx, NULL)); + RUNCHECK(dst_lib_init(mctx)); RUNCHECK(dns_dispatchmgr_create(mctx, loopmgr, netmgr, &dispatchmgr)); diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c index 3c3fda0912..5f3c9151a2 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -105,7 +105,7 @@ main(int argc, char **argv) { } isc_mem_create(&mctx); - CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()"); + CHECK(dst_lib_init(mctx), "dst_lib_init()"); isc_log_create(mctx, &log_, &logconfig); isc_log_setcontext(log_); dns_log_init(log_); diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c index 5dadd55c11..b620f51688 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c @@ -2131,7 +2131,7 @@ main(int argc, char *argv[]) { isc_managers_create(&mctx, 1, &loopmgr, &netmgr); isc_log_create(mctx, &lctx, &lcfg); - RUNCHECK(dst_lib_init(mctx, NULL)); + RUNCHECK(dst_lib_init(mctx)); isc_nonce_buf(cookie_secret, sizeof(cookie_secret)); ISC_LIST_INIT(queries); diff --git a/doc/arm/build.inc.rst b/doc/arm/build.inc.rst index 6782d7abfe..e9b18bbdf5 100644 --- a/doc/arm/build.inc.rst +++ b/doc/arm/build.inc.rst @@ -62,18 +62,17 @@ To build BIND 9, the following packages must be installed: - ``perl`` - ``pkg-config`` / ``pkgconfig`` / ``pkgconf`` -BIND 9.20 requires ``libuv`` 1.34.0 or higher, using ``libuv`` >= 1.40.0 -is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is -not supported, as this could lead to an assertion failure in the UDP -receive code. On older systems, an updated ``libuv`` package needs to be -installed from sources such as EPEL, PPA, or other native sources. The -other option is to build and install ``libuv`` from source. +BIND 9.20 requires ``libuv`` 1.37.0 or higher, using ``libuv`` >= 1.40.0 is +recommended. On older systems, an updated ``libuv`` package needs to be +installed from sources such as EPEL, PPA, or other native sources. The other +option is to build and install ``libuv`` from source. -OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed -in a nonstandard location, specify the prefix using -``--with-openssl=`` on the ``configure`` command line. To use a -PKCS#11 hardware service module for cryptographic operations, -``engine_pkcs11`` from the OpenSC project must be compiled and used. +OpenSSL 1.1.1 or newer is required. If the OpenSSL library is installed +in a nonstandard location, specify the prefix using ``PKG_CONFIG_PATH``. + +To use a PKCS#11 hardware service module for cryptographic operations, +PKCS#11 Provider (https://github.com/latchset/pkcs11-provider/tree/main) +must be compiled, configured and used directly in the OpenSSL 3.x. The Userspace RCU library ``liburcu`` (https://liburcu.org/) is used for lock-free data structures and concurrent safe memory reclamation. diff --git a/doc/arm/pkcs11.inc.rst b/doc/arm/pkcs11.inc.rst index 1367bfbe5c..2cf848a59d 100644 --- a/doc/arm/pkcs11.inc.rst +++ b/doc/arm/pkcs11.inc.rst @@ -23,12 +23,10 @@ library which provides a low-level PKCS#11 interface to drive the HSM hardware. The PKCS#11 provider library comes from the HSM vendor, and it is specific to the HSM to be controlled. -BIND 9 access PKCS#11 libraries via OpenSSL extensions. The extension for -OpenSSL 3 and newer is `pkcs11-provider`_. And for the older OpenSSL versions -engine_pkcs11 from the `OpenSC`_ project can be used. +BIND 9 access PKCS#11 libraries via OpenSSL Providers. The provider for +OpenSSL 3 and newer is `pkcs11-provider`_. .. _`pkcs11-provider`: https://github.com/latchset/pkcs11-provider -.. _OpenSC: https://github.com/OpenSC/libp11 In both cases the extension is dynamically loaded into OpenSSL and the HSM is operated indirectly; any cryptographic operations not supported by the HSM can @@ -67,102 +65,6 @@ with BIND. $ make install $ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 -OpenSSL 1.x.x with engine_pkcs11 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -OpenSSL engine-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project. - -engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL. -That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine -API. One has to register the engine with OpenSSL and one has to provide the -path to the PKCS#11 module which should be gatewayed to. This can be done by -editing the OpenSSL configuration file, by engine specific controls, or by using -the p11-kit proxy module. - -It is recommended, that libp11 >= 0.4.12 is used. - -For more detailed howto including the examples, we recommend reading: - -https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11 - -When using engine_pkcs11, all BIND binaries potentially need the keys require -'-E pkcs11' argument to activate the engine support. - -Even though OpenSSL 3 has compatibility support for Engine API it is not -recommended to be used due to bugs in OpenSSL and libp11. - -It is not possible to generate new keys via the engine_pkcs11 and therefore it -is not recommended to use it in a ``dnssec-policy`` setup (although it is -possible to put previously generated keys in the ``key-directory`` and let the -key manager select those keys when a key rollover is started. - -Configuring engine_pkcs11 -^^^^^^^^^^^^^^^^^^^^^^^^^ - -The canonical documentation for configuring engine_pkcs11 is in the -`libp11/README.md`_, but here's copy of working configuration for -your convenience: - -.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration - -We are going to use our own custom copy of OpenSSL configuration, again it's -driven by an environment variable, this time called OPENSSL_CONF. We are -going to copy the global OpenSSL configuration (often found in -``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11. - -:: - - cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf - -and export the environment variable: - -:: - - export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf - -Now add the following line at the top of file, before any sections (in square -brackets) are defined: - -:: - - openssl_conf = openssl_init - -And make sure there are no other 'openssl_conf = ...' lines in the file. - -Add following lines at the bottom of the file: - -:: - - [openssl_init] - engines=engine_section - - [engine_section] - pkcs11 = pkcs11_section - - [pkcs11_section] - engine_id = pkcs11 - dynamic_path = /pkcs11.so - MODULE_PATH = - # if automatic logging to the token is needed, PIN can be specified as below - #PIN = 1234 - init = 0 - -Enabling the OpenSSL Engine in BIND commands -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -When using OpenSSL Engine-based PKCS#11, the "engine" to be used by OpenSSL can be -specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E -`` command line option. This engine name matches the 'engine_id' in the -``openssl.cnf`` created in previous section. - -The zone signing commences as usual, with only one small difference. We need to -provide the name of the OpenSSL engine using the -E command line option. - -:: - - dnssec-signzone -E pkcs11 -S -o example.net example.net - - OpenSSL 3 with pkcs11-provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -170,16 +72,13 @@ OpenSSL provider-based PKCS#11 uses pkcs11-provider project. pkcs11-provider tries to fit the PKCS#11 API within the Provider API of OpenSSL. That is, it provides a gateway between PKCS#11 modules and the OpenSSL Provider -API. One has to register the engine with OpenSSL and one has to provide the +API. One has to register the provider with OpenSSL and one has to provide the path to the PKCS#11 module which should be gatewayed to. This can be done by -editing the OpenSSL configuration file, by engine specific controls, or by using -the p11-kit proxy module. +editing the OpenSSL configuration file, using provider specific controls, or +by using the p11-kit proxy module. -It is required to use pkcs11-provider git commit -2e8c26b4157fd21422c66f0b4d7b26cf8c320570 from October 2, 2023 or later. - -BIND support for pkcs11-provider is built in and the -E command line option -explained above should not be used. +It is required to use pkcs11-provider version 0.3 or later. It is recommended +to use the lastest version available. Configuring pkcs11-provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -248,9 +147,14 @@ HSM keys can now be created and used. We are going to assume that you already have a BIND 9 installed, either from a package, or from the sources, and the tools are readily available in the ``$PATH``. -For generating the keys, we are going to use ``pkcs11-tool`` available from the -OpenSC suite. On both DEB-based and RPM-based distributions, the package is -called opensc. +A zone that is configured with ``dnssec-policy`` can generate keys through +the PKCS#11 Provider API of OpenSSL. + +If you want to create keys manually, the ``pkcs11-tool`` available from the +`OpenSC`_ suite can be used. On both DEB-based and RPM-based distributions, +the package is called opensc. + +.. _OpenSC: https://github.com/OpenSC/libp11 We need to generate at least two RSA keys: @@ -266,23 +170,23 @@ Convert the RSA keys stored in the HSM into a format that BIND 9 understands. The :iscman:`dnssec-keyfromlabel` tool from BIND 9 can link the raw keys stored in the HSM with the ``K++`` files. -You'll need to provide the OpenSSL engine name (``pkcs11``) if using the engine and -the algorithm (``RSASHA256``). The key is referenced with the PKCS#11 URI scheme and it -can contain the PKCS#11 token label (we asume that it has been initialized as bind9), -and the PKCS#11 object label (called label when generating the keys using ``pkcs11-tool``) -and the HSM PIN. Refer to :rfc:`7512` for the full PKCS#11 URI specification. +You'll need to provide the algorithm (``RSASHA256``). The key is referenced with +the PKCS#11 URI scheme and it can contain the PKCS#11 token label (we asume that +it has been initialized as bind9), and the PKCS#11 object label (called label +when generating the keys using ``pkcs11-tool``) and the HSM PIN. Refer to +:rfc:`7512` for the full PKCS#11 URI specification. Convert the KSK: :: - dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net + dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net and ZSK: :: - dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net + dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net NOTE: you can use PIN stored on disk, by specifying ``pin-source=/``, f.e.: @@ -327,15 +231,10 @@ this is when creating ECDSA keys, you should specify a unique ID: Running :iscman:`named` With Automatic Zone Re-signing ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The zone can also be signed automatically by named. Again, we need to provide -the name of the OpenSSL engine using the :option:`-E ` command line option, -if using OpenSSL 1.x.x with engine_pkcs11, and this is not needed when using OpenSSL 3.x.x providers. +Once the keys are created, the zone can also be signed automatically by named +without further requisites. -:: - - named -E pkcs11 -c named.conf - -and the logs should have lines like: +The logs should have lines like: :: diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c index 25a3119304..363b3e9ff1 100644 --- a/fuzz/dns_message_checksig.c +++ b/fuzz/dns_message_checksig.c @@ -173,7 +173,7 @@ LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) { isc_mem_create(&mctx); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fprintf(stderr, "dst_lib_init failed: %s\n", isc_result_totext(result)); diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 487bb84bee..cd593ca9fd 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -190,16 +190,14 @@ addsuffix(char *filename, int len, const char *dirname, const char *ofilename, } while (0); isc_result_t -dst_lib_init(isc_mem_t *mctx, const char *engine) { +dst_lib_init(isc_mem_t *mctx) { isc_result_t result; REQUIRE(mctx != NULL); REQUIRE(!dst_initialized); - UNUSED(engine); - memset(dst_t_func, 0, sizeof(dst_t_func)); - RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */ + dst__openssl_init(); /* Sets FIPS mode. */ RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1])); RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224])); @@ -998,8 +996,8 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg, isc_result_t dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, - const char *engine, const char *label, const char *pin, - isc_mem_t *mctx, dst_key_t **keyp) { + const char *label, const char *pin, isc_mem_t *mctx, + dst_key_t **keyp) { dst_key_t *key; isc_result_t result; @@ -1018,7 +1016,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags, return (DST_R_UNSUPPORTEDALG); } - result = key->func->fromlabel(key, engine, label, pin); + result = key->func->fromlabel(key, label, pin); if (result != ISC_R_SUCCESS) { dst_key_free(&key); return (result); @@ -1408,9 +1406,6 @@ dst_key_free(dst_key_t **keyp) { if (key->directory != NULL) { isc_mem_free(mctx, key->directory); } - if (key->engine != NULL) { - isc_mem_free(mctx, key->engine); - } if (key->label != NULL) { isc_mem_free(mctx, key->label); } diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index cf902deaa6..fe89420916 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -92,8 +92,7 @@ struct dst_key { dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */ isc_mem_t *mctx; /*%< memory context */ char *directory; /*%< key directory */ - char *engine; /*%< engine name (HSM) */ - char *label; /*%< engine label (HSM) */ + char *label; /*%< HSM label */ union { void *generic; dns_gss_ctx_id_t gssctx; @@ -185,8 +184,8 @@ struct dst_func { /* cleanup */ void (*cleanup)(void); - isc_result_t (*fromlabel)(dst_key_t *key, const char *engine, - const char *label, const char *pin); + isc_result_t (*fromlabel)(dst_key_t *key, const char *label, + const char *pin); isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length); isc_result_t (*restore)(dst_key_t *key, const char *keystr); @@ -195,8 +194,8 @@ struct dst_func { /*% * Initializers */ -isc_result_t -dst__openssl_init(const char *engine); +void +dst__openssl_init(void); isc_result_t dst__hmacmd5_init(struct dst_func **funcp); diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h index b7541fd0e6..f4ff5cc46e 100644 --- a/lib/dns/dst_openssl.h +++ b/lib/dns/dst_openssl.h @@ -41,14 +41,9 @@ isc_result_t dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname, isc_result_t fallback, const char *file, int line); -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -ENGINE * -dst__openssl_getengine(const char *engine); -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - isc_result_t -dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label, - const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv); +dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin, + EVP_PKEY **ppub, EVP_PKEY **ppriv); bool dst__openssl_keypair_compare(const dst_key_t *key1, const dst_key_t *key2); diff --git a/lib/dns/include/dns/keystore.h b/lib/dns/include/dns/keystore.h index 8888eb12d4..4e648bc414 100644 --- a/lib/dns/include/dns/keystore.h +++ b/lib/dns/include/dns/keystore.h @@ -42,7 +42,6 @@ struct dns_keystore { unsigned int magic; isc_mem_t *mctx; const char *name; - const char *engine; /* Internals. */ isc_mutex_t lock; @@ -64,8 +63,7 @@ struct dns_keystore { #define DNS_KEYSTORE_KEYDIRECTORY "key-directory" isc_result_t -dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine, - dns_keystore_t **kspp); +dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp); /*%< * Create a key store. * @@ -75,8 +73,6 @@ dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine, * *\li 'name' is a valid C string. * - *\li 'engine' is the name of the OpenSSL engine to use, may be NULL. - * *\li kspp != NULL && *kspp == NULL * * Returns: @@ -101,20 +97,6 @@ dns_keystore_name(dns_keystore_t *keystore); *\li name of 'keystore'. */ -const char * -dns_keystore_engine(dns_keystore_t *keystore); -/*%< - * Get keystore engine. - * - * Requires: - * - *\li 'keystore' is a valid keystore. - * - * Returns: - * - *\li engine of 'keystore'. May be NULL. - */ - const char * dns_keystore_directory(dns_keystore_t *keystore, const char *keydir); /*%< diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index dc6b5a15b8..ee569582ca 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -198,7 +198,7 @@ typedef enum dst_algorithm { *** Functions ***/ isc_result_t -dst_lib_init(isc_mem_t *mctx, const char *engine); +dst_lib_init(isc_mem_t *mctx); /*%< * Initializes the DST subsystem. * @@ -208,7 +208,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine); * Returns: * \li ISC_R_SUCCESS * \li ISC_R_NOMEMORY - * \li DST_R_NOENGINE * * Ensures: * \li DST is properly initialized. @@ -627,8 +626,8 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg, isc_result_t dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, - const char *engine, const char *label, const char *pin, - isc_mem_t *mctx, dst_key_t **keyp); + const char *label, const char *pin, isc_mem_t *mctx, + dst_key_t **keyp); isc_result_t dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits, diff --git a/lib/dns/keystore.c b/lib/dns/keystore.c index 90b766d62e..c714606a13 100644 --- a/lib/dns/keystore.c +++ b/lib/dns/keystore.c @@ -26,15 +26,13 @@ #include isc_result_t -dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine, - dns_keystore_t **kspp) { +dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp) { dns_keystore_t *keystore; REQUIRE(name != NULL); REQUIRE(kspp != NULL && *kspp == NULL); keystore = isc_mem_get(mctx, sizeof(*keystore)); - keystore->engine = engine; keystore->mctx = NULL; isc_mem_attach(mctx, &keystore->mctx); @@ -85,13 +83,6 @@ dns_keystore_name(dns_keystore_t *keystore) { return (keystore->name); } -const char * -dns_keystore_engine(dns_keystore_t *keystore) { - REQUIRE(DNS_KEYSTORE_VALID(keystore)); - - return (keystore->engine); -} - const char * dns_keystore_directory(dns_keystore_t *keystore, const char *keydir) { if (keystore == NULL) { diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index d8191b1f05..596627046c 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -42,9 +42,6 @@ #include "dst_internal.h" #include "dst_openssl.h" -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -#include -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #include @@ -58,10 +55,6 @@ goto err; \ } -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -static ENGINE *global_engine = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - static void enable_fips_mode(void) { #if defined(ENABLE_FIPS_MODE) @@ -79,52 +72,14 @@ enable_fips_mode(void) { #endif } -isc_result_t -dst__openssl_init(const char *engine) { +void +dst__openssl_init(void) { enable_fips_mode(); - - if (engine != NULL && *engine == '\0') { - engine = NULL; - } - - if (engine == NULL) { - return (ISC_R_SUCCESS); - } - -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - global_engine = ENGINE_by_id(engine); - if (global_engine == NULL) { - goto cleanup_rm; - } - if (!ENGINE_init(global_engine)) { - goto cleanup_rm; - } - /* This will init the engine. */ - if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) { - goto cleanup_init; - } - return (ISC_R_SUCCESS); -cleanup_init: - ENGINE_finish(global_engine); -cleanup_rm: - if (global_engine != NULL) { - ENGINE_free(global_engine); - } - ERR_clear_error(); - global_engine = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - return (DST_R_NOENGINE); } void dst__openssl_destroy(void) { -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - if (global_engine != NULL) { - ENGINE_finish(global_engine); - ENGINE_free(global_engine); - } - global_engine = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ + /* No-op */ } static isc_result_t @@ -211,67 +166,6 @@ done: return (result); } -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -ENGINE * -dst__openssl_getengine(const char *engine) { - if (engine == NULL) { - return (NULL); - } - if (global_engine == NULL) { - return (NULL); - } - if (strcmp(engine, ENGINE_get_id(global_engine)) == 0) { - return (global_engine); - } - return (NULL); -} -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - -static isc_result_t -dst__openssl_fromlabel_engine(int key_base_id, const char *engine, - const char *label, const char *pin, - EVP_PKEY **ppub, EVP_PKEY **ppriv) { -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - isc_result_t ret = ISC_R_SUCCESS; - ENGINE *e = NULL; - - UNUSED(pin); - - e = dst__openssl_getengine(engine); - if (e == NULL) { - DST_RET(dst__openssl_toresult(DST_R_NOENGINE)); - } - - *ppub = ENGINE_load_public_key(e, label, NULL, NULL); - if (*ppub == NULL) { - DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_base_id(*ppub) != key_base_id) { - DST_RET(DST_R_BADKEYTYPE); - } - - *ppriv = ENGINE_load_private_key(e, label, NULL, NULL); - if (*ppriv == NULL) { - DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_base_id(*ppriv) != key_base_id) { - DST_RET(DST_R_BADKEYTYPE); - } -err: - return (ret); -#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - UNUSED(key_base_id); - UNUSED(engine); - UNUSED(label); - UNUSED(pin); - UNUSED(ppub); - UNUSED(ppriv); - return (DST_R_NOENGINE); -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ -} - static isc_result_t dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin, EVP_PKEY **ppub, @@ -335,25 +229,10 @@ err: } isc_result_t -dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label, - const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) { - if (engine == NULL) { - return (dst__openssl_fromlabel_provider(key_base_id, label, pin, - ppub, ppriv)); - } - - if (*ppub != NULL) { - EVP_PKEY_free(*ppub); - *ppub = NULL; - } - - if (*ppriv != NULL) { - EVP_PKEY_free(*ppriv); - *ppriv = NULL; - } - - return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin, - ppub, ppriv)); +dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin, + EVP_PKEY **ppub, EVP_PKEY **ppriv) { + return (dst__openssl_fromlabel_provider(key_base_id, label, pin, ppub, + ppriv)); } bool diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 2c99650285..6f71a72a2a 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -984,13 +984,6 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { priv.elements[i].data = buf; i++; } - if (key->engine != NULL) { - priv.elements[i].tag = TAG_ECDSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } if (key->label != NULL) { priv.elements[i].tag = TAG_ECDSA_LABEL; @@ -1009,15 +1002,13 @@ err: } static isc_result_t -opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin); +opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin); static isc_result_t opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; EVP_PKEY *pkey = NULL; - const char *engine = NULL; const char *label = NULL; int i, privkey_index = -1; @@ -1044,7 +1035,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { case TAG_ECDSA_ENGINE: - engine = (char *)priv.elements[i].data; + /* The Engine: tag is explicitly ignored */ break; case TAG_ECDSA_LABEL: label = (char *)priv.elements[i].data; @@ -1058,7 +1049,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } if (label != NULL) { - ret = opensslecdsa_fromlabel(key, engine, label, NULL); + ret = opensslecdsa_fromlabel(key, label, NULL); if (ret != ISC_R_SUCCESS) { goto err; } @@ -1104,15 +1095,14 @@ err: } static isc_result_t -opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { +opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin) { EVP_PKEY *privpkey = NULL, *pubpkey = NULL; isc_result_t ret; REQUIRE(opensslecdsa_valid_key_alg(key->key_alg)); UNUSED(pin); - ret = dst__openssl_fromlabel(EVP_PKEY_EC, engine, label, pin, &pubpkey, + ret = dst__openssl_fromlabel(EVP_PKEY_EC, label, pin, &pubpkey, &privpkey); if (ret != ISC_R_SUCCESS) { goto err; @@ -1127,9 +1117,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, goto err; } - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } key->label = isc_mem_strdup(key->mctx, label); key->key_size = EVP_PKEY_bits(privpkey); key->keydata.pkeypair.priv = privpkey; diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index a299bd0227..76aa2a9f57 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c @@ -105,8 +105,7 @@ raw_key_to_ossl(const eddsa_alginfo_t *alginfo, int private, } static isc_result_t -openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin); +openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin); static isc_result_t openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) { @@ -389,13 +388,6 @@ openssleddsa_tofile(const dst_key_t *key, const char *directory) { priv.elements[i].data = buf; i++; } - if (key->engine != NULL) { - priv.elements[i].tag = TAG_EDDSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } if (key->label != NULL) { priv.elements[i].tag = TAG_EDDSA_LABEL; priv.elements[i].length = (unsigned short)strlen(key->label) + @@ -420,7 +412,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; int i, privkey_index = -1; - const char *engine = NULL, *label = NULL; + const char *label = NULL; EVP_PKEY *pkey = NULL; size_t len; isc_mem_t *mctx = key->mctx; @@ -450,7 +442,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { case TAG_EDDSA_ENGINE: - engine = (char *)priv.elements[i].data; + /* The Engine: tag is explicitly ignored */ break; case TAG_EDDSA_LABEL: label = (char *)priv.elements[i].data; @@ -464,7 +456,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } if (label != NULL) { - ret = openssleddsa_fromlabel(key, engine, label, NULL); + ret = openssleddsa_fromlabel(key, label, NULL); if (ret != ISC_R_SUCCESS) { goto err; } @@ -506,8 +498,7 @@ err: } static isc_result_t -openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { +openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin) { const eddsa_alginfo_t *alginfo = openssleddsa_alg_info(key->key_alg); EVP_PKEY *privpkey = NULL, *pubpkey = NULL; isc_result_t ret; @@ -515,15 +506,12 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, REQUIRE(alginfo != NULL); UNUSED(pin); - ret = dst__openssl_fromlabel(alginfo->pkey_type, engine, label, pin, - &pubpkey, &privpkey); + ret = dst__openssl_fromlabel(alginfo->pkey_type, label, pin, &pubpkey, + &privpkey); if (ret != ISC_R_SUCCESS) { goto err; } - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } key->label = isc_mem_strdup(key->mctx, label); key->key_size = EVP_PKEY_bits(privpkey); key->keydata.pkeypair.priv = privpkey; diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 878fae17e3..661632484b 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -931,14 +931,6 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { i++; } - if (key->engine != NULL) { - priv.elements[i].tag = TAG_RSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - if (key->label != NULL) { priv.elements[i].tag = TAG_RSA_LABEL; priv.elements[i].length = (unsigned short)strlen(key->label) + @@ -963,8 +955,7 @@ err: } static isc_result_t -opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin); +opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin); static isc_result_t opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { @@ -972,7 +963,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { isc_result_t ret; int i; isc_mem_t *mctx = NULL; - const char *engine = NULL, *label = NULL; + const char *label = NULL; EVP_PKEY *pkey = NULL; rsa_components_t c = { .bnfree = true }; @@ -1002,7 +993,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { case TAG_RSA_ENGINE: - engine = (char *)priv.elements[i].data; + /* The Engine: tag is explicitly ignored */ break; case TAG_RSA_LABEL: label = (char *)priv.elements[i].data; @@ -1017,7 +1008,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { * See if we can fetch it. */ if (label != NULL) { - ret = opensslrsa_fromlabel(key, engine, label, NULL); + ret = opensslrsa_fromlabel(key, label, NULL); if (ret != ISC_R_SUCCESS) { DST_RET(ret); } @@ -1111,12 +1102,11 @@ err: } static isc_result_t -opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { +opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin) { EVP_PKEY *privpkey = NULL, *pubpkey = NULL; isc_result_t ret; - ret = dst__openssl_fromlabel(EVP_PKEY_RSA, engine, label, pin, &pubpkey, + ret = dst__openssl_fromlabel(EVP_PKEY_RSA, label, pin, &pubpkey, &privpkey); if (ret != ISC_R_SUCCESS) { goto err; @@ -1126,9 +1116,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(ISC_R_RANGE); } - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } key->label = isc_mem_strdup(key->mctx, label); key->key_size = EVP_PKEY_bits(privpkey); key->keydata.pkeypair.priv = privpkey; diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c index 08bc9c56a9..6b1f3c6909 100644 --- a/lib/isc/openssl_shim.c +++ b/lib/isc/openssl_shim.c @@ -16,7 +16,6 @@ #include #include -#include #include #include #include diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h index f7f6f5ae56..7817a248fe 100644 --- a/lib/isc/openssl_shim.h +++ b/lib/isc/openssl_shim.h @@ -14,7 +14,6 @@ #pragma once #include -#include #include #include #include diff --git a/lib/isc/result.c b/lib/isc/result.c index 765105ab55..440351d1ba 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -242,7 +242,8 @@ static const char *description[ISC_R_NRESULTS] = { [DST_R_COMPUTESECRETFAILURE] = "failure computing a shared secret", [DST_R_NORANDOMNESS] = "no randomness available", [DST_R_BADKEYTYPE] = "bad key type", - [DST_R_NOENGINE] = "no engine", + [DST_R_NOENGINE] = "OpenSSL Engine support has been removed; " + "use OpenSSL Providers for PKCS#11", [DST_R_EXTERNALKEY] = "illegal operation for an external key", [DNS_R_NOERROR] = "NOERROR", diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 504b221115..825ceb4aa4 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -142,8 +142,8 @@ isc__tls_initialize(void) { #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ 0x30000000L */ - uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN | - OPENSSL_INIT_LOAD_CONFIG; + uint64_t opts = OPENSSL_INIT_LOAD_CONFIG; + #if defined(OPENSSL_INIT_NO_ATEXIT) /* * We call OPENSSL_cleanup() manually, in a correct order, thus disable diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 8dd8efa934..6c16e34ad9 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -1470,9 +1470,8 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config, } } - ret = cfg_keystore_fromconfig(kconfig, mctx, - logctx, NULL, - &kslist, NULL); + ret = cfg_keystore_fromconfig( + kconfig, mctx, logctx, &kslist, NULL); if (ret != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = ret; @@ -1485,8 +1484,7 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config, /* * Add default key-store "key-directory". */ - tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist, - NULL); + tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL); if (tresult != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = tresult; @@ -3025,10 +3023,10 @@ check_keydir(const cfg_obj_t *config, const cfg_obj_t *zconfig, element = cfg_list_next(element)) { cfg_obj_t *kcfg = cfg_listelt_value(element); - (void)cfg_keystore_fromconfig(kcfg, mctx, logctx, NULL, &kslist, + (void)cfg_keystore_fromconfig(kcfg, mctx, logctx, &kslist, NULL); } - (void)cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist, NULL); + (void)cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL); /* * Look for the dnssec-policy by name, which is the dnssec-policy diff --git a/lib/isccfg/include/isccfg/kaspconf.h b/lib/isccfg/include/isccfg/kaspconf.h index ccc1cecc5d..b558d13d27 100644 --- a/lib/isccfg/include/isccfg/kaspconf.h +++ b/lib/isccfg/include/isccfg/kaspconf.h @@ -62,9 +62,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, isc_result_t cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, - isc_log_t *logctx, const char *engine, - dns_keystorelist_t *keystorelist, - dns_keystore_t **kspp); + isc_log_t *logctx, dns_keystorelist_t *keystorelist, + dns_keystore_t **kspp); /*%< * Create and configure a key store. If a 'keystorelist' is provided, a lookup * happens and if a keystore already exists with the same name, no new one is diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 419818f257..96fdf2e814 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -748,8 +748,7 @@ cleanup: isc_result_t cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, - isc_log_t *logctx, const char *engine, - dns_keystorelist_t *keystorelist, + isc_log_t *logctx, dns_keystorelist_t *keystorelist, dns_keystore_t **kspp) { isc_result_t result; const cfg_obj_t *maps[2]; @@ -785,7 +784,7 @@ cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, * No key-store with configured name was found in list, create new one. */ INSIST(keystore == NULL); - result = dns_keystore_create(mctx, name, engine, &keystore); + result = dns_keystore_create(mctx, name, &keystore); if (result != ISC_R_SUCCESS) { return (result); } diff --git a/tests/dns/dst_test.c b/tests/dns/dst_test.c index b8f80dd8aa..9ebc5be3f0 100644 --- a/tests/dns/dst_test.c +++ b/tests/dns/dst_test.c @@ -47,7 +47,7 @@ static int setup_test(void **state) { UNUSED(state); - dst_lib_init(mctx, NULL); + dst_lib_init(mctx); return (0); } diff --git a/tests/dns/private_test.c b/tests/dns/private_test.c index 9f3a87f947..0b2eb6ddf8 100644 --- a/tests/dns/private_test.c +++ b/tests/dns/private_test.c @@ -43,7 +43,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1); diff --git a/tests/dns/rsa_test.c b/tests/dns/rsa_test.c index c9895690d4..7a5c356e1c 100644 --- a/tests/dns/rsa_test.c +++ b/tests/dns/rsa_test.c @@ -43,7 +43,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1); diff --git a/tests/dns/sigs_test.c b/tests/dns/sigs_test.c index aeadb93ae6..d33d74e8cc 100644 --- a/tests/dns/sigs_test.c +++ b/tests/dns/sigs_test.c @@ -77,7 +77,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1); diff --git a/tests/dns/tsig_test.c b/tests/dns/tsig_test.c index 95e2c0b52d..1cd62e675f 100644 --- a/tests/dns/tsig_test.c +++ b/tests/dns/tsig_test.c @@ -54,7 +54,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1);