From ef7aba70726cff9afaaa8c7054098f84087ccf84 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Mon, 5 Aug 2024 11:40:42 +0200
Subject: [PATCH] Remove OpenSSL Engine support

OpenSSL 1.x Engine support has been deprecated in OpenSSL 3.x and is going to be removed. Remove the OpenSSL Engine support in favor of OpenSSL Providers.
---
 .gitlab-ci.yml | 8 -
 OPTIONS.md | 1 -
 bin/check/named-checkconf.c | 2 +-
 bin/confgen/keygen.c | 2 +-
 bin/delv/delv.c | 2 +-
 bin/dig/dighost.c | 2 +-
 bin/dnssec/dnssec-cds.c | 2 +-
 bin/dnssec/dnssec-dsfromkey.c | 2 +-
 bin/dnssec/dnssec-importkey.c | 2 +-
 bin/dnssec/dnssec-keyfromlabel.c | 11 +-
 bin/dnssec/dnssec-keyfromlabel.rst | 14 +-
 bin/dnssec/dnssec-keygen.c | 9 +-
 bin/dnssec/dnssec-keygen.rst | 10 +-
 bin/dnssec/dnssec-ksr.c | 9 +-
 bin/dnssec/dnssec-ksr.rst | 10 +-
 bin/dnssec/dnssec-revoke.c | 6 +-
 bin/dnssec/dnssec-revoke.rst | 10 +-
 bin/dnssec/dnssec-settime.c | 6 +-
 bin/dnssec/dnssec-settime.rst | 10 +-
 bin/dnssec/dnssec-signzone.c | 7 +-
 bin/dnssec/dnssec-signzone.rst | 11 +-
 bin/dnssec/dnssec-verify.c | 7 +-
 bin/dnssec/dnssec-verify.rst | 10 +-
 bin/dnssec/dnssectool.c | 9 +-
 bin/dnssec/dnssectool.h | 3 +-
 bin/named/include/named/globals.h | 2 -
 bin/named/main.c | 7 +-
 bin/named/named.rst | 11 +-
 bin/named/server.c | 9 +-
 bin/nsupdate/nsupdate.c | 2 +-
 bin/tests/system/enginepkcs11/clean.sh | 2 +-
 bin/tests/system/enginepkcs11/ns1/named.args | 1 +
 .../system/enginepkcs11/ns1/named.args.in | 1 -
 bin/tests/system/enginepkcs11/ns2/named.args | 1 +
 .../system/enginepkcs11/ns2/named.args.in | 1 -
 bin/tests/system/enginepkcs11/setup.sh | 10 +-
 bin/tests/system/enginepkcs11/tests.sh | 2 +-
 bin/tests/system/feature-test.c | 4 +-
 bin/tests/system/isctest/vars/openssl.py | 9 +-
 bin/tests/system/keyfromlabel/tests.sh | 4 +-
 bin/tests/system/makejournal.c | 2 +-
 bin/tests/system/pipelined/pipequeries.c | 2 +-
 bin/tests/system/rsabigexponent/bigkey.c | 2 +-
 bin/tools/mdig.c | 2 +-
 doc/arm/build.inc.rst | 21 ++-
 doc/arm/pkcs11.inc.rst | 151 +++---------------
fuzz/dns_message_checksig.c | 2 +- lib/dns/dst_api.c | 15 +- lib/dns/dst_internal.h | 11 +- lib/dns/dst_openssl.h | 9 +- lib/dns/include/dns/keystore.h | 20 +-- lib/dns/include/dst/dst.h | 7 +- lib/dns/keystore.c | 11 +- lib/dns/openssl_link.c | 135 +--------------- lib/dns/opensslecdsa_link.c | 23 +-- lib/dns/openssleddsa_link.c | 26 +-- lib/dns/opensslrsa_link.c | 25 +-- lib/isc/openssl_shim.c | 1 - lib/isc/openssl_shim.h | 1 - lib/isc/result.c | 3 +- lib/isc/tls.c | 4 +- lib/isccfg/check.c | 12 +- lib/isccfg/include/isccfg/kaspconf.h | 5 +- lib/isccfg/kaspconf.c | 5 +- tests/dns/dst_test.c | 2 +- tests/dns/private_test.c | 2 +- tests/dns/rsa_test.c | 2 +- tests/dns/sigs_test.c | 2 +- tests/dns/tsig_test.c | 2 +- 69 files changed, 161 insertions(+), 575 deletions(-) create mode 100644 bin/tests/system/enginepkcs11/ns1/named.args delete mode 100644 bin/tests/system/enginepkcs11/ns1/named.args.in create mode 100644 bin/tests/system/enginepkcs11/ns2/named.args delete mode 100644 bin/tests/system/enginepkcs11/ns2/named.args.in diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 103b04a49c..f95c3e9c5b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -1327,10 +1327,6 @@ gcc:bullseye:amd64: <<: *build_job system:gcc:bullseye:amd64: - # Set up environment variables that allow the "keyfromlabel" system test to be run - variables: - OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" - SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" <<: *debian_bullseye_amd64_image <<: *system_test_job needs: @@ -1358,10 +1354,6 @@ clang:bookworm:amd64: <<: *build_job system:clang:bookworm:amd64: - # Set up environment variables that allow the "keyfromlabel" system test to be run - variables: - OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" - SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" <<: *debian_bookworm_amd64_image <<: *system_test_job needs: diff --git a/OPTIONS.md b/OPTIONS.md index acdcaf823e..71f556f4f1 100644 --- a/OPTIONS.md +++ b/OPTIONS.md 
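Review bot: Removing OPENSSL_CONF and SOFTHSM2_CONF from system:gcc:bullseye:amd64 (and likewise from system:clang:bookworm:amd64 in the next hunk) takes away the only CI-visible way the "keyfromlabel" system test located its SoftHSM token, and nothing in this file sets a replacement. If that test now goes through the OpenSSL pkcs11 provider it still needs a token and a provider configuration, so the expectation is presumably that its prerequisite check (isctest/vars/openssl.py and keyfromlabel/tests.sh are in the diffstat but not shown here) detects the missing setup and skips rather than fails; that is worth confirming on a runner without a token. A one-line comment on the job, e.g. `# PKCS#11 test prerequisites are detected by bin/tests/system/isctest/vars/openssl.py, not set here`, would record where that decision now lives, since the deleted comment was the only pointer.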
@@ -26,4 +26,3 @@ Some of these settings are: | `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult | | `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` | | `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports | -| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support | diff --git a/bin/check/named-checkconf.c b/bin/check/named-checkconf.c index d8ee57074f..fcdeb867c4 100644 --- a/bin/check/named-checkconf.c +++ b/bin/check/named-checkconf.c @@ -728,7 +728,7 @@ main(int argc, char **argv) { CHECK(setup_logging(mctx, stdout, &logc)); - CHECK(dst_lib_init(mctx, NULL)); + CHECK(dst_lib_init(mctx)); cleanup_dst = true; CHECK(cfg_parser_create(mctx, logc, &parser)); diff --git a/bin/confgen/keygen.c b/bin/confgen/keygen.c index 348c05d874..922d066302 100644 --- a/bin/confgen/keygen.c +++ b/bin/confgen/keygen.c @@ -120,7 +120,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize, fatal("unsupported algorithm %d\n", alg); } - DO("initialize dst library", dst_lib_init(mctx, NULL)); + DO("initialize dst library", dst_lib_init(mctx)); DO("generate key", dst_key_generate(dns_rootname, alg, keysize, 0, 0, DNS_KEYPROTO_ANY, diff --git a/bin/delv/delv.c b/bin/delv/delv.c index 549d1bde5a..0da4af4e1b 100644 --- a/bin/delv/delv.c +++ b/bin/delv/delv.c @@ -2220,7 +2220,7 @@ main(int argc, char *argv[]) { isc_managers_create(&mctx, 1, &loopmgr, &netmgr); loop = isc_loop_main(loopmgr); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("dst_lib_init failed: %d", result); } diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 001e3a46c8..157f2e0325 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c 
@@ -1375,7 +1375,7 @@ setup_libs(void) { isc_mem_setname(mctx, "dig"); mainloop = isc_loop_main(loopmgr); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); check_result(result, "dst_lib_init"); is_dst_up = true; } diff --git a/bin/dnssec/dnssec-cds.c b/bin/dnssec/dnssec-cds.c index ebd619aaa3..1952ffd721 100644 --- a/bin/dnssec/dnssec-cds.c +++ b/bin/dnssec/dnssec-cds.c @@ -1180,7 +1180,7 @@ main(int argc, char *argv[]) { setup_logging(mctx, &lctx); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c index 422abad267..574b5a299e 100644 --- a/bin/dnssec/dnssec-dsfromkey.c +++ b/bin/dnssec/dnssec-dsfromkey.c @@ -489,7 +489,7 @@ main(int argc, char **argv) { fatal("extraneous arguments"); } - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-importkey.c b/bin/dnssec/dnssec-importkey.c index c93a0158eb..1574ee7aba 100644 --- a/bin/dnssec/dnssec-importkey.c +++ b/bin/dnssec/dnssec-importkey.c @@ -408,7 +408,7 @@ main(int argc, char **argv) { fatal("extraneous arguments"); } - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-keyfromlabel.c b/bin/dnssec/dnssec-keyfromlabel.c index 8b052aba9b..38ed1f7d75 100644 --- a/bin/dnssec/dnssec-keyfromlabel.c +++ b/bin/dnssec/dnssec-keyfromlabel.c 
@@ -63,8 +63,6 @@ usage(void) { " ED25519 | ED448\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -c class (default: IN)\n"); - fprintf(stderr, " -E :\n"); - fprintf(stderr, " name of an OpenSSL engine to use\n"); fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -K directory: directory in which to place " "key files\n"); @@ -112,7 +110,6 @@ main(int argc, char **argv) { const char *directory = NULL; const char *predecessor = NULL; dst_key_t *prevkey = NULL; - const char *engine = NULL; char *classname = NULL; char *endp; dst_key_t *key = NULL; @@ -176,7 +173,7 @@ main(int argc, char **argv) { classname = isc_commandline_argument; break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': c = (unsigned char)(isc_commandline_argument[0]); @@ -335,7 +332,7 @@ main(int argc, char **argv) { } } - ret = dst_lib_init(mctx, engine); + ret = dst_lib_init(mctx); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } @@ -595,8 +592,8 @@ main(int argc, char **argv) { isc_buffer_init(&buf, filename, sizeof(filename) - 1); /* associate the key */ - ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine, - label, NULL, mctx, &key); + ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label, + NULL, mctx, &key); if (ret != ISC_R_SUCCESS) { char namestr[DNS_NAME_FORMATSIZE]; diff --git a/bin/dnssec/dnssec-keyfromlabel.rst b/bin/dnssec/dnssec-keyfromlabel.rst index 098feb9ecb..d0cc5ef5cd 100644 --- a/bin/dnssec/dnssec-keyfromlabel.rst +++ b/bin/dnssec/dnssec-keyfromlabel.rst 
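Review bot: The new `-E` handler in main() reports only the bare result text, so a user running an old script sees an abort with no indication of which option caused it; `fatal("-E: %s", isc_result_totext(DST_R_NOENGINE));` gives them the option letter at no cost. The same pattern is repeated in dnssec-keygen.c, dnssec-ksr.c, dnssec-revoke.c, dnssec-settime.c, dnssec-signzone.c, dnssec-verify.c and, via named_main_earlyfatal(), bin/named/main.c, and in each the `break;` left after the fatal() call is now dead code if fatal() is noreturn as its use elsewhere suggests. Keeping `E:` in the getopt string (visible unchanged in dnssec-revoke.c) is what makes a leftover engine request fail loudly instead of being silently ignored, which is the right call for a key-handling tool; a short comment such as `/* -E is still parsed so that old invocations fail with a clear error */` would keep a later cleanup from removing the case. main() starts and ends outside this hunk.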
@@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} +:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} Description ~~~~~~~~~~~ @@ -63,22 +63,12 @@ Options versions, then the NSEC3 version is used; for example, ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm. -.. option:: -E engine - - This option specifies the cryptographic hardware to use. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -l label This option specifies the label for a key pair in the crypto hardware. When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is - an arbitrary string that identifies a particular key. It may be - preceded by an optional OpenSSL engine name, followed by a colon, as - in ``pkcs11:keylabel``. + an arbitrary string that identifies a particular key. .. option:: -n nametype diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 20de2b3670..6f738e96d8 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c 
@@ -176,8 +176,6 @@ usage(void) { fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n"); fprintf(stderr, " -c : (default: IN)\n"); fprintf(stderr, " -d (0 => max, default)\n"); - fprintf(stderr, " -E :\n"); - fprintf(stderr, " name of an OpenSSL engine to use\n"); fprintf(stderr, " -f : ZSK | KSK | REVOKE\n"); fprintf(stderr, " -F: FIPS mode\n"); fprintf(stderr, " -L : default key TTL\n"); @@ -842,7 +840,6 @@ main(int argc, char **argv) { isc_mem_t *mctx = NULL; isc_result_t ret; isc_textregion_t r; - const char *engine = NULL; unsigned char c; int ch; bool set_fips_mode = false; @@ -921,7 +918,7 @@ main(int argc, char **argv) { } break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': c = (unsigned char)(isc_commandline_argument[0]); @@ -1140,7 +1137,7 @@ main(int argc, char **argv) { } } - ret = dst_lib_init(mctx, engine); + ret = dst_lib_init(mctx); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } @@ -1245,7 +1242,7 @@ main(int argc, char **argv) { } kasp_from_conf(config, mctx, lctx, ctx.policy, - ctx.directory, engine, &kasp); + ctx.directory, &kasp); if (kasp == NULL) { fatal("failed to load dnssec-policy '%s'", ctx.policy); diff --git a/bin/dnssec/dnssec-keygen.rst b/bin/dnssec/dnssec-keygen.rst index 2e12fe60cd..88044ee26b 100644 --- a/bin/dnssec/dnssec-keygen.rst +++ b/bin/dnssec/dnssec-keygen.rst 
@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool Synopsis ~~~~~~~~ -:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} +:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name} Description ~~~~~~~~~~~ @@ -94,14 +94,6 @@ Options and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519, and ED448. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -f flag This option sets the specified flag in the flag field of the KEY/DNSKEY record. diff --git a/bin/dnssec/dnssec-ksr.c b/bin/dnssec/dnssec-ksr.c index 493c483d6e..f9f7bcedf9 100644 --- a/bin/dnssec/dnssec-ksr.c +++ b/bin/dnssec/dnssec-ksr.c 
@@ -41,7 +41,6 @@ const char *program = "dnssec-ksr"; */ static isc_log_t *lctx = NULL; static isc_mem_t *mctx = NULL; -const char *engine = NULL; /* * The domain we are working on */ @@ -122,7 +121,6 @@ usage(int ret) { fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "\n"); fprintf(stderr, "Options:\n"); - fprintf(stderr, " -E : name of an OpenSSL engine to use\n"); fprintf(stderr, " -e : end date\n"); fprintf(stderr, " -F: FIPS mode\n"); fprintf(stderr, " -f: KSR file to sign\n"); @@ -173,8 +171,7 @@ getkasp(ksr_ctx_t *ksr, dns_kasp_t **kasp) { fatal("unable to load dnssec-policy '%s' from '%s'", ksr->policy, ksr->configfile); } - kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, engine, - kasp); + kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, kasp); if (*kasp == NULL) { fatal("failed to load dnssec-policy '%s'", ksr->policy); } @@ -1213,7 +1210,7 @@ main(int argc, char *argv[]) { while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) { switch (ch) { case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'e': ksr.end = strtotime(isc_commandline_argument, ksr.now, @@ -1267,7 +1264,7 @@ main(int argc, char *argv[]) { fatal("must provide a command and zone name"); } - ret = dst_lib_init(mctx, engine); + ret = dst_lib_init(mctx); if (ret != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(ret)); } diff --git a/bin/dnssec/dnssec-ksr.rst b/bin/dnssec/dnssec-ksr.rst index 1ed7275aca..8a0f507770 100644 --- a/bin/dnssec/dnssec-ksr.rst +++ b/bin/dnssec/dnssec-ksr.rst 
@@ -21,7 +21,7 @@ dnssec-ksr - Create signed key response (SKR) files for offline KSK setups Synopsis ~~~~~~~~ -:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone} +:program:`dnssec-ksr` [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone} Description ~~~~~~~~~~~ @@ -40,14 +40,6 @@ server. Options ~~~~~~~ -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -e date/offset This option sets the end date for which keys or SKRs need to be generated diff --git a/bin/dnssec/dnssec-revoke.c b/bin/dnssec/dnssec-revoke.c index cf7f2b74de..afea87f148 100644 --- a/bin/dnssec/dnssec-revoke.c +++ b/bin/dnssec/dnssec-revoke.c @@ -46,7 +46,6 @@ usage(void) { fprintf(stderr, "Usage:\n"); fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); - fprintf(stderr, " -E engine: specify OpenSSL engine\n"); fprintf(stderr, " -f: force overwrite\n"); fprintf(stderr, " -h: help\n"); fprintf(stderr, " -K directory: use directory for key files\n"); @@ -64,7 +63,6 @@ usage(void) { int main(int argc, char **argv) { isc_result_t result; - const char *engine = NULL; char const *filename = NULL; char *dir = NULL; char newname[1024], oldname[1024]; @@ -89,7 +87,7 @@ main(int argc, char **argv) { while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) { switch (ch) { case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': force = true; 
@@ -159,7 +157,7 @@ main(int argc, char **argv) { } } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("Could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-revoke.rst b/bin/dnssec/dnssec-revoke.rst index 052865fb7c..fc03d5a911 100644 --- a/bin/dnssec/dnssec-revoke.rst +++ b/bin/dnssec/dnssec-revoke.rst @@ -21,7 +21,7 @@ dnssec-revoke - set the REVOKED bit on a DNSSEC key Synopsis ~~~~~~~~ -:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile} +:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-f**] [**-R**] {keyfile} Description ~~~~~~~~~~~ @@ -53,14 +53,6 @@ Options This option prints version information. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -f This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair, diff --git a/bin/dnssec/dnssec-settime.c b/bin/dnssec/dnssec-settime.c index f19d0781b5..0b46f2f8ef 100644 --- a/bin/dnssec/dnssec-settime.c +++ b/bin/dnssec/dnssec-settime.c @@ -51,7 +51,6 @@ usage(void) { fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, "Version: %s\n", PACKAGE_VERSION); fprintf(stderr, "General options:\n"); - fprintf(stderr, " -E engine: specify OpenSSL engine\n"); fprintf(stderr, " -f: force update of old-style " "keys\n"); fprintf(stderr, " -K directory: set key file location\n"); 
@@ -186,7 +185,6 @@ writekey(dst_key_t *key, const char *directory, bool write_state) { int main(int argc, char **argv) { isc_result_t result; - const char *engine = NULL; const char *filename = NULL; char *directory = NULL; char keystr[DST_KEY_FORMATSIZE]; @@ -314,7 +312,7 @@ main(int argc, char **argv) { &setdstime); break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': force = true; @@ -555,7 +553,7 @@ main(int argc, char **argv) { fatal("Options -g, -d, -k, -r and -z require -s to be set"); } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("Could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-settime.rst b/bin/dnssec/dnssec-settime.rst index 5cb4ea8370..5e31ce3748 100644 --- a/bin/dnssec/dnssec-settime.rst +++ b/bin/dnssec/dnssec-settime.rst 
@@ -21,7 +21,7 @@ dnssec-settime: set the key timing metadata for a DNSSEC key Synopsis ~~~~~~~~ -:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset] +:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset] Description ~~~~~~~~~~~ @@ -97,14 +97,6 @@ Options This option sets the debugging level. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - Timing Options ~~~~~~~~~~~~~~ diff --git a/bin/dnssec/dnssec-signzone.c b/bin/dnssec/dnssec-signzone.c index fed31e8139..3d1908a1ae 100644 --- a/bin/dnssec/dnssec-signzone.c +++ b/bin/dnssec/dnssec-signzone.c 
@@ -3263,8 +3263,6 @@ usage(void) { fprintf(stderr, "\t-a:\t"); fprintf(stderr, "verify generated signatures\n"); fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-E engine:\n"); - fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); fprintf(stderr, "\t-P:\t"); fprintf(stderr, "disable post-sign verification\n"); fprintf(stderr, "\t-Q:\t"); @@ -3353,7 +3351,6 @@ main(int argc, char *argv[]) { dns_dnsseckey_t *key; isc_result_t result, vresult; isc_log_t *log = NULL; - const char *engine = NULL; bool free_output = false; int tempfilelen = 0; dns_rdataclass_t rdclass; @@ -3461,7 +3458,7 @@ main(int argc, char *argv[]) { break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'e': @@ -3748,7 +3745,7 @@ main(int argc, char *argv[]) { } } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index ec4cc2d0a2..3e1465a43c 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst 
@@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool Synopsis ~~~~~~~~ -:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] +:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...] Description ~~~~~~~~~~~ @@ -62,15 +62,6 @@ Options ``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>` or serial-number updating. -.. option:: -E engine - - This option specifies the hardware to use for cryptographic - operations, such as a secure key store used for signing, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -F This options turns on FIPS (US Federal Information Processing Standards) diff --git a/bin/dnssec/dnssec-verify.c b/bin/dnssec/dnssec-verify.c index c4ce4eadf7..0494113884 100644 
--- a/bin/dnssec/dnssec-verify.c +++ b/bin/dnssec/dnssec-verify.c @@ -157,8 +157,6 @@ usage(void) { fprintf(stderr, "\t-I format:\n"); fprintf(stderr, "\t\tfile format of input zonefile (text)\n"); fprintf(stderr, "\t-c class (IN)\n"); - fprintf(stderr, "\t-E engine:\n"); - fprintf(stderr, "\t\tname of an OpenSSL engine to use\n"); fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, " "not ZSKs\n"); fprintf(stderr, "\t-z:\tAll records signed with KSKs\n"); @@ -171,7 +169,6 @@ main(int argc, char *argv[]) { char *inputformatstr = NULL; isc_result_t result; isc_log_t *log = NULL; - const char *engine = NULL; char *classname = NULL; dns_rdataclass_t rdclass; char *endp; @@ -215,7 +212,7 @@ main(int argc, char *argv[]) { break; case 'E': - engine = isc_commandline_argument; + fatal("%s", isc_result_totext(DST_R_NOENGINE)); break; case 'I': @@ -275,7 +272,7 @@ main(int argc, char *argv[]) { } } - result = dst_lib_init(mctx, engine); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fatal("could not initialize dst: %s", isc_result_totext(result)); diff --git a/bin/dnssec/dnssec-verify.rst b/bin/dnssec/dnssec-verify.rst index 7f55353257..f835c09173 100644 --- a/bin/dnssec/dnssec-verify.rst +++ b/bin/dnssec/dnssec-verify.rst @@ -21,7 +21,7 @@ dnssec-verify - DNSSEC zone verification tool Synopsis ~~~~~~~~ -:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile} +:program:`dnssec-verify` [**-c** class] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile} Description ~~~~~~~~~~~ 
@@ -37,14 +37,6 @@ Options This option specifies the DNS class of the zone. -.. option:: -E engine - - This option specifies the cryptographic hardware to use, when applicable. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -I input-format This option sets the format of the input zone file. Possible formats are ``text`` diff --git a/bin/dnssec/dnssectool.c b/bin/dnssec/dnssectool.c index 69f93c0852..b35a24058f 100644 --- a/bin/dnssec/dnssectool.c +++ b/bin/dnssec/dnssectool.c @@ -605,8 +605,7 @@ cleanup: void kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, - const char *name, const char *keydir, const char *engine, - dns_kasp_t **kaspp) { + const char *name, const char *keydir, dns_kasp_t **kaspp) { isc_result_t result = ISC_R_NOTFOUND; const cfg_listelt_t *element; const cfg_obj_t *kasps = NULL; @@ -625,8 +624,8 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, { cfg_obj_t *kconfig = cfg_listelt_value(element); ks = NULL; - result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine, - &kslist, NULL); + result = cfg_keystore_fromconfig(kconfig, mctx, lctx, &kslist, + NULL); if (result != ISC_R_SUCCESS) { fatal("failed to configure key-store '%s': %s", cfg_obj_asstring(cfg_tuple_get(kconfig, "name")), @@ -635,7 +634,7 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, } /* Default key-directory key store. */ ks = NULL; - (void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks); + (void)cfg_keystore_fromconfig(NULL, mctx, lctx, &kslist, &ks); INSIST(ks != NULL); if (keydir != NULL) { /* '-K keydir' takes priority */ diff --git a/bin/dnssec/dnssectool.h b/bin/dnssec/dnssectool.h index c9a1a5f757..aac6a709ad 100644 --- a/bin/dnssec/dnssectool.h +++ b/bin/dnssec/dnssectool.h 
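Review bot: kasp_from_conf gets a new signature in the first dnssectool.c hunk but still carries no comment stating its contract, and the precedence rule visible in the third hunk — the `-K keydir` directory wins over the configured default key store — is exactly what a caller of this helper needs to know. A Doxygen block on the definition (or on the declaration in dnssectool.h, changed in the next file) should say that `name` selects the dnssec-policy to look up in `config`, that `keydir` when non-NULL overrides the default key-directory store, that `*kaspp` appears to be left NULL when no policy of that name exists (callers in dnssec-keygen.c and dnssec-ksr.c test for exactly that), and that a key-store configuration failure calls fatal() rather than returning an error to the caller. The function body runs past the end of the hunk, so the return path is not visible here.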
@@ -119,5 +119,4 @@ loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal); void kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx, - const char *name, const char *keydir, const char *engine, - dns_kasp_t **kaspp); + const char *name, const char *keydir, dns_kasp_t **kaspp); diff --git a/bin/named/include/named/globals.h b/bin/named/include/named/globals.h index 0fc26f212d..6de1be8e36 100644 --- a/bin/named/include/named/globals.h +++ b/bin/named/include/named/globals.h @@ -129,8 +129,6 @@ EXTERN const char *named_g_defaultpidfile INIT(NAMED_LOCALSTATEDIR "/run/" EXTERN const char *named_g_username INIT(NULL); -EXTERN const char *named_g_engine INIT(NULL); - EXTERN isc_time_t named_g_boottime; EXTERN isc_time_t named_g_configtime; EXTERN bool named_g_memstatistics INIT(false); diff --git a/bin/named/main.c b/bin/named/main.c index 735b361ac5..12d5705137 100644 --- a/bin/named/main.c +++ b/bin/named/main.c @@ -307,7 +307,7 @@ library_unexpected_error(const char *file, int line, const char *func, static void usage(void) { fprintf(stderr, "usage: named [-4|-6] [-c conffile] [-d debuglevel] " - "[-D comment] [-E engine]\n" + "[-D comment]\n" " [-f|-g] [-L logfile] [-n number_of_cpus] " "[-p port] [-s]\n" " [-S sockets] [-t chrootdir] [-u " @@ -632,7 +632,7 @@ printversion(bool verbose) { printf("threads support is enabled\n"); isc_mem_create(&mctx); - result = dst_lib_init(mctx, named_g_engine); + result = dst_lib_init(mctx); if (result == ISC_R_SUCCESS) { isc_buffer_init(&b, buf, sizeof(buf)); format_supported_algorithms(printit); @@ -894,7 +894,8 @@ parse_command_line(int argc, char *argv[]) { /* Descriptive comment for 'ps'. */ break; case 'E': - named_g_engine = isc_commandline_argument; + named_main_earlyfatal( + "%s", isc_result_totext(DST_R_NOENGINE)); break; case 'f': named_g_foreground = true; diff --git a/bin/named/named.rst b/bin/named/named.rst index ee893faba7..f9c7dc7532 100644 --- a/bin/named/named.rst +++ b/bin/named/named.rst 
@@ -21,7 +21,7 @@ named - Internet domain name server Synopsis ~~~~~~~~ -:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-E** engine-name] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ] +:program:`named` [ [**-4**] | [**-6**] ] [**-c** config-file] [**-C**] [**-d** debug-level] [**-D** string] [**-f**] [**-g**] [**-L** logfile] [**-M** option] [**-m** flag] [**-n** #cpus] [**-p** port] [**-s**] [**-t** directory] [**-u** user] [**-v**] [**-V**] ] Description ~~~~~~~~~~~ @@ -73,15 +73,6 @@ Options This option specifies a string that is used to identify a instance of :program:`named` in a process listing. The contents of ``string`` are not examined. -.. option:: -E engine-name - - When applicable, this option specifies the hardware to use for cryptographic - operations, such as a secure key store used for signing. - - When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL - engine identifier that drives the cryptographic accelerator or - hardware service module (usually ``pkcs11``). - .. option:: -f This option runs the server in the foreground (i.e., do not daemonize). diff --git a/bin/named/server.c b/bin/named/server.c index 6f68406196..341bf7460d 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -8988,7 +8988,7 @@ load_configuration(const char *filename, named_server_t *server, * Create the built-in key store ("key-directory"). */ result = cfg_keystore_fromconfig(NULL, named_g_mctx, named_g_lctx, - named_g_engine, &keystorelist, NULL); + &keystorelist, NULL); if (result != ISC_R_SUCCESS) { goto cleanup_keystorelist; } 
@@ -9004,8 +9004,8 @@ load_configuration(const char *filename, named_server_t *server, cfg_obj_t *kconfig = cfg_listelt_value(element); keystore = NULL; result = cfg_keystore_fromconfig(kconfig, named_g_mctx, - named_g_lctx, named_g_engine, - &keystorelist, NULL); + named_g_lctx, &keystorelist, + NULL); if (result != ISC_R_SUCCESS) { goto cleanup_keystorelist; } @@ -10331,8 +10331,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) { ISC_LIST_INIT(server->viewlist); /* Must be first. */ - CHECKFATAL(dst_lib_init(named_g_mctx, named_g_engine), - "initializing DST"); + CHECKFATAL(dst_lib_init(named_g_mctx), "initializing DST"); CHECKFATAL(dns_rootns_create(mctx, dns_rdataclass_in, NULL, &server->in_roothints), diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c index 3048df8345..64bec6b631 100644 --- a/bin/nsupdate/nsupdate.c +++ b/bin/nsupdate/nsupdate.c @@ -926,7 +926,7 @@ setup_system(void *arg ISC_ATTR_UNUSED) { result = dns_dispatchmgr_create(gmctx, loopmgr, netmgr, &dispatchmgr); check_result(result, "dns_dispatchmgr_create"); - result = dst_lib_init(gmctx, NULL); + result = dst_lib_init(gmctx); check_result(result, "dst_lib_init"); is_dst_up = true; diff --git a/bin/tests/system/enginepkcs11/clean.sh b/bin/tests/system/enginepkcs11/clean.sh index 5a24ebd3da..63d8a52581 100644 --- a/bin/tests/system/enginepkcs11/clean.sh +++ b/bin/tests/system/enginepkcs11/clean.sh @@ -25,7 +25,7 @@ rm -f ns*/*.kskid1 ns*/*.kskid2 ns*/*.zskid1 ns/*.zskid2 rm -f ns*/dig.out.* rm -f ns*/K* rm -f ns*/keygen.out.* -rm -f ns*/named.conf ns1/named.args ns1/named.run ns1/named.memstats +rm -f ns*/named.conf ns1/named.run ns1/named.memstats rm -f ns*/pin rm -f ns*/update.cmd.* rm -f ns*/update.log.* diff --git a/bin/tests/system/enginepkcs11/ns1/named.args b/bin/tests/system/enginepkcs11/ns1/named.args new file mode 100644 index 0000000000..32f18fd1f1 --- /dev/null +++ b/bin/tests/system/enginepkcs11/ns1/named.args 
@@ -0,0 +1 @@ +-D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/ns1/named.args.in b/bin/tests/system/enginepkcs11/ns1/named.args.in deleted file mode 100644 index 889992190a..0000000000 --- a/bin/tests/system/enginepkcs11/ns1/named.args.in +++ /dev/null @@ -1 +0,0 @@ -@ENGINE_ARGS@ -D enginepkcs11-ns1 -m record -c named.conf -d 99 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/ns2/named.args b/bin/tests/system/enginepkcs11/ns2/named.args new file mode 100644 index 0000000000..d0846e5155 --- /dev/null +++ b/bin/tests/system/enginepkcs11/ns2/named.args @@ -0,0 +1 @@ +-D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/ns2/named.args.in b/bin/tests/system/enginepkcs11/ns2/named.args.in deleted file mode 100644 index 1d6beb9a9f..0000000000 --- a/bin/tests/system/enginepkcs11/ns2/named.args.in +++ /dev/null @@ -1 +0,0 @@ -@ENGINE_ARGS@ -D enginepkcs11-ns2 -m record -c named.conf -d 99 -U 4 -T maxcachesize=2097152 diff --git a/bin/tests/system/enginepkcs11/setup.sh b/bin/tests/system/enginepkcs11/setup.sh index e0dd87ae49..9ef2d1e0dc 100644 --- a/bin/tests/system/enginepkcs11/setup.sh +++ b/bin/tests/system/enginepkcs11/setup.sh @@ -41,13 +41,12 @@ keyfromlabel() { dir="$4" shift 4 - $KEYFRLAB $ENGINE_ARG -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 + $KEYFRLAB -K $dir -a $alg -l "pkcs11:token=softhsm2-enginepkcs11;object=${id}-${zone};pin-source=$PWD/ns1/pin" "$@" $zone >>keyfromlabel.out.$zone.$id 2>keyfromlabel.err.$zone.$id || return 1 cat keyfromlabel.out.$zone.$id } # Setup ns1. copy_setports ns1/named.conf.in ns1/named.conf -sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" ns1/named.args mkdir ns1/keys 
@@ -91,7 +90,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ echo_i "Sign zone with $ksk1 $zsk1" cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile}" - $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 + $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile}" >signer.out.$zone || ret=1 test "$ret" -eq 0 || exit 1 echo_i "Generate successor keys $alg $type:$bits for zone $zone" @@ -183,7 +182,6 @@ done # Setup ns2 (with views). copy_setports ns2/named.conf.in ns2/named.conf -sed -e "s/@ENGINE_ARGS@/${ENGINE_ARG}/g" ns2/named.args mkdir ns2/keys @@ -226,11 +224,11 @@ if [ "${supported}" = 1 ]; then echo_i "Sign zone with $ksk1 $zsk1" cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile1}" - $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1 + $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile1}" >signer.out.view1.$zone || ret=1 test "$ret" -eq 0 || exit 1 cat "$infile" "${dir}/${ksk1}.key" "${dir}/${zsk1}.key" >"${dir}/${zonefile2}" - $SIGNER $ENGINE_ARG -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1 + $SIGNER -K $dir -S -a -g -O full -o "$zone" "${dir}/${zonefile2}" >signer.out.view2.$zone || ret=1 test "$ret" -eq 0 || exit 1 echo_i "Generate successor keys $alg $type:$bits for zone $zone" diff --git a/bin/tests/system/enginepkcs11/tests.sh b/bin/tests/system/enginepkcs11/tests.sh index 7b0c1072bf..138b0483a8 100644 --- a/bin/tests/system/enginepkcs11/tests.sh +++ b/bin/tests/system/enginepkcs11/tests.sh @@ -255,7 +255,7 @@ EOF n=$((n + 1)) ret=0 echo_i "Test dnssec-keygen for $zone ($n)" - $KEYGEN $ENGINE_ARG -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1 + $KEYGEN -k $alg -l named.conf $zone >keygen.out.$zone.$n 2>/dev/null || ret=1 check_keys $zone 2 || ret=1 status=$((status + ret)) 
diff --git a/bin/tests/system/feature-test.c b/bin/tests/system/feature-test.c index 5b3c504d62..63017c9143 100644 --- a/bin/tests/system/feature-test.c +++ b/bin/tests/system/feature-test.c @@ -202,7 +202,7 @@ main(int argc, char **argv) { int answer; isc_mem_create(&mctx); - dst_lib_init(mctx, NULL); + dst_lib_init(mctx); answer = dst_algorithm_supported(DST_ALG_HMACMD5) ? 0 : 1; dst_lib_destroy(); isc_mem_detach(&mctx); @@ -232,7 +232,7 @@ main(int argc, char **argv) { int answer; isc_mem_t *mctx = NULL; isc_mem_create(&mctx); - dst_lib_init(mctx, NULL); + dst_lib_init(mctx); answer = dst_algorithm_supported(DST_ALG_RSASHA1) ? 0 : 1; dst_lib_destroy(); isc_mem_detach(&mctx); diff --git a/bin/tests/system/isctest/vars/openssl.py b/bin/tests/system/isctest/vars/openssl.py index 5df12b7247..19d62d1811 100644 --- a/bin/tests/system/isctest/vars/openssl.py +++ b/bin/tests/system/isctest/vars/openssl.py @@ -20,15 +20,12 @@ OPENSSL_VARS = { "OPENSSL_CONF": os.getenv("OPENSSL_CONF", None), "SOFTHSM2_CONF": os.getenv("SOFTHSM2_CONF", None), "SOFTHSM2_MODULE": None, - "ENGINE_ARG": None, } def parse_openssl_config(path: Optional[str]): if path is None or not os.path.exists(path): - OPENSSL_VARS["ENGINE_ARG"] = None OPENSSL_VARS["SOFTHSM2_MODULE"] = None - os.environ.pop("ENGINE_ARG", None) os.environ.pop("SOFTHSM2_MODULE", None) return assert os.path.isfile(path), f"{path} exists, but it's not a file" @@ -41,11 +38,7 @@ def parse_openssl_config(path: Optional[str]): if res: key = res.group(1).strip() val = res.group(2).strip() - if key == "engine_id": - OPENSSL_VARS["ENGINE_ARG"] = f"-E {val}" - os.environ["ENGINE_ARG"] = f"-E {val}" - log.debug("ENGINE_ARG set to {OPENSSL_VARS['ENGINE_ARG']}") - elif key in ["MODULE_PATH", "pkcs11-module-path"]: + if key in ["MODULE_PATH", "pkcs11-module-path"]: OPENSSL_VARS["SOFTHSM2_MODULE"] = val os.environ["SOFTHSM2_MODULE"] = val log.debug( 
diff --git a/bin/tests/system/keyfromlabel/tests.sh b/bin/tests/system/keyfromlabel/tests.sh index ae4c9a6e6e..c3e38d8ae5 100644 --- a/bin/tests/system/keyfromlabel/tests.sh +++ b/bin/tests/system/keyfromlabel/tests.sh @@ -35,7 +35,7 @@ keyfromlabel() { id="$3" shift 3 - $KEYFRLAB $ENGINE_ARG -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1 + $KEYFRLAB -a $alg -l "pkcs11:token=softhsm2-keyfromlabel;object=${id}-${zone};pin-source=$PWD/pin" "$@" $zone >>keyfromlabel.out.$zone.$id || return 1 cat keyfromlabel.out.$zone.$id } @@ -84,7 +84,7 @@ for algtypebits in rsasha256:rsa:2048 rsasha512:rsa:2048 \ echo_i "Sign zone with $ksk $zsk" ret=0 cat "$infile" "$ksk.key" "$zsk.key" >"$zonefile" - $SIGNER $ENGINE_ARG -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1 + $SIGNER -S -a -g -o "$zone" "$zonefile" >signer.out.$zone || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret)) fi diff --git a/bin/tests/system/makejournal.c b/bin/tests/system/makejournal.c index b9e766cf68..c42c97ba58 100644 --- a/bin/tests/system/makejournal.c +++ b/bin/tests/system/makejournal.c @@ -101,7 +101,7 @@ main(int argc, char **argv) { isc_mem_debugging |= ISC_MEM_DEBUGRECORD; isc_mem_create(&mctx); - CHECK(dst_lib_init(mctx, NULL)); + CHECK(dst_lib_init(mctx)); dst_active = true; isc_log_create(mctx, &lctx, &logconfig); diff --git a/bin/tests/system/pipelined/pipequeries.c b/bin/tests/system/pipelined/pipequeries.c index b0293eef0a..d2237e8347 100644 --- a/bin/tests/system/pipelined/pipequeries.c +++ b/bin/tests/system/pipelined/pipequeries.c @@ -275,7 +275,7 @@ main(int argc, char *argv[]) { isc_log_create(mctx, &lctx, &lcfg); - RUNCHECK(dst_lib_init(mctx, NULL)); + RUNCHECK(dst_lib_init(mctx)); RUNCHECK(dns_dispatchmgr_create(mctx, loopmgr, netmgr, &dispatchmgr)); 
diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c index 3c3fda0912..5f3c9151a2 100644 --- a/bin/tests/system/rsabigexponent/bigkey.c +++ b/bin/tests/system/rsabigexponent/bigkey.c @@ -105,7 +105,7 @@ main(int argc, char **argv) { } isc_mem_create(&mctx); - CHECK(dst_lib_init(mctx, NULL), "dst_lib_init()"); + CHECK(dst_lib_init(mctx), "dst_lib_init()"); isc_log_create(mctx, &log_, &logconfig); isc_log_setcontext(log_); dns_log_init(log_); diff --git a/bin/tools/mdig.c b/bin/tools/mdig.c index 5dadd55c11..b620f51688 100644 --- a/bin/tools/mdig.c +++ b/bin/tools/mdig.c @@ -2131,7 +2131,7 @@ main(int argc, char *argv[]) { isc_managers_create(&mctx, 1, &loopmgr, &netmgr); isc_log_create(mctx, &lctx, &lcfg); - RUNCHECK(dst_lib_init(mctx, NULL)); + RUNCHECK(dst_lib_init(mctx)); isc_nonce_buf(cookie_secret, sizeof(cookie_secret)); ISC_LIST_INIT(queries); diff --git a/doc/arm/build.inc.rst b/doc/arm/build.inc.rst index 6782d7abfe..e9b18bbdf5 100644 --- a/doc/arm/build.inc.rst +++ b/doc/arm/build.inc.rst 
@@ -62,18 +62,17 @@ To build BIND 9, the following packages must be installed: - ``perl`` - ``pkg-config`` / ``pkgconfig`` / ``pkgconf`` -BIND 9.20 requires ``libuv`` 1.34.0 or higher, using ``libuv`` >= 1.40.0 -is recommended. Compiling or running with ``libuv`` 1.35.0 or 1.36.0 is -not supported, as this could lead to an assertion failure in the UDP -receive code. On older systems, an updated ``libuv`` package needs to be -installed from sources such as EPEL, PPA, or other native sources. The -other option is to build and install ``libuv`` from source. +BIND 9.20 requires ``libuv`` 1.37.0 or higher, using ``libuv`` >= 1.40.0 is +recommended. On older systems, an updated ``libuv`` package needs to be +installed from sources such as EPEL, PPA, or other native sources. The other +option is to build and install ``libuv`` from source. -OpenSSL 1.0.2e or newer is required. If the OpenSSL library is installed -in a nonstandard location, specify the prefix using -``--with-openssl=`` on the ``configure`` command line. To use a -PKCS#11 hardware service module for cryptographic operations, -``engine_pkcs11`` from the OpenSC project must be compiled and used. +OpenSSL 1.1.1 or newer is required. If the OpenSSL library is installed +in a nonstandard location, specify the prefix using ``PKG_CONFIG_PATH``. + +To use a PKCS#11 hardware service module for cryptographic operations, +PKCS#11 Provider (https://github.com/latchset/pkcs11-provider/tree/main) +must be compiled, configured and used directly in the OpenSSL 3.x. The Userspace RCU library ``liburcu`` (https://liburcu.org/) is used for lock-free data structures and concurrent safe memory reclamation. diff --git a/doc/arm/pkcs11.inc.rst b/doc/arm/pkcs11.inc.rst index 1367bfbe5c..2cf848a59d 100644 --- a/doc/arm/pkcs11.inc.rst +++ b/doc/arm/pkcs11.inc.rst 
@@ -23,12 +23,10 @@ library which provides a low-level PKCS#11 interface to drive the HSM hardware. The PKCS#11 provider library comes from the HSM vendor, and it is specific to the HSM to be controlled. -BIND 9 access PKCS#11 libraries via OpenSSL extensions. The extension for -OpenSSL 3 and newer is `pkcs11-provider`_. And for the older OpenSSL versions -engine_pkcs11 from the `OpenSC`_ project can be used. +BIND 9 access PKCS#11 libraries via OpenSSL Providers. The provider for +OpenSSL 3 and newer is `pkcs11-provider`_. .. _`pkcs11-provider`: https://github.com/latchset/pkcs11-provider -.. _OpenSC: https://github.com/OpenSC/libp11 In both cases the extension is dynamically loaded into OpenSSL and the HSM is operated indirectly; any cryptographic operations not supported by the HSM can 
@@ -67,102 +65,6 @@ with BIND. $ make install $ /opt/pkcs11/usr/bin/softhsm-util --init-token 0 --slot 0 --label softhsmv2 -OpenSSL 1.x.x with engine_pkcs11 -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -OpenSSL engine-based PKCS#11 uses engine_pkcs11 OpenSSL engine from libp11 project. - -engine_pkcs11 tries to fit the PKCS#11 API within the engine API of OpenSSL. -That is, it provides a gateway between PKCS#11 modules and the OpenSSL engine -API. One has to register the engine with OpenSSL and one has to provide the -path to the PKCS#11 module which should be gatewayed to. This can be done by -editing the OpenSSL configuration file, by engine specific controls, or by using -the p11-kit proxy module. - -It is recommended, that libp11 >= 0.4.12 is used. - -For more detailed howto including the examples, we recommend reading: - -https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11 - -When using engine_pkcs11, all BIND binaries potentially need the keys require -'-E pkcs11' argument to activate the engine support. - -Even though OpenSSL 3 has compatibility support for Engine API it is not -recommended to be used due to bugs in OpenSSL and libp11. - -It is not possible to generate new keys via the engine_pkcs11 and therefore it -is not recommended to use it in a ``dnssec-policy`` setup (although it is -possible to put previously generated keys in the ``key-directory`` and let the -key manager select those keys when a key rollover is started. - -Configuring engine_pkcs11 -^^^^^^^^^^^^^^^^^^^^^^^^^ - -The canonical documentation for configuring engine_pkcs11 is in the -`libp11/README.md`_, but here's copy of working configuration for -your convenience: - -.. _`libp11/README.md`: https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration - -We are going to use our own custom copy of OpenSSL configuration, again it's -driven by an environment variable, this time called OPENSSL_CONF. 
We are -going to copy the global OpenSSL configuration (often found in -``etc/ssl/openssl.conf``) and customize it to use engines_pkcs11. - -:: - - cp /etc/ssl/openssl.cnf /opt/bind9/etc/openssl.cnf - -and export the environment variable: - -:: - - export OPENSSL_CONF=/opt/bind9/etc/openssl.cnf - -Now add the following line at the top of file, before any sections (in square -brackets) are defined: - -:: - - openssl_conf = openssl_init - -And make sure there are no other 'openssl_conf = ...' lines in the file. - -Add following lines at the bottom of the file: - -:: - - [openssl_init] - engines=engine_section - - [engine_section] - pkcs11 = pkcs11_section - - [pkcs11_section] - engine_id = pkcs11 - dynamic_path = /pkcs11.so - MODULE_PATH = - # if automatic logging to the token is needed, PIN can be specified as below - #PIN = 1234 - init = 0 - -Enabling the OpenSSL Engine in BIND commands -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -When using OpenSSL Engine-based PKCS#11, the "engine" to be used by OpenSSL can be -specified in :iscman:`named` and all of the BIND ``dnssec-*`` tools by using the ``-E -`` command line option. This engine name matches the 'engine_id' in the -``openssl.cnf`` created in previous section. - -The zone signing commences as usual, with only one small difference. We need to -provide the name of the OpenSSL engine using the -E command line option. - -:: - - dnssec-signzone -E pkcs11 -S -o example.net example.net - - OpenSSL 3 with pkcs11-provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -170,16 +72,13 @@ OpenSSL provider-based PKCS#11 uses pkcs11-provider project. pkcs11-provider tries to fit the PKCS#11 API within the Provider API of OpenSSL. That is, it provides a gateway between PKCS#11 modules and the OpenSSL Provider -API. One has to register the engine with OpenSSL and one has to provide the +API. One has to register the provider with OpenSSL and one has to provide the path to the PKCS#11 module which should be gatewayed to. This can be done by -editing the OpenSSL configuration file, by engine specific controls, or by using -the p11-kit proxy module. +editing the OpenSSL configuration file, using provider specific controls, or +by using the p11-kit proxy module. -It is required to use pkcs11-provider git commit -2e8c26b4157fd21422c66f0b4d7b26cf8c320570 from October 2, 2023 or later. - -BIND support for pkcs11-provider is built in and the -E command line option -explained above should not be used. +It is required to use pkcs11-provider version 0.3 or later. It is recommended +to use the lastest version available. Configuring pkcs11-provider ^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -248,9 +147,14 @@ HSM keys can now be created and used. We are going to assume that you already have a BIND 9 installed, either from a package, or from the sources, and the tools are readily available in the ``$PATH``. -For generating the keys, we are going to use ``pkcs11-tool`` available from the -OpenSC suite. On both DEB-based and RPM-based distributions, the package is -called opensc. +A zone that is configured with ``dnssec-policy`` can generate keys through +the PKCS#11 Provider API of OpenSSL. + +If you want to create keys manually, the ``pkcs11-tool`` available from the +`OpenSC`_ suite can be used. On both DEB-based and RPM-based distributions, +the package is called opensc. + +.. _OpenSC: https://github.com/OpenSC/libp11 We need to generate at least two RSA keys: 
@@ -266,23 +170,23 @@ Convert the RSA keys stored in the HSM into a format that BIND 9 understands. The :iscman:`dnssec-keyfromlabel` tool from BIND 9 can link the raw keys stored in the HSM with the ``K++`` files. -You'll need to provide the OpenSSL engine name (``pkcs11``) if using the engine and -the algorithm (``RSASHA256``). The key is referenced with the PKCS#11 URI scheme and it -can contain the PKCS#11 token label (we asume that it has been initialized as bind9), -and the PKCS#11 object label (called label when generating the keys using ``pkcs11-tool``) -and the HSM PIN. Refer to :rfc:`7512` for the full PKCS#11 URI specification. +You'll need to provide the algorithm (``RSASHA256``). The key is referenced with +the PKCS#11 URI scheme and it can contain the PKCS#11 token label (we asume that +it has been initialized as bind9), and the PKCS#11 object label (called label +when generating the keys using ``pkcs11-tool``) and the HSM PIN. Refer to +:rfc:`7512` for the full PKCS#11 URI specification. Convert the KSK: :: - dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net + dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-ksk;pin-value=0000" -f KSK example.net and ZSK: :: - dnssec-keyfromlabel -E pkcs11 -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net + dnssec-keyfromlabel -a RSASHA256 -l "pkcs11:token=bind9;object=example.net-zsk;pin-value=0000" example.net NOTE: you can use PIN stored on disk, by specifying ``pin-source=/``, f.e.: 
@@ -327,15 +231,10 @@ this is when creating ECDSA keys, you should specify a unique ID: Running :iscman:`named` With Automatic Zone Re-signing ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -The zone can also be signed automatically by named. Again, we need to provide -the name of the OpenSSL engine using the :option:`-E ` command line option, -if using OpenSSL 1.x.x with engine_pkcs11, and this is not needed when using OpenSSL 3.x.x providers. +Once the keys are created, the zone can also be signed automatically by named +without further requisites. -:: - - named -E pkcs11 -c named.conf - -and the logs should have lines like: +The logs should have lines like: :: diff --git a/fuzz/dns_message_checksig.c b/fuzz/dns_message_checksig.c index 25a3119304..363b3e9ff1 100644 --- a/fuzz/dns_message_checksig.c +++ b/fuzz/dns_message_checksig.c @@ -173,7 +173,7 @@ LLVMFuzzerInitialize(int *argc ISC_ATTR_UNUSED, char ***argv ISC_ATTR_UNUSED) { isc_mem_create(&mctx); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { fprintf(stderr, "dst_lib_init failed: %s\n", isc_result_totext(result)); diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 487bb84bee..cd593ca9fd 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -190,16 +190,14 @@ addsuffix(char *filename, int len, const char *dirname, const char *ofilename, } while (0); isc_result_t -dst_lib_init(isc_mem_t *mctx, const char *engine) { +dst_lib_init(isc_mem_t *mctx) { isc_result_t result; REQUIRE(mctx != NULL); REQUIRE(!dst_initialized); - UNUSED(engine); - memset(dst_t_func, 0, sizeof(dst_t_func)); - RETERR(dst__openssl_init(engine)); /* Sets FIPS mode. */ + dst__openssl_init(); /* Sets FIPS mode. */ RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5])); RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1])); RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224])); 
@@ -998,8 +996,8 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg, isc_result_t dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, - const char *engine, const char *label, const char *pin, - isc_mem_t *mctx, dst_key_t **keyp) { + const char *label, const char *pin, isc_mem_t *mctx, + dst_key_t **keyp) { dst_key_t *key; isc_result_t result; @@ -1018,7 +1016,7 @@ dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags, return (DST_R_UNSUPPORTEDALG); } - result = key->func->fromlabel(key, engine, label, pin); + result = key->func->fromlabel(key, label, pin); if (result != ISC_R_SUCCESS) { dst_key_free(&key); return (result); @@ -1408,9 +1406,6 @@ dst_key_free(dst_key_t **keyp) { if (key->directory != NULL) { isc_mem_free(mctx, key->directory); } - if (key->engine != NULL) { - isc_mem_free(mctx, key->engine); - } if (key->label != NULL) { isc_mem_free(mctx, key->label); } diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h index cf902deaa6..fe89420916 100644 --- a/lib/dns/dst_internal.h +++ b/lib/dns/dst_internal.h @@ -92,8 +92,7 @@ struct dst_key { dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */ isc_mem_t *mctx; /*%< memory context */ char *directory; /*%< key directory */ - char *engine; /*%< engine name (HSM) */ - char *label; /*%< engine label (HSM) */ + char *label; /*%< HSM label */ union { void *generic; dns_gss_ctx_id_t gssctx; @@ -185,8 +184,8 @@ struct dst_func { /* cleanup */ void (*cleanup)(void); - isc_result_t (*fromlabel)(dst_key_t *key, const char *engine, - const char *label, const char *pin); + isc_result_t (*fromlabel)(dst_key_t *key, const char *label, + const char *pin); isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer, int *length); isc_result_t (*restore)(dst_key_t *key, const char *keystr); 
@@ -195,8 +194,8 @@ struct dst_func { /*% * Initializers */ -isc_result_t -dst__openssl_init(const char *engine); +void +dst__openssl_init(void); isc_result_t dst__hmacmd5_init(struct dst_func **funcp); diff --git a/lib/dns/dst_openssl.h b/lib/dns/dst_openssl.h index b7541fd0e6..f4ff5cc46e 100644 --- a/lib/dns/dst_openssl.h +++ b/lib/dns/dst_openssl.h @@ -41,14 +41,9 @@ isc_result_t dst___openssl_toresult3(isc_logcategory_t *category, const char *funcname, isc_result_t fallback, const char *file, int line); -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -ENGINE * -dst__openssl_getengine(const char *engine); -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - isc_result_t -dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label, - const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv); +dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin, + EVP_PKEY **ppub, EVP_PKEY **ppriv); bool dst__openssl_keypair_compare(const dst_key_t *key1, const dst_key_t *key2); diff --git a/lib/dns/include/dns/keystore.h b/lib/dns/include/dns/keystore.h index 8888eb12d4..4e648bc414 100644 --- a/lib/dns/include/dns/keystore.h +++ b/lib/dns/include/dns/keystore.h @@ -42,7 +42,6 @@ struct dns_keystore { unsigned int magic; isc_mem_t *mctx; const char *name; - const char *engine; /* Internals. */ isc_mutex_t lock; @@ -64,8 +63,7 @@ struct dns_keystore { #define DNS_KEYSTORE_KEYDIRECTORY "key-directory" isc_result_t -dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine, - dns_keystore_t **kspp); +dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp); /*%< * Create a key store. * @@ -75,8 +73,6 @@ dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine, * *\li 'name' is a valid C string. * - *\li 'engine' is the name of the OpenSSL engine to use, may be NULL. - * *\li kspp != NULL && *kspp == NULL * * Returns: 
@@ -101,20 +97,6 @@ dns_keystore_name(dns_keystore_t *keystore); *\li name of 'keystore'. */ -const char * -dns_keystore_engine(dns_keystore_t *keystore); -/*%< - * Get keystore engine. - * - * Requires: - * - *\li 'keystore' is a valid keystore. - * - * Returns: - * - *\li engine of 'keystore'. May be NULL. - */ - const char * dns_keystore_directory(dns_keystore_t *keystore, const char *keydir); /*%< diff --git a/lib/dns/include/dst/dst.h b/lib/dns/include/dst/dst.h index dc6b5a15b8..ee569582ca 100644 --- a/lib/dns/include/dst/dst.h +++ b/lib/dns/include/dst/dst.h @@ -198,7 +198,7 @@ typedef enum dst_algorithm { *** Functions ***/ isc_result_t -dst_lib_init(isc_mem_t *mctx, const char *engine); +dst_lib_init(isc_mem_t *mctx); /*%< * Initializes the DST subsystem. * @@ -208,7 +208,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine); * Returns: * \li ISC_R_SUCCESS * \li ISC_R_NOMEMORY - * \li DST_R_NOENGINE * * Ensures: * \li DST is properly initialized. @@ -627,8 +626,8 @@ dst_key_buildinternal(const dns_name_t *name, unsigned int alg, isc_result_t dst_key_fromlabel(const dns_name_t *name, int alg, unsigned int flags, unsigned int protocol, dns_rdataclass_t rdclass, - const char *engine, const char *label, const char *pin, - isc_mem_t *mctx, dst_key_t **keyp); + const char *label, const char *pin, isc_mem_t *mctx, + dst_key_t **keyp); isc_result_t dst_key_generate(const dns_name_t *name, unsigned int alg, unsigned int bits, diff --git a/lib/dns/keystore.c b/lib/dns/keystore.c index 90b766d62e..c714606a13 100644 --- a/lib/dns/keystore.c +++ b/lib/dns/keystore.c 
@@ -26,15 +26,13 @@ #include isc_result_t -dns_keystore_create(isc_mem_t *mctx, const char *name, const char *engine, - dns_keystore_t **kspp) { +dns_keystore_create(isc_mem_t *mctx, const char *name, dns_keystore_t **kspp) { dns_keystore_t *keystore; REQUIRE(name != NULL); REQUIRE(kspp != NULL && *kspp == NULL); keystore = isc_mem_get(mctx, sizeof(*keystore)); - keystore->engine = engine; keystore->mctx = NULL; isc_mem_attach(mctx, &keystore->mctx); @@ -85,13 +83,6 @@ dns_keystore_name(dns_keystore_t *keystore) { return (keystore->name); } -const char * -dns_keystore_engine(dns_keystore_t *keystore) { - REQUIRE(DNS_KEYSTORE_VALID(keystore)); - - return (keystore->engine); -} - const char * dns_keystore_directory(dns_keystore_t *keystore, const char *keydir) { if (keystore == NULL) { diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index d8191b1f05..596627046c 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -42,9 +42,6 @@ #include "dst_internal.h" #include "dst_openssl.h" -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -#include -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #if OPENSSL_VERSION_NUMBER >= 0x30000000L #include #include @@ -58,10 +55,6 @@ goto err; \ } -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -static ENGINE *global_engine = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - static void enable_fips_mode(void) { #if defined(ENABLE_FIPS_MODE) 
@@ -79,52 +72,14 @@ enable_fips_mode(void) { #endif } -isc_result_t -dst__openssl_init(const char *engine) { +void +dst__openssl_init(void) { enable_fips_mode(); - - if (engine != NULL && *engine == '\0') { - engine = NULL; - } - - if (engine == NULL) { - return (ISC_R_SUCCESS); - } - -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - global_engine = ENGINE_by_id(engine); - if (global_engine == NULL) { - goto cleanup_rm; - } - if (!ENGINE_init(global_engine)) { - goto cleanup_rm; - } - /* This will init the engine. */ - if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) { - goto cleanup_init; - } - return (ISC_R_SUCCESS); -cleanup_init: - ENGINE_finish(global_engine); -cleanup_rm: - if (global_engine != NULL) { - ENGINE_free(global_engine); - } - ERR_clear_error(); - global_engine = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - return (DST_R_NOENGINE); } void dst__openssl_destroy(void) { -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - if (global_engine != NULL) { - ENGINE_finish(global_engine); - ENGINE_free(global_engine); - } - global_engine = NULL; -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ + /* No-op */ } static isc_result_t 
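Review bot: `dst__openssl_destroy()` is reduced to a body of `/* No-op */`, which records what it does but not why it survives; a why-comment such as `/* Kept as the counterpart of dst__openssl_init() so the init/destroy pairing used by dst_lib_destroy() is unchanged. */` stops the next reader from deleting it (the dst_lib_destroy() caller is inferred, not visible here). `dst__openssl_init()` likewise deserves a header comment now that it is `void`: it only calls `enable_fips_mode()`, so a failure to enter FIPS mode can no longer be reported to dst_lib_init() and must be handled inside enable_fips_mode() itself, whose body starts before this hunk. The call site in dst_api.c carries only `/* Sets FIPS mode. */`, so the prototype under 'Initializers' in dst_internal.h is the natural place to state that contract.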
@@ -211,67 +166,6 @@ done: return (result); } -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 -ENGINE * -dst__openssl_getengine(const char *engine) { - if (engine == NULL) { - return (NULL); - } - if (global_engine == NULL) { - return (NULL); - } - if (strcmp(engine, ENGINE_get_id(global_engine)) == 0) { - return (global_engine); - } - return (NULL); -} -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - -static isc_result_t -dst__openssl_fromlabel_engine(int key_base_id, const char *engine, - const char *label, const char *pin, - EVP_PKEY **ppub, EVP_PKEY **ppriv) { -#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 - isc_result_t ret = ISC_R_SUCCESS; - ENGINE *e = NULL; - - UNUSED(pin); - - e = dst__openssl_getengine(engine); - if (e == NULL) { - DST_RET(dst__openssl_toresult(DST_R_NOENGINE)); - } - - *ppub = ENGINE_load_public_key(e, label, NULL, NULL); - if (*ppub == NULL) { - DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_base_id(*ppub) != key_base_id) { - DST_RET(DST_R_BADKEYTYPE); - } - - *ppriv = ENGINE_load_private_key(e, label, NULL, NULL); - if (*ppriv == NULL) { - DST_RET(dst__openssl_toresult2("ENGINE_load_private_key", - DST_R_OPENSSLFAILURE)); - } - if (EVP_PKEY_base_id(*ppriv) != key_base_id) { - DST_RET(DST_R_BADKEYTYPE); - } -err: - return (ret); -#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ - UNUSED(key_base_id); - UNUSED(engine); - UNUSED(label); - UNUSED(pin); - UNUSED(ppub); - UNUSED(ppriv); - return (DST_R_NOENGINE); -#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ -} - static isc_result_t dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin, EVP_PKEY **ppub, 
@@ -335,25 +229,10 @@ err: } isc_result_t -dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label, - const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) { - if (engine == NULL) { - return (dst__openssl_fromlabel_provider(key_base_id, label, pin, - ppub, ppriv)); - } - - if (*ppub != NULL) { - EVP_PKEY_free(*ppub); - *ppub = NULL; - } - - if (*ppriv != NULL) { - EVP_PKEY_free(*ppriv); - *ppriv = NULL; - } - - return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin, - ppub, ppriv)); +dst__openssl_fromlabel(int key_base_id, const char *label, const char *pin, + EVP_PKEY **ppub, EVP_PKEY **ppriv) { + return (dst__openssl_fromlabel_provider(key_base_id, label, pin, ppub, + ppriv)); } bool diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 2c99650285..6f71a72a2a 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -984,13 +984,6 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { priv.elements[i].data = buf; i++; } - if (key->engine != NULL) { - priv.elements[i].tag = TAG_ECDSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } if (key->label != NULL) { priv.elements[i].tag = TAG_ECDSA_LABEL; @@ -1009,15 +1002,13 @@ err: } static isc_result_t -opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin); +opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin); static isc_result_t opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; EVP_PKEY *pkey = NULL; - const char *engine = NULL; const char *label = NULL; int i, privkey_index = -1; 
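Review bot: `dst__openssl_fromlabel` is now a pure pass-through to `dst__openssl_fromlabel_provider`, and the removed Engine branch was the only place that freed a non-NULL `*ppub`/`*ppriv` before loading; the provider path never did that (its body starts before this hunk). The contract that both out-pointers must be NULL on entry is therefore implicit; the callers visible in the ecdsa, eddsa and rsa link files do initialise them to NULL, but nothing documents it. Suggest `/* Provider-backed lookup only; *ppub and *ppriv must be NULL on entry. */` above the function, or folding the wrapper into the provider function if no other translation unit refers to it.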
@@ -1044,7 +1035,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { case TAG_ECDSA_ENGINE: - engine = (char *)priv.elements[i].data; + /* The Engine: tag is explicitly ignored */ break; case TAG_ECDSA_LABEL: label = (char *)priv.elements[i].data; @@ -1058,7 +1049,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } if (label != NULL) { - ret = opensslecdsa_fromlabel(key, engine, label, NULL); + ret = opensslecdsa_fromlabel(key, label, NULL); if (ret != ISC_R_SUCCESS) { goto err; } @@ -1104,15 +1095,14 @@ err: } static isc_result_t -opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { +opensslecdsa_fromlabel(dst_key_t *key, const char *label, const char *pin) { EVP_PKEY *privpkey = NULL, *pubpkey = NULL; isc_result_t ret; REQUIRE(opensslecdsa_valid_key_alg(key->key_alg)); UNUSED(pin); - ret = dst__openssl_fromlabel(EVP_PKEY_EC, engine, label, pin, &pubpkey, + ret = dst__openssl_fromlabel(EVP_PKEY_EC, label, pin, &pubpkey, &privpkey); if (ret != ISC_R_SUCCESS) { goto err; @@ -1127,9 +1117,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, goto err; } - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } key->label = isc_mem_strdup(key->mctx, label); key->key_size = EVP_PKEY_bits(privpkey); key->keydata.pkeypair.priv = privpkey; diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c index a299bd0227..76aa2a9f57 100644 --- a/lib/dns/openssleddsa_link.c +++ b/lib/dns/openssleddsa_link.c 
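Review bot: `TAG_ECDSA_ENGINE` is now dropped with `/* The Engine: tag is explicitly ignored */`, so a private-key file written by an earlier release with an `Engine:` line is accepted and the key is then resolved by label through providers alone; if that lookup fails, the resulting error gives no hint that the engine reference was discarded. Consider a debug-level log when the tag is encountered, or at least a comment that tells the operator where to look, e.g. `/* Engine: is ignored; PKCS#11 keys are resolved via OpenSSL Providers by Label only. */`. The same applies to the `TAG_EDDSA_ENGINE` and `TAG_RSA_ENGINE` cases in the openssleddsa_link.c and opensslrsa_link.c parse hunks.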
@@ -105,8 +105,7 @@ raw_key_to_ossl(const eddsa_alginfo_t *alginfo, int private, } static isc_result_t -openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin); +openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin); static isc_result_t openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) { @@ -389,13 +388,6 @@ openssleddsa_tofile(const dst_key_t *key, const char *directory) { priv.elements[i].data = buf; i++; } - if (key->engine != NULL) { - priv.elements[i].tag = TAG_EDDSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } if (key->label != NULL) { priv.elements[i].tag = TAG_EDDSA_LABEL; priv.elements[i].length = (unsigned short)strlen(key->label) + @@ -420,7 +412,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; int i, privkey_index = -1; - const char *engine = NULL, *label = NULL; + const char *label = NULL; EVP_PKEY *pkey = NULL; size_t len; isc_mem_t *mctx = key->mctx; @@ -450,7 +442,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { case TAG_EDDSA_ENGINE: - engine = (char *)priv.elements[i].data; + /* The Engine: tag is explicitly ignored */ break; case TAG_EDDSA_LABEL: label = (char *)priv.elements[i].data; @@ -464,7 +456,7 @@ openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } if (label != NULL) { - ret = openssleddsa_fromlabel(key, engine, label, NULL); + ret = openssleddsa_fromlabel(key, label, NULL); if (ret != ISC_R_SUCCESS) { goto err; } 
@@ -506,8 +498,7 @@ err: } static isc_result_t -openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { +openssleddsa_fromlabel(dst_key_t *key, const char *label, const char *pin) { const eddsa_alginfo_t *alginfo = openssleddsa_alg_info(key->key_alg); EVP_PKEY *privpkey = NULL, *pubpkey = NULL; isc_result_t ret; @@ -515,15 +506,12 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label, REQUIRE(alginfo != NULL); UNUSED(pin); - ret = dst__openssl_fromlabel(alginfo->pkey_type, engine, label, pin, - &pubpkey, &privpkey); + ret = dst__openssl_fromlabel(alginfo->pkey_type, label, pin, &pubpkey, + &privpkey); if (ret != ISC_R_SUCCESS) { goto err; } - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } key->label = isc_mem_strdup(key->mctx, label); key->key_size = EVP_PKEY_bits(privpkey); key->keydata.pkeypair.priv = privpkey; diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 878fae17e3..661632484b 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -931,14 +931,6 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { i++; } - if (key->engine != NULL) { - priv.elements[i].tag = TAG_RSA_ENGINE; - priv.elements[i].length = (unsigned short)strlen(key->engine) + - 1; - priv.elements[i].data = (unsigned char *)key->engine; - i++; - } - if (key->label != NULL) { priv.elements[i].tag = TAG_RSA_LABEL; priv.elements[i].length = (unsigned short)strlen(key->label) + @@ -963,8 +955,7 @@ err: } static isc_result_t -opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin); +opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin); static isc_result_t opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { 
@@ -972,7 +963,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { isc_result_t ret; int i; isc_mem_t *mctx = NULL; - const char *engine = NULL, *label = NULL; + const char *label = NULL; EVP_PKEY *pkey = NULL; rsa_components_t c = { .bnfree = true }; @@ -1002,7 +993,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { case TAG_RSA_ENGINE: - engine = (char *)priv.elements[i].data; + /* The Engine: tag is explicitly ignored */ break; case TAG_RSA_LABEL: label = (char *)priv.elements[i].data; @@ -1017,7 +1008,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { * See if we can fetch it. */ if (label != NULL) { - ret = opensslrsa_fromlabel(key, engine, label, NULL); + ret = opensslrsa_fromlabel(key, label, NULL); if (ret != ISC_R_SUCCESS) { DST_RET(ret); } @@ -1111,12 +1102,11 @@ err: } static isc_result_t -opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, - const char *pin) { +opensslrsa_fromlabel(dst_key_t *key, const char *label, const char *pin) { EVP_PKEY *privpkey = NULL, *pubpkey = NULL; isc_result_t ret; - ret = dst__openssl_fromlabel(EVP_PKEY_RSA, engine, label, pin, &pubpkey, + ret = dst__openssl_fromlabel(EVP_PKEY_RSA, label, pin, &pubpkey, &privpkey); if (ret != ISC_R_SUCCESS) { goto err; @@ -1126,9 +1116,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(ISC_R_RANGE); } - if (engine != NULL) { - key->engine = isc_mem_strdup(key->mctx, engine); - } key->label = isc_mem_strdup(key->mctx, label); key->key_size = EVP_PKEY_bits(privpkey); key->keydata.pkeypair.priv = privpkey; diff --git a/lib/isc/openssl_shim.c b/lib/isc/openssl_shim.c index 08bc9c56a9..6b1f3c6909 100644 --- a/lib/isc/openssl_shim.c +++ b/lib/isc/openssl_shim.c @@ -16,7 +16,6 @@ #include #include -#include #include #include #include 
diff --git a/lib/isc/openssl_shim.h b/lib/isc/openssl_shim.h index f7f6f5ae56..7817a248fe 100644 --- a/lib/isc/openssl_shim.h +++ b/lib/isc/openssl_shim.h @@ -14,7 +14,6 @@ #pragma once #include -#include #include #include #include diff --git a/lib/isc/result.c b/lib/isc/result.c index 765105ab55..440351d1ba 100644 --- a/lib/isc/result.c +++ b/lib/isc/result.c @@ -242,7 +242,8 @@ static const char *description[ISC_R_NRESULTS] = { [DST_R_COMPUTESECRETFAILURE] = "failure computing a shared secret", [DST_R_NORANDOMNESS] = "no randomness available", [DST_R_BADKEYTYPE] = "bad key type", - [DST_R_NOENGINE] = "no engine", + [DST_R_NOENGINE] = "OpenSSL Engine support has been removed; " + "use OpenSSL Providers for PKCS#11", [DST_R_EXTERNALKEY] = "illegal operation for an external key", [DNS_R_NOERROR] = "NOERROR", diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 504b221115..825ceb4aa4 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -142,8 +142,8 @@ isc__tls_initialize(void) { #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ 0x30000000L */ - uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN | - OPENSSL_INIT_LOAD_CONFIG; + uint64_t opts = OPENSSL_INIT_LOAD_CONFIG; + #if defined(OPENSSL_INIT_NO_ATEXIT) /* * We call OPENSSL_cleanup() manually, in a correct order, thus disable diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index 8dd8efa934..6c16e34ad9 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -1470,9 +1470,8 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config, } } - ret = cfg_keystore_fromconfig(kconfig, mctx, - logctx, NULL, - &kslist, NULL); + ret = cfg_keystore_fromconfig( + kconfig, mctx, logctx, &kslist, NULL); if (ret != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = ret; 
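Review bot: The `DST_R_NOENGINE` description in result.c is rewritten as an instruction ("use OpenSSL Providers for PKCS#11"), but with the engine load paths removed and the `Engine:` key-file tag ignored on parse it is not clear from this diff which code path still returns that result; if none does, the message never reaches an operator holding legacy key files. Either note in a comment that the code is retained only to keep result-code numbering stable, or have the parse paths that see an `Engine:` tag surface this result (or a log line carrying the same text) so the new description does its job.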
@@ -1485,8 +1484,7 @@ check_options(const cfg_obj_t *options, const cfg_obj_t *config, /* * Add default key-store "key-directory". */ - tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist, - NULL); + tresult = cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL); if (tresult != ISC_R_SUCCESS) { if (result == ISC_R_SUCCESS) { result = tresult; @@ -3025,10 +3023,10 @@ check_keydir(const cfg_obj_t *config, const cfg_obj_t *zconfig, element = cfg_list_next(element)) { cfg_obj_t *kcfg = cfg_listelt_value(element); - (void)cfg_keystore_fromconfig(kcfg, mctx, logctx, NULL, &kslist, + (void)cfg_keystore_fromconfig(kcfg, mctx, logctx, &kslist, NULL); } - (void)cfg_keystore_fromconfig(NULL, mctx, logctx, NULL, &kslist, NULL); + (void)cfg_keystore_fromconfig(NULL, mctx, logctx, &kslist, NULL); /* * Look for the dnssec-policy by name, which is the dnssec-policy diff --git a/lib/isccfg/include/isccfg/kaspconf.h b/lib/isccfg/include/isccfg/kaspconf.h index ccc1cecc5d..b558d13d27 100644 --- a/lib/isccfg/include/isccfg/kaspconf.h +++ b/lib/isccfg/include/isccfg/kaspconf.h @@ -62,9 +62,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, isc_result_t cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, - isc_log_t *logctx, const char *engine, - dns_keystorelist_t *keystorelist, - dns_keystore_t **kspp); + isc_log_t *logctx, dns_keystorelist_t *keystorelist, + dns_keystore_t **kspp); /*%< * Create and configure a key store. If a 'keystorelist' is provided, a lookup * happens and if a keystore already exists with the same name, no new one is diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 419818f257..96fdf2e814 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c 
@@ -748,8 +748,7 @@ cleanup: isc_result_t cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, - isc_log_t *logctx, const char *engine, - dns_keystorelist_t *keystorelist, + isc_log_t *logctx, dns_keystorelist_t *keystorelist, dns_keystore_t **kspp) { isc_result_t result; const cfg_obj_t *maps[2]; @@ -785,7 +784,7 @@ cfg_keystore_fromconfig(const cfg_obj_t *config, isc_mem_t *mctx, * No key-store with configured name was found in list, create new one. */ INSIST(keystore == NULL); - result = dns_keystore_create(mctx, name, engine, &keystore); + result = dns_keystore_create(mctx, name, &keystore); if (result != ISC_R_SUCCESS) { return (result); } diff --git a/tests/dns/dst_test.c b/tests/dns/dst_test.c index b8f80dd8aa..9ebc5be3f0 100644 --- a/tests/dns/dst_test.c +++ b/tests/dns/dst_test.c @@ -47,7 +47,7 @@ static int setup_test(void **state) { UNUSED(state); - dst_lib_init(mctx, NULL); + dst_lib_init(mctx); return (0); } diff --git a/tests/dns/private_test.c b/tests/dns/private_test.c index 9f3a87f947..0b2eb6ddf8 100644 --- a/tests/dns/private_test.c +++ b/tests/dns/private_test.c @@ -43,7 +43,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1); diff --git a/tests/dns/rsa_test.c b/tests/dns/rsa_test.c index c9895690d4..7a5c356e1c 100644 --- a/tests/dns/rsa_test.c +++ b/tests/dns/rsa_test.c @@ -43,7 +43,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1); diff --git a/tests/dns/sigs_test.c b/tests/dns/sigs_test.c index aeadb93ae6..d33d74e8cc 100644 --- a/tests/dns/sigs_test.c +++ b/tests/dns/sigs_test.c @@ -77,7 +77,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1); 
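Review bot: In the tests/dns/dst_test.c hunk the result of `dst_lib_init(mctx)` is still discarded, whereas the private_test.c, rsa_test.c and sigs_test.c hunks in this same commit assign it and bail out on failure. Since the line is being touched anyway, make it consistent: `if (dst_lib_init(mctx) != ISC_R_SUCCESS) { return (1); }`. Otherwise a failed initialisation shows up as confusing failures in later tests rather than a setup error.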
diff --git a/tests/dns/tsig_test.c b/tests/dns/tsig_test.c index 95e2c0b52d..1cd62e675f 100644 --- a/tests/dns/tsig_test.c +++ b/tests/dns/tsig_test.c @@ -54,7 +54,7 @@ setup_test(void **state) { UNUSED(state); - result = dst_lib_init(mctx, NULL); + result = dst_lib_init(mctx); if (result != ISC_R_SUCCESS) { return (1);