Commit ba751492 authored by Evan Hunt's avatar Evan Hunt

[master] native PKCS#11 support

3705.	[func]		"configure --enable-native-pkcs11" enables BIND
			to use the PKCS#11 API for all cryptographic
			functions, so that it can drive a hardware service
			module directly without the need to use a modified
			OpenSSL as intermediary (so long as the HSM's vendor
			provides a complete-enough implementation of the
			PKCS#11 interface). This has been tested successfully
			with the Thales nShield HSM and with SoftHSMv2 from
			the OpenDNSSEC project. [RT #29031]
parent 1f4c6451
3705. [func] "configure --enable-native-pkcs11" enables BIND
to use the PKCS#11 API for all cryptographic
functions, so that it can drive a hardware service
module directly without the need to use a modified
OpenSSL as intermediary (so long as the HSM's vendor
provides a complete-enough implementation of the
PKCS#11 interface). This has been tested successfully
with the Thales nShield HSM and with SoftHSMv2 from
the OpenDNSSEC project. [RT #29031]
3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185] 3704. [protocol] Accept integer timestamps in RRSIG records. [RT #35185]
3703. [func] To improve recursive resolver performance, cache 3703. [func] To improve recursive resolver performance, cache
......
...@@ -83,6 +83,12 @@ BIND 9.10.0 ...@@ -83,6 +83,12 @@ BIND 9.10.0
- The internal and export versions of the BIND libraries - The internal and export versions of the BIND libraries
(libisc, libdns, etc) have been unified so that external (libisc, libdns, etc) have been unified so that external
library clients can use the same libraries as BIND itself. library clients can use the same libraries as BIND itself.
- A new compile-time option allows the BIND 9 cryptography
functions to use the PKCS#11 API natively, so that BIND
can drive a cryptographic hardware service module directly
instead of using a modified OpenSSL as an intermediary.
This has been tested with the Thales nShield HSM and with
SoftHSMv2 from the Open DNSSEC project.
- New 'dnssec-coverage' tool to check DNSSEC key coverage - New 'dnssec-coverage' tool to check DNSSEC key coverage
for a zone and report if a lapse in signing coverage has for a zone and report if a lapse in signing coverage has
been inadvertently scheduled. been inadvertently scheduled.
......
...@@ -132,14 +132,11 @@ int sigwait(const unsigned int *set, int *sig); ...@@ -132,14 +132,11 @@ int sigwait(const unsigned int *set, int *sig);
/** define if you have strerror in the C library. */ /** define if you have strerror in the C library. */
#undef HAVE_STRERROR #undef HAVE_STRERROR
/** Define if you are running under Compaq TruCluster. */
#undef HAVE_TRUCLUSTER
/* Define if OpenSSL includes DSA support */ /* Define if OpenSSL includes DSA support */
#undef HAVE_OPENSSL_DSA #undef HAVE_OPENSSL_DSA
/* Define if OpenSSL includes ECDSA support */ /* Define if you have getpassphrase in the C library. */
#undef HAVE_OPENSSL_ECDSA #undef HAVE_GETPASSPHRASE
/* Define to the length type used by the socket API (socklen_t, size_t, int). */ /* Define to the length type used by the socket API (socklen_t, size_t, int). */
#undef ISC_SOCKADDR_LEN_T #undef ISC_SOCKADDR_LEN_T
......
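Review bot: Dropping the `#undef HAVE_OPENSSL_ECDSA` template (the line replaced by `HAVE_GETPASSPHRASE`) means config.h will no longer define that macro, so any remaining `#ifdef HAVE_OPENSSL_ECDSA` in the tree compiles its ECDSA code out with no diagnostic. Configure may now emit this define another way (the `@CRYPTO@` substitution added to CDEFINES in the dnssec tools Makefile hunk of this commit suggests so), but that is not visible here and should be confirmed. A one-line comment in this template, such as `/* HAVE_OPENSSL_* crypto feature macros are now supplied by configure on the command line, not here */`, would stop the next maintainer from re-adding or relying on the old entry. A silently disabled signature algorithm tends to surface only as validation failures in the field, so it is worth verifying rather than assuming.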
...@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@ ...@@ -24,7 +24,7 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@ @BIND9_MAKE_INCLUDES@
CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \ CINCLUDES = ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
${ISC_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\" CDEFINES = -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS = CWARNINGS =
...@@ -34,11 +34,13 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@ ...@@ -34,11 +34,13 @@ ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
BIND9LIBS = ../../lib/bind9/libbind9.@A@ BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
LIBS = ${ISCLIBS} @LIBS@ LIBS = ${ISCLIBS} @LIBS@
NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@ NOSYMLIBS = ${ISCNOSYMLIBS} @LIBS@
...@@ -70,14 +72,15 @@ named-checkzone.@O@: named-checkzone.c ...@@ -70,14 +72,15 @@ named-checkzone.@O@: named-checkzone.c
-c ${srcdir}/named-checkzone.c -c ${srcdir}/named-checkzone.c
named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \ named-checkconf@EXEEXT@: named-checkconf.@O@ check-tool.@O@ ${ISCDEPLIBS} \
${ISCCFGDEPLIBS} ${BIND9DEPLIBS} ${ISCCFGDEPLIBS} ${BIND9DEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \ export BASEOBJS="named-checkconf.@O@ check-tool.@O@"; \
export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS}"; \ export LIBS0="${BIND9LIBS} ${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ ${ISCDEPLIBS} ${DNSDEPLIBS} named-checkzone@EXEEXT@: named-checkzone.@O@ check-tool.@O@ \
${ISCDEPLIBS} ${DNSDEPLIBS} ${ISCPK11DEPLIBS}
export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \ export BASEOBJS="named-checkzone.@O@ check-tool.@O@"; \
export LIBS0="${ISCCFGLIBS} ${DNSLIBS}"; \ export LIBS0="${ISCCFGLIBS} ${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
doc man:: ${MANOBJS} doc man:: ${MANOBJS}
......
...@@ -23,7 +23,8 @@ top_srcdir = @top_srcdir@ ...@@ -23,7 +23,8 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@ @BIND9_MAKE_INCLUDES@
CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \ CINCLUDES = -I${srcdir}/include ${ISC_INCLUDES} ${ISCCC_INCLUDES} \
${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} ${ISCCFG_INCLUDES} ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISCPK11_INCLUDES}
CDEFINES = CDEFINES =
CWARNINGS = CWARNINGS =
...@@ -34,21 +35,25 @@ ISCLIBS = ../../lib/isc/libisc.@A@ ...@@ -34,21 +35,25 @@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
BIND9LIBS = ../../lib/bind9/libbind9.@A@ BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@ ISCCCDEPLIBS = ../../lib/isccc/libisccc.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} ${ISCLIBS} @LIBS@ RNDCLIBS = ${ISCCFGLIBS} ${ISCCCLIBS} ${BIND9LIBS} ${DNSLIBS} \
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
RNDCDEPLIBS = ${ISCCFGDEPLIBS} ${ISCCCDEPLIBS} ${BIND9DEPLIBS} \
${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} CONFDEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
SRCS= rndc-confgen.c ddns-confgen.c SRCS= rndc-confgen.c ddns-confgen.c
......
...@@ -26,7 +26,8 @@ top_srcdir = @top_srcdir@ ...@@ -26,7 +26,8 @@ top_srcdir = @top_srcdir@
READLINE_LIB = @READLINE_LIB@ READLINE_LIB = @READLINE_LIB@
CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \ CINCLUDES = -I${srcdir}/include ${DNS_INCLUDES} ${BIND9_INCLUDES} \
${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} ${ISC_INCLUDES} ${LWRES_INCLUDES} ${ISCCFG_INCLUDES} \
${ISCPK11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" CDEFINES = -DVERSION=\"${VERSION}\"
CWARNINGS = CWARNINGS =
...@@ -37,20 +38,22 @@ BIND9LIBS = ../../lib/bind9/libbind9.@A@ ...@@ -37,20 +38,22 @@ BIND9LIBS = ../../lib/bind9/libbind9.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
LWRESLIBS = ../../lib/lwres/liblwres.@A@ LWRESLIBS = ../../lib/lwres/liblwres.@A@
ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@ ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@
BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@ BIND9DEPLIBS = ../../lib/bind9/libbind9.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@
LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@ LWRESDEPLIBS = ../../lib/lwres/liblwres.@A@
ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} ${ISCCFGDEPLIBS} \ DEPLIBS = ${DNSDEPLIBS} ${BIND9DEPLIBS} ${ISCDEPLIBS} \
${LWRESDEPLIBS} ${ISCPK11DEPLIBS} ${ISCCFGDEPLIBS} ${LWRESDEPLIBS}
LIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ LIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCLIBS} @IDNLIBS@ @LIBS@ ${ISCLIBS} @IDNLIBS@ @LIBS@
NOSYMLIBS = ${LWRESLIBS} ${DNSLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \ NOSYMLIBS = ${LWRESLIBS} ${BIND9LIBS} ${ISCCFGLIBS} \
${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@ ${ISCNOSYMLIBS} @IDNLIBS@ @LIBS@
SUBDIRS = SUBDIRS =
...@@ -73,14 +76,17 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES} ...@@ -73,14 +76,17 @@ MANOBJS = ${MANPAGES} ${HTMLPAGES}
dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} dig@EXEEXT@: dig.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \ export BASEOBJS="dig.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} host@EXEEXT@: host.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \ export BASEOBJS="host.@O@ dighost.@O@ ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS} nslookup@EXEEXT@: nslookup.@O@ dighost.@O@ ${UOBJS} ${DEPLIBS}
export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \ export BASEOBJS="nslookup.@O@ dighost.@O@ ${READLINE_LIB} ${UOBJS}"; \
export LIBS0="${DNSLIBS} ${ISCPK11LIBS}"; \
${FINALBUILDCMD} ${FINALBUILDCMD}
doc man:: ${MANOBJS} doc man:: ${MANOBJS}
......
...@@ -23,23 +23,26 @@ top_srcdir = @top_srcdir@ ...@@ -23,23 +23,26 @@ top_srcdir = @top_srcdir@
@BIND9_MAKE_INCLUDES@ @BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCPK11_INCLUDES}
CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ CDEFINES = -DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
@CRYPTO@ -DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
CWARNINGS = CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@ DNSLIBS = ../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
ISCLIBS = ../../lib/isc/libisc.@A@ ISCLIBS = ../../lib/isc/libisc.@A@
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@
ISCPK11LIBS = ../../lib/iscpk11/libiscpk11.@A@
DNSDEPLIBS = ../../lib/dns/libdns.@A@ DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@ ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCPK11DEPLIBS = ../../lib/iscpk11/libiscpk11.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS} ${ISCPK11DEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ LIBS = ${DNSLIBS} ${ISCLIBS} ${ISCPK11LIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@ NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} ${ISCPK11LIBS} @LIBS@
# Alphabetically # Alphabetically
TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \
......
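Review bot: `-DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"` compiles whatever configure substituted into every dnssec tool, and the usage text in this commit both prints it and treats it as the default provider; if `--with-pkcs11` was not given, or was given without a path, the substitution presumably becomes empty or `yes`, and the tools then advertise a meaningless default. Because that string names a shared object the process will load, configure (not visible here) should guarantee it is an absolute path, or the define should only be added under the native-PKCS#11 condition so that builds without a configured provider have no default at all. A comment above CDEFINES, `# PK11_LIB_LOCATION is only meaningful with --enable-native-pkcs11; it is the default provider library path`, would make the intent clear.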
...@@ -448,7 +448,7 @@ main(int argc, char **argv) { ...@@ -448,7 +448,7 @@ main(int argc, char **argv) {
else if (strcasecmp(algname, "SHA256") == 0 || else if (strcasecmp(algname, "SHA256") == 0 ||
strcasecmp(algname, "SHA-256") == 0) strcasecmp(algname, "SHA-256") == 0)
dtype = DNS_DSDIGEST_SHA256; dtype = DNS_DSDIGEST_SHA256;
#ifdef HAVE_OPENSSL_GOST #if defined(HAVE_OPENSSL_GOST) || defined(HAVE_PKCS11_GOST)
else if (strcasecmp(algname, "GOST") == 0) else if (strcasecmp(algname, "GOST") == 0)
dtype = DNS_DSDIGEST_GOST; dtype = DNS_DSDIGEST_GOST;
#endif #endif
......
...@@ -76,10 +76,15 @@ usage(void) { ...@@ -76,10 +76,15 @@ usage(void) {
"NSEC3RSASHA1 if using -3)\n"); "NSEC3RSASHA1 if using -3)\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n"); fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n"); fprintf(stderr, " -c class (default: IN)\n");
#ifdef USE_PKCS11 fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " -E enginename (default: pkcs11)\n"); #if defined(PKCS11CRYPTO)
fprintf(stderr, " path to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " name of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else #else
fprintf(stderr, " -E enginename\n"); fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif #endif
fprintf(stderr, " -f keyflag: KSK | REVOKE\n"); fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place " fprintf(stderr, " -K directory: directory in which to place "
...@@ -116,7 +121,7 @@ main(int argc, char **argv) { ...@@ -116,7 +121,7 @@ main(int argc, char **argv) {
char *nametype = NULL, *type = NULL; char *nametype = NULL, *type = NULL;
const char *directory = NULL; const char *directory = NULL;
#ifdef USE_PKCS11 #ifdef USE_PKCS11
const char *engine = "pkcs11"; const char *engine = PKCS11_ENGINE;
#else #else
const char *engine = NULL; const char *engine = NULL;
#endif #endif
...@@ -334,16 +339,15 @@ main(int argc, char **argv) { ...@@ -334,16 +339,15 @@ main(int argc, char **argv) {
if (argc > isc_commandline_index + 1) if (argc > isc_commandline_index + 1)
fatal("extraneous arguments"); fatal("extraneous arguments");
if (strchr(label, ':') == NULL && if (strchr(label, ':') == NULL) {
engine != NULL && strlen(engine) != 0U) {
char *l; char *l;
int len; int len;
len = strlen(label) + strlen(engine) + 2; len = strlen(label) + 8;
l = isc_mem_allocate(mctx, len); l = isc_mem_allocate(mctx, len);
if (l == NULL) if (l == NULL)
fatal("cannot allocate memory"); fatal("cannot allocate memory");
snprintf(l, len, "%s:%s", engine, label); snprintf(l, len, "pkcs11:%s", label);
isc_mem_free(mctx, label); isc_mem_free(mctx, label);
label = l; label = l;
} }
...@@ -460,7 +464,7 @@ main(int argc, char **argv) { ...@@ -460,7 +464,7 @@ main(int argc, char **argv) {
/* associate the key */ /* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, ret = dst_key_fromlabel(name, alg, flags, protocol,
rdclass, engine, label, NULL, mctx, &key); rdclass, "pkcs11", label, NULL, mctx, &key);
isc_entropy_stopcallbacksources(ectx); isc_entropy_stopcallbacksources(ectx);
if (ret != ISC_R_SUCCESS) { if (ret != ISC_R_SUCCESS) {
...@@ -468,7 +472,7 @@ main(int argc, char **argv) { ...@@ -468,7 +472,7 @@ main(int argc, char **argv) {
char algstr[DNS_SECALG_FORMATSIZE]; char algstr[DNS_SECALG_FORMATSIZE];
dns_name_format(name, namestr, sizeof(namestr)); dns_name_format(name, namestr, sizeof(namestr));
dns_secalg_format(alg, algstr, sizeof(algstr)); dns_secalg_format(alg, algstr, sizeof(algstr));
fatal("failed to get key %s/%s: %s\n", fatal("failed to get key %s/%s: %s",
namestr, algstr, isc_result_totext(ret)); namestr, algstr, isc_result_totext(ret));
/* NOTREACHED */ /* NOTREACHED */
exit(-1); exit(-1);
......
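Review bot: The `dst_key_fromlabel()` call now passes the literal `"pkcs11"` as the engine, and the label is unconditionally prefixed with `pkcs11:` (`strlen(label) + 8` covers the 7-character prefix plus the NUL), so the value parsed from `-E` no longer affects which engine the key is fetched through, even though the usage hunk in the same file still documents `-E` as naming the OpenSSL engine to use. If `engine` is still applied elsewhere, for example at library initialisation outside these hunks, the usage text should say that is its only effect; otherwise the call should go back to `rdclass, engine, label, NULL, mctx, &key);`. Either way a comment on the prefixing block, `/* labels are always resolved through the pkcs11 engine/provider; -E only selects which library is loaded */`, would record the intent. The context line `int len;` receiving `size_t` arithmetic is a pre-existing mismatch this hunk could have fixed by declaring it `size_t`.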
...@@ -133,8 +133,15 @@ ...@@ -133,8 +133,15 @@
<term>-E <replaceable class="parameter">engine</replaceable></term> <term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem> <listitem>
<para> <para>
Specifies the name of the crypto hardware (OpenSSL engine). Specifies the cryptographic hardware to use.
When compiled with PKCS#11 support it defaults to "pkcs11". </para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
...@@ -119,10 +119,15 @@ usage(void) { ...@@ -119,10 +119,15 @@ usage(void) {
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n"); fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n"); fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n"); fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
#ifdef USE_PKCS11 fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " -E <engine name> (default \"pkcs11\")\n"); #if defined(PKCS11CRYPTO)
fprintf(stderr, " path to PKCS#11 provider library "
"(default is %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " name of an OpenSSL engine to use "
"(default is \"pkcs11\")\n");
#else #else
fprintf(stderr, " -E <engine name>\n"); fprintf(stderr, " name of an OpenSSL engine to use\n");
#endif #endif
fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n"); fprintf(stderr, " -f <keyflag>: KSK | REVOKE\n");
fprintf(stderr, " -g <generator>: use specified generator " fprintf(stderr, " -g <generator>: use specified generator "
...@@ -223,7 +228,7 @@ main(int argc, char **argv) { ...@@ -223,7 +228,7 @@ main(int argc, char **argv) {
isc_log_t *log = NULL; isc_log_t *log = NULL;
isc_entropy_t *ectx = NULL; isc_entropy_t *ectx = NULL;
#ifdef USE_PKCS11 #ifdef USE_PKCS11
const char *engine = "pkcs11"; const char *engine = PKCS11_ENGINE;
#else #else
const char *engine = NULL; const char *engine = NULL;
#endif #endif
......
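Review bot: `const char *engine = PKCS11_ENGINE;` under `#ifdef USE_PKCS11` makes compilation depend on a second macro that is only supplied by configure through CDEFINES (`@PKCS11_ENGINE@`), with nothing in the source stating that coupling; the same pattern appears in the main() hunk above that calls `dst_key_fromlabel()` and in the two later main() hunks of this commit. A guard next to the first use, `#ifndef PKCS11_ENGINE` / `#error "USE_PKCS11 requires PKCS11_ENGINE from configure"` / `#endif`, turns an opaque undeclared-identifier error into a message naming the cause. The new usage text also prints `PK11_LIB_LOCATION` via `%s`; if configure can substitute an empty provider path the help output reads `(default is )`, so either configure should guarantee a non-empty value or the message should fall back to a fixed string when the macro is empty.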
...@@ -224,10 +224,15 @@ ...@@ -224,10 +224,15 @@
<term>-E <replaceable class="parameter">engine</replaceable></term> <term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem> <listitem>
<para> <para>
Uses a crypto hardware (OpenSSL engine) for random number Specifies the cryptographic hardware to use, when applicable.
and, when supported, key generation. When compiled with PKCS#11 </para>
support it defaults to pkcs11; the empty name resets it to <para>
no engine. When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
...@@ -53,7 +53,10 @@ usage(void) { ...@@ -53,7 +53,10 @@ usage(void) {
fprintf(stderr, "Usage:\n"); fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "Version: %s\n", VERSION);
#ifdef USE_PKCS11 #if defined(PKCS11CRYPTO)
fprintf(stderr, " -E engine: specify PKCS#11 provider "
"(default: %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " -E engine: specify OpenSSL engine " fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n"); "(default \"pkcs11\")\n");
#else #else
...@@ -76,7 +79,7 @@ int ...@@ -76,7 +79,7 @@ int
main(int argc, char **argv) { main(int argc, char **argv) {
isc_result_t result; isc_result_t result;
#ifdef USE_PKCS11 #ifdef USE_PKCS11
const char *engine = "pkcs11"; const char *engine = PKCS11_ENGINE;
#else #else
const char *engine = NULL; const char *engine = NULL;
#endif #endif
......
...@@ -109,8 +109,15 @@ ...@@ -109,8 +109,15 @@
<term>-E <replaceable class="parameter">engine</replaceable></term> <term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem> <listitem>
<para> <para>
Use the given OpenSSL engine. When compiled with PKCS#11 support Specifies the cryptographic hardware to use, when applicable.
it defaults to pkcs11; the empty name resets it to no engine. </para>
<para>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>
......
...@@ -57,9 +57,12 @@ usage(void) { ...@@ -57,9 +57,12 @@ usage(void) {
fprintf(stderr, " %s [options] keyfile\n\n", program); fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", VERSION); fprintf(stderr, "Version: %s\n", VERSION);
fprintf(stderr, "General options:\n"); fprintf(stderr, "General options:\n");
#ifdef USE_PKCS11 #if defined(PKCS11CRYPTO)
fprintf(stderr, " -E engine: specify PKCS#11 provider "
"(default: %s)\n", PK11_LIB_LOCATION);
#elif defined(USE_PKCS11)
fprintf(stderr, " -E engine: specify OpenSSL engine " fprintf(stderr, " -E engine: specify OpenSSL engine "
"(default \"pkcs11\")\n"); "(default \"pkcs11\")\n");
#else #else
fprintf(stderr, " -E engine: specify OpenSSL engine\n"); fprintf(stderr, " -E engine: specify OpenSSL engine\n");
#endif #endif
...@@ -119,7 +122,7 @@ int ...@@ -119,7 +122,7 @@ int
main(int argc, char **argv) { main(int argc, char **argv) {
isc_result_t result; isc_result_t result;
#ifdef USE_PKCS11 #ifdef USE_PKCS11
const char *engine = "pkcs11"; const char *engine = PKCS11_ENGINE;
#else #else
const char *engine = NULL; const char *engine = NULL;
#endif #endif
......
...@@ -153,8 +153,15 @@ ...@@ -153,8 +153,15 @@
<term>-E <replaceable class="parameter">engine</replaceable></term>