Make OpenSSL mandatory

c3b8130f · Ondřej Surý · 3322e41e · c3b8130f · c3b8130f · c3b8130f
Commit c3b8130f authored Jun 12, 2018 by Ondřej Surý
--- a/acconfig.h
+++ b/acconfig.h
@@ -121,12 +121,6 @@ int sigwait(const unsigned int *set, int *sig);
 /** define if you have strerror in the C library. */
 #undef HAVE_STRERROR

-/* Define if OpenSSL includes DSA support */
-#undef HAVE_OPENSSL_DSA
-
-/* Define if you have getpassphrase in the C library. */
-#undef HAVE_GETPASSPHRASE
-
 /* Define to the length type used by the socket API (socklen_t, size_t, int). */
 #undef ISC_SOCKADDR_LEN_T


--- a/aclocal.m4
+++ b/aclocal.m4
@@ -288,8 +288,9 @@ AS_VAR_COPY([$1], [pkg_cv_][$1])
 AS_VAR_IF([$1], [""], [$5], [$4])dnl
 ])dnl PKG_CHECK_VAR

-m4_include([libtool.m4/libtool.m4])
-m4_include([libtool.m4/ltoptions.m4])
-m4_include([libtool.m4/ltsugar.m4])
-m4_include([libtool.m4/ltversion.m4])
-m4_include([libtool.m4/lt~obsolete.m4])
+m4_include([m4/ax_check_openssl.m4])
+m4_include([m4/libtool.m4])
+m4_include([m4/ltoptions.m4])
+m4_include([m4/ltsugar.m4])
+m4_include([m4/ltversion.m4])
+m4_include([m4/lt~obsolete.m4])
--- a/bin/check/Makefile.in
+++ b/bin/check/Makefile.in
@@ -16,15 +16,15 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@

 CINCLUDES =	${NS_INCLUDES} ${BIND9_INCLUDES} ${DNS_INCLUDES} ${ISCCFG_INCLUDES} \
-		${ISC_INCLUDES} @DST_OPENSSL_INC@
+		${ISC_INCLUDES} @OPENSSL_INCLUDES@

 CDEFINES = 	-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
 CWARNINGS =

 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
 NSLIBS =	../../lib/ns/libns.@A@


--- a/bin/confgen/Makefile.in
+++ b/bin/confgen/Makefile.in
@@ -27,8 +27,8 @@ CWARNINGS =

 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 ISCCCLIBS =	../../lib/isccc/libisccc.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@


--- a/bin/confgen/ddns-confgen.c
+++ b/bin/confgen/ddns-confgen.c
@@ -36,7 +36,7 @@
 #include <isc/time.h>
 #include <isc/util.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -102,7 +102,7 @@ main(int argc, char **argv) {
 	int len = 0;
 	int ch;

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/confgen/keygen.c
+++ b/bin/confgen/keygen.c
@@ -43,10 +43,8 @@
 const char *
 alg_totext(dns_secalg_t alg) {
 	switch (alg) {
-#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
 		return "hmac-md5";
-#endif
 	    case DST_ALG_HMACSHA1:
 		return "hmac-sha1";
 	    case DST_ALG_HMACSHA224:
@@ -71,10 +69,8 @@ alg_fromtext(const char *name) {
 	if (strncasecmp(p, "hmac-", 5) == 0)
 		p = &name[5];

-#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(p, "md5") == 0)
 		return DST_ALG_HMACMD5;
-#endif
 	if (strcasecmp(p, "sha1") == 0)
 		return DST_ALG_HMACSHA1;
 	if (strcasecmp(p, "sha224") == 0)
@@ -124,9 +120,7 @@ generate_key(isc_mem_t *mctx, dns_secalg_t alg, int keysize,
 	dst_key_t *key = NULL;

 	switch (alg) {
-#ifndef PK11_MD5_DISABLE
 	    case DST_ALG_HMACMD5:
-#endif
 	    case DST_ALG_HMACSHA1:
 	    case DST_ALG_HMACSHA224:
 	    case DST_ALG_HMACSHA256:

--- a/bin/delv/Makefile.in
+++ b/bin/delv/Makefile.in
@@ -16,7 +16,7 @@ VERSION=@BIND9_VERSION@
 @BIND9_MAKE_INCLUDES@

 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @DST_OPENSSL_INC@
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @OPENSSL_INCLUDES@

 CDEFINES =	-DVERSION=\"${VERSION}\" \
 		-DSYSCONFDIR=\"${sysconfdir}\"
@@ -24,8 +24,8 @@ CWARNINGS =

 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@

 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

--- a/bin/dig/Makefile.in
+++ b/bin/dig/Makefile.in
@@ -19,7 +19,7 @@ READLINE_LIB = @READLINE_LIB@

 CINCLUDES =	-I${srcdir}/include ${DNS_INCLUDES} \
 		${BIND9_INCLUDES} ${ISC_INCLUDES} \
-		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @DST_OPENSSL_INC@
+		${IRS_INCLUDES} ${ISCCFG_INCLUDES} @LIBIDN2_CFLAGS@ @OPENSSL_INCLUDES@

 CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =
@@ -27,8 +27,8 @@ CWARNINGS =
 ISCCFGLIBS =	../../lib/isccfg/libisccfg.@A@
 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
 BIND9LIBS =	../../lib/bind9/libbind9.@A@
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
 IRSLIBS =	../../lib/irs/libirs.@A@

 ISCCFGDEPLIBS =	../../lib/isccfg/libisccfg.@A@

--- a/bin/dig/dig.c
+++ b/bin/dig/dig.c
@@ -1771,11 +1771,7 @@ dash_option(char *option, char *next, dig_lookup_t **lookup,
 			ptr = ptr2;
 			ptr2 = ptr3;
 		} else  {
-#ifndef PK11_MD5_DISABLE
 			hmacname = DNS_TSIG_HMACMD5_NAME;
-#else
-			hmacname = DNS_TSIG_HMACSHA256_NAME;
-#endif
 			digestbits = 0;
 		}
 		/* XXXONDREJ: FIXME */

--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -84,7 +84,7 @@

 #include <dig/dig.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -1032,14 +1032,12 @@ parse_hmac(const char *hmac) {

 	digestbits = 0;

-#ifndef PK11_MD5_DISABLE
 	if (strcasecmp(buf, "hmac-md5") == 0) {
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 	} else if (strncasecmp(buf, "hmac-md5-", 9) == 0) {
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		digestbits = parse_bits(&buf[9], "digest-bits [0..128]", 128);
 	} else
-#endif
 	if (strcasecmp(buf, "hmac-sha1") == 0) {
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		digestbits = 0;
@@ -1153,11 +1151,9 @@ setup_file_key(void) {
 	}

 	switch (dst_key_alg(dstkey)) {
-#ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		hmacname = DNS_TSIG_HMACMD5_NAME;
 		break;
-#endif
 	case DST_ALG_HMACSHA1:
 		hmacname = DNS_TSIG_HMACSHA1_NAME;
 		break;
@@ -1314,7 +1310,7 @@ setup_libs(void) {

 	debug("setup_libs()");

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -15,15 +15,14 @@ VERSION=@BIND9_VERSION@

 @BIND9_MAKE_INCLUDES@

-CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @DST_OPENSSL_INC@
+CINCLUDES =	${DNS_INCLUDES} ${ISC_INCLUDES} @OPENSSL_INCLUDES@

-CDEFINES =	-DVERSION=\"${VERSION}\" @USE_PKCS11@ @PKCS11_ENGINE@ \
-		-DPK11_LIB_LOCATION=\"@PKCS11_PROVIDER@\"
+CDEFINES =	-DVERSION=\"${VERSION}\"
 CWARNINGS =

 DNSLIBS =	../../lib/dns/libdns.@A@ @DNS_CRYPTO_LIBS@
-ISCLIBS =	../../lib/isc/libisc.@A@ @ISC_OPENSSL_LIBS@
-ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @ISC_OPENSSL_LIBS@
+ISCLIBS =	../../lib/isc/libisc.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@
+ISCNOSYMLIBS =	../../lib/isc/libisc-nosymtbl.@A@ @OPENSSL_LDFLAGS@ @OPENSSL_LIBS@

 DNSDEPLIBS =	../../lib/dns/libdns.@A@
 ISCDEPLIBS =	../../lib/isc/libisc.@A@

--- a/bin/dnssec/dnssec-cds.c
+++ b/bin/dnssec/dnssec-cds.c
@@ -53,7 +53,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -1147,7 +1147,7 @@ main(int argc, char *argv[]) {
 		fatal("out of memory");
 	}

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -41,7 +41,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -370,7 +370,7 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/dnssec/dnssec-importkey.c
+++ b/bin/dnssec/dnssec-importkey.c
@@ -41,7 +41,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -310,7 +310,7 @@ main(int argc, char **argv) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/dnssec/dnssec-keyfromlabel.c
+++ b/bin/dnssec/dnssec-keyfromlabel.c
@@ -37,7 +37,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -69,12 +69,9 @@ usage(void) {
 	fprintf(stderr, "    -3: use NSEC3-capable algorithm\n");
 	fprintf(stderr, "    -c class (default: IN)\n");
 	fprintf(stderr, "    -E <engine>:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
 	fprintf(stderr, "        path to PKCS#11 provider library "
 				"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
-	fprintf(stderr, "        name of an OpenSSL engine to use "
-				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "        name of an OpenSSL engine to use\n");
 #endif
@@ -124,11 +121,7 @@ main(int argc, char **argv) {
 	const char	*directory = NULL;
 	const char	*predecessor = NULL;
 	dst_key_t	*prevkey = NULL;
-#ifdef USE_PKCS11
-	const char	*engine = PKCS11_ENGINE;
-#else
 	const char	*engine = NULL;
-#endif
 	char		*classname = NULL;
 	char		*endp;
 	dst_key_t	*key = NULL;
@@ -173,7 +166,7 @@ main(int argc, char **argv) {

 	RUNTIME_CHECK(isc_mem_create(0, 0, &mctx) == ISC_R_SUCCESS);

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
@@ -388,20 +381,10 @@ main(int argc, char **argv) {
 		}

 		if (strcasecmp(algname, "RSA") == 0) {
-#ifndef PK11_MD5_DISABLE
 			fprintf(stderr, "The use of RSA (RSAMD5) is not "
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
-#else
-			fprintf(stderr,
-				"The use of RSA (RSAMD5) was disabled\n");
-			if (freeit != NULL)
-				free(freeit);
-			return (1);
-		} else if (strcasecmp(algname, "RSAMD5") == 0) {
-			fprintf(stderr, "The use of RSAMD5 was disabled\n");
-#endif
 			if (freeit != NULL)
 				free(freeit);
 			return (1);
@@ -512,11 +495,6 @@ main(int argc, char **argv) {
 		alg = dst_key_alg(prevkey);
 		flags = dst_key_flags(prevkey);

-#ifdef PK11_MD5_DISABLE
-		if (alg == DST_ALG_RSAMD5)
-			fatal("Key %s uses disabled RSAMD5", predecessor);
-#endif
-
 		dst_key_format(prevkey, keystr, sizeof(keystr));
 		dst_key_getprivateformat(prevkey, &major, &minor);
 		if (major != DST_MAJOR_VERSION || minor < DST_MINOR_VERSION)
@@ -606,7 +584,7 @@ main(int argc, char **argv) {

 	/* associate the key */
 	ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass,
-#if HAVE_PKCS11
+#if USE_PKCS11
 				"pkcs11",
 #else
 				engine,

--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -52,7 +52,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -106,12 +106,9 @@ usage(void) {
 	fprintf(stderr, "    -c <class>: (default: IN)\n");
 	fprintf(stderr, "    -d <digest bits> (0 => max, default)\n");
 	fprintf(stderr, "    -E <engine>:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
 	fprintf(stderr, "        path to PKCS#11 provider library "
 				"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
-	fprintf(stderr, "        name of an OpenSSL engine to use "
-				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "        name of an OpenSSL engine to use\n");
 #endif
@@ -216,11 +213,7 @@ main(int argc, char **argv) {
 	dst_key_t	*prevkey = NULL;
 	isc_buffer_t	buf;
 	isc_log_t	*log = NULL;
-#ifdef USE_PKCS11
-	const char	*engine = PKCS11_ENGINE;
-#else
 	const char	*engine = NULL;
-#endif
 	dns_rdataclass_t rdclass;
 	int		options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
 	int		dbits = 0;
@@ -247,7 +240,7 @@ main(int argc, char **argv) {
 	if (argc == 1)
 		usage();

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();
@@ -523,23 +516,12 @@ main(int argc, char **argv) {
 		}

 		if (strcasecmp(algname, "RSA") == 0) {
-#ifndef PK11_MD5_DISABLE
 			fprintf(stderr, "The use of RSA (RSAMD5) is not "
 					"recommended.\nIf you still wish to "
 					"use RSA (RSAMD5) please specify "
 					"\"-a RSAMD5\"\n");
 			INSIST(freeit == NULL);
 			return (1);
-#else
-			fprintf(stderr,
-				"The use of RSA (RSAMD5) was disabled\n");
-			INSIST(freeit == NULL);
-			return (1);
-		} else if (strcasecmp(algname, "RSAMD5") == 0) {
-			fprintf(stderr, "The use of RSAMD5 was disabled\n");
-			INSIST(freeit == NULL);
-			return (1);
-#endif
 		} else {
 			r.base = algname;
 			r.length = strlen(algname);
@@ -552,10 +534,6 @@ main(int argc, char **argv) {
 			}
 		}

-#ifdef PK11_MD5_DISABLE
-		INSIST((alg != DNS_KEYALG_RSAMD5));
-#endif
-
 		if (!dst_algorithm_supported(alg)) {
 			fatal("unsupported algorithm: %d", alg);
 		}

--- a/bin/dnssec/dnssec-revoke.c
+++ b/bin/dnssec/dnssec-revoke.c
@@ -30,7 +30,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -49,12 +49,9 @@ usage(void) {
 	fprintf(stderr, "Usage:\n");
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
-#if HAVE_PKCS11
+#if USE_PKCS11
 	fprintf(stderr, "    -E engine:    specify PKCS#11 provider "
 					"(default: %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
-	fprintf(stderr, "    -E engine:    specify OpenSSL engine "
-					   "(default \"pkcs11\")\n");
 #else
 	fprintf(stderr, "    -E engine:    specify OpenSSL engine\n");
 #endif
@@ -75,11 +72,7 @@ usage(void) {
 int
 main(int argc, char **argv) {
 	isc_result_t result;
-#ifdef USE_PKCS11
-	const char *engine = PKCS11_ENGINE;
-#else
 	const char *engine = NULL;
-#endif
 	char const *filename = NULL;
 	char *dir = NULL;
 	char newname[1024], oldname[1024];

--- a/bin/dnssec/dnssec-settime.c
+++ b/bin/dnssec/dnssec-settime.c
@@ -33,7 +33,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -53,7 +53,7 @@ usage(void) {
 	fprintf(stderr,	"    %s [options] keyfile\n\n", program);
 	fprintf(stderr, "Version: %s\n", VERSION);
 	fprintf(stderr, "General options:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
 	fprintf(stderr, "    -E engine:          specify PKCS#11 provider "
 					"(default: %s)\n", PK11_LIB_LOCATION);
 #elif defined(USE_PKCS11)
@@ -127,11 +127,7 @@ printtime(dst_key_t *key, int type, const char *tag, isc_boolean_t epoch,
 int
 main(int argc, char **argv) {
 	isc_result_t	result;
-#ifdef USE_PKCS11
-	const char	*engine = PKCS11_ENGINE;
-#else
 	const char	*engine = NULL;
-#endif
 	const char 	*filename = NULL;
 	char		*directory = NULL;
 	char		newname[1024];
@@ -178,7 +174,7 @@ main(int argc, char **argv) {

 	setup_logging(mctx, &log);

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/dnssec/dnssec-signzone.c
+++ b/bin/dnssec/dnssec-signzone.c
@@ -80,7 +80,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -3131,12 +3131,9 @@ usage(void) {
 	fprintf(stderr, "verify generated signatures\n");
 	fprintf(stderr, "\t-c class (IN)\n");
 	fprintf(stderr, "\t-E engine:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
 	fprintf(stderr, "\t\tpath to PKCS#11 provider library "
 		"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
-	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
-				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
 #endif
@@ -3229,11 +3226,7 @@ main(int argc, char *argv[]) {
 	dns_dnsseckey_t *key;
 	isc_result_t result, vresult;
 	isc_log_t *log = NULL;
-#ifdef USE_PKCS11
-	const char *engine = PKCS11_ENGINE;
-#else
 	const char *engine = NULL;
-#endif
 	isc_boolean_t free_output = ISC_FALSE;
 	int tempfilelen = 0;
 	dns_rdataclass_t rdclass;
@@ -3286,7 +3279,7 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();

--- a/bin/dnssec/dnssec-verify.c
+++ b/bin/dnssec/dnssec-verify.c
@@ -62,7 +62,7 @@

 #include <dst/dst.h>

-#if HAVE_PKCS11
+#if USE_PKCS11
 #include <pk11/result.h>
 #endif

@@ -150,12 +150,9 @@ usage(void) {
 	fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
 	fprintf(stderr, "\t-c class (IN)\n");
 	fprintf(stderr, "\t-E engine:\n");
-#if HAVE_PKCS11
+#if USE_PKCS11
 	fprintf(stderr, "\t\tpath to PKCS#11 provider library "
 		"(default is %s)\n", PK11_LIB_LOCATION);
-#elif defined(USE_PKCS11)
-	fprintf(stderr, "\t\tname of an OpenSSL engine to use "
-				"(default is \"pkcs11\")\n");
 #else
 	fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
 #endif
@@ -171,11 +168,7 @@ main(int argc, char *argv[]) {
 	char *inputformatstr = NULL;
 	isc_result_t result;
 	isc_log_t *log = NULL;
-#ifdef USE_PKCS11
-	const char *engine = PKCS11_ENGINE;
-#else
 	const char *engine = NULL;
-#endif
 	char *classname = NULL;
 	dns_rdataclass_t rdclass;
 	char *endp;
@@ -212,7 +205,7 @@ main(int argc, char *argv[]) {
 	if (result != ISC_R_SUCCESS)
 		fatal("out of memory");

-#if HAVE_PKCS11
+#if USE_PKCS11
 	pk11_result_register();
 #endif
 	dns_result_register();