[master] native PKCS#11 support
3705. [func] "configure --enable-native-pkcs11" enables BIND to use the PKCS#11 API for all cryptographic functions, so that it can drive a hardware service module directly without the need to use a modified OpenSSL as intermediary (so long as the HSM's vendor provides a complete-enough implementation of the PKCS#11 interface). This has been tested successfully with the Thales nShield HSM and with SoftHSMv2 from the OpenDNSSEC project. [RT #29031]
This commit is contained in:
@@ -45,8 +45,14 @@
|
||||
#include <dst/dst.h>
|
||||
#include <dst/gssapi.h>
|
||||
|
||||
#include "dst_internal.h"
|
||||
|
||||
#define TKEY_RANDOM_AMOUNT 16
|
||||
|
||||
#ifdef PKCS11CRYPTO
|
||||
#include <iscpk11/pk11.h>
|
||||
#endif
|
||||
|
||||
#define RETERR(x) do { \
|
||||
result = (x); \
|
||||
if (result != ISC_R_SUCCESS) \
|
||||
@@ -382,8 +388,8 @@ process_dhtkey(dns_message_t *msg, dns_name_t *signer, dns_name_t *name,
|
||||
if (randomdata == NULL)
|
||||
goto failure;
|
||||
|
||||
result = isc_entropy_getdata(tctx->ectx, randomdata,
|
||||
TKEY_RANDOM_AMOUNT, NULL, 0);
|
||||
result = dst__entropy_getdata(randomdata, TKEY_RANDOM_AMOUNT,
|
||||
ISC_FALSE);
|
||||
if (result != ISC_R_SUCCESS) {
|
||||
tkey_log("process_dhtkey: failed to obtain entropy: %s",
|
||||
isc_result_totext(result));
|
||||
|
||||
Reference in New Issue
Block a user