Remove OpenSSL Engine support

OpenSSL 1.x Engine support is deprecated in OpenSSL 3.x and is going to be
removed.  Remove the OpenSSL Engine support in favor of OpenSSL Providers.
Ondřej Surý
2024-08-05 11:40:42 +02:00
parent 1688c96bda
commit ef7aba7072
69 changed files with 161 additions and 575 deletions


@@ -1180,7 +1180,7 @@ main(int argc, char *argv[]) {
setup_logging(mctx, &lctx);
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));


@@ -489,7 +489,7 @@ main(int argc, char **argv) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));


@@ -408,7 +408,7 @@ main(int argc, char **argv) {
fatal("extraneous arguments");
}
result = dst_lib_init(mctx, NULL);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));


@@ -63,8 +63,6 @@ usage(void) {
" ED25519 | ED448\n");
fprintf(stderr, " -3: use NSEC3-capable algorithm\n");
fprintf(stderr, " -c class (default: IN)\n");
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f keyflag: KSK | REVOKE\n");
fprintf(stderr, " -K directory: directory in which to place "
"key files\n");
@@ -112,7 +110,6 @@ main(int argc, char **argv) {
const char *directory = NULL;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
const char *engine = NULL;
char *classname = NULL;
char *endp;
dst_key_t *key = NULL;
@@ -176,7 +173,7 @@ main(int argc, char **argv) {
classname = isc_commandline_argument;
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
@@ -335,7 +332,7 @@ main(int argc, char **argv) {
}
}
ret = dst_lib_init(mctx, engine);
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
@@ -595,8 +592,8 @@ main(int argc, char **argv) {
isc_buffer_init(&buf, filename, sizeof(filename) - 1);
/* associate the key */
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, engine,
label, NULL, mctx, &key);
ret = dst_key_fromlabel(name, alg, flags, protocol, rdclass, label,
NULL, mctx, &key);
if (ret != ISC_R_SUCCESS) {
char namestr[DNS_NAME_FORMATSIZE];
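Review bot: The new `case 'E'` in main() aborts with nothing but the result text of DST_R_NOENGINE, which tells an operator who still runs `-E pkcs11 -l label` nothing about what replaced engines; an actionable message such as `fatal("-E: OpenSSL engine support has been removed; load the key through an OpenSSL provider instead")` would. The removed `-l` documentation also drops the `pkcs11:keylabel` prefix form, so if dst_key_fromlabel() no longer splits an engine prefix off the label, the `-l` option text should state what label syntax is now expected so that old invocations are not silently reinterpreted — the label parser itself is not in this hunk, so this is inferred from the doc change. The `break` after `fatal()` is dead code if fatal() is declared noreturn. main() starts and ends outside the hunk.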


@@ -21,7 +21,7 @@ dnssec-keyfromlabel - DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
Description
~~~~~~~~~~~
@@ -63,22 +63,12 @@ Options
versions, then the NSEC3 version is used; for example,
``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
.. option:: -E engine
This option specifies the cryptographic hardware to use.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -l label
This option specifies the label for a key pair in the crypto hardware.
When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
an arbitrary string that identifies a particular key. It may be
preceded by an optional OpenSSL engine name, followed by a colon, as
in ``pkcs11:keylabel``.
an arbitrary string that identifies a particular key.
.. option:: -n nametype


@@ -176,8 +176,6 @@ usage(void) {
fprintf(stderr, " (DNSKEY generation defaults to ZONE)\n");
fprintf(stderr, " -c <class>: (default: IN)\n");
fprintf(stderr, " -d <digest bits> (0 => max, default)\n");
fprintf(stderr, " -E <engine>:\n");
fprintf(stderr, " name of an OpenSSL engine to use\n");
fprintf(stderr, " -f <keyflag>: ZSK | KSK | REVOKE\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -L <ttl>: default key TTL\n");
@@ -842,7 +840,6 @@ main(int argc, char **argv) {
isc_mem_t *mctx = NULL;
isc_result_t ret;
isc_textregion_t r;
const char *engine = NULL;
unsigned char c;
int ch;
bool set_fips_mode = false;
@@ -921,7 +918,7 @@ main(int argc, char **argv) {
}
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
c = (unsigned char)(isc_commandline_argument[0]);
@@ -1140,7 +1137,7 @@ main(int argc, char **argv) {
}
}
ret = dst_lib_init(mctx, engine);
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
@@ -1245,7 +1242,7 @@ main(int argc, char **argv) {
}
kasp_from_conf(config, mctx, lctx, ctx.policy,
ctx.directory, engine, &kasp);
ctx.directory, &kasp);
if (kasp == NULL) {
fatal("failed to load dnssec-policy '%s'",
ctx.policy);
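Review bot: The `-E` branch in main() still reaches the switch through the getopt string and then exits with only `isc_result_totext(DST_R_NOENGINE)`, so scripts that pass `-E pkcs11` fail without learning that engines were removed in favor of providers; `fatal("-E: OpenSSL engine support has been removed; use an OpenSSL provider instead")` carries that. The identical three-line `case 'E'` is now duplicated across every dnssec tool in this commit, so a single helper in the shared dnssectool code, or at least one shared message string, would keep the wording consistent when it is eventually dropped. A one-line comment at the case explaining that `E:` is retained only to produce a clear error would also tell the next maintainer when it is safe to remove it from the option string. main() starts and ends outside the hunk.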


@@ -21,7 +21,7 @@ dnssec-keygen: DNSSEC key generation tool
Synopsis
~~~~~~~~
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
:program:`dnssec-keygen` [**-3**] [**-A** date/offset] [**-a** algorithm] [**-b** keysize] [**-C**] [**-c** class] [**-D** date/offset] [**-d** bits] [**-D** sync date/offset] [**-f** flag] [**-F**] [**-G**] [**-h**] [**-I** date/offset] [**-i** interval] [**-K** directory] [**-k** policy] [**-L** ttl] [**-l** file] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-q**] [**-R** date/offset] [**-S** key] [**-s** strength] [**-T** rrtype] [**-t** type] [**-V**] [**-v** level] {name}
Description
~~~~~~~~~~~
@@ -94,14 +94,6 @@ Options
and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
ECDSAP384SHA384, ED25519, and ED448.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f flag
This option sets the specified flag in the flag field of the KEY/DNSKEY record.


@@ -41,7 +41,6 @@ const char *program = "dnssec-ksr";
*/
static isc_log_t *lctx = NULL;
static isc_mem_t *mctx = NULL;
const char *engine = NULL;
/*
* The domain we are working on
*/
@@ -122,7 +121,6 @@ usage(int ret) {
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "\n");
fprintf(stderr, "Options:\n");
fprintf(stderr, " -E <engine>: name of an OpenSSL engine to use\n");
fprintf(stderr, " -e <date/offset>: end date\n");
fprintf(stderr, " -F: FIPS mode\n");
fprintf(stderr, " -f: KSR file to sign\n");
@@ -173,8 +171,7 @@ getkasp(ksr_ctx_t *ksr, dns_kasp_t **kasp) {
fatal("unable to load dnssec-policy '%s' from '%s'",
ksr->policy, ksr->configfile);
}
kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, engine,
kasp);
kasp_from_conf(config, mctx, lctx, ksr->policy, ksr->keydir, kasp);
if (*kasp == NULL) {
fatal("failed to load dnssec-policy '%s'", ksr->policy);
}
@@ -1213,7 +1210,7 @@ main(int argc, char *argv[]) {
while ((ch = isc_commandline_parse(argc, argv, OPTIONS)) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'e':
ksr.end = strtotime(isc_commandline_argument, ksr.now,
@@ -1267,7 +1264,7 @@ main(int argc, char *argv[]) {
fatal("must provide a command and zone name");
}
ret = dst_lib_init(mctx, engine);
ret = dst_lib_init(mctx);
if (ret != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s", isc_result_totext(ret));
}
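Review bot: With the file-scope `engine` variable gone, the `case 'E'` in main() exists only to reject itself, yet nothing at that case says so and OPTIONS (not in the hunk) presumably still lists `E:`; a comment such as `/* -E: engine support removed; kept so existing scripts fail with a clear message */` would record the intent. The message itself should also name the replacement, e.g. `fatal("-E: OpenSSL engine support has been removed; use an OpenSSL provider")`, since dnssec-ksr is used in offline-KSK setups where the KSK commonly lives in an HSM. getkasp() and main() both continue outside the hunk.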


@@ -21,7 +21,7 @@ dnssec-ksr - Create signed key response (SKR) files for offline KSK setups
Synopsis
~~~~~~~~
:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
:program:`dnssec-ksr` [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
Description
~~~~~~~~~~~
@@ -40,14 +40,6 @@ server.
Options
~~~~~~~
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -e date/offset
This option sets the end date for which keys or SKRs need to be generated


@@ -46,7 +46,6 @@ usage(void) {
fprintf(stderr, "Usage:\n");
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force overwrite\n");
fprintf(stderr, " -h: help\n");
fprintf(stderr, " -K directory: use directory for key files\n");
@@ -64,7 +63,6 @@ usage(void) {
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
char const *filename = NULL;
char *dir = NULL;
char newname[1024], oldname[1024];
@@ -89,7 +87,7 @@ main(int argc, char **argv) {
while ((ch = isc_commandline_parse(argc, argv, "E:fK:rRhv:V")) != -1) {
switch (ch) {
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
force = true;
@@ -159,7 +157,7 @@ main(int argc, char **argv) {
}
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
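Review bot: The option string `"E:fK:rRhv:V"` in main() still lists `E:` while usage() no longer documents `-E`, so the option is accepted and then aborts with the raw DST_R_NOENGINE text; either drop `E:` so getopt reports an unknown option, or keep it deliberately and say why: `/* -E kept only so old scripts get a clear "engines removed" error */` together with `fatal("-E: OpenSSL engine support has been removed; use an OpenSSL provider")`. If fatal() is noreturn, the `break` that follows it is unreachable. main() continues past the hunk.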


@@ -21,7 +21,7 @@ dnssec-revoke - set the REVOKED bit on a DNSSEC key
Synopsis
~~~~~~~~
:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}
:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-f**] [**-R**] {keyfile}
Description
~~~~~~~~~~~
@@ -53,14 +53,6 @@ Options
This option prints version information.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -f
This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair,


@@ -51,7 +51,6 @@ usage(void) {
fprintf(stderr, " %s [options] keyfile\n\n", program);
fprintf(stderr, "Version: %s\n", PACKAGE_VERSION);
fprintf(stderr, "General options:\n");
fprintf(stderr, " -E engine: specify OpenSSL engine\n");
fprintf(stderr, " -f: force update of old-style "
"keys\n");
fprintf(stderr, " -K directory: set key file location\n");
@@ -186,7 +185,6 @@ writekey(dst_key_t *key, const char *directory, bool write_state) {
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
const char *filename = NULL;
char *directory = NULL;
char keystr[DST_KEY_FORMATSIZE];
@@ -314,7 +312,7 @@ main(int argc, char **argv) {
&setdstime);
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'f':
force = true;
@@ -555,7 +553,7 @@ main(int argc, char **argv) {
fatal("Options -g, -d, -k, -r and -z require -s to be set");
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("Could not initialize dst: %s",
isc_result_totext(result));
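Review bot: In main() the `-E` case now fatals with only the DST_R_NOENGINE result text, which does not tell the operator that OpenSSL providers replaced engines or that the option is gone for good; `fatal("-E: OpenSSL engine support has been removed; configure an OpenSSL provider instead")` is clearer and matches what the removed manual text promised. The `break` after `fatal()` is dead if fatal() is declared noreturn, as the other uses in this file suggest. main() starts and ends outside the hunk.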


@@ -21,7 +21,7 @@ dnssec-settime: set the key timing metadata for a DNSSEC key
Synopsis
~~~~~~~~
:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
Description
~~~~~~~~~~~
@@ -97,14 +97,6 @@ Options
This option sets the debugging level.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
Timing Options
~~~~~~~~~~~~~~


@@ -3263,8 +3263,6 @@ usage(void) {
fprintf(stderr, "\t-a:\t");
fprintf(stderr, "verify generated signatures\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-P:\t");
fprintf(stderr, "disable post-sign verification\n");
fprintf(stderr, "\t-Q:\t");
@@ -3353,7 +3351,6 @@ main(int argc, char *argv[]) {
dns_dnsseckey_t *key;
isc_result_t result, vresult;
isc_log_t *log = NULL;
const char *engine = NULL;
bool free_output = false;
int tempfilelen = 0;
dns_rdataclass_t rdclass;
@@ -3461,7 +3458,7 @@ main(int argc, char *argv[]) {
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'e':
@@ -3748,7 +3745,7 @@ main(int argc, char *argv[]) {
}
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
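Review bot: dnssec-signzone is the tool where HSM-held keys were actually used to sign, and the new `case 'E'` in main() rejects `-E` with nothing more than the DST_R_NOENGINE text; losing access to signing keys during a scheduled re-sign is an outage scenario, so the message should point at the replacement, e.g. `fatal("-E: OpenSSL engine support has been removed; load the key through an OpenSSL provider")`, and the deleted `-E` paragraph in the manual would be better replaced by a short migration note than removed outright. The key-loading path that previously received the engine is not in this hunk, so whether a label-based key still resolves without `-E` cannot be confirmed here. main() starts and ends outside the hunk.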


@@ -21,7 +21,7 @@ dnssec-signzone - DNSSEC zone signing tool
Synopsis
~~~~~~~~
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-E** engine] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
:program:`dnssec-signzone` [**-a**] [**-c** class] [**-d** directory] [**-D**] [**-e** end-time] [**-f** output-file] [**-F**] [**-g**] [**-G sync-records**] [**-h**] [**-i** interval] [**-I** input-format] [**-j** jitter] [**-J** filename] [**-K** directory] [**-k** key] [**-L** serial] [**-M** maxttl] [**-N** soa-serial-format] [**-o** origin] [**-O** output-format] [**-P**] [**-Q**] [**-q**] [**-R**] [**-S**] [**-s** start-time] [**-T** ttl] [**-t**] [**-u**] [**-v** level] [**-V**] [**-X** extended end-time] [**-x**] [**-z**] [**-3** salt] [**-H** iterations] [**-A**] {zonefile} [key...]
Description
~~~~~~~~~~~
@@ -62,15 +62,6 @@ Options
``$INCLUDE``. This option cannot be combined with :option:`-O raw <-O>`
or serial-number updating.
.. option:: -E engine
This option specifies the hardware to use for cryptographic
operations, such as a secure key store used for signing, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)


@@ -157,8 +157,6 @@ usage(void) {
fprintf(stderr, "\t-I format:\n");
fprintf(stderr, "\t\tfile format of input zonefile (text)\n");
fprintf(stderr, "\t-c class (IN)\n");
fprintf(stderr, "\t-E engine:\n");
fprintf(stderr, "\t\tname of an OpenSSL engine to use\n");
fprintf(stderr, "\t-x:\tDNSKEY record signed with KSKs only, "
"not ZSKs\n");
fprintf(stderr, "\t-z:\tAll records signed with KSKs\n");
@@ -171,7 +169,6 @@ main(int argc, char *argv[]) {
char *inputformatstr = NULL;
isc_result_t result;
isc_log_t *log = NULL;
const char *engine = NULL;
char *classname = NULL;
dns_rdataclass_t rdclass;
char *endp;
@@ -215,7 +212,7 @@ main(int argc, char *argv[]) {
break;
case 'E':
engine = isc_commandline_argument;
fatal("%s", isc_result_totext(DST_R_NOENGINE));
break;
case 'I':
@@ -275,7 +272,7 @@ main(int argc, char *argv[]) {
}
}
result = dst_lib_init(mctx, engine);
result = dst_lib_init(mctx);
if (result != ISC_R_SUCCESS) {
fatal("could not initialize dst: %s",
isc_result_totext(result));
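Review bot: The `-E` case in main() now aborts with the DST_R_NOENGINE text followed by an unreachable `break`; since dnssec-verify only needs public keys, this tool never depended on an engine for signing, so a plain `fatal("-E: OpenSSL engine support has been removed")` is enough here, but the wording should match whatever the other tools in this commit settle on. main() starts and ends outside the hunk.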


@@ -21,7 +21,7 @@ dnssec-verify - DNSSEC zone verification tool
Synopsis
~~~~~~~~
:program:`dnssec-verify` [**-c** class] [**-E** engine] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
:program:`dnssec-verify` [**-c** class] [**-I** input-format] [**-J** filename] [**-o** origin] [**-q**] [**-v** level] [**-V**] [**-x**] [**-z**] {zonefile}
Description
~~~~~~~~~~~
@@ -37,14 +37,6 @@ Options
This option specifies the DNS class of the zone.
.. option:: -E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
engine identifier that drives the cryptographic accelerator or
hardware service module (usually ``pkcs11``).
.. option:: -I input-format
This option sets the format of the input zone file. Possible formats are ``text``


@@ -605,8 +605,7 @@ cleanup:
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
const char *name, const char *keydir, const char *engine,
dns_kasp_t **kaspp) {
const char *name, const char *keydir, dns_kasp_t **kaspp) {
isc_result_t result = ISC_R_NOTFOUND;
const cfg_listelt_t *element;
const cfg_obj_t *kasps = NULL;
@@ -625,8 +624,8 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
{
cfg_obj_t *kconfig = cfg_listelt_value(element);
ks = NULL;
result = cfg_keystore_fromconfig(kconfig, mctx, lctx, engine,
&kslist, NULL);
result = cfg_keystore_fromconfig(kconfig, mctx, lctx, &kslist,
NULL);
if (result != ISC_R_SUCCESS) {
fatal("failed to configure key-store '%s': %s",
cfg_obj_asstring(cfg_tuple_get(kconfig, "name")),
@@ -635,7 +634,7 @@ kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
}
/* Default key-directory key store. */
ks = NULL;
(void)cfg_keystore_fromconfig(NULL, mctx, lctx, engine, &kslist, &ks);
(void)cfg_keystore_fromconfig(NULL, mctx, lctx, &kslist, &ks);
INSIST(ks != NULL);
if (keydir != NULL) {
/* '-K keydir' takes priority */
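Review bot: kasp_from_conf() loses its `engine` parameter but still carries no comment describing its contract, and its behaviour is easy to get wrong from the callers' side: it calls fatal() on a bad key-store rather than returning, and the callers in this commit test `kasp == NULL` afterwards, which suggests `*kaspp` is left NULL when the policy is not found (the `ISC_R_NOTFOUND` initialiser points the same way, though the lookup loop is outside the hunk). I would add above the definition: `/* Build the dns_kasp_t named 'name' from 'config'. fatal()s on a bad key-store; leaves *kaspp NULL if no such policy exists. '-K keydir' overrides the default key-store directory. */`. The result of the default-key-store `cfg_keystore_fromconfig()` call is still discarded with `(void)` and only `ks` is checked, which predates this change but is worth a one-line comment saying why the result can be ignored. The function continues past the hunk.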


@@ -119,5 +119,4 @@ loadjournal(isc_mem_t *mctx, dns_db_t *db, const char *journal);
void
kasp_from_conf(cfg_obj_t *config, isc_mem_t *mctx, isc_log_t *lctx,
const char *name, const char *keydir, const char *engine,
dns_kasp_t **kaspp);
const char *name, const char *keydir, dns_kasp_t **kaspp);