[Opendnssec-develop] HSM reopen

Rickard Bellgrim rickard at opendnssec.org
Fri Aug 26 13:44:13 UTC 2011


I think we could implement a simpler NO-OP in libhsm, so that we
do not need to count keys, just to see that the sessions still work.

// Rickard

On Thu, Aug 25, 2011 at 11:55 AM, Siôn Lloyd <sion at nominet.org.uk> wrote:
> From the meeting yesterday I was going to find the patch for HSM connection
> fun.
>
> This is code that I added in December last year, the patch is for the 1.1
> branch.
>
> For my tests Rickard suggested adding the following:
>
> for (int i = 0; i < ctx->session_count; i++)
> {
>    ctx->session[i]->session = 0;
> }
>
> which invalidates any HSM connections... It worked, but as I am not sure
> that this looks the same as a timed out connection I did not commit the
> code.
>
> It validates a connection by counting the keys, which seems like a neutral
> operation. As the enforcer doesn't run so often this should be okay; I'm not
> sure that the overhead of this is acceptable for the signer though.
>
> Sion
>
>
>
> sion at sion:~/work/opendnssec/OpenDNSSEC-1.1$ svn diff
> Index: enforcer/enforcerd/enforcer.c
> ===================================================================
> --- enforcer/enforcerd/enforcer.c       (revision 4267)
> +++ enforcer/enforcerd/enforcer.c       (working copy)
> @@ -286,6 +286,10 @@
>             log_msg(config, LOG_INFO, "Received SIGINT, exiting...");
>             break;
>         }
> +
> +        /* Make sure that we can still talk to the HSM; this call exits if
> +           we can not */
> +        check_hsm_connection(&ctx, config);
>     }
>
>     /*
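Review bot: The new call gives the loop no way to see a failed reopen, so the only exit is the `exit(1)` inside `check_hsm_connection`, which skips whatever teardown follows the loop and which the SIGINT branch reaches through `break`. Returning a status and writing `if (check_hsm_connection(&ctx, config) != 0) break;` would send both exits down one path; the helper's return type would change from `void` to `int` to match. The loop body and the code after the loop lie outside this hunk, so how much cleanup is skipped cannot be seen from here.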
> @@ -1771,3 +1775,71 @@
>
>     return status;
>  }
> +
> +void check_hsm_connection(hsm_ctx_t **ctx, DAEMONCONFIG *config)
> +{
> +    int result = 0;
> +    char *hsm_error_message = NULL;
> +    int i;
> +
> +    for (i = 0; i < (*ctx)->session_count; i++) {
> +        result = hsm_count_keys_session(*ctx, (*ctx)->session[i]);
> +        if (result == 0) {
> +            /* Either that HSM is empty or we could not talk to it,
> +               assume that we need to reconnect */
> +            break;
> +        }
> +    }
> +
> +    /* If we got zero then it probably means that we could not talk to an
> HSM
> */
> +    if (result == 0) {
> +
> +        if (*ctx) {
> +            hsm_destroy_context(*ctx);
> +        }
> +
> +        result = hsm_close();
> +
> +        if (config->configfile != NULL) {
> +            result = hsm_open(config->configfile, hsm_prompt_pin, NULL);
> +        } else {
> +            result = hsm_open(CONFIG_FILE, hsm_prompt_pin, NULL);
> +        }
> +        if (result) {
> +            hsm_error_message = hsm_get_error(*ctx);
> +            if (hsm_error_message) {
> +                log_msg(config, LOG_ERR, hsm_error_message);
> +                free(hsm_error_message);
> +            } else {
> +                /* decode the error code ourselves
> +                   TODO find if there is a better way to do this (and can
> all
> of these be returned? are there others?) */
> +                switch (result) {
> +                    case HSM_ERROR:
> +                        log_msg(config, LOG_ERR, "hsm_open() result: HSM
> error");
> +                        break;
> +                    case HSM_PIN_INCORRECT:
> +                        log_msg(config, LOG_ERR, "hsm_open() result:
> incorrect
> PIN");
> +                        break;
> +                    case HSM_CONFIG_FILE_ERROR:
> +                        log_msg(config, LOG_ERR, "hsm_open() result: config
> file
> error");
> +                        break;
> +                    case HSM_REPOSITORY_NOT_FOUND:
> +                        log_msg(config, LOG_ERR, "hsm_open() result:
> repository not found");
> +                        break;
> +                    case HSM_NO_REPOSITORIES:
> +                        log_msg(config, LOG_ERR, "hsm_open() result: no
> repositories");
> +                        break;
> +                    default:
> +                        log_msg(config, LOG_ERR, "hsm_open() result: %d",
> result);
> +                }
> +            }
> +            unlink(config->pidfile);
> +            exit(1);
> +        }
> +        log_msg(config, LOG_INFO, "HSM reopened successfully.");
> +        *ctx = hsm_create_context();
> +    } else {
> +        log_msg(config, LOG_INFO, "HSM connection open.");
> +    }
> +
> +}
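Review bot: On the reopen-failure path `hsm_get_error(*ctx)` is handed a context that `hsm_destroy_context(*ctx)` released a few lines earlier, so the error lookup reads a dangling pointer. Clear it with `*ctx = NULL;` right after the destroy and query the library-level error instead, `hsm_get_error(NULL)`, assuming libhsm treats NULL as the global context (worth confirming). The returned text is then used as the format argument in `log_msg(config, LOG_ERR, hsm_error_message);`, and since `log_msg` is called printf-style elsewhere in this hunk, a `%` in a message coming from the HSM module would be interpreted as a conversion; use `log_msg(config, LOG_ERR, "%s", hsm_error_message);`. The loop also dereferences `(*ctx)->session_count` before the later `if (*ctx)` test, and the result of `hsm_create_context()` is stored unchecked, so a NULL context would be dereferenced on the next call.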
> Index: enforcer/enforcerd/enforcer.h
> ===================================================================
> --- enforcer/enforcerd/enforcer.h       (revision 4267)
> +++ enforcer/enforcerd/enforcer.h       (working copy)
> @@ -51,5 +51,6 @@
>  int read_zonelist_filename(const char* filename, char**
> zone_list_filename);
>  int do_purge(int interval, int policy_id);
>  int NewDSSet(int zone_id, const char* zone_name, const char* DSSubmitCmd);
> +void check_hsm_connection(hsm_ctx_t **ctx, DAEMONCONFIG *config);
>
>  #endif /* ENFORCER_H */
>


