[Opendnssec-develop] HSM reopen
Rickard Bellgrim
rickard at opendnssec.org
Fri Aug 26 13:44:13 UTC 2011
I think we could implement a simpler NO-OP in libhsm so that we
do not need to count keys. Just to see that the sessions still work.
// Rickard
On Thu, Aug 25, 2011 at 11:55 AM, Siôn Lloyd <sion at nominet.org.uk> wrote:
> From the meeting yesterday I was going to find the patch for HSM connection
> fun.
>
> This is code that I added in December last year; the patch is for the 1.1
> branch.
>
> For my tests Rickard suggested adding the following:
>
> for (int i = 0; i < ctx->session_count; i++)
> {
>     ctx->session[i]->session = 0;
> }
>
> which invalidates any HSM connections... It worked, but as I am not sure
> that this looks the same as a timed out connection I did not commit the
> code.
>
> It validates a connection by counting the keys, which seems like a neutral
> operation. As the enforcer doesn't run so often this should be okay; I'm not
> sure that the overhead of this is acceptable for the signer though.
>
> Sion
>
>
>
> sion at sion:~/work/opendnssec/OpenDNSSEC-1.1$ svn diff
> Index: enforcer/enforcerd/enforcer.c
> ===================================================================
> --- enforcer/enforcerd/enforcer.c (revision 4267)
> +++ enforcer/enforcerd/enforcer.c (working copy)
> @@ -286,6 +286,10 @@
> log_msg(config, LOG_INFO, "Received SIGINT, exiting...");
> break;
> }
> +
> + /* Make sure that we can still talk to the HSM; this call exits if
> + we can not */
> + check_hsm_connection(&ctx, config);
> }
>
> /*
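Review bot: the comment on the new call ("this call exits if we can not") understates what check_hsm_connection() does: per its body it first destroys the context and calls hsm_close()/hsm_open() to reconnect, and only exits when that reopen fails. Because the call sits inside the main loop and runs on every pass, spell that out here, e.g. `/* Verify the HSM sessions still answer; reconnect if not, exit if the reconnect fails */`, so a reader of the loop knows a full reconnect (including a possible PIN prompt through hsm_prompt_pin) can happen at this point.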
> @@ -1771,3 +1775,71 @@
>
> return status;
> }
> +
> +void check_hsm_connection(hsm_ctx_t **ctx, DAEMONCONFIG *config)
> +{
> + int result = 0;
> + char *hsm_error_message = NULL;
> + int i;
> +
> + for (i = 0; i < (*ctx)->session_count; i++) {
> + result = hsm_count_keys_session(*ctx, (*ctx)->session[i]);
> + if (result == 0) {
> + /* Either that HSM is empty or we could not talk to it,
> + assume that we need to reconnect */
> + break;
> + }
> + }
> +
> + /* If we got zero then it probably means that we could not talk to an
> HSM
> */
> + if (result == 0) {
> +
> + if (*ctx) {
> + hsm_destroy_context(*ctx);
> + }
> +
> + result = hsm_close();
> +
> + if (config->configfile != NULL) {
> + result = hsm_open(config->configfile, hsm_prompt_pin, NULL);
> + } else {
> + result = hsm_open(CONFIG_FILE, hsm_prompt_pin, NULL);
> + }
> + if (result) {
> + hsm_error_message = hsm_get_error(*ctx);
> + if (hsm_error_message) {
> + log_msg(config, LOG_ERR, hsm_error_message);
> + free(hsm_error_message);
> + } else {
> + /* decode the error code ourselves
> + TODO find if there is a better way to do this (and can
> all
> of these be returned? are there others?) */
> + switch (result) {
> + case HSM_ERROR:
> + log_msg(config, LOG_ERR, "hsm_open() result: HSM
> error");
> + break;
> + case HSM_PIN_INCORRECT:
> + log_msg(config, LOG_ERR, "hsm_open() result:
> incorrect
> PIN");
> + break;
> + case HSM_CONFIG_FILE_ERROR:
> + log_msg(config, LOG_ERR, "hsm_open() result: config
> file
> error");
> + break;
> + case HSM_REPOSITORY_NOT_FOUND:
> + log_msg(config, LOG_ERR, "hsm_open() result:
> repository not found");
> + break;
> + case HSM_NO_REPOSITORIES:
> + log_msg(config, LOG_ERR, "hsm_open() result: no
> repositories");
> + break;
> + default:
> + log_msg(config, LOG_ERR, "hsm_open() result: %d",
> result);
> + }
> + }
> + unlink(config->pidfile);
> + exit(1);
> + }
> + log_msg(config, LOG_INFO, "HSM reopened successfully.");
> + *ctx = hsm_create_context();
> + } else {
> + log_msg(config, LOG_INFO, "HSM connection open.");
> + }
> +
> +}
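Review bot: `hsm_error_message = hsm_get_error(*ctx);` is reached after `hsm_destroy_context(*ctx)` has already freed that context, so on an hsm_open() failure the function reads through a dangling pointer; set `*ctx = NULL` right after the destroy and fetch the error text in a way that does not need the old context (or retrieve it before destroying). Two further points in the same hunk: `log_msg(config, LOG_ERR, hsm_error_message);` passes HSM-supplied text as the format argument (the other calls show log_msg is printf-style), so write `log_msg(config, LOG_ERR, "%s", hsm_error_message);` to keep the message from being interpreted as a format string; and the liveness test cannot tell "no keys" from "no connection": an empty repository, or session_count == 0, leaves result at 0 and forces a close/reopen on every loop pass, so a per-session probe that yields a distinct error on a dead session would be a more reliable trigger than the key count. Minor: the return value of hsm_close() is assigned to result and then immediately overwritten by hsm_open(); either check it or drop the assignment.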
> Index: enforcer/enforcerd/enforcer.h
> ===================================================================
> --- enforcer/enforcerd/enforcer.h (revision 4267)
> +++ enforcer/enforcerd/enforcer.h (working copy)
> @@ -51,5 +51,6 @@
> int read_zonelist_filename(const char* filename, char**
> zone_list_filename);
> int do_purge(int interval, int policy_id);
> int NewDSSet(int zone_id, const char* zone_name, const char* DSSubmitCmd);
> +void check_hsm_connection(hsm_ctx_t **ctx, DAEMONCONFIG *config);
>
> #endif /* ENFORCER_H */
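Review bot: the new prototype brings `hsm_ctx_t` into enforcer.h while none of the neighbouring declarations use a libhsm type; confirm that the header defining hsm_ctx_t is included from enforcer.h (or add a forward declaration) so that any translation unit including enforcer.h without libhsm still compiles.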
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop