From b154e9fd7a4acc87435f858d43b8c234885a8763 Mon Sep 17 00:00:00 2001

From: Evan Hunt <each@isc.org>

Date: Tue, 18 Feb 2014 22:36:14 -0800

Subject: [PATCH 1/2] add "--with-tuning=large" option

3745.	[func]		"configure --with-tuning=large" adjusts various

			compiled-in constants and default settings to

			values suited to large servers with abundant

			memory. [RT #29538]

(cherry picked from commit 6a3fa181d1253db5191139e20231512eebaddeeb)

---

 README                     |    8 +

 bin/named/bind9.ver3.xsl.h |    6 +-

 bin/named/interfacemgr.c   |    9 +-

 bin/named/named.docbook    |    3 +

 bin/named/server.c         |   21 +-

 bin/named/update.c         |    2 +-

 config.h.in                |    3 +

 configure                  | 1064 ++++++++++++++++++++++++++++++++++++--------

 configure.in               |   25 ++

 lib/dns/client.c           |    8 +-

 lib/isc/unix/socket.c      |   12 +

 11 files changed, 975 insertions(+), 186 deletions(-)

diff --git a/README b/README

index b22e9ce..7451acb 100644

--- a/README

+++ b/README

@@ -221,6 +221,14 @@ Building

 	To build shared libraries, specify "--with-libtool" on the

 	configure command line.

+	Certain compiled-in constants and default settings can be

+	increased to values better suited to large servers with abundant

+	memory resources (e.g, 64-bit servers with 12G or more of memory)

+	by specifying "--with-tuning=large" on the configure command

+	line. This can improve performance on big servers, but will

+	consume more memory and may degrade performance on smaller

+	systems.

+

 	For the server to support DNSSEC, you need to build it

 	with crypto support.  You must have OpenSSL 0.9.5a

 	or newer installed and specify "--with-openssl" on the

diff --git a/bin/named/bind9.ver3.xsl.h b/bin/named/bind9.ver3.xsl.h

index c55714a..8c0a4a9 100644

--- a/bin/named/bind9.ver3.xsl.h

+++ b/bin/named/bind9.ver3.xsl.h

@@ -210,7 +210,7 @@ static char xslmsg[] =

 	" 
Incoming Requests
\n"

 	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"

 	" \n"

-	" 
[graph incoming requests]
\n"

+	" 
[no incoming requests]
\n"

 	" </xsl:if>\n"

 	" \n"

 	" <xsl:for-each select=\"server/counters[@type="opcode"]/counter\">\n"

@@ -235,7 +235,7 @@ static char xslmsg[] =

 	" 
Incoming Queries by Type
\n"

 	" <xsl:if test=\"system-property('xsl:vendor')!='Transformiix'\">\n"

 	" \n"

-	" 
[graph incoming qtypes]
\n"

+	" 
[no incoming queries]
\n"

 	" </xsl:if>\n"

 	" \n"

 	" <xsl:for-each select=\"server/counters[@type="qtype"]/counter\">\n"

@@ -307,7 +307,7 @@ static char xslmsg[] =

 	" \n"

 	" <script type=\"text/javascript\">\n"

 	" graphs.push({\n"

-	" 'title' : \"Server Response Types\",\n"

+	" 'title' : \"Server Counters\",\n"

 	" 'target': 'chart_server_nsstat_restype',\n"

 	" 'data': [['Type','Counter'],<xsl:for-each select=\"server/counters[@type="nsstat"]/counter[.>0]\">['<xsl:value-of select=\"@name\"/>',<xsl:value-of select=\".\"/>],</xsl:for-each>]\n"

 	" });\n"

diff --git a/bin/named/interfacemgr.c b/bin/named/interfacemgr.c

index a9aa4a4..4aee47a 100644

--- a/bin/named/interfacemgr.c

+++ b/bin/named/interfacemgr.c

@@ -56,6 +56,12 @@

 #endif

 #endif

+#ifdef TUNE_LARGE

+#define UDPBUFFERS 32768 

+#else

+#define UDPBUFFERS 1000

+#endif /* TUNE_LARGE */

+

 #define IFMGR_MAGIC			ISC_MAGIC('I', 'F', 'M', 'G')

 #define NS_INTERFACEMGR_VALID(t)	ISC_MAGIC_VALID(t, IFMGR_MAGIC)

@@ -422,7 +428,8 @@ ns_interface_listenudp(ns_interface_t *ifp) {

 		result = dns_dispatch_getudp_dup(ifp->mgr->dispatchmgr,

 						 ns_g_socketmgr,

 						 ns_g_taskmgr, &ifp->addr,

-						 4096, 32768, 32768, 8219, 8237,

+						 4096, UDPBUFFERS,

+						 32768, 8219, 8237,

 						 attrs, attrmask,

 						 &ifp->udpdispatch[disp],

 						 disp == 0

diff --git a/bin/named/named.docbook b/bin/named/named.docbook

index 8f46aac..33f962e 100644

--- a/bin/named/named.docbook

+++ b/bin/named/named.docbook

@@ -248,6 +248,9 @@

 	  <para>

 	    Allow <command>named</command> to use up to

 	    <replaceable class="parameter">#max-socks</replaceable> sockets.

+            The default value is 4096 on systems built with default

+            configuration options, and 21000 on systems built with

+            "configure --with-tuning=large".

 	  </para>

           <warning>

             <para>

diff --git a/bin/named/server.c b/bin/named/server.c

index b1681b4..48a7ef0 100644

--- a/bin/named/server.c

+++ b/bin/named/server.c

@@ -127,6 +127,16 @@

 #define SIZE_MAX ((size_t)-1)

 #endif

+#ifdef TUNE_LARGE

+#define RESOLVER_NTASKS 523

+#define UDPBUFFERS 32768

+#define EXCLBUFFERS 32768

+#else

+#define RESOLVER_NTASKS 31

+#define UDPBUFFERS 1000

+#define EXCLBUFFERS 4096

+#endif /* TUNE_LARGE */

+

 /*%

  * Check an operation for failure.  Assumes that the function

  * using it has a 'result' variable and a 'cleanup' label.

@@ -948,7 +958,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,

 	isc_sockaddr_t sa;

 	unsigned int attrs, attrmask;

 	const cfg_obj_t *obj = NULL;

-	unsigned int maxdispatchbuffers;

+	unsigned int maxdispatchbuffers = UDPBUFFERS;

 	switch (af) {

 	case AF_INET:

@@ -997,7 +1007,7 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,

 	}

 	if (isc_sockaddr_getport(&sa) == 0) {

 		attrs |= DNS_DISPATCHATTR_EXCLUSIVE;

-		maxdispatchbuffers = 32768;

+		maxdispatchbuffers = EXCLBUFFERS;

 	} else {

 		INSIST(obj != NULL);

 		if (is_firstview) {

@@ -1006,7 +1016,6 @@ get_view_querysource_dispatch(const cfg_obj_t **maps,

 				    "suppresses port randomization and can be "

 				    "insecure.");

 		}

-		maxdispatchbuffers = 32768;

 	}

 	attrmask = 0;

@@ -2718,8 +2727,8 @@ configure_view(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,

 	}

 	ndisp = 4 * ISC_MIN(ns_g_udpdisp, MAX_UDP_DISPATCH);

-	CHECK(dns_view_createresolver(view, ns_g_taskmgr, 31, ndisp,

-				      ns_g_socketmgr, ns_g_timermgr,

+	CHECK(dns_view_createresolver(view, ns_g_taskmgr, RESOLVER_NTASKS,

+				      ndisp, ns_g_socketmgr, ns_g_timermgr,

 				      resopts, ns_g_dispatchmgr,

 				      dispatch4, dispatch6));

@@ -6502,7 +6511,7 @@ ns_add_reserved_dispatch(ns_server_t *server, const isc_sockaddr_t *addr) {

 	result = dns_dispatch_getudp(ns_g_dispatchmgr, ns_g_socketmgr,

 				     ns_g_taskmgr, &dispatch->addr, 4096,

-				     32768, 32768, 16411, 16433,

+				     UDPBUFFERS, 32768, 16411, 16433,

 				     attrs, attrmask, &dispatch->dispatch);

 	if (result != ISC_R_SUCCESS)

 		goto cleanup;

diff --git a/bin/named/update.c b/bin/named/update.c

index 2263382..14687ea 100644

--- a/bin/named/update.c

+++ b/bin/named/update.c

@@ -2454,7 +2454,7 @@ update_action(isc_task_t *task, isc_event_t *event) {

 	unsigned int options;

 	dns_difftuple_t *tuple;

 	dns_rdata_dnskey_t dnskey;

-	isc_boolean_t had_dnskey;

+	isc_boolean_t had_dnskey = ISC_FALSE;

 	dns_rdatatype_t privatetype = dns_zone_getprivatetype(zone);

 	INSIST(event->ev_type == DNS_EVENT_UPDATE);

diff --git a/config.h.in b/config.h.in

index 3515f69..eca525c 100644

--- a/config.h.in

+++ b/config.h.in

@@ -457,6 +457,9 @@ int sigwait(const unsigned int *set, int *sig);

 /* Define to 1 if you can safely include both <sys/time.h> and <time.h>. */

 #undef TIME_WITH_SYS_TIME

+/* Define to use large-system tuning. */

+#undef TUNE_LARGE

+

 /* Defined if you need to use ioctl(FIONBIO) instead a fcntl call to make

    non-blocking. */

 #undef USE_FIONBIO_IOCTL

diff --git a/configure b/configure

index c62da63..31c518a 100755

--- a/configure

+++ b/configure

@@ -162,7 +162,7 @@

 #

 #  -----------------------------------------------------------------------------

 #

-# Copyright (c) 1997 - 2003 Kungliga Tekniska H�gskolan

+# Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan

 # (Royal Institute of Technology, Stockholm, Sweden).

 # All rights reserved.

 #

@@ -517,6 +517,21 @@

 # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED

 # OF THE POSSIBILITY OF SUCH DAMAGE.

 #

+# -----------------------------------------------------------------------------

+#

+# Copyright (C) 2008-2011  Red Hat, Inc.

+#

+# Permission to use, copy, modify, and/or distribute this software for any

+# purpose with or without fee is hereby granted, provided that the above

+# copyright notice and this permission notice appear in all copies.

+#

+# THE SOFTWARE IS PROVIDED "AS IS" AND Red Hat DISCLAIMS ALL WARRANTIES WITH

+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY

+# AND FITNESS.  IN NO EVENT SHALL Red Hat BE LIABLE FOR ANY SPECIAL, DIRECT,

+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM

+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE

+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR

+# PERFORMANCE OF THIS SOFTWARE.

 # From configure.in Revision: 1.533 .

 # Guess values for system-dependent variables and create Makefiles.

 # Generated by GNU Autoconf 2.69.

@@ -1305,6 +1320,8 @@ THREADOPTSRCS

 THREADOPTOBJS

 ISC_PLATFORM_USETHREADS

 ALWAYS_DEFINES

+CHECK_DSA

+DNS_CRYPTO_PK11_LIBS

 DNS_CRYPTO_LIBS

 DNS_GSSAPI_LIBS

 DST_GSSAPI_INC

@@ -1313,7 +1330,25 @@ ISC_PLATFORM_KRB5HEADER

 ISC_PLATFORM_GSSAPI_KRB5_HEADER

 ISC_PLATFORM_GSSAPIHEADER

 ISC_PLATFORM_HAVEGSSAPI

+GEOIPLINKOBJS

+GEOIPLINKSRCS

+PKCS11_TEST

+PKCS11_GOST

+PKCS11_ECDSA

+CRYPTO_PK11

+CRYPTO

+PKCS11LINKSRCS

+PKCS11LINKOBJS

 PKCS11_PROVIDER

+ISC_ISCPK11_API_O

+ISC_ISCPK11_API_C

+ISC_PK11_RESULT_O

+ISC_PK11_RESULT_C

+ISC_PK11_API_O

+ISC_PK11_API_C

+ISC_PK11_O

+ISC_PK11_C

+PKCS11_ENGINE

 PKCS11_TOOLS

 USE_PKCS11

 ISC_OPENSSL_INC

@@ -1325,7 +1360,6 @@ OPENSSLLINKOBJS

 OPENSSLGOSTLINKSRCS

 OPENSSLGOSTLINKOBJS

 DST_OPENSSL_INC

-USE_OPENSSL

 LWRES_PLATFORM_NEEDSYSSELECTH

 ISC_PLATFORM_NEEDSYSSELECTH

 ISC_PLATFORM_HAVEDEVPOLL

@@ -1434,6 +1468,7 @@ PATH_SEPARATOR

 SHELL'

 ac_subst_files='BIND9_MAKE_INCLUDES

 BIND9_MAKE_RULES

+LIBISCPK11_API

 LIBISC_API

 LIBISCCC_API

 LIBISCCFG_API

@@ -1460,18 +1495,20 @@ enable_kqueue

 enable_epoll

 enable_devpoll

 with_openssl

-enable_openssl_version_check

-with_ecdsa

+enable_native_pkcs11

+with_pkcs11

 with_gost

+with_ecdsa

+enable_openssl_version_check

 enable_openssl_hash

-with_pkcs11

+with_libtool

+with_geoip

 with_gssapi

 with_randomdev

 enable_threads

 with_libxml2

 enable_largefile

 with_purify

-with_libtool

 enable_backtrace

 enable_symtable

 enable_exportlib

@@ -1496,6 +1533,7 @@ with_libiconv

 with_iconv

 with_idnlib

 with_atf

+with_tuning

 with_dlopen

 with_dlz_postgres

 with_dlz_mysql

@@ -2139,6 +2177,7 @@ Optional Features:

   --enable-kqueue         use BSD kqueue when available [default=yes]

   --enable-epoll          use Linux epoll when available [default=auto]

   --enable-devpoll        use /dev/poll when available [default=yes]

+  --enable-native-pkcs11  use native PKCS11 for all crypto [default=no]

   --enable-openssl-version-check

                           Check OpenSSL Version [default=yes]

   --enable-openssl-hash   use OpenSSL for hash functions [default=no]

@@ -2175,15 +2214,16 @@ Optional Packages:

   --with-python=PATH      Specify path to python interpreter

   --with-openssl=PATH     Build with OpenSSL yes|no|path.

 			  (Required for DNSSEC)

-  --with-ecdsa            OpenSSL ECDSA

-  --with-gost             OpenSSL GOST

   --with-pkcs11=PATH      Build with PKCS11 support yes|no|path

                           (PATH is for the PKCS11 provider)

+  --with-gost             Crypto GOST yes|no|raw|asn1.

+  --with-ecdsa            OpenSSL ECDSA

+  --with-libtool          use GNU libtool

+  --with-geoip=PATH       Build with GeoIP support (yes|no|path)

   --with-gssapi=PATH      Specify path for system-supplied GSSAPI [default=yes]

   --with-randomdev=PATH   Specify path for random device

   --with-libxml2=PATH     Build with libxml2 library yes|no|path

   --with-purify=PATH      use Rational purify

-  --with-libtool          use GNU libtool

   --with-export-libdir=PATH

                           installation directory for the export library

                           [EPREFIX/lib/bind9]

@@ -2199,6 +2239,7 @@ Optional Packages:

   --with-iconv=LIBSPEC    specify iconv library default -liconv

   --with-idnlib=ARG       specify libidnkit

   --with-atf=ARG          Automated Test Framework support

+  --with-tuning=ARG       Specify server tuning (large or default)

   --with-dlopen=ARG       Support dynamically loadable DLZ drivers

   --with-dlz-postgres=PATH   Build with Postgres DLZ driver yes|no|path.

                                (Required to use Postgres with DLZ)

@@ -13056,13 +13097,16 @@ $as_echo "#define STDC_HEADERS 1" >>confdefs.h

 fi

-for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h

+for ac_header in fcntl.h regex.h sys/time.h unistd.h sys/sockio.h sys/select.h sys/param.h sys/sysctl.h net/if6.h sys/socket.h net/route.h linux/netlink.h linux/rtnetlink.h

 do :

   as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`

 ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default

 #ifdef HAVE_SYS_PARAM_H

 # include <sys/param.h>

 #endif

+#ifdef HAVE_SYS_SOCKET_H

+# include <sys/socket.h>

+#endif

 "

 if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :

@@ -14008,26 +14052,98 @@ else

 fi

+#

+# was --enable-native-pkcs11 specified?

+#  (note it implies both --without-openssl and --with-pkcs11)

+#

+# Check whether --enable-native-pkcs11 was given.

+if test "${enable_native_pkcs11+set}" = set; then :

+  enableval=$enable_native_pkcs11; want_native_pkcs11="$enableval"

+else

+  want_native_pkcs11="no"

+fi

+

+

+

+# Check whether --with-pkcs11 was given.

+if test "${with_pkcs11+set}" = set; then :

+  withval=$with_pkcs11; use_pkcs11="$withval"

+else

+  use_pkcs11="auto"

+fi

+

+

 openssldirs="/usr /usr/local /usr/local/ssl /usr/pkg /usr/sfw"

 if test "$use_openssl" = "auto"

 then

-	for d in $openssldirs

-	do

-		if test -f $d/include/openssl/opensslv.h

-		then

-			use_openssl=$d

-			break

-		fi

-	done

+#    if test "$want_native_pkcs11" = "yes"

+#    then

+#        use_openssl="native_pkcs11"

+#    else

+	    for d in $openssldirs

+    	do

+	    	if test -f $d/include/openssl/opensslv.h

+		    then

+			    use_openssl=$d

+    			break

+		    fi

+    	done

+#    fi

 fi

 OPENSSL_ECDSA=""

 OPENSSL_GOST=""

+

+# Check whether --with-gost was given.

+if test "${with_gost+set}" = set; then :

+  withval=$with_gost; with_gost="$withval"

+else

+  with_gost="auto"

+fi

+

+

+# Check whether --with-ecdsa was given.

+if test "${with_ecdsa+set}" = set; then :

+  withval=$with_ecdsa; with_ecdsa="$withval"

+else

+  with_ecdsa="auto"

+fi

+

+

+gosttype="raw"

+case "$with_gost" in

+	raw)

+		with_gost="yes"

+		;;

+	asn1)

+

+$as_echo "#define PREFER_GOSTASN1 1" >>confdefs.h

+

+                gosttype="asn1"

+		with_gost="yes"

+		;;

+	auto|yes|no)

+		;;

+	*)

+		as_fn_error $? "unknown GOST private key encoding" "$LINENO" 5

+		;;

+esac

+

 case "$use_openssl" in

+    native_pkcs11)

+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled because of native PKCS11" >&5

+$as_echo "disabled because of native PKCS11" >&6; }

+		DST_OPENSSL_INC=""

+		CRYPTO=""

+		OPENSSLGOSTLINKOBJS=""

+		OPENSSLGOSTLINKSRS=""

+		OPENSSLLINKOBJS=""

+		OPENSSLLINKSRCS=""

+		;;

 	no)

 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5

 $as_echo "no" >&6; }

 		DST_OPENSSL_INC=""

-		USE_OPENSSL=""

+		CRYPTO=""

 		OPENSSLGOSTLINKOBJS=""

 		OPENSSLGOSTLINKSRS=""

 		OPENSSLLINKOBJS=""

@@ -14035,7 +14151,7 @@ $as_echo "no" >&6; }

 		;;

 	auto)

 		DST_OPENSSL_INC=""

-		USE_OPENSSL=""

+		CRYPTO=""

 		OPENSSLGOSTLINKOBJS=""

 		OPENSSLGOSTLINKSRS=""

 		OPENSSLLINKOBJS=""

@@ -14044,6 +14160,11 @@ $as_echo "no" >&6; }

 If you don't want OpenSSL, use --without-openssl" "$LINENO" 5

 		;;

 	*)

+#		if test "$want_native_pkcs11" = "yes"

+#		then

+#                        AC_MSG_RESULT()

+#			AC_MSG_ERROR([OpenSSL and native PKCS11 cannot be used together.])

+#		fi

 		if test "$use_openssl" = "yes"

 		then

 			# User did not specify a path - guess it

@@ -14065,7 +14186,7 @@ $as_echo "not found" >&6; }

 		then

 			as_fn_error $? "\"$use_openssl/include/openssl/opensslv.h\" not found" "$LINENO" 5

 		fi

-		USE_OPENSSL='-DOPENSSL'

+		CRYPTO='-DOPENSSL'

 		if test "$use_openssl" = "/usr"

 		then

 			DST_OPENSSL_INC=""

@@ -14102,6 +14223,7 @@ $as_echo "not found" >&6; }

 		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL from $use_openssl/lib and $use_openssl/include" >&5

 $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }

+		saved_cc="$CC"

 		saved_cflags="$CFLAGS"

 		saved_libs="$LIBS"

 		CFLAGS="$CFLAGS $DST_OPENSSL_INC"

@@ -14305,13 +14427,6 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \

 fi

-# Check whether --with-ecdsa was given.

-if test "${with_ecdsa+set}" = set; then :

-  withval=$with_ecdsa; with_ecdsa="$withval"

-else

-  with_ecdsa="auto"

-fi

-

         case "$with_ecdsa" in

         yes)

             case "$have_ecdsa" in

@@ -14342,6 +14457,15 @@ $as_echo "#define HAVE_OPENSSL_ECDSA 1" >>confdefs.h

         { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL GOST support" >&5

 $as_echo_n "checking for OpenSSL GOST support... " >&6; }

         have_gost=""

+		case "$use_pkcs11" in

+                auto|no)

+                        ;;

+                *)

+                        if $use_threads; then

+                                CC="$CC -pthread"

+                        fi

+                        ;;

+        esac

         if test "$cross_compiling" = yes; then :

   { $as_echo "$as_me:${as_lineno-$LINENO}: result: using --with-gost" >&5

 $as_echo "using --with-gost" >&6; }

@@ -14385,13 +14509,6 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \

 fi

-# Check whether --with-gost was given.

-if test "${with_gost+set}" = set; then :

-  withval=$with_gost; with_gost="$withval"

-else

-  with_gost="auto"

-fi

-

         case "$with_gost" in

         yes)

             case "$have_gost" in

@@ -14404,7 +14521,7 @@ fi

         *)

             case "$have_gost" in

             yes|no) ;;

-            *) as_fn_error $? "need --with-gost=[yes or no]" "$LINENO" 5 ;;

+            *) as_fn_error $? "need --with-gost=[yes, no, raw or asn1]" "$LINENO" 5 ;;

             esac

             ;;

         esac

@@ -14441,8 +14558,8 @@ esac

-

 DNS_CRYPTO_LIBS="$DNS_CRYPTO_LIBS $DNS_OPENSSL_LIBS"

+DNS_CRYPTO_PK11_LIBS="$DNS_CRYPTO_LIBS"

 #

 # Use OpenSSL for hash functions

@@ -14457,7 +14574,7 @@ fi

 case $want_openssl_hash in

 	yes)

-		if test "$USE_OPENSSL" = ""

+		if test "$CRYPTO" = ""

 		then

 			as_fn_error $? "No OpenSSL for hash functions" "$LINENO" 5

 		fi

@@ -14472,6 +14589,46 @@ esac

+

+# Check whether --with-libtool was given.

+if test "${with_libtool+set}" = set; then :

+  withval=$with_libtool; use_libtool="$withval"

+else

+  use_libtool="no"

+fi

+

+

+case $use_libtool in

+	yes)

+

+		O=lo

+		A=la

+		LIBTOOL_MKDEP_SED='s;\.o;\.lo;'

+		LIBTOOL_MODE_COMPILE='--mode=compile --tag=CC'

+		LIBTOOL_MODE_INSTALL='--mode=install --tag=CC'

+		LIBTOOL_MODE_LINK='--mode=link --tag=CC'

+		case "$host" in

+		*) LIBTOOL_ALLOW_UNDEFINED= ;;

+		esac

+		case "$host" in

+		*-ibm-aix*) LIBTOOL_IN_MAIN="-Wl,-bI:T_testlist.imp" ;;

+		*) LIBTOOL_IN_MAIN= ;;

+		esac;

+		;;

+	*)

+		O=o

+		A=a

+		LIBTOOL=

+

+		LIBTOOL_MKDEP_SED=

+		LIBTOOL_MODE_COMPILE=

+		LIBTOOL_MODE_INSTALL=

+		LIBTOOL_MODE_LINK=

+		LIBTOOL_ALLOW_UNDEFINED=

+		LIBTOOL_IN_MAIN=

+		;;

+esac

+

 #

 # PKCS11 (aka crypto hardware) support

 #

@@ -14481,31 +14638,125 @@ esac

 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS11 support" >&5

 $as_echo_n "checking for PKCS11 support... " >&6; }

-# Check whether --with-pkcs11 was given.

-if test "${with_pkcs11+set}" = set; then :

-  withval=$with_pkcs11; use_pkcs11="$withval"

-else

-  use_pkcs11="no"

+if test "$use_pkcs11" = "auto"

+then

+	if test "$want_native_pkcs11" = "yes"

+	then

+		use_pkcs11="yes"

+	else

+		use_pkcs11="no"

+	fi

 fi

-

 case "$use_pkcs11" in

 	no|'')

-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: disabled" >&5

-$as_echo "disabled" >&6; }

-		USE_PKCS11=''

-		PKCS11_TOOLS=''

+		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5

+$as_echo "no" >&6; }

+		USE_PKCS11=""

+		PKCS11_TEST=""

+		PKCS11_TOOLS=""

+		ISC_PK11_C=""

+		ISC_PK11_O=""

+		ISC_PK11_API_C=""

+		ISC_PK11_API_O=""

+		ISC_PK11_RESULT_C=""

+		ISC_PK11_RESULT_O=""

+		ISC_ISCPK11_API_C=""

+		ISC_ISCPK11_API_O=""

 		;;

 	yes|*)

-		{ $as_echo "$as_me:${as_lineno-$LINENO}: result: using OpenSSL with PKCS11 support" >&5

-$as_echo "using OpenSSL with PKCS11 support" >&6; }

+        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5

+$as_echo "yes" >&6; }

+                if ! $use_threads; then

+			as_fn_error $? "PKCS11 requires thread support" "$LINENO" 5

+                fi

+		if test "$CRYPTO" != ""

+		then

+			{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL with PKCS11 support" >&5

+$as_echo_n "checking for OpenSSL with PKCS11 support... " >&6; }

+                        saved_cc="$CC"

+			saved_cflags="$CFLAGS"

+			saved_libs="$LIBS"

+                        CC="$CC -pthread"

+			CFLAGS="$CFLAGS $DST_OPENSSL_INC"

+			LIBS="$LIBS $DNS_OPENSSL_LIBS"

+			if test "$cross_compiling" = yes; then :

+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: cross compile" >&5

+$as_echo "cross compile" >&6; }

+			PKCS11_TEST=''

+			PKCS11_ENGINE='-DPKCS11_ENGINE=NULL'

+else

+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext

+/* end confdefs.h.  */

+

+#include <openssl/conf.h>

+#include <openssl/engine.h>

+int main() {