|
 |
a912db |
From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
|
|
|
a912db |
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
|
a912db |
Date: Thu, 8 Sep 2022 16:33:38 +0200
|
|
|
a912db |
Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
|
|
|
a912db |
|
|
|
a912db |
OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
|
|
|
a912db |
builders. But it can be built in legacy mode, where deprecated but still
|
|
|
a912db |
working API would be used.
|
|
|
a912db |
|
|
|
a912db |
It can work under OpenSSL 3.0, but only if using legacy code paths
|
|
|
a912db |
matching OpenSSL 1.1 calls and functions.
|
|
|
a912db |
|
|
|
a912db |
Remove fromlabel processing by OpenSSL 3.0 only functions. They can
|
|
|
a912db |
return later with a proper provider support for pkcs11.
|
|
|
a912db |
---
|
|
|
a912db |
lib/dns/opensslecdsa_link.c | 55 -------------------------------------
|
|
|
a912db |
lib/dns/opensslrsa_link.c | 32 ---------------------
|
|
|
a912db |
2 files changed, 87 deletions(-)
|
|
|
a912db |
|
|
|
a912db |
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
|
|
a912db |
index 04f0d80b5e..f04f076e42 100644
|
|
|
a912db |
--- a/lib/dns/opensslecdsa_link.c
|
|
|
a912db |
+++ b/lib/dns/opensslecdsa_link.c
|
|
|
a912db |
@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
|
|
a912db |
isc_result_t ret = ISC_R_SUCCESS;
|
|
|
a912db |
ENGINE *e;
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
EC_KEY *eckey = NULL;
|
|
|
a912db |
EC_KEY *pubeckey = NULL;
|
|
|
a912db |
int group_nid;
|
|
|
a912db |
-#else
|
|
|
a912db |
- size_t len;
|
|
|
a912db |
- const char *curve_name, *nist_curve_name;
|
|
|
a912db |
- char buf[128]; /* Sufficient for all of the supported curves' names. */
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
EVP_PKEY *pkey = NULL;
|
|
|
a912db |
EVP_PKEY *pubpkey = NULL;
|
|
|
a912db |
|
|
|
a912db |
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
DST_RET(DST_R_NOENGINE);
|
|
|
a912db |
}
|
|
|
a912db |
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
if (key->key_alg == DST_ALG_ECDSA256) {
|
|
|
a912db |
group_nid = NID_X9_62_prime256v1;
|
|
|
a912db |
} else {
|
|
|
a912db |
group_nid = NID_secp384r1;
|
|
|
a912db |
}
|
|
|
a912db |
-#else
|
|
|
a912db |
- /* Get the expected curve names */
|
|
|
a912db |
- if (key->key_alg == DST_ALG_ECDSA256) {
|
|
|
a912db |
- curve_name = "prime256v1";
|
|
|
a912db |
- nist_curve_name = "P-256";
|
|
|
a912db |
- } else {
|
|
|
a912db |
- curve_name = "secp384r1";
|
|
|
a912db |
- nist_curve_name = "P-384";
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
/* Load private key. */
|
|
|
a912db |
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
|
|
a912db |
@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
|
|
|
a912db |
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
|
|
a912db |
}
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
|
|
a912db |
if (eckey == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
|
a912db |
@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
|
|
|
a912db |
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
|
|
a912db |
}
|
|
|
a912db |
-#else
|
|
|
a912db |
- len = 0;
|
|
|
a912db |
- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
|
|
a912db |
- buf, sizeof buf, &len) != 1 ||
|
|
|
a912db |
- len == 0 || len >= sizeof buf)
|
|
|
a912db |
- {
|
|
|
a912db |
- DST_RET(DST_R_INVALIDPRIVATEKEY);
|
|
|
a912db |
- }
|
|
|
a912db |
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
|
|
a912db |
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
|
|
a912db |
- {
|
|
|
a912db |
- DST_RET(DST_R_INVALIDPRIVATEKEY);
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
/* Load public key. */
|
|
|
a912db |
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
|
|
|
a912db |
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
|
|
|
a912db |
DST_RET(DST_R_INVALIDPUBLICKEY);
|
|
|
a912db |
}
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
|
|
|
a912db |
if (pubeckey == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
|
a912db |
@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
|
|
|
a912db |
DST_RET(DST_R_INVALIDPUBLICKEY);
|
|
|
a912db |
}
|
|
|
a912db |
-#else
|
|
|
a912db |
- len = 0;
|
|
|
a912db |
- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
|
|
a912db |
- buf, sizeof buf, &len) != 1 ||
|
|
|
a912db |
- len == 0 || len >= sizeof buf)
|
|
|
a912db |
- {
|
|
|
a912db |
- DST_RET(DST_R_INVALIDPUBLICKEY);
|
|
|
a912db |
- }
|
|
|
a912db |
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
|
|
a912db |
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
|
|
a912db |
- {
|
|
|
a912db |
- DST_RET(DST_R_INVALIDPUBLICKEY);
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
}
|
|
|
a912db |
-#else
|
|
|
a912db |
- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
|
|
|
a912db |
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
key->label = isc_mem_strdup(key->mctx, label);
|
|
|
a912db |
key->engine = isc_mem_strdup(key->mctx, engine);
|
|
|
a912db |
@@ -1442,14 +1389,12 @@ err:
|
|
|
a912db |
if (pkey != NULL) {
|
|
|
a912db |
EVP_PKEY_free(pkey);
|
|
|
a912db |
}
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
if (pubeckey != NULL) {
|
|
|
a912db |
EC_KEY_free(pubeckey);
|
|
|
a912db |
}
|
|
|
a912db |
if (eckey != NULL) {
|
|
|
a912db |
EC_KEY_free(eckey);
|
|
|
a912db |
}
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
return (ret);
|
|
|
a912db |
#else
|
|
|
a912db |
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
|
|
|
a912db |
index 867b486a2f..cf350610ba 100644
|
|
|
a912db |
--- a/lib/dns/opensslrsa_link.c
|
|
|
a912db |
+++ b/lib/dns/opensslrsa_link.c
|
|
|
a912db |
@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
|
a912db |
key->engine = isc_mem_strdup(key->mctx, engine);
|
|
|
a912db |
key->label = isc_mem_strdup(key->mctx, label);
|
|
|
a912db |
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
|
a912db |
if (rsa == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
|
a912db |
@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
}
|
|
|
a912db |
RSA_get0_key(rsa, NULL, &ex, NULL);
|
|
|
a912db |
-#else
|
|
|
a912db |
- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
|
|
|
a912db |
- ISC_R_SUCCESS) {
|
|
|
a912db |
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
- }
|
|
|
a912db |
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
|
|
|
a912db |
- 1) {
|
|
|
a912db |
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
if (ex == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
ENGINE *e = NULL;
|
|
|
a912db |
isc_result_t ret = ISC_R_SUCCESS;
|
|
|
a912db |
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
RSA *rsa = NULL, *pubrsa = NULL;
|
|
|
a912db |
const BIGNUM *ex = NULL;
|
|
|
a912db |
-#else
|
|
|
a912db |
- BIGNUM *ex = NULL;
|
|
|
a912db |
-#endif
|
|
|
a912db |
|
|
|
a912db |
UNUSED(pin);
|
|
|
a912db |
|
|
|
a912db |
@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
|
|
|
a912db |
DST_R_OPENSSLFAILURE));
|
|
|
a912db |
}
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
pubrsa = EVP_PKEY_get1_RSA(pubpkey);
|
|
|
a912db |
if (pubrsa == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
|
a912db |
}
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
|
|
a912db |
if (pkey == NULL) {
|
|
|
a912db |
@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
key->engine = isc_mem_strdup(key->mctx, engine);
|
|
|
a912db |
key->label = isc_mem_strdup(key->mctx, label);
|
|
|
a912db |
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
|
a912db |
if (rsa == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
|
a912db |
@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
}
|
|
|
a912db |
RSA_get0_key(rsa, NULL, &ex, NULL);
|
|
|
a912db |
-#else
|
|
|
a912db |
- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
|
|
|
a912db |
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
- }
|
|
|
a912db |
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
|
|
|
a912db |
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
|
|
|
a912db |
if (ex == NULL) {
|
|
|
a912db |
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
|
a912db |
@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
|
a912db |
pkey = NULL;
|
|
|
a912db |
|
|
|
a912db |
err:
|
|
|
a912db |
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
|
a912db |
if (rsa != NULL) {
|
|
|
a912db |
RSA_free(rsa);
|
|
|
a912db |
}
|
|
|
a912db |
if (pubrsa != NULL) {
|
|
|
a912db |
RSA_free(pubrsa);
|
|
|
a912db |
}
|
|
|
a912db |
-#else
|
|
|
a912db |
- if (ex != NULL) {
|
|
|
a912db |
- BN_free(ex);
|
|
|
a912db |
- }
|
|
|
a912db |
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
|
a912db |
if (pkey != NULL) {
|
|
|
a912db |
EVP_PKEY_free(pkey);
|
|
|
a912db |
}
|
|
|
a912db |
--
|
|
|
a912db |
2.37.2
|
|
|
a912db |
|