upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-02-23 01:40:23 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Remove engine related parts for OpenSSL 3.0

Browse source 
OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
builders. But it can be built in legacy mode, where deprecated but still
working API would be used.

It can work under OpenSSL 3.0, but only if using legacy code paths
matching OpenSSL 1.1 calls and functions.

Remove fromlabel processing by OpenSSL 3.0 only functions. They can
return later with a proper provider support for pkcs11.

(cherry picked from commit 6c55ea17c6)
This commit is contained in:
Petr Menšík 2022-09-08 16:33:38 +02:00 committed by Mark Andrews
parent d6806c9fe7
commit 8a425dbac4
2 changed files with 0 additions and 87 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

55
lib/dns/opensslecdsa_link.c
View file

@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
isc_result_t ret = ISC_R_SUCCESS;
ENGINE *e;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
EC_KEY *eckey = NULL;
EC_KEY *pubeckey = NULL;
int group_nid;
#else
size_t len;
const char *curve_name, *nist_curve_name;
char buf[128]; /* Sufficient for all of the supported curves' names. */
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
EVP_PKEY *pkey = NULL;
EVP_PKEY *pubpkey = NULL;
@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(DST_R_NOENGINE);
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (key->key_alg == DST_ALG_ECDSA256) {
group_nid = NID_X9_62_prime256v1;
} else {
group_nid = NID_secp384r1;
}
#else
/* Get the expected curve names */
if (key->key_alg == DST_ALG_ECDSA256) {
curve_name = "prime256v1";
nist_curve_name = "P-256";
} else {
curve_name = "secp384r1";
nist_curve_name = "P-384";
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
/* Load private key. */
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (eckey == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
#else
len = 0;
if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
buf, sizeof buf, &len) != 1 ||
len == 0 || len >= sizeof buf)
{
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
{
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
/* Load public key. */
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
DST_RET(DST_R_INVALIDPUBLICKEY);
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
if (pubeckey == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
DST_RET(DST_R_INVALIDPUBLICKEY);
}
#else
len = 0;
if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
buf, sizeof buf, &len) != 1 ||
len == 0 || len >= sizeof buf)
{
DST_RET(DST_R_INVALIDPUBLICKEY);
}
if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
{
DST_RET(DST_R_INVALIDPUBLICKEY);
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
#else
if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
key->label = isc_mem_strdup(key->mctx, label);
key->engine = isc_mem_strdup(key->mctx, engine);
@ -1442,14 +1389,12 @@ err:
if (pkey != NULL) {
EVP_PKEY_free(pkey);
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (pubeckey != NULL) {
EC_KEY_free(pubeckey);
}
if (eckey != NULL) {
EC_KEY_free(eckey);
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
return (ret);
#else

32
lib/dns/opensslrsa_link.c
View file

@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
RSA_get0_key(rsa, NULL, &ex, NULL);
#else
if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
ISC_R_SUCCESS) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
1) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (ex == NULL) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
ENGINE *e = NULL;
isc_result_t ret = ISC_R_SUCCESS;
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
#if OPENSSL_VERSION_NUMBER < 0x30000000L
RSA *rsa = NULL, *pubrsa = NULL;
const BIGNUM *ex = NULL;
#else
BIGNUM *ex = NULL;
#endif
UNUSED(pin);
@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
DST_R_OPENSSLFAILURE));
}
#if OPENSSL_VERSION_NUMBER < 0x30000000L
pubrsa = EVP_PKEY_get1_RSA(pubpkey);
if (pubrsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (pkey == NULL) {
@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label);
#if OPENSSL_VERSION_NUMBER < 0x30000000L
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
RSA_get0_key(rsa, NULL, &ex, NULL);
#else
if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (ex == NULL) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pkey = NULL;
err:
#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (rsa != NULL) {
RSA_free(rsa);
}
if (pubrsa != NULL) {
RSA_free(pubrsa);
}
#else
if (ex != NULL) {
BN_free(ex);
}
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (pkey != NULL) {
EVP_PKEY_free(pkey);
}