From: W.C.A. Wijngaards
Date: Mon, 2 Aug 2021 11:33:32 +0000 (+0200)
Subject: - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
X-Git-Tag: release-1.13.2rc1~16^2~5
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ca00814e674ac8047e07b6bec55413002c1035d7;p=thirdparty%2Funbound.git
- Prepare for OpenSSL 3.0.0 provider API usage, move the sldns keyraw functions to produce EVP_PKEY results.
---
diff --git a/doc/Changelog b/doc/Changelog
index aca4b2d1f..8557baf18 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+2 August 2021: Wouter
+ - Prepare for OpenSSL 3.0.0 provider API usage, move the sldns
+ keyraw functions to produce EVP_PKEY results.
+
 30 July 2021: Wouter
 - Fix #515: Compilation against openssl 3.0.0 beta2 is failing to build unbound.
diff --git a/sldns/keyraw.c b/sldns/keyraw.c
index 2ec225bc5..34cf94332 100644
--- a/sldns/keyraw.c
+++ b/sldns/keyraw.c
@@ -262,6 +262,26 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 return dsa;
 }

+EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
+{
+ DSA* dsa;
+ EVP_PKEY* evp_key = EVP_PKEY_new();
+ if(!evp_key) {
+ return 0;
+ }
+ dsa = sldns_key_buf2dsa_raw(key, len);
+ if(!dsa) {
+ EVP_PKEY_free(evp_key);
+ return 0;
+ }
+ if(EVP_PKEY_assign_DSA(evp_key, dsa) == 0) {
+ DSA_free(dsa);
+ EVP_PKEY_free(evp_key);
+ return 0;
+ }
+ return evp_key;
+}
+
 RSA *
 sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 {
@@ -328,6 +348,26 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 return rsa;
 }

+EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len)
+{
+ RSA* rsa;
+ EVP_PKEY *evp_key = EVP_PKEY_new();
+ if(!evp_key) {
+ return 0;
+ }
+ rsa = sldns_key_buf2rsa_raw(key, len);
+ if(!rsa) {
+ EVP_PKEY_free(evp_key);
+ return 0;
+ }
+ if(EVP_PKEY_assign_RSA(evp_key, rsa) == 0) {
+ RSA_free(rsa);
+ EVP_PKEY_free(evp_key);
+ return 0;
+ }
+ return evp_key;
+}
+
 #ifdef USE_GOST
 EVP_PKEY* sldns_gost2pkey_raw(unsigned char* key, size_t keylen)
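Review bot: sldns_key_dsa2pkey_raw allocates the EVP_PKEY container before it has parsed the caller-supplied key bytes, so the malformed-key branch must unwind an allocation it never needed, and every failure branch returns the bare literal `0` for a pointer. Parsing first and allocating only for a well-formed key leaves exactly one cleanup per path, and `NULL` states the intent; the same ordering applies to sldns_key_rsa2pkey_raw in the next hunk. Both wrappers also build the result through EVP_PKEY_assign_DSA/EVP_PKEY_assign_RSA, which OpenSSL 3.0 deprecates together with DSA_free/RSA_free, so a short comment such as `/* TODO: construct via the OpenSSL 3 provider API once the low-level DSA/RSA types are dropped */` would tie these helpers to the commit's stated goal.
```c
EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len)
{
	DSA* dsa = sldns_key_buf2dsa_raw(key, len);
	EVP_PKEY* evp_key;
	if(!dsa) {
		return NULL;
	}
	evp_key = EVP_PKEY_new();
	if(!evp_key) {
		DSA_free(dsa);
		return NULL;
	}
	/* … unchanged: EVP_PKEY_assign_DSA with DSA_free/EVP_PKEY_free on failure … */
	return evp_key;
}
```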
diff --git a/sldns/keyraw.h b/sldns/keyraw.h
index 989b02ce0..0166129b3 100644
--- a/sldns/keyraw.h
+++ b/sldns/keyraw.h
@@ -65,6 +65,14 @@ void sldns_key_EVP_unload_gost(void);
 */
 DSA *sldns_key_buf2dsa_raw(unsigned char* key, size_t len);

+/**
+ * Converts a holding buffer with DSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY *sldns_key_dsa2pkey_raw(unsigned char* key, size_t len);
+
 /**
 * Converts a holding buffer with key material to EVP PKEY in openssl.
 * Only available if ldns was compiled with GOST.
@@ -92,6 +100,14 @@ EVP_PKEY* sldns_ecdsa2pkey_raw(unsigned char* key, size_t keylen, uint8_t algo);
 */
 RSA *sldns_key_buf2rsa_raw(unsigned char* key, size_t len);

+/**
+ * Converts a holding buffer with RSA key material to EVP PKEY in openssl.
+ * \param[in] key the uncompressed wireformat of the key.
+ * \param[in] len length of key data
+ * \return the key or NULL on error.
+ */
+EVP_PKEY* sldns_key_rsa2pkey_raw(unsigned char* key, size_t len);
+
 /**
 * Converts a holding buffer with key material to EVP PKEY in openssl.
 * Only available if ldns was compiled with ED25519.
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index a4d020143..5a817a4c8 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
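Review bot: The new `\return` line for sldns_key_dsa2pkey_raw says "the key or NULL on error" but not who owns the result; the matching definition in keyraw.c returns a freshly allocated EVP_PKEY, so the caller must release it and the header is where that contract belongs: `\return the key, to be released by the caller with EVP_PKEY_free(), or NULL on error.` The sldns_key_rsa2pkey_raw prototype in the second hunk needs the same wording. It would also help to note that a NULL return covers both an allocation failure and key material that did not parse, since callers cannot tell the two apart from the return value.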
@@ -513,29 +513,13 @@ static int
 setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 unsigned char* key, size_t keylen)
 {
-#if defined(USE_DSA) && defined(USE_SHA1)
- DSA* dsa;
-#endif
- RSA* rsa;
-
 switch(algo) {
 #if defined(USE_DSA) && defined(USE_SHA1)
 case LDNS_DSA:
 case LDNS_DSA_NSEC3:
- *evp_key = EVP_PKEY_new();
+ *evp_key = sldns_key_dsa2pkey_raw(key, keylen);
 if(!*evp_key) {
- log_err("verify: malloc failure in crypto");
- return 0;
- }
- dsa = sldns_key_buf2dsa_raw(key, keylen);
- if(!dsa) {
- verbose(VERB_QUERY, "verify: "
- "sldns_key_buf2dsa_raw failed");
- return 0;
- }
- if(EVP_PKEY_assign_DSA(*evp_key, dsa) == 0) {
- verbose(VERB_QUERY, "verify: "
- "EVP_PKEY_assign_DSA failed");
+ log_err("verify: sldns_key_dsa2pkey failed");
 return 0;
 }
 #ifdef HAVE_EVP_DSS1
@@ -558,20 +542,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 #if defined(HAVE_EVP_SHA512) && defined(USE_SHA2)
 case LDNS_RSASHA512:
 #endif
- *evp_key = EVP_PKEY_new();
+ *evp_key = sldns_key_rsa2pkey_raw(key, keylen);
 if(!*evp_key) {
- log_err("verify: malloc failure in crypto");
- return 0;
- }
- rsa = sldns_key_buf2rsa_raw(key, keylen);
- if(!rsa) {
- verbose(VERB_QUERY, "verify: "
- "sldns_key_buf2rsa_raw SHA failed");
- return 0;
- }
- if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
- verbose(VERB_QUERY, "verify: "
- "EVP_PKEY_assign_RSA SHA failed");
+ log_err("verify: sldns_key_rsa2pkey SHA failed");
 return 0;
 }
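Review bot: The replacement `log_err("verify: sldns_key_dsa2pkey failed");` raises to error level a condition the removed code reported at VERB_QUERY: the new helper returns NULL both when EVP_PKEY_new() fails and when the key bytes do not parse, and the parse case is driven by DNSKEY data received in responses, so a malformed key in a zone now produces an error-level log line on every validation attempt rather than a query-verbosity one. Keeping the old level, `verbose(VERB_QUERY, "verify: sldns_key_dsa2pkey_raw failed");`, preserves the previous noise profile; if the allocation case must stay at log_err, the helper needs a way to report which of the two failed. The same substitution is made for the RSA SHA case in the next hunk and the RSAMD5 case in the hunk after it. setup_key_digest continues beyond this hunk.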
@@ -595,20 +568,9 @@ setup_key_digest(int algo, EVP_PKEY** evp_key, const EVP_MD** digest_type,
 #endif /* defined(USE_SHA1) || (defined(HAVE_EVP_SHA256) && defined(USE_SHA2)) || (defined(HAVE_EVP_SHA512) && defined(USE_SHA2)) */
 case LDNS_RSAMD5:
- *evp_key = EVP_PKEY_new();
+ *evp_key = sldns_key_rsa2pkey_raw(key, keylen);
 if(!*evp_key) {
- log_err("verify: malloc failure in crypto");
- return 0;
- }
- rsa = sldns_key_buf2rsa_raw(key, keylen);
- if(!rsa) {
- verbose(VERB_QUERY, "verify: "
- "sldns_key_buf2rsa_raw MD5 failed");
- return 0;
- }
- if(EVP_PKEY_assign_RSA(*evp_key, rsa) == 0) {
- verbose(VERB_QUERY, "verify: "
- "EVP_PKEY_assign_RSA MD5 failed");
+ log_err("verify: sldns_key_rsa2pkey MD5 failed");
 return 0;
 }
 *digest_type = EVP_md5();