Remove support for OpenSSL < 1.0.0
authorOndřej Surý <ondrej@sury.org>
Thu, 3 May 2018 12:03:50 +0000 (14:03 +0200)
committerOndřej Surý <ondrej@sury.org>
Thu, 3 May 2018 13:55:39 +0000 (15:55 +0200)
14 files changed:
bin/tests/system/rsabigexponent/bigkey.c
config.h.in
config.h.win32
configure
configure.in
lib/dns/dst_internal.h
lib/dns/openssl_link.c
lib/dns/openssldh_link.c
lib/dns/openssldsa_link.c
lib/dns/opensslecdsa_link.c
lib/dns/opensslrsa_link.c
libtool.m4/ltsugar.m4
libtool.m4/lt~obsolete.m4
win32utils/Configure

index be043205787cb674b19cc0be721784d3584072ef..af3d928c78d00294c6add98adc4d2951c9b00a75 100644 (file)
 #include <dst/dst.h>
 #include <dst/result.h>
 
-#ifdef OPENSSL
-#include <openssl/opensslv.h>
-#if OPENSSL_VERSION_NUMBER <= 0x00908000L
-#define USE_FIX_KEY_FILES
-#endif
-#else
-#define USE_FIX_KEY_FILES
-#endif
-
-#ifdef USE_FIX_KEY_FILES
+#if !defined(OPENSSL)
 
 /*
- * Use a fixed key file pair if OpenSSL doesn't support > 32 bit exponents.
+ * Use a fixed key file pair if compiled without OpenSSL.
  */
 
 int
index cdb3fa8a3a37755608c2368b1326c32809a8bf41..45d342ef682e4834ca50573bf5264e472b7d6ddc 100644 (file)
@@ -239,6 +239,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the <edit/readline/readline.h> header file. */
 #undef HAVE_EDIT_READLINE_READLINE_H
 
+/* Define to 1 if you have the `EVP_sha1' function. */
+#undef HAVE_EVP_SHA1
+
+/* Define to 1 if you have the `EVP_sha224' function. */
+#undef HAVE_EVP_SHA224
+
 /* Define to 1 if you have the `EVP_sha256' function. */
 #undef HAVE_EVP_SHA256
 
index 5405d83010a67a8e4c11c69ef9e396f5ccdf2c9c..10f91bc6e6f6e1d9573376b34fe2c41b36a41406 100644 (file)
@@ -312,15 +312,6 @@ typedef __int64 off_t;
 /* Define to enable "rrset-order fixed" syntax. */
 @DNS_RDATASET_FIXED@
 
-/* Define to 1 if you have the `EVP_sha256' function. */
-@HAVE_EVP_SHA256@
-
-/* Define to 1 if you have the `EVP_sha384' function. */
-@HAVE_EVP_SHA384@
-
-/* Define to 1 if you have the `EVP_sha512' function. */
-@HAVE_EVP_SHA512@
-
 /* Define if OpenSSL provides FIPS_mode() */
 @HAVE_FIPS_MODE@
 
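Review bot: Dropping `@HAVE_EVP_SHA256@`, `@HAVE_EVP_SHA384@` and `@HAVE_EVP_SHA512@` here leaves the Windows build without the HAVE_EVP_SHA* macros that configure.in in this same commit still defines on Unix (and now extends to EVP_sha1 and EVP_sha224). The guards visible in this diff (opensslrsa_link.c, opensslecdsa_link.c) were removed, which is presumably the rationale, but any remaining `#ifdef HAVE_EVP_SHA256` elsewhere in the tree would now compile out silently on Windows only. Either drop the macros from configure.in as well or keep the win32 templates so both platforms agree, and record the decision with a line such as `/* SHA-1/SHA-2 EVP support is mandatory since OpenSSL 1.0.0; no HAVE_EVP_SHA* macros are needed. */`.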
index 88f21d857f908d4b543608104faa431e637a12d9..f036382f6ca6f045431dfb9f19bb54912b5032a3 100755 (executable)
--- a/configure
+++ b/configure
@@ -16385,6 +16385,36 @@ $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
                saved_libs="$LIBS"
                CFLAGS="$DST_OPENSSL_INC $CFLAGS"
                LIBS="$DST_OPENSSL_LIBS $LIBS"
+
+               { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL" >&5
+$as_echo_n "checking for OpenSSL >= 1.0.0 or LibreSSL... " >&6; }
+               cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+#include <openssl/opensslv.h>
+
+int
+main ()
+{
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+#error OpenSSL >= 1.0.0 or LibreSSL needed
+#endif
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+                            as_fn_error $? "OpenSSL >= 1.0.0 or LibreSSL not found" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
                { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
 $as_echo_n "checking whether linking with OpenSSL works... " >&6; }
                if test "$cross_compiling" = yes; then :
@@ -16536,7 +16566,7 @@ $as_echo "yes" >&6; }
 $as_echo "no" >&6; }
        fi
 
-       for ac_func in EVP_sha256 EVP_sha384 EVP_sha512
+       for ac_func in EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -16545,6 +16575,9 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
 #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
 
+else
+
+                          as_fn_error $? "SHA-1 and SHA-2 support in OpenSSL is mandatory." "$LINENO" 5
 fi
 done
 
@@ -16577,9 +16610,6 @@ else
 int main() {
        EC_KEY *ec256, *ec384;
 
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-       return (1);
-#endif
        ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
        if (ec256 == NULL || ec384 == NULL)
index 66992da669b075d4614f8ad79097437cedc51861..7accaf8bb1607f24083f47705feb91b7169ad1fd 100644 (file)
@@ -1626,6 +1626,20 @@ If you do not want OpenSSL, use --without-openssl])
                saved_libs="$LIBS"
                CFLAGS="$DST_OPENSSL_INC $CFLAGS"
                LIBS="$DST_OPENSSL_LIBS $LIBS"
+
+               AC_MSG_CHECKING(for OpenSSL >= 1.0.0 or LibreSSL)
+               AC_TRY_COMPILE([
+#include <openssl/opensslv.h>
+],
+[
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+#error OpenSSL >= 1.0.0 or LibreSSL needed
+#endif
+],
+                           [AC_MSG_RESULT([yes])],
+                           [AC_MSG_RESULT([no])
+                            AC_MSG_ERROR([OpenSSL >= 1.0.0 or LibreSSL not found])])
+
                AC_MSG_CHECKING(whether linking with OpenSSL works)
                AC_TRY_RUN([
 #include <openssl/err.h>
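Review bot: The floor at `#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)` admits OpenSSL 1.0.0 and 1.0.1, both already outside upstream security support when this was committed, and puts no lower bound at all on LibreSSL. If 1.0.0 is meant as the API floor rather than a supported release, say so beside the test, e.g. `dnl 1.0.0 is the API floor for the code below, not an endorsement; 1.0.2 is the oldest upstream-maintained branch`; otherwise raise the constant to `0x1000200fL`. The test is compile-only, so a header/library version mismatch is caught only by the AC_TRY_RUN that follows, and that run test is skipped when cross-compiling, so cross builds rely on the header alone; a comment noting that would save the next person a surprise.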
@@ -1710,7 +1724,8 @@ DSO_METHOD_dlfcn();
                AC_MSG_RESULT(no)
        fi
 
-       AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
+       AC_CHECK_FUNCS([EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [], [
+                          AC_MSG_ERROR([SHA-1 and SHA-2 support in OpenSSL is mandatory.])])
 
        AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
 
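Review bot: The action-if-not-found of `AC_CHECK_FUNCS([EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], ...)` runs once per missing function, so the error could name the culprit instead of the generic message: `AC_MSG_ERROR([$ac_func not found: SHA-1 and SHA-2 support in OpenSSL is mandatory.])`. EVP_sha224 is made mandatory here although nothing in the visible hunks calls it; if no caller exists, requiring it only narrows which libraries pass configure, so either drop it from the list or note where it is used.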
@@ -1722,9 +1737,6 @@ DSO_METHOD_dlfcn();
 int main() {
        EC_KEY *ec256, *ec384;
 
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-       return (1);
-#endif
        ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
        ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
        if (ec256 == NULL || ec384 == NULL)
index e844a935728c727f7df9c71e796f82f1a63a78b9..7b82b74c4888b09ab889cab830243dd834dffcf2 100644 (file)
@@ -114,9 +114,6 @@ struct dst_key {
                void *generic;
                gss_ctx_id_t gssctx;
 #ifdef OPENSSL
-#if !defined(USE_EVP) || !USE_EVP
-               RSA *rsa;
-#endif
 #ifndef PK11_DSA_DISABLE
                DSA *dsa;
 #endif
index ac479ce4849282ed55e08a64deb4bd278b39c1bc..65962f21caa6483086e2ac2aff018d7014d9fcde 100644 (file)
@@ -59,7 +59,7 @@ static int nlocks;
 static ENGINE *e = NULL;
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
 lock_callback(int mode, int type, const char *file, int line) {
        UNUSED(file);
@@ -71,7 +71,7 @@ lock_callback(int mode, int type, const char *file, int line) {
 }
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 static unsigned long
 id_callback(void) {
        return ((unsigned long)isc_thread_self());
@@ -135,7 +135,7 @@ mem_realloc(void *ptr, size_t size FLARG) {
 #endif
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 static void
 _set_thread_id(CRYPTO_THREADID *id)
 {
@@ -166,12 +166,11 @@ dst__openssl_init(const char *engine) {
        if (result != ISC_R_SUCCESS)
                goto cleanup_mutexalloc;
        CRYPTO_set_locking_callback(lock_callback);
-# if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
-       CRYPTO_THREADID_set_callback(_set_thread_id);
-# else
+# if defined(LIBRESSL_VERSION_NUMBER)
        CRYPTO_set_id_callback(id_callback);
+# elif OPENSSL_VERSION_NUMBER < 0x10100000L
+       CRYPTO_THREADID_set_callback(_set_thread_id);
 # endif
-
        ERR_load_crypto_strings();
 #endif
 
@@ -237,32 +236,24 @@ dst__openssl_init(const char *engine) {
 
 void
 dst__openssl_destroy(void) {
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-       OPENSSL_cleanup();
-#else
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
        /*
         * Sequence taken from apps_shutdown() in <apps/apps.h>.
         */
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
        CONF_modules_free();
-#endif
        OBJ_cleanup();
        EVP_cleanup();
 #if !defined(OPENSSL_NO_ENGINE)
        if (e != NULL)
                ENGINE_free(e);
        e = NULL;
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
        ENGINE_cleanup();
 #endif
-#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
        CRYPTO_cleanup_all_ex_data();
-#endif
        ERR_clear_error();
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        ERR_remove_thread_state(NULL);
-#elif OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+#elif defined(LIBRESSL_VERSION_NUMBER)
        ERR_remove_state(0);
 #endif
        ERR_free_strings();
@@ -277,6 +268,8 @@ dst__openssl_destroy(void) {
                mem_free(locks FILELINE);
                locks = NULL;
        }
+#else
+       OPENSSL_cleanup();
 #endif
 }
 
index 7e3a5d77b3b59bace9b03eaec1a7610359d7520c..ebdaeaa0da388f854c5c500b3d906b1083abc3d9 100644 (file)
@@ -240,7 +240,6 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
        return (ISC_TRUE);
 }
 
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
        union {
@@ -255,12 +254,10 @@ progress_cb(int p, int n, BN_GENCB *cb) {
                u.fptr(p);
        return (1);
 }
-#endif
 
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
        DH *dh = NULL;
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
        BN_GENCB *cb;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
        BN_GENCB _cb;
@@ -269,10 +266,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
                void *dptr;
                void (*fptr)(int);
        } u;
-#else
-
-       UNUSED(callback);
-#endif
 
        if (generator == 0) {
                if (key->key_size == 768 ||
@@ -303,7 +296,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
        }
 
        if (generator != 0) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
                dh = DH_new();
                if (dh == NULL)
                        return (dst__openssl_toresult(ISC_R_NOMEMORY));
@@ -331,14 +323,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
                }
                BN_GENCB_free(cb);
                cb = NULL;
-#else
-               dh = DH_generate_parameters(key->key_size, generator,
-                                           NULL, NULL);
-               if (dh == NULL)
-                       return (dst__openssl_toresult2(
-                                       "DH_generate_parameters",
-                                       DST_R_OPENSSLFAILURE));
-#endif
        }
 
        if (DH_generate_key(dh) == 0) {
index dfbd484247855bcc411fa323fe216040476ea60e..355af0e6e06bf3b278d1d9790a62a869e94292f1 100644 (file)
@@ -24,9 +24,6 @@
  */
 
 #ifdef OPENSSL
-#ifndef USE_EVP
-#define USE_EVP 1
-#endif
 
 #include <config.h>
 
@@ -127,7 +124,6 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
 
 static isc_result_t
 openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx;
 
        UNUSED(key);
@@ -144,53 +140,25 @@ openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
        dctx->ctxdata.evp_md_ctx = evp_md_ctx;
 
        return (ISC_R_SUCCESS);
-#else
-       isc_sha1_t *sha1ctx;
-
-       UNUSED(key);
-
-       sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
-       if (sha1ctx == NULL)
-               return (ISC_R_NOMEMORY);
-       isc_sha1_init(sha1ctx);
-       dctx->ctxdata.sha1ctx = sha1ctx;
-       return (ISC_R_SUCCESS);
-#endif
 }
 
 static void
 openssldsa_destroyctx(dst_context_t *dctx) {
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 
        if (evp_md_ctx != NULL) {
                EVP_MD_CTX_destroy(evp_md_ctx);
                dctx->ctxdata.evp_md_ctx = NULL;
        }
-#else
-       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-       if (sha1ctx != NULL) {
-               isc_sha1_invalidate(sha1ctx);
-               isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
-               dctx->ctxdata.sha1ctx = NULL;
-       }
-#endif
 }
 
 static isc_result_t
 openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 
        if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
                return (ISC_R_FAILURE);
        }
-#else
-       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-       isc_sha1_update(sha1ctx, data->base, data->length);
-#endif
        return (ISC_R_SUCCESS);
 }
 
@@ -211,22 +179,16 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
        DSA_SIG *dsasig;
        const BIGNUM *r = 0, *s = NULL;
        unsigned int klen;
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
        EVP_PKEY *pkey;
        unsigned char *sigbuf;
        const unsigned char *sb;
        unsigned int siglen;
-#else
-       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-       unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-#endif
 
        isc_buffer_availableregion(sig, &region);
        if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
                return (ISC_R_NOSPACE);
 
-#if USE_EVP
        pkey = EVP_PKEY_new();
        if (pkey == NULL)
                return (ISC_R_NOMEMORY);
@@ -263,28 +225,6 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
        }
        free(sigbuf);
 
-#elif 0
-       /* Only use EVP for the Digest */
-       if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
-               return (dst__openssl_toresult3(dctx->category,
-                                              "EVP_DigestFinal_ex",
-                                              ISC_R_FAILURE));
-       }
-       dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
-       if (dsasig == NULL)
-               return (dst__openssl_toresult3(dctx->category,
-                                              "DSA_do_sign",
-                                              DST_R_SIGNFAILURE));
-#else
-       isc_sha1_final(sha1ctx, digest);
-
-       dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
-       if (dsasig == NULL)
-               return (dst__openssl_toresult3(dctx->category,
-                                              "DSA_do_sign",
-                                              DST_R_SIGNFAILURE));
-#endif
-
        klen = (key->key_size - 512)/64;
        if (klen > 255)
                return (ISC_R_FAILURE);
@@ -310,29 +250,14 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
        int status = 0;
        unsigned char *cp = sig->base;
        DSA_SIG *dsasig;
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#if 0
-       EVP_PKEY *pkey;
-       unsigned char *sigbuf;
-#endif
        unsigned int siglen;
-#else
-       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-#endif
        unsigned char digest[ISC_SHA1_DIGESTLENGTH];
 
-
-#if USE_EVP
-#if 1
        /* Only use EVP for the digest */
        if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
                return (ISC_R_FAILURE);
        }
-#endif
-#else
-       isc_sha1_final(sha1ctx, digest);
-#endif
 
        if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
                return (DST_R_VERIFYFAILURE);
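Review bot: The EVP_DigestFinal_ex failure path `return (ISC_R_FAILURE);` discards the OpenSSL error queue, whereas the RSA counterpart touched by this same commit reports through `dst__openssl_toresult3(dctx->category, "EVP_DigestUpdate", ISC_R_FAILURE)`; now that the non-EVP fallback is gone the DSA path can report the same way, `return (dst__openssl_toresult3(dctx->category, "EVP_DigestFinal_ex", ISC_R_FAILURE));`. With the `#if 1` wrapper removed, the comment "Only use EVP for the digest" still reads as if an alternative existed; `/* Digest with EVP, then verify with DSA_do_verify() below */` says what is actually left. openssldsa_verify continues past the end of this hunk.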
@@ -347,28 +272,8 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
        s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
        DSA_SIG_set0(dsasig, r, s);
 
-#if 0
-       pkey = EVP_PKEY_new();
-       if (pkey == NULL)
-               return (ISC_R_NOMEMORY);
-       if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
-               EVP_PKEY_free(pkey);
-               return (ISC_R_FAILURE);
-       }
-       /* Convert to Dss-Sig-Value (RFC2459). */
-       sigbuf = malloc(EVP_PKEY_size(pkey) + 50);
-       if (sigbuf == NULL) {
-               EVP_PKEY_free(pkey);
-               return (ISC_R_NOMEMORY);
-       }
-       siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf);
-       INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
-       status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey);
-       EVP_PKEY_free(pkey);
-       free(sigbuf);
-#else
        status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
-#endif
+
        DSA_SIG_free(dsasig);
        switch (status) {
        case 1:
@@ -416,7 +321,6 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
        return (ISC_TRUE);
 }
 
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
        union {
@@ -431,14 +335,12 @@ progress_cb(int p, int n, BN_GENCB *cb) {
                u.fptr(p);
        return (1);
 }
-#endif
 
 static isc_result_t
 openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
        DSA *dsa;
        unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
        isc_result_t result;
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
        BN_GENCB *cb;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
        BN_GENCB _cb;
@@ -448,10 +350,6 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
                void (*fptr)(int);
        } u;
 
-#else
-
-       UNUSED(callback);
-#endif
        UNUSED(unused);
 
        result = dst__entropy_getdata(rand_array, sizeof(rand_array),
@@ -459,7 +357,6 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
        if (result != ISC_R_SUCCESS)
                return (result);
 
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
        dsa = DSA_new();
        if (dsa == NULL)
                return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -488,14 +385,6 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
        }
        BN_GENCB_free(cb);
        cb = NULL;
-#else
-       dsa = DSA_generate_parameters(key->key_size, rand_array,
-                                     ISC_SHA1_DIGESTLENGTH, NULL, NULL,
-                                     NULL, NULL);
-       if (dsa == NULL)
-               return (dst__openssl_toresult2("DSA_generate_parameters",
-                                              DST_R_OPENSSLFAILURE));
-#endif
 
        if (DSA_generate_key(dsa) == 0) {
                DSA_free(dsa);
index 2e474592492741480281c76d14403a6e642b3d91..3b8ba82e25911ae117589350c3b019ca11759cd9 100644 (file)
 
 #if defined(OPENSSL) && defined(HAVE_OPENSSL_ECDSA)
 
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-#error "ECDSA without EVP for SHA2?"
-#endif
-
 #include <isc/entropy.h>
 #include <isc/mem.h>
 #include <isc/safe.h>
index 17c48679db8dd3a407c630639503220f3c1ae253..867b8f6cadc121bf02d279d54d45c4c70ea18941 100644 (file)
 #ifdef OPENSSL
 #include <config.h>
 
-#ifndef USE_EVP
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA512)
-#define USE_EVP 0
-#else
-#define USE_EVP 1
-#endif
-#endif
-
-
 #include <isc/entropy.h>
 #include <isc/md5.h>
 #include <isc/mem.h>
@@ -44,9 +35,7 @@
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/rsa.h>
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 #include <openssl/bn.h>
-#endif
 #if !defined(OPENSSL_NO_ENGINE)
 #include <openssl/engine.h>
 #endif
  * We don't use configure for windows so enforce the OpenSSL version
  * here.  Unlike with configure we don't support overriding this test.
  */
-#ifdef WIN32
-#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
-       OPENSSL_VERSION_NUMBER < 0x00908000L) || \
-      (OPENSSL_VERSION_NUMBER >= 0x0090804fL && \
-       OPENSSL_VERSION_NUMBER < 0x10002000L) || \
-      OPENSSL_VERSION_NUMBER >= 0x1000205fL)
-#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
-#endif
-#endif
-
-
-       /*
-        * XXXMPA  Temporarily disable RSA_BLINDING as it requires
-        * good quality random data that cannot currently be guaranteed.
-        * XXXMPA  Find which versions of openssl use pseudo random data
-        * and set RSA_FLAG_BLINDING for those.
-        */
-
-#if 0
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
-       do { \
-       (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
-       (rsa)->flags |= RSA_FLAG_BLINDING; \
-       } while (0)
-#else
-#define SET_FLAGS(rsa) \
-       do { \
-               (rsa)->flags |= RSA_FLAG_BLINDING; \
-       } while (0)
-#endif
+#if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L)
+#error Please upgrade OpenSSL to 1.0.0 or greater.
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
-       do { \
-       (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
-       (rsa)->flags &= ~RSA_FLAG_BLINDING; \
-       } while (0)
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-#if defined(RSA_FLAG_NO_BLINDING)
-#define SET_FLAGS(rsa) \
-       do { \
-               (rsa)->flags &= ~RSA_FLAG_BLINDING; \
-               (rsa)->flags |= RSA_FLAG_NO_BLINDING; \
-       } while (0)
-#else
-#define SET_FLAGS(rsa) \
-       do { \
-               (rsa)->flags &= ~RSA_FLAG_BLINDING; \
-       } while (0)
-#endif
-#else
-#define SET_FLAGS(rsa) \
-       do { \
-               RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \
-               RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \
-       } while (0)
-#endif
 #define DST_RET(a) {ret = a; goto err;}
 
 #if !defined(HAVE_RSA_SET0_KEY)
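Review bot: The rewritten Windows floor `#if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L)` now accepts 1.0.2 through 1.0.2d, which the removed test deliberately excluded (it required `OPENSSL_VERSION_NUMBER >= 0x1000205fL` for the 1.0.2 series); if that exclusion tracked a known defect, that branch of the test should survive. It also uses 0x10000000L where configure.in uses 0x1000000fL, so pre-release 1.0.0 builds pass here but not there; use the same constant in both places. Separately, deleting the SET_FLAGS macros removes the code that set `RSA_FLAG_NO_BLINDING`, so RSA blinding now follows OpenSSL's default instead of being explicitly disabled; that is the safer direction against timing side channels, but it is a behavioural change the commit title does not mention and deserves a line in the commit message, and the SET_FLAGS call sites, which lie outside this hunk, must have been removed with the macros or the build breaks.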
@@ -256,10 +190,8 @@ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx;
        const EVP_MD *type = NULL;
-#endif
 
        UNUSED(key);
 #ifndef PK11_MD5_DISABLE
@@ -302,7 +234,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
                INSIST(0);
        }
 
-#if USE_EVP
        evp_md_ctx = EVP_MD_CTX_create();
        if (evp_md_ctx == NULL)
                return (ISC_R_NOMEMORY);
@@ -317,16 +248,12 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
        case DST_ALG_NSEC3RSASHA1:
                type = EVP_sha1();      /* SHA1 + RSA */
                break;
-#ifdef HAVE_EVP_SHA256
        case DST_ALG_RSASHA256:
                type = EVP_sha256();    /* SHA256 + RSA */
                break;
-#endif
-#ifdef HAVE_EVP_SHA512
        case DST_ALG_RSASHA512:
                type = EVP_sha512();
                break;
-#endif
        default:
                INSIST(0);
        }
@@ -338,70 +265,13 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
                                               ISC_R_FAILURE));
        }
        dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-#else
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-               {
-                       isc_md5_t *md5ctx;
-
-                       md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
-                       if (md5ctx == NULL)
-                               return (ISC_R_NOMEMORY);
-                       isc_md5_init(md5ctx);
-                       dctx->ctxdata.md5ctx = md5ctx;
-               }
-               break;
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               {
-                       isc_sha1_t *sha1ctx;
-
-                       sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
-                       if (sha1ctx == NULL)
-                               return (ISC_R_NOMEMORY);
-                       isc_sha1_init(sha1ctx);
-                       dctx->ctxdata.sha1ctx = sha1ctx;
-               }
-               break;
-       case DST_ALG_RSASHA256:
-               {
-                       isc_sha256_t *sha256ctx;
-
-                       sha256ctx = isc_mem_get(dctx->mctx,
-                                               sizeof(isc_sha256_t));
-                       if (sha256ctx == NULL)
-                               return (ISC_R_NOMEMORY);
-                       isc_sha256_init(sha256ctx);
-                       dctx->ctxdata.sha256ctx = sha256ctx;
-               }
-               break;
-       case DST_ALG_RSASHA512:
-               {
-                       isc_sha512_t *sha512ctx;
-
-                       sha512ctx = isc_mem_get(dctx->mctx,
-                                               sizeof(isc_sha512_t));
-                       if (sha512ctx == NULL)
-                               return (ISC_R_NOMEMORY);
-                       isc_sha512_init(sha512ctx);
-                       dctx->ctxdata.sha512ctx = sha512ctx;
-               }
-               break;
-       default:
-               INSIST(0);
-       }
-#endif
 
        return (ISC_R_SUCCESS);
 }
 
 static void
 opensslrsa_destroyctx(dst_context_t *dctx) {
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#endif
 
 #ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -416,75 +286,15 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
                dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
 
-#if USE_EVP
        if (evp_md_ctx != NULL) {
                EVP_MD_CTX_destroy(evp_md_ctx);
                dctx->ctxdata.evp_md_ctx = NULL;
        }
-#else
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-               {
-                       isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-                       if (md5ctx != NULL) {
-                               isc_md5_invalidate(md5ctx);
-                               isc_mem_put(dctx->mctx, md5ctx,
-                                           sizeof(isc_md5_t));
-                               dctx->ctxdata.md5ctx = NULL;
-                       }
-               }
-               break;
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               {
-                       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-                       if (sha1ctx != NULL) {
-                               isc_sha1_invalidate(sha1ctx);
-                               isc_mem_put(dctx->mctx, sha1ctx,
-                                           sizeof(isc_sha1_t));
-                               dctx->ctxdata.sha1ctx = NULL;
-                       }
-               }
-               break;
-       case DST_ALG_RSASHA256:
-               {
-                       isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-                       if (sha256ctx != NULL) {
-                               isc_sha256_invalidate(sha256ctx);
-                               isc_mem_put(dctx->mctx, sha256ctx,
-                                           sizeof(isc_sha256_t));
-                               dctx->ctxdata.sha256ctx = NULL;
-                       }
-               }
-               break;
-       case DST_ALG_RSASHA512:
-               {
-                       isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-                       if (sha512ctx != NULL) {
-                               isc_sha512_invalidate(sha512ctx);
-                               isc_mem_put(dctx->mctx, sha512ctx,
-                                           sizeof(isc_sha512_t));
-                               dctx->ctxdata.sha512ctx = NULL;
-                       }
-               }
-               break;
-       default:
-               INSIST(0);
-       }
-#endif
 }
 
 static isc_result_t
 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#endif
 
 #ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -499,87 +309,21 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
                dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
 
-#if USE_EVP
        if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
                return (dst__openssl_toresult3(dctx->category,
                                               "EVP_DigestUpdate",
                                               ISC_R_FAILURE));
        }
-#else
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-               {
-                       isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-                       isc_md5_update(md5ctx, data->base, data->length);
-               }
-               break;
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               {
-                       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-                       isc_sha1_update(sha1ctx, data->base, data->length);
-               }
-               break;
-       case DST_ALG_RSASHA256:
-               {
-                       isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-                       isc_sha256_update(sha256ctx, data->base, data->length);
-               }
-               break;
-       case DST_ALG_RSASHA512:
-               {
-                       isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-                       isc_sha512_update(sha512ctx, data->base, data->length);
-               }
-               break;
-       default:
-               INSIST(0);
-       }
-#endif
        return (ISC_R_SUCCESS);
 }
 
-#if ! USE_EVP && OPENSSL_VERSION_NUMBER < 0x00908000L
-/*
- * Digest prefixes from RFC 5702.
- */
-static unsigned char sha256_prefix[] =
-        { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
-          0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
-static unsigned char sha512_prefix[] =
-        { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
-          0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
-#define PREFIXLEN sizeof(sha512_prefix)
-#else
-#define PREFIXLEN 0
-#endif
-
 static isc_result_t
 opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
        dst_key_t *key = dctx->key;
        isc_region_t r;
        unsigned int siglen = 0;
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
        EVP_PKEY *pkey = key->keydata.pkey;
-#else
-       RSA *rsa = key->keydata.rsa;
-       /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
-       unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
-       int status;
-       int type = 0;
-       unsigned int digestlen = 0;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-       unsigned int prefixlen = 0;
-       const unsigned char *prefix = NULL;
-#endif
-#endif
 
 #ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -596,7 +340,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 
        isc_buffer_availableregion(sig, &r);
 
-#if USE_EVP
        if (r.length < (unsigned int) EVP_PKEY_size(pkey))
                return (ISC_R_NOSPACE);
 
@@ -605,105 +348,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
                                               "EVP_SignFinal",
                                               ISC_R_FAILURE));
        }
-#else
-       if (r.length < (unsigned int) RSA_size(rsa))
-               return (ISC_R_NOSPACE);
-
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-               {
-                       isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-                       isc_md5_final(md5ctx, digest);
-                       type = NID_md5;
-                       digestlen = ISC_MD5_DIGESTLENGTH;
-               }
-               break;
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               {
-                       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-                       isc_sha1_final(sha1ctx, digest);
-                       type = NID_sha1;
-                       digestlen = ISC_SHA1_DIGESTLENGTH;
-               }
-               break;
-       case DST_ALG_RSASHA256:
-               {
-                       isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-                       isc_sha256_final(digest, sha256ctx);
-                       digestlen = ISC_SHA256_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-                       prefix = sha256_prefix;
-                       prefixlen = sizeof(sha256_prefix);
-#else
-                       type = NID_sha256;
-#endif
-               }
-               break;
-       case DST_ALG_RSASHA512:
-               {
-                       isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-                       isc_sha512_final(digest, sha512ctx);
-                       digestlen = ISC_SHA512_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-                       prefix = sha512_prefix;
-                       prefixlen = sizeof(sha512_prefix);
-#else
-                       type = NID_sha512;
-#endif
-               }
-               break;
-       default:
-               INSIST(0);
-       }
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               INSIST(type != 0);
-               status = RSA_sign(type, digest, digestlen, r.base,
-                                 &siglen, rsa);
-               break;
-
-       case DST_ALG_RSASHA256:
-       case DST_ALG_RSASHA512:
-               INSIST(prefix != NULL);
-               INSIST(prefixlen != 0);
-               INSIST(prefixlen + digestlen <= sizeof(digest));
-
-               memmove(digest + prefixlen, digest, digestlen);
-               memmove(digest, prefix, prefixlen);
-               status = RSA_private_encrypt(digestlen + prefixlen,
-                                            digest, r.base, rsa,
-                                            RSA_PKCS1_PADDING);
-               if (status < 0)
-                       status = 0;
-               else
-                       siglen = status;
-               break;
-
-       default:
-               INSIST(0);
-       }
-#else
-       INSIST(type != 0);
-       status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
-#endif
-       if (status == 0)
-               return (dst__openssl_toresult3(dctx->category,
-                                              "RSA_sign",
-                                              DST_R_OPENSSLFAILURE));
-#endif
 
        isc_buffer_add(sig, siglen);
 
@@ -715,22 +359,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
        dst_key_t *key = dctx->key;
        int status = 0;
        const BIGNUM *e = NULL;
-#if USE_EVP
        EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
        EVP_PKEY *pkey = key->keydata.pkey;
        RSA *rsa;
        int bits;
-#else
-       /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
-       unsigned char digest[ISC_SHA512_DIGESTLENGTH];
-       int type = 0;
-       unsigned int digestlen = 0;
-       RSA *rsa = key->keydata.rsa;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-       unsigned int prefixlen = 0;
-       const unsigned char *prefix = NULL;
-#endif
-#endif
 
 #ifndef PK11_MD5_DISABLE
        REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -745,7 +377,6 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
                dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
 
-#if USE_EVP
        rsa = EVP_PKEY_get1_RSA(pkey);
        if (rsa == NULL)
                return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -766,126 +397,6 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
                                               "EVP_VerifyFinal",
                                               DST_R_VERIFYFAILURE));
        }
-#else
-       RSA_get0_key(rsa, NULL, &e, NULL);
-       if (BN_num_bits(e) > maxbits && maxbits != 0)
-               return (DST_R_VERIFYFAILURE);
-
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-               {
-                       isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
-                       isc_md5_final(md5ctx, digest);
-                       type = NID_md5;
-                       digestlen = ISC_MD5_DIGESTLENGTH;
-               }
-               break;
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               {
-                       isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
-                       isc_sha1_final(sha1ctx, digest);
-                       type = NID_sha1;
-                       digestlen = ISC_SHA1_DIGESTLENGTH;
-               }
-               break;
-       case DST_ALG_RSASHA256:
-               {
-                       isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
-                       isc_sha256_final(digest, sha256ctx);
-                       digestlen = ISC_SHA256_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-                       prefix = sha256_prefix;
-                       prefixlen = sizeof(sha256_prefix);
-#else
-                       type = NID_sha256;
-#endif
-               }
-               break;
-       case DST_ALG_RSASHA512:
-               {
-                       isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
-                       isc_sha512_final(digest, sha512ctx);
-                       digestlen = ISC_SHA512_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-                       prefix = sha512_prefix;
-                       prefixlen = sizeof(sha512_prefix);
-#else
-                       type = NID_sha512;
-#endif
-               }
-               break;
-       default:
-               INSIST(0);
-       }
-
-       if (sig->length != (unsigned int) RSA_size(rsa))
-               return (DST_R_VERIFYFAILURE);
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-       switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
-       case DST_ALG_RSAMD5:
-#endif
-       case DST_ALG_RSASHA1:
-       case DST_ALG_NSEC3RSASHA1:
-               INSIST(type != 0);
-               status = RSA_verify(type, digest, digestlen, sig->base,
-                                   RSA_size(rsa), rsa);
-               break;
-
-       case DST_ALG_RSASHA256:
-       case DST_ALG_RSASHA512:
-               {
-                       /*
-                        * 1024 is big enough for all valid RSA bit sizes
-                        * for use with DNSSEC.
-                        */
-                       unsigned char original[PREFIXLEN + 1024];
-
-                       INSIST(prefix != NULL);
-                       INSIST(prefixlen != 0U);
-
-                       if (RSA_size(rsa) > (int)sizeof(original))
-                               return (DST_R_VERIFYFAILURE);
-
-                       status = RSA_public_decrypt(sig->length, sig->base,
-                                                   original, rsa,
-                                                   RSA_PKCS1_PADDING);
-                       if (status <= 0)
-                               return (dst__openssl_toresult3(
-                                               dctx->category,
-                                               "RSA_public_decrypt",
-                                               DST_R_VERIFYFAILURE));
-                       if (status != (int)(prefixlen + digestlen))
-                               return (DST_R_VERIFYFAILURE);
-                       if (!isc_safe_memequal(original, prefix, prefixlen))
-                               return (DST_R_VERIFYFAILURE);
-                       if (!isc_safe_memequal(original + prefixlen,
-                                           digest, digestlen))
-                               return (DST_R_VERIFYFAILURE);
-                       status = 1;
-               }
-               break;
-
-       default:
-               INSIST(0);
-       }
-#else
-       INSIST(type != 0);
-       status = RSA_verify(type, digest, digestlen, sig->base,
-                            RSA_size(rsa), rsa);
-#endif
-       if (status != 1)
-               return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
-       return (ISC_R_SUCCESS);
-#endif
 }
 
 static isc_result_t
@@ -902,11 +413,8 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
        const BIGNUM *d1 = NULL, *d2 = NULL;
        const BIGNUM *p1 = NULL, *p2 = NULL;
        const BIGNUM *q1 = NULL, *q2 = NULL;
-#if USE_EVP
        EVP_PKEY *pkey1, *pkey2;
-#endif
 
-#if USE_EVP
        pkey1 = key1->keydata.pkey;
        pkey2 = key2->keydata.pkey;
        /*
@@ -921,10 +429,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
                rsa2 = EVP_PKEY_get1_RSA(pkey2);
                RSA_free(rsa2);
        }
-#else
-       rsa1 = key1->keydata.rsa;
-       rsa2 = key2->keydata.rsa;
-#endif
 
        if (rsa1 == NULL && rsa2 == NULL)
                return (ISC_TRUE);
@@ -938,7 +442,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
        if (status != 0)
                return (ISC_FALSE);
 
-#if USE_EVP
        if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
            RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) {
                if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
@@ -949,7 +452,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
                 */
                return (ISC_TRUE);
        }
-#endif
 
        if (d1 != NULL || d2 != NULL) {
                if (d1 == NULL || d2 == NULL)
@@ -964,7 +466,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
        return (ISC_TRUE);
 }
 
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
        union {
@@ -979,11 +480,9 @@ progress_cb(int p, int n, BN_GENCB *cb) {
                u.fptr(p);
        return (1);
 }
-#endif
 
 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
        isc_result_t ret = DST_R_OPENSSLFAILURE;
        union {
                void *dptr;
@@ -995,9 +494,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
        BN_GENCB _cb;
 #endif
        BN_GENCB *cb = BN_GENCB_new();
-#if USE_EVP
        EVP_PKEY *pkey = EVP_PKEY_new();
-#endif
 
        /*
         * Reject incorrect RSA key lengths.
@@ -1028,12 +525,10 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 
        if (rsa == NULL || e == NULL || cb == NULL)
                goto err;
-#if USE_EVP
        if (pkey == NULL)
                goto err;
        if (!EVP_PKEY_set1_RSA(pkey, rsa))
                goto err;
-#endif
 
        if (exp == 0) {
                /* RSA_F4 0x10001 */
@@ -1056,26 +551,19 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
                BN_free(e);
                BN_GENCB_free(cb);
                cb = NULL;
-               SET_FLAGS(rsa);
-#if USE_EVP
                key->keydata.pkey = pkey;
 
                RSA_free(rsa);
-#else
-               key->keydata.rsa = rsa;
-#endif
                return (ISC_R_SUCCESS);
        }
        ret = dst__openssl_toresult2("RSA_generate_key_ex",
                                     DST_R_OPENSSLFAILURE);
 
  err:
-#if USE_EVP
        if (pkey != NULL) {
                EVP_PKEY_free(pkey);
                pkey = NULL;
        }
-#endif
        if (e != NULL) {
                BN_free(e);
                e = NULL;
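Review bot: Dropping `SET_FLAGS(rsa);` here removes the only explicit RSA flag setup on a freshly generated key, and the macro's definition lies outside this hunk, so a reader of the diff cannot tell what protection it used to add. If, as its name and the old version guards suggest, it forced RSA_FLAG_BLINDING on pre-1.0 OpenSSL, the removal is safe because OpenSSL 1.0.0 and later blind private-key operations by default unless RSA_FLAG_NO_BLINDING is set explicitly, but that reasoning should survive in the code: `/* RSA blinding is on by default in OpenSSL >= 1.0.0; no SET_FLAGS(rsa) needed. */` above `key->keydata.pkey = pkey;`. The same applies to the SET_FLAGS removals in opensslrsa_fromdns and opensslrsa_parse further down. opensslrsa_generate begins before this hunk.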
@@ -1089,60 +577,15 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
                cb = NULL;
        }
        return (dst__openssl_toresult(ret));
-#else
-       RSA *rsa;
-       unsigned long e;
-#if USE_EVP
-       EVP_PKEY *pkey = EVP_PKEY_new();
-
-       UNUSED(callback);
-
-       if (pkey == NULL)
-               return (ISC_R_NOMEMORY);
-#else
-       UNUSED(callback);
-#endif
-
-       if (exp == 0)
-              e = RSA_F4;
-       else
-              e = 0x40000003;
-       rsa = RSA_generate_key(key->key_size, e, NULL, NULL);
-       if (rsa == NULL) {
-#if USE_EVP
-               EVP_PKEY_free(pkey);
-#endif
-               return (dst__openssl_toresult2("RSA_generate_key",
-                                              DST_R_OPENSSLFAILURE));
-       }
-       SET_FLAGS(rsa);
-#if USE_EVP
-       if (!EVP_PKEY_set1_RSA(pkey, rsa)) {
-               EVP_PKEY_free(pkey);
-               RSA_free(rsa);
-               return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-       }
-       key->keydata.pkey = pkey;
-       RSA_free(rsa);
-#else
-       key->keydata.rsa = rsa;
-#endif
-
-       return (ISC_R_SUCCESS);
-#endif
 }
 
 static isc_boolean_t
 opensslrsa_isprivate(const dst_key_t *key) {
        const BIGNUM *d = NULL;
-#if USE_EVP
        RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
        INSIST(rsa != NULL);
        RSA_free(rsa);
        /* key->keydata.pkey still has a reference so rsa is still valid. */
-#else
-       RSA *rsa = key->keydata.rsa;
-#endif
        if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)
                return (ISC_TRUE);
        RSA_get0_key(rsa, NULL, NULL, &d);
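Review bot: With the non-EVP path gone, the `rsa != NULL &&` guard in `if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)` in opensslrsa_isprivate is dead: the only remaining assignment is `EVP_PKEY_get1_RSA(key->keydata.pkey)` followed by `INSIST(rsa != NULL);`, so the condition can never be false. It only existed because the removed `#else` branch read `key->keydata.rsa`, which could be NULL. Simplify it to `if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)` so the INSIST is visibly the single null check. The function continues past the end of this hunk.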
@@ -1151,15 +594,9 @@ opensslrsa_isprivate(const dst_key_t *key) {
 
 static void
 opensslrsa_destroy(dst_key_t *key) {
-#if USE_EVP
        EVP_PKEY *pkey = key->keydata.pkey;
        EVP_PKEY_free(pkey);
        key->keydata.pkey = NULL;
-#else
-       RSA *rsa = key->keydata.rsa;
-       RSA_free(rsa);
-       key->keydata.rsa = NULL;
-#endif
 }
 
 static isc_result_t
@@ -1169,25 +606,15 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
        unsigned int mod_bytes;
        isc_result_t ret;
        RSA *rsa;
-#if USE_EVP
        EVP_PKEY *pkey;
-#endif
        const BIGNUM *e = NULL, *n = NULL;
 
-#if USE_EVP
        REQUIRE(key->keydata.pkey != NULL);
-#else
-       REQUIRE(key->keydata.rsa != NULL);
-#endif
 
-#if USE_EVP
        pkey = key->keydata.pkey;
        rsa = EVP_PKEY_get1_RSA(pkey);
        if (rsa == NULL)
                return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-#else
-       rsa = key->keydata.rsa;
-#endif
 
        isc_buffer_availableregion(data, &r);
 
@@ -1220,10 +647,8 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
 
        ret = ISC_R_SUCCESS;
  err:
-#if USE_EVP
        if (rsa != NULL)
                RSA_free(rsa);
-#endif
        return (ret);
 }
 
@@ -1233,9 +658,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
        isc_region_t r;
        unsigned int e_bytes;
        unsigned int length;
-#if USE_EVP
        EVP_PKEY *pkey;
-#endif
        BIGNUM *e = NULL, *n = NULL;
 
        isc_buffer_remainingregion(data, &r);
@@ -1246,7 +669,6 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
        rsa = RSA_new();
        if (rsa == NULL)
                return (dst__openssl_toresult(ISC_R_NOMEMORY));
-       SET_FLAGS(rsa);
 
        if (r.length < 1) {
                RSA_free(rsa);
@@ -1283,7 +705,6 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
 
        isc_buffer_forward(data, length);
 
-#if USE_EVP
        pkey = EVP_PKEY_new();
        if (pkey == NULL) {
                RSA_free(rsa);
@@ -1296,9 +717,6 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
        }
        key->keydata.pkey = pkey;
        RSA_free(rsa);
-#else
-       key->keydata.rsa = rsa;
-#endif
 
        return (ISC_R_SUCCESS);
 }
@@ -1314,17 +732,11 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
        const BIGNUM *p = NULL, *q = NULL;
        const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
 
-#if USE_EVP
        if (key->keydata.pkey == NULL)
                return (DST_R_NULLKEY);
        rsa = EVP_PKEY_get1_RSA(key->keydata.pkey);
        if (rsa == NULL)
                return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-#else
-       if (key->keydata.rsa == NULL)
-               return (DST_R_NULLKEY);
-       rsa = key->keydata.rsa;
-#endif
        memset(bufs, 0, sizeof(bufs));
 
        RSA_get0_key(rsa, &n, &e, &d);
@@ -1427,9 +839,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
        priv.nelements = i;
        result = dst__privstruct_writefile(key, &priv, directory);
  fail:
-#if USE_EVP
        RSA_free(rsa);
-#endif
        for (i = 0; i < 8; i++) {
                if (bufs[i] == NULL)
                        break;
@@ -1488,9 +898,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 #endif
        isc_mem_t *mctx = key->mctx;
        const char *engine = NULL, *label = NULL;
-#if !defined(OPENSSL_NO_ENGINE) || USE_EVP
        EVP_PKEY *pkey = NULL;
-#endif
        BIGNUM *n = NULL, *e = NULL, *d = NULL;
        BIGNUM *p = NULL, *q = NULL;
        BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
@@ -1513,15 +921,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
                return (ISC_R_SUCCESS);
        }
 
-#if USE_EVP
        if (pub != NULL && pub->keydata.pkey != NULL)
                pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
-#else
-       if (pub != NULL && pub->keydata.rsa != NULL) {
-               pubrsa = pub->keydata.rsa;
-               pub->keydata.rsa = NULL;
-       }
-#endif
 
        for (i = 0; i < priv.nelements; i++) {
                switch (priv.elements[i].tag) {
@@ -1569,13 +970,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
                if (pubrsa != NULL)
                        RSA_free(pubrsa);
                key->key_size = EVP_PKEY_bits(pkey);
-#if USE_EVP
                key->keydata.pkey = pkey;
                RSA_free(rsa);
-#else
-               key->keydata.rsa = rsa;
-               EVP_PKEY_free(pkey);
-#endif
                dst__privstruct_free(&priv, mctx);
                isc_safe_memwipe(&priv, sizeof(priv));
                return (ISC_R_SUCCESS);
@@ -1587,18 +983,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        rsa = RSA_new();
        if (rsa == NULL)
                DST_RET(ISC_R_NOMEMORY);
-       SET_FLAGS(rsa);
 
-#if USE_EVP
        pkey = EVP_PKEY_new();
        if (pkey == NULL)
                DST_RET(ISC_R_NOMEMORY);
        if (!EVP_PKEY_set1_RSA(pkey, rsa))
                DST_RET(ISC_R_FAILURE);
        key->keydata.pkey = pkey;
-#else
-       key->keydata.rsa = rsa;
-#endif
 
        for (i = 0; i < priv.nelements; i++) {
                BIGNUM *bn;
@@ -1665,17 +1056,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
        key->key_size = BN_num_bits(n);
        if (pubrsa != NULL)
                RSA_free(pubrsa);
-#if USE_EVP
        RSA_free(rsa);
-#endif
 
        return (ISC_R_SUCCESS);
 
  err:
-#if USE_EVP
        if (pkey != NULL)
                EVP_PKEY_free(pkey);
-#endif
        if (rsa != NULL)
                RSA_free(rsa);
        if (pubrsa != NULL)
@@ -1746,13 +1133,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
        if (pubrsa != NULL)
                RSA_free(pubrsa);
        key->key_size = EVP_PKEY_bits(pkey);
-#if USE_EVP
        key->keydata.pkey = pkey;
        RSA_free(rsa);
-#else
-       key->keydata.rsa = rsa;
-       EVP_PKEY_free(pkey);
-#endif
        return (ISC_R_SUCCESS);
 
  err:
@@ -1802,22 +1184,10 @@ isc_result_t
 dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) {
        REQUIRE(funcp != NULL);
 
+       UNUSED(algorithm);
+
        if (*funcp == NULL) {
-               switch (algorithm) {
-               case DST_ALG_RSASHA256:
-#if defined(HAVE_EVP_SHA256) || !USE_EVP
-                       *funcp = &opensslrsa_functions;
-#endif
-                       break;
-               case DST_ALG_RSASHA512:
-#if defined(HAVE_EVP_SHA512) || !USE_EVP
-                       *funcp = &opensslrsa_functions;
-#endif
-                       break;
-               default:
-                       *funcp = &opensslrsa_functions;
-                       break;
-               }
+               *funcp = &opensslrsa_functions;
        }
        return (ISC_R_SUCCESS);
 }
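Review bot: dst__opensslrsa_init now hands out `opensslrsa_functions` for every RSA algorithm unconditionally, which silently assumes the OpenSSL build provides EVP_sha256() and EVP_sha512(); the removed HAVE_EVP_SHA256/HAVE_EVP_SHA512 checks, together with the win32utils/Configure probes deleted further down, were the only place that assumption was captured. In OpenSSL 1.0.x those EVP functions are, as far as I recall, still guarded by OPENSSL_NO_SHA256/OPENSSL_NO_SHA512 in evp.h, so a trimmed library would now fail at link time instead of omitting the algorithm; that is probably acceptable given the 1.0.0 floor, but it deserves a comment next to `UNUSED(algorithm);`: `/* OpenSSL >= 1.0.0 always provides the SHA-2 EVP digests, so one function table serves every RSA variant. */`.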
index 9000a057d31ddf75cb85ccda8757de4493bcdbe7..48bc9344a4d661e116be1483d5520753875b2bd1 100644 (file)
@@ -1,6 +1,7 @@
 # ltsugar.m4 -- libtool m4 base layer.                         -*-Autoconf-*-
 #
-# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc.
+# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software
+# Foundation, Inc.
 # Written by Gary V. Vaughan, 2004
 #
 # This file is free software; the Free Software Foundation gives
@@ -33,7 +34,7 @@ m4_define([_lt_join],
 # ------------
 # Manipulate m4 lists.
 # These macros are necessary as long as will still need to support
-# Autoconf-2.59 which quotes differently.
+# Autoconf-2.59, which quotes differently.
 m4_define([lt_car], [[$1]])
 m4_define([lt_cdr],
 [m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])],
@@ -44,7 +45,7 @@ m4_define([lt_unquote], $1)
 
 # lt_append(MACRO-NAME, STRING, [SEPARATOR])
 # ------------------------------------------
-# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'.
+# Redefine MACRO-NAME to hold its former content plus 'SEPARATOR''STRING'.
 # Note that neither SEPARATOR nor STRING are expanded; they are appended
 # to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked).
 # No SEPARATOR is output if MACRO-NAME was previously undefined (different
index c573da90c5ccebffba4dce9a6462036bfa986d5f..c6b26f88f6c3c1a052afa6314ba2adf832d785ee 100644 (file)
@@ -1,6 +1,7 @@
 # lt~obsolete.m4 -- aclocal satisfying obsolete definitions.    -*-Autoconf-*-
 #
-#   Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc.
+#   Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software
+#   Foundation, Inc.
 #   Written by Scott James Remnant, 2004.
 #
 # This file is free software; the Free Software Foundation gives
@@ -11,7 +12,7 @@
 
 # These exist entirely to fool aclocal when bootstrapping libtool.
 #
-# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN)
+# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN),
 # which have later been changed to m4_define as they aren't part of the
 # exported API, or moved to Autoconf or Automake where they belong.
 #
@@ -25,7 +26,7 @@
 # included after everything else.  This provides aclocal with the
 # AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything
 # because those macros already exist, or will be overwritten later.
-# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. 
+# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6.
 #
 # Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here.
 # Yes, that means every name once taken will need to remain here until
index cf8cf891db3518a5e89cb23167d58e301d5b9b00..78cc6667067f90dece99b853a4684160c58d937b 100644 (file)
@@ -198,9 +198,6 @@ my @substdefh = ("AES_CC",
                  "DNS_RDATASET_FIXED",
                  "ENABLE_RPZ_NSDNAME",
                  "ENABLE_RPZ_NSIP",
-                 "HAVE_EVP_SHA256",
-                 "HAVE_EVP_SHA384",
-                 "HAVE_EVP_SHA512",
                  "HAVE_FIPS_MODE",
                  "HAVE_GEOIP",
                  "HAVE_GEOIP_CITY_V6",
@@ -1572,14 +1569,12 @@ if ($use_openssl eq "yes") {
 #include <openssl/opensslv.h>
 
 int main() {
-        if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL &&
-             OPENSSL_VERSION_NUMBER < 0x00908000L) ||
-             OPENSSL_VERSION_NUMBER >= 0x0090804fL)
+        if (OPENSSL_VERSION_NUMBER >= 0x10000000L) {
                 return (0);
+        }
         printf("\n\nFound   OPENSSL_VERSION_NUMBER %#010x\n",
                OPENSSL_VERSION_NUMBER);
-        printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
-               "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n");
+        printf("Require OPENSSL_VERSION_NUMBER 0x10000000L or greater (1.0.0)\n\n");
         return (1);
 }
 EOF
@@ -1624,108 +1619,6 @@ EOF
     }
 }
 
-# check EVP_sha256 / EVP_sha384 / EVP_sha512
-
-if ($use_openssl eq "yes") {
-    if ($verbose) {
-        printf "checking for EVP_sha256\n";
-    }
-    open F, ">testsha256.c" || die $!;
-    print F << 'EOF';
-extern void *EVP_sha256();
-
-int main() {
-        return EVP_sha256() != 0;
-}
-EOF
-    close F;
-    my $library = $configlib{"OPENSSL_LIB"};
-    $compret = `cl /nologo /MD testsha256.c "$library"`;
-    if (grep { -f and -x } ".\\testsha256.exe") {
-        `.\\testsha256.exe`;
-        if ($? == 0) {
-            if ($verbose) {
-                print "EVP_sha256 test failed: disabling EVP_sha256\n";
-            }
-            $use_ecdsa = "no";
-            $enable_openssl_hash = "no";
-        } else {
-            $configdefh{"HAVE_EVP_SHA256"} = 1;
-        }
-    } else {
-        if ($verbose) {
-            print "can't compile EVP_sha256 test: $compret\n";
-            print "disabling EVP_sha256\n";
-        }
-        $use_ecdsa = "no";
-        $enable_openssl_hash = "no";
-    }
-
-    if ($verbose) {
-        printf "checking for EVP_sha384\n";
-    }
-    open F, ">testsha384.c" || die $!;
-    print F << 'EOF';
-extern void *EVP_sha384();
-
-int main() {
-        return EVP_sha384() != 0;
-}
-EOF
-    close F;
-    $compret = `cl /nologo /MD testsha384.c "$library"`;
-    if (grep { -f and -x } ".\\testsha384.exe") {
-        `.\\testsha384.exe`;
-        if ($? == 0) {
-            if ($verbose) {
-                print "EVP_sha384 test failed: disabling EVP_sha384\n";
-            }
-            $use_ecdsa = "no";
-            $enable_openssl_hash = "no";
-        } else {
-            $configdefh{"HAVE_EVP_SHA384"} = 1;
-        }
-    } else {
-        if ($verbose) {
-            print "can't compile EVP_sha384 test: $compret\n";
-            print "disabling EVP_sha384\n";
-        }
-        $use_ecdsa = "no";
-        $enable_openssl_hash = "no";
-    }
-
-    if ($verbose) {
-        printf "checking for EVP_sha512\n";
-    }
-    open F, ">testsha512.c" || die $!;
-    print F << 'EOF';
-extern void *EVP_sha512();
-
-int main() {
-        return EVP_sha512() != 0;
-}
-EOF
-    close F;
-    $compret = `cl /nologo /MD testsha512.c "$library"`;
-    if (grep { -f and -x } ".\\testsha512.exe") {
-        `.\\testsha512.exe`;
-        if ($? == 0) {
-            if ($verbose) {
-                print "EVP_sha512 test failed: disabling EVP_sha512\n";
-            }
-            $use_eddsa = "no";
-        } else {
-            $configdefh{"HAVE_EVP_SHA512"} = 1;
-        }
-    } else {
-        if ($verbose) {
-            print "can't compile EVP_sha512 test: $compret\n";
-            print "disabling EVP_sha512\n";
-        }
-        $use_eddsa = "no";
-    }
-}
-
 # with-ecdsa
 if ($use_openssl eq "no") {
     $use_ecdsa = "no";