From: Aydın Mercan
Date: Wed, 14 Jan 2026 14:34:35 +0000 (+0300)
Subject: use isc_ossl_wrap to generate epheremal tls keys
X-Git-Tag: v9.21.18~2^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19c9053a6b7f582323770c74e61a53adc2d657c4;p=thirdparty%2Fbind9.git

use isc_ossl_wrap to generate epheremal tls keys
---

diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 68c9b495d55..9f1aa63969e 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -181,12 +181,6 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 	X509 *cert = NULL;
 	EVP_PKEY *pkey = NULL;
 	SSL_CTX *ctx = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-	EC_KEY *eckey = NULL;
-#else
-	EVP_PKEY_CTX *pkey_ctx = NULL;
-	EVP_PKEY *params_pkey = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 	char errbuf[256];
 	const SSL_METHOD *method = NULL;
@@ -208,79 +202,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 	SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
 	if (ephemeral) {
-		const int group_nid = NID_X9_62_prime256v1;
-
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-		eckey = EC_KEY_new_by_curve_name(group_nid);
-		if (eckey == NULL) {
-			goto ssl_error;
-		}
-
-		/* Generate the key. */
-		rv = EC_KEY_generate_key(eckey);
-		if (rv != 1) {
-			goto ssl_error;
-		}
-		pkey = EVP_PKEY_new();
-		if (pkey == NULL) {
-			goto ssl_error;
-		}
-		rv = EVP_PKEY_set1_EC_KEY(pkey, eckey);
-		if (rv != 1) {
+		if (isc_ossl_wrap_generate_p256_key(&pkey) != ISC_R_SUCCESS) {
 			goto ssl_error;
 		}
-		/* Use a named curve and uncompressed point conversion form. */
-		EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
-				     OPENSSL_EC_NAMED_CURVE);
-		EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
-				     POINT_CONVERSION_UNCOMPRESSED);
-
-		/* Cleanup */
-		EC_KEY_free(eckey);
-		eckey = NULL;
-#else
-		/* Generate the key's parameters. */
-		pkey_ctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL);
-		if (pkey_ctx == NULL) {
-			goto ssl_error;
-		}
-		rv = EVP_PKEY_paramgen_init(pkey_ctx);
-		if (rv != 1) {
-			goto ssl_error;
-		}
-		rv = EVP_PKEY_CTX_set_ec_paramgen_curve_nid(pkey_ctx,
-							    group_nid);
-		if (rv != 1) {
-			goto ssl_error;
-		}
-		rv = EVP_PKEY_paramgen(pkey_ctx, ¶ms_pkey);
-		if (rv != 1 || params_pkey == NULL) {
-			goto ssl_error;
-		}
-		EVP_PKEY_CTX_free(pkey_ctx);
-
-		/* Generate the key. */
-		pkey_ctx = EVP_PKEY_CTX_new(params_pkey, NULL);
-		if (pkey_ctx == NULL) {
-			goto ssl_error;
-		}
-		rv = EVP_PKEY_keygen_init(pkey_ctx);
-		if (rv != 1) {
-			goto ssl_error;
-		}
-		rv = EVP_PKEY_keygen(pkey_ctx, &pkey);
-		if (rv != 1 || pkey == NULL) {
-			goto ssl_error;
-		}
-
-		/* Cleanup */
-		EVP_PKEY_free(params_pkey);
-		params_pkey = NULL;
-		EVP_PKEY_CTX_free(pkey_ctx);
-		pkey_ctx = NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-
 		cert = X509_new();
 		if (cert == NULL) {
 			goto ssl_error;
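Review bot: The replacement call `isc_ossl_wrap_generate_p256_key(&pkey)` drops the named-curve ASN.1 flag and uncompressed point form that the removed pre-3.0 branch applied to the key before it goes into the certificate created by `X509_new()` just below, and nothing in the hunk says whether the wrapper applies them itself. If it does, a one-line comment at the call site would record that guarantee, e.g. `/* Wrapper yields a named-curve P-256 key with an uncompressed point, as the old EC_KEY path set explicitly. */`; if it does not, the public-key encoding in the ephemeral certificate on pre-3.0 builds may differ from before and should be checked. The wrapper must also leave `pkey` NULL (or a fully owned key) on failure, since the `ssl_error` path frees `pkey` whenever it is non-NULL, and it presumably needs to leave an OpenSSL error queued if that path fills `errbuf` from the error queue, which this hunk does not show. The enclosing isc_tlsctx_createserver() starts before and ends after this hunk.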
@@ -358,18 +283,6 @@ ssl_error:
 	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
-	if (eckey != NULL) {
-		EC_KEY_free(eckey);
-	}
-#else
-	if (params_pkey != NULL) {
-		EVP_PKEY_free(params_pkey);
-	}
-	if (pkey_ctx != NULL) {
-		EVP_PKEY_CTX_free(pkey_ctx);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 	return ISC_R_TLSERROR;
 }