From: Norbert Pocs
Date: Thu, 28 Aug 2025 14:11:10 +0000 (+0200)
Subject: apps/: Remove engines
X-Git-Tag: 4.0-PRE-CLANG-FORMAT-WEBKIT~79
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26b1723ed4be98657953b597ea4f8706748b2835;p=thirdparty%2Fopenssl.git

apps/: Remove engines

Signed-off-by: Norbert Pocs
Reviewed-by: Matt Caswell
Reviewed-by: Saša Nedvědický
Reviewed-by: Neil Horman
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Saša Nedvědický
Reviewed-by: Eugene Syromiatnikov
(Merged from https://github.com/openssl/openssl/pull/29305)
---
diff --git a/apps/ca.c b/apps/ca.c
index 3a5689ce5b4..d224ccaffa3 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -145,7 +145,7 @@ static int msie_hack = 0;
 typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_ENGINE, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
+ OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SUBJ, OPT_UTF8,
 OPT_CREATE_SERIAL, OPT_MULTIVALUE_RDN, OPT_STARTDATE, OPT_ENDDATE, OPT_DAYS, OPT_MD, OPT_POLICY, OPT_KEYFILE, OPT_KEYFORM, OPT_PASSIN, OPT_KEY, OPT_CERT, OPT_CERTFORM, OPT_SELFSIGN,
@@ -182,9 +182,6 @@ const OPTIONS ca_options[] = {
 {"ss_cert", OPT_SS_CERT, '<', "File contains a self signed cert to sign"},
 {"spkac", OPT_SPKAC, '<', "File contains DN and signed public key and challenge"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 OPT_SECTION("Configuration"),
 {"config", OPT_CONFIG, 's', "A config file"},
@@ -266,7 +263,6 @@ const OPTIONS ca_options[] = {
 int ca_main(int argc, char **argv)
 {
 CONF *conf = NULL;
- ENGINE *e = NULL;
 BIGNUM *crlnumber = NULL, *serial = NULL;
 EVP_PKEY *pkey = NULL;
 BIO *in = NULL, *out = NULL, *Sout = NULL;
@@ -500,9 +496,6 @@ opthelp:
 rev_arg = opt_arg();
 rev_type = (o - OPT_CRL_REASON) + REV_CRL_REASON;
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 }
 }
@@ -591,7 +584,7 @@ end_of_options:
 goto end;
 }
 }
- pkey = load_key(keyfile, keyformat, 0, passin, e, "CA private key");
+ pkey = load_key(keyfile, keyformat, 0, passin, "CA private key");
 cleanse(passin);
 if (pkey == NULL)
 /* load_key() has already printed an appropriate message */
@@ -1319,7 +1312,6 @@ end_of_options:
 X509_CRL_free(crl);
 NCONF_free(conf);
 NCONF_free(extfile_conf);
- release_engine(e);
 return ret;
 }
diff --git a/apps/cmp.c b/apps/cmp.c
index 627fac1a856..9e539262712 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -160,7 +160,6 @@ static int opt_crlform = FORMAT_ASN1;
 static char *opt_keyform_s = NULL;
 static int opt_keyform = FORMAT_UNDEF;
 static char *opt_otherpass = NULL;
-static char *opt_engine = NULL;
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 /* TLS connection */
@@ -264,9 +263,6 @@ typedef enum OPTION_choice {
 OPT_CERTFORM, OPT_CRLFORM, OPT_KEYFORM, OPT_OTHERPASS,
-#ifndef OPENSSL_NO_ENGINE
- OPT_ENGINE,
-#endif
 OPT_PROV_ENUM, OPT_R_ENUM,
@@ -500,12 +496,6 @@ const OPTIONS cmp_options[] = {
 "Format of the key input (ENGINE, other values ignored)"},
 {"otherpass", OPT_OTHERPASS, 's', "Pass phrase source potentially needed for loading certificates of others"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's',
- "Use crypto engine with given identifier, possibly a hardware device."},
- {OPT_MORE_STR, 0, 0,
- "Engines may also be defined in OpenSSL config file engine section."},
-#endif
 OPT_PROV_OPTIONS, OPT_R_OPTIONS,
@@ -678,9 +668,6 @@ static varref cmp_vars[] = { /* must be in same order as enumerated above! */
 {&opt_certform_s}, {&opt_crlform_s}, {&opt_keyform_s}, {&opt_otherpass},
-#ifndef OPENSSL_NO_ENGINE
- {&opt_engine},
-#endif
 #if !defined(OPENSSL_NO_SOCK) && !defined(OPENSSL_NO_HTTP)
 {(char **)&opt_tls_used}, {&opt_tls_cert}, {&opt_tls_key},
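Review bot: The `-keyform` help text kept as context in the cmp_options hunk, `"Format of the key input (ENGINE, other values ignored)"`, is now misleading: with `OPT_FMT_ENGINE` dropped from `FORMAT_OPTIONS` in `transform_opts()` an ENGINE format is no longer accepted, so the text describes a value the option now rejects. Suggest `"Format of the key input (DER/PEM/P12)"`, matching the wording this commit gives ec.c's `-inform` and the two format flags left in `FORMAT_OPTIONS`. apps/cms.c carries the same stale text, `"Input private key format (ENGINE, other values ignored)"`, as context in its cms_options hunk and should be reworded to the formats cms still accepts.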
@@ -768,10 +755,10 @@ static int set_verbosity(int level)
 }
 static EVP_PKEY *load_key_pwd(const char *uri, int format,
- const char *pass, ENGINE *eng, const char *desc)
+ const char *pass, const char *desc)
 {
 char *pass_string = get_passwd(pass, desc);
- EVP_PKEY *pkey = load_key(uri, format, 0, pass_string, eng, desc);
+ EVP_PKEY *pkey = load_key(uri, format, 0, pass_string, desc);
 clear_free(pass_string);
 return pkey;
@@ -1099,11 +1086,7 @@ static int transform_opts(void)
 return 0;
 }
-#ifndef OPENSSL_NO_ENGINE
-# define FORMAT_OPTIONS (OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_ENGINE)
-#else
-# define FORMAT_OPTIONS (OPT_FMT_PEMDER | OPT_FMT_PKCS12)
-#endif
+#define FORMAT_OPTIONS (OPT_FMT_PEMDER | OPT_FMT_PKCS12)
 if (opt_keyform_s != NULL && !opt_format(opt_keyform_s, FORMAT_OPTIONS, &opt_keyform)) {
@@ -1127,7 +1110,7 @@ static int transform_opts(void)
 return 1;
 }
-static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
+static OSSL_CMP_SRV_CTX *setup_srv_ctx(void)
 {
 OSSL_CMP_CTX *ctx; /* extra CMP (client) ctx partly used by server */
 OSSL_CMP_SRV_CTX *srv_ctx = ossl_cmp_mock_srv_new(app_get0_libctx(),
@@ -1180,7 +1163,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
 if (opt_srv_key != NULL) {
 EVP_PKEY *pkey = load_key_pwd(opt_srv_key, opt_keyform, opt_srv_keypass,
- engine, "private key for mock server cert");
+ "private key for mock server cert");
 if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) {
 EVP_PKEY_free(pkey);
@@ -1220,7 +1203,7 @@ static OSSL_CMP_SRV_CTX *setup_srv_ctx(ENGINE *engine)
 }
 if (opt_rsp_key != NULL) {
 EVP_PKEY *pkey = load_key_pwd(opt_rsp_key, opt_keyform,
- opt_rsp_keypass, engine,
+ opt_rsp_keypass,
 "private key for enrollment cert");
 if (pkey == NULL
@@ -1370,8 +1353,7 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
 * set up ssl_ctx for the OSSL_CMP_CTX based on options from config file/CLI.
 * Returns pointer on success, NULL on error
 */
-static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
- ENGINE *engine)
+static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host)
 {
 STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted(ctx);
 EVP_PKEY *pkey = NULL;
@@ -1477,7 +1459,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
 }
 pkey = load_key_pwd(opt_tls_key, opt_keyform, opt_tls_keypass,
- engine, "TLS client private key");
+ "TLS client private key");
 cleanse(opt_tls_keypass);
 if (pkey == NULL)
 goto err;
@@ -1526,7 +1508,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
 * file/CLI while parsing options and checking their consistency.
 * Returns 1 on success, 0 on error
 */
-static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
+static int setup_protection_ctx(OSSL_CMP_CTX *ctx)
 {
 if (!opt_unprotected_requests && opt_secret == NULL && opt_key == NULL) {
 CMP_err("must give -key or -secret unless -unprotected_requests is used");
@@ -1564,7 +1546,7 @@ static int setup_protection_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 return 0;
 if (opt_key != NULL) {
- EVP_PKEY *pkey = load_key_pwd(opt_key, opt_keyform, opt_keypass, engine,
+ EVP_PKEY *pkey = load_key_pwd(opt_key, opt_keyform, opt_keypass,
 "private key for CMP client certificate");
 if (pkey == NULL || !OSSL_CMP_CTX_set1_pkey(ctx, pkey)) {
@@ -1688,7 +1670,7 @@ static int set_fallback_pubkey(OSSL_CMP_CTX *ctx)
 * based on options from CLI and/or config file.
 * Returns 1 on success, 0 on error
 */
-static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
+static int setup_request_ctx(OSSL_CMP_CTX *ctx)
 {
 X509_REQ *csr = NULL;
 X509_EXTENSIONS *exts = NULL;
@@ -1870,14 +1852,14 @@ static int setup_request_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 BIO *bio_bak = bio_err;
 bio_err = NULL; /* suppress diagnostics on first try loading key */
- pkey = load_key_pwd(file, format, pass, engine, desc);
+ pkey = load_key_pwd(file, format, pass, desc);
 bio_err = bio_bak;
 if (pkey == NULL) {
 ERR_clear_error();
 desc = opt_csr == NULL ? "fallback public key for cert to be enrolled" : "public key for checking cert resulting from p10cr";
- pkey = load_pubkey(file, format, 0, pass, engine, desc);
+ pkey = load_pubkey(file, format, 0, pass, desc);
 priv = 0;
 }
@@ -2140,7 +2122,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
 * Prints reason for error to bio_err.
 * Returns 1 on success, 0 on error
 */
-static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
+static int setup_client_ctx(OSSL_CMP_CTX *ctx)
 {
 int ret = 0;
 char *host = NULL, *port = NULL, *path = NULL, *used_path = opt_path;
@@ -2299,7 +2281,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 goto err;
 APP_HTTP_TLS_INFO_free(OSSL_CMP_CTX_get_http_cb_arg(ctx));
 (void)OSSL_CMP_CTX_set_http_cb_arg(ctx, info);
- info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
+ info->ssl_ctx = setup_ssl_ctx(ctx, host);
 info->server = host;
 host = NULL; /* prevent deallocation */
 if ((info->port = OPENSSL_strdup(server_port)) == NULL)
@@ -2314,10 +2296,10 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
 }
 #endif
- if (!setup_protection_ctx(ctx, engine))
+ if (!setup_protection_ctx(ctx))
 goto err;
- if (!setup_request_ctx(ctx, engine))
+ if (!setup_request_ctx(ctx))
 goto err;
 if (!set_name(opt_recipient, OSSL_CMP_CTX_set1_recipient, ctx, "recipient")
@@ -3069,11 +3051,6 @@ static int get_opts(int argc, char **argv)
 case OPT_OTHERPASS:
 opt_otherpass = opt_str();
 break;
-#ifndef OPENSSL_NO_ENGINE
- case OPT_ENGINE:
- opt_engine = opt_str();
- break;
-#endif
 case OPT_PROV_CASES:
 if (!opt_provider(o))
 goto opthelp;
@@ -3606,7 +3583,6 @@ int cmp_main(int argc, char **argv)
 char *configfile = NULL;
 int i;
 X509 *newcert = NULL;
- ENGINE *engine = NULL;
 int ret = 0; /* default: failure */
 if (!handle_opts_upfront(argc, argv))
@@ -3672,15 +3648,6 @@ int cmp_main(int argc, char **argv)
 if (opt_batch)
 set_base_ui_method(UI_null());
- if (opt_engine != NULL) {
- engine = setup_engine_methods(opt_engine,
- 0 /* not: ENGINE_METHOD_ALL */, 0);
- if (engine == NULL) {
- CMP_err1("cannot load engine %s", opt_engine);
- goto err;
- }
- }
 OSSL_CMP_CTX_set_log_verbosity(cmp_ctx, opt_verbosity);
 if (!OSSL_CMP_CTX_set_log_cb(cmp_ctx, print_to_bio_out)) {
 CMP_err1("cannot set up error reporting and logging for %s", prog);
@@ -3740,7 +3707,7 @@ int cmp_main(int argc, char **argv)
 OSSL_CMP_SRV_CTX *srv_ctx;
 OSSL_CMP_CTX *srv_cmp_ctx;
- if ((srv_ctx = setup_srv_ctx(engine)) == NULL)
+ if ((srv_ctx = setup_srv_ctx()) == NULL)
 goto err;
 OSSL_CMP_CTX_set_transfer_cb_arg(cmp_ctx /* of client */, srv_ctx);
@@ -3791,7 +3758,7 @@ int cmp_main(int argc, char **argv)
 CMP_warn("-use_mock_srv option is not used if enough filenames given for -rspin");
 }
- if (!setup_client_ctx(cmp_ctx, engine)) {
+ if (!setup_client_ctx(cmp_ctx)) {
 CMP_err("cannot set up CMP context");
 goto err;
 }
@@ -3935,7 +3902,6 @@ int cmp_main(int argc, char **argv)
 #endif
 }
 X509_VERIFY_PARAM_free(vpm);
- release_engine(engine);
 NCONF_free(conf); /* must not do as long as opt_... variables are used */
 OSSL_CMP_log_close();
diff --git a/apps/cms.c b/apps/cms.c
index 7e2d6ba32a5..00349f0db10 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -89,7 +89,7 @@ typedef enum OPTION_choice {
 OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_CERTSOUT, OPT_MD, OPT_INKEY, OPT_KEYFORM, OPT_KEYOPT, OPT_RR_FROM, OPT_RR_TO, OPT_AES128_WRAP, OPT_AES192_WRAP, OPT_AES256_WRAP,
- OPT_3DES_WRAP, OPT_WRAP, OPT_ENGINE,
+ OPT_3DES_WRAP, OPT_WRAP,
 OPT_R_ENUM, OPT_PROV_ENUM, OPT_CONFIG, OPT_V_ENUM,
@@ -161,9 +161,6 @@ const OPTIONS cms_options[] = {
 {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
 {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-#endif
 OPT_PROV_OPTIONS, OPT_R_OPTIONS,
@@ -313,7 +310,6 @@ int cms_main(int argc, char **argv)
 BIO *in = NULL, *out = NULL, *indata = NULL, *rctin = NULL;
 CMS_ContentInfo *cms = NULL, *rcms = NULL;
 CMS_ReceiptRequest *rr = NULL;
- ENGINE *e = NULL;
 EVP_PKEY *key = NULL;
 EVP_CIPHER *cipher = NULL, *wrap_cipher = NULL, *kekcipher = NULL;
 EVP_MD *sign_md = NULL;
@@ -599,9 +595,6 @@ int cms_main(int argc, char **argv)
 goto opthelp;
 }
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_PASSIN:
 passinarg = opt_arg();
 break;
@@ -962,7 +955,7 @@ int cms_main(int argc, char **argv)
 }
 if (keyfile != NULL) {
- key = load_key(keyfile, keyform, 0, passin, e, "signing key");
+ key = load_key(keyfile, keyform, 0, passin, "signing key");
 if (key == NULL)
 goto end;
 }
@@ -1220,7 +1213,7 @@ int cms_main(int argc, char **argv)
 ret = 2;
 goto end;
 }
- key = load_key(keyfile, keyform, 0, passin, e, "signing key");
+ key = load_key(keyfile, keyform, 0, passin, "signing key");
 if (key == NULL) {
 ret = 2;
 goto end;
@@ -1439,7 +1432,6 @@ int cms_main(int argc, char **argv)
 EVP_MD_free(sign_md);
 CMS_ContentInfo_free(cms);
 CMS_ContentInfo_free(rcms);
- release_engine(e);
 BIO_free(rctin);
 BIO_free(in);
 BIO_free(indata);
diff --git a/apps/crl.c b/apps/crl.c
index 5f9c6296568..e0218334d1b 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -265,7 +265,7 @@ int crl_main(int argc, char **argv)
 newcrl = load_crl(crldiff, informat, 0, "other CRL");
 if (!newcrl)
 goto end;
- pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
+ pkey = load_key(keyfile, keyformat, 0, NULL, "CRL signing key");
 if (pkey == NULL) {
 X509_CRL_free(newcrl);
 goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 07fa5fe26d2..782ff6f8161 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -42,7 +42,7 @@ typedef enum OPTION_choice {
 OPT_COMMON, OPT_LIST, OPT_C, OPT_R, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
- OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
+ OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM,
 OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT, OPT_HMAC, OPT_HMAC_ENV, OPT_HMAC_STDIN, OPT_MAC, OPT_SIGOPT, OPT_MACOPT, OPT_XOFLEN, OPT_DIGEST,
@@ -55,11 +55,6 @@ const OPTIONS dgst_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
 {"list", OPT_LIST, '-', "List digests"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
- {"engine_impl", OPT_ENGINE_IMPL, '-',
- "Also use engine given by -engine for digest operations"},
-#endif
 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
 OPT_SECTION("Output"),
@@ -99,7 +94,6 @@ const OPTIONS dgst_options[] = {
 int dgst_main(int argc, char **argv)
 {
 BIO *in = NULL, *inp = NULL, *bmd = NULL, *out = NULL;
- ENGINE *e = NULL, *impl = NULL;
 EVP_PKEY *sigkey = NULL;
 STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
 char *hmac_key = NULL;
@@ -117,7 +111,6 @@ int dgst_main(int argc, char **argv)
 int i, ret = EXIT_FAILURE, out_bin = -1, want_pub = 0, do_verify = 0;
 int xoflen = 0;
 unsigned char *buf = NULL, *sigbuf = NULL;
- int engine_impl = 0;
 struct doall_dgst_digests dec;
 EVP_MD_CTX *signctx = NULL;
 int oneshot_sign = 0;
@@ -183,12 +176,6 @@ int dgst_main(int argc, char **argv)
 if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
 goto opthelp;
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
- case OPT_ENGINE_IMPL:
- engine_impl = 1;
- break;
 case OPT_HEX:
 out_bin = 0;
 break;
@@ -282,8 +269,6 @@ int dgst_main(int argc, char **argv)
 "No signature to verify: use the -signature option\n");
 goto end;
 }
- if (engine_impl)
- impl = e;
 in = BIO_new(BIO_s_file());
 bmd = BIO_new(BIO_f_md());
@@ -319,9 +304,9 @@ int dgst_main(int argc, char **argv)
 if (keyfile != NULL) {
 if (want_pub)
- sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
+ sigkey = load_pubkey(keyfile, keyform, 0, NULL, "public key");
 else
- sigkey = load_key(keyfile, keyform, 0, passin, e, "private key");
+ sigkey = load_key(keyfile, keyform, 0, passin, "private key");
 if (sigkey == NULL) {
 /*
 * load_[pub]key() has already printed an appropriate message
@@ -344,7 +329,7 @@ int dgst_main(int argc, char **argv)
 if (mac_name != NULL) {
 EVP_PKEY_CTX *mac_ctx = NULL;
- if (!init_gen_str(&mac_ctx, mac_name, impl, 0, NULL, NULL))
+ if (!init_gen_str(&mac_ctx, mac_name, 0, NULL, NULL))
 goto end;
 if (macopts != NULL) {
 for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
@@ -359,7 +344,6 @@ int dgst_main(int argc, char **argv)
 }
 sigkey = app_keygen(mac_ctx, mac_name, 0, 0 /* not verbose */);
- /* Verbose output would make external-tests gost-engine fail */
 EVP_PKEY_CTX_free(mac_ctx);
 if (sigkey == NULL)
 goto end;
@@ -370,7 +354,7 @@ int dgst_main(int argc, char **argv)
 md = (EVP_MD *)EVP_sha256();
 digestname = SN_sha256;
 }
- sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, impl,
+ sigkey = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
 (unsigned char *)hmac_key, strlen(hmac_key));
 if (sigkey == NULL
@@ -389,19 +373,13 @@ int dgst_main(int argc, char **argv)
 goto end;
 }
 if (do_verify)
- if (impl == NULL)
- res = EVP_DigestVerifyInit_ex(mctx, &pctx, digestname,
- app_get0_libctx(),
- app_get0_propq(), sigkey, NULL);
- else
- res = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
+ res = EVP_DigestVerifyInit_ex(mctx, &pctx, digestname,
+ app_get0_libctx(),
+ app_get0_propq(), sigkey, NULL);
 else
- if (impl == NULL)
- res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
- app_get0_libctx(),
- app_get0_propq(), sigkey, NULL);
- else
- res = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
+ res = EVP_DigestSignInit_ex(mctx, &pctx, digestname,
+ app_get0_libctx(),
+ app_get0_propq(), sigkey, NULL);
 if (res == 0) {
 BIO_printf(bio_err, "Error setting context\n");
 goto end;
@@ -432,7 +410,7 @@ int dgst_main(int argc, char **argv)
 }
 if (md == NULL)
 md = (EVP_MD *)EVP_sha256();
- if (!EVP_DigestInit_ex(mctx, md, impl)) {
+ if (!EVP_DigestInit_ex(mctx, md, NULL)) {
 BIO_printf(bio_err, "Error setting digest\n");
 goto end;
 }
@@ -534,7 +512,6 @@ int dgst_main(int argc, char **argv)
 sk_OPENSSL_STRING_pop_free(macopts, clear_free);
 OPENSSL_free(sigbuf);
 BIO_free(bmd);
- release_engine(e);
 return ret;
 }
diff --git a/apps/dhparam.c b/apps/dhparam.c
index 600b7ed2b5b..72fa6f0d9ab 100644
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -37,7 +37,7 @@ static int verbose = 1;
 typedef enum OPTION_choice {
 OPT_COMMON, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
- OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
+ OPT_CHECK, OPT_TEXT, OPT_NOOUT,
 OPT_DSAPARAM, OPT_2, OPT_3, OPT_5, OPT_VERBOSE, OPT_QUIET, OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
@@ -52,9 +52,6 @@ const OPTIONS dhparam_options[] = {
 {"dsaparam", OPT_DSAPARAM, '-', "Read or generate DSA parameters, convert to DH"},
 #endif
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-#endif
 OPT_SECTION("Input"),
 {"in", OPT_IN, '<', "Input file"},
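Review bot: With the `impl` branches gone, both initialisers in this hunk go through the libctx/propq-aware `_ex` variants, but the `-hmac` key created in the preceding hunk still uses the legacy NID/ENGINE entry point `EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, …)`, which takes neither `app_get0_libctx()` nor `app_get0_propq()`, so that key is not governed by the same provider selection as the sign/verify context it is then used in. Consider `sigkey = EVP_PKEY_new_raw_private_key_ex(app_get0_libctx(), "HMAC", app_get0_propq(), (unsigned char *)hmac_key, strlen(hmac_key));` so the whole path is consistent. The same NULL-ENGINE leftovers appear in `EVP_DigestInit_ex(mctx, md, NULL)` in the next hunk and in `EVP_CipherInit_ex(ctx, cipher, NULL, key, …)` in apps/enc.c, where `EVP_DigestInit_ex2(mctx, md, NULL)` and `EVP_CipherInit_ex2(ctx, cipher, key, …, enc, NULL)` are the forms without an ENGINE parameter. dgst_main begins and ends outside this hunk.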
@@ -85,7 +82,6 @@ int dhparam_main(int argc, char **argv)
 EVP_PKEY *pkey = NULL, *tmppkey = NULL;
 EVP_PKEY_CTX *ctx = NULL;
 char *infile = NULL, *outfile = NULL, *prog;
- ENGINE *e = NULL;
 int dsaparam = 0;
 int text = 0, ret = 1, num = 0, g = 0;
 int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
@@ -117,9 +113,6 @@ int dhparam_main(int argc, char **argv)
 case OPT_OUT:
 outfile = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_CHECK:
 check = 1;
 break;
@@ -362,7 +355,6 @@ int dhparam_main(int argc, char **argv)
 EVP_PKEY_free(pkey);
 EVP_PKEY_free(tmppkey);
 EVP_PKEY_CTX_free(ctx);
- release_engine(e);
 return ret;
 }
diff --git a/apps/dsa.c b/apps/dsa.c
index 9ba8c252daf..7ba3634d6d8 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -34,7 +34,7 @@ typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_ENGINE,
+ OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
 /* Do not change the order here; see case statements below */
 OPT_PVK_NONE, OPT_PVK_WEAK, OPT_PVK_STRONG, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
@@ -51,9 +51,6 @@ const OPTIONS dsa_options[] = {
 {"pvk-weak", OPT_PVK_WEAK, '-', "Enable 'Weak' PVK encoding level"},
 {"pvk-none", OPT_PVK_NONE, '-', "Don't enforce PVK encoding"},
 #endif
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-#endif
 OPT_SECTION("Input"),
 {"in", OPT_IN, 's', "Input key"},
@@ -77,7 +74,6 @@ const OPTIONS dsa_options[] = {
 int dsa_main(int argc, char **argv)
 {
 BIO *out = NULL;
- ENGINE *e = NULL;
 EVP_PKEY *pkey = NULL;
 EVP_CIPHER *enc = NULL;
 char *infile = NULL, *outfile = NULL, *prog;
@@ -120,9 +116,6 @@ int dsa_main(int argc, char **argv)
 case OPT_OUT:
 outfile = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_PASSIN:
 passinarg = opt_arg();
 break;
@@ -176,9 +169,9 @@ int dsa_main(int argc, char **argv)
 BIO_printf(bio_err, "read DSA key\n");
 if (pubin)
- pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
+ pkey = load_pubkey(infile, informat, 1, passin, "public key");
 else
- pkey = load_key(infile, informat, 1, passin, e, "private key");
+ pkey = load_key(infile, informat, 1, passin, "private key");
 if (pkey == NULL) {
 BIO_printf(bio_err, "unable to load Key\n");
@@ -300,7 +293,6 @@ int dsa_main(int argc, char **argv)
 BIO_free_all(out);
 EVP_PKEY_free(pkey);
 EVP_CIPHER_free(enc);
- release_engine(e);
 OPENSSL_free(passin);
 OPENSSL_free(passout);
 return ret;
diff --git a/apps/dsaparam.c b/apps/dsaparam.c
index 6cb0007aa3c..583224f56d4 100644
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -27,7 +27,7 @@ static int verbose = 0;
 typedef enum OPTION_choice {
 OPT_COMMON, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT,
- OPT_NOOUT, OPT_GENKEY, OPT_ENGINE, OPT_VERBOSE, OPT_QUIET,
+ OPT_NOOUT, OPT_GENKEY, OPT_VERBOSE, OPT_QUIET,
 OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
@@ -36,9 +36,6 @@ const OPTIONS dsaparam_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-#endif
 OPT_SECTION("Input"),
 {"in", OPT_IN, '<', "Input file"},
@@ -64,7 +61,6 @@ const OPTIONS dsaparam_options[] = {
 int dsaparam_main(int argc, char **argv)
 {
- ENGINE *e = NULL;
 BIO *out = NULL;
 EVP_PKEY *params = NULL, *pkey = NULL;
 EVP_PKEY_CTX *ctx = NULL;
@@ -100,9 +96,6 @@ int dsaparam_main(int argc, char **argv)
 case OPT_OUT:
 outfile = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_TEXT:
 text = 1;
 break;
@@ -253,6 +246,5 @@ int dsaparam_main(int argc, char **argv)
 EVP_PKEY_CTX_free(ctx);
 EVP_PKEY_free(pkey);
 EVP_PKEY_free(params);
- release_engine(e);
 return ret;
 }
diff --git a/apps/ec.c b/apps/ec.c
index 9f4d5fadea6..0d0cddfb29e 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -23,7 +23,7 @@ typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
+ OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
 OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER, OPT_NO_PUBLIC, OPT_CHECK, OPT_PROV_ENUM
@@ -32,13 +32,10 @@ typedef enum OPTION_choice {
 const OPTIONS ec_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 OPT_SECTION("Input"),
 {"in", OPT_IN, 's', "Input file"},
- {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"},
+ {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12)"},
 {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
 {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
 {"check", OPT_CHECK, '-', "check key consistency"},
@@ -68,7 +65,6 @@ int ec_main(int argc, char **argv)
 EVP_PKEY_CTX *pctx = NULL;
 EVP_PKEY *eckey = NULL;
 BIO *out = NULL;
- ENGINE *e = NULL;
 EVP_CIPHER *enc = NULL;
 char *infile = NULL, *outfile = NULL, *ciphername = NULL, *prog;
 char *passin = N
ULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
@@ -128,9 +124,6 @@ int ec_main(int argc, char **argv)
 case OPT_PASSOUT:
 passoutarg = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_CIPHER:
 ciphername = opt_unknown();
 break;
@@ -171,9 +164,9 @@ int ec_main(int argc, char **argv)
 }
 if (pubin)
- eckey = load_pubkey(infile, informat, 1, passin, e, "public key");
+ eckey = load_pubkey(infile, informat, 1, passin, "public key");
 else
- eckey = load_key(infile, informat, 1, passin, e, "private key");
+ eckey = load_key(infile, informat, 1, passin, "private key");
 if (eckey == NULL) {
 BIO_printf(bio_err, "unable to load Key\n");
@@ -278,7 +271,6 @@ end:
 OSSL_ENCODER_CTX_free(ectx);
 OSSL_DECODER_CTX_free(dctx);
 EVP_PKEY_CTX_free(pctx);
- release_engine(e);
 if (passin != NULL)
 OPENSSL_clear_free(passin, strlen(passin));
 if (passout != NULL)
diff --git a/apps/ecparam.c b/apps/ecparam.c
index b025e9bc750..f326105ec56 100644
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -25,7 +25,7 @@ typedef enum OPTION_choice {
 OPT_COMMON, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
- OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_ENGINE, OPT_CHECK_NAMED,
+ OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_CHECK_NAMED,
 OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
@@ -34,9 +34,6 @@ const OPTIONS ecparam_options[] = {
 {"help", OPT_HELP, '-', "Display this summary"},
 {"list_curves", OPT_LIST_CURVES, '-', "Prints a list of all curve 'short names'"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 {"genkey", OPT_GENKEY, '-', "Generate ec key"},
 {"in", OPT_IN, '<', "Input file - default stdin"},
@@ -95,7 +92,6 @@ int ecparam_main(int argc, char **argv)
 EVP_PKEY *params_key = NULL, *key = NULL;
 OSSL_ENCODER_CTX *ectx_key = NULL, *ectx_params = NULL;
 OSSL_DECODER_CTX *dctx_params = NULL;
- ENGINE *e = NULL;
 BIO *out = NULL;
 char *curve_name = NULL;
 char *asn1_encoding = NULL;
@@ -175,9 +171,6 @@ int ecparam_main(int argc, char **argv)
 if (!opt_provider(o))
 goto end;
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 }
 }
@@ -345,7 +338,6 @@ int ecparam_main(int argc, char **argv)
 end:
 if (ret != 0)
 ERR_print_errors(bio_err);
- release_engine(e);
 EVP_PKEY_free(params_key);
 EVP_PKEY_free(key);
 EVP_PKEY_CTX_free(pctx);
diff --git a/apps/enc.c b/apps/enc.c
index ab53e83c02d..15cc52847c2 100644
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -45,7 +45,7 @@ struct doall_enc_ciphers {
 typedef enum OPTION_choice {
 OPT_COMMON, OPT_LIST,
- OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
+ OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_D, OPT_P, OPT_V,
 OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A, OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE, OPT_UPPER_S, OPT_IV, OPT_MD, OPT_ITER, OPT_PBKDF2, OPT_CIPHER,
@@ -64,9 +64,6 @@ const OPTIONS enc_options[] = {
 {"d", OPT_D, '-', "Decrypt"},
 {"p", OPT_P, '-', "Print the iv/key"},
 {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 OPT_SECTION("Input"),
 {"in", OPT_IN, '<', "Input file"},
@@ -119,7 +116,6 @@ int enc_main(int argc, char **argv)
 {
 static char buf[128];
 static const char magic[] = "Salted__";
- ENGINE *e = NULL;
 BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio = NULL, *wbio = NULL;
 EVP_CIPHER_CTX *ctx = NULL;
@@ -211,9 +207,6 @@ int enc_main(int argc, char **argv)
 case OPT_PASS:
 passarg = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_D:
 enc = 0;
 break;
@@ -667,7 +660,7 @@ int enc_main(int argc, char **argv)
 EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
 if (rawkey_set) {
- if (!EVP_CipherInit_ex(ctx, cipher, e, key,
+ if (!EVP_CipherInit_ex(ctx, cipher, NULL, key,
 (hiv == NULL && wrap == 1 ? NULL : iv), enc)) {
 BIO_printf(bio_err, "Error setting cipher %s\n", EVP_CIPHER_get0_name(cipher));
@@ -792,7 +785,6 @@ int enc_main(int argc, char **argv)
 #endif
 BIO_free(bbrot);
 BIO_free(bzstd);
- release_engine(e);
 OPENSSL_free(pass);
 return ret;
 }
diff --git a/apps/gendsa.c b/apps/gendsa.c
index a655c6ea02b..fd9de9ecb61 100644
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -24,7 +24,7 @@ typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_CIPHER, OPT_VERBOSE, OPT_QUIET,
+ OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_VERBOSE, OPT_QUIET,
 OPT_R_ENUM, OPT_PROV_ENUM
 } OPTION_CHOICE;
@@ -33,9 +33,6 @@ const OPTIONS gendsa_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 OPT_SECTION("Output"),
 {"out", OPT_OUT, '>', "Output the key to the specified file"},
@@ -53,7 +50,6 @@ const OPTIONS gendsa_options[] = {
 int gendsa_main(int argc, char **argv)
 {
- ENGINE *e = NULL;
 BIO *out = NULL, *in = NULL;
 EVP_PKEY *pkey = NULL;
 EVP_PKEY_CTX *ctx = NULL;
@@ -82,9 +78,6 @@ int gendsa_main(int argc, char **argv)
 case OPT_PASSOUT:
 passoutarg = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_R_CASES:
 if (!opt_rand(o))
 goto end;
@@ -166,7 +159,6 @@ int gendsa_main(int argc, char **argv)
 EVP_PKEY_free(pkey);
 EVP_PKEY_CTX_free(ctx);
 EVP_CIPHER_free(enc);
- release_engine(e);
 OPENSSL_free(passout);
 return ret;
 }
diff --git a/apps/genpkey.c b/apps/genpkey.c
index 2dcca2ee888..f39388b1f8a 100644
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -17,11 +17,11 @@ static int verbose = 0;
-static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file,
 OSSL_LIB_CTX *libctx, const char *propq);
 typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
+ OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
 OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER, OPT_VERBOSE, OPT_QUIET, OPT_CONFIG, OPT_OUTPUBKEY, OPT_PROV_ENUM, OPT_R_ENUM
@@ -30,9 +30,6 @@ typedef enum OPTION_choice {
 const OPTIONS genpkey_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 {"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
 {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
 {"verbose", OPT_VERBOSE, '-', "Output status while generating keys"},
@@ -107,7 +104,6 @@ int genpkey_main(int argc, char **argv)
 {
 CONF *conf = NULL;
 BIO *mem_out = NULL, *mem_outpubkey = NULL;
- ENGINE *e = NULL;
 EVP_PKEY *pkey = NULL;
 EVP_PKEY_CTX *ctx = NULL;
 char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog, *p;
@@ -150,9 +146,6 @@ int genpkey_main(int argc, char **argv)
 case OPT_PASS:
 passarg = opt_arg();
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_PARAMFILE:
 if (do_param == 1)
 goto opthelp;
@@ -205,11 +198,11 @@ int genpkey_main(int argc, char **argv)
 /* Fetch cipher, etc. */
 if (paramfile != NULL) {
- if (!init_keygen_file(&ctx, paramfile, e, libctx, app_get0_propq()))
+ if (!init_keygen_file(&ctx, paramfile, libctx, app_get0_propq()))
 goto end;
 }
 if (algname != NULL) {
- if (!init_gen_str(&ctx, algname, e, do_param, libctx, app_get0_propq()))
+ if (!init_gen_str(&ctx, algname, do_param, libctx, app_get0_propq()))
 goto end;
 }
 if (ctx == NULL)
@@ -317,13 +310,12 @@ int genpkey_main(int argc, char **argv)
 EVP_CIPHER_free(cipher);
 BIO_free_all(mem_out);
 BIO_free_all(mem_outpubkey);
- release_engine(e);
 OPENSSL_free(pass);
 NCONF_free(conf);
 return ret;
 }
-static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file,
 OSSL_LIB_CTX *libctx, const char *propq)
 {
 BIO *pbio;
@@ -348,10 +340,7 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
 return 0;
 }
- if (e != NULL)
- ctx = EVP_PKEY_CTX_new(pkey, e);
- else
- ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
+ ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq);
 if (ctx == NULL)
 goto err;
 if (EVP_PKEY_keygen_init(ctx) <= 0)
@@ -370,26 +359,17 @@ static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e,
 }
 int init_gen_str(EVP_PKEY_CTX **pctx,
- const char *algname, ENGINE *e, int do_param,
+ const char *algname, int do_param,
 OSSL_LIB_CTX *libctx, const char *propq)
 {
 EVP_PKEY_CTX *ctx = NULL;
-#ifndef OPENSSL_NO_DEPRECATED_3_6
- int pkey_id;
-#endif
 if (*pctx) {
 BIO_puts(bio_err, "Algorithm already set!\n");
 return 0;
 }
-#ifndef OPENSSL_NO_DEPRECATED_3_6
- pkey_id = get_legacy_pkey_id(libctx, algname, e);
- if (pkey_id != NID_undef)
- ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
- else
-#endif
- ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
+ ctx = EVP_PKEY_CTX_new_from_name(libctx, algname, propq);
 if (ctx == NULL)
 goto err;
diff --git a/apps/genrsa.c b/apps/genrsa.c
index 54d025e24c2..5b022fd3a2e 100644
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -34,7 +34,7 @@ typedef enum OPTION_choice {
 #ifndef OPENSSL_NO_DEPRECATED_3_0
 OPT_3,
 #endif
- OPT_F4, OPT_ENGINE,
+ OPT_F4,
 OPT_OUT, OPT_PASSOUT, OPT_CIPHER, OPT_PRIMES, OPT_VERBOSE, OPT_QUIET, OPT_R_ENUM, OPT_PROV_ENUM, OPT_TRADITIONAL
 } OPTION_CHOICE;
@@ -44,9 +44,6 @@ const OPTIONS genrsa_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 OPT_SECTION("Input"),
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -76,7 +73,6 @@ const OPTIONS genrsa_options[] = {
 int genrsa_main(int argc, char **argv)
 {
 BN_GENCB *cb = BN_GENCB_new();
- ENGINE *eng = NULL;
 BIGNUM *bn = BN_new();
 BIO *out = NULL;
 EVP_PKEY *pkey = NULL;
@@ -116,9 +112,6 @@ opthelp: case OPT_OUT: outfile = opt_arg(); break; - case OPT_ENGINE: - eng = setup_engine(opt_arg(), 0); - break; case OPT_R_CASES: if (!opt_rand(o)) goto end; @@ -179,7 +172,7 @@ opthelp: if (out == NULL) goto end; - if (!init_gen_str(&ctx, "RSA", eng, 0, app_get0_libctx(), + if (!init_gen_str(&ctx, "RSA", 0, app_get0_libctx(), app_get0_propq())) goto end; @@ -242,7 +235,6 @@ opthelp: EVP_PKEY_free(pkey); EVP_CIPHER_free(enc); BIO_free_all(out); - release_engine(eng); OPENSSL_free(passout); if (ret != 0) ERR_print_errors(bio_err); diff --git a/apps/include/apps.h b/apps/include/apps.h index 58e92102362..236f3ea9980 100644 --- a/apps/include/apps.h +++ b/apps/include/apps.h @@ -35,7 +35,6 @@ # include "opt.h" # include "fmt.h" # include "platform.h" -# include "engine_loader.h" # include "app_libctx.h" /* @@ -129,10 +128,10 @@ X509_CRL *load_crl(const char *uri, int format, int maybe_stdin, void cleanse(char *str); void clear_free(char *str); EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *desc); + const char *pass, const char *desc); /* first try reading public key, on failure resort to loading private key */ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *desc); + const char *pass, const char *desc); EVP_PKEY *load_keyparams(const char *uri, int format, int maybe_stdin, const char *keytype, const char *desc); EVP_PKEY *load_keyparams_suppress(const char *uri, int format, int maybe_stdin, 
@@ -178,18 +177,9 @@ __owur int ctx_set_ctlog_list_file(SSL_CTX *ctx, const char *path); # endif -ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug); -# define setup_engine(e, debug) setup_engine_methods(e, (unsigned int)-1, debug) -void release_engine(ENGINE *e); -int init_engine(ENGINE *e); -int finish_engine(ENGINE *e); -char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc); - # ifndef OPENSSL_NO_DEPRECATED_3_6 int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e); # endif -const EVP_MD *get_digest_from_engine(const char *name); -const EVP_CIPHER *get_cipher_from_engine(const char *name); # ifndef OPENSSL_NO_OCSP OCSP_RESPONSE *process_responder(OCSP_REQUEST *req, const char *host, @@ -281,7 +271,7 @@ int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value); int x509_ctrl_string(X509 *x, const char *value); int x509_req_ctrl_string(X509_REQ *x, const char *value); int init_gen_str(EVP_PKEY_CTX **pctx, - const char *algname, ENGINE *e, int do_param, + const char *algname, int do_param, OSSL_LIB_CTX *libctx, const char *propq); int cert_matches_key(const X509 *cert, const EVP_PKEY *pkey); int do_X509_sign(X509 *x, int force_v1, EVP_PKEY *pkey, const char *md, diff --git a/apps/include/engine_loader.h b/apps/include/engine_loader.h deleted file mode 100644 index 30fdb9e5512..00000000000 --- a/apps/include/engine_loader.h +++ /dev/null 
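Review bot: The `get_legacy_pkey_id()` prototype kept under `# ifndef OPENSSL_NO_DEPRECATED_3_6` in this hunk now declares a function with no definition: this commit deletes apps/lib/engine.c, where it was defined, and removes its only visible call in `init_gen_str()` in apps/genpkey.c. Unless a definition exists somewhere outside this diff, the three lines `# ifndef OPENSSL_NO_DEPRECATED_3_6` / `int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e);` / `# endif` should be dropped as well, otherwise the next caller only discovers the problem as an unresolved symbol at link time. The declaration also still takes an `ENGINE *`, the type this series is removing from apps/, so keeping it contradicts the intent of the change.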
@@ -1,21 +0,0 @@ -/* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ -#ifndef HEADER_ENGINE_LOADER_H -# define HEADER_ENGINE_LOADER_H - -# include - -/* this is a private URI scheme */ -# define ENGINE_SCHEME "org.openssl.engine" -# define ENGINE_SCHEME_COLON ENGINE_SCHEME ":" - -int setup_engine_loader(void); -void destroy_engine_loader(void); - -#endif diff --git a/apps/include/opt.h b/apps/include/opt.h index d8d75182802..bca6072dd5a 100644 --- a/apps/include/opt.h +++ b/apps/include/opt.h @@ -383,11 +383,10 @@ typedef struct string_int_pair_st { # define OPT_FMT_ASN1 (OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64) # define OPT_FMT_PDE (OPT_FMT_PEMDER | OPT_FMT_ENGINE) # define OPT_FMT_PDS (OPT_FMT_PEMDER | OPT_FMT_SMIME) -# define OPT_FMT_ANY ( \ - OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64 | \ - OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ - OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NSS | \ - OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) +# define OPT_FMT_ANY (OPT_FMT_PEM | OPT_FMT_DER | OPT_FMT_B64 | \ + OPT_FMT_PKCS12 | OPT_FMT_SMIME | \ + OPT_FMT_MSBLOB | OPT_FMT_NSS | \ + OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK) /* Divide options into sections when displaying usage */ #define OPT_SECTION(sec) { OPT_SECTION_STR, 1, '-', sec " options:\n" } diff --git a/apps/info.c b/apps/info.c index 5a469eed969..b3115d11d9d 100644 --- a/apps/info.c +++ b/apps/info.c @@ -13,7 +13,7 @@ typedef enum OPTION_choice { OPT_COMMON, - OPT_CONFIGDIR, OPT_ENGINESDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP, + OPT_CONFIGDIR, OPT_MODULESDIR, OPT_DSOEXT, OPT_DIRNAMESEP, OPT_LISTSEP, OPT_SEEDS, OPT_CPUSETTINGS, OPT_WINDOWSCONTEXT } OPTION_CHOICE; 
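Review bot: `OPT_FMT_ANY` drops `OPT_FMT_ENGINE`, but the `OPT_FMT_PDE` definition two lines above is left as `(OPT_FMT_PEMDER | OPT_FMT_ENGINE)`, so options parsed with that mask (presumably the `'E'` option type, e.g. `-peerform` in apps/pkeyutl.c, whose help text now reads `(DER/PEM/P12)`) would still accept an `ENGINE` format value. That matters because `load_key()` and `load_pubkey()` in apps/lib/apps.c (hunk `@@ -558,41 +552,33 @@`) no longer special-case `FORMAT_ENGINE` and would hand such a request straight to `load_key_certs_crls()`, which has no way to report that engine support is gone. I would change the mask to `# define OPT_FMT_PDE (OPT_FMT_PEMDER)` (or retire `OPT_FMT_ENGINE` altogether if nothing else references it) and, as belt and braces, have `load_key()` reject `format == FORMAT_ENGINE` with an explicit message that engines are no longer supported.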
@@ -24,7 +24,6 @@ const OPTIONS info_options[] = { OPT_SECTION("Output"), {"configdir", OPT_CONFIGDIR, '-', "Default configuration file directory"}, - {"enginesdir", OPT_ENGINESDIR, '-', "Default engine module directory"}, {"modulesdir", OPT_MODULESDIR, '-', "Default module directory (other than engine modules)"}, {"dsoext", OPT_DSOEXT, '-', "Configured extension for modules"}, @@ -58,10 +57,6 @@ opthelp: type = OPENSSL_INFO_CONFIG_DIR; dirty++; break; - case OPT_ENGINESDIR: - type = OPENSSL_INFO_ENGINES_DIR; - dirty++; - break; case OPT_MODULESDIR: type = OPENSSL_INFO_MODULES_DIR; dirty++; diff --git a/apps/lib/apps.c b/apps/lib/apps.c index 8933565de15..e043829a103 100644 --- a/apps/lib/apps.c +++ b/apps/lib/apps.c @@ -15,12 +15,6 @@ # define _POSIX_C_SOURCE 2 #endif -#ifndef OPENSSL_NO_ENGINE -/* We need to use some deprecated APIs */ -# define OPENSSL_SUPPRESS_DEPRECATED -# include -#endif - #include #include #include 
@@ -558,41 +552,33 @@ void clear_free(char *str) } EVP_PKEY *load_key(const char *uri, int format, int may_stdin, - const char *pass, ENGINE *e, const char *desc) + const char *pass, const char *desc) { EVP_PKEY *pkey = NULL; - char *allocated_uri = NULL; if (desc == NULL) desc = "private key"; - if (format == FORMAT_ENGINE) - uri = allocated_uri = make_engine_uri(e, uri, desc); (void)load_key_certs_crls(uri, format, may_stdin, pass, desc, 0, &pkey, NULL, NULL, NULL, NULL, NULL, NULL); - OPENSSL_free(allocated_uri); return pkey; } /* first try reading public key, on failure resort to loading private key */ EVP_PKEY *load_pubkey(const char *uri, int format, int maybe_stdin, - const char *pass, ENGINE *e, const char *desc) + const char *pass, const char *desc) { EVP_PKEY *pkey = NULL; - char *allocated_uri = NULL; if (desc == NULL) desc = "public key"; - if (format == FORMAT_ENGINE) - uri = allocated_uri = make_engine_uri(e, uri, desc); (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, 1, NULL, &pkey, NULL, NULL, NULL, NULL, NULL); if (pkey == NULL) (void)load_key_certs_crls(uri, format, maybe_stdin, pass, desc, 0, &pkey, NULL, NULL, NULL, NULL, NULL, NULL); - OPENSSL_free(allocated_uri); return pkey; } diff --git a/apps/lib/build.info b/apps/lib/build.info index f0df6087340..a781117264e 100644 --- a/apps/lib/build.info +++ b/apps/lib/build.info @@ -10,7 +10,7 @@ ENDIF # Source for libapps $LIBAPPSSRC=apps.c apps_ui.c log.c opt.c fmt.c s_cb.c s_socket.c app_rand.c \ columns.c app_params.c names.c app_provider.c app_x509.c http_server.c \ - engine.c engine_loader.c app_libctx.c apps_opt_printf.c + app_libctx.c apps_opt_printf.c IF[{- !$disabled{apps} -}] LIBS{noinst}=../libapps.a diff --git a/apps/lib/engine.c b/apps/lib/engine.c deleted file mode 100644 index 5d9b408c7b2..00000000000 --- a/apps/lib/engine.c +++ /dev/null 
@@ -1,195 +0,0 @@ -/* - * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * Here is a set of wrappers for the ENGINE API, which are no-ops when the - * ENGINE API is disabled / removed. - * We need to suppress deprecation warnings to make this work. - */ -#define OPENSSL_SUPPRESS_DEPRECATED - -#include /* strcmp */ - -#include /* Ensure we have the ENGINE type, regardless */ -#include -#ifndef OPENSSL_NO_ENGINE -# include -#endif -#include "apps.h" - -#ifndef OPENSSL_NO_ENGINE -/* Try to load an engine in a shareable library */ -static ENGINE *try_load_engine(const char *engine) -{ - ENGINE *e = NULL; - - if ((e = ENGINE_by_id("dynamic")) != NULL) { - if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0) - || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) { - ENGINE_free(e); - e = NULL; - } - } - return e; -} -#endif - -ENGINE *setup_engine_methods(const char *id, unsigned int methods, int debug) -{ - ENGINE *e = NULL; - -#ifndef OPENSSL_NO_ENGINE - if (id != NULL) { - if (strcmp(id, "auto") == 0) { - BIO_printf(bio_err, "Enabling auto ENGINE support\n"); - ENGINE_register_all_complete(); - return NULL; - } - if ((e = ENGINE_by_id(id)) == NULL - && (e = try_load_engine(id)) == NULL) { - BIO_printf(bio_err, "Invalid engine \"%s\"\n", id); - ERR_print_errors(bio_err); - return NULL; - } - if (debug) - (void)ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM, 0, bio_err, 0); - if (!ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, - (void *)get_ui_method(), 0, 1) - || !ENGINE_set_default(e, methods)) { - BIO_printf(bio_err, "Cannot use engine \"%s\"\n", ENGINE_get_id(e)); - ERR_print_errors(bio_err); - ENGINE_free(e); - return NULL; - } - - BIO_printf(bio_err, "Engine \"%s\" set.\n", 
ENGINE_get_id(e)); - } -#endif - return e; -} - -void release_engine(ENGINE *e) -{ -#ifndef OPENSSL_NO_ENGINE - /* Free our "structural" reference. */ - ENGINE_free(e); -#endif -} - -int init_engine(ENGINE *e) -{ - int rv = 1; - -#ifndef OPENSSL_NO_ENGINE - rv = ENGINE_init(e); -#endif - return rv; -} - -int finish_engine(ENGINE *e) -{ - int rv = 1; - -#ifndef OPENSSL_NO_ENGINE - rv = ENGINE_finish(e); -#endif - return rv; -} - -char *make_engine_uri(ENGINE *e, const char *key_id, const char *desc) -{ - char *new_uri = NULL; - -#ifndef OPENSSL_NO_ENGINE - if (e == NULL) { - BIO_printf(bio_err, "No engine specified for loading %s\n", desc); - } else if (key_id == NULL) { - BIO_printf(bio_err, "No engine key id specified for loading %s\n", desc); - } else { - const char *engineid = ENGINE_get_id(e); - size_t uri_sz = - sizeof(ENGINE_SCHEME_COLON) - 1 - + strlen(engineid) - + 1 /* : */ - + strlen(key_id) - + 1 /* \0 */ - ; - - new_uri = OPENSSL_malloc(uri_sz); - if (new_uri != NULL) { - OPENSSL_strlcpy(new_uri, ENGINE_SCHEME_COLON, uri_sz); - OPENSSL_strlcat(new_uri, engineid, uri_sz); - OPENSSL_strlcat(new_uri, ":", uri_sz); - OPENSSL_strlcat(new_uri, key_id, uri_sz); - } - } -#else - BIO_printf(bio_err, "Engines not supported for loading %s\n", desc); -#endif - return new_uri; -} - -#ifndef OPENSSL_NO_DEPRECATED_3_6 -int get_legacy_pkey_id(OSSL_LIB_CTX *libctx, const char *algname, ENGINE *e) -{ - const EVP_PKEY_ASN1_METHOD *ameth; - ENGINE *tmpeng = NULL; - int pkey_id = NID_undef; - - ERR_set_mark(); - ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1); - -#if !defined(OPENSSL_NO_ENGINE) - ENGINE_finish(tmpeng); - - if (ameth == NULL && e != NULL) - ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1); - else -#endif - /* We're only interested if it comes from an ENGINE */ - if (tmpeng == NULL) - ameth = NULL; - - ERR_pop_to_mark(); - if (ameth == NULL) - return NID_undef; - - EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth); - - return pkey_id; 
-} -#endif - -const EVP_MD *get_digest_from_engine(const char *name) -{ -#ifndef OPENSSL_NO_ENGINE - ENGINE *eng; - - eng = ENGINE_get_digest_engine(OBJ_sn2nid(name)); - if (eng != NULL) { - ENGINE_finish(eng); - return EVP_get_digestbyname(name); - } -#endif - return NULL; -} - -const EVP_CIPHER *get_cipher_from_engine(const char *name) -{ -#ifndef OPENSSL_NO_ENGINE - ENGINE *eng; - - eng = ENGINE_get_cipher_engine(OBJ_sn2nid(name)); - if (eng != NULL) { - ENGINE_finish(eng); - return EVP_get_cipherbyname(name); - } -#endif - return NULL; -} diff --git a/apps/lib/engine_loader.c b/apps/lib/engine_loader.c deleted file mode 100644 index e0f26f614af..00000000000 --- a/apps/lib/engine_loader.c +++ /dev/null 
@@ -1,202 +0,0 @@ -/* - * Copyright 2018-2022 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * Here is an STORE loader for ENGINE backed keys. It relies on deprecated - * functions, and therefore need to have deprecation warnings suppressed. - * This file is not compiled at all in a '--api=3 no-deprecated' configuration. - */ -#define OPENSSL_SUPPRESS_DEPRECATED - -#include "internal/e_os.h" -#include "apps.h" - -#ifndef OPENSSL_NO_ENGINE - -# include -# include -# include -# include - -/* - * Support for legacy private engine keys via the 'org.openssl.engine:' scheme - * - * org.openssl.engine:{engineid}:{keyid} - * - * Note: we ONLY support ENGINE_load_private_key() and ENGINE_load_public_key() - * Note 2: This scheme has a precedent in code in PKIX-SSH. for exactly - * this sort of purpose. 
- */ - -/* Local definition of OSSL_STORE_LOADER_CTX */ -struct ossl_store_loader_ctx_st { - ENGINE *e; /* Structural reference */ - char *keyid; - int expected; - int loaded; /* 0 = key not loaded yet, 1 = key loaded */ -}; - -static OSSL_STORE_LOADER_CTX *OSSL_STORE_LOADER_CTX_new(ENGINE *e, char *keyid) -{ - OSSL_STORE_LOADER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx)); - - if (ctx != NULL) { - ctx->e = e; - ctx->keyid = keyid; - } - return ctx; -} - -static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx) -{ - if (ctx != NULL) { - ENGINE_free(ctx->e); - OPENSSL_free(ctx->keyid); - OPENSSL_free(ctx); - } -} - -static OSSL_STORE_LOADER_CTX *engine_open(const OSSL_STORE_LOADER *loader, - const char *uri, - const UI_METHOD *ui_method, - void *ui_data) -{ - const char *p = uri, *q; - ENGINE *e = NULL; - char *keyid = NULL; - OSSL_STORE_LOADER_CTX *ctx = NULL; - - if (!CHECK_AND_SKIP_CASE_PREFIX(p, ENGINE_SCHEME_COLON)) - return NULL; - - /* Look for engine ID */ - q = strchr(p, ':'); - if (q != NULL /* There is both an engine ID and a key ID */ - && p[0] != ':' /* The engine ID is at least one character */ - && q[1] != '\0') { /* The key ID is at least one character */ - char engineid[256]; - size_t engineid_l = q - p; - - strncpy(engineid, p, engineid_l); - engineid[engineid_l] = '\0'; - e = ENGINE_by_id(engineid); - - keyid = OPENSSL_strdup(q + 1); - } - - if (e != NULL && keyid != NULL) - ctx = OSSL_STORE_LOADER_CTX_new(e, keyid); - - if (ctx == NULL) { - OPENSSL_free(keyid); - ENGINE_free(e); - } - - return ctx; -} - -static int engine_expect(OSSL_STORE_LOADER_CTX *ctx, int expected) -{ - if (expected == 0 - || expected == OSSL_STORE_INFO_PUBKEY - || expected == OSSL_STORE_INFO_PKEY) { - ctx->expected = expected; - return 1; - } - return 0; -} - -static OSSL_STORE_INFO *engine_load(OSSL_STORE_LOADER_CTX *ctx, - const UI_METHOD *ui_method, void *ui_data) -{ - EVP_PKEY *pkey = NULL, *pubkey = NULL; - OSSL_STORE_INFO *info = NULL; - - if (ctx->loaded == 0) { 
- if (ENGINE_init(ctx->e)) { - if (ctx->expected == 0 - || ctx->expected == OSSL_STORE_INFO_PKEY) - pkey = - ENGINE_load_private_key(ctx->e, ctx->keyid, - (UI_METHOD *)ui_method, ui_data); - if ((pkey == NULL && ctx->expected == 0) - || ctx->expected == OSSL_STORE_INFO_PUBKEY) - pubkey = - ENGINE_load_public_key(ctx->e, ctx->keyid, - (UI_METHOD *)ui_method, ui_data); - ENGINE_finish(ctx->e); - } - } - - ctx->loaded = 1; - - if (pubkey != NULL) - info = OSSL_STORE_INFO_new_PUBKEY(pubkey); - else if (pkey != NULL) - info = OSSL_STORE_INFO_new_PKEY(pkey); - if (info == NULL) { - EVP_PKEY_free(pkey); - EVP_PKEY_free(pubkey); - } - return info; -} - -static int engine_eof(OSSL_STORE_LOADER_CTX *ctx) -{ - return ctx->loaded != 0; -} - -static int engine_error(OSSL_STORE_LOADER_CTX *ctx) -{ - return 0; -} - -static int engine_close(OSSL_STORE_LOADER_CTX *ctx) -{ - OSSL_STORE_LOADER_CTX_free(ctx); - return 1; -} - -int setup_engine_loader(void) -{ - OSSL_STORE_LOADER *loader = NULL; - - if ((loader = OSSL_STORE_LOADER_new(NULL, ENGINE_SCHEME)) == NULL - || !OSSL_STORE_LOADER_set_open(loader, engine_open) - || !OSSL_STORE_LOADER_set_expect(loader, engine_expect) - || !OSSL_STORE_LOADER_set_load(loader, engine_load) - || !OSSL_STORE_LOADER_set_eof(loader, engine_eof) - || !OSSL_STORE_LOADER_set_error(loader, engine_error) - || !OSSL_STORE_LOADER_set_close(loader, engine_close) - || !OSSL_STORE_register_loader(loader)) { - OSSL_STORE_LOADER_free(loader); - loader = NULL; - } - - return loader != NULL; -} - -void destroy_engine_loader(void) -{ - OSSL_STORE_LOADER *loader = OSSL_STORE_unregister_loader(ENGINE_SCHEME); - OSSL_STORE_LOADER_free(loader); -} - -#else /* !OPENSSL_NO_ENGINE */ - -int setup_engine_loader(void) -{ - return 0; -} - -void destroy_engine_loader(void) -{ -} - -#endif diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index b567b179b68..c4fa5d9d8a2 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c 
@@ -1126,10 +1126,10 @@ int load_excert(SSL_EXCERT **pexc) return 0; if (exc->keyfile != NULL) { exc->key = load_key(exc->keyfile, exc->keyform, - 0, NULL, NULL, "server key"); + 0, NULL, "server key"); } else { exc->key = load_key(exc->certfile, exc->certform, - 0, NULL, NULL, "server key"); + 0, NULL, "server key"); } if (exc->key == NULL) return 0; diff --git a/apps/list.c b/apps/list.c index 2aeedbbda89..9e3e65e77d4 100644 --- a/apps/list.c +++ b/apps/list.c @@ -1181,7 +1181,7 @@ static int is_md_available(const char *name) return 1; } - return propq != NULL || get_digest_from_engine(name) == NULL ? 0 : 1; + return 0; } static int is_cipher_available(const char *name) @@ -1198,7 +1198,7 @@ static int is_cipher_available(const char *name) return 1; } - return propq != NULL || get_cipher_from_engine(name) == NULL ? 0 : 1; + return 0; } static void list_type(FUNC_TYPE ft, int one) @@ -1443,24 +1443,6 @@ static void list_provider_info(void) sk_OSSL_PROVIDER_free(providers); } -#ifndef OPENSSL_NO_DEPRECATED_3_0 -static void list_engines(void) -{ -# ifndef OPENSSL_NO_ENGINE - ENGINE *e; - - BIO_puts(bio_out, "Engines:\n"); - e = ENGINE_get_first(); - while (e) { - BIO_printf(bio_out, "%s\n", ENGINE_get_id(e)); - e = ENGINE_get_next(e); - } -# else - BIO_puts(bio_out, "Engine support is disabled.\n"); -# endif -} -#endif - static void list_disabled(void) { BIO_puts(bio_out, "Disabled algorithms:\n"); @@ -1521,9 +1503,6 @@ static void list_disabled(void) #ifdef OPENSSL_NO_EC2M BIO_puts(bio_out, "EC2M\n"); #endif -#if defined(OPENSSL_NO_ENGINE) && !defined(OPENSSL_NO_DEPRECATED_3_0) - BIO_puts(bio_out, "ENGINE\n"); -#endif #ifdef OPENSSL_NO_GOST BIO_puts(bio_out, "GOST\n"); #endif @@ -1639,9 +1618,6 @@ typedef enum HELPLIST_CHOICE { # if !defined(OPENSSL_NO_TLS1_3) OPT_TLS1_3, # endif -#endif -#ifndef OPENSSL_NO_DEPRECATED_3_0 - OPT_ENGINES, #endif OPT_PROV_ENUM } HELPLIST_CHOICE; 
@@ -1714,10 +1690,6 @@ const OPTIONS list_options[] = { #endif {"providers", OPT_PROVIDER_INFO, '-', "List of provider information"}, -#ifndef OPENSSL_NO_DEPRECATED_3_0 - {"engines", OPT_ENGINES, '-', - "List of loaded engines"}, -#endif {"disabled", OPT_DISABLED, '-', "List of disabled features"}, {"options", OPT_OPTIONS, 's', "List options for specified command"}, @@ -1767,9 +1739,6 @@ int list_main(int argc, char **argv) unsigned int pk_method:1; unsigned int store_loaders:1; unsigned int provider_info:1; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - unsigned int engines:1; -#endif unsigned int disabled:1; unsigned int objects:1; unsigned int options:1; @@ -1879,11 +1848,6 @@ opthelp: case OPT_PROVIDER_INFO: todo.provider_info = 1; break; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - case OPT_ENGINES: - todo.engines = 1; - break; -#endif case OPT_DISABLED: todo.disabled = 1; break; @@ -1997,10 +1961,6 @@ opthelp: MAYBE_ADD_NL(list_store_loaders()); if (todo.provider_info) MAYBE_ADD_NL(list_provider_info()); -#ifndef OPENSSL_NO_DEPRECATED_3_0 - if (todo.engines) - MAYBE_ADD_NL(list_engines()); -#endif if (todo.disabled) MAYBE_ADD_NL(list_disabled()); if (todo.objects) diff --git a/apps/ocsp.c b/apps/ocsp.c index 4769880fc69..e187582152b 100644 --- a/apps/ocsp.c +++ b/apps/ocsp.c @@ -598,7 +598,7 @@ int ocsp_main(int argc, char **argv) BIO_printf(bio_err, "Error getting password\n"); goto end; } - rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, NULL, + rkey = load_key(rkeyfile, FORMAT_UNDEF, 0, passin, "responder private key"); if (rkey == NULL) goto end; @@ -694,7 +694,7 @@ redo_accept: "signer certificates")) goto end; } - key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, NULL, + key = load_key(keyfile, FORMAT_UNDEF, 0, NULL, "signer private key"); if (key == NULL) goto end; diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index 768291e4ee8..9c02c1c7ec3 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf 
@@ -311,7 +311,6 @@ default_tsa = tsa_config1 # the default TSA section # These are used by the TSA reply generation only. dir = sys\$disk:[.demoCA # TSA root directory serial = $dir]tsaserial. # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate # (optional) certs = $dir.cacert.pem] # Certificate chain to include in reply diff --git a/apps/openssl.c b/apps/openssl.c index cc9932ca430..b7f2f9982a2 100644 --- a/apps/openssl.c +++ b/apps/openssl.c @@ -20,9 +20,6 @@ #include #include #include -#ifndef OPENSSL_NO_ENGINE -# include -#endif #include /* Needed to get the other O_xxx flags. */ #ifdef OPENSSL_SYS_VMS @@ -65,12 +62,10 @@ static int apps_startup(void) #endif /* Set non-default library initialisation settings */ - if (!OPENSSL_init_ssl(OPENSSL_INIT_ENGINE_ALL_BUILTIN - | OPENSSL_INIT_LOAD_CONFIG, NULL)) + if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL)) return 0; (void)setup_ui_method(); - (void)setup_engine_loader(); /* * NOTE: This is an undocumented feature required for testing only. @@ -92,7 +87,6 @@ static void apps_shutdown(void) { app_providers_cleanup(); OSSL_LIB_CTX_free(app_get0_libctx()); - destroy_engine_loader(); destroy_ui_method(); } diff --git a/apps/openssl.cnf b/apps/openssl.cnf index abace0ea7f1..4db6a549b1f 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -311,7 +311,6 @@ default_tsa = tsa_config1 # the default TSA section # These are used by the TSA reply generation only. dir = ./demoCA # TSA root directory serial = $dir/tsaserial # The current serial number (mandatory) -crypto_device = builtin # OpenSSL engine to use for signing signer_cert = $dir/tsacert.pem # The TSA signing certificate # (optional) certs = $dir/cacert.pem # Certificate chain to include in reply diff --git a/apps/pkcs12.c b/apps/pkcs12.c index 9964faf21aa..7620edd69ab 100644 --- a/apps/pkcs12.c +++ b/apps/pkcs12.c 
@@ -69,7 +69,7 @@ typedef enum OPTION_choice { OPT_INKEY, OPT_CERTFILE, OPT_UNTRUSTED, OPT_PASSCERTS, OPT_NAME, OPT_CSP, OPT_CANAME, OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, - OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, + OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, OPT_PBMAC1_PBKDF2, OPT_PBMAC1_PBKDF2_MD, #ifndef OPENSSL_NO_DES OPT_LEGACY_ALG @@ -96,9 +96,6 @@ const OPTIONS pkcs12_options[] = { "Use legacy encryption: 3DES_CBC for keys, RC2_CBC for certs" # endif }, -#endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif OPT_PROV_OPTIONS, OPT_R_OPTIONS, @@ -183,7 +180,6 @@ int pkcs12_main(int argc, char **argv) char *cpass = NULL, *mpass = NULL, *badpass = NULL; const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL, *prog; int noCApath = 0, noCAfile = 0, noCAstore = 0; - ENGINE *e = NULL; BIO *in = NULL, *out = NULL; PKCS12 *p12 = NULL; STACK_OF(OPENSSL_STRING) *canames = NULL; @@ -364,9 +360,6 @@ int pkcs12_main(int argc, char **argv) case OPT_NOCAFILE: noCAfile = 1; break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; #ifndef OPENSSL_NO_DES case OPT_LEGACY_ALG: use_legacy = 1; @@ -557,7 +550,7 @@ int pkcs12_main(int argc, char **argv) if (!(options & NOKEYS)) { key = load_key(keyname ? keyname : infile, - FORMAT_PEM, 1, passin, e, + FORMAT_PEM, 1, passin, keyname ? "private key from -inkey file" : "private key from -in file"); @@ -904,7 +897,6 @@ int pkcs12_main(int argc, char **argv) ret = 0; end: PKCS12_free(p12); - release_engine(e); BIO_free(in); BIO_free_all(out); sk_OPENSSL_STRING_free(canames); diff --git a/apps/pkcs7.c b/apps/pkcs7.c index 57cb517b178..90659334b83 100644 --- a/apps/pkcs7.c +++ b/apps/pkcs7.c 
@@ -24,15 +24,12 @@ typedef enum OPTION_choice { OPT_COMMON, OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT, OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_QUIET, - OPT_ENGINE, OPT_PROV_ENUM + OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkcs7_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, @@ -55,7 +52,6 @@ const OPTIONS pkcs7_options[] = { int pkcs7_main(int argc, char **argv) { - ENGINE *e = NULL; PKCS7 *p7 = NULL, *p7i; BIO *in = NULL, *out = NULL; int informat = FORMAT_PEM, outformat = FORMAT_PEM; @@ -105,9 +101,6 @@ int pkcs7_main(int argc, char **argv) case OPT_QUIET: quiet = 1; break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_PROV_CASES: if (!opt_provider(o)) goto end; @@ -217,7 +210,6 @@ int pkcs7_main(int argc, char **argv) ret = 0; end: PKCS7_free(p7); - release_engine(e); BIO_free(in); BIO_free_all(out); return ret; diff --git a/apps/pkcs8.c b/apps/pkcs8.c index 4ba81fe08b8..4876ce502a8 100644 --- a/apps/pkcs8.c +++ b/apps/pkcs8.c @@ -22,7 +22,7 @@ typedef enum OPTION_choice { OPT_COMMON, - OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, #ifndef OPENSSL_NO_SCRYPT OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P, @@ -36,9 +36,6 @@ typedef enum OPTION_choice { const OPTIONS pkcs8_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"}, {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"}, {"v2prf", OPT_V2PRF, 's', "Set the PRF algorithm to use with PKCS#5 v2.0"}, 
@@ -75,7 +72,6 @@ const OPTIONS pkcs8_options[] = { int pkcs8_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; - ENGINE *e = NULL; EVP_PKEY *pkey = NULL; PKCS8_PRIV_KEY_INFO *p8inf = NULL; X509_SIG *p8 = NULL; @@ -171,9 +167,6 @@ int pkcs8_main(int argc, char **argv) case OPT_PASSOUT: passoutarg = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; #ifndef OPENSSL_NO_SCRYPT case OPT_SCRYPT: scrypt_N = 16384; @@ -229,7 +222,7 @@ int pkcs8_main(int argc, char **argv) goto end; if (topk8) { - pkey = load_key(infile, informat, 1, passin, e, "key"); + pkey = load_key(infile, informat, 1, passin, "key"); if (pkey == NULL) goto end; if ((p8inf = EVP_PKEY2PKCS8(pkey)) == NULL) { @@ -382,7 +375,6 @@ int pkcs8_main(int argc, char **argv) PKCS8_PRIV_KEY_INFO_free(p8inf); EVP_PKEY_free(pkey); EVP_CIPHER_free(cipher); - release_engine(e); BIO_free_all(out); BIO_free(in); OPENSSL_free(passin); diff --git a/apps/pkey.c b/apps/pkey.c index a876326e2b7..58a59c4600a 100644 --- a/apps/pkey.c +++ b/apps/pkey.c @@ -19,7 +19,7 @@ typedef enum OPTION_choice { OPT_COMMON, - OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, + OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB, OPT_TEXT, OPT_NOOUT, OPT_CIPHER, OPT_TRADITIONAL, OPT_CHECK, OPT_PUB_CHECK, OPT_EC_PARAM_ENC, OPT_EC_CONV_FORM, @@ -29,9 +29,6 @@ typedef enum OPTION_choice { const OPTIONS pkey_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_PROV_OPTIONS, {"check", OPT_CHECK, '-', "Check key consistency"}, @@ -68,7 +65,6 @@ const OPTIONS pkey_options[] = { int pkey_main(int argc, char **argv) { BIO *out = NULL; - ENGINE *e = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; EVP_CIPHER *cipher = NULL; 
@@ -110,9 +106,6 @@ int pkey_main(int argc, char **argv) case OPT_PASSOUT: passoutarg = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_IN: infile = opt_arg(); break; @@ -209,9 +202,9 @@ int pkey_main(int argc, char **argv) } if (pubin) - pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key"); + pkey = load_pubkey(infile, informat, 1, passin, "Public Key"); else - pkey = load_key(infile, informat, 1, passin, e, "key"); + pkey = load_key(infile, informat, 1, passin, "key"); if (pkey == NULL) goto end; @@ -242,7 +235,7 @@ int pkey_main(int argc, char **argv) if (check || pub_check) { int r; - ctx = EVP_PKEY_CTX_new(pkey, e); + ctx = EVP_PKEY_CTX_new(pkey, NULL); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; @@ -327,7 +320,6 @@ int pkey_main(int argc, char **argv) EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); EVP_CIPHER_free(cipher); - release_engine(e); BIO_free_all(out); OPENSSL_free(passin); OPENSSL_free(passout); diff --git a/apps/pkeyparam.c b/apps/pkeyparam.c index fd8de0e02fe..a35ad3e3b3e 100644 --- a/apps/pkeyparam.c +++ b/apps/pkeyparam.c @@ -19,16 +19,13 @@ typedef enum OPTION_choice { OPT_COMMON, OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, - OPT_ENGINE, OPT_CHECK, + OPT_CHECK, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS pkeyparam_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {"check", OPT_CHECK, '-', "Check key param consistency"}, OPT_SECTION("Input"), @@ -45,7 +42,6 @@ const OPTIONS pkeyparam_options[] = { int pkeyparam_main(int argc, char **argv) { - ENGINE *e = NULL; BIO *in = NULL, *out = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; @@ -71,9 +67,6 @@ int pkeyparam_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_TEXT: text = 1; break; 
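Review bot: `ctx = EVP_PKEY_CTX_new(pkey, NULL);` in the `-check`/`-pubcheck` hunk replaces the engine argument with NULL but keeps the legacy constructor, which creates the context in the default library context with no property query. The parallel change to apps/pkeyparam.c in this commit (hunk `@@ -109,11 +102,8 @@`) instead uses `EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq())`, so with a key loaded under a non-default libctx or `-propquery` the consistency check in pkey may, as far as I can tell, run against a different provider than the one that loaded the key. Replace the line with `ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, app_get0_propq());` to match pkeyparam.c. pkey_main's body continues outside the hunk.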
@@ -109,11 +102,8 @@ int pkeyparam_main(int argc, char **argv) goto end; if (check) { - if (e == NULL) - ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, - app_get0_propq()); - else - ctx = EVP_PKEY_CTX_new(pkey, e); + ctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), pkey, + app_get0_propq()); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; @@ -145,7 +135,6 @@ int pkeyparam_main(int argc, char **argv) end: EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); - release_engine(e); BIO_free_all(out); BIO_free(in); diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c index 900af11c38b..7a5f9987bc7 100644 --- a/apps/pkeyutl.c +++ b/apps/pkeyutl.c @@ -22,16 +22,14 @@ static EVP_PKEY *get_pkey(const char *kdfalg, const char *keyfile, int keyform, int key_type, - char *passinarg, int pkey_op, ENGINE *e); + char *passinarg, int pkey_op); static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, - int pkey_op, ENGINE *e, - const int engine_impl, int rawin, + int pkey_op, int rawin, EVP_PKEY *pkey /* ownership is passed to ctx */, EVP_MD_CTX *mctx, const char *digestname, const char *kemop, OSSL_LIB_CTX *libctx, const char *propq); -static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, - ENGINE *e); +static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file); static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, unsigned char *out, size_t *poutlen, @@ -56,7 +54,7 @@ static int only_nomd(EVP_PKEY *pkey) typedef enum OPTION_choice { OPT_COMMON, - OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT, + OPT_IN, OPT_OUT, OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN, OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN, 
@@ -70,11 +68,6 @@ typedef enum OPTION_choice { const OPTIONS pkeyutl_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, - {"engine_impl", OPT_ENGINE_IMPL, '-', - "Also use engine given by -engine for crypto operations"}, -#endif {"sign", OPT_SIGN, '-', "Sign input data with private key"}, {"verify", OPT_VERIFY, '-', "Verify with public key"}, {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"}, @@ -90,7 +83,7 @@ const OPTIONS pkeyutl_options[] = { {"pubin", OPT_PUBIN, '-', "Input key is a public key"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"}, - {"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12/ENGINE)"}, + {"peerform", OPT_PEERFORM, 'E', "Peer key format (DER/PEM/P12)"}, {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"}, {"rev", OPT_REV, '-', "Reverse the order of the input buffer"}, {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"}, @@ -126,7 +119,6 @@ int pkeyutl_main(int argc, char **argv) { CONF *conf = NULL; BIO *in = NULL, *out = NULL, *secout = NULL; - ENGINE *e = NULL; EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *pkey = NULL; char *infile = NULL, *outfile = NULL, *secoutfile = NULL, *sigfile = NULL, *passinarg = NULL; @@ -136,7 +128,6 @@ int pkeyutl_main(int argc, char **argv) int buf_inlen = 0, siglen = -1; int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF; int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; - int engine_impl = 0; int ret = 1, rv = -1; size_t buf_outlen = 0, secretlen = 0; const char *inkey = NULL; @@ -175,9 +166,6 @@ int pkeyutl_main(int argc, char **argv) case OPT_SIGFILE: sigfile = opt_arg(); break; - case OPT_ENGINE_IMPL: - engine_impl = 1; - break; case OPT_INKEY: inkey = opt_arg(); break; 
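Review bot: The help text for -peerform is changed to `"Peer key format (DER/PEM/P12)"` but the option keeps its `'E'` format class, and setup_peer (the -766 hunk of apps/pkeyutl.c further down) no longer looks at `peerform == FORMAT_ENGINE` before calling `load_pubkey(file, peerform, 0, NULL, "peer key")`. If the `'E'` class still lets opt_format() accept ENGINE, `-peerform ENGINE` yields a FORMAT_ENGINE value that nothing in this file handles any more, and the outcome then depends entirely on what load_pubkey does with it. I would either narrow the option to the class used for the plain DER/PEM/P12 options or reject FORMAT_ENGINE explicitly in setup_peer with a clear error; the same question applies to `-inform` with class `'f'` in apps/rsa.c, whose help string was updated the same way.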
@@ -208,9 +196,6 @@ int pkeyutl_main(int argc, char **argv) if (!opt_provider(o)) goto end; break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_PUBIN: key_type = KEY_PUBKEY; break; @@ -317,7 +302,7 @@ int pkeyutl_main(int argc, char **argv) goto opthelp; } - pkey = get_pkey(kdfalg, inkey, keyform, key_type, passinarg, pkey_op, e); + pkey = get_pkey(kdfalg, inkey, keyform, key_type, passinarg, pkey_op); if (key_type != KEY_NONE && pkey == NULL) { BIO_printf(bio_err, "%s: Error loading key\n", prog); goto end; @@ -357,13 +342,13 @@ int pkeyutl_main(int argc, char **argv) goto end; } } - ctx = init_ctx(kdfalg, &keysize, pkey_op, e, engine_impl, rawin, pkey, + ctx = init_ctx(kdfalg, &keysize, pkey_op, rawin, pkey, mctx, digestname, kemop, libctx, app_get0_propq()); if (ctx == NULL) { BIO_printf(bio_err, "%s: Error initializing context\n", prog); goto end; } - if (peerkey != NULL && !setup_peer(ctx, peerform, peerkey, e)) { + if (peerkey != NULL && !setup_peer(ctx, peerform, peerkey)) { BIO_printf(bio_err, "%s: Error setting up peer key\n", prog); goto end; } @@ -601,7 +586,6 @@ int pkeyutl_main(int argc, char **argv) EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); EVP_MD_free(md); - release_engine(e); BIO_free(in); BIO_free_all(out); BIO_free_all(secout); @@ -617,7 +601,7 @@ int pkeyutl_main(int argc, char **argv) static EVP_PKEY *get_pkey(const char *kdfalg, const char *keyfile, int keyform, int key_type, - char *passinarg, int pkey_op, ENGINE *e) + char *passinarg, int pkey_op) { EVP_PKEY *pkey = NULL; char *passin = NULL; @@ -635,11 +619,11 @@ static EVP_PKEY *get_pkey(const char *kdfalg, } switch (key_type) { case KEY_PRIVKEY: - pkey = load_key(keyfile, keyform, 0, passin, e, "private key"); + pkey = load_key(keyfile, keyform, 0, passin, "private key"); break; case KEY_PUBKEY: - pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key"); + pkey = load_pubkey(keyfile, keyform, 0, NULL, "public key"); break; case KEY_CERT: 
@@ -659,21 +643,14 @@ static EVP_PKEY *get_pkey(const char *kdfalg, } static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, - int pkey_op, ENGINE *e, - const int engine_impl, int rawin, + int pkey_op, int rawin, EVP_PKEY *pkey /* ownership is passed to ctx */, EVP_MD_CTX *mctx, const char *digestname, const char *kemop, OSSL_LIB_CTX *libctx, const char *propq) { EVP_PKEY_CTX *ctx = NULL; - ENGINE *impl = NULL; int rv = -1; -#ifndef OPENSSL_NO_ENGINE - if (engine_impl) - impl = e; -#endif - if (kdfalg != NULL) { int kdfnid = OBJ_sn2nid(kdfalg); @@ -685,19 +662,13 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, return NULL; } } - if (impl != NULL) - ctx = EVP_PKEY_CTX_new_id(kdfnid, impl); - else - ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq); + ctx = EVP_PKEY_CTX_new_from_name(libctx, kdfalg, propq); } else { if (pkey == NULL) return NULL; *pkeysize = EVP_PKEY_get_size(pkey); - if (impl != NULL) - ctx = EVP_PKEY_CTX_new(pkey, impl); - else - ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); + ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, propq); } if (ctx == NULL) @@ -766,17 +737,13 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, return ctx; } -static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, - ENGINE *e) +static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file) { EVP_PKEY *pkey = EVP_PKEY_CTX_get0_pkey(ctx); EVP_PKEY *peer = NULL; - ENGINE *engine = NULL; int ret = 1; - if (peerform == FORMAT_ENGINE) - engine = e; - peer = load_pubkey(file, peerform, 0, NULL, engine, "peer key"); + peer = load_pubkey(file, peerform, 0, NULL, "peer key"); if (peer == NULL) { BIO_printf(bio_err, "Error reading peer key %s\n", file); return 0; diff --git a/apps/rand.c b/apps/rand.c index da747c1783e..d57ed74f6e6 100644 --- a/apps/rand.c +++ b/apps/rand.c 
@@ -20,7 +20,7 @@ typedef enum OPTION_choice { OPT_COMMON, - OPT_OUT, OPT_ENGINE, OPT_BASE64, OPT_HEX, + OPT_OUT, OPT_BASE64, OPT_HEX, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; @@ -29,9 +29,6 @@ const OPTIONS rand_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Output"), {"out", OPT_OUT, '>', "Output file"}, @@ -48,7 +45,6 @@ const OPTIONS rand_options[] = { int rand_main(int argc, char **argv) { - ENGINE *e = NULL; BIO *out = NULL; char *outfile = NULL, *prog; OPTION_CHOICE o; @@ -73,9 +69,6 @@ int rand_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_R_CASES: if (!opt_rand(o)) goto end; @@ -223,7 +216,6 @@ int rand_main(int argc, char **argv) if (ret != 0) ERR_print_errors(bio_err); OPENSSL_free(buf); - release_engine(e); BIO_free_all(out); return ret; } diff --git a/apps/req.c b/apps/req.c index 1e877c23174..2842dff993b 100644 --- a/apps/req.c +++ b/apps/req.c @@ -71,8 +71,7 @@ static int check_end(const char *str, const char *end); static int join(char buf[], size_t buf_size, const char *name, const char *tail, const char *desc); static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, - char **pkeytype, long *pkeylen, - ENGINE *keygen_engine); + char **pkeytype, long *pkeylen); static const char *section = "req"; static CONF *req_conf = NULL; @@ -82,7 +81,7 @@ static int batch = 0; typedef enum OPTION_choice { OPT_COMMON, OPT_CIPHER, - OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_KEYGEN_ENGINE, OPT_KEY, + OPT_INFORM, OPT_OUTFORM, OPT_KEY, OPT_PUBKEY, OPT_NEW, OPT_CONFIG, OPT_KEYFORM, OPT_IN, OPT_OUT, OPT_KEYOUT, OPT_PASSIN, OPT_PASSOUT, OPT_NEWKEY, OPT_PKEYOPT, OPT_SIGOPT, OPT_VFYOPT, OPT_BATCH, OPT_NEWHDR, OPT_MODULUS, 
@@ -100,11 +99,6 @@ const OPTIONS req_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"cipher", OPT_CIPHER, 's', "Specify the cipher for private key encryption"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, - {"keygen_engine", OPT_KEYGEN_ENGINE, 's', - "Specify engine to be used for key generation operations"}, -#endif {"in", OPT_IN, '<', "X.509 request input file (default stdin)"}, {"inform", OPT_INFORM, 'F', "CSR input format to use (PEM or DER; by default try PEM first)"}, @@ -245,7 +239,6 @@ int req_main(int argc, char **argv) { ASN1_INTEGER *serial = NULL; BIO *out = NULL; - ENGINE *e = NULL, *gen_eng = NULL; EVP_PKEY *pkey = NULL, *CAkey = NULL; EVP_PKEY_CTX *genctx = NULL; STACK_OF(OPENSSL_STRING) *pkeyopts = NULL, *sigopts = NULL, *vfyopts = NULL; @@ -298,18 +291,6 @@ int req_main(int argc, char **argv) if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat)) goto opthelp; break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; - case OPT_KEYGEN_ENGINE: -#ifndef OPENSSL_NO_ENGINE - gen_eng = setup_engine(opt_arg(), 0); - if (gen_eng == NULL) { - BIO_printf(bio_err, "Can't find keygen engine %s\n", *argv); - goto opthelp; - } -#endif - break; case OPT_KEY: keyfile = opt_arg(); break; @@ -624,7 +605,7 @@ int req_main(int argc, char **argv) } if (keyfile != NULL) { - pkey = load_key(keyfile, keyform, 0, passin, e, "private key"); + pkey = load_key(keyfile, keyform, 0, passin, "private key"); if (pkey == NULL) goto end; app_RAND_load_conf(req_conf, section); @@ -640,7 +621,7 @@ int req_main(int argc, char **argv) if (!app_conf_try_number(req_conf, section, BITS, &newkey_len)) newkey_len = DEFAULT_KEY_LENGTH; - genctx = set_keygen_ctx(keyalg, &keyalgstr, &newkey_len, gen_eng); + genctx = set_keygen_ctx(keyalg, &keyalgstr, &newkey_len); if (genctx == NULL) goto end; 
@@ -762,7 +743,7 @@ int req_main(int argc, char **argv) "Warning: Ignoring -CAkey option since no -CA option is given\n"); } else { if ((CAkey = load_key(CAkeyfile, FORMAT_UNDEF, - 0, passin, e, + 0, passin, CAkeyfile != CAfile ? "issuer private key from -CAkey arg" : "issuer private key from -CA arg")) == NULL) @@ -1056,9 +1037,6 @@ int req_main(int argc, char **argv) sk_OPENSSL_STRING_free(vfyopts); lh_OPENSSL_STRING_doall(addexts, exts_cleanup); lh_OPENSSL_STRING_free(addexts); -#ifndef OPENSSL_NO_ENGINE - release_engine(gen_eng); -#endif OPENSSL_free(keyalgstr); X509_REQ_free(req); X509_NAME_free(fsubj); @@ -1066,7 +1044,6 @@ int req_main(int argc, char **argv) X509_free(CAcert); EVP_PKEY_free(CAkey); ASN1_INTEGER_free(serial); - release_engine(e); if (passin != nofree_passin) OPENSSL_free(passin); if (passout != nofree_passout) @@ -1484,8 +1461,7 @@ static int join(char buf[], size_t buf_size, const char *name, } static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, - char **pkeytype, long *pkeylen, - ENGINE *keygen_engine) + char **pkeytype, long *pkeylen) { EVP_PKEY_CTX *gctx = NULL; EVP_PKEY *param = NULL; 
@@ -1601,28 +1577,13 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr, return NULL; } - if (keygen_engine != NULL) - gctx = EVP_PKEY_CTX_new(param, keygen_engine); - else - gctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), - param, app_get0_propq()); + gctx = EVP_PKEY_CTX_new_from_pkey(app_get0_libctx(), + param, app_get0_propq()); *pkeylen = EVP_PKEY_get_bits(param); EVP_PKEY_free(param); } else { -#ifndef OPENSSL_NO_DEPRECATED_3_6 - if (keygen_engine != NULL) { - int pkey_id = get_legacy_pkey_id(app_get0_libctx(), *pkeytype, - keygen_engine); - - if (pkey_id != NID_undef) - gctx = EVP_PKEY_CTX_new_id(pkey_id, keygen_engine); - } else { -#endif - gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), - *pkeytype, app_get0_propq()); -#ifndef OPENSSL_NO_DEPRECATED_3_6 - } -#endif + gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), + *pkeytype, app_get0_propq()); } if (gctx == NULL) { diff --git a/apps/rsa.c b/apps/rsa.c index 9a4d16cbb01..8aa3295f8e2 100644 --- a/apps/rsa.c +++ b/apps/rsa.c @@ -41,7 +41,7 @@ typedef enum OPTION_choice { OPT_COMMON, - OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT, + OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN, OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, /* Do not change the order here; see case statements below */ 
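Review bot: Removing the OPENSSL_NO_DEPRECATED_3_6 branch in set_keygen_ctx deletes the only call to `get_legacy_pkey_id()` visible in this diff, so that helper (and the deprecation guard that existed for it) is likely dead now; if no other caller under apps/ remains, it should be removed in this commit rather than left as engine-era residue. The new `gctx = EVP_PKEY_CTX_new_from_name(app_get0_libctx(), *pkeytype, app_get0_propq());` is otherwise the right replacement. set_keygen_ctx continues past the end of this hunk.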
@@ -55,13 +55,10 @@ const OPTIONS rsa_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"check", OPT_CHECK, '-', "Verify key consistency"}, {"", OPT_CIPHER, '-', "Any supported cipher"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Input"), {"in", OPT_IN, 's', "Input file"}, - {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12/ENGINE)"}, + {"inform", OPT_INFORM, 'f', "Input format (DER/PEM/P12)"}, {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"}, {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"}, {"passin", OPT_PASSIN, 's', "Input file pass phrase source"}, @@ -121,7 +118,6 @@ static int try_legacy_encoding(EVP_PKEY *pkey, int outformat, int pubout, int rsa_main(int argc, char **argv) { - ENGINE *e = NULL; BIO *out = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *pctx; @@ -172,9 +168,6 @@ int rsa_main(int argc, char **argv) case OPT_PASSOUT: passoutarg = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_PUBIN: pubin = 1; break; @@ -246,9 +239,9 @@ int rsa_main(int argc, char **argv) tmpformat = informat; } - pkey = load_pubkey(infile, tmpformat, 1, passin, e, "public key"); + pkey = load_pubkey(infile, tmpformat, 1, passin, "public key"); } else { - pkey = load_key(infile, informat, 1, passin, e, "private key"); + pkey = load_key(infile, informat, 1, passin, "private key"); } if (pkey == NULL) { @@ -403,7 +396,6 @@ int rsa_main(int argc, char **argv) ret = 0; end: OSSL_ENCODER_CTX_free(ectx); - release_engine(e); BIO_free_all(out); EVP_PKEY_free(pkey); EVP_CIPHER_free(enc); diff --git a/apps/rsautl.c b/apps/rsautl.c index db11e3498f3..ae0e30a4d93 100644 --- a/apps/rsautl.c +++ b/apps/rsautl.c 
@@ -27,7 +27,7 @@ typedef enum OPTION_choice { OPT_COMMON, - OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP, + OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_RSA_RAW, OPT_OAEP, OPT_PKCS, OPT_X931, OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT, OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM, @@ -41,9 +41,6 @@ const OPTIONS rsautl_options[] = { {"verify", OPT_VERIFY, '-', "Verify with public key"}, {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"}, {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, @@ -72,7 +69,6 @@ const OPTIONS rsautl_options[] = { int rsautl_main(int argc, char **argv) { BIO *in = NULL, *out = NULL; - ENGINE *e = NULL; EVP_PKEY *pkey = NULL; EVP_PKEY_CTX *ctx = NULL; X509 *x; @@ -107,9 +103,6 @@ int rsautl_main(int argc, char **argv) case OPT_OUT: outfile = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_ASN1PARSE: asn1parse = 1; break; @@ -187,11 +180,11 @@ int rsautl_main(int argc, char **argv) switch (key_type) { case KEY_PRIVKEY: - pkey = load_key(keyfile, keyformat, 0, passin, e, "private key"); + pkey = load_key(keyfile, keyformat, 0, passin, "private key"); break; case KEY_PUBKEY: - pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "public key"); + pkey = load_pubkey(keyfile, keyformat, 0, NULL, "public key"); break; case KEY_CERT: @@ -282,7 +275,6 @@ int rsautl_main(int argc, char **argv) end: EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(pkey); - release_engine(e); BIO_free(in); BIO_free_all(out); OPENSSL_free(rsa_in); diff --git a/apps/s_client.c b/apps/s_client.c index 7c3e1ef7bc8..80da100655c 100644 --- a/apps/s_client.c +++ b/apps/s_client.c 
@@ -483,12 +483,11 @@ typedef enum OPTION_choice { OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN, OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, OPT_BRIEF, OPT_PREXIT, OPT_NO_INTERACTIVE, OPT_CRLF, OPT_QUIET, OPT_NBIO, - OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF, - OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_WDEBUG, + OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_WDEBUG, # ifndef OPENSSL_NO_OCSP OPT_STATUS, OPT_STATUS_OCSP_CHECK_LEAF, OPT_STATUS_OCSP_CHECK_ALL, # endif - OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG, + OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE, OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS, #ifndef OPENSSL_NO_SRP @@ -530,11 +529,6 @@ const OPTIONS s_client_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, - {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's', - "Specify engine to be used for client certificate operations"}, -#endif {"ssl_config", OPT_SSL_CONFIG, 's', "Use specified section for SSL_CTX configuration"}, #ifndef OPENSSL_NO_CT {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"}, @@ -913,10 +907,6 @@ int s_client_main(int argc, char **argv) int enable_timeouts = 0; long socket_mtu = 0; #endif -#ifndef OPENSSL_NO_ENGINE - ENGINE *ssl_client_engine = NULL; -#endif - ENGINE *e = NULL; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) struct timeval tv; #endif 
@@ -1175,18 +1165,6 @@ int s_client_main(int argc, char **argv) case OPT_ADV: cmdmode = USER_DATA_MODE_ADVANCED; break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 1); - break; - case OPT_SSL_CLIENT_ENGINE: -#ifndef OPENSSL_NO_ENGINE - ssl_client_engine = setup_engine(opt_arg(), 0); - if (ssl_client_engine == NULL) { - BIO_printf(bio_err, "Error getting client auth engine\n"); - goto opthelp; - } -#endif - break; case OPT_R_CASES: if (!opt_rand(o)) goto end; @@ -1771,7 +1749,7 @@ int s_client_main(int argc, char **argv) key_file = cert_file; if (key_file != NULL) { - key = load_key(key_file, key_format, 0, pass, e, + key = load_key(key_file, key_format, 0, pass, "client certificate private key"); if (key == NULL) goto end; @@ -1929,16 +1907,6 @@ int s_client_main(int argc, char **argv) } SSL_CTX_set0_CA_list(ctx, nm); } -#ifndef OPENSSL_NO_ENGINE - if (ssl_client_engine) { - if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) { - BIO_puts(bio_err, "Error setting client auth engine\n"); - release_engine(ssl_client_engine); - goto end; - } - release_engine(ssl_client_engine); - } -#endif #ifndef OPENSSL_NO_PSK if (psk_key != NULL) { @@ -3344,7 +3312,6 @@ int s_client_main(int argc, char **argv) OPENSSL_clear_free(sbuf, BUFSIZZ); OPENSSL_clear_free(mbuf, BUFSIZZ); clear_free(proxypass); - release_engine(e); BIO_free(bio_c_out); bio_c_out = NULL; BIO_free(bio_c_msg); diff --git a/apps/s_server.c b/apps/s_server.c index 52b4a60794f..a50740c6182 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -939,7 +939,6 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) typedef enum OPTION_choice { OPT_COMMON, - OPT_ENGINE, OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT, OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM, 
@@ -987,9 +986,6 @@ const OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_SSL_TRACE {"trace", OPT_TRACE, '-', "trace protocol messages"}, #endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Network"), {"port", OPT_PORT, 'p', @@ -1242,7 +1238,6 @@ const OPTIONS s_server_options[] = { int s_server_main(int argc, char *argv[]) { - ENGINE *engine = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; SSL_CONF_CTX *cctx = NULL; const SSL_METHOD *meth = TLS_server_method(); @@ -1832,11 +1827,6 @@ int s_server_main(int argc, char *argv[]) case OPT_ID_PREFIX: session_id_prefix = opt_arg(); break; - case OPT_ENGINE: -#ifndef OPENSSL_NO_ENGINE - engine = setup_engine(opt_arg(), s_debug); -#endif - break; case OPT_R_CASES: if (!opt_rand(o)) goto end; @@ -2048,7 +2038,7 @@ int s_server_main(int argc, char *argv[]) goto end; if (nocert == 0) { - s_key = load_key(s_key_file, s_key_format, 0, pass, engine, + s_key = load_key(s_key_file, s_key_format, 0, pass, "server certificate private key"); if (s_key == NULL) goto end; @@ -2065,7 +2055,7 @@ int s_server_main(int argc, char *argv[]) } if (tlsextcbp.servername != NULL) { - s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine, + s_key2 = load_key(s_key_file2, s_key_format, 0, pass, "second server certificate private key"); if (s_key2 == NULL) goto end; @@ -2111,7 +2101,7 @@ int s_server_main(int argc, char *argv[]) s_dkey_file = s_dcert_file; s_dkey = load_key(s_dkey_file, s_dkey_format, - 0, dpass, engine, "second certificate private key"); + 0, dpass, "second certificate private key"); if (s_dkey == NULL) goto end; @@ -2612,7 +2602,6 @@ int s_server_main(int argc, char *argv[]) ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); - release_engine(engine); BIO_free(bio_s_out); bio_s_out = NULL; BIO_free(bio_s_msg); diff --git a/apps/smime.c b/apps/smime.c index 211ddce4ab3..c87189e3817 100644 --- a/apps/smime.c 
+++ b/apps/smime.c @@ -38,7 +38,7 @@ typedef enum OPTION_choice { OPT_PK7OUT, OPT_TEXT, OPT_NOINTERN, OPT_NOVERIFY, OPT_NOCHAIN, OPT_NOCERTS, OPT_NOATTR, OPT_NODETACH, OPT_NOSMIMECAP, OPT_BINARY, OPT_NOSIGS, OPT_STREAM, OPT_INDEF, OPT_NOINDEF, - OPT_CRLFEOL, OPT_ENGINE, OPT_PASSIN, + OPT_CRLFEOL, OPT_PASSIN, OPT_TO, OPT_FROM, OPT_SUBJECT, OPT_SIGNER, OPT_RECIP, OPT_MD, OPT_CIPHER, OPT_INKEY, OPT_KEYFORM, OPT_CERTFILE, OPT_CAFILE, OPT_CAPATH, OPT_CASTORE, OPT_NOCAFILE, OPT_NOCAPATH, OPT_NOCASTORE, @@ -61,9 +61,6 @@ const OPTIONS smime_options[] = { {"inkey", OPT_INKEY, 's', "Input private key (if not signer or recipient)"}, {"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {"stream", OPT_STREAM, '-', "Enable CMS streaming" }, {"indef", OPT_INDEF, '-', "Same as -stream" }, {"noindef", OPT_NOINDEF, '-', "Disable CMS streaming"}, @@ -182,7 +179,6 @@ int smime_main(int argc, char **argv) int informat = FORMAT_SMIME, outformat = FORMAT_SMIME, keyform = FORMAT_UNDEF; int vpmtouched = 0, rv = 0; - ENGINE *e = NULL; const char *mime_eol = "\n"; OSSL_LIB_CTX *libctx = app_get0_libctx(); @@ -294,9 +290,6 @@ int smime_main(int argc, char **argv) if (conf == NULL) goto end; break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_PASSIN: passinarg = opt_arg(); break; @@ -520,7 +513,7 @@ int smime_main(int argc, char **argv) } if (keyfile != NULL) { - key = load_key(keyfile, keyform, 0, passin, e, "signing key"); + key = load_key(keyfile, keyform, 0, passin, "signing key"); if (key == NULL) goto end; } @@ -612,7 +605,7 @@ int smime_main(int argc, char **argv) signer = load_cert(signerfile, FORMAT_UNDEF, "signer certificate"); if (signer == NULL) goto end; - key = load_key(keyfile, keyform, 0, passin, e, "signing key"); + key = load_key(keyfile, keyform, 0, passin, "signing key"); if (key == NULL) goto end; 
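Review bot: The -engine entry is removed from smime_options, but the neighbouring context line `{"keyform", OPT_KEYFORM, 'f', "Input private key format (ENGINE, other values ignored)"}` still documents -keyform purely in terms of ENGINE, which this commit makes meaningless; apps/rsa.c and apps/pkeyutl.c in the same diff did update their format help strings. I would reword it to describe what the option does now, e.g. `{"keyform", OPT_KEYFORM, 'f', "Input private key format (DER/PEM/P12)"},` if those are the formats load_key() still honours, or drop the option if keyform no longer affects anything. The `'f'` class presumably still accepts ENGINE as a value, so that should be looked at together with the text.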
@@ -701,7 +694,6 @@ int smime_main(int argc, char **argv) EVP_MD_free(sign_md); EVP_CIPHER_free(cipher); PKCS7_free(p7); - release_engine(e); BIO_free(in); BIO_free(indata); BIO_free_all(out); diff --git a/apps/speed.c b/apps/speed.c index cafd4c48807..4467385746d 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -233,7 +233,7 @@ static int opt_found(const char *name, unsigned int *result, typedef enum OPTION_choice { OPT_COMMON, - OPT_ELAPSED, OPT_EVP, OPT_HMAC, OPT_DECRYPT, OPT_ENGINE, OPT_MULTI, + OPT_ELAPSED, OPT_EVP, OPT_HMAC, OPT_DECRYPT, OPT_MULTI, OPT_MR, OPT_MB, OPT_MISALIGN, OPT_ASYNCJOBS, OPT_R_ENUM, OPT_PROV_ENUM, OPT_CONFIG, OPT_PRIMES, OPT_SECONDS, OPT_BYTES, OPT_AEAD, OPT_CMAC, OPT_MLOCK, OPT_TESTMODE, OPT_KEM, OPT_SIG @@ -257,9 +257,6 @@ const OPTIONS speed_options[] = { #ifndef OPENSSL_NO_ASYNC {"async_jobs", OPT_ASYNCJOBS, 'p', "Enable async mode and start specified number of jobs"}, -#endif -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif {"primes", OPT_PRIMES, 'p', "Specify number of primes (for RSA only)"}, {"mlock", OPT_MLOCK, '-', "Lock memory for better result determinism"}, @@ -1879,10 +1876,8 @@ static int get_max(const uint8_t doit[], size_t algs_len) { int speed_main(int argc, char **argv) { CONF *conf = NULL; - ENGINE *e = NULL; loopargs_t *loopargs = NULL; const char *prog; - const char *engine_id = NULL; EVP_CIPHER *evp_cipher = NULL; EVP_MAC *mac = NULL; double d = 0.0; @@ -2096,14 +2091,6 @@ int speed_main(int argc, char **argv) case OPT_DECRYPT: decrypt = 1; break; - case OPT_ENGINE: - /* - * In a forked execution, an engine might need to be - * initialised by each child process, not by the parent. - * So store the name here and run setup_engine() later on. - */ - engine_id = opt_arg(); - break; case OPT_MULTI: #ifndef NO_FORK multi = opt_int_arg(); 
@@ -2554,9 +2541,6 @@ int speed_main(int argc, char **argv) memset(loopargs[i].buf2_malloc, 0, buflen); } - /* Initialize the engine after the fork */ - e = setup_engine(engine_id, 0); - /* No parameters; turn on everything. */ if (argc == 0 && !doit[D_EVP] && !doit[D_HMAC] && !doit[D_EVP_CMAC] && !do_kems && !do_sigs) { @@ -3231,7 +3215,7 @@ int speed_main(int argc, char **argv) bn = BN_new(); st = bn != NULL && BN_set_word(bn, RSA_F4) - && init_gen_str(&genctx, "RSA", NULL, 0, NULL, NULL) + && init_gen_str(&genctx, "RSA", 0, NULL, NULL) && EVP_PKEY_CTX_set_rsa_keygen_bits(genctx, rsa_keys[testnum].bits) > 0 && EVP_PKEY_CTX_set1_rsa_keygen_pubexp(genctx, bn) > 0 && EVP_PKEY_CTX_set_rsa_keygen_primes(genctx, primes) > 0 @@ -4784,7 +4768,6 @@ int speed_main(int argc, char **argv) ASYNC_cleanup_thread(); } OPENSSL_free(loopargs); - release_engine(e); EVP_CIPHER_free(evp_cipher); EVP_MAC_free(mac); NCONF_free(conf); diff --git a/apps/spkac.c b/apps/spkac.c index 5a129a7fa77..73b126ffbb6 100644 --- a/apps/spkac.c +++ b/apps/spkac.c @@ -23,7 +23,7 @@ typedef enum OPTION_choice { OPT_COMMON, OPT_NOOUT, OPT_PUBKEY, OPT_VERIFY, OPT_IN, OPT_OUT, - OPT_ENGINE, OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC, + OPT_KEY, OPT_CHALLENGE, OPT_PASSIN, OPT_SPKAC, OPT_SPKSECT, OPT_KEYFORM, OPT_DIGEST, OPT_PROV_ENUM } OPTION_CHOICE; @@ -33,9 +33,6 @@ const OPTIONS spkac_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"spksect", OPT_SPKSECT, 's', "Specify the name of an SPKAC-dedicated section of configuration"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Input"), {"in", OPT_IN, '<', "Input file"}, @@ -60,7 +57,6 @@ int spkac_main(int argc, char **argv) { BIO *out = NULL; CONF *conf = NULL; - ENGINE *e = NULL; EVP_PKEY *pkey = NULL; NETSCAPE_SPKI *spki = NULL; char *challenge = NULL, *keyfile = NULL; 
@@ -122,9 +118,6 @@ int spkac_main(int argc, char **argv) case OPT_DIGEST: digest = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_PROV_CASES: if (!opt_provider(o)) goto end; @@ -146,7 +139,7 @@ int spkac_main(int argc, char **argv) goto end; pkey = load_key(strcmp(keyfile, "-") ? keyfile : NULL, - keyformat, 1, passin, e, "private key"); + keyformat, 1, passin, "private key"); if (pkey == NULL) goto end; spki = NETSCAPE_SPKI_new(); @@ -227,7 +220,6 @@ int spkac_main(int argc, char **argv) NETSCAPE_SPKI_free(spki); BIO_free_all(out); EVP_PKEY_free(pkey); - release_engine(e); OPENSSL_free(passin); return ret; } diff --git a/apps/srp.c b/apps/srp.c index 4e8f2265038..f35fe128cb4 100644 --- a/apps/srp.c +++ b/apps/srp.c @@ -193,7 +193,7 @@ typedef enum OPTION_choice { OPT_COMMON, OPT_VERBOSE, OPT_CONFIG, OPT_NAME, OPT_SRPVFILE, OPT_ADD, OPT_DELETE, OPT_MODIFY, OPT_LIST, OPT_GN, OPT_USERINFO, - OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE, OPT_R_ENUM, OPT_PROV_ENUM + OPT_PASSIN, OPT_PASSOUT, OPT_R_ENUM, OPT_PROV_ENUM } OPTION_CHOICE; const OPTIONS srp_options[] = { @@ -204,9 +204,6 @@ const OPTIONS srp_options[] = { {"verbose", OPT_VERBOSE, '-', "Talk a lot while doing things"}, {"config", OPT_CONFIG, '<', "A config file"}, {"name", OPT_NAME, 's', "The particular srp definition to use"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Action"), {"add", OPT_ADD, '-', "Add a user and SRP verifier"}, @@ -231,7 +228,6 @@ const OPTIONS srp_options[] = { int srp_main(int argc, char **argv) { - ENGINE *e = NULL; CA_DB *db = NULL; CONF *conf = NULL; int gNindex = -1, maxgN = -1, ret = 1, errors = 0, verbose = 0, i; @@ -291,9 +287,6 @@ int srp_main(int argc, char **argv) case OPT_PASSOUT: passoutarg = opt_arg(); break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_R_CASES: if (!opt_rand(o)) goto end; 
@@ -626,6 +619,5 @@ int srp_main(int argc, char **argv) ERR_print_errors(bio_err); NCONF_free(conf); free_index(db); - release_engine(e); return ret; } diff --git a/apps/storeutl.c b/apps/storeutl.c index bb489d6d9bd..fe809d421ca 100644 --- a/apps/storeutl.c +++ b/apps/storeutl.c @@ -25,7 +25,7 @@ static BIO *out = NULL; typedef enum OPTION_choice { OPT_COMMON, - OPT_ENGINE, OPT_OUT, OPT_PASSIN, + OPT_OUT, OPT_PASSIN, OPT_NOOUT, OPT_TEXT, OPT_RECURSIVE, OPT_SEARCHFOR_CERTS, OPT_SEARCHFOR_KEYS, OPT_SEARCHFOR_CRLS, OPT_CRITERION_SUBJECT, OPT_CRITERION_ISSUER, OPT_CRITERION_SERIAL, @@ -39,9 +39,6 @@ const OPTIONS storeutl_options[] = { OPT_SECTION("General"), {"help", OPT_HELP, '-', "Display this summary"}, {"", OPT_MD, '-', "Any supported digest"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif OPT_SECTION("Search"), {"certs", OPT_SEARCHFOR_CERTS, '-', "Search for certificates only"}, @@ -73,7 +70,6 @@ int storeutl_main(int argc, char *argv[]) { int ret = 1, noout = 0, text = 0, recursive = 0; char *outfile = NULL, *passin = NULL, *passinarg = NULL; - ENGINE *e = NULL; OPTION_CHOICE o; char *prog; PW_CB_DATA pw_cb_data; @@ -243,9 +239,6 @@ int storeutl_main(int argc, char *argv[]) goto end; } break; - case OPT_ENGINE: - e = setup_engine(opt_arg(), 0); - break; case OPT_MD: digestname = opt_unknown(); break; @@ -324,7 +317,6 @@ int storeutl_main(int argc, char *argv[]) OSSL_STORE_SEARCH_free(search); BIO_free_all(out); OPENSSL_free(passin); - release_engine(e); return ret; } diff --git a/apps/ts.c b/apps/ts.c index e59bc3b4b4a..3bb9032d8f8 100644 --- a/apps/ts.c +++ b/apps/ts.c 
@@ -46,13 +46,13 @@ static int create_digest(BIO *input, const char *digest, static ASN1_INTEGER *create_nonce(int bits); /* Reply related functions. */ -static int reply_command(CONF *conf, const char *section, const char *engine, +static int reply_command(CONF *conf, const char *section, const char *queryfile, const char *passin, const char *inkey, const EVP_MD *md, const char *signer, const char *chain, const char *policy, const char *in, int token_in, const char *out, int token_out, int text); static TS_RESP *read_PKCS7(BIO *in_bio); -static TS_RESP *create_response(CONF *conf, const char *section, const char *engine, +static TS_RESP *create_response(CONF *conf, const char *section, const char *queryfile, const char *passin, const char *inkey, const EVP_MD *md, const char *signer, const char *chain, const char *policy); @@ -78,7 +78,7 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx); typedef enum OPTION_choice { OPT_COMMON, - OPT_ENGINE, OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA, + OPT_CONFIG, OPT_SECTION, OPT_QUERY, OPT_DATA, OPT_DIGEST, OPT_TSPOLICY, OPT_NO_NONCE, OPT_CERT, OPT_IN, OPT_TOKEN_IN, OPT_OUT, OPT_TOKEN_OUT, OPT_TEXT, OPT_REPLY, OPT_QUERYFILE, OPT_PASSIN, OPT_INKEY, OPT_SIGNER, @@ -91,9 +91,6 @@ const OPTIONS ts_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, {"config", OPT_CONFIG, '<', "Configuration file"}, {"section", OPT_SECTION, 's', "Section to use within config file"}, -#ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, -#endif {"inkey", OPT_INKEY, 's', "File with private key for reply"}, {"signer", OPT_SIGNER, 's', "Signer certificate file"}, {"chain", OPT_CHAIN, '<', "File with signer CA chain"}, 
@@ -143,11 +140,7 @@ static char* opt_helplist[] = {
 " [-signer tsa_cert.pem] [-inkey private_key.pem]",
 " [-chain certs_file.pem] [-tspolicy oid]",
 " [-in file] [-token_in] [-out file] [-token_out]",
-#ifndef OPENSSL_NO_ENGINE
- " [-text] [-engine id]",
-#else
 " [-text]",
-#endif
 "",
 " openssl ts -verify -CApath dir -CAfile root-cert.pem -CAstore uri",
 " -untrusted extra-certs.pem [-data file] [-digest hexstring]",
@@ -160,7 +153,7 @@ int ts_main(int argc, char **argv)
 CONF *conf = NULL;
 const char *CAfile = NULL, *prog;
 char *untrusted = NULL;
- const char *configfile = default_config_file, *engine = NULL;
+ const char *configfile = default_config_file;
 const char *section = NULL, *digestname = NULL;
 char **helpp;
 char *password = NULL;
@@ -276,9 +269,6 @@ int ts_main(int argc, char **argv)
 case OPT_UNTRUSTED:
 untrusted = opt_arg();
 break;
- case OPT_ENGINE:
- engine = opt_arg();
- break;
 case OPT_MD:
 digestname = opt_unknown();
 break;
@@ -331,7 +321,7 @@ int ts_main(int argc, char **argv)
 if ((conf == NULL) || (token_in != 0)) goto opthelp;
 }
- ret = !reply_command(conf, section, engine, queryfile,
+ ret = !reply_command(conf, section, queryfile,
 password, inkey, md, signer, chain, policy, in, token_in, out, token_out, text);
@@ -587,7 +577,7 @@ static ASN1_INTEGER *create_nonce(int bits)
 * Reply-related method definitions.
 */
-static int reply_command(CONF *conf, const char *section, const char *engine,
+static int reply_command(CONF *conf, const char *section,
 const char *queryfile, const char *passin, const char *inkey, const EVP_MD *md, const char *signer, const char *chain, const char *policy, const char *in, int token_in,
@@ -610,7 +600,7 @@ static int reply_command(CONF *conf, const char *section, const char *engine,
 response = d2i_TS_RESP_bio(in_bio, NULL);
 }
 } else {
- response = create_response(conf, section, engine, queryfile,
+ response = create_response(conf, section, queryfile,
 passin, inkey, md, signer, chain, policy);
 if (response != NULL) BIO_printf(bio_err, "Response has been generated.\n");
@@ -695,7 +685,7 @@ static TS_RESP *read_PKCS7(BIO *in_bio)
 return resp;
 }
-static TS_RESP *create_response(CONF *conf, const char *section, const char *engine,
+static TS_RESP *create_response(CONF *conf, const char *section,
 const char *queryfile, const char *passin, const char *inkey, const EVP_MD *md, const char *signer, const char *chain, const char *policy)
@@ -713,10 +703,6 @@ static TS_RESP *create_response(CONF *conf, const char *section, const char *eng
 goto end;
 if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
 goto end;
-#ifndef OPENSSL_NO_ENGINE
- if (!TS_CONF_set_crypto_device(conf, section, engine))
- goto end;
-#endif
 if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
 goto end;
 if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
diff --git a/apps/verify.c b/apps/verify.c
index 93b214281ea..ac2382b924c 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -27,7 +27,7 @@ static int v_verbose = 0, vflags = 0;
 typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_ENGINE, OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
+ OPT_CAPATH, OPT_CAFILE, OPT_CASTORE,
 OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_UNTRUSTED, OPT_TRUSTED, OPT_CRLFILE, OPT_CRL_DOWNLOAD, OPT_SHOW_CHAIN, OPT_V_ENUM, OPT_NAMEOPT, OPT_VFYOPT,
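Review bot: In the `@@ -713` hunk of create_response, dropping the `TS_CONF_set_crypto_device()` call means a `crypto_device` entry in an existing TSA config section (which, as far as I recall, is the key that function honoured) is now ignored with no diagnostic, so an operator who had hardware-backed signing configured only notices if the `signer_key` load fails or by inspecting the responses. Among the visible hunks this is the only removal that affects a config-file directive rather than a command-line option, so it deserves an explicit check rather than silence: look the key up with `NCONF_get_string(conf, section, "crypto_device")` (clearing the error queue when it is absent) and fail with a message saying the directive is no longer supported, so the loss of the hardware device is reported at configuration time. The `openssl ts` manual page should also state that `crypto_device` is no longer honoured. The body of create_response continues outside the hunk.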
@@ -40,9 +40,6 @@ const OPTIONS verify_options[] = {
 OPT_SECTION("General"),
 {"help", OPT_HELP, '-', "Display this summary"},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 {"verbose", OPT_VERBOSE, '-', "Print extra information about the operations being performed."},
 {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
@@ -78,7 +75,6 @@ const OPTIONS verify_options[] = {
 int verify_main(int argc, char **argv)
 {
- ENGINE *e = NULL;
 STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 STACK_OF(X509_CRL) *crls = NULL;
 STACK_OF(OPENSSL_STRING) *vfyopts = NULL;
@@ -165,12 +161,6 @@ int verify_main(int argc, char **argv)
 case OPT_CRL_DOWNLOAD:
 crl_download = 1;
 break;
- case OPT_ENGINE:
- if ((e = setup_engine(opt_arg(), 0)) == NULL) {
- /* Failure message already displayed */
- goto end;
- }
- break;
 case OPT_SHOW_CHAIN:
 show_chain = 1;
 break;
@@ -238,7 +228,6 @@ int verify_main(int argc, char **argv)
 OSSL_STACK_OF_X509_free(trusted);
 sk_X509_CRL_pop_free(crls, X509_CRL_free);
 sk_OPENSSL_STRING_free(vfyopts);
- release_engine(e);
 return (ret < 0 ? 2 : ret);
 }
diff --git a/apps/version.c b/apps/version.c
index 89fb64b70a4..370ded63757 100644
--- a/apps/version.c
+++ b/apps/version.c
@@ -18,7 +18,7 @@ typedef enum OPTION_choice {
 OPT_COMMON,
- OPT_B, OPT_D, OPT_E, OPT_M, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A, OPT_R, OPT_C
+ OPT_B, OPT_D, OPT_M, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A, OPT_R, OPT_C
 #if defined(_WIN32)
 ,OPT_W
 #endif
@@ -32,7 +32,6 @@ const OPTIONS version_options[] = {
 {"a", OPT_A, '-', "Show all data"},
 {"b", OPT_B, '-', "Show build date"},
 {"d", OPT_D, '-', "Show configuration directory"},
- {"e", OPT_E, '-', "Show engines directory"},
 {"m", OPT_M, '-', "Show modules directory"},
 {"f", OPT_F, '-', "Show compiler flags used"},
 {"o", OPT_O, '-', "Show some internal datatype options"},
@@ -50,7 +49,7 @@ int version_main(int argc, char **argv)
 {
 int ret = 1, dirty = 0, seed = 0;
 int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
- int engdir = 0, moddir = 0, cpuinfo = 0;
+ int moddir = 0, cpuinfo = 0;
 #if defined(_WIN32)
 int windows = 0;
 #endif
@@ -75,9 +74,6 @@ opthelp:
 case OPT_D:
 dirty = dir = 1;
 break;
- case OPT_E:
- dirty = engdir = 1;
- break;
 case OPT_M:
 dirty = moddir = 1;
 break;
@@ -106,7 +102,7 @@ opthelp:
 #endif
 case OPT_A:
 seed = options = cflags = version = date = platform
- = dir = engdir = moddir = cpuinfo
+ = dir = moddir = cpuinfo
 = 1;
 break;
 }
@@ -135,8 +131,6 @@ opthelp:
 printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
 if (dir)
 printf("%s\n", OpenSSL_version(OPENSSL_DIR));
- if (engdir)
- printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
 if (moddir)
 printf("%s\n", OpenSSL_version(OPENSSL_MODULES_DIR));
 if (seed) {
diff --git a/apps/x509.c b/apps/x509.c
index d8c8dc9ae6c..caa74267804 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -53,7 +53,7 @@ typedef enum OPTION_choice {
 OPT_CHECKEMAIL, OPT_CHECKIP, OPT_NOOUT, OPT_TRUSTOUT, OPT_CLRTRUST, OPT_CLRREJECT, OPT_ALIAS, OPT_CACREATESERIAL, OPT_CLREXT, OPT_OCSPID, OPT_SUBJECT_HASH_OLD, OPT_ISSUER_HASH_OLD, OPT_COPY_EXTENSIONS,
- OPT_BADSIG, OPT_MD, OPT_ENGINE, OPT_NOCERT, OPT_PRESERVE_DATES,
+ OPT_BADSIG, OPT_MD, OPT_NOCERT, OPT_PRESERVE_DATES,
 OPT_NOT_BEFORE, OPT_NOT_AFTER, OPT_R_ENUM, OPT_PROV_ENUM, OPT_EXT
 } OPTION_CHOICE;
@@ -183,9 +183,6 @@ const OPTIONS x509_options[] = {
 "Reject certificate for a given purpose"},
 OPT_R_OPTIONS,
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
 OPT_PROV_OPTIONS,
 {NULL}
 };
@@ -303,7 +300,6 @@ int x509_main(int argc, char **argv)
 unsigned long certflag = 0;
 int preserve_dates = 0;
 OPTION_CHOICE o;
- ENGINE *e = NULL;
 #ifndef OPENSSL_NO_MD5
 int subject_hash_old = 0, issuer_hash_old = 0;
 #endif
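Review bot: The `@@ -135` hunk of version_main changes the observable output of `openssl version -a` (one line fewer, the engines directory) and the `@@ -18`/`@@ -32` hunks make `-e` an unknown option, yet nothing in the visible hunks updates the command's manual page or adds a CHANGES entry; unless that lands in a separate commit the documentation will keep advertising `-e`. Scripts that parse `-a` output positionally will also break, which is worth a release-note line so operators can tell an intentional removal from a packaging problem. If the `OPENSSL_ENGINES_DIR` query is being kept in the library for ABI reasons, a short comment near the `if (moddir)` line recording that the app deliberately no longer reports it would save the next reader from re-adding it. version_main continues outside these hunks.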
@@ -483,9 +479,6 @@ int x509_main(int argc, char **argv)
 if (!set_nameopt(opt_arg()))
 goto opthelp;
 break;
- case OPT_ENGINE:
- e = setup_engine(opt_arg(), 0);
- break;
 case OPT_EMAIL:
 email = ++num;
 break;
@@ -663,12 +656,12 @@ int x509_main(int argc, char **argv)
 goto err;
 }
 if (privkeyfile != NULL) {
- privkey = load_key(privkeyfile, keyformat, 0, passin, e, "private key");
+ privkey = load_key(privkeyfile, keyformat, 0, passin, "private key");
 if (privkey == NULL)
 goto err;
 }
 if (pubkeyfile != NULL) {
- if ((pubkey = load_pubkey(pubkeyfile, keyformat, 0, NULL, e,
+ if ((pubkey = load_pubkey(pubkeyfile, keyformat, 0, NULL,
 "explicitly set public key")) == NULL)
 goto err;
 }
@@ -956,7 +949,7 @@ int x509_main(int argc, char **argv)
 noout = 1;
 } else if (CAfile != NULL) {
 if ((CAkey = load_key(CAkeyfile, CAkeyformat,
- 0, passin, e, "CA private key")) == NULL)
+ 0, passin, "CA private key")) == NULL)
 goto err;
 if (!X509_check_private_key(xca, CAkey)) {
 BIO_printf(bio_err,
@@ -1172,7 +1165,6 @@ int x509_main(int argc, char **argv)
 ASN1_INTEGER_free(sno);
 sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
 sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
- release_engine(e);
 clear_free(passin);
 return ret;
 }
diff --git a/test/build.info b/test/build.info
index 99440984637..0f1f0898245 100644
--- a/test/build.info
+++ b/test/build.info
@@ -822,7 +822,7 @@ IF[{- !$disabled{tests} -}]
 DEPEND[cmp_client_test]=../libcrypto.a libtestutil.a
 SOURCE[ca_internals_test]=ca_internals_test.c ../apps/ca.c ../apps/lib/apps.c \
- ../apps/lib/app_rand.c ../apps/lib/engine.c ../apps/lib/app_provider.c \
+ ../apps/lib/app_rand.c ../apps/lib/app_provider.c \
 ../apps/lib/app_libctx.c ../apps/lib/fmt.c ../apps/lib/apps_ui.c \
 ../apps/lib/app_x509.c ../crypto/asn1/a_time.c ../crypto/ctype.c
 INCLUDE[ca_internals_test]=.. ../include ../apps/include