From: Petr Menšík
Date: Thu, 8 Sep 2022 14:33:38 +0000 (+0200)
Subject: Remove engine related parts for OpenSSL 3.0
X-Git-Tag: v9.19.6~41^2~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6c55ea17c6c5e78454586fd9507021f882716403;p=thirdparty%2Fbind9.git

Remove engine related parts for OpenSSL 3.0

OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM builders. But it can be built in legacy mode, where deprecated but still working API would be used. It can work under OpenSSL 3.0, but only if using legacy code paths matching OpenSSL 1.1 calls and functions.

Remove fromlabel processing by OpenSSL 3.0 only functions. They can return later with a proper provider support for pkcs11.
---

diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 04f0d80b5e6..f04f076e421 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 isc_result_t ret = ISC_R_SUCCESS;
 ENGINE *e;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 EC_KEY *eckey = NULL;
 EC_KEY *pubeckey = NULL;
 int group_nid;
-#else
- size_t len;
- const char *curve_name, *nist_curve_name;
- char buf[128]; /* Sufficient for all of the supported curves' names. */
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 EVP_PKEY *pkey = NULL;
 EVP_PKEY *pubpkey = NULL;
 
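Review bot: Nothing on the new side records why opensslecdsa_fromlabel stays on the EC_KEY/ENGINE API, so once the `OPENSSL_VERSION_NUMBER` branches are gone the only gate left is the outer `#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000` on the first context line, and a reader building against OpenSSL 3.x sees deprecated calls with no hint that the OSSL_PARAM path was removed deliberately. A comment above the `EC_KEY *eckey = NULL;` declaration would keep that intent with the code, e.g. `/* Engine-loaded keys are inspected via the deprecated EC_KEY API on purpose: ENGINE_* and OSSL_PARAM cannot be mixed on OpenSSL 3.0, so this path is compiled only with OPENSSL_API_LEVEL < 30000. */`. The declaration hunk of opensslrsa_fromlabel in opensslrsa_link.c (`@@ -1442,12 +1431,8 @@`) would benefit from the same note next to `RSA *rsa = NULL, *pubrsa = NULL;`. opensslecdsa_fromlabel begins before this hunk and continues past it.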
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 DST_RET(DST_R_NOENGINE);
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 if (key->key_alg == DST_ALG_ECDSA256) {
 group_nid = NID_X9_62_prime256v1;
 } else {
 group_nid = NID_secp384r1;
 }
-#else
- /* Get the expected curve names */
- if (key->key_alg == DST_ALG_ECDSA256) {
- curve_name = "prime256v1";
- nist_curve_name = "P-256";
- } else {
- curve_name = "secp384r1";
- nist_curve_name = "P-384";
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 /* Load private key. */
 pkey = ENGINE_load_private_key(e, label, NULL, NULL);
@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
 DST_RET(DST_R_INVALIDPRIVATEKEY);
 }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 eckey = EVP_PKEY_get1_EC_KEY(pkey);
 if (eckey == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
 DST_RET(DST_R_INVALIDPRIVATEKEY);
 }
-#else
- len = 0;
- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
- buf, sizeof buf, &len) != 1 ||
- len == 0 || len >= sizeof buf)
- {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
- {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 /* Load public key. */
 pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
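Review bot: At the top of the `@@ -1371,20 +1353,6 @@` hunk the result of `EC_KEY_get0_group(eckey)` goes straight into `EC_GROUP_get_curve_name`, and with the name-based check removed this NID comparison is now the only curve validation, so an EC_KEY that the engine hands back without group parameters would be dereferenced rather than rejected (as far as I can tell `EC_GROUP_get_curve_name` does not accept a NULL group). A guard of the form `const EC_GROUP *group = EC_KEY_get0_group(eckey); if (group == NULL || EC_GROUP_get_curve_name(group) != group_nid) { DST_RET(DST_R_INVALIDPRIVATEKEY); }` keeps a misbehaving engine from turning into a crash in the key-loading path. The public-key comparison on `pubeckey` in the `@@ -1404,30 +1371,10 @@` hunk has the same shape and would take the same guard with `DST_R_INVALIDPUBLICKEY`. opensslecdsa_fromlabel begins before this hunk and continues past it.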
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
 DST_RET(DST_R_INVALIDPUBLICKEY);
 }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
 if (pubeckey == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
 DST_RET(DST_R_INVALIDPUBLICKEY);
 }
-#else
- len = 0;
- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
- buf, sizeof buf, &len) != 1 ||
- len == 0 || len >= sizeof buf)
- {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
- {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
 DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 }
-#else
- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 key->label = isc_mem_strdup(key->mctx, label);
 key->engine = isc_mem_strdup(key->mctx, engine);
@@ -1442,14 +1389,12 @@ err:
 if (pkey != NULL) {
 EVP_PKEY_free(pkey);
 }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 if (pubeckey != NULL) {
 EC_KEY_free(pubeckey);
 }
 if (eckey != NULL) {
 EC_KEY_free(eckey);
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 return (ret);
 #else
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 50d0d6325f4..4d8c29ea899 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1172,7 +1172,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 key->engine = isc_mem_strdup(key->mctx, engine);
 key->label = isc_mem_strdup(key->mctx, label);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 rsa = EVP_PKEY_get1_RSA(pkey);
 if (rsa == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1181,16 +1180,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 }
 RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
- ISC_R_SUCCESS) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
- 1) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 if (ex == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@@ -1442,12 +1431,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 ENGINE *e = NULL;
 isc_result_t ret = ISC_R_SUCCESS;
 EVP_PKEY *pkey = NULL, *pubpkey = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 RSA *rsa = NULL, *pubrsa = NULL;
 const BIGNUM *ex = NULL;
-#else
- BIGNUM *ex = NULL;
-#endif
 
 UNUSED(pin);
 
@@ -1464,12 +1449,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
 DST_R_OPENSSLFAILURE));
 }
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 pubrsa = EVP_PKEY_get1_RSA(pubpkey);
 if (pubrsa == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 pkey = ENGINE_load_private_key(e, label, NULL, NULL);
 if (pkey == NULL) {
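Review bot: In the `@@ -1181,16 +1180,6 @@` hunk of opensslrsa_parse the legacy path now obtains `ex` only through `RSA_get0_key(rsa, NULL, &ex, NULL)`, which yields a borrowed `const BIGNUM *`, but the declaration of `ex` and the function's cleanup label are outside these hunks. If they still carry the `OPENSSL_VERSION_NUMBER < 0x30000000L` / `BIGNUM *ex` split that opensslrsa_fromlabel drops in `@@ -1442,12 +1431,8 @@` and `@@ -1510,18 +1484,12 @@`, an OpenSSL 3.x build would be left with a non-const `ex` and a leftover `BN_free(ex)` on a pointer it does not own, so it is worth confirming they were made unconditional in the same way as the fromlabel change. opensslrsa_parse begins before this hunk and continues past it.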
@@ -1480,7 +1463,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 key->engine = isc_mem_strdup(key->mctx, engine);
 key->label = isc_mem_strdup(key->mctx, label);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 rsa = EVP_PKEY_get1_RSA(pkey);
 if (rsa == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1489,14 +1471,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 }
 RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 if (ex == NULL) {
 DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@@ -1510,18 +1484,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 pkey = NULL;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 if (rsa != NULL) {
 RSA_free(rsa);
 }
 if (pubrsa != NULL) {
 RSA_free(pubrsa);
 }
-#else
- if (ex != NULL) {
- BN_free(ex);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 if (pkey != NULL) {
 EVP_PKEY_free(pkey);
 }