From: Yu Watanabe
Date: Tue, 30 Jun 2026 08:00:27 +0000 (+0900)
Subject: resolved: migrate RSA key construction to OpenSSL 3 EVP API
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cd3c0859b23f5b64e7f42d7bd68ae4195daf9784;p=thirdparty%2Fsystemd.git
resolved: migrate RSA key construction to OpenSSL 3 EVP API
OpenSSL 3.0 deprecated low-level key manipulation functions and direct access to RSA structures (such as RSA_new(), RSA_set0_key(), and RSA_size()). This commit modernizes dnssec_rsa_verify_raw() by replacing these deprecated functions with the provider-aware EVP API:
* Uses OSSL_PARAM_BLD and EVP_PKEY_fromdata() to construct the RSA public key directly from the modulus and exponent BIGNUMs.
* Replaces RSA_size() with EVP_PKEY_get_size().
Consequently, the workaround macros suppressing deprecated warnings (DISABLE_WARNING_DEPRECATED_DECLARATIONS) and the conditional fallback blocks (#if !defined(OPENSSL_NO_DEPRECATED_3_0)) are no longer needed and have been dropped. Unit tests are also updated to run unconditionally.
---
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
index 7d071052508..b9afdac9ffd 100644
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -80,8 +80,6 @@ int dnssec_rsa_verify_raw(
 const struct iovec *exponent,
 const struct iovec *modulus) {
-#if !defined(OPENSSL_NO_DEPRECATED_3_0)
- DISABLE_WARNING_DEPRECATED_DECLARATIONS;
 int r;
 assert(hash_algorithm);
@@ -98,23 +96,33 @@ int dnssec_rsa_verify_raw(
 if (!m)
 return log_openssl_errors(LOG_DEBUG, "Failed to convert RSA modulus to BIGNUM");
- _cleanup_(RSA_freep) RSA *rpubkey = sym_RSA_new();
- if (!rpubkey)
+ _cleanup_(OSSL_PARAM_BLD_freep) OSSL_PARAM_BLD *bld = sym_OSSL_PARAM_BLD_new();
+ if (!bld)
 return -ENOMEM;
- if (sym_RSA_set0_key(rpubkey, m, e, NULL) <= 0)
- return log_openssl_errors(LOG_DEBUG, "Failed to set RSA public key");
- e = m = NULL;
+ if (sym_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_E, e) <= 0)
+ return log_openssl_errors(LOG_DEBUG, "Failed to push RSA exponent to OSSL_PARAM_BLD");
- if ((size_t) sym_RSA_size(rpubkey) != signature->iov_len)
- return -EINVAL;
+ if (sym_OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_RSA_N, m) <= 0)
+ return log_openssl_errors(LOG_DEBUG, "Failed to push RSA modulus to OSSL_PARAM_BLD");
- _cleanup_(EVP_PKEY_freep) EVP_PKEY *epubkey = sym_EVP_PKEY_new();
- if (!epubkey)
+ _cleanup_(OSSL_PARAM_freep) OSSL_PARAM *params = sym_OSSL_PARAM_BLD_to_param(bld);
+ if (!params)
+ return log_openssl_errors(LOG_DEBUG, "Failed to generate OSSL param");
+
+ _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *kctx = sym_EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
+ if (!kctx)
 return -ENOMEM;
- if (sym_EVP_PKEY_assign_RSA(epubkey, sym_RSAPublicKey_dup(rpubkey)) <= 0)
- return log_openssl_errors(LOG_DEBUG, "Failed to assign RSA public key");
+ if (sym_EVP_PKEY_fromdata_init(kctx) <= 0)
+ return log_openssl_errors(LOG_DEBUG, "Failed to initialize key creation");
+
+ _cleanup_(EVP_PKEY_freep) EVP_PKEY *epubkey = NULL;
+ if (sym_EVP_PKEY_fromdata(kctx, &epubkey, EVP_PKEY_PUBLIC_KEY, params) <= 0)
+ return log_openssl_errors(LOG_DEBUG, "Failed to load RSA public key from raw data");
+
+ if ((size_t) sym_EVP_PKEY_get_size(epubkey) != signature->iov_len)
+ return -EINVAL;
 _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = sym_EVP_PKEY_CTX_new(epubkey, NULL);
 if (!ctx)
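Review bot: `sym_EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL)` in the new key-construction block still selects the key type through the legacy NID path, while the provider-aware form the commit message aims for is `EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL)`; the NID call works with the default provider, so this is a point of style, and switching it would need a matching `sym_` wrapper if the dlopen table (outside this diff) does not already carry it. Dropping `e = m = NULL;` is correct because `OSSL_PARAM_BLD_push_BN()` does not take ownership, but it also means the two BIGNUMs, declared above the hunk, must stay alive until `sym_OSSL_PARAM_BLD_to_param(bld)` has copied their values into `params`; a one-line comment at the first push, `/* push_BN() only references e and m; they remain owned by our cleanup handlers and must outlive OSSL_PARAM_BLD_to_param() */`, would keep a later refactor from releasing them early. As far as I can tell `EVP_PKEY_fromdata()` with `EVP_PKEY_PUBLIC_KEY` does not validate the imported modulus or exponent, so the `EVP_PKEY_get_size()` comparison against `signature->iov_len` remains the only sanity gate before verification, exactly as `RSA_size()` was before. The new `sym_OSSL_PARAM_BLD_*`, `sym_EVP_PKEY_fromdata*` and `sym_EVP_PKEY_get_size` symbols and the `OSSL_PARAM_BLD_freep`/`OSSL_PARAM_freep` cleanup helpers are not added by this diff, so presumably they already exist in the OpenSSL wrapper. `dnssec_rsa_verify_raw()` begins and ends outside this hunk.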
@@ -133,11 +141,7 @@ int dnssec_rsa_verify_raw(
 if (r < 0)
 return log_openssl_errors(LOG_DEBUG, "Signature verification failed");
- REENABLE_WARNING;
 return r;
-#else
- return -EOPNOTSUPP;
-#endif
 }
 static int dnssec_rsa_verify(
diff --git a/src/resolve/test-dnssec-crypto.c b/src/resolve/test-dnssec-crypto.c
index c8b91bb1bac..034320b348d 100644
--- a/src/resolve/test-dnssec-crypto.c
+++ b/src/resolve/test-dnssec-crypto.c
@@ -197,7 +197,6 @@ TEST(generate_rsa_test_vectors) {
 -expected);
 TEST(dnssec_rsa_verify_raw) {
-#if !defined(OPENSSL_NO_DEPRECATED_3_0)
 uint8_t *p;
 TEST_RSA_VERIFY(test_signature, test_digest, test_exponent, test_modulus, 1);
@@ -245,9 +244,6 @@ TEST(dnssec_rsa_verify_raw) {
 p[bad_modulus.iov_len - 1] ^= 0x01;
 bad_modulus.iov_len -= 1;
 TEST_RSA_VERIFY(test_signature, test_digest, test_exponent, bad_modulus, -EINVAL);
-#else
- TEST_RSA_VERIFY(test_signature, test_digest, test_exponent, test_modulus, -EOPNOTSUPP);
-#endif
 }
 static int intro(void) {