Fix keyfromlabel to not use engine parameter for provider keys

- Rework key checks to not require 'engine' tag, private key
  is valid with 'label' tag alone

- Fix _fromlabel() functions to work with engine == NULL

- Update dst__openssl_fromlabel_engine() to do provider lookup
  only when engine is not set

diff --git a/CHANGES b/CHANGES
index ace5d58b93c77fc362a108af073d66b5d9c89d39..9bdd9a777608360193cdf4cbef2e94cd96cd073e 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6223.  [func]          Make -E engine option for OpenSSL Engine API use only.
+                       OpenSSL Provider API will now require engine to not be
+                       set. [GL #8153]
+
 6222.  [func]          Fixes to provider/engine based ECDSA key handling. [GL !8152]
 
 6221.  [cleanup]       Refactor dns_rdataset internals, move rdatasetheader

diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 375c1bcf8f8209729ece5ee2f304db472713b92b..499887924856ed7240e030aaf7ba80ec371c688f 100644 (file)
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -189,10 +189,9 @@ check_rsa(const dst_private_t *priv, bool external) {
 
        mask = (1ULL << TAG_SHIFT) - 1;
 
-       if (have[TAG_RSA_ENGINE & mask]) {
+       if (have[TAG_RSA_LABEL & mask]) {
                ok = have[TAG_RSA_MODULUS & mask] &&
-                    have[TAG_RSA_PUBLICEXPONENT & mask] &&
-                    have[TAG_RSA_LABEL & mask];
+                    have[TAG_RSA_PUBLICEXPONENT & mask];
        } else {
                ok = have[TAG_RSA_MODULUS & mask] &&
                     have[TAG_RSA_PUBLICEXPONENT & mask] &&
@@ -234,11 +233,9 @@ check_ecdsa(const dst_private_t *priv, bool external) {
 
        mask = (1ULL << TAG_SHIFT) - 1;
 
-       if (have[TAG_ECDSA_ENGINE & mask]) {
-               ok = have[TAG_ECDSA_LABEL & mask];
-       } else {
-               ok = have[TAG_ECDSA_PRIVATEKEY & mask];
-       }
+       ok = have[TAG_ECDSA_LABEL & mask] ||
+            have[TAG_ECDSA_PRIVATEKEY & mask];
+
        return (ok ? 0 : -1);
 }
 
@@ -270,11 +267,9 @@ check_eddsa(const dst_private_t *priv, bool external) {
 
        mask = (1ULL << TAG_SHIFT) - 1;
 
-       if (have[TAG_EDDSA_ENGINE & mask]) {
-               ok = have[TAG_EDDSA_LABEL & mask];
-       } else {
-               ok = have[TAG_EDDSA_PRIVATEKEY & mask];
-       }
+       ok = have[TAG_EDDSA_LABEL & mask] ||
+            have[TAG_EDDSA_PRIVATEKEY & mask];
+
        return (ok ? 0 : -1);
 }
 

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 3e624d57105ce8ec70a694d9083c372ec695039a..2aef28b930551239f3aa2cfdd52626e5d3f4c70e 100644 (file)
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -81,32 +81,28 @@ enable_fips_mode(void) {
 
 isc_result_t
 dst__openssl_init(const char *engine) {
-       isc_result_t result = ISC_R_SUCCESS;
-
        enable_fips_mode();
 
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
        if (engine != NULL && *engine == '\0') {
                engine = NULL;
        }
 
-       if (engine != NULL) {
-               global_engine = ENGINE_by_id(engine);
-               if (global_engine == NULL) {
-                       result = DST_R_NOENGINE;
-                       goto cleanup_rm;
-               }
-               if (!ENGINE_init(global_engine)) {
-                       result = DST_R_NOENGINE;
-                       goto cleanup_rm;
-               }
-               /* This will init the engine. */
-               if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
-                       result = DST_R_NOENGINE;
-                       goto cleanup_init;
-               }
+       if (engine == NULL) {
+               return (ISC_R_SUCCESS);
        }
 
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+       global_engine = ENGINE_by_id(engine);
+       if (global_engine == NULL) {
+               goto cleanup_rm;
+       }
+       if (!ENGINE_init(global_engine)) {
+               goto cleanup_rm;
+       }
+       /* This will init the engine. */
+       if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
+               goto cleanup_init;
+       }
        return (ISC_R_SUCCESS);
 cleanup_init:
        ENGINE_finish(global_engine);
@@ -115,10 +111,8 @@ cleanup_rm:
                ENGINE_free(global_engine);
        }
        global_engine = NULL;
-#else
-       UNUSED(engine);
 #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
-       return (result);
+       return (DST_R_NOENGINE);
 }
 
 void
@@ -242,9 +236,6 @@ dst__openssl_fromlabel_engine(int key_base_id, const char *engine,
 
        UNUSED(pin);
 
-       if (engine == NULL) {
-               DST_RET(DST_R_NOENGINE);
-       }
        e = dst__openssl_getengine(engine);
        if (e == NULL) {
                DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
@@ -281,15 +272,13 @@ err:
 }
 
 static isc_result_t
-dst__openssl_fromlabel_provider(int key_base_id, const char *engine,
-                               const char *label, const char *pin,
+dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin,
                                EVP_PKEY **ppub, EVP_PKEY **ppriv) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
        isc_result_t ret = DST_R_OPENSSLFAILURE;
        OSSL_STORE_CTX *ctx = NULL;
 
        UNUSED(pin);
-       UNUSED(engine);
 
        ctx = OSSL_STORE_open(label, NULL, NULL, NULL, NULL);
        if (!ctx) {
@@ -335,7 +324,6 @@ err:
        return (ret);
 #else
        UNUSED(key_base_id);
-       UNUSED(engine);
        UNUSED(label);
        UNUSED(pin);
        UNUSED(ppub);
@@ -347,12 +335,9 @@ err:
 isc_result_t
 dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
                       const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {
-       isc_result_t result;
-
-       result = dst__openssl_fromlabel_provider(key_base_id, engine, label,
-                                                pin, ppub, ppriv);
-       if (result != DST_R_OPENSSLFAILURE) {
-               return (result);
+       if (engine == NULL) {
+               return (dst__openssl_fromlabel_provider(key_base_id, label,
+                                                       pin, ppub, ppriv));
        }
 
        return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin,

diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index f87b36dbe2acf9df9437add0e736f9e478347421..f133fe64e828ce1e4ca6ec73df68615f591a3fb1 100644 (file)
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -997,7 +997,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
                goto err;
        }
 
-       key->engine = isc_mem_strdup(key->mctx, engine);
+       if (engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+       }
        key->label = isc_mem_strdup(key->mctx, label);
        key->key_size = EVP_PKEY_bits(privpkey);
        key->keydata.pkeypair.priv = privpkey;

diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index 142aa1623aac42d4faae9c94bece3c1ba5080685..f6d1fa3a140060945f24c550d09cd71f04d75f02 100644 (file)
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
@@ -527,7 +527,9 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
                goto err;
        }
 
-       key->engine = isc_mem_strdup(key->mctx, engine);
+       if (key->engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+       }
        key->label = isc_mem_strdup(key->mctx, label);
        key->key_size = EVP_PKEY_bits(privpkey);
        key->keydata.pkeypair.priv = privpkey;

diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index cb815b73cc3b93b58fb739255164aa84b5f3efe5..54ab04dcf7036154c4dfc69b69da6d05e6ecfb67 100644 (file)
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1051,7 +1051,9 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
                DST_RET(ISC_R_RANGE);
        }
 
-       key->engine = isc_mem_strdup(key->mctx, engine);
+       if (key->engine != NULL) {
+               key->engine = isc_mem_strdup(key->mctx, engine);
+       }
        key->label = isc_mem_strdup(key->mctx, label);
        key->key_size = EVP_PKEY_bits(privpkey);
        key->keydata.pkeypair.priv = privpkey;