Return engine implementation but use legacy OpenSSL
Engine interface were deprecated in OpenSSL and therefore removed from normal compilation. But it is possible to compile on OpenSSL with compat define. That disables deprecation warnings and use functions same as for OpenSSL 1.1. That is required to keep working engine pkcs11 support. Otherwise loading keys via ENGINE_load_private_key would always fail. Resolves: rhbz:#2122010
This commit is contained in:
parent
9ef018d129
commit
a912dbe98b
1554
bind-9.18-pkcs11-engine-compat-api.patch
Normal file
1554
bind-9.18-pkcs11-engine-compat-api.patch
Normal file
File diff suppressed because it is too large
Load Diff
48
bind-9.18-pkcs11-engine-init.patch
Normal file
48
bind-9.18-pkcs11-engine-init.patch
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
From 87a2eac7a8264a0e8d64a8db85d44ec22454e256 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Wed, 7 Sep 2022 13:46:31 +0200
|
||||||
|
Subject: [PATCH 1/3] Add ENGINE_init and ENGINE_finish calls
|
||||||
|
|
||||||
|
According to manual page of ENGINE_init, it should be called explicitly
|
||||||
|
before any key operations happens. Make it active whole lifetime.
|
||||||
|
---
|
||||||
|
lib/dns/openssl_link.c | 9 ++++++++-
|
||||||
|
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
|
||||||
|
index 333f34cb37..a3f63885fa 100644
|
||||||
|
--- a/lib/dns/openssl_link.c
|
||||||
|
+++ b/lib/dns/openssl_link.c
|
||||||
|
@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
|
||||||
|
result = DST_R_NOENGINE;
|
||||||
|
goto cleanup_rm;
|
||||||
|
}
|
||||||
|
+ if (!ENGINE_init(e)) {
|
||||||
|
+ result = DST_R_NOENGINE;
|
||||||
|
+ goto cleanup_rm;
|
||||||
|
+ }
|
||||||
|
/* This will init the engine. */
|
||||||
|
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
|
||||||
|
result = DST_R_NOENGINE;
|
||||||
|
- goto cleanup_rm;
|
||||||
|
+ goto cleanup_init;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return (ISC_R_SUCCESS);
|
||||||
|
+cleanup_init:
|
||||||
|
+ ENGINE_finish(e);
|
||||||
|
cleanup_rm:
|
||||||
|
if (e != NULL) {
|
||||||
|
ENGINE_free(e);
|
||||||
|
@@ -108,6 +114,7 @@ void
|
||||||
|
dst__openssl_destroy(void) {
|
||||||
|
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||||
|
if (e != NULL) {
|
||||||
|
+ ENGINE_finish(e);
|
||||||
|
ENGINE_free(e);
|
||||||
|
}
|
||||||
|
e = NULL;
|
||||||
|
--
|
||||||
|
2.37.2
|
||||||
|
|
245
bind-9.18-pkcs11-engine-remove-deadcode.patch
Normal file
245
bind-9.18-pkcs11-engine-remove-deadcode.patch
Normal file
@ -0,0 +1,245 @@
|
|||||||
|
From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
||||||
|
Date: Thu, 8 Sep 2022 16:33:38 +0200
|
||||||
|
Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
|
||||||
|
|
||||||
|
OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
|
||||||
|
builders. But it can be built in legacy mode, where deprecated but still
|
||||||
|
working API would be used.
|
||||||
|
|
||||||
|
It can work under OpenSSL 3.0, but only if using legacy code paths
|
||||||
|
matching OpenSSL 1.1 calls and functions.
|
||||||
|
|
||||||
|
Remove fromlabel processing by OpenSSL 3.0 only functions. They can
|
||||||
|
return later with a proper provider support for pkcs11.
|
||||||
|
---
|
||||||
|
lib/dns/opensslecdsa_link.c | 55 -------------------------------------
|
||||||
|
lib/dns/opensslrsa_link.c | 32 ---------------------
|
||||||
|
2 files changed, 87 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
||||||
|
index 04f0d80b5e..f04f076e42 100644
|
||||||
|
--- a/lib/dns/opensslecdsa_link.c
|
||||||
|
+++ b/lib/dns/opensslecdsa_link.c
|
||||||
|
@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||||
|
isc_result_t ret = ISC_R_SUCCESS;
|
||||||
|
ENGINE *e;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
EC_KEY *eckey = NULL;
|
||||||
|
EC_KEY *pubeckey = NULL;
|
||||||
|
int group_nid;
|
||||||
|
-#else
|
||||||
|
- size_t len;
|
||||||
|
- const char *curve_name, *nist_curve_name;
|
||||||
|
- char buf[128]; /* Sufficient for all of the supported curves' names. */
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
EVP_PKEY *pkey = NULL;
|
||||||
|
EVP_PKEY *pubpkey = NULL;
|
||||||
|
|
||||||
|
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
DST_RET(DST_R_NOENGINE);
|
||||||
|
}
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||||
|
group_nid = NID_X9_62_prime256v1;
|
||||||
|
} else {
|
||||||
|
group_nid = NID_secp384r1;
|
||||||
|
}
|
||||||
|
-#else
|
||||||
|
- /* Get the expected curve names */
|
||||||
|
- if (key->key_alg == DST_ALG_ECDSA256) {
|
||||||
|
- curve_name = "prime256v1";
|
||||||
|
- nist_curve_name = "P-256";
|
||||||
|
- } else {
|
||||||
|
- curve_name = "secp384r1";
|
||||||
|
- nist_curve_name = "P-384";
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
/* Load private key. */
|
||||||
|
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||||
|
@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
|
||||||
|
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||||
|
}
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||||
|
if (eckey == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
|
@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
|
||||||
|
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||||
|
}
|
||||||
|
-#else
|
||||||
|
- len = 0;
|
||||||
|
- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||||
|
- buf, sizeof buf, &len) != 1 ||
|
||||||
|
- len == 0 || len >= sizeof buf)
|
||||||
|
- {
|
||||||
|
- DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||||
|
- }
|
||||||
|
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
||||||
|
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
||||||
|
- {
|
||||||
|
- DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
/* Load public key. */
|
||||||
|
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
|
||||||
|
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
|
||||||
|
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||||
|
}
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
|
||||||
|
if (pubeckey == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
|
@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
|
||||||
|
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||||
|
}
|
||||||
|
-#else
|
||||||
|
- len = 0;
|
||||||
|
- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||||
|
- buf, sizeof buf, &len) != 1 ||
|
||||||
|
- len == 0 || len >= sizeof buf)
|
||||||
|
- {
|
||||||
|
- DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||||
|
- }
|
||||||
|
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
||||||
|
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
||||||
|
- {
|
||||||
|
- DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
}
|
||||||
|
-#else
|
||||||
|
- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
|
||||||
|
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
key->label = isc_mem_strdup(key->mctx, label);
|
||||||
|
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||||
|
@@ -1442,14 +1389,12 @@ err:
|
||||||
|
if (pkey != NULL) {
|
||||||
|
EVP_PKEY_free(pkey);
|
||||||
|
}
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
if (pubeckey != NULL) {
|
||||||
|
EC_KEY_free(pubeckey);
|
||||||
|
}
|
||||||
|
if (eckey != NULL) {
|
||||||
|
EC_KEY_free(eckey);
|
||||||
|
}
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
return (ret);
|
||||||
|
#else
|
||||||
|
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
|
||||||
|
index 867b486a2f..cf350610ba 100644
|
||||||
|
--- a/lib/dns/opensslrsa_link.c
|
||||||
|
+++ b/lib/dns/opensslrsa_link.c
|
||||||
|
@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||||
|
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||||
|
key->label = isc_mem_strdup(key->mctx, label);
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||||
|
if (rsa == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
|
@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
}
|
||||||
|
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||||
|
-#else
|
||||||
|
- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
|
||||||
|
- ISC_R_SUCCESS) {
|
||||||
|
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
- }
|
||||||
|
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
|
||||||
|
- 1) {
|
||||||
|
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
if (ex == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
ENGINE *e = NULL;
|
||||||
|
isc_result_t ret = ISC_R_SUCCESS;
|
||||||
|
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
RSA *rsa = NULL, *pubrsa = NULL;
|
||||||
|
const BIGNUM *ex = NULL;
|
||||||
|
-#else
|
||||||
|
- BIGNUM *ex = NULL;
|
||||||
|
-#endif
|
||||||
|
|
||||||
|
UNUSED(pin);
|
||||||
|
|
||||||
|
@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
|
||||||
|
DST_R_OPENSSLFAILURE));
|
||||||
|
}
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
pubrsa = EVP_PKEY_get1_RSA(pubpkey);
|
||||||
|
if (pubrsa == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
|
}
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||||
|
if (pkey == NULL) {
|
||||||
|
@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||||
|
key->label = isc_mem_strdup(key->mctx, label);
|
||||||
|
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||||
|
if (rsa == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||||
|
@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
}
|
||||||
|
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||||
|
-#else
|
||||||
|
- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
|
||||||
|
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
- }
|
||||||
|
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
|
||||||
|
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
|
||||||
|
if (ex == NULL) {
|
||||||
|
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||||
|
@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||||
|
pkey = NULL;
|
||||||
|
|
||||||
|
err:
|
||||||
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||||
|
if (rsa != NULL) {
|
||||||
|
RSA_free(rsa);
|
||||||
|
}
|
||||||
|
if (pubrsa != NULL) {
|
||||||
|
RSA_free(pubrsa);
|
||||||
|
}
|
||||||
|
-#else
|
||||||
|
- if (ex != NULL) {
|
||||||
|
- BN_free(ex);
|
||||||
|
- }
|
||||||
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||||
|
if (pkey != NULL) {
|
||||||
|
EVP_PKEY_free(pkey);
|
||||||
|
}
|
||||||
|
--
|
||||||
|
2.37.2
|
||||||
|
|
14
bind.spec
14
bind.spec
@ -61,7 +61,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
|
|||||||
Name: bind
|
Name: bind
|
||||||
License: MPLv2.0
|
License: MPLv2.0
|
||||||
Version: 9.18.6
|
Version: 9.18.6
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
Epoch: 32
|
Epoch: 32
|
||||||
Url: https://www.isc.org/downloads/bind/
|
Url: https://www.isc.org/downloads/bind/
|
||||||
#
|
#
|
||||||
@ -97,6 +97,11 @@ Source49: named-chroot.files
|
|||||||
Patch10: bind-9.5-PIE.patch
|
Patch10: bind-9.5-PIE.patch
|
||||||
Patch16: bind-9.16-redhat_doc.patch
|
Patch16: bind-9.16-redhat_doc.patch
|
||||||
Patch22: bind-9.11-fips-tests.patch
|
Patch22: bind-9.11-fips-tests.patch
|
||||||
|
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/5385
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=2122841
|
||||||
|
Patch23: bind-9.18-pkcs11-engine-init.patch
|
||||||
|
Patch24: bind-9.18-pkcs11-engine-compat-api.patch
|
||||||
|
Patch25: bind-9.18-pkcs11-engine-remove-deadcode.patch
|
||||||
|
|
||||||
%{?systemd_ordering}
|
%{?systemd_ordering}
|
||||||
Requires: coreutils
|
Requires: coreutils
|
||||||
@ -349,10 +354,11 @@ done
|
|||||||
cp -Tuav bin/tests "%{1}/bin/tests/" \
|
cp -Tuav bin/tests "%{1}/bin/tests/" \
|
||||||
|
|
||||||
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
||||||
|
CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=10100"
|
||||||
%if %{with TSAN}
|
%if %{with TSAN}
|
||||||
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
|
CFLAGS+=" -O1 -fsanitize=thread -fPIE -pie"
|
||||||
%endif
|
%endif
|
||||||
export CFLAGS
|
export CFLAGS CPPFLAGS
|
||||||
export STD_CDEFINES="$CPPFLAGS"
|
export STD_CDEFINES="$CPPFLAGS"
|
||||||
|
|
||||||
|
|
||||||
@ -402,6 +408,7 @@ export LIBDIR_SUFFIX
|
|||||||
%endif
|
%endif
|
||||||
--enable-fixed-rrset \
|
--enable-fixed-rrset \
|
||||||
--enable-full-report \
|
--enable-full-report \
|
||||||
|
CPPFLAGS="$CPPFLAGS" \
|
||||||
;
|
;
|
||||||
%if %{with DNSTAP}
|
%if %{with DNSTAP}
|
||||||
pushd lib
|
pushd lib
|
||||||
@ -941,6 +948,9 @@ fi;
|
|||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Sep 06 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-3
|
||||||
|
- Return OpenSSL engine implementation for pkcs11 interface (#2122841)
|
||||||
|
|
||||||
* Thu Sep 01 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-2
|
* Thu Sep 01 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.6-2
|
||||||
- Always show error details for failed unittests (#2122010)
|
- Always show error details for failed unittests (#2122010)
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user