a912dbe98b
Engine interface were deprecated in OpenSSL and therefore removed from normal compilation. But it is possible to compile on OpenSSL with compat define. That disables deprecation warnings and use functions same as for OpenSSL 1.1. That is required to keep working engine pkcs11 support. Otherwise loading keys via ENGINE_load_private_key would always fail. Resolves: rhbz:#2122010
1555 lines
54 KiB
Diff
1555 lines
54 KiB
Diff
From 561356ec1d46abb939e4eed10ee2c9e639eb88db Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
|
|
Date: Thu, 8 Sep 2022 17:19:20 +0200
|
|
Subject: [PATCH 2/3] Do not use OSSL_PARAM when engine API is compiled
|
|
|
|
OpenSSL has deprecated many things in version 3.0. If pkcs11 engine
|
|
should work then no builder from OpenSSL 3.0 API can be used.
|
|
|
|
Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when
|
|
OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow
|
|
working keys loading from the engine passed on command line.
|
|
---
|
|
lib/dns/openssldh_link.c | 136 +++++++++++++++++++-----------------
|
|
lib/dns/opensslecdsa_link.c | 119 +++++++++++++++----------------
|
|
lib/dns/opensslrsa_link.c | 118 +++++++++++++++----------------
|
|
3 files changed, 189 insertions(+), 184 deletions(-)
|
|
|
|
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
|
|
index d5dbc2e889..96c1d523b7 100644
|
|
--- a/lib/dns/openssldh_link.c
|
|
+++ b/lib/dns/openssldh_link.c
|
|
@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
|
|
static isc_result_t
|
|
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
|
isc_buffer_t *secret) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dhpub, *dhpriv;
|
|
const BIGNUM *pub_key = NULL;
|
|
int secret_len = 0;
|
|
@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
EVP_PKEY *dhpub, *dhpriv;
|
|
size_t secret_len = 0;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
isc_region_t r;
|
|
unsigned int len;
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
REQUIRE(pub->keydata.dh != NULL);
|
|
REQUIRE(priv->keydata.dh != NULL);
|
|
|
|
@@ -119,14 +119,14 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
|
dhpriv = priv->keydata.pkey;
|
|
|
|
len = EVP_PKEY_get_size(dhpriv);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
isc_buffer_availableregion(secret, &r);
|
|
if (r.length < len) {
|
|
return (ISC_R_NOSPACE);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH_get0_key(dhpub, &pub_key, NULL);
|
|
secret_len = DH_compute_key(r.base, pub_key, dhpriv);
|
|
if (secret_len <= 0) {
|
|
@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
|
DST_R_COMPUTESECRETFAILURE));
|
|
}
|
|
EVP_PKEY_CTX_free(ctx);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
isc_buffer_add(secret, (unsigned int)secret_len);
|
|
|
|
@@ -165,7 +165,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
|
|
|
static bool
|
|
openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh1, *dh2;
|
|
const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
|
|
const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
|
|
@@ -175,9 +175,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
|
|
BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
|
|
BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
dh1 = key1->keydata.dh;
|
|
dh2 = key2->keydata.dh;
|
|
|
|
@@ -209,7 +209,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2);
|
|
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1);
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/
|
|
|
|
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
|
|
BN_cmp(pub_key1, pub_key2) != 0)
|
|
@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
}
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
if (p1 != NULL) {
|
|
BN_free(p1);
|
|
}
|
|
@@ -251,22 +251,23 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
if (priv_key2 != NULL) {
|
|
BN_clear_free(priv_key2);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
|
+ */
|
|
|
|
return (true);
|
|
}
|
|
|
|
static bool
|
|
openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh1, *dh2;
|
|
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
|
|
#else
|
|
EVP_PKEY *pkey1, *pkey2;
|
|
BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
dh1 = key1->keydata.dh;
|
|
dh2 = key2->keydata.dh;
|
|
|
|
@@ -292,13 +293,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
|
|
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
|
|
return (false);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
if (p1 != NULL) {
|
|
BN_free(p1);
|
|
}
|
|
@@ -311,12 +312,13 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
if (g2 != NULL) {
|
|
BN_free(g2);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
|
+ */
|
|
|
|
return (true);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
static int
|
|
progress_cb(int p, int n, BN_GENCB *cb) {
|
|
union {
|
|
@@ -347,7 +349,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
|
|
}
|
|
return (1);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
static isc_result_t
|
|
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
@@ -357,7 +359,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
void (*fptr)(int);
|
|
} u;
|
|
BIGNUM *p = NULL, *g = NULL;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh = NULL;
|
|
BN_GENCB *cb = NULL;
|
|
#if !HAVE_BN_GENCB_NEW
|
|
@@ -370,9 +372,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
EVP_PKEY *param_pkey = NULL;
|
|
EVP_PKEY *pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
dh = DH_new();
|
|
if (dh == NULL) {
|
|
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
|
|
@@ -386,7 +388,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
if (param_ctx == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (generator == 0) {
|
|
/*
|
|
@@ -406,7 +408,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
if (p == NULL || g == NULL) {
|
|
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (DH_set0_pqg(dh, p, NULL, g) != 1) {
|
|
DST_RET(dst__openssl_toresult2(
|
|
"DH_set0_pqg", DST_R_OPENSSLFAILURE));
|
|
@@ -430,7 +432,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
params = OSSL_PARAM_BLD_to_param(bld);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
} else {
|
|
/*
|
|
@@ -443,7 +445,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
}
|
|
|
|
if (generator != 0) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
cb = BN_GENCB_new();
|
|
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
|
if (cb == NULL) {
|
|
@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
params = OSSL_PARAM_BLD_to_param(bld);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (DH_generate_key(dh) == 0) {
|
|
DST_RET(dst__openssl_toresult2("DH_generate_key",
|
|
DST_R_OPENSSLFAILURE));
|
|
@@ -557,12 +559,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
|
|
|
key->keydata.pkey = pkey;
|
|
pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
ret = ISC_R_SUCCESS;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (dh != NULL) {
|
|
DH_free(dh);
|
|
}
|
|
@@ -594,14 +596,14 @@ err:
|
|
if (g != NULL) {
|
|
BN_free(g);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
|
|
static bool
|
|
openssldh_isprivate(const dst_key_t *key) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh = key->keydata.dh;
|
|
const BIGNUM *priv_key = NULL;
|
|
|
|
@@ -626,12 +628,12 @@ openssldh_isprivate(const dst_key_t *key) {
|
|
}
|
|
|
|
return (ret);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
}
|
|
|
|
static void
|
|
openssldh_destroy(dst_key_t *key) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh = key->keydata.dh;
|
|
|
|
if (dh == NULL) {
|
|
@@ -649,7 +651,7 @@ openssldh_destroy(dst_key_t *key) {
|
|
|
|
EVP_PKEY_free(pkey);
|
|
key->keydata.pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
}
|
|
|
|
static void
|
|
@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) {
|
|
|
|
static isc_result_t
|
|
openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh;
|
|
const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
|
|
#else
|
|
EVP_PKEY *pkey;
|
|
BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
isc_region_t r;
|
|
uint16_t dnslen, plen, glen, publen;
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
REQUIRE(key->keydata.dh != NULL);
|
|
|
|
dh = key->keydata.dh;
|
|
@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
isc_buffer_availableregion(data, &r);
|
|
|
|
@@ -745,7 +747,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
isc_buffer_add(data, dnslen);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
if (p != NULL) {
|
|
BN_free(p);
|
|
}
|
|
@@ -755,7 +757,8 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
if (pub_key != NULL) {
|
|
BN_free(pub_key);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
|
+ */
|
|
|
|
return (ISC_R_SUCCESS);
|
|
}
|
|
@@ -763,14 +766,14 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
static isc_result_t
|
|
openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
isc_result_t ret;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh;
|
|
#else
|
|
OSSL_PARAM_BLD *bld = NULL;
|
|
OSSL_PARAM *params = NULL;
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
EVP_PKEY *pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
|
|
int key_size;
|
|
isc_region_t r;
|
|
@@ -782,7 +785,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
return (ISC_R_SUCCESS);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
dh = DH_new();
|
|
if (dh == NULL) {
|
|
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
|
|
@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
if (ctx == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
/*
|
|
* Read the prime length. 1 & 2 are table entries, > 16 means a
|
|
@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
key_size = BN_num_bits(p);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (DH_set0_pqg(dh, p, NULL, g) != 1) {
|
|
DST_RET(dst__openssl_toresult2("DH_set0_pqg",
|
|
DST_R_OPENSSLFAILURE));
|
|
@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (r.length < 2) {
|
|
DST_RET(DST_R_INVALIDPUBLICKEY);
|
|
@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
isc_buffer_forward(data, plen + glen + publen + 6);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
|
|
(LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
|
|
/*
|
|
@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
key->keydata.pkey = pkey;
|
|
pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
key->key_size = (unsigned int)key_size;
|
|
|
|
ret = ISC_R_SUCCESS;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (dh != NULL) {
|
|
DH_free(dh);
|
|
}
|
|
@@ -975,7 +978,7 @@ err:
|
|
if (bld != NULL) {
|
|
OSSL_PARAM_BLD_free(bld);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
if (p != NULL) {
|
|
BN_free(p);
|
|
}
|
|
@@ -991,13 +994,13 @@ err:
|
|
|
|
static isc_result_t
|
|
openssldh_tofile(const dst_key_t *key, const char *directory) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh;
|
|
const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
|
|
#else
|
|
EVP_PKEY *pkey;
|
|
BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
dst_private_t priv;
|
|
unsigned char *bufs[4] = { NULL };
|
|
unsigned short i = 0;
|
|
@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
|
return (DST_R_EXTERNALKEY);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (key->keydata.dh == NULL) {
|
|
return (DST_R_NULLKEY);
|
|
}
|
|
@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
priv.elements[i].tag = TAG_DH_PRIME;
|
|
priv.elements[i].length = BN_num_bytes(p);
|
|
@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
|
}
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
if (p != NULL) {
|
|
BN_free(p);
|
|
}
|
|
@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
|
if (priv_key != NULL) {
|
|
BN_clear_free(priv_key);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
|
+ */
|
|
|
|
return (result);
|
|
}
|
|
@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
dst_private_t priv;
|
|
isc_result_t ret;
|
|
int i;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
DH *dh = NULL;
|
|
#else
|
|
OSSL_PARAM_BLD *bld = NULL;
|
|
OSSL_PARAM *params = NULL;
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
EVP_PKEY *pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
|
|
int key_size = 0;
|
|
isc_mem_t *mctx;
|
|
@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
DST_RET(DST_R_EXTERNALKEY);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
dh = DH_new();
|
|
if (dh == NULL) {
|
|
DST_RET(ISC_R_NOMEMORY);
|
|
@@ -1128,7 +1132,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
if (ctx == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
for (i = 0; i < priv.nelements; i++) {
|
|
BIGNUM *bn;
|
|
@@ -1155,7 +1159,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
}
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (DH_set0_key(dh, pub_key, priv_key) != 1) {
|
|
DST_RET(dst__openssl_toresult2("DH_set0_key",
|
|
DST_R_OPENSSLFAILURE));
|
|
@@ -1202,13 +1206,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
|
|
key->keydata.pkey = pkey;
|
|
pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
key->key_size = (unsigned int)key_size;
|
|
ret = ISC_R_SUCCESS;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (dh != NULL) {
|
|
DH_free(dh);
|
|
}
|
|
@@ -1225,7 +1229,7 @@ err:
|
|
if (bld != NULL) {
|
|
OSSL_PARAM_BLD_free(bld);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
if (p != NULL) {
|
|
BN_free(p);
|
|
}
|
|
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
|
|
index 519e88b7e7..04f0d80b5e 100644
|
|
--- a/lib/dns/opensslecdsa_link.c
|
|
+++ b/lib/dns/opensslecdsa_link.c
|
|
@@ -17,14 +17,14 @@
|
|
|
|
#include <openssl/bn.h>
|
|
#include <openssl/opensslv.h>
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
#include <openssl/core_names.h>
|
|
#endif
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/err.h>
|
|
#include <openssl/evp.h>
|
|
#include <openssl/objects.h>
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
#include <openssl/param_build.h>
|
|
#endif
|
|
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
|
@@ -57,7 +57,7 @@
|
|
goto err; \
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
static isc_result_t
|
|
raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
|
size_t key_len, EVP_PKEY **pkey) {
|
|
@@ -159,7 +159,8 @@ err:
|
|
|
|
return (ret);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
|
+ */
|
|
|
|
static isc_result_t
|
|
opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
|
|
@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
bool ret;
|
|
EVP_PKEY *pkey1 = key1->keydata.pkey;
|
|
EVP_PKEY *pkey2 = key2->keydata.pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey1 = NULL;
|
|
EC_KEY *eckey2 = NULL;
|
|
const BIGNUM *priv1;
|
|
@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
#else
|
|
BIGNUM *priv1 = NULL;
|
|
BIGNUM *priv2 = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (pkey1 == NULL && pkey2 == NULL) {
|
|
return (true);
|
|
@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
DST_RET(false);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
|
|
eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
|
|
if (eckey1 == NULL && eckey2 == NULL) {
|
|
@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
#else
|
|
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1);
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (priv1 != NULL || priv2 != NULL) {
|
|
if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0)
|
|
@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
ret = true;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (eckey1 != NULL) {
|
|
EC_KEY_free(eckey1);
|
|
}
|
|
@@ -471,7 +472,7 @@ err:
|
|
if (priv2 != NULL) {
|
|
BN_clear_free(priv2);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
|
isc_result_t ret;
|
|
int status;
|
|
EVP_PKEY *pkey = NULL;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey = NULL;
|
|
#else
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
EVP_PKEY *params_pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
int group_nid;
|
|
|
|
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
|
|
@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
|
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
eckey = EC_KEY_new_by_curve_name(group_nid);
|
|
if (eckey == NULL) {
|
|
DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name",
|
|
@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
|
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
key->keydata.pkey = pkey;
|
|
pkey = NULL;
|
|
@@ -573,7 +574,7 @@ err:
|
|
if (pkey != NULL) {
|
|
EVP_PKEY_free(pkey);
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (eckey != NULL) {
|
|
EC_KEY_free(eckey);
|
|
}
|
|
@@ -584,7 +585,7 @@ err:
|
|
if (ctx != NULL) {
|
|
EVP_PKEY_CTX_free(ctx);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
@@ -593,11 +594,11 @@ static bool
|
|
opensslecdsa_isprivate(const dst_key_t *key) {
|
|
bool ret;
|
|
EVP_PKEY *pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey;
|
|
#else
|
|
BIGNUM *priv = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
|
|
key->key_alg == DST_ALG_ECDSA384);
|
|
@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
|
|
return (false);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
|
|
|
ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
|
|
@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
|
|
if (priv != NULL) {
|
|
BN_clear_free(priv);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
@@ -640,7 +641,7 @@ static isc_result_t
|
|
opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
isc_result_t ret;
|
|
EVP_PKEY *pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey = NULL;
|
|
int len;
|
|
unsigned char *cp;
|
|
@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
BIGNUM *y = NULL;
|
|
size_t keysize = 0;
|
|
size_t len = 0;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
isc_region_t r;
|
|
unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
|
|
|
|
@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
pkey = key->keydata.pkey;
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
|
if (eckey == NULL) {
|
|
DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
|
|
@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
}
|
|
|
|
len = keysize;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
isc_buffer_availableregion(data, &r);
|
|
if (r.length < (unsigned int)len) {
|
|
DST_RET(ISC_R_NOSPACE);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
cp = buf;
|
|
if (!i2o_ECPublicKey(eckey, &cp)) {
|
|
DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
|
|
@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
BN_bn2bin_fixed(x, &buf[0], keysize / 2);
|
|
BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2);
|
|
memmove(r.base, buf, len);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
isc_buffer_add(data, len);
|
|
ret = ISC_R_SUCCESS;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (eckey != NULL) {
|
|
EC_KEY_free(eckey);
|
|
}
|
|
@@ -721,7 +722,7 @@ err:
|
|
if (y != NULL) {
|
|
BN_clear_free(y);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
isc_result_t ret;
|
|
EVP_PKEY *pkey = NULL;
|
|
isc_region_t r;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey = NULL;
|
|
const unsigned char *cp;
|
|
unsigned int len;
|
|
@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
int group_nid;
|
|
#else
|
|
size_t len;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
|
|
key->key_alg == DST_ALG_ECDSA384);
|
|
@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
DST_RET(DST_R_INVALIDPUBLICKEY);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (key->key_alg == DST_ALG_ECDSA256) {
|
|
group_nid = NID_X9_62_prime256v1;
|
|
} else {
|
|
@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
if (ret != ISC_R_SUCCESS) {
|
|
DST_RET(ret);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
isc_buffer_forward(data, len);
|
|
key->keydata.pkey = pkey;
|
|
@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
ret = ISC_R_SUCCESS;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (eckey != NULL) {
|
|
EC_KEY_free(eckey);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
return (ret);
|
|
}
|
|
|
|
@@ -814,13 +815,13 @@ static isc_result_t
|
|
opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
|
|
isc_result_t ret;
|
|
EVP_PKEY *pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey = NULL;
|
|
const BIGNUM *privkey = NULL;
|
|
#else
|
|
int status;
|
|
BIGNUM *privkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
dst_private_t priv;
|
|
unsigned char *buf = NULL;
|
|
unsigned short i;
|
|
@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
|
|
}
|
|
|
|
pkey = key->keydata.pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
|
if (eckey == NULL) {
|
|
DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY",
|
|
@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
|
|
DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param",
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
|
|
|
|
@@ -888,7 +889,7 @@ err:
|
|
if (buf != NULL && privkey != NULL) {
|
|
isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (eckey != NULL) {
|
|
EC_KEY_free(eckey);
|
|
}
|
|
@@ -896,12 +897,12 @@ err:
|
|
if (privkey != NULL) {
|
|
BN_clear_free(privkey);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
static isc_result_t
|
|
ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) {
|
|
const EC_POINT *pubkey;
|
|
@@ -1065,9 +1066,9 @@ err:
|
|
|
|
return (ret);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
static isc_result_t
|
|
load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv,
|
|
int privkey_index) {
|
|
@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) {
|
|
}
|
|
return (ISC_R_SUCCESS);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
static isc_result_t
|
|
finalize_eckey(dst_key_t *key,
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey,
|
|
#endif
|
|
const char *engine, const char *label) {
|
|
isc_result_t result = ISC_R_SUCCESS;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EVP_PKEY *pkey = NULL;
|
|
|
|
REQUIRE(eckey != NULL);
|
|
@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key,
|
|
}
|
|
|
|
key->keydata.pkey = pkey;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (label != NULL) {
|
|
key->label = isc_mem_strdup(key->mctx, label);
|
|
@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key,
|
|
return (result);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
static isc_result_t
|
|
dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
|
|
int group_nid;
|
|
@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
|
|
|
|
return (ISC_R_SUCCESS);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
static isc_result_t
|
|
opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
|
@@ -1173,10 +1174,10 @@ static isc_result_t
|
|
opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
dst_private_t priv;
|
|
isc_result_t ret;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
EC_KEY *eckey = NULL;
|
|
EC_KEY *pubeckey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
const char *engine = NULL;
|
|
const char *label = NULL;
|
|
int i, privkey_index = -1;
|
|
@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
goto err;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey);
|
|
if (eckey == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
} else {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
ret = dst__key_to_eckey(key, &eckey);
|
|
if (ret != ISC_R_SUCCESS) {
|
|
goto err;
|
|
@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
priv.elements[privkey_index].data,
|
|
priv.elements[privkey_index].length,
|
|
&key->keydata.pkey);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (ret != ISC_R_SUCCESS) {
|
|
goto err;
|
|
@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
finalize_key = true;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (pub != NULL && pub->keydata.pkey != NULL) {
|
|
pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey);
|
|
}
|
|
@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
if (finalize_key) {
|
|
ret = finalize_eckey(key, engine, label);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (pubeckey != NULL) {
|
|
EC_KEY_free(pubeckey);
|
|
}
|
|
if (eckey != NULL) {
|
|
EC_KEY_free(eckey);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
if (ret != ISC_R_SUCCESS) {
|
|
key->keydata.generic = NULL;
|
|
}
|
|
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
|
|
index fc905b7d60..867b486a2f 100644
|
|
--- a/lib/dns/opensslrsa_link.c
|
|
+++ b/lib/dns/opensslrsa_link.c
|
|
@@ -18,7 +18,7 @@
|
|
|
|
#include <openssl/bn.h>
|
|
#include <openssl/opensslv.h>
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
#include <openssl/core_names.h>
|
|
#endif
|
|
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
|
@@ -26,7 +26,7 @@
|
|
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
|
|
#include <openssl/err.h>
|
|
#include <openssl/objects.h>
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
|
#include <openssl/param_build.h>
|
|
#endif
|
|
#include <openssl/rsa.h>
|
|
@@ -180,12 +180,12 @@ static isc_result_t
|
|
opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
|
|
dst_key_t *key = dctx->key;
|
|
int status = 0;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa;
|
|
const BIGNUM *e = NULL;
|
|
#else
|
|
BIGNUM *e = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
|
EVP_PKEY *pkey = key->keydata.pkey;
|
|
int bits;
|
|
@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
|
|
dctx->key->key_alg == DST_ALG_RSASHA256 ||
|
|
dctx->key->key_alg == DST_ALG_RSASHA512);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
if (rsa == NULL) {
|
|
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
|
|
}
|
|
bits = BN_num_bits(e);
|
|
BN_free(e);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (bits > maxbits && maxbits != 0) {
|
|
return (DST_R_VERIFYFAILURE);
|
|
@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
int status;
|
|
EVP_PKEY *pkey1 = key1->keydata.pkey;
|
|
EVP_PKEY *pkey2 = key2->keydata.pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa1 = NULL;
|
|
RSA *rsa2 = NULL;
|
|
const BIGNUM *d1 = NULL, *d2 = NULL;
|
|
@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
BIGNUM *d1 = NULL, *d2 = NULL;
|
|
BIGNUM *p1 = NULL, *p2 = NULL;
|
|
BIGNUM *q1 = NULL, *q2 = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (pkey1 == NULL && pkey2 == NULL) {
|
|
return (true);
|
|
@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
DST_RET(false);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa1 = EVP_PKEY_get1_RSA(pkey1);
|
|
rsa2 = EVP_PKEY_get1_RSA(pkey2);
|
|
if (rsa1 == NULL && rsa2 == NULL) {
|
|
@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
#else
|
|
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1);
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (d1 != NULL || d2 != NULL) {
|
|
if (d1 == NULL || d2 == NULL) {
|
|
DST_RET(false);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA_get0_factors(rsa1, &p1, &q1);
|
|
RSA_get0_factors(rsa2, &p2, &q2);
|
|
#else
|
|
@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1);
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2);
|
|
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 ||
|
|
BN_cmp(q1, q2) != 0) {
|
|
@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
|
ret = true;
|
|
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (rsa1 != NULL) {
|
|
RSA_free(rsa1);
|
|
}
|
|
@@ -332,12 +332,12 @@ err:
|
|
if (q2 != NULL) {
|
|
BN_clear_free(q2);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
static int
|
|
progress_cb(int p, int n, BN_GENCB *cb) {
|
|
union {
|
|
@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
|
|
}
|
|
return (1);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
static isc_result_t
|
|
opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|
@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|
void (*fptr)(int);
|
|
} u;
|
|
BIGNUM *e = BN_new();
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa = RSA_new();
|
|
EVP_PKEY *pkey = EVP_PKEY_new();
|
|
#if !HAVE_BN_GENCB_NEW
|
|
@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|
#else
|
|
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
|
|
EVP_PKEY *pkey = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (e == NULL || rsa == NULL || pkey == NULL || cb == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|
if (e == NULL || ctx == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
/*
|
|
* Reject incorrect RSA key lengths.
|
|
@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|
BN_set_bit(e, 32);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
@@ -476,7 +476,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
|
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
key->keydata.pkey = pkey;
|
|
pkey = NULL;
|
|
@@ -486,7 +486,7 @@ err:
|
|
if (pkey != NULL) {
|
|
EVP_PKEY_free(pkey);
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (rsa != NULL) {
|
|
RSA_free(rsa);
|
|
}
|
|
@@ -497,7 +497,7 @@ err:
|
|
if (ctx != NULL) {
|
|
EVP_PKEY_CTX_free(ctx);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
if (e != NULL) {
|
|
BN_free(e);
|
|
}
|
|
@@ -508,12 +508,12 @@ static bool
|
|
opensslrsa_isprivate(const dst_key_t *key) {
|
|
bool ret;
|
|
EVP_PKEY *pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa;
|
|
const BIGNUM *d = NULL;
|
|
#else
|
|
BIGNUM *d = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
|
|
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
|
|
@@ -525,7 +525,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
|
|
return (false);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
INSIST(rsa != NULL);
|
|
|
|
@@ -542,7 +542,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
|
|
if (d != NULL) {
|
|
BN_clear_free(d);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
@@ -564,19 +564,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
unsigned int mod_bytes;
|
|
isc_result_t ret;
|
|
EVP_PKEY *pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa;
|
|
const BIGNUM *e = NULL, *n = NULL;
|
|
#else
|
|
BIGNUM *e = NULL, *n = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
REQUIRE(key->keydata.pkey != NULL);
|
|
|
|
pkey = key->keydata.pkey;
|
|
isc_buffer_availableregion(data, &r);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
if (rsa == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
@@ -588,7 +588,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
if (e == NULL || n == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
mod_bytes = BN_num_bytes(n);
|
|
e_bytes = BN_num_bytes(e);
|
|
@@ -621,7 +621,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
ret = ISC_R_SUCCESS;
|
|
err:
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (rsa != NULL) {
|
|
RSA_free(rsa);
|
|
}
|
|
@@ -632,7 +632,7 @@ err:
|
|
if (n != NULL) {
|
|
BN_free(n);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
return (ret);
|
|
}
|
|
|
|
@@ -643,13 +643,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
isc_region_t r;
|
|
unsigned int e_bytes;
|
|
unsigned int length;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa = NULL;
|
|
#else
|
|
OSSL_PARAM_BLD *bld = NULL;
|
|
OSSL_PARAM *params = NULL;
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
EVP_PKEY *pkey = NULL;
|
|
BIGNUM *e = NULL, *n = NULL;
|
|
|
|
@@ -691,7 +691,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
isc_buffer_forward(data, length);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = RSA_new();
|
|
if (rsa == NULL) {
|
|
DST_RET(dst__openssl_toresult2("RSA_new",
|
|
@@ -749,7 +749,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
|
|
DST_R_OPENSSLFAILURE));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
key->keydata.pkey = pkey;
|
|
pkey = NULL;
|
|
@@ -757,7 +757,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
|
|
|
err:
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (rsa != NULL) {
|
|
RSA_free(rsa);
|
|
}
|
|
@@ -771,7 +771,7 @@ err:
|
|
if (bld != NULL) {
|
|
OSSL_PARAM_BLD_free(bld);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
if (n != NULL) {
|
|
BN_free(n);
|
|
}
|
|
@@ -792,7 +792,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
|
unsigned char *bufs[8] = { NULL };
|
|
unsigned short i = 0;
|
|
EVP_PKEY *pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa = NULL;
|
|
const BIGNUM *n = NULL, *e = NULL, *d = NULL;
|
|
const BIGNUM *p = NULL, *q = NULL;
|
|
@@ -801,7 +801,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
|
BIGNUM *n = NULL, *e = NULL, *d = NULL;
|
|
BIGNUM *p = NULL, *q = NULL;
|
|
BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (key->keydata.pkey == NULL) {
|
|
DST_RET(DST_R_NULLKEY);
|
|
@@ -812,7 +812,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
|
}
|
|
|
|
pkey = key->keydata.pkey;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = EVP_PKEY_get1_RSA(pkey);
|
|
if (rsa == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
@@ -829,7 +829,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1);
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1);
|
|
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp);
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (n == NULL || e == NULL) {
|
|
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
|
@@ -935,7 +935,7 @@ err:
|
|
priv.elements[i].length);
|
|
}
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA_free(rsa);
|
|
#else
|
|
if (n != NULL) {
|
|
@@ -962,12 +962,12 @@ err:
|
|
if (iqmp != NULL) {
|
|
BN_clear_free(iqmp);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
return (ret);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
static isc_result_t
|
|
rsa_check(RSA *rsa, RSA *pub) {
|
|
const BIGNUM *n1 = NULL, *n2 = NULL;
|
|
@@ -1079,14 +1079,14 @@ err:
|
|
|
|
return (ret);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
static isc_result_t
|
|
opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
dst_private_t priv;
|
|
isc_result_t ret;
|
|
int i;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa = NULL, *pubrsa = NULL;
|
|
const BIGNUM *ex = NULL;
|
|
#else
|
|
@@ -1094,7 +1094,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
OSSL_PARAM *params = NULL;
|
|
EVP_PKEY_CTX *ctx = NULL;
|
|
BIGNUM *ex = NULL;
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
|
ENGINE *ep = NULL;
|
|
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
|
|
@@ -1126,11 +1126,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
DST_RET(ISC_R_SUCCESS);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (pub != NULL && pub->keydata.pkey != NULL) {
|
|
pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
for (i = 0; i < priv.nelements; i++) {
|
|
switch (priv.elements[i].tag) {
|
|
@@ -1249,7 +1249,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
}
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = RSA_new();
|
|
if (rsa == NULL) {
|
|
DST_RET(ISC_R_NOMEMORY);
|
|
@@ -1361,7 +1361,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
|
ISC_R_SUCCESS) {
|
|
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
|
|
if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
|
|
DST_RET(ISC_R_RANGE);
|
|
@@ -1375,7 +1375,7 @@ err:
|
|
if (pkey != NULL) {
|
|
EVP_PKEY_free(pkey);
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (rsa != NULL) {
|
|
RSA_free(rsa);
|
|
}
|
|
@@ -1419,7 +1419,7 @@ err:
|
|
if (iqmp != NULL) {
|
|
BN_clear_free(iqmp);
|
|
}
|
|
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
|
+#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
|
if (ret != ISC_R_SUCCESS) {
|
|
key->keydata.generic = NULL;
|
|
}
|
|
@@ -1643,7 +1643,7 @@ check_algorithm(unsigned char algorithm) {
|
|
int status;
|
|
isc_result_t ret = ISC_R_SUCCESS;
|
|
size_t len;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
RSA *rsa = NULL;
|
|
#else
|
|
OSSL_PARAM *params = NULL;
|
|
@@ -1689,7 +1689,7 @@ check_algorithm(unsigned char algorithm) {
|
|
DST_RET(ISC_R_NOMEMORY);
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
rsa = RSA_new();
|
|
if (rsa == NULL) {
|
|
DST_RET(dst__openssl_toresult2("RSA_new",
|
|
@@ -1762,7 +1762,7 @@ check_algorithm(unsigned char algorithm) {
|
|
err:
|
|
BN_free(e);
|
|
BN_free(n);
|
|
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
|
+#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
|
if (rsa != NULL) {
|
|
RSA_free(rsa);
|
|
}
|
|
--
|
|
2.37.2
|
|
|