bind/bind-9.18-pkcs11-engine-remove-deadcode.patch
Petr Menšík a912dbe98b Return engine implementation but use legacy OpenSSL
Engine interface were deprecated in OpenSSL and therefore removed from
normal compilation. But it is possible to compile on OpenSSL with compat
define. That disables deprecation warnings and use functions same as for
OpenSSL 1.1. That is required to keep working engine pkcs11 support.

Otherwise loading keys via ENGINE_load_private_key would always fail.

Resolves: rhbz:#2122010
2022-09-08 22:33:55 +02:00

246 lines
8.2 KiB
Diff

From cc8edfc6670ba97434bc5acb595539fd9c7d9123 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemensik@redhat.com>
Date: Thu, 8 Sep 2022 16:33:38 +0200
Subject: [PATCH 3/3] Remove engine related parts for OpenSSL 3.0
OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
builders. But it can be built in legacy mode, where deprecated but still
working API would be used.
It can work under OpenSSL 3.0, but only if using legacy code paths
matching OpenSSL 1.1 calls and functions.
Remove fromlabel processing by OpenSSL 3.0 only functions. They can
return later with a proper provider support for pkcs11.
---
lib/dns/opensslecdsa_link.c | 55 -------------------------------------
lib/dns/opensslrsa_link.c | 32 ---------------------
2 files changed, 87 deletions(-)
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 04f0d80b5e..f04f076e42 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
isc_result_t ret = ISC_R_SUCCESS;
ENGINE *e;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
EC_KEY *eckey = NULL;
EC_KEY *pubeckey = NULL;
int group_nid;
-#else
- size_t len;
- const char *curve_name, *nist_curve_name;
- char buf[128]; /* Sufficient for all of the supported curves' names. */
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
EVP_PKEY *pkey = NULL;
EVP_PKEY *pubpkey = NULL;
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(DST_R_NOENGINE);
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (key->key_alg == DST_ALG_ECDSA256) {
group_nid = NID_X9_62_prime256v1;
} else {
group_nid = NID_secp384r1;
}
-#else
- /* Get the expected curve names */
- if (key->key_alg == DST_ALG_ECDSA256) {
- curve_name = "prime256v1";
- nist_curve_name = "P-256";
- } else {
- curve_name = "secp384r1";
- nist_curve_name = "P-384";
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
/* Load private key. */
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
eckey = EVP_PKEY_get1_EC_KEY(pkey);
if (eckey == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
DST_RET(DST_R_INVALIDPRIVATEKEY);
}
-#else
- len = 0;
- if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
- buf, sizeof buf, &len) != 1 ||
- len == 0 || len >= sizeof buf)
- {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
- {
- DST_RET(DST_R_INVALIDPRIVATEKEY);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
/* Load public key. */
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
DST_RET(DST_R_INVALIDPUBLICKEY);
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
if (pubeckey == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
DST_RET(DST_R_INVALIDPUBLICKEY);
}
-#else
- len = 0;
- if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
- buf, sizeof buf, &len) != 1 ||
- len == 0 || len >= sizeof buf)
- {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
- if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
- strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
- {
- DST_RET(DST_R_INVALIDPUBLICKEY);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
-#else
- if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
key->label = isc_mem_strdup(key->mctx, label);
key->engine = isc_mem_strdup(key->mctx, engine);
@@ -1442,14 +1389,12 @@ err:
if (pkey != NULL) {
EVP_PKEY_free(pkey);
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (pubeckey != NULL) {
EC_KEY_free(pubeckey);
}
if (eckey != NULL) {
EC_KEY_free(eckey);
}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
return (ret);
#else
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 867b486a2f..cf350610ba 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1167,7 +1167,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1176,16 +1175,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
- if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
- ISC_R_SUCCESS) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
- 1) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (ex == NULL) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@@ -1437,12 +1426,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
ENGINE *e = NULL;
isc_result_t ret = ISC_R_SUCCESS;
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
RSA *rsa = NULL, *pubrsa = NULL;
const BIGNUM *ex = NULL;
-#else
- BIGNUM *ex = NULL;
-#endif
UNUSED(pin);
@@ -1459,12 +1444,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
DST_R_OPENSSLFAILURE));
}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
pubrsa = EVP_PKEY_get1_RSA(pubpkey);
if (pubrsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (pkey == NULL) {
@@ -1475,7 +1458,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label);
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
rsa = EVP_PKEY_get1_RSA(pkey);
if (rsa == NULL) {
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1484,14 +1466,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
}
RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
- if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
- if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
- DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (ex == NULL) {
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@@ -1505,18 +1479,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pkey = NULL;
err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
if (rsa != NULL) {
RSA_free(rsa);
}
if (pubrsa != NULL) {
RSA_free(pubrsa);
}
-#else
- if (ex != NULL) {
- BN_free(ex);
- }
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
if (pkey != NULL) {
EVP_PKEY_free(pkey);
}
--
2.37.2