diff --git a/bin/tests/system/rsabigexponent/bigkey.c b/bin/tests/system/rsabigexponent/bigkey.c
index be04320578..af3d928c78 100644
--- a/bin/tests/system/rsabigexponent/bigkey.c
+++ b/bin/tests/system/rsabigexponent/bigkey.c
@@ -42,19 +42,10 @@
 #include
 #include
-#ifdef OPENSSL
-#include
-#if OPENSSL_VERSION_NUMBER <= 0x00908000L
-#define USE_FIX_KEY_FILES
-#endif
-#else
-#define USE_FIX_KEY_FILES
-#endif
-
-#ifdef USE_FIX_KEY_FILES
+#if !defined(OPENSSL)
 /*
- * Use a fixed key file pair if OpenSSL doesn't support > 32 bit exponents.
+ * Use a fixed key file pair if compiled without OpenSSL.
 */
 int
diff --git a/config.h.in b/config.h.in
index cdb3fa8a3a..45d342ef68 100644
--- a/config.h.in
+++ b/config.h.in
@@ -239,6 +239,12 @@ int sigwait(const unsigned int *set, int *sig);
 /* Define to 1 if you have the header file. */
 #undef HAVE_EDIT_READLINE_READLINE_H
+/* Define to 1 if you have the `EVP_sha1' function. */
+#undef HAVE_EVP_SHA1
+
+/* Define to 1 if you have the `EVP_sha224' function. */
+#undef HAVE_EVP_SHA224
+
 /* Define to 1 if you have the `EVP_sha256' function. */
 #undef HAVE_EVP_SHA256
diff --git a/config.h.win32 b/config.h.win32
index 5405d83010..10f91bc6e6 100644
--- a/config.h.win32
+++ b/config.h.win32
@@ -312,15 +312,6 @@ typedef __int64 off_t;
 /* Define to enable "rrset-order fixed" syntax. */
 @DNS_RDATASET_FIXED@
-/* Define to 1 if you have the `EVP_sha256' function. */
-@HAVE_EVP_SHA256@
-
-/* Define to 1 if you have the `EVP_sha384' function. */
-@HAVE_EVP_SHA384@
-
-/* Define to 1 if you have the `EVP_sha512' function. */
-@HAVE_EVP_SHA512@
-
 /* Define if OpenSSL provides FIPS_mode() */
 @HAVE_FIPS_MODE@
diff --git a/configure b/configure
index 88f21d857f..f036382f6c 100755
--- a/configure
+++ b/configure
@@ -16385,6 +16385,36 @@ $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
 saved_libs="$LIBS"
 CFLAGS="$DST_OPENSSL_INC $CFLAGS"
 LIBS="$DST_OPENSSL_LIBS $LIBS"
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL >= 1.0.0 or LibreSSL" >&5
+$as_echo_n "checking for OpenSSL >= 1.0.0 or LibreSSL... " >&6; }
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+#include
+
+int
+main ()
+{
+
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+#error OpenSSL >= 1.0.0 or LibreSSL needed
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+ as_fn_error $? "OpenSSL >= 1.0.0 or LibreSSL not found" "$LINENO" 5
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
 $as_echo_n "checking whether linking with OpenSSL works... " >&6; }
 if test "$cross_compiling" = yes; then :
@@ -16536,7 +16566,7 @@ $as_echo "yes" >&6; }
 $as_echo "no" >&6; }
 fi
- for ac_func in EVP_sha256 EVP_sha384 EVP_sha512
+ for ac_func in EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512
 do :
 as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
@@ -16545,6 +16575,9 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
 #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
 _ACEOF
+else
+
+ as_fn_error $? "SHA-1 and SHA-2 support in OpenSSL is mandatory." "$LINENO" 5
 fi
 done
@@ -16577,9 +16610,6 @@ else
 int main() {
 EC_KEY *ec256, *ec384;
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
- return (1);
-#endif
 ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
 if (ec256 == NULL || ec384 == NULL)
diff --git a/configure.in b/configure.in
index 66992da669..7accaf8bb1 100644
--- a/configure.in
+++ b/configure.in
@@ -1626,6 +1626,20 @@ If you do not want OpenSSL, use --without-openssl])
 saved_libs="$LIBS"
 CFLAGS="$DST_OPENSSL_INC $CFLAGS"
 LIBS="$DST_OPENSSL_LIBS $LIBS"
+
+ AC_MSG_CHECKING(for OpenSSL >= 1.0.0 or LibreSSL)
+ AC_TRY_COMPILE([
+#include
+],
+[
+#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)
+#error OpenSSL >= 1.0.0 or LibreSSL needed
+#endif
+],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no])
+ AC_MSG_ERROR([OpenSSL >= 1.0.0 or LibreSSL not found])])
+
 AC_MSG_CHECKING(whether linking with OpenSSL works)
 AC_TRY_RUN([
 #include
@@ -1710,7 +1724,8 @@ DSO_METHOD_dlfcn();
 AC_MSG_RESULT(no)
 fi
- AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)
+ AC_CHECK_FUNCS([EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [], [
+ AC_MSG_ERROR([SHA-1 and SHA-2 support in OpenSSL is mandatory.])])
 AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])
@@ -1722,9 +1737,6 @@ DSO_METHOD_dlfcn();
 int main() {
 EC_KEY *ec256, *ec384;
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
- return (1);
-#endif
 ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
 if (ec256 == NULL || ec384 == NULL)
diff --git a/lib/dns/dst_internal.h b/lib/dns/dst_internal.h
index e844a93572..7b82b74c48 100644
--- a/lib/dns/dst_internal.h
+++ b/lib/dns/dst_internal.h
@@ -114,9 +114,6 @@ struct dst_key {
 void *generic;
 gss_ctx_id_t gssctx;
 #ifdef OPENSSL
-#if !defined(USE_EVP) || !USE_EVP
- RSA *rsa;
-#endif
 #ifndef PK11_DSA_DISABLE
 DSA *dsa;
 #endif
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index ac479ce484..65962f21ca 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
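Review bot: The action-if-not-found handed to AC_CHECK_FUNCS in the second configure.in hunk runs once for each missing function, but its message never says which one, so a library that lacks only EVP_sha224 fails with the generic `SHA-1 and SHA-2 support in OpenSSL is mandatory.` and the user has to read config.log; `$ac_func` is set inside that loop (the generated code on the previous line is `for ac_func in ...`), so `AC_MSG_ERROR([$ac_func not found: SHA-1 and SHA-2 support in OpenSSL is mandatory.])` names the culprit at no cost. The new compile test in the first hunk accepts every LibreSSL version unconditionally, which the AC_MSG_CHECKING text does not convey; a short comment that the later function checks are what actually gate LibreSSL would prevent a future reader from tightening it blindly. The same two changes appear in generated form in the configure hunks on the previous line.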
@@ -59,7 +59,7 @@ static int nlocks;
 static ENGINE *e = NULL;
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static void
 lock_callback(int mode, int type, const char *file, int line) {
 UNUSED(file);
@@ -71,7 +71,7 @@ lock_callback(int mode, int type, const char *file, int line) {
 }
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+#if defined(LIBRESSL_VERSION_NUMBER)
 static unsigned long
 id_callback(void) {
 return ((unsigned long)isc_thread_self());
@@ -135,7 +135,7 @@ mem_realloc(void *ptr, size_t size FLARG) {
 #endif
 }
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 static void
 _set_thread_id(CRYPTO_THREADID *id) {
@@ -166,12 +166,11 @@ dst__openssl_init(const char *engine) {
 if (result != ISC_R_SUCCESS)
 goto cleanup_mutexalloc;
 CRYPTO_set_locking_callback(lock_callback);
-# if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
- CRYPTO_THREADID_set_callback(_set_thread_id);
-# else
+# if defined(LIBRESSL_VERSION_NUMBER)
 CRYPTO_set_id_callback(id_callback);
+# elif OPENSSL_VERSION_NUMBER < 0x10100000L
+ CRYPTO_THREADID_set_callback(_set_thread_id);
 # endif
-
 ERR_load_crypto_strings();
 #endif
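Review bot: The order of the new `# if defined(LIBRESSL_VERSION_NUMBER)` / `# elif OPENSSL_VERSION_NUMBER < 0x10100000L` pair in dst__openssl_init is load-bearing and deserves a comment: LibreSSL reports OPENSSL_VERSION_NUMBER as 0x20000000L, so the version comparison alone would register no thread-id callback for it, and the three guard rewrites earlier in this span (`lock_callback`, `id_callback`, `_set_thread_id`) rely on the same fact to stay consistent with this selection. Suggest `/* LibreSSL reports OPENSSL_VERSION_NUMBER 0x20000000L: test for it first. */` above the `# if`. dst__openssl_init starts before this hunk and continues after it.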
@@ -237,32 +236,24 @@ dst__openssl_init(const char *engine) {
 void
 dst__openssl_destroy(void) {
-#if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
- OPENSSL_cleanup();
-#else
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 /*
 * Sequence taken from apps_shutdown() in .
 */
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 CONF_modules_free();
-#endif
 OBJ_cleanup();
 EVP_cleanup();
 #if !defined(OPENSSL_NO_ENGINE)
 if (e != NULL)
 ENGINE_free(e);
 e = NULL;
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_VERSION_NUMBER >= 0x00907000L
 ENGINE_cleanup();
 #endif
-#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 CRYPTO_cleanup_all_ex_data();
-#endif
 ERR_clear_error();
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 ERR_remove_thread_state(NULL);
-#elif OPENSSL_VERSION_NUMBER < 0x10000000L || defined(LIBRESSL_VERSION_NUMBER)
+#elif defined(LIBRESSL_VERSION_NUMBER)
 ERR_remove_state(0);
 #endif
 ERR_free_strings();
@@ -277,6 +268,8 @@ dst__openssl_destroy(void) {
 mem_free(locks FILELINE);
 locks = NULL;
 }
+#else
+ OPENSSL_cleanup();
 #endif
 }
diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c
index 7e3a5d77b3..ebdaeaa0da 100644
--- a/lib/dns/openssldh_link.c
+++ b/lib/dns/openssldh_link.c
@@ -240,7 +240,6 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
 return (ISC_TRUE);
 }
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
 union {
@@ -255,12 +254,10 @@ progress_cb(int p, int n, BN_GENCB *cb) {
 u.fptr(p);
 return (1);
 }
-#endif
 static isc_result_t
 openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 DH *dh = NULL;
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 BN_GENCB *cb;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 BN_GENCB _cb;
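Review bot: The new `#else` branch in dst__openssl_destroy (second hunk) releases nothing before `OPENSSL_cleanup()`: on OpenSSL >= 1.1.0 the engine reference held in the file-scope `e` (taken in dst__openssl_init, outside this hunk) is, as far as this hunk shows, neither ENGINE_free'd nor reset, whereas the pre-1.1.0 branch does both. OPENSSL_cleanup() presumably tears the engine list down on its own, but an explicit release keeps the two branches symmetric and leaves `e` NULL for any later re-initialisation; if the structural reference really is dropped elsewhere, a one-line comment saying so is the alternative.

```c
#else
#if !defined(OPENSSL_NO_ENGINE)
	if (e != NULL)
		ENGINE_free(e);
	e = NULL;
#endif
	OPENSSL_cleanup();
#endif
```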
@@ -269,10 +266,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 void *dptr;
 void (*fptr)(int);
 } u;
-#else
-
- UNUSED(callback);
-#endif
 if (generator == 0) {
 if (key->key_size == 768 ||
@@ -303,7 +296,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 }
 if (generator != 0) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 dh = DH_new();
 if (dh == NULL)
 return (dst__openssl_toresult(ISC_R_NOMEMORY));
@@ -331,14 +323,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
 }
 BN_GENCB_free(cb);
 cb = NULL;
-#else
- dh = DH_generate_parameters(key->key_size, generator,
- NULL, NULL);
- if (dh == NULL)
- return (dst__openssl_toresult2(
- "DH_generate_parameters",
- DST_R_OPENSSLFAILURE));
-#endif
 }
 if (DH_generate_key(dh) == 0) {
diff --git a/lib/dns/openssldsa_link.c b/lib/dns/openssldsa_link.c
index dfbd484247..355af0e6e0 100644
--- a/lib/dns/openssldsa_link.c
+++ b/lib/dns/openssldsa_link.c
@@ -24,9 +24,6 @@
 */
 #ifdef OPENSSL
-#ifndef USE_EVP
-#define USE_EVP 1
-#endif
 #include
@@ -127,7 +124,6 @@ DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
 static isc_result_t
 openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx;
 UNUSED(key);
@@ -144,53 +140,25 @@ openssldsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 dctx->ctxdata.evp_md_ctx = evp_md_ctx;
 return (ISC_R_SUCCESS);
-#else
- isc_sha1_t *sha1ctx;
-
- UNUSED(key);
-
- sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
- if (sha1ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_sha1_init(sha1ctx);
- dctx->ctxdata.sha1ctx = sha1ctx;
- return (ISC_R_SUCCESS);
-#endif
 }
 static void
 openssldsa_destroyctx(dst_context_t *dctx) {
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 if (evp_md_ctx != NULL) {
 EVP_MD_CTX_destroy(evp_md_ctx);
 dctx->ctxdata.evp_md_ctx = NULL;
 }
-#else
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- if (sha1ctx != NULL) {
- isc_sha1_invalidate(sha1ctx);
- isc_mem_put(dctx->mctx, sha1ctx, sizeof(isc_sha1_t));
- dctx->ctxdata.sha1ctx = NULL;
- }
-#endif
 }
 static isc_result_t
 openssldsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
 return (ISC_R_FAILURE);
 }
-#else
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- isc_sha1_update(sha1ctx, data->base, data->length);
-#endif
 return (ISC_R_SUCCESS);
 }
@@ -211,22 +179,16 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 DSA_SIG *dsasig;
 const BIGNUM *r = 0, *s = NULL;
 unsigned int klen;
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 EVP_PKEY *pkey;
 unsigned char *sigbuf;
 const unsigned char *sb;
 unsigned int siglen;
-#else
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
- unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-#endif
 isc_buffer_availableregion(sig, ®ion);
 if (region.length < ISC_SHA1_DIGESTLENGTH * 2 + 1)
 return (ISC_R_NOSPACE);
-#if USE_EVP
 pkey = EVP_PKEY_new();
 if (pkey == NULL)
 return (ISC_R_NOMEMORY);
@@ -263,28 +225,6 @@ openssldsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 }
 free(sigbuf);
-#elif 0
- /* Only use EVP for the Digest */
- if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
- return (dst__openssl_toresult3(dctx->category,
- "EVP_DigestFinal_ex",
- ISC_R_FAILURE));
- }
- dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
- if (dsasig == NULL)
- return (dst__openssl_toresult3(dctx->category,
- "DSA_do_sign",
- DST_R_SIGNFAILURE));
-#else
- isc_sha1_final(sha1ctx, digest);
-
- dsasig = DSA_do_sign(digest, ISC_SHA1_DIGESTLENGTH, dsa);
- if (dsasig == NULL)
- return (dst__openssl_toresult3(dctx->category,
- "DSA_do_sign",
- DST_R_SIGNFAILURE));
-#endif
-
 klen = (key->key_size - 512)/64;
 if (klen > 255)
 return (ISC_R_FAILURE);
@@ -310,29 +250,14 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 int status = 0;
 unsigned char *cp = sig->base;
 DSA_SIG *dsasig;
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#if 0
- EVP_PKEY *pkey;
- unsigned char *sigbuf;
-#endif
 unsigned int siglen;
-#else
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-#endif
 unsigned char digest[ISC_SHA1_DIGESTLENGTH];
-
-#if USE_EVP
-#if 1
 /* Only use EVP for the digest */
 if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &siglen)) {
 return (ISC_R_FAILURE);
 }
-#endif
-#else
- isc_sha1_final(sha1ctx, digest);
-#endif
 if (sig->length != 2 * ISC_SHA1_DIGESTLENGTH + 1) {
 return (DST_R_VERIFYFAILURE);
@@ -347,28 +272,8 @@ openssldsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
 s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
 DSA_SIG_set0(dsasig, r, s);
-#if 0
- pkey = EVP_PKEY_new();
- if (pkey == NULL)
- return (ISC_R_NOMEMORY);
- if (!EVP_PKEY_set1_DSA(pkey, dsa)) {
- EVP_PKEY_free(pkey);
- return (ISC_R_FAILURE);
- }
- /* Convert to Dss-Sig-Value (RFC2459). */
- sigbuf = malloc(EVP_PKEY_size(pkey) + 50);
- if (sigbuf == NULL) {
- EVP_PKEY_free(pkey);
- return (ISC_R_NOMEMORY);
- }
- siglen = (unsigned) i2d_DSA_SIG(dsasig, &sigbuf);
- INSIST(EVP_PKEY_size(pkey) >= (int) siglen);
- status = EVP_VerifyFinal(evp_md_ctx, sigbuf, siglen, pkey);
- EVP_PKEY_free(pkey);
- free(sigbuf);
-#else
 status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
-#endif
+ DSA_SIG_free(dsasig);
 switch (status) {
 case 1:
@@ -416,7 +321,6 @@ openssldsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 return (ISC_TRUE);
 }
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
 union {
@@ -431,14 +335,12 @@ progress_cb(int p, int n, BN_GENCB *cb) {
 u.fptr(p);
 return (1);
 }
-#endif
 static isc_result_t
 openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 DSA *dsa;
 unsigned char rand_array[ISC_SHA1_DIGESTLENGTH];
 isc_result_t result;
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 BN_GENCB *cb;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 BN_GENCB _cb;
@@ -448,10 +350,6 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 void (*fptr)(int);
 } u;
-#else
-
- UNUSED(callback);
-#endif
 UNUSED(unused);
 result = dst__entropy_getdata(rand_array, sizeof(rand_array),
@@ -459,7 +357,6 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 if (result != ISC_R_SUCCESS)
 return (result);
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 dsa = DSA_new();
 if (dsa == NULL)
 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
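Review bot: `DSA_SIG_set0(dsasig, r, s)` immediately above the new `DSA_SIG_free(dsasig)` in openssldsa_verify is unchecked, and `s` (and presumably `r`, assigned just before the hunk) comes straight from BN_bin2bn, which returns NULL when allocation fails; if set0 refuses a NULL component the way OpenSSL's does, the surviving BIGNUM is never owned by dsasig, so the added free cannot reclaim it, and DSA_do_verify then runs on a half-built signature. Checking the three results together closes both gaps. The free itself is the right fix: before this change no path visible here released dsasig or the BIGNUMs it owns.

```c
	s = BN_bin2bn(cp, ISC_SHA1_DIGESTLENGTH, NULL);
	if (r == NULL || s == NULL || !DSA_SIG_set0(dsasig, r, s)) {
		BN_free(r);
		BN_free(s);
		DSA_SIG_free(dsasig);
		return (ISC_R_NOMEMORY);
	}
	status = DSA_do_verify(digest, ISC_SHA1_DIGESTLENGTH, dsasig, dsa);
	DSA_SIG_free(dsasig);
```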
@@ -488,14 +385,6 @@ openssldsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
 }
 BN_GENCB_free(cb);
 cb = NULL;
-#else
- dsa = DSA_generate_parameters(key->key_size, rand_array,
- ISC_SHA1_DIGESTLENGTH, NULL, NULL,
- NULL, NULL);
- if (dsa == NULL)
- return (dst__openssl_toresult2("DSA_generate_parameters",
- DST_R_OPENSSLFAILURE));
-#endif
 if (DSA_generate_key(dsa) == 0) {
 DSA_free(dsa);
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index 2e47459249..3b8ba82e25 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -13,10 +13,6 @@
 #if defined(OPENSSL) && defined(HAVE_OPENSSL_ECDSA)
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA384)
-#error "ECDSA without EVP for SHA2?"
-#endif
-
 #include
 #include
 #include
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index 17c48679db..867b8f6cad 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -15,15 +15,6 @@
 #ifdef OPENSSL
 #include
-#ifndef USE_EVP
-#if !defined(HAVE_EVP_SHA256) || !defined(HAVE_EVP_SHA512)
-#define USE_EVP 0
-#else
-#define USE_EVP 1
-#endif
-#endif
-
-
 #include
 #include
 #include
@@ -44,9 +35,7 @@
 #include
 #include
 #include
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 #include
-#endif
 #if !defined(OPENSSL_NO_ENGINE)
 #include
 #endif
@@ -62,65 +51,10 @@
 * We don't use configure for windows so enforce the OpenSSL version
 * here. Unlike with configure we don't support overriding this test.
 */
-#ifdef WIN32
-#if !((OPENSSL_VERSION_NUMBER >= 0x009070cfL && \
- OPENSSL_VERSION_NUMBER < 0x00908000L) || \
- (OPENSSL_VERSION_NUMBER >= 0x0090804fL && \
- OPENSSL_VERSION_NUMBER < 0x10002000L) || \
- OPENSSL_VERSION_NUMBER >= 0x1000205fL)
-#error Please upgrade OpenSSL to 0.9.8d/0.9.7l or greater.
-#endif
+#if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x10000000L)
+#error Please upgrade OpenSSL to 1.0.0 or greater.
 #endif
-
- /*
- * XXXMPA Temporarily disable RSA_BLINDING as it requires
- * good quality random data that cannot currently be guaranteed.
- * XXXMPA Find which versions of openssl use pseudo random data
- * and set RSA_FLAG_BLINDING for those.
- */
-
-#if 0
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
- (rsa)->flags |= RSA_FLAG_BLINDING; \
- } while (0)
-#else
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags |= RSA_FLAG_BLINDING; \
- } while (0)
-#endif
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x0090601fL
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~(RSA_FLAG_CACHE_PUBLIC | RSA_FLAG_CACHE_PRIVATE); \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- } while (0)
-#elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-#if defined(RSA_FLAG_NO_BLINDING)
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- (rsa)->flags |= RSA_FLAG_NO_BLINDING; \
- } while (0)
-#else
-#define SET_FLAGS(rsa) \
- do { \
- (rsa)->flags &= ~RSA_FLAG_BLINDING; \
- } while (0)
-#endif
-#else
-#define SET_FLAGS(rsa) \
- do { \
- RSA_clear_flags(rsa, RSA_FLAG_BLINDING); \
- RSA_set_flags(rsa, RSA_FLAG_NO_BLINDING); \
- } while (0)
-#endif
 #define DST_RET(a) {ret = a; goto err;}
 #if !defined(HAVE_RSA_SET0_KEY)
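Review bot: Deleting every SET_FLAGS variant is a runtime change that the hunk leaves undocumented: the removed macros cleared RSA_FLAG_BLINDING and set RSA_FLAG_NO_BLINDING on each key, so with the two call sites gone (opensslrsa_generate and opensslrsa_fromdns, further down this diff) every RSA key now keeps OpenSSL's default of blinding enabled for private-key operations. That is the safer setting against timing side channels, but the deleted XXXMPA comment recorded a deliberate opt-out, so a replacement such as `/* RSA blinding is left at OpenSSL's default (enabled); the old SET_FLAGS opt-out is gone. */` where the macros lived keeps the decision visible to the next reader. Separately, the new WIN32 guard tests `OPENSSL_VERSION_NUMBER < 0x10000000L` while the configure.in check uses `0x1000000fL`, so Windows accepts 1.0.0 pre-releases that configure rejects; `#if defined(WIN32) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)` aligns the two.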
@@ -256,10 +190,8 @@ static isc_result_t opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data);
 static isc_result_t
 opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx;
 const EVP_MD *type = NULL;
-#endif
 UNUSED(key);
 #ifndef PK11_MD5_DISABLE
@@ -302,7 +234,6 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 INSIST(0);
 }
-#if USE_EVP
 evp_md_ctx = EVP_MD_CTX_create();
 if (evp_md_ctx == NULL)
 return (ISC_R_NOMEMORY);
@@ -317,16 +248,12 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 case DST_ALG_NSEC3RSASHA1:
 type = EVP_sha1(); /* SHA1 + RSA */
 break;
-#ifdef HAVE_EVP_SHA256
 case DST_ALG_RSASHA256:
 type = EVP_sha256(); /* SHA256 + RSA */
 break;
-#endif
-#ifdef HAVE_EVP_SHA512
 case DST_ALG_RSASHA512:
 type = EVP_sha512();
 break;
-#endif
 default:
 INSIST(0);
 }
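Review bot: Style: in the third hunk the `case DST_ALG_RSASHA512:` arm is now the only one whose assignment lacks the trailing annotation its siblings carry (`/* SHA1 + RSA */`, `/* SHA256 + RSA */`); `type = EVP_sha512(); /* SHA512 + RSA */` keeps the switch uniform now that the #ifdef guards that visually separated the arms are gone. opensslrsa_createctx starts before the first hunk and continues past the third.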
@@ -338,70 +265,13 @@ opensslrsa_createctx(dst_key_t *key, dst_context_t *dctx) {
 ISC_R_FAILURE));
 }
 dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-#else
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
- {
- isc_md5_t *md5ctx;
-
- md5ctx = isc_mem_get(dctx->mctx, sizeof(isc_md5_t));
- if (md5ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_md5_init(md5ctx);
- dctx->ctxdata.md5ctx = md5ctx;
- }
- break;
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- {
- isc_sha1_t *sha1ctx;
-
- sha1ctx = isc_mem_get(dctx->mctx, sizeof(isc_sha1_t));
- if (sha1ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_sha1_init(sha1ctx);
- dctx->ctxdata.sha1ctx = sha1ctx;
- }
- break;
- case DST_ALG_RSASHA256:
- {
- isc_sha256_t *sha256ctx;
-
- sha256ctx = isc_mem_get(dctx->mctx,
- sizeof(isc_sha256_t));
- if (sha256ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_sha256_init(sha256ctx);
- dctx->ctxdata.sha256ctx = sha256ctx;
- }
- break;
- case DST_ALG_RSASHA512:
- {
- isc_sha512_t *sha512ctx;
-
- sha512ctx = isc_mem_get(dctx->mctx,
- sizeof(isc_sha512_t));
- if (sha512ctx == NULL)
- return (ISC_R_NOMEMORY);
- isc_sha512_init(sha512ctx);
- dctx->ctxdata.sha512ctx = sha512ctx;
- }
- break;
- default:
- INSIST(0);
- }
-#endif
 return (ISC_R_SUCCESS);
 }
 static void
 opensslrsa_destroyctx(dst_context_t *dctx) {
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#endif
 #ifndef PK11_MD5_DISABLE
 REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -416,75 +286,15 @@ opensslrsa_destroyctx(dst_context_t *dctx) {
 dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
-#if USE_EVP
 if (evp_md_ctx != NULL) {
 EVP_MD_CTX_destroy(evp_md_ctx);
 dctx->ctxdata.evp_md_ctx = NULL;
 }
-#else
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
- {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
- if (md5ctx != NULL) {
- isc_md5_invalidate(md5ctx);
- isc_mem_put(dctx->mctx, md5ctx,
- sizeof(isc_md5_t));
- dctx->ctxdata.md5ctx = NULL;
- }
- }
- break;
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- if (sha1ctx != NULL) {
- isc_sha1_invalidate(sha1ctx);
- isc_mem_put(dctx->mctx, sha1ctx,
- sizeof(isc_sha1_t));
- dctx->ctxdata.sha1ctx = NULL;
- }
- }
- break;
- case DST_ALG_RSASHA256:
- {
- isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
- if (sha256ctx != NULL) {
- isc_sha256_invalidate(sha256ctx);
- isc_mem_put(dctx->mctx, sha256ctx,
- sizeof(isc_sha256_t));
- dctx->ctxdata.sha256ctx = NULL;
- }
- }
- break;
- case DST_ALG_RSASHA512:
- {
- isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
- if (sha512ctx != NULL) {
- isc_sha512_invalidate(sha512ctx);
- isc_mem_put(dctx->mctx, sha512ctx,
- sizeof(isc_sha512_t));
- dctx->ctxdata.sha512ctx = NULL;
- }
- }
- break;
- default:
- INSIST(0);
- }
-#endif
 }
 static isc_result_t
 opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-#endif
 #ifndef PK11_MD5_DISABLE
 REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -499,87 +309,21 @@ opensslrsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
 dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
-#if USE_EVP
 if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
 return (dst__openssl_toresult3(dctx->category,
 "EVP_DigestUpdate",
 ISC_R_FAILURE));
 }
-#else
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
- {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
- isc_md5_update(md5ctx, data->base, data->length);
- }
- break;
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- isc_sha1_update(sha1ctx, data->base, data->length);
- }
- break;
- case DST_ALG_RSASHA256:
- {
- isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
- isc_sha256_update(sha256ctx, data->base, data->length);
- }
- break;
- case DST_ALG_RSASHA512:
- {
- isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
- isc_sha512_update(sha512ctx, data->base, data->length);
- }
- break;
- default:
- INSIST(0);
- }
-#endif
 return (ISC_R_SUCCESS);
 }
-#if ! USE_EVP && OPENSSL_VERSION_NUMBER < 0x00908000L
-/*
- * Digest prefixes from RFC 5702.
- */
-static unsigned char sha256_prefix[] =
- { 0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20};
-static unsigned char sha512_prefix[] =
- { 0x30, 0x51, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48,
- 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x05, 0x00, 0x04, 0x40};
-#define PREFIXLEN sizeof(sha512_prefix)
-#else
-#define PREFIXLEN 0
-#endif
 static isc_result_t
 opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 dst_key_t *key = dctx->key;
 isc_region_t r;
 unsigned int siglen = 0;
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 EVP_PKEY *pkey = key->keydata.pkey;
-#else
- RSA *rsa = key->keydata.rsa;
- /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
- unsigned char digest[PREFIXLEN + ISC_SHA512_DIGESTLENGTH];
- int status;
- int type = 0;
- unsigned int digestlen = 0;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- unsigned int prefixlen = 0;
- const unsigned char *prefix = NULL;
-#endif
-#endif
 #ifndef PK11_MD5_DISABLE
 REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -596,7 +340,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 isc_buffer_availableregion(sig, &r);
-#if USE_EVP
 if (r.length < (unsigned int) EVP_PKEY_size(pkey))
 return (ISC_R_NOSPACE);
@@ -605,105 +348,6 @@ opensslrsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
 "EVP_SignFinal",
 ISC_R_FAILURE));
 }
-#else
- if (r.length < (unsigned int) RSA_size(rsa))
- return (ISC_R_NOSPACE);
-
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
- {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
- isc_md5_final(md5ctx, digest);
- type = NID_md5;
- digestlen = ISC_MD5_DIGESTLENGTH;
- }
- break;
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- isc_sha1_final(sha1ctx, digest);
- type = NID_sha1;
- digestlen = ISC_SHA1_DIGESTLENGTH;
- }
- break;
- case DST_ALG_RSASHA256:
- {
- isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
- isc_sha256_final(digest, sha256ctx);
- digestlen = ISC_SHA256_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- prefix = sha256_prefix;
- prefixlen = sizeof(sha256_prefix);
-#else
- type = NID_sha256;
-#endif
- }
- break;
- case DST_ALG_RSASHA512:
- {
- isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
- isc_sha512_final(digest, sha512ctx);
- digestlen = ISC_SHA512_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- prefix = sha512_prefix;
- prefixlen = sizeof(sha512_prefix);
-#else
- type = NID_sha512;
-#endif
- }
- break;
- default:
- INSIST(0);
- }
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- INSIST(type != 0);
- status = RSA_sign(type, digest, digestlen, r.base,
- &siglen, rsa);
- break;
-
- case DST_ALG_RSASHA256:
- case DST_ALG_RSASHA512:
- INSIST(prefix != NULL);
- INSIST(prefixlen != 0);
- INSIST(prefixlen + digestlen <= sizeof(digest));
-
- memmove(digest + prefixlen, digest, digestlen);
- memmove(digest, prefix, prefixlen);
- status = RSA_private_encrypt(digestlen + prefixlen,
- digest, r.base, rsa,
- RSA_PKCS1_PADDING);
- if (status < 0)
- status = 0;
- else
- siglen = status;
- break;
-
- default:
- INSIST(0);
- }
-#else
- INSIST(type != 0);
- status = RSA_sign(type, digest, digestlen, r.base, &siglen, rsa);
-#endif
- if (status == 0)
- return (dst__openssl_toresult3(dctx->category,
- "RSA_sign",
- DST_R_OPENSSLFAILURE));
-#endif
 isc_buffer_add(sig, siglen);
@@ -715,22 +359,10 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 dst_key_t *key = dctx->key;
 int status = 0;
 const BIGNUM *e = NULL;
-#if USE_EVP
 EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
 EVP_PKEY *pkey = key->keydata.pkey;
 RSA *rsa;
 int bits;
-#else
- /* note: ISC_SHA512_DIGESTLENGTH >= ISC_*_DIGESTLENGTH */
- unsigned char digest[ISC_SHA512_DIGESTLENGTH];
- int type = 0;
- unsigned int digestlen = 0;
- RSA *rsa = key->keydata.rsa;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- unsigned int prefixlen = 0;
- const unsigned char *prefix = NULL;
-#endif
-#endif
 #ifndef PK11_MD5_DISABLE
 REQUIRE(dctx->key->key_alg == DST_ALG_RSAMD5 ||
@@ -745,7 +377,6 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 dctx->key->key_alg == DST_ALG_RSASHA512);
 #endif
-#if USE_EVP
 rsa = EVP_PKEY_get1_RSA(pkey);
 if (rsa == NULL)
 return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -766,126 +397,6 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
 "EVP_VerifyFinal",
 DST_R_VERIFYFAILURE));
 }
-#else
- RSA_get0_key(rsa, NULL, &e, NULL);
- if (BN_num_bits(e) > maxbits && maxbits != 0)
- return (DST_R_VERIFYFAILURE);
-
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
- {
- isc_md5_t *md5ctx = dctx->ctxdata.md5ctx;
-
- isc_md5_final(md5ctx, digest);
- type = NID_md5;
- digestlen = ISC_MD5_DIGESTLENGTH;
- }
- break;
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- {
- isc_sha1_t *sha1ctx = dctx->ctxdata.sha1ctx;
-
- isc_sha1_final(sha1ctx, digest);
- type = NID_sha1;
- digestlen = ISC_SHA1_DIGESTLENGTH;
- }
- break;
- case DST_ALG_RSASHA256:
- {
- isc_sha256_t *sha256ctx = dctx->ctxdata.sha256ctx;
-
- isc_sha256_final(digest, sha256ctx);
- digestlen = ISC_SHA256_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- prefix = sha256_prefix;
- prefixlen = sizeof(sha256_prefix);
-#else
- type = NID_sha256;
-#endif
- }
- break;
- case DST_ALG_RSASHA512:
- {
- isc_sha512_t *sha512ctx = dctx->ctxdata.sha512ctx;
-
- isc_sha512_final(digest, sha512ctx);
- digestlen = ISC_SHA512_DIGESTLENGTH;
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- prefix = sha512_prefix;
- prefixlen = sizeof(sha512_prefix);
-#else
- type = NID_sha512;
-#endif
- }
- break;
- default:
- INSIST(0);
- }
-
- if (sig->length != (unsigned int) RSA_size(rsa))
- return (DST_R_VERIFYFAILURE);
-
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
- switch (dctx->key->key_alg) {
-#ifndef PK11_MD5_DISABLE
- case DST_ALG_RSAMD5:
-#endif
- case DST_ALG_RSASHA1:
- case DST_ALG_NSEC3RSASHA1:
- INSIST(type != 0);
- status = RSA_verify(type, digest, digestlen, sig->base,
- RSA_size(rsa), rsa);
- break;
-
- case DST_ALG_RSASHA256:
- case DST_ALG_RSASHA512:
- {
- /*
- * 1024 is big enough for all valid RSA bit sizes
- * for use with DNSSEC.
- */
- unsigned char original[PREFIXLEN + 1024];
-
- INSIST(prefix != NULL);
- INSIST(prefixlen != 0U);
-
- if (RSA_size(rsa) > (int)sizeof(original))
- return (DST_R_VERIFYFAILURE);
-
- status = RSA_public_decrypt(sig->length, sig->base,
- original, rsa,
- RSA_PKCS1_PADDING);
- if (status <= 0)
- return (dst__openssl_toresult3(
- dctx->category,
- "RSA_public_decrypt",
- DST_R_VERIFYFAILURE));
- if (status != (int)(prefixlen + digestlen))
- return (DST_R_VERIFYFAILURE);
- if (!isc_safe_memequal(original, prefix, prefixlen))
- return (DST_R_VERIFYFAILURE);
- if (!isc_safe_memequal(original + prefixlen,
- digest, digestlen))
- return (DST_R_VERIFYFAILURE);
- status = 1;
- }
- break;
-
- default:
- INSIST(0);
- }
-#else
- INSIST(type != 0);
- status = RSA_verify(type, digest, digestlen, sig->base,
- RSA_size(rsa), rsa);
-#endif
- if (status != 1)
- return (dst__openssl_toresult(DST_R_VERIFYFAILURE));
- return (ISC_R_SUCCESS);
-#endif
 }
 static isc_result_t
@@ -902,11 +413,8 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 const BIGNUM *d1 = NULL, *d2 = NULL;
 const BIGNUM *p1 = NULL, *p2 = NULL;
 const BIGNUM *q1 = NULL, *q2 = NULL;
-#if USE_EVP
 EVP_PKEY *pkey1, *pkey2;
-#endif
-#if USE_EVP
 pkey1 = key1->keydata.pkey;
 pkey2 = key2->keydata.pkey;
 /*
@@ -921,10 +429,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 rsa2 = EVP_PKEY_get1_RSA(pkey2);
 RSA_free(rsa2);
 }
-#else
- rsa1 = key1->keydata.rsa;
- rsa2 = key2->keydata.rsa;
-#endif
 if (rsa1 == NULL && rsa2 == NULL)
 return (ISC_TRUE);
@@ -938,7 +442,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 if (status != 0)
 return (ISC_FALSE);
-#if USE_EVP
 if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) != 0 ||
 RSA_test_flags(rsa2, RSA_FLAG_EXT_PKEY) != 0) {
 if (RSA_test_flags(rsa1, RSA_FLAG_EXT_PKEY) == 0 ||
@@ -949,7 +452,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 */
 return (ISC_TRUE);
 }
-#endif
 if (d1 != NULL || d2 != NULL) {
 if (d1 == NULL || d2 == NULL)
@@ -964,7 +466,6 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
 return (ISC_TRUE);
 }
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 static int
 progress_cb(int p, int n, BN_GENCB *cb) {
 union {
@@ -979,11 +480,9 @@ progress_cb(int p, int n, BN_GENCB *cb) {
 u.fptr(p);
 return (1);
 }
-#endif
 static isc_result_t
 opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
-#if OPENSSL_VERSION_NUMBER > 0x00908000L
 isc_result_t ret = DST_R_OPENSSLFAILURE;
 union {
 void *dptr;
@@ -995,9 +494,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 BN_GENCB _cb;
 #endif
 BN_GENCB *cb = BN_GENCB_new();
-#if USE_EVP
 EVP_PKEY *pkey = EVP_PKEY_new();
-#endif
 /*
 * Reject incorrect RSA key lengths.
@@ -1028,12 +525,10 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 if (rsa == NULL || e == NULL || cb == NULL)
 goto err;
-#if USE_EVP
 if (pkey == NULL)
 goto err;
 if (!EVP_PKEY_set1_RSA(pkey, rsa))
 goto err;
-#endif
 if (exp == 0) {
 /* RSA_F4 0x10001 */
@@ -1056,26 +551,19 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
 BN_free(e);
 BN_GENCB_free(cb);
 cb = NULL;
- SET_FLAGS(rsa);
-#if USE_EVP
 key->keydata.pkey = pkey;
 RSA_free(rsa);
-#else
- key->keydata.rsa = rsa;
-#endif
 return (ISC_R_SUCCESS);
 }
 ret = dst__openssl_toresult2("RSA_generate_key_ex",
 DST_R_OPENSSLFAILURE);
 err:
-#if USE_EVP
 if (pkey != NULL) {
 EVP_PKEY_free(pkey);
 pkey = NULL;
 }
-#endif
 if (e != NULL) {
 BN_free(e);
 e = NULL;
@@ -1089,60 +577,15 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { cb = NULL; } return (dst__openssl_toresult(ret)); -#else - RSA *rsa; - unsigned long e; -#if USE_EVP - EVP_PKEY *pkey = EVP_PKEY_new(); - - UNUSED(callback); - - if (pkey == NULL) - return (ISC_R_NOMEMORY); -#else - UNUSED(callback); -#endif - - if (exp == 0) - e = RSA_F4; - else - e = 0x40000003; - rsa = RSA_generate_key(key->key_size, e, NULL, NULL); - if (rsa == NULL) { -#if USE_EVP - EVP_PKEY_free(pkey); -#endif - return (dst__openssl_toresult2("RSA_generate_key", - DST_R_OPENSSLFAILURE)); - } - SET_FLAGS(rsa); -#if USE_EVP - if (!EVP_PKEY_set1_RSA(pkey, rsa)) { - EVP_PKEY_free(pkey); - RSA_free(rsa); - return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); - } - key->keydata.pkey = pkey; - RSA_free(rsa); -#else - key->keydata.rsa = rsa; -#endif - - return (ISC_R_SUCCESS); -#endif } static isc_boolean_t opensslrsa_isprivate(const dst_key_t *key) { const BIGNUM *d = NULL; -#if USE_EVP RSA *rsa = EVP_PKEY_get1_RSA(key->keydata.pkey); INSIST(rsa != NULL); RSA_free(rsa); /* key->keydata.pkey still has a reference so rsa is still valid. */ -#else - RSA *rsa = key->keydata.rsa; -#endif if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0) return (ISC_TRUE); RSA_get0_key(rsa, NULL, NULL, &d); @@ -1151,15 +594,9 @@ opensslrsa_isprivate(const dst_key_t *key) { static void opensslrsa_destroy(dst_key_t *key) { -#if USE_EVP EVP_PKEY *pkey = key->keydata.pkey; EVP_PKEY_free(pkey); key->keydata.pkey = NULL; -#else - RSA *rsa = key->keydata.rsa; - RSA_free(rsa); - key->keydata.rsa = NULL; -#endif } static isc_result_t 
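Review bot: In opensslrsa_isprivate the `rsa != NULL` test in `if (rsa != NULL && RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY) != 0)` is dead after the preceding `INSIST(rsa != NULL);`, and `RSA_free(rsa)` is called before `rsa` is dereferenced by `RSA_test_flags` and `RSA_get0_key`, which is correct only because `key->keydata.pkey` still holds a reference, as the comment says. That pattern is fragile if the key is ever mutated concurrently or the reference-counting assumption about `EVP_PKEY_get1_RSA` changes; I would drop the redundant NULL check and move the `RSA_free(rsa);` to after the last use of `rsa`, i.e. after `RSA_get0_key(rsa, NULL, NULL, &d);`. The function's return statement lies outside this hunk, so the final placement needs to be checked there.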
@@ -1169,25 +606,15 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { unsigned int mod_bytes; isc_result_t ret; RSA *rsa; -#if USE_EVP EVP_PKEY *pkey; -#endif const BIGNUM *e = NULL, *n = NULL; -#if USE_EVP REQUIRE(key->keydata.pkey != NULL); -#else - REQUIRE(key->keydata.rsa != NULL); -#endif -#if USE_EVP pkey = key->keydata.pkey; rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -#else - rsa = key->keydata.rsa; -#endif isc_buffer_availableregion(data, &r); @@ -1220,10 +647,8 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { ret = ISC_R_SUCCESS; err: -#if USE_EVP if (rsa != NULL) RSA_free(rsa); -#endif return (ret); } @@ -1233,9 +658,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_region_t r; unsigned int e_bytes; unsigned int length; -#if USE_EVP EVP_PKEY *pkey; -#endif BIGNUM *e = NULL, *n = NULL; isc_buffer_remainingregion(data, &r); @@ -1246,7 +669,6 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { rsa = RSA_new(); if (rsa == NULL) return (dst__openssl_toresult(ISC_R_NOMEMORY)); - SET_FLAGS(rsa); if (r.length < 1) { RSA_free(rsa); @@ -1283,7 +705,6 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, length); -#if USE_EVP pkey = EVP_PKEY_new(); if (pkey == NULL) { RSA_free(rsa); @@ -1296,9 +717,6 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { } key->keydata.pkey = pkey; RSA_free(rsa); -#else - key->keydata.rsa = rsa; -#endif return (ISC_R_SUCCESS); } 
@@ -1314,17 +732,11 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { const BIGNUM *p = NULL, *q = NULL; const BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; -#if USE_EVP if (key->keydata.pkey == NULL) return (DST_R_NULLKEY); rsa = EVP_PKEY_get1_RSA(key->keydata.pkey); if (rsa == NULL) return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); -#else - if (key->keydata.rsa == NULL) - return (DST_R_NULLKEY); - rsa = key->keydata.rsa; -#endif memset(bufs, 0, sizeof(bufs)); RSA_get0_key(rsa, &n, &e, &d); @@ -1427,9 +839,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { priv.nelements = i; result = dst__privstruct_writefile(key, &priv, directory); fail: -#if USE_EVP RSA_free(rsa); -#endif for (i = 0; i < 8; i++) { if (bufs[i] == NULL) break; @@ -1488,9 +898,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { #endif isc_mem_t *mctx = key->mctx; const char *engine = NULL, *label = NULL; -#if !defined(OPENSSL_NO_ENGINE) || USE_EVP EVP_PKEY *pkey = NULL; -#endif BIGNUM *n = NULL, *e = NULL, *d = NULL; BIGNUM *p = NULL, *q = NULL; BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; @@ -1513,15 +921,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { return (ISC_R_SUCCESS); } -#if USE_EVP if (pub != NULL && pub->keydata.pkey != NULL) pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); -#else - if (pub != NULL && pub->keydata.rsa != NULL) { - pubrsa = pub->keydata.rsa; - pub->keydata.rsa = NULL; - } -#endif for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { @@ -1569,13 +970,8 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (pubrsa != NULL) RSA_free(pubrsa); key->key_size = EVP_PKEY_bits(pkey); -#if USE_EVP key->keydata.pkey = pkey; RSA_free(rsa); -#else - key->keydata.rsa = rsa; - EVP_PKEY_free(pkey); -#endif dst__privstruct_free(&priv, mctx); isc_safe_memwipe(&priv, sizeof(priv)); return (ISC_R_SUCCESS); 
@@ -1587,18 +983,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { rsa = RSA_new(); if (rsa == NULL) DST_RET(ISC_R_NOMEMORY); - SET_FLAGS(rsa); -#if USE_EVP pkey = EVP_PKEY_new(); if (pkey == NULL) DST_RET(ISC_R_NOMEMORY); if (!EVP_PKEY_set1_RSA(pkey, rsa)) DST_RET(ISC_R_FAILURE); key->keydata.pkey = pkey; -#else - key->keydata.rsa = rsa; -#endif for (i = 0; i < priv.nelements; i++) { BIGNUM *bn; @@ -1665,17 +1056,13 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { key->key_size = BN_num_bits(n); if (pubrsa != NULL) RSA_free(pubrsa); -#if USE_EVP RSA_free(rsa); -#endif return (ISC_R_SUCCESS); err: -#if USE_EVP if (pkey != NULL) EVP_PKEY_free(pkey); -#endif if (rsa != NULL) RSA_free(rsa); if (pubrsa != NULL) @@ -1746,13 +1133,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (pubrsa != NULL) RSA_free(pubrsa); key->key_size = EVP_PKEY_bits(pkey); -#if USE_EVP key->keydata.pkey = pkey; RSA_free(rsa); -#else - key->keydata.rsa = rsa; - EVP_PKEY_free(pkey); -#endif return (ISC_R_SUCCESS); err: @@ -1802,22 +1184,10 @@ isc_result_t dst__opensslrsa_init(dst_func_t **funcp, unsigned char algorithm) { REQUIRE(funcp != NULL); + UNUSED(algorithm); + if (*funcp == NULL) { - switch (algorithm) { - case DST_ALG_RSASHA256: -#if defined(HAVE_EVP_SHA256) || !USE_EVP - *funcp = &opensslrsa_functions; -#endif - break; - case DST_ALG_RSASHA512: -#if defined(HAVE_EVP_SHA512) || !USE_EVP - *funcp = &opensslrsa_functions; -#endif - break; - default: - *funcp = &opensslrsa_functions; - break; - } + *funcp = &opensslrsa_functions; } return (ISC_R_SUCCESS); } diff --git a/libtool.m4/ltsugar.m4 b/libtool.m4/ltsugar.m4 index 9000a057d3..48bc9344a4 100644 --- a/libtool.m4/ltsugar.m4 +++ b/libtool.m4/ltsugar.m4 
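Review bot: dst__opensslrsa_init now registers `opensslrsa_functions` for every algorithm unconditionally (`UNUSED(algorithm);`), dropping the HAVE_EVP_SHA256/HAVE_EVP_SHA512 gates for RSASHA256 and RSASHA512, so correctness depends entirely on the build system guaranteeing those digests exist. The Windows side of this same diff (win32utils/Configure, L27-L28) removes its EVP_sha256/384/512 probes without adding an equivalent hard failure, so an OpenSSL built with `no-sha256`/`no-sha512` would, if I read this right, register RSASHA256/RSASHA512 and only fail later at sign or verify time. A compile-time guard near the top of the file would close that gap: `#if defined(OPENSSL_NO_SHA256) || defined(OPENSSL_NO_SHA512)` / `#error "OpenSSL without SHA-256/SHA-512 is not supported"` / `#endif`. A short comment on the `UNUSED(algorithm);` line, `/* all RSA variants use the same function table; SHA-1/SHA-2 availability is enforced at configure time */`, would document why the switch was removed.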
@@ -1,6 +1,7 @@ # ltsugar.m4 -- libtool m4 base layer. -*-Autoconf-*- # -# Copyright (C) 2004, 2005, 2007, 2008 Free Software Foundation, Inc. +# Copyright (C) 2004-2005, 2007-2008, 2011-2015 Free Software +# Foundation, Inc. # Written by Gary V. Vaughan, 2004 # # This file is free software; the Free Software Foundation gives @@ -33,7 +34,7 @@ m4_define([_lt_join], # ------------ # Manipulate m4 lists. # These macros are necessary as long as will still need to support -# Autoconf-2.59 which quotes differently. +# Autoconf-2.59, which quotes differently. m4_define([lt_car], [[$1]]) m4_define([lt_cdr], [m4_if([$#], 0, [m4_fatal([$0: cannot be called without arguments])], @@ -44,7 +45,7 @@ m4_define([lt_unquote], $1) # lt_append(MACRO-NAME, STRING, [SEPARATOR]) # ------------------------------------------ -# Redefine MACRO-NAME to hold its former content plus `SEPARATOR'`STRING'. +# Redefine MACRO-NAME to hold its former content plus 'SEPARATOR''STRING'. # Note that neither SEPARATOR nor STRING are expanded; they are appended # to MACRO-NAME as is (leaving the expansion for when MACRO-NAME is invoked). # No SEPARATOR is output if MACRO-NAME was previously undefined (different diff --git a/libtool.m4/lt~obsolete.m4 b/libtool.m4/lt~obsolete.m4 index c573da90c5..c6b26f88f6 100644 --- a/libtool.m4/lt~obsolete.m4 +++ b/libtool.m4/lt~obsolete.m4 @@ -1,6 +1,7 @@ # lt~obsolete.m4 -- aclocal satisfying obsolete definitions. -*-Autoconf-*- # -# Copyright (C) 2004, 2005, 2007, 2009 Free Software Foundation, Inc. +# Copyright (C) 2004-2005, 2007, 2009, 2011-2015 Free Software +# Foundation, Inc. # Written by Scott James Remnant, 2004. # # This file is free software; the Free Software Foundation gives 
@@ -11,7 +12,7 @@ # These exist entirely to fool aclocal when bootstrapping libtool. # -# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN) +# In the past libtool.m4 has provided macros via AC_DEFUN (or AU_DEFUN), # which have later been changed to m4_define as they aren't part of the # exported API, or moved to Autoconf or Automake where they belong. # @@ -25,7 +26,7 @@ # included after everything else. This provides aclocal with the # AC_DEFUNs it wants, but when m4 processes it, it doesn't do anything # because those macros already exist, or will be overwritten later. -# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. +# We use AC_DEFUN over AU_DEFUN for compatibility with aclocal-1.6. # # Anytime we withdraw an AC_DEFUN or AU_DEFUN, remember to add it here. # Yes, that means every name once taken will need to remain here until diff --git a/win32utils/Configure b/win32utils/Configure index cf8cf891db..78cc666706 100644 --- a/win32utils/Configure +++ b/win32utils/Configure @@ -198,9 +198,6 @@ my @substdefh = ("AES_CC", "DNS_RDATASET_FIXED", "ENABLE_RPZ_NSDNAME", "ENABLE_RPZ_NSIP", - "HAVE_EVP_SHA256", - "HAVE_EVP_SHA384", - "HAVE_EVP_SHA512", "HAVE_FIPS_MODE", "HAVE_GEOIP", "HAVE_GEOIP_CITY_V6", @@ -1572,14 +1569,12 @@ if ($use_openssl eq "yes") { #include int main() { - if ((OPENSSL_VERSION_NUMBER >= 0x009070cfL && - OPENSSL_VERSION_NUMBER < 0x00908000L) || - OPENSSL_VERSION_NUMBER >= 0x0090804fL) + if (OPENSSL_VERSION_NUMBER >= 0x10000000L) { return (0); + } printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n", OPENSSL_VERSION_NUMBER); - printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n" - "Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n\n"); + printf("Require OPENSSL_VERSION_NUMBER 0x10000000L or greater (1.0.0)\n\n"); return (1); } EOF 
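Review bot: The new version test in the win32utils/Configure probe, `if (OPENSSL_VERSION_NUMBER >= 0x10000000L)`, accepts any 1.0.0 pre-release because the low status nibble is 0 (development) rather than 0xf (release); comparing against `0x1000000fL` would require the 1.0.0 release proper. The error text also prints the C suffix, `Require OPENSSL_VERSION_NUMBER 0x10000000L or greater (1.0.0)`, which reads oddly next to the `%#010x` value printed above it; `0x1000000f or greater (1.0.0)` would match. The enclosing `if ($use_openssl eq "yes")` block and the heredoc it writes start before this hunk.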
@@ -1624,108 +1619,6 @@ EOF } } -# check EVP_sha256 / EVP_sha384 / EVP_sha512 - -if ($use_openssl eq "yes") { - if ($verbose) { - printf "checking for EVP_sha256\n"; - } - open F, ">testsha256.c" || die $!; - print F << 'EOF'; -extern void *EVP_sha256(); - -int main() { - return EVP_sha256() != 0; -} -EOF - close F; - my $library = $configlib{"OPENSSL_LIB"}; - $compret = `cl /nologo /MD testsha256.c "$library"`; - if (grep { -f and -x } ".\\testsha256.exe") { - `.\\testsha256.exe`; - if ($? == 0) { - if ($verbose) { - print "EVP_sha256 test failed: disabling EVP_sha256\n"; - } - $use_ecdsa = "no"; - $enable_openssl_hash = "no"; - } else { - $configdefh{"HAVE_EVP_SHA256"} = 1; - } - } else { - if ($verbose) { - print "can't compile EVP_sha256 test: $compret\n"; - print "disabling EVP_sha256\n"; - } - $use_ecdsa = "no"; - $enable_openssl_hash = "no"; - } - - if ($verbose) { - printf "checking for EVP_sha384\n"; - } - open F, ">testsha384.c" || die $!; - print F << 'EOF'; -extern void *EVP_sha384(); - -int main() { - return EVP_sha384() != 0; -} -EOF - close F; - $compret = `cl /nologo /MD testsha384.c "$library"`; - if (grep { -f and -x } ".\\testsha384.exe") { - `.\\testsha384.exe`; - if ($? == 0) { - if ($verbose) { - print "EVP_sha384 test failed: disabling EVP_sha384\n"; - } - $use_ecdsa = "no"; - $enable_openssl_hash = "no"; - } else { - $configdefh{"HAVE_EVP_SHA384"} = 1; - } - } else { - if ($verbose) { - print "can't compile EVP_sha384 test: $compret\n"; - print "disabling EVP_sha384\n"; - } - $use_ecdsa = "no"; - $enable_openssl_hash = "no"; - } - - if ($verbose) { - printf "checking for EVP_sha512\n"; - } - open F, ">testsha512.c" || die $!; - print F << 'EOF'; -extern void *EVP_sha512(); - -int main() { - return EVP_sha512() != 0; -} -EOF - close F; - $compret = `cl /nologo /MD testsha512.c "$library"`; - if (grep { -f and -x } ".\\testsha512.exe") { - `.\\testsha512.exe`; - if ($? 
== 0) { - if ($verbose) { - print "EVP_sha512 test failed: disabling EVP_sha512\n"; - } - $use_eddsa = "no"; - } else { - $configdefh{"HAVE_EVP_SHA512"} = 1; - } - } else { - if ($verbose) { - print "can't compile EVP_sha512 test: $compret\n"; - print "disabling EVP_sha512\n"; - } - $use_eddsa = "no"; - } -} - # with-ecdsa if ($use_openssl eq "no") { $use_ecdsa = "no";