From 71a8f1e7cd83075416a4edd71572c9aec0ec49d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?=
Date: Wed, 7 Sep 2022 13:46:31 +0200
Subject: [PATCH 01/10] Add ENGINE_init and ENGINE_finish calls

According to manual page of ENGINE_init, it should be called explicitly before any key operations happens. Make it active whole lifetime.
---
 lib/dns/openssl_link.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 333f34cb37..a3f63885fa 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
 result = DST_R_NOENGINE;
 goto cleanup_rm;
 }
+ if (!ENGINE_init(e)) {
+ result = DST_R_NOENGINE;
+ goto cleanup_rm;
+ }
 /* This will init the engine. */
 if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
 result = DST_R_NOENGINE;
- goto cleanup_rm;
+ goto cleanup_init;
 }
 }
 return (ISC_R_SUCCESS);
+cleanup_init:
+ ENGINE_finish(e);
 cleanup_rm:
 if (e != NULL) {
 ENGINE_free(e);
@@ -108,6 +114,7 @@ void
 dst__openssl_destroy(void) {
 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 if (e != NULL) {
+ ENGINE_finish(e);
 ENGINE_free(e);
 }
 e = NULL;

From f92950bb6490dcbc0e09cfae814fbd27423c4410 Mon Sep 17 00:00:00 2001
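Review bot: The context line `/* This will init the engine. */` is now wrong, because the ENGINE_init(e) call added just above it is what initialises the engine and ENGINE_set_default() only registers it as the default implementation for every method; I would change it to `/* Engine is initialised above; make it the default for all methods. */`. The two cleanup labels look right: an ENGINE_init failure jumps to cleanup_rm and drops only the structural reference taken when the engine was looked up, while an ENGINE_set_default failure goes through cleanup_init so the functional reference is released by ENGINE_finish before ENGINE_free. dst__openssl_init starts before this hunk and the cleanup_rm path continues after it, so I cannot see whether `e` is reset to NULL there; if it is not, the ENGINE_finish added to dst__openssl_destroy in the next hunk would run on an already freed engine after a failed init.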
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 8 Sep 2022 17:19:20 +0200 Subject: [PATCH 02/10] Do not use OSSL_PARAM when engine API is compiled OpenSSL has deprecated many things in version 3.0. If pkcs11 engine should work then no builder from OpenSSL 3.0 API can be used. Allow switching to OpenSSL 1.1 like calls even on OpenSSL 3.0 when OPENSSL_API_COMPAT=10100 is defined. It would still compile and allow working keys loading from the engine passed on command line. --- lib/dns/openssldh_link.c | 136 +++++++++++++++++++----------------- lib/dns/opensslecdsa_link.c | 119 +++++++++++++++---------------- lib/dns/opensslrsa_link.c | 118 +++++++++++++++---------------- 3 files changed, 189 insertions(+), 184 deletions(-) diff --git a/lib/dns/openssldh_link.c b/lib/dns/openssldh_link.c index f063160148..a7cbdbe586 100644 --- a/lib/dns/openssldh_link.c +++ b/lib/dns/openssldh_link.c @@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL; static isc_result_t openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, isc_buffer_t *secret) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dhpub, *dhpriv; const BIGNUM *pub_key = NULL; int secret_len = 0; @@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *dhpub, *dhpriv; size_t secret_len = 0; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_region_t r; unsigned int len; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 REQUIRE(pub->keydata.dh != NULL); REQUIRE(priv->keydata.dh != NULL); 
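Review bot: The new guard `#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000` at the top of openssldh_computesecret() silently selects the deprecated DH path whenever OPENSSL_API_LEVEL is not defined, because the preprocessor evaluates an undefined identifier as 0 inside `#if`; on an OpenSSL 3.0 build that would mean compiling against the legacy API without the OPENSSL_API_COMPAT setting the commit message relies on. openssl_link.c in the first patch already tests `OPENSSL_API_LEVEL < 30000`, so the macro is presumably supplied by the build, but I would make that explicit once near the top of the file with `#ifndef OPENSSL_API_LEVEL` / `#error "OPENSSL_API_LEVEL must be defined"` / `#endif`, and compile with -Wundef so a missing definition fails loudly rather than picking a code path. The same two-clause condition is then repeated on every `#if` and `#endif` across three files, which invites drift; a single `#define DST_OPENSSL_LEGACY_API (OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000)` in the shared header would let each guard read `#if DST_OPENSSL_LEGACY_API`. openssldh_computesecret's body continues past this hunk.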
@@ -119,14 +119,14 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, dhpriv = priv->keydata.pkey; len = EVP_PKEY_get_size(dhpriv); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_buffer_availableregion(secret, &r); if (r.length < len) { return (ISC_R_NOSPACE); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH_get0_key(dhpub, &pub_key, NULL); secret_len = DH_compute_key(r.base, pub_key, dhpriv); if (secret_len <= 0) { @@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, DST_R_COMPUTESECRETFAILURE)); } EVP_PKEY_CTX_free(ctx); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_buffer_add(secret, (unsigned int)secret_len); @@ -166,7 +166,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv, static bool openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh1, *dh2; const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; @@ -176,9 +176,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { BIGNUM *pub_key1 = NULL, *pub_key2 = NULL; BIGNUM *priv_key1 = NULL, *priv_key2 = NULL; BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 dh1 = key1->keydata.dh; dh2 = key2->keydata.dh; 
@@ -210,7 +210,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2); EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 || BN_cmp(pub_key1, pub_key2) != 0) @@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) { } err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p1 != NULL) { BN_free(p1); } @@ -251,7 +251,8 @@ err: if (priv_key2 != NULL) { BN_clear_free(priv_key2); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ return (ret); } @@ -259,15 +260,15 @@ err: static bool openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { bool ret = true; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh1, *dh2; const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; #else EVP_PKEY *pkey1, *pkey2; BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 dh1 = key1->keydata.dh; dh2 = key2->keydata.dh; 
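Review bot: The `#endif` comment in the `@@ -251,7 +251,8 @@` hunk is now split as `#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \` with `*/` on its own line; the trailing backslash is a line splice inside a block comment, which is legal but reads like a continued directive and is a sign the condition no longer fits the line. I would shorten the marker to what it denotes, `#endif /* OpenSSL 3.0 API */`, which also keeps the comment from going stale the next time the condition changes. The `err:` cleanup this hunk touches belongs to openssldh_compare, whose body starts before this hunk; the same wrapped comment recurs in openssldh_paramcompare, openssldh_todns and openssldh_tofile further down the patch.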
@@ -293,14 +294,14 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) { EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2); EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) { DST_RET(false); } err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p1 != NULL) { BN_free(p1); } @@ -313,12 +314,13 @@ err: if (g2 != NULL) { BN_free(g2); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ return (ret); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 static int progress_cb(int p, int n, BN_GENCB *cb) { union { @@ -349,7 +351,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { } return (1); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ static isc_result_t openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { @@ -359,7 +361,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { void (*fptr)(int); } u; BIGNUM *p = NULL, *g = NULL; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh = NULL; BN_GENCB *cb = NULL; #if !HAVE_BN_GENCB_NEW 
@@ -372,9 +374,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *param_pkey = NULL; EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 dh = DH_new(); if (dh == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); @@ -388,7 +390,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (param_ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (generator == 0) { /* @@ -408,7 +410,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { if (p == NULL || g == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (DH_set0_pqg(dh, p, NULL, g) != 1) { DST_RET(dst__openssl_toresult2( "DH_set0_pqg", DST_R_OPENSSLFAILURE)); @@ -432,7 +434,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { DST_R_OPENSSLFAILURE)); } params = OSSL_PARAM_BLD_to_param(bld); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ } else { /* @@ -445,7 +447,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { } if (generator != 0) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (callback != NULL) { cb = BN_GENCB_new(); #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) 
@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { DST_R_OPENSSLFAILURE)); } params = OSSL_PARAM_BLD_to_param(bld); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (DH_generate_key(dh) == 0) { DST_RET(dst__openssl_toresult2("DH_generate_key", DST_R_OPENSSLFAILURE)); @@ -556,12 +558,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) { key->keydata.pkey = pkey; pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ ret = ISC_R_SUCCESS; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (dh != NULL) { DH_free(dh); } @@ -593,14 +595,14 @@ err: if (g != NULL) { BN_free(g); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } static bool openssldh_isprivate(const dst_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh = key->keydata.dh; const BIGNUM *priv_key = NULL; @@ -625,12 +627,12 @@ openssldh_isprivate(const dst_key_t *key) { } return (ret); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ } static void openssldh_destroy(dst_key_t *key) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh = key->keydata.dh; if (dh == NULL) { 
@@ -648,7 +650,7 @@ openssldh_destroy(dst_key_t *key) { EVP_PKEY_free(pkey); key->keydata.pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ } static void @@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) { static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { isc_result_t ret = ISC_R_SUCCESS; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh; const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; #else EVP_PKEY *pkey; BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_region_t r; uint16_t dnslen, plen, glen, publen; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 REQUIRE(key->keydata.dh != NULL); dh = key->keydata.dh; @@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_buffer_availableregion(data, &r); @@ -746,7 +748,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) { isc_buffer_add(data, dnslen); err: -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p != NULL) { BN_free(p); } @@ -756,7 +758,8 @@ err: if (pub_key != NULL) { BN_free(pub_key); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ return (ret); } 
@@ -764,14 +767,14 @@ err: static isc_result_t openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_result_t ret; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh; #else OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ BIGNUM *pub_key = NULL, *p = NULL, *g = NULL; int key_size; isc_region_t r; @@ -783,7 +786,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { return (ISC_R_SUCCESS); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 dh = DH_new(); if (dh == NULL) { DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY)); @@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { if (ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ /* * Read the prime length. 1 & 2 are table entries, > 16 means a @@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { key_size = BN_num_bits(p); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (DH_set0_pqg(dh, p, NULL, g) != 1) { DST_RET(dst__openssl_toresult2("DH_set0_pqg", DST_R_OPENSSLFAILURE)); @@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN", DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (r.length < 2) { DST_RET(DST_R_INVALIDPUBLICKEY); 
@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, plen + glen + publen + 6); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 #if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \ (LIBRESSL_VERSION_NUMBER <= 0x2070200fL) /* @@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) { key->keydata.pkey = pkey; pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ key->key_size = (unsigned int)key_size; ret = ISC_R_SUCCESS; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (dh != NULL) { DH_free(dh); } @@ -975,7 +978,7 @@ err: if (bld != NULL) { OSSL_PARAM_BLD_free(bld); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (p != NULL) { BN_free(p); } @@ -991,13 +994,13 @@ err: static isc_result_t openssldh_tofile(const dst_key_t *key, const char *directory) { -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh; const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; #else EVP_PKEY *pkey; BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ dst_private_t priv; unsigned char *bufs[4] = { NULL }; unsigned short i = 0; @@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { return (DST_R_EXTERNALKEY); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (key->keydata.dh == NULL) { return (DST_R_NULLKEY); } 
@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ priv.elements[i].tag = TAG_DH_PRIME; priv.elements[i].length = BN_num_bytes(p); @@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { } } -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 if (p != NULL) { BN_free(p); } @@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) { if (priv_key != NULL) { BN_clear_free(priv_key); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ return (result); } @@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; int i; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 DH *dh = NULL; #else OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL; int key_size = 0; isc_mem_t *mctx; @@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(DST_R_EXTERNALKEY); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 dh = DH_new(); if (dh == NULL) { DST_RET(ISC_R_NOMEMORY); 
@@ -1127,7 +1131,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ for (i = 0; i < priv.nelements; i++) { BIGNUM *bn; @@ -1154,7 +1158,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (DH_set0_key(dh, pub_key, priv_key) != 1) { DST_RET(dst__openssl_toresult2("DH_set0_key", DST_R_OPENSSLFAILURE)); @@ -1201,13 +1205,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { key->keydata.pkey = pkey; pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ key->key_size = (unsigned int)key_size; ret = ISC_R_SUCCESS; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (dh != NULL) { DH_free(dh); } @@ -1224,7 +1228,7 @@ err: if (bld != NULL) { OSSL_PARAM_BLD_free(bld); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (p != NULL) { BN_free(p); } diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 519e88b7e7..04f0d80b5e 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -17,14 +17,14 @@ #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 #include #endif #include #include #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 #include #endif #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 
@@ -57,7 +57,7 @@ goto err; \ } -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 static isc_result_t raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key, size_t key_len, EVP_PKEY **pkey) { @@ -159,7 +159,8 @@ err: return (ret); } -#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \ + */ static isc_result_t opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) { @@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { bool ret; EVP_PKEY *pkey1 = key1->keydata.pkey; EVP_PKEY *pkey2 = key2->keydata.pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey1 = NULL; EC_KEY *eckey2 = NULL; const BIGNUM *priv1; @@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { #else BIGNUM *priv1 = NULL; BIGNUM *priv2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (pkey1 == NULL && pkey2 == NULL) { return (true); @@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { DST_RET(false); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 eckey1 = EVP_PKEY_get1_EC_KEY(pkey1); eckey2 = EVP_PKEY_get1_EC_KEY(pkey2); if (eckey1 == NULL && eckey2 == NULL) { 
@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { #else EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (priv1 != NULL || priv2 != NULL) { if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0) @@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) { ret = true; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (eckey1 != NULL) { EC_KEY_free(eckey1); } @@ -471,7 +472,7 @@ err: if (priv2 != NULL) { BN_clear_free(priv2); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } @@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { isc_result_t ret; int status; EVP_PKEY *pkey = NULL; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey = NULL; #else EVP_PKEY_CTX *ctx = NULL; EVP_PKEY *params_pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ int group_nid; REQUIRE(key->key_alg == DST_ALG_ECDSA256 || @@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { key->key_size = DNS_KEY_ECDSA384SIZE * 4; } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 eckey = EC_KEY_new_by_curve_name(group_nid); if (eckey == NULL) { DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name", 
@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) { DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ key->keydata.pkey = pkey; pkey = NULL; @@ -573,7 +574,7 @@ err: if (pkey != NULL) { EVP_PKEY_free(pkey); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (eckey != NULL) { EC_KEY_free(eckey); } @@ -584,7 +585,7 @@ err: if (ctx != NULL) { EVP_PKEY_CTX_free(ctx); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } @@ -593,11 +594,11 @@ static bool opensslecdsa_isprivate(const dst_key_t *key) { bool ret; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey; #else BIGNUM *priv = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || key->key_alg == DST_ALG_ECDSA384); @@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { return (false); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 eckey = EVP_PKEY_get1_EC_KEY(pkey); ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL); @@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) { if (priv != NULL) { BN_clear_free(priv); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } 
@@ -640,7 +641,7 @@ static isc_result_t opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { isc_result_t ret; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey = NULL; int len; unsigned char *cp; @@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { BIGNUM *y = NULL; size_t keysize = 0; size_t len = 0; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_region_t r; unsigned char buf[DNS_KEY_ECDSA384SIZE + 1]; @@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { pkey = key->keydata.pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 eckey = EVP_PKEY_get1_EC_KEY(pkey); if (eckey == NULL) { DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); @@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { } len = keysize; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_buffer_availableregion(data, &r); if (r.length < (unsigned int)len) { DST_RET(ISC_R_NOSPACE); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 cp = buf; if (!i2o_ECPublicKey(eckey, &cp)) { DST_RET(dst__openssl_toresult(ISC_R_FAILURE)); 
@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) { BN_bn2bin_fixed(x, &buf[0], keysize / 2); BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2); memmove(r.base, buf, len); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_buffer_add(data, len); ret = ISC_R_SUCCESS; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (eckey != NULL) { EC_KEY_free(eckey); } @@ -721,7 +722,7 @@ err: if (y != NULL) { BN_clear_free(y); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } @@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_result_t ret; EVP_PKEY *pkey = NULL; isc_region_t r; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey = NULL; const unsigned char *cp; unsigned int len; @@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { int group_nid; #else size_t len; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ REQUIRE(key->key_alg == DST_ALG_ECDSA256 || key->key_alg == DST_ALG_ECDSA384); @@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { DST_RET(DST_R_INVALIDPUBLICKEY); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (key->key_alg == DST_ALG_ECDSA256) { group_nid = NID_X9_62_prime256v1; } else { 
@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { if (ret != ISC_R_SUCCESS) { DST_RET(ret); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ isc_buffer_forward(data, len); key->keydata.pkey = pkey; @@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) { ret = ISC_R_SUCCESS; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (eckey != NULL) { EC_KEY_free(eckey); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } @@ -814,13 +815,13 @@ static isc_result_t opensslecdsa_tofile(const dst_key_t *key, const char *directory) { isc_result_t ret; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey = NULL; const BIGNUM *privkey = NULL; #else int status; BIGNUM *privkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ dst_private_t priv; unsigned char *buf = NULL; unsigned short i; @@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { } pkey = key->keydata.pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 eckey = EVP_PKEY_get1_EC_KEY(pkey); if (eckey == NULL) { DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY", @@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) { DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param", DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ buf = isc_mem_get(key->mctx, BN_num_bytes(privkey)); 
@@ -888,7 +889,7 @@ err: if (buf != NULL && privkey != NULL) { isc_mem_put(key->mctx, buf, BN_num_bytes(privkey)); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (eckey != NULL) { EC_KEY_free(eckey); } @@ -896,12 +897,12 @@ err: if (privkey != NULL) { BN_clear_free(privkey); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 static isc_result_t ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) { const EC_POINT *pubkey; @@ -1065,9 +1066,9 @@ err: return (ret); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 static isc_result_t load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv, int privkey_index) { @@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) { } return (ISC_R_SUCCESS); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ static isc_result_t finalize_eckey(dst_key_t *key, -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey, #endif const char *engine, const char *label) { isc_result_t result = ISC_R_SUCCESS; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EVP_PKEY *pkey = NULL; REQUIRE(eckey != NULL); 
@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key, } key->keydata.pkey = pkey; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (label != NULL) { key->label = isc_mem_strdup(key->mctx, label); @@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key, return (result); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 static isc_result_t dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { int group_nid; @@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) { return (ISC_R_SUCCESS); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ static isc_result_t opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, @@ -1173,10 +1174,10 @@ static isc_result_t opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 EC_KEY *eckey = NULL; EC_KEY *pubeckey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ const char *engine = NULL; const char *label = NULL; int i, privkey_index = -1; 
@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { goto err; } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey); if (eckey == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ } else { -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 ret = dst__key_to_eckey(key, &eckey); if (ret != ISC_R_SUCCESS) { goto err; @@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { priv.elements[privkey_index].data, priv.elements[privkey_index].length, &key->keydata.pkey); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (ret != ISC_R_SUCCESS) { goto err; @@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { finalize_key = true; } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (pub != NULL && pub->keydata.pkey != NULL) { pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey); } 
@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { if (finalize_key) { ret = finalize_eckey(key, engine, label); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (pubeckey != NULL) { EC_KEY_free(pubeckey); } if (eckey != NULL) { EC_KEY_free(eckey); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (ret != ISC_R_SUCCESS) { key->keydata.generic = NULL; } diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 2e03a2f022..50d0d6325f 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c @@ -18,7 +18,7 @@ #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 #include #endif #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 @@ -26,7 +26,7 @@ #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #include #include -#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 #include #endif #include @@ -180,12 +180,12 @@ static isc_result_t opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { dst_key_t *key = dctx->key; int status = 0; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa; const BIGNUM *e = NULL; #else BIGNUM *e = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx; EVP_PKEY *pkey = key->keydata.pkey; int bits; 
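Review bot: The include guard `#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000` in the two header hunks of opensslrsa_link.c is the hand-negated form of the `OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000` condition that this commit repeats in dozens of `#if`/`#endif` pairs across the three files, and the two spellings now have to be kept in lock-step by eye. One named macro would make that coupling explicit and also keep the `#endif` trailer comments inside the line width, e.g. `#define DST_OPENSSL_LEGACY_API (OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000)` in a shared header, then `#if DST_OPENSSL_LEGACY_API` and `#if !DST_OPENSSL_LEGACY_API` at each site. The header where it would live is outside this diff, so the definition site is a suggestion only. The `opensslrsa_verify2` hunk at the end of this line is cut by the hunk boundary, so its body is not fully visible here.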
@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { dctx->key->key_alg == DST_ALG_RSASHA256 || dctx->key->key_alg == DST_ALG_RSASHA512); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) { return (dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) { } bits = BN_num_bits(e); BN_free(e); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (bits > maxbits && maxbits != 0) { return (DST_R_VERIFYFAILURE); @@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { int status; EVP_PKEY *pkey1 = key1->keydata.pkey; EVP_PKEY *pkey2 = key2->keydata.pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa1 = NULL; RSA *rsa2 = NULL; const BIGNUM *d1 = NULL, *d2 = NULL; @@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { BIGNUM *d1 = NULL, *d2 = NULL; BIGNUM *p1 = NULL, *p2 = NULL; BIGNUM *q1 = NULL, *q2 = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (pkey1 == NULL && pkey2 == NULL) { return (true); @@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { DST_RET(false); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa1 = EVP_PKEY_get1_RSA(pkey1); rsa2 = EVP_PKEY_get1_RSA(pkey2); if (rsa1 == NULL && rsa2 == NULL) { 
@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { #else EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (d1 != NULL || d2 != NULL) { if (d1 == NULL || d2 == NULL) { DST_RET(false); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA_get0_factors(rsa1, &p1, &q1); RSA_get0_factors(rsa2, &p2, &q2); #else @@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2); EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 || BN_cmp(q1, q2) != 0) { @@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) { ret = true; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (rsa1 != NULL) { RSA_free(rsa1); } @@ -332,12 +332,12 @@ err: if (q2 != NULL) { BN_clear_free(q2); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 static int progress_cb(int p, int n, BN_GENCB *cb) { union { 
@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) { } return (1); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ static isc_result_t opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { @@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { void (*fptr)(int); } u; BIGNUM *e = BN_new(); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa = RSA_new(); EVP_PKEY *pkey = EVP_PKEY_new(); #if !HAVE_BN_GENCB_NEW @@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { #else EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL); EVP_PKEY *pkey = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (e == NULL || rsa == NULL || pkey == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } @@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { if (e == NULL || ctx == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ /* * Reject incorrect RSA key lengths. @@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { BN_set_bit(e, 32); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } 
@@ -481,7 +481,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) { DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen", DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ key->keydata.pkey = pkey; pkey = NULL; @@ -491,7 +491,7 @@ err: if (pkey != NULL) { EVP_PKEY_free(pkey); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (rsa != NULL) { RSA_free(rsa); } @@ -502,7 +502,7 @@ err: if (ctx != NULL) { EVP_PKEY_CTX_free(ctx); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (e != NULL) { BN_free(e); } @@ -513,12 +513,12 @@ static bool opensslrsa_isprivate(const dst_key_t *key) { bool ret; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa; const BIGNUM *d = NULL; #else BIGNUM *d = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ REQUIRE(key->key_alg == DST_ALG_RSASHA1 || key->key_alg == DST_ALG_NSEC3RSASHA1 || @@ -530,7 +530,7 @@ opensslrsa_isprivate(const dst_key_t *key) { return (false); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = EVP_PKEY_get1_RSA(pkey); INSIST(rsa != NULL); @@ -547,7 +547,7 @@ opensslrsa_isprivate(const dst_key_t *key) { if (d != NULL) { BN_clear_free(d); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } 
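Review bot: `INSIST(rsa != NULL);` immediately after `rsa = EVP_PKEY_get1_RSA(pkey);` in the `opensslrsa_isprivate` hunk turns an OpenSSL failure into a process abort, while the sibling `opensslrsa_verify2` and `opensslrsa_todns` hunks in this same commit return `DST_R_OPENSSLFAILURE` for the identical NULL result. The commit widens the conditions under which this branch is compiled (OpenSSL 3.0 with `OPENSSL_API_COMPAT=10100`), where `EVP_PKEY_get1_RSA()` can presumably return NULL for a provider-backed key that cannot be exported to the legacy RSA form, so a predicate that only asks whether the key is private should not be a crash site. The line is unchanged context rather than new code, but I would replace the assertion with `if (rsa == NULL) { return (false); }`, matching the error-return style of the other two functions; nothing has been allocated at that point, so no cleanup is needed. `opensslrsa_isprivate` starts before this hunk.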
@@ -569,19 +569,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { unsigned int mod_bytes; isc_result_t ret; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa; const BIGNUM *e = NULL, *n = NULL; #else BIGNUM *e = NULL, *n = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ REQUIRE(key->keydata.pkey != NULL); pkey = key->keydata.pkey; isc_buffer_availableregion(data, &r); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -593,7 +593,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { if (e == NULL || n == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ mod_bytes = BN_num_bytes(n); e_bytes = BN_num_bytes(e); @@ -626,7 +626,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) { ret = ISC_R_SUCCESS; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (rsa != NULL) { RSA_free(rsa); } @@ -637,7 +637,7 @@ err: if (n != NULL) { BN_free(n); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } 
@@ -648,13 +648,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_region_t r; unsigned int e_bytes; unsigned int length; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa = NULL; #else OSSL_PARAM_BLD *bld = NULL; OSSL_PARAM *params = NULL; EVP_PKEY_CTX *ctx = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ EVP_PKEY *pkey = NULL; BIGNUM *e = NULL, *n = NULL; @@ -696,7 +696,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { isc_buffer_forward(data, length); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = RSA_new(); if (rsa == NULL) { DST_RET(dst__openssl_toresult2("RSA_new", @@ -754,7 +754,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata", DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ key->keydata.pkey = pkey; pkey = NULL; @@ -762,7 +762,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) { err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (rsa != NULL) { RSA_free(rsa); } @@ -776,7 +776,7 @@ err: if (bld != NULL) { OSSL_PARAM_BLD_free(bld); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (n != NULL) { BN_free(n); } @@ -797,7 +797,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { unsigned char *bufs[8] = { NULL }; unsigned short i = 0; EVP_PKEY *pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa = NULL; const BIGNUM *n = NULL, *e = NULL, *d = NULL; const BIGNUM *p = NULL, *q = NULL; 
@@ -806,7 +806,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { BIGNUM *n = NULL, *e = NULL, *d = NULL; BIGNUM *p = NULL, *q = NULL; BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (key->keydata.pkey == NULL) { DST_RET(DST_R_NULLKEY); @@ -817,7 +817,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { } pkey = key->keydata.pkey; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -834,7 +834,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) { EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1); EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp); -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (n == NULL || e == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -940,7 +940,7 @@ err: priv.elements[i].length); } } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA_free(rsa); #else if (n != NULL) { @@ -967,12 +967,12 @@ err: if (iqmp != NULL) { BN_clear_free(iqmp); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ return (ret); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 static isc_result_t rsa_check(RSA *rsa, RSA *pub) { const BIGNUM *n1 = NULL, *n2 = NULL; 
@@ -1084,14 +1084,14 @@ err: return (ret); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ static isc_result_t opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { dst_private_t priv; isc_result_t ret; int i; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa = NULL, *pubrsa = NULL; const BIGNUM *ex = NULL; #else @@ -1099,7 +1099,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { OSSL_PARAM *params = NULL; EVP_PKEY_CTX *ctx = NULL; BIGNUM *ex = NULL; -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 ENGINE *ep = NULL; #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ @@ -1131,11 +1131,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(ISC_R_SUCCESS); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (pub != NULL && pub->keydata.pkey != NULL) { pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ for (i = 0; i < priv.nelements; i++) { switch (priv.elements[i].tag) { @@ -1254,7 +1254,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { } } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = RSA_new(); if (rsa == NULL) { DST_RET(ISC_R_NOMEMORY); 
@@ -1366,7 +1366,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { ISC_R_SUCCESS) { DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) { DST_RET(ISC_R_RANGE); @@ -1380,7 +1380,7 @@ err: if (pkey != NULL) { EVP_PKEY_free(pkey); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (rsa != NULL) { RSA_free(rsa); } @@ -1424,7 +1424,7 @@ err: if (iqmp != NULL) { BN_clear_free(iqmp); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */ if (ret != ISC_R_SUCCESS) { key->keydata.generic = NULL; } @@ -1648,7 +1648,7 @@ check_algorithm(unsigned char algorithm) { int status; isc_result_t ret = ISC_R_SUCCESS; size_t len; -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 RSA *rsa = NULL; #else OSSL_PARAM *params = NULL; @@ -1694,7 +1694,7 @@ check_algorithm(unsigned char algorithm) { DST_RET(ISC_R_NOMEMORY); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 rsa = RSA_new(); if (rsa == NULL) { DST_RET(dst__openssl_toresult2("RSA_new", @@ -1767,7 +1767,7 @@ check_algorithm(unsigned char algorithm) { err: BN_free(e); BN_free(n); -#if OPENSSL_VERSION_NUMBER < 0x30000000L +#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 if (rsa != NULL) { RSA_free(rsa); } From 6c55ea17c6c5e78454586fd9507021f882716403 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= Date: Thu, 8 Sep 2022 16:33:38 +0200 Subject: [PATCH 03/10] Remove engine related parts for OpenSSL 3.0 OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM builders. But it can be built in legacy mode, where deprecated but still working API would be used. It can work under OpenSSL 3.0, but only if using legacy code paths matching OpenSSL 1.1 calls and functions. Remove fromlabel processing by OpenSSL 3.0 only functions. They can return later with a proper provider support for pkcs11. --- lib/dns/opensslecdsa_link.c | 55 ------------------------------------- lib/dns/opensslrsa_link.c | 32 --------------------- 2 files changed, 87 deletions(-) diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c index 04f0d80b5e..f04f076e42 100644 --- a/lib/dns/opensslecdsa_link.c +++ b/lib/dns/opensslecdsa_link.c @@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 isc_result_t ret = ISC_R_SUCCESS; ENGINE *e; -#if OPENSSL_VERSION_NUMBER < 0x30000000L EC_KEY *eckey = NULL; EC_KEY *pubeckey = NULL; int group_nid; -#else - size_t len; - const char *curve_name, *nist_curve_name; - char buf[128]; /* Sufficient for all of the supported curves' names. */ -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ EVP_PKEY *pkey = NULL; EVP_PKEY *pubpkey = NULL; 
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(DST_R_NOENGINE); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L if (key->key_alg == DST_ALG_ECDSA256) { group_nid = NID_X9_62_prime256v1; } else { group_nid = NID_secp384r1; } -#else - /* Get the expected curve names */ - if (key->key_alg == DST_ALG_ECDSA256) { - curve_name = "prime256v1"; - nist_curve_name = "P-256"; - } else { - curve_name = "secp384r1"; - nist_curve_name = "P-384"; - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ /* Load private key. */ pkey = ENGINE_load_private_key(e, label, NULL, NULL); @@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) { DST_RET(DST_R_INVALIDPRIVATEKEY); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L eckey = EVP_PKEY_get1_EC_KEY(pkey); if (eckey == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) { DST_RET(DST_R_INVALIDPRIVATEKEY); } -#else - len = 0; - if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME, - buf, sizeof buf, &len) != 1 || - len == 0 || len >= sizeof buf) - { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } - if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && - strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) - { - DST_RET(DST_R_INVALIDPRIVATEKEY); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ /* Load public key. */ pubpkey = ENGINE_load_public_key(e, label, NULL, NULL); 
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) { DST_RET(DST_R_INVALIDPUBLICKEY); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey); if (pubeckey == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label, if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) { DST_RET(DST_R_INVALIDPUBLICKEY); } -#else - len = 0; - if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME, - buf, sizeof buf, &len) != 1 || - len == 0 || len >= sizeof buf) - { - DST_RET(DST_R_INVALIDPUBLICKEY); - } - if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 && - strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0) - { - DST_RET(DST_R_INVALIDPUBLICKEY); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ -#if OPENSSL_VERSION_NUMBER < 0x30000000L if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) { DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); } -#else - if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ key->label = isc_mem_strdup(key->mctx, label); key->engine = isc_mem_strdup(key->mctx, engine); @@ -1442,14 +1389,12 @@ err: if (pkey != NULL) { EVP_PKEY_free(pkey); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L if (pubeckey != NULL) { EC_KEY_free(pubeckey); } if (eckey != NULL) { EC_KEY_free(eckey); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ return (ret); #else diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c index 50d0d6325f..4d8c29ea89 100644 --- a/lib/dns/opensslrsa_link.c +++ b/lib/dns/opensslrsa_link.c 
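Review bot: With the OpenSSL 3.0 curve-name branch deleted, `EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid` in the second hunk (and the matching check on `eckey` in the hunk before it) is now the only curve validation applied to engine-supplied keys, and it passes the result of `EC_KEY_get0_group()` straight into `EC_GROUP_get_curve_name()`, which does not accept NULL. A non-NULL return from `EVP_PKEY_get1_EC_KEY()` does not by itself guarantee the key carries a group, so if the engine ever hands back an EC_KEY without one the comparison reads through a NULL pointer instead of failing with `DST_R_INVALIDPUBLICKEY`. I would split the check into `const EC_GROUP *group = EC_KEY_get0_group(pubeckey);` followed by `if (group == NULL || EC_GROUP_get_curve_name(group) != group_nid) {`, and do the same for the private-key check. `opensslecdsa_fromlabel` starts and ends outside this hunk.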
@@ -1172,7 +1172,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { key->engine = isc_mem_strdup(key->mctx, engine); key->label = isc_mem_strdup(key->mctx, label); -#if OPENSSL_VERSION_NUMBER < 0x30000000L rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -1181,16 +1180,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) { DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); } RSA_get0_key(rsa, NULL, &ex, NULL); -#else - if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) != - ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } - if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != - 1) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ if (ex == NULL) { DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); @@ -1442,12 +1431,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, ENGINE *e = NULL; isc_result_t ret = ISC_R_SUCCESS; EVP_PKEY *pkey = NULL, *pubpkey = NULL; -#if OPENSSL_VERSION_NUMBER < 0x30000000L RSA *rsa = NULL, *pubrsa = NULL; const BIGNUM *ex = NULL; -#else - BIGNUM *ex = NULL; -#endif UNUSED(pin); @@ -1464,12 +1449,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(dst__openssl_toresult2("ENGINE_load_public_key", DST_R_OPENSSLFAILURE)); } -#if OPENSSL_VERSION_NUMBER < 0x30000000L pubrsa = EVP_PKEY_get1_RSA(pubpkey); if (pubrsa == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ pkey = ENGINE_load_private_key(e, label, NULL, NULL); if (pkey == NULL) { 
@@ -1480,7 +1463,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, key->engine = isc_mem_strdup(key->mctx, engine); key->label = isc_mem_strdup(key->mctx, label); -#if OPENSSL_VERSION_NUMBER < 0x30000000L rsa = EVP_PKEY_get1_RSA(pkey); if (rsa == NULL) { DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE)); @@ -1489,14 +1471,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); } RSA_get0_key(rsa, NULL, &ex, NULL); -#else - if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } - if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) { - DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ if (ex == NULL) { DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY)); @@ -1510,18 +1484,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, pkey = NULL; err: -#if OPENSSL_VERSION_NUMBER < 0x30000000L if (rsa != NULL) { RSA_free(rsa); } if (pubrsa != NULL) { RSA_free(pubrsa); } -#else - if (ex != NULL) { - BN_free(ex); - } -#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */ if (pkey != NULL) { EVP_PKEY_free(pkey); } From f32c52c5ca1d739f12c66df3334cf9d57d8c1e19 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 13 Sep 2022 17:06:52 +1000 Subject: [PATCH 04/10] Document -DOPENSSL_API_COMPAT=10100 in OPTIONS.md --- OPTIONS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/OPTIONS.md b/OPTIONS.md index 71f556f4f1..acdcaf823e 100644 --- a/OPTIONS.md +++ b/OPTIONS.md 
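Review bot: `key->engine = isc_mem_strdup(key->mctx, engine);` and `key->label = isc_mem_strdup(key->mctx, label);` in the first hunk of `opensslrsa_fromlabel` are assigned before `EVP_PKEY_get1_RSA(pkey)`, the `rsa_check` and the `ex == NULL` validation that can all fail via `DST_RET(...)`, whereas the ECDSA counterpart rewritten in this same patch assigns them only after every check has passed. If the key destructor releases label and engine regardless of whether `keydata.pkey` was set this is only an inconsistency, but it leaves a half-populated key behind on failure and makes the two fromlabel implementations disagree on when a key "has" a label. Moving the two strdup lines below the `if (ex == NULL)` check, next to the `key->keydata.pkey = pkey;` assignment, would make them agree. The function starts before this hunk, so the earlier `ENGINE_load_public_key` error path is only partly visible here.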
@@ -26,3 +26,4 @@ Some of these settings are: | `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult | | `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` | | `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports | +| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support | From 6d668b8c342973688049584c50b275b53dc1f8b5 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 13 Sep 2022 17:09:55 +1000 Subject: [PATCH 05/10] Update reference to point to doc/arm/build.inc.rst --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 564ae059df..07cf1decf1 100644 --- a/README.md +++ b/README.md @@ -125,7 +125,7 @@ including your patch as an attachment, preferably generated by ### Building BIND 9 For information about building BIND 9, see the -["Building BIND 9"](doc/arm/build.rst) section in the BIND 9 +["Building BIND 9"](doc/arm/build.inc.rst) section in the BIND 9 Administrator Reference Manual. ### Automated testing From 3dec2deebc8f5712a871de3aee6a2ffbe4cb1618 Mon Sep 17 00:00:00 2001 From: Michal Nowak Date: Tue, 13 Sep 2022 19:44:37 +0200 Subject: [PATCH 06/10] Let Debian sid image leverage PKCS#11 with OpenSSL 3 --- .gitlab-ci.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6c14c941b1..b72e88b14b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -790,12 +790,19 @@ gcc:sid:amd64: variables: CC: gcc CFLAGS: "${CFLAGS_COMMON} -O3" - EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb ${WITH_READLINE}" + # For the jemalloc ./configure option, see https://gitlab.isc.org/isc-projects/bind9/-/issues/3444 + EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb --without-jemalloc ${WITH_READLINE}" RUN_MAKE_INSTALL: 1 <<: *debian_sid_amd64_image <<: *build_job system:gcc:sid:amd64: + # Set up environment variables that allow the "keyfromlabel" system test to be run + variables: + DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf" + OPENSSL_CONF: "/var/tmp/etc/openssl.cnf" + SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf" + SOFTHSM2_MODULE: "/usr/lib/softhsm/libsofthsm2.so" <<: *debian_sid_amd64_image <<: *system_test_job needs: From 9b13dd7b4d58d67299453c1d452fc5cf43a1c1c2 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 11:49:18 +1000 Subject: [PATCH 07/10] Build against OpenSSL 3.0 in OpenSSL 1.1.0 compatibility mode --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b72e88b14b..0ccfdd194b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -789,7 +789,7 @@ scan-build: gcc:sid:amd64: variables: CC: gcc - CFLAGS: "${CFLAGS_COMMON} -O3" + CFLAGS: "${CFLAGS_COMMON} -O3 -DOPENSSL_API_COMPAT=10100" # For the jemalloc ./configure option, see https://gitlab.isc.org/isc-projects/bind9/-/issues/3444 EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb --without-jemalloc ${WITH_READLINE}" RUN_MAKE_INSTALL: 1 From 979062ee5da378a7e740406776acdb2ce773ca10 Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Wed, 14 Sep 2022 12:08:00 +1000 Subject: [PATCH 08/10] Report how named was built --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 0ccfdd194b..c686237303 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
@@ -284,6 +284,7 @@ stages:
- test -z "${CROSS_COMPILATION}" || file lib/dns/gen | grep -F -q "ELF 64-bit LSB"
- test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" )
- if test -z "${OUT_OF_TREE_WORKSPACE}" && test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
+ - bin/named/named -V
needs:
- job: autoreconf
artifacts: true
From 54916b4e4534d1529ccd8db11f79cab56cae7f69 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 14 Sep 2022 12:50:40 +1000
Subject: [PATCH 09/10] Add a CHANGES note for [GL !6711]
---
CHANGES | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/CHANGES b/CHANGES
index 2790440a74..b2f904045f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,9 @@
+5978. [port] The ability to use pkcs11 via engine_pkcs11 has been
+ restored, by only using deprecated APIs in
+ OpenSSL 3.0.0. BIND needs to be compiled with
+ '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS
+ at compile time. [GL !6711]
+
5977. [bug] named could incorrectly return non-truncated, glueless referrals for responses whose size was close to the UDP packet size limit. [GL #1967]
From e27b063f670f35c160f317901f0845ffc49f28d0 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 14 Sep 2022 12:53:42 +1000
Subject: [PATCH 10/10] Add release note for [GL !6711]
---
doc/notes/notes-current.rst | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 1d2dd322c0..8748f48718 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
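Review bot: The new `- bin/named/named -V` line in the `stages:` script runs the freshly built binary unconditionally, yet the two `test -z "${CROSS_COMPILATION}" || …` checks immediately above exist precisely for jobs that cross-compile, where `bin/named/named` is a foreign-architecture executable that cannot run on the runner and the new step would fail the job with an exec-format error. Guarding it the same way, `- test -n "${CROSS_COMPILATION}" || bin/named/named -V`, keeps the build-configuration report for native jobs without breaking cross builds. The script block starts outside the hunk, so I cannot see whether any jobs actually set `CROSS_COMPILATION` while running this template, but the existing guards suggest they do.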
@@ -57,6 +57,11 @@ Feature Changes
keys using the algorithm number, followed by "+", followed by the key ID: for example, "8+54274". :gl:`#3525`
+- The ability to use pkcs11 via engine_pkcs11 has been restored, by only using
+ deprecated APIs in OpenSSL 3.0.0. BIND needs to be compiled
+ with '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS at
+ compile time. :gl:`!6711`
+
Bug Fixes
~~~~~~~~~
