Merge branch 'bug/main/sha1-disabled-fedora-rhbz2122841' into 'main'
Engine pkcs11 cannot work with OSSL_PARAM on OpenSSL 3.0 See merge request isc-projects/bind9!6711
@@ -284,6 +284,7 @@ stages:
|
||||
- test -z "${CROSS_COMPILATION}" || file lib/dns/gen | grep -F -q "ELF 64-bit LSB"
|
||||
- test -z "${CROSS_COMPILATION}" || ( ! git ls-files -z --others --exclude lib/dns/gen | xargs -0 file | grep "ELF 64-bit LSB" )
|
||||
- if test -z "${OUT_OF_TREE_WORKSPACE}" && test "$(git status --porcelain | grep -Ev '\?\?' | wc -l)" -gt "0"; then git status --short; exit 1; fi
|
||||
- bin/named/named -V
|
||||
needs:
|
||||
- job: autoreconf
|
||||
artifacts: true
|
||||
@@ -789,13 +790,20 @@ scan-build:
|
||||
gcc:sid:amd64:
|
||||
variables:
|
||||
CC: gcc
|
||||
CFLAGS: "${CFLAGS_COMMON} -O3"
|
||||
EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb ${WITH_READLINE}"
|
||||
CFLAGS: "${CFLAGS_COMMON} -O3 -DOPENSSL_API_COMPAT=10100"
|
||||
# For the jemalloc ./configure option, see https://gitlab.isc.org/isc-projects/bind9/-/issues/3444
|
||||
EXTRA_CONFIGURE: "--with-libidn2 --without-lmdb --without-jemalloc ${WITH_READLINE}"
|
||||
RUN_MAKE_INSTALL: 1
|
||||
<<: *debian_sid_amd64_image
|
||||
<<: *build_job
|
||||
|
||||
system:gcc:sid:amd64:
|
||||
# Set up environment variables that allow the "keyfromlabel" system test to be run
|
||||
variables:
|
||||
DEFAULT_OPENSSL_CONF: "/etc/ssl/openssl.cnf"
|
||||
OPENSSL_CONF: "/var/tmp/etc/openssl.cnf"
|
||||
SOFTHSM2_CONF: "/var/tmp/softhsm2/softhsm2.conf"
|
||||
SOFTHSM2_MODULE: "/usr/lib/softhsm/libsofthsm2.so"
|
||||
<<: *debian_sid_amd64_image
|
||||
<<: *system_test_job
|
||||
needs:
|
||||
|
6
CHANGES
6
CHANGES
@@ -1,3 +1,9 @@
|
||||
5978. [port] The ability to use pkcs11 via engine_pkcs11 has been
|
||||
restored, by only using deprecated APIs in
|
||||
OpenSSL 3.0.0. BIND needs to be compiled with
|
||||
'-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS
|
||||
at compile time. [GL !6711]
|
||||
|
||||
5977. [bug] named could incorrectly return non-truncated, glueless
|
||||
referrals for responses whose size was close to the UDP
|
||||
packet size limit. [GL #1967]
|
||||
|
@@ -26,3 +26,4 @@ Some of these settings are:
|
||||
| `-DISC_MEM_TRACKLINES=0` | Don't track memory allocations by file and line number; this improves performance but makes debugging more difficult |
|
||||
| `-DNAMED_RUN_PID_DIR=0` | Create default PID files in `${localstatedir}/run` rather than `${localstatedir}/run/named/` |
|
||||
| `-DNS_CLIENT_DROPPORT=0` | Disable dropping queries from particular well-known ports |
|
||||
| `-DOPENSSL_API_COMPAT=10100` | Build using the deprecated OpenSSL APIs so that the `engine` API is available when building with OpenSSL 3.0.0 for PKCS#11 support |
|
||||
|
@@ -125,7 +125,7 @@ including your patch as an attachment, preferably generated by
|
||||
### <a name="build"/> Building BIND 9
|
||||
|
||||
For information about building BIND 9, see the
|
||||
["Building BIND 9"](doc/arm/build.rst) section in the BIND 9
|
||||
["Building BIND 9"](doc/arm/build.inc.rst) section in the BIND 9
|
||||
Administrator Reference Manual.
|
||||
|
||||
### <a name="testing"/> Automated testing
|
||||
|
@@ -57,6 +57,11 @@ Feature Changes
|
||||
keys using the algorithm number, followed by "+", followed by the
|
||||
key ID: for example, "8+54274". :gl:`#3525`
|
||||
|
||||
- The ability to use pkcs11 via engine_pkcs11 has been restored, by only using
|
||||
deprecated APIs in OpenSSL 3.0.0. BIND needs to be compiled
|
||||
with '-DOPENSSL_API_COMPAT=10100' specified in the CFLAGS at
|
||||
compile time. :gl:`!6711`
|
||||
|
||||
Bug Fixes
|
||||
~~~~~~~~~
|
||||
|
||||
|
@@ -85,14 +85,20 @@ dst__openssl_init(const char *engine) {
|
||||
result = DST_R_NOENGINE;
|
||||
goto cleanup_rm;
|
||||
}
|
||||
if (!ENGINE_init(e)) {
|
||||
result = DST_R_NOENGINE;
|
||||
goto cleanup_rm;
|
||||
}
|
||||
/* This will init the engine. */
|
||||
if (!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
|
||||
result = DST_R_NOENGINE;
|
||||
goto cleanup_rm;
|
||||
goto cleanup_init;
|
||||
}
|
||||
}
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
cleanup_init:
|
||||
ENGINE_finish(e);
|
||||
cleanup_rm:
|
||||
if (e != NULL) {
|
||||
ENGINE_free(e);
|
||||
@@ -108,6 +114,7 @@ void
|
||||
dst__openssl_destroy(void) {
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
if (e != NULL) {
|
||||
ENGINE_finish(e);
|
||||
ENGINE_free(e);
|
||||
}
|
||||
e = NULL;
|
||||
|
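Review bot: The comment `/* This will init the engine. */` above the ENGINE_set_default() call is stale now that the commit adds an explicit ENGINE_init(e) check immediately before it; the engine is already initialised at that point and this block only registers it as the default for all methods. Suggest replacing it with `/* e is initialised above; register it as the default for all methods. */`. Redirecting the ENGINE_set_default() failure path from `cleanup_rm` to the new `cleanup_init` label is right, since ENGINE_init() takes a functional reference that ENGINE_finish() must release before ENGINE_free() drops the structural one, so the order of the two labels must be kept. dst__openssl_init's body starts and ends outside the hunk.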
@@ -91,7 +91,7 @@ static BIGNUM *bn2 = NULL, *bn768 = NULL, *bn1024 = NULL, *bn1536 = NULL;
|
||||
static isc_result_t
|
||||
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
||||
isc_buffer_t *secret) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dhpub, *dhpriv;
|
||||
const BIGNUM *pub_key = NULL;
|
||||
int secret_len = 0;
|
||||
@@ -99,11 +99,11 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *dhpub, *dhpriv;
|
||||
size_t secret_len = 0;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
isc_region_t r;
|
||||
unsigned int len;
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
REQUIRE(pub->keydata.dh != NULL);
|
||||
REQUIRE(priv->keydata.dh != NULL);
|
||||
|
||||
@@ -119,14 +119,14 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
||||
dhpriv = priv->keydata.pkey;
|
||||
|
||||
len = EVP_PKEY_get_size(dhpriv);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
isc_buffer_availableregion(secret, &r);
|
||||
if (r.length < len) {
|
||||
return (ISC_R_NOSPACE);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH_get0_key(dhpub, &pub_key, NULL);
|
||||
secret_len = DH_compute_key(r.base, pub_key, dhpriv);
|
||||
if (secret_len <= 0) {
|
||||
@@ -156,7 +156,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
||||
DST_R_COMPUTESECRETFAILURE));
|
||||
}
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
isc_buffer_add(secret, (unsigned int)secret_len);
|
||||
|
||||
@@ -166,7 +166,7 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
|
||||
static bool
|
||||
openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
bool ret = true;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh1, *dh2;
|
||||
const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
|
||||
const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
|
||||
@@ -176,9 +176,9 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
|
||||
BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
|
||||
BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
dh1 = key1->keydata.dh;
|
||||
dh2 = key2->keydata.dh;
|
||||
|
||||
@@ -210,7 +210,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PUB_KEY, &pub_key2);
|
||||
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key1);
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key2);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L*/
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000*/
|
||||
|
||||
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0 ||
|
||||
BN_cmp(pub_key1, pub_key2) != 0)
|
||||
@@ -226,7 +226,7 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
}
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
if (p1 != NULL) {
|
||||
BN_free(p1);
|
||||
}
|
||||
@@ -251,7 +251,8 @@ err:
|
||||
if (priv_key2 != NULL) {
|
||||
BN_clear_free(priv_key2);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
||||
*/
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -259,15 +260,15 @@ err:
|
||||
static bool
|
||||
openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
bool ret = true;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh1, *dh2;
|
||||
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
|
||||
#else
|
||||
EVP_PKEY *pkey1, *pkey2;
|
||||
BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
dh1 = key1->keydata.dh;
|
||||
dh2 = key2->keydata.dh;
|
||||
|
||||
@@ -293,14 +294,14 @@ openssldh_paramcompare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_P, &p2);
|
||||
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_FFC_G, &g1);
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_FFC_G, &g2);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (BN_cmp(p1, p2) != 0 || BN_cmp(g1, g2) != 0) {
|
||||
DST_RET(false);
|
||||
}
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
if (p1 != NULL) {
|
||||
BN_free(p1);
|
||||
}
|
||||
@@ -313,12 +314,13 @@ err:
|
||||
if (g2 != NULL) {
|
||||
BN_free(g2);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
||||
*/
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
static int
|
||||
progress_cb(int p, int n, BN_GENCB *cb) {
|
||||
union {
|
||||
@@ -349,7 +351,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
static isc_result_t
|
||||
openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
@@ -359,7 +361,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
void (*fptr)(int);
|
||||
} u;
|
||||
BIGNUM *p = NULL, *g = NULL;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh = NULL;
|
||||
BN_GENCB *cb = NULL;
|
||||
#if !HAVE_BN_GENCB_NEW
|
||||
@@ -372,9 +374,9 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *param_pkey = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
dh = DH_new();
|
||||
if (dh == NULL) {
|
||||
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
|
||||
@@ -388,7 +390,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
if (param_ctx == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (generator == 0) {
|
||||
/*
|
||||
@@ -408,7 +410,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
if (p == NULL || g == NULL) {
|
||||
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (DH_set0_pqg(dh, p, NULL, g) != 1) {
|
||||
DST_RET(dst__openssl_toresult2(
|
||||
"DH_set0_pqg", DST_R_OPENSSLFAILURE));
|
||||
@@ -432,7 +434,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
params = OSSL_PARAM_BLD_to_param(bld);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
} else {
|
||||
/*
|
||||
@@ -445,7 +447,7 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
}
|
||||
|
||||
if (generator != 0) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (callback != NULL) {
|
||||
cb = BN_GENCB_new();
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
@@ -486,10 +488,10 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
params = OSSL_PARAM_BLD_to_param(bld);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (DH_generate_key(dh) == 0) {
|
||||
DST_RET(dst__openssl_toresult2("DH_generate_key",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
@@ -556,12 +558,12 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (dh != NULL) {
|
||||
DH_free(dh);
|
||||
}
|
||||
@@ -593,14 +595,14 @@ err:
|
||||
if (g != NULL) {
|
||||
BN_free(g);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
static bool
|
||||
openssldh_isprivate(const dst_key_t *key) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh = key->keydata.dh;
|
||||
const BIGNUM *priv_key = NULL;
|
||||
|
||||
@@ -625,12 +627,12 @@ openssldh_isprivate(const dst_key_t *key) {
|
||||
}
|
||||
|
||||
return (ret);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
}
|
||||
|
||||
static void
|
||||
openssldh_destroy(dst_key_t *key) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh = key->keydata.dh;
|
||||
|
||||
if (dh == NULL) {
|
||||
@@ -648,7 +650,7 @@ openssldh_destroy(dst_key_t *key) {
|
||||
|
||||
EVP_PKEY_free(pkey);
|
||||
key->keydata.pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
}
|
||||
|
||||
static void
|
||||
@@ -675,17 +677,17 @@ uint16_fromregion(isc_region_t *region) {
|
||||
static isc_result_t
|
||||
openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
isc_result_t ret = ISC_R_SUCCESS;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh;
|
||||
const BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
|
||||
#else
|
||||
EVP_PKEY *pkey;
|
||||
BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
isc_region_t r;
|
||||
uint16_t dnslen, plen, glen, publen;
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
REQUIRE(key->keydata.dh != NULL);
|
||||
|
||||
dh = key->keydata.dh;
|
||||
@@ -698,7 +700,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_P, &p);
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
isc_buffer_availableregion(data, &r);
|
||||
|
||||
@@ -746,7 +748,7 @@ openssldh_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
isc_buffer_add(data, dnslen);
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
if (p != NULL) {
|
||||
BN_free(p);
|
||||
}
|
||||
@@ -756,7 +758,8 @@ err:
|
||||
if (pub_key != NULL) {
|
||||
BN_free(pub_key);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
||||
*/
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -764,14 +767,14 @@ err:
|
||||
static isc_result_t
|
||||
openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
isc_result_t ret;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh;
|
||||
#else
|
||||
OSSL_PARAM_BLD *bld = NULL;
|
||||
OSSL_PARAM *params = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
BIGNUM *pub_key = NULL, *p = NULL, *g = NULL;
|
||||
int key_size;
|
||||
isc_region_t r;
|
||||
@@ -783,7 +786,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
dh = DH_new();
|
||||
if (dh == NULL) {
|
||||
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
|
||||
@@ -797,7 +800,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
if (ctx == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
/*
|
||||
* Read the prime length. 1 & 2 are table entries, > 16 means a
|
||||
@@ -873,7 +876,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
key_size = BN_num_bits(p);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (DH_set0_pqg(dh, p, NULL, g) != 1) {
|
||||
DST_RET(dst__openssl_toresult2("DH_set0_pqg",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
@@ -889,7 +892,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
DST_RET(dst__openssl_toresult2("OSSL_PARAM_BLD_push_BN",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (r.length < 2) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
@@ -907,7 +910,7 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
isc_buffer_forward(data, plen + glen + publen + 6);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && \
|
||||
(LIBRESSL_VERSION_NUMBER <= 0x2070200fL)
|
||||
/*
|
||||
@@ -951,14 +954,14 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
key->key_size = (unsigned int)key_size;
|
||||
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (dh != NULL) {
|
||||
DH_free(dh);
|
||||
}
|
||||
@@ -975,7 +978,7 @@ err:
|
||||
if (bld != NULL) {
|
||||
OSSL_PARAM_BLD_free(bld);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
if (p != NULL) {
|
||||
BN_free(p);
|
||||
}
|
||||
@@ -991,13 +994,13 @@ err:
|
||||
|
||||
static isc_result_t
|
||||
openssldh_tofile(const dst_key_t *key, const char *directory) {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh;
|
||||
const BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
|
||||
#else
|
||||
EVP_PKEY *pkey;
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
dst_private_t priv;
|
||||
unsigned char *bufs[4] = { NULL };
|
||||
unsigned short i = 0;
|
||||
@@ -1007,7 +1010,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
||||
return (DST_R_EXTERNALKEY);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (key->keydata.dh == NULL) {
|
||||
return (DST_R_NULLKEY);
|
||||
}
|
||||
@@ -1025,7 +1028,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_FFC_G, &g);
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PUB_KEY, &pub_key);
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_PRIV_KEY, &priv_key);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
priv.elements[i].tag = TAG_DH_PRIME;
|
||||
priv.elements[i].length = BN_num_bytes(p);
|
||||
@@ -1065,7 +1068,7 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
||||
}
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
if (p != NULL) {
|
||||
BN_free(p);
|
||||
}
|
||||
@@ -1078,7 +1081,8 @@ openssldh_tofile(const dst_key_t *key, const char *directory) {
|
||||
if (priv_key != NULL) {
|
||||
BN_clear_free(priv_key);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
||||
*/
|
||||
|
||||
return (result);
|
||||
}
|
||||
@@ -1088,14 +1092,14 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
DH *dh = NULL;
|
||||
#else
|
||||
OSSL_PARAM_BLD *bld = NULL;
|
||||
OSSL_PARAM *params = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
BIGNUM *pub_key = NULL, *priv_key = NULL, *p = NULL, *g = NULL;
|
||||
int key_size = 0;
|
||||
isc_mem_t *mctx;
|
||||
@@ -1113,7 +1117,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
DST_RET(DST_R_EXTERNALKEY);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
dh = DH_new();
|
||||
if (dh == NULL) {
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
@@ -1127,7 +1131,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
if (ctx == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
for (i = 0; i < priv.nelements; i++) {
|
||||
BIGNUM *bn;
|
||||
@@ -1154,7 +1158,7 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
}
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (DH_set0_key(dh, pub_key, priv_key) != 1) {
|
||||
DST_RET(dst__openssl_toresult2("DH_set0_key",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
@@ -1201,13 +1205,13 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
key->key_size = (unsigned int)key_size;
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (dh != NULL) {
|
||||
DH_free(dh);
|
||||
}
|
||||
@@ -1224,7 +1228,7 @@ err:
|
||||
if (bld != NULL) {
|
||||
OSSL_PARAM_BLD_free(bld);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
if (p != NULL) {
|
||||
BN_free(p);
|
||||
}
|
||||
|
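Review bot: The condition `OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000` and its complement `OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000` are now repeated verbatim in every `#if`/`#endif` pair of this file, from openssldh_computesecret through openssldh_parse, and again in the ECDSA file that follows; one named macro, e.g. `#define DST_OPENSSL_LEGACY_API (OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000)` (constructed name) in the shared header, used as `#if DST_OPENSSL_LEGACY_API` / `#if !DST_OPENSSL_LEGACY_API`, would keep the two polarities from drifting apart in a later edit. OPENSSL_API_LEVEL is defined by OpenSSL 3's headers; on OpenSSL 1.1.x or LibreSSL it is presumably undefined and evaluates to 0 inside `#if`, which yields the intended branch here (as the pre-existing `#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000` already relies on) but would trip `-Wundef` if that warning is enabled, so the macro would also be the natural place for a fallback definition. The trailing `\` on the wrapped `#endif` comments (`OPENSSL_API_LEVEL >= 30000 \` followed by `*/`) is a line splice inside a comment — harmless, but a short macro name removes the need for it.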
@@ -17,14 +17,14 @@
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/opensslv.h>
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
#include <openssl/core_names.h>
|
||||
#endif
|
||||
#include <openssl/ecdsa.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/objects.h>
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
#include <openssl/param_build.h>
|
||||
#endif
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
@@ -57,7 +57,7 @@
|
||||
goto err; \
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
static isc_result_t
|
||||
raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
|
||||
size_t key_len, EVP_PKEY **pkey) {
|
||||
@@ -159,7 +159,8 @@ err:
|
||||
|
||||
return (ret);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000 \
|
||||
*/
|
||||
|
||||
static isc_result_t
|
||||
opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
|
||||
@@ -411,7 +412,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
bool ret;
|
||||
EVP_PKEY *pkey1 = key1->keydata.pkey;
|
||||
EVP_PKEY *pkey2 = key2->keydata.pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey1 = NULL;
|
||||
EC_KEY *eckey2 = NULL;
|
||||
const BIGNUM *priv1;
|
||||
@@ -419,7 +420,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
#else
|
||||
BIGNUM *priv1 = NULL;
|
||||
BIGNUM *priv2 = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (pkey1 == NULL && pkey2 == NULL) {
|
||||
return (true);
|
||||
@@ -432,7 +433,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
DST_RET(false);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
|
||||
eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
|
||||
if (eckey1 == NULL && eckey2 == NULL) {
|
||||
@@ -445,7 +446,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
#else
|
||||
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_PRIV_KEY, &priv1);
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_PRIV_KEY, &priv2);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (priv1 != NULL || priv2 != NULL) {
|
||||
if (priv1 == NULL || priv2 == NULL || BN_cmp(priv1, priv2) != 0)
|
||||
@@ -457,7 +458,7 @@ opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
ret = true;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (eckey1 != NULL) {
|
||||
EC_KEY_free(eckey1);
|
||||
}
|
||||
@@ -471,7 +472,7 @@ err:
|
||||
if (priv2 != NULL) {
|
||||
BN_clear_free(priv2);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -481,12 +482,12 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
isc_result_t ret;
|
||||
int status;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey = NULL;
|
||||
#else
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
EVP_PKEY *params_pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
int group_nid;
|
||||
|
||||
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
|
||||
@@ -502,7 +503,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
key->key_size = DNS_KEY_ECDSA384SIZE * 4;
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
eckey = EC_KEY_new_by_curve_name(group_nid);
|
||||
if (eckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult2("EC_KEY_new_by_curve_name",
|
||||
@@ -563,7 +564,7 @@ opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
|
||||
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
pkey = NULL;
|
||||
@@ -573,7 +574,7 @@ err:
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
@@ -584,7 +585,7 @@ err:
|
||||
if (ctx != NULL) {
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -593,11 +594,11 @@ static bool
|
||||
opensslecdsa_isprivate(const dst_key_t *key) {
|
||||
bool ret;
|
||||
EVP_PKEY *pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey;
|
||||
#else
|
||||
BIGNUM *priv = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
|
||||
key->key_alg == DST_ALG_ECDSA384);
|
||||
@@ -607,7 +608,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
|
||||
return (false);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
|
||||
ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
|
||||
@@ -621,7 +622,7 @@ opensslecdsa_isprivate(const dst_key_t *key) {
|
||||
if (priv != NULL) {
|
||||
BN_clear_free(priv);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -640,7 +641,7 @@ static isc_result_t
|
||||
opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
isc_result_t ret;
|
||||
EVP_PKEY *pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey = NULL;
|
||||
int len;
|
||||
unsigned char *cp;
|
||||
@@ -650,7 +651,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
BIGNUM *y = NULL;
|
||||
size_t keysize = 0;
|
||||
size_t len = 0;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
isc_region_t r;
|
||||
unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
|
||||
|
||||
@@ -658,7 +659,7 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
pkey = key->keydata.pkey;
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
if (eckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
|
||||
@@ -677,14 +678,14 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
}
|
||||
|
||||
len = keysize;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
isc_buffer_availableregion(data, &r);
|
||||
if (r.length < (unsigned int)len) {
|
||||
DST_RET(ISC_R_NOSPACE);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
cp = buf;
|
||||
if (!i2o_ECPublicKey(eckey, &cp)) {
|
||||
DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
|
||||
@@ -704,13 +705,13 @@ opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
BN_bn2bin_fixed(x, &buf[0], keysize / 2);
|
||||
BN_bn2bin_fixed(y, &buf[keysize / 2], keysize / 2);
|
||||
memmove(r.base, buf, len);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
isc_buffer_add(data, len);
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
@@ -721,7 +722,7 @@ err:
|
||||
if (y != NULL) {
|
||||
BN_clear_free(y);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -731,7 +732,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
isc_result_t ret;
|
||||
EVP_PKEY *pkey = NULL;
|
||||
isc_region_t r;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey = NULL;
|
||||
const unsigned char *cp;
|
||||
unsigned int len;
|
||||
@@ -739,7 +740,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
int group_nid;
|
||||
#else
|
||||
size_t len;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
|
||||
key->key_alg == DST_ALG_ECDSA384);
|
||||
@@ -758,7 +759,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
group_nid = NID_X9_62_prime256v1;
|
||||
} else {
|
||||
@@ -794,7 +795,7 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
DST_RET(ret);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
isc_buffer_forward(data, len);
|
||||
key->keydata.pkey = pkey;
|
||||
@@ -802,11 +803,11 @@ opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
ret = ISC_R_SUCCESS;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@@ -814,13 +815,13 @@ static isc_result_t
|
||||
opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
isc_result_t ret;
|
||||
EVP_PKEY *pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey = NULL;
|
||||
const BIGNUM *privkey = NULL;
|
||||
#else
|
||||
int status;
|
||||
BIGNUM *privkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
dst_private_t priv;
|
||||
unsigned char *buf = NULL;
|
||||
unsigned short i;
|
||||
@@ -835,7 +836,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
}
|
||||
|
||||
pkey = key->keydata.pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
if (eckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult2("EVP_PKEY_get1_EC_KEY",
|
||||
@@ -853,7 +854,7 @@ opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
DST_RET(dst__openssl_toresult2("EVP_PKEY_get_bn_param",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
|
||||
|
||||
@@ -888,7 +889,7 @@ err:
|
||||
if (buf != NULL && privkey != NULL) {
|
||||
isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
@@ -896,12 +897,12 @@ err:
|
||||
if (privkey != NULL) {
|
||||
BN_clear_free(privkey);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
static isc_result_t
|
||||
ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) {
|
||||
const EC_POINT *pubkey;
|
||||
@@ -1065,9 +1066,9 @@ err:
|
||||
|
||||
return (ret);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
static isc_result_t
|
||||
load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv,
|
||||
int privkey_index) {
|
||||
@@ -1102,16 +1103,16 @@ eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) {
|
||||
}
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
static isc_result_t
|
||||
finalize_eckey(dst_key_t *key,
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey,
|
||||
#endif
|
||||
const char *engine, const char *label) {
|
||||
isc_result_t result = ISC_R_SUCCESS;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EVP_PKEY *pkey = NULL;
|
||||
|
||||
REQUIRE(eckey != NULL);
|
||||
@@ -1122,7 +1123,7 @@ finalize_eckey(dst_key_t *key,
|
||||
}
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (label != NULL) {
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
@@ -1138,7 +1139,7 @@ finalize_eckey(dst_key_t *key,
|
||||
return (result);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
static isc_result_t
|
||||
dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
|
||||
int group_nid;
|
||||
@@ -1163,7 +1164,7 @@ dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
|
||||
|
||||
return (ISC_R_SUCCESS);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
static isc_result_t
|
||||
opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
@@ -1173,10 +1174,10 @@ static isc_result_t
|
||||
opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
EC_KEY *eckey = NULL;
|
||||
EC_KEY *pubeckey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
const char *engine = NULL;
|
||||
const char *label = NULL;
|
||||
int i, privkey_index = -1;
|
||||
@@ -1227,14 +1228,14 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
goto err;
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
eckey = EVP_PKEY_get1_EC_KEY(key->keydata.pkey);
|
||||
if (eckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
} else {
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
ret = dst__key_to_eckey(key, &eckey);
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
goto err;
|
||||
@@ -1251,7 +1252,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
priv.elements[privkey_index].data,
|
||||
priv.elements[privkey_index].length,
|
||||
&key->keydata.pkey);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
goto err;
|
||||
@@ -1260,7 +1261,7 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
finalize_key = true;
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (pub != NULL && pub->keydata.pkey != NULL) {
|
||||
pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey);
|
||||
}
|
||||
@@ -1283,17 +1284,17 @@ opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
if (finalize_key) {
|
||||
ret = finalize_eckey(key, engine, label);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (pubeckey != NULL) {
|
||||
EC_KEY_free(pubeckey);
|
||||
}
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
key->keydata.generic = NULL;
|
||||
}
|
||||
@@ -1310,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
isc_result_t ret = ISC_R_SUCCESS;
|
||||
ENGINE *e;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
EC_KEY *eckey = NULL;
|
||||
EC_KEY *pubeckey = NULL;
|
||||
int group_nid;
|
||||
#else
|
||||
size_t len;
|
||||
const char *curve_name, *nist_curve_name;
|
||||
char buf[128]; /* Sufficient for all of the supported curves' names. */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
EVP_PKEY *pkey = NULL;
|
||||
EVP_PKEY *pubpkey = NULL;
|
||||
|
||||
@@ -1335,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
DST_RET(DST_R_NOENGINE);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
group_nid = NID_X9_62_prime256v1;
|
||||
} else {
|
||||
group_nid = NID_secp384r1;
|
||||
}
|
||||
#else
|
||||
/* Get the expected curve names */
|
||||
if (key->key_alg == DST_ALG_ECDSA256) {
|
||||
curve_name = "prime256v1";
|
||||
nist_curve_name = "P-256";
|
||||
} else {
|
||||
curve_name = "secp384r1";
|
||||
nist_curve_name = "P-384";
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
/* Load private key. */
|
||||
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||
@@ -1362,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
eckey = EVP_PKEY_get1_EC_KEY(pkey);
|
||||
if (eckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1370,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
}
|
||||
#else
|
||||
len = 0;
|
||||
if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
buf, sizeof buf, &len) != 1 ||
|
||||
len == 0 || len >= sizeof buf)
|
||||
{
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
}
|
||||
if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
||||
strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
||||
{
|
||||
DST_RET(DST_R_INVALIDPRIVATEKEY);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
/* Load public key. */
|
||||
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
|
||||
@@ -1395,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
|
||||
if (pubeckey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1403,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
#else
|
||||
len = 0;
|
||||
if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
|
||||
buf, sizeof buf, &len) != 1 ||
|
||||
len == 0 || len >= sizeof buf)
|
||||
{
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
|
||||
strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
|
||||
{
|
||||
DST_RET(DST_R_INVALIDPUBLICKEY);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
#else
|
||||
if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||
@@ -1441,14 +1389,12 @@ err:
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (pubeckey != NULL) {
|
||||
EC_KEY_free(pubeckey);
|
||||
}
|
||||
if (eckey != NULL) {
|
||||
EC_KEY_free(eckey);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
return (ret);
|
||||
#else
|
||||
|
@@ -18,7 +18,7 @@
|
||||
|
||||
#include <openssl/bn.h>
|
||||
#include <openssl/opensslv.h>
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
#include <openssl/core_names.h>
|
||||
#endif
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
@@ -26,7 +26,7 @@
|
||||
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/objects.h>
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x30000000L && OPENSSL_API_LEVEL >= 30000
|
||||
#include <openssl/param_build.h>
|
||||
#endif
|
||||
#include <openssl/rsa.h>
|
||||
@@ -180,12 +180,12 @@ static isc_result_t
|
||||
opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
|
||||
dst_key_t *key = dctx->key;
|
||||
int status = 0;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa;
|
||||
const BIGNUM *e = NULL;
|
||||
#else
|
||||
BIGNUM *e = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
|
||||
EVP_PKEY *pkey = key->keydata.pkey;
|
||||
int bits;
|
||||
@@ -195,7 +195,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
|
||||
dctx->key->key_alg == DST_ALG_RSASHA256 ||
|
||||
dctx->key->key_alg == DST_ALG_RSASHA512);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -213,7 +213,7 @@ opensslrsa_verify2(dst_context_t *dctx, int maxbits, const isc_region_t *sig) {
|
||||
}
|
||||
bits = BN_num_bits(e);
|
||||
BN_free(e);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (bits > maxbits && maxbits != 0) {
|
||||
return (DST_R_VERIFYFAILURE);
|
||||
@@ -243,7 +243,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
int status;
|
||||
EVP_PKEY *pkey1 = key1->keydata.pkey;
|
||||
EVP_PKEY *pkey2 = key2->keydata.pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa1 = NULL;
|
||||
RSA *rsa2 = NULL;
|
||||
const BIGNUM *d1 = NULL, *d2 = NULL;
|
||||
@@ -253,7 +253,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
BIGNUM *d1 = NULL, *d2 = NULL;
|
||||
BIGNUM *p1 = NULL, *p2 = NULL;
|
||||
BIGNUM *q1 = NULL, *q2 = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (pkey1 == NULL && pkey2 == NULL) {
|
||||
return (true);
|
||||
@@ -267,7 +267,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
DST_RET(false);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa1 = EVP_PKEY_get1_RSA(pkey1);
|
||||
rsa2 = EVP_PKEY_get1_RSA(pkey2);
|
||||
if (rsa1 == NULL && rsa2 == NULL) {
|
||||
@@ -280,14 +280,14 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
#else
|
||||
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_D, &d1);
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_D, &d2);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (d1 != NULL || d2 != NULL) {
|
||||
if (d1 == NULL || d2 == NULL) {
|
||||
DST_RET(false);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA_get0_factors(rsa1, &p1, &q1);
|
||||
RSA_get0_factors(rsa2, &p2, &q2);
|
||||
#else
|
||||
@@ -295,7 +295,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
EVP_PKEY_get_bn_param(pkey1, OSSL_PKEY_PARAM_RSA_FACTOR2, &q1);
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR1, &p2);
|
||||
EVP_PKEY_get_bn_param(pkey2, OSSL_PKEY_PARAM_RSA_FACTOR2, &q2);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (BN_cmp(d1, d2) != 0 || BN_cmp(p1, p2) != 0 ||
|
||||
BN_cmp(q1, q2) != 0) {
|
||||
@@ -306,7 +306,7 @@ opensslrsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
|
||||
ret = true;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (rsa1 != NULL) {
|
||||
RSA_free(rsa1);
|
||||
}
|
||||
@@ -332,12 +332,12 @@ err:
|
||||
if (q2 != NULL) {
|
||||
BN_clear_free(q2);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
static int
|
||||
progress_cb(int p, int n, BN_GENCB *cb) {
|
||||
union {
|
||||
@@ -368,7 +368,7 @@ progress_cb(EVP_PKEY_CTX *ctx) {
|
||||
}
|
||||
return (1);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
static isc_result_t
|
||||
opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
||||
@@ -378,7 +378,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
||||
void (*fptr)(int);
|
||||
} u;
|
||||
BIGNUM *e = BN_new();
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa = RSA_new();
|
||||
EVP_PKEY *pkey = EVP_PKEY_new();
|
||||
#if !HAVE_BN_GENCB_NEW
|
||||
@@ -388,9 +388,9 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
||||
#else
|
||||
EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name(NULL, "RSA", NULL);
|
||||
EVP_PKEY *pkey = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (e == NULL || rsa == NULL || pkey == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
@@ -398,7 +398,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
||||
if (e == NULL || ctx == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
/*
|
||||
* Reject incorrect RSA key lengths.
|
||||
@@ -437,7 +437,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
||||
BN_set_bit(e, 32);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (EVP_PKEY_set1_RSA(pkey, rsa) != 1) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
@@ -481,7 +481,7 @@ opensslrsa_generate(dst_key_t *key, int exp, void (*callback)(int)) {
|
||||
DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
pkey = NULL;
|
||||
@@ -491,7 +491,7 @@ err:
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
@@ -502,7 +502,7 @@ err:
|
||||
if (ctx != NULL) {
|
||||
EVP_PKEY_CTX_free(ctx);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
if (e != NULL) {
|
||||
BN_free(e);
|
||||
}
|
||||
@@ -513,12 +513,12 @@ static bool
|
||||
opensslrsa_isprivate(const dst_key_t *key) {
|
||||
bool ret;
|
||||
EVP_PKEY *pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa;
|
||||
const BIGNUM *d = NULL;
|
||||
#else
|
||||
BIGNUM *d = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
REQUIRE(key->key_alg == DST_ALG_RSASHA1 ||
|
||||
key->key_alg == DST_ALG_NSEC3RSASHA1 ||
|
||||
@@ -530,7 +530,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
|
||||
return (false);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
INSIST(rsa != NULL);
|
||||
|
||||
@@ -547,7 +547,7 @@ opensslrsa_isprivate(const dst_key_t *key) {
|
||||
if (d != NULL) {
|
||||
BN_clear_free(d);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
@@ -569,19 +569,19 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
unsigned int mod_bytes;
|
||||
isc_result_t ret;
|
||||
EVP_PKEY *pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa;
|
||||
const BIGNUM *e = NULL, *n = NULL;
|
||||
#else
|
||||
BIGNUM *e = NULL, *n = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
REQUIRE(key->keydata.pkey != NULL);
|
||||
|
||||
pkey = key->keydata.pkey;
|
||||
isc_buffer_availableregion(data, &r);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -593,7 +593,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
if (e == NULL || n == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
mod_bytes = BN_num_bytes(n);
|
||||
e_bytes = BN_num_bytes(e);
|
||||
@@ -626,7 +626,7 @@ opensslrsa_todns(const dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
ret = ISC_R_SUCCESS;
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
@@ -637,7 +637,7 @@ err:
|
||||
if (n != NULL) {
|
||||
BN_free(n);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
return (ret);
|
||||
}
|
||||
|
||||
@@ -648,13 +648,13 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
isc_region_t r;
|
||||
unsigned int e_bytes;
|
||||
unsigned int length;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa = NULL;
|
||||
#else
|
||||
OSSL_PARAM_BLD *bld = NULL;
|
||||
OSSL_PARAM *params = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
EVP_PKEY *pkey = NULL;
|
||||
BIGNUM *e = NULL, *n = NULL;
|
||||
|
||||
@@ -696,7 +696,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
isc_buffer_forward(data, length);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = RSA_new();
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult2("RSA_new",
|
||||
@@ -754,7 +754,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
DST_RET(dst__openssl_toresult2("EVP_PKEY_fromdata",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
key->keydata.pkey = pkey;
|
||||
pkey = NULL;
|
||||
@@ -762,7 +762,7 @@ opensslrsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
|
||||
|
||||
err:
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
@@ -776,7 +776,7 @@ err:
|
||||
if (bld != NULL) {
|
||||
OSSL_PARAM_BLD_free(bld);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
if (n != NULL) {
|
||||
BN_free(n);
|
||||
}
|
||||
@@ -797,7 +797,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
unsigned char *bufs[8] = { NULL };
|
||||
unsigned short i = 0;
|
||||
EVP_PKEY *pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa = NULL;
|
||||
const BIGNUM *n = NULL, *e = NULL, *d = NULL;
|
||||
const BIGNUM *p = NULL, *q = NULL;
|
||||
@@ -806,7 +806,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
BIGNUM *n = NULL, *e = NULL, *d = NULL;
|
||||
BIGNUM *p = NULL, *q = NULL;
|
||||
BIGNUM *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (key->keydata.pkey == NULL) {
|
||||
DST_RET(DST_R_NULLKEY);
|
||||
@@ -817,7 +817,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
}
|
||||
|
||||
pkey = key->keydata.pkey;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -834,7 +834,7 @@ opensslrsa_tofile(const dst_key_t *key, const char *directory) {
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT1, &dmp1);
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_EXPONENT2, &dmq1);
|
||||
EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_COEFFICIENT1, &iqmp);
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (n == NULL || e == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -940,7 +940,7 @@ err:
|
||||
priv.elements[i].length);
|
||||
}
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA_free(rsa);
|
||||
#else
|
||||
if (n != NULL) {
|
||||
@@ -967,12 +967,12 @@ err:
|
||||
if (iqmp != NULL) {
|
||||
BN_clear_free(iqmp);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
return (ret);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
static isc_result_t
|
||||
rsa_check(RSA *rsa, RSA *pub) {
|
||||
const BIGNUM *n1 = NULL, *n2 = NULL;
|
||||
@@ -1084,14 +1084,14 @@ err:
|
||||
|
||||
return (ret);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
static isc_result_t
|
||||
opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
dst_private_t priv;
|
||||
isc_result_t ret;
|
||||
int i;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa = NULL, *pubrsa = NULL;
|
||||
const BIGNUM *ex = NULL;
|
||||
#else
|
||||
@@ -1099,7 +1099,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
OSSL_PARAM *params = NULL;
|
||||
EVP_PKEY_CTX *ctx = NULL;
|
||||
BIGNUM *ex = NULL;
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
|
||||
ENGINE *ep = NULL;
|
||||
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
|
||||
@@ -1131,11 +1131,11 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
DST_RET(ISC_R_SUCCESS);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (pub != NULL && pub->keydata.pkey != NULL) {
|
||||
pubrsa = EVP_PKEY_get1_RSA(pub->keydata.pkey);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
for (i = 0; i < priv.nelements; i++) {
|
||||
switch (priv.elements[i].tag) {
|
||||
@@ -1172,7 +1172,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1181,16 +1180,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||
#else
|
||||
if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
|
||||
ISC_R_SUCCESS) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
|
||||
1) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
if (ex == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
@@ -1254,7 +1243,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
}
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = RSA_new();
|
||||
if (rsa == NULL) {
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
@@ -1366,7 +1355,7 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
|
||||
ISC_R_SUCCESS) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
|
||||
if (BN_num_bits(e) > RSA_MAX_PUBEXP_BITS) {
|
||||
DST_RET(ISC_R_RANGE);
|
||||
@@ -1380,7 +1369,7 @@ err:
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
@@ -1424,7 +1413,7 @@ err:
|
||||
if (iqmp != NULL) {
|
||||
BN_clear_free(iqmp);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000 */
|
||||
if (ret != ISC_R_SUCCESS) {
|
||||
key->keydata.generic = NULL;
|
||||
}
|
||||
@@ -1442,12 +1431,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
ENGINE *e = NULL;
|
||||
isc_result_t ret = ISC_R_SUCCESS;
|
||||
EVP_PKEY *pkey = NULL, *pubpkey = NULL;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
RSA *rsa = NULL, *pubrsa = NULL;
|
||||
const BIGNUM *ex = NULL;
|
||||
#else
|
||||
BIGNUM *ex = NULL;
|
||||
#endif
|
||||
|
||||
UNUSED(pin);
|
||||
|
||||
@@ -1464,12 +1449,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
|
||||
DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
pubrsa = EVP_PKEY_get1_RSA(pubpkey);
|
||||
if (pubrsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
pkey = ENGINE_load_private_key(e, label, NULL, NULL);
|
||||
if (pkey == NULL) {
|
||||
@@ -1480,7 +1463,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
key->engine = isc_mem_strdup(key->mctx, engine);
|
||||
key->label = isc_mem_strdup(key->mctx, label);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
rsa = EVP_PKEY_get1_RSA(pkey);
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
|
||||
@@ -1489,14 +1471,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
RSA_get0_key(rsa, NULL, &ex, NULL);
|
||||
#else
|
||||
if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
|
||||
if (ex == NULL) {
|
||||
DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
|
||||
@@ -1510,18 +1484,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
|
||||
pkey = NULL;
|
||||
|
||||
err:
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
if (pubrsa != NULL) {
|
||||
RSA_free(pubrsa);
|
||||
}
|
||||
#else
|
||||
if (ex != NULL) {
|
||||
BN_free(ex);
|
||||
}
|
||||
#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
|
||||
if (pkey != NULL) {
|
||||
EVP_PKEY_free(pkey);
|
||||
}
|
||||
@@ -1648,7 +1616,7 @@ check_algorithm(unsigned char algorithm) {
|
||||
int status;
|
||||
isc_result_t ret = ISC_R_SUCCESS;
|
||||
size_t len;
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
RSA *rsa = NULL;
|
||||
#else
|
||||
OSSL_PARAM *params = NULL;
|
||||
@@ -1694,7 +1662,7 @@ check_algorithm(unsigned char algorithm) {
|
||||
DST_RET(ISC_R_NOMEMORY);
|
||||
}
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
rsa = RSA_new();
|
||||
if (rsa == NULL) {
|
||||
DST_RET(dst__openssl_toresult2("RSA_new",
|
||||
@@ -1767,7 +1735,7 @@ check_algorithm(unsigned char algorithm) {
|
||||
err:
|
||||
BN_free(e);
|
||||
BN_free(n);
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L
|
||||
#if OPENSSL_VERSION_NUMBER < 0x30000000L || OPENSSL_API_LEVEL < 30000
|
||||
if (rsa != NULL) {
|
||||
RSA_free(rsa);
|
||||
}
|
||||
|