mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-01 15:05:23 +00:00
Code Issues Releases Wiki Activity

Make the OpenSSL RSA fromlabel helper a generic one

Browse Source
This commit is contained in:
Timo Teräs
2022-12-26 19:31:26 +02:00
committed by Ondřej Surý
parent 56614a722a
commit a0404696d7
3 changed files with 56 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/dns/dst_openssl.h
View File

@@ -41,4 +41,8 @@ ENGINE *
dst__openssl_getengine(const char *engine); dst__openssl_getengine(const char *engine);
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
isc_result_t
dst__openssl_fromlabel(const char *engine, const char *label, const char *pin,
EVP_PKEY **ppub, EVP_PKEY **ppriv);
ISC_LANG_ENDDECLS ISC_LANG_ENDDECLS

46
lib/dns/openssl_link.c
View File

@@ -47,6 +47,12 @@
#include "openssl_shim.h" #include "openssl_shim.h"
#define DST_RET(a) \
{ \
ret = a; \
goto err; \
}
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
static ENGINE *global_engine = NULL; static ENGINE *global_engine = NULL;
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
@@ -219,4 +225,44 @@ dst__openssl_getengine(const char *engine) {
} }
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */ #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
isc_result_t
dst__openssl_fromlabel(const char *engine, const char *label, const char *pin,
EVP_PKEY **ppub, EVP_PKEY **ppriv) {
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
isc_result_t ret = ISC_R_SUCCESS;
ENGINE *e = NULL;
UNUSED(pin);
if (engine == NULL) {
DST_RET(DST_R_NOENGINE);
}
e = dst__openssl_getengine(engine);
if (e == NULL) {
DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
}
*ppub = ENGINE_load_public_key(e, label, NULL, NULL);
if (*ppub == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
DST_R_OPENSSLFAILURE));
}
*ppriv = ENGINE_load_private_key(e, label, NULL, NULL);
if (*ppriv == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
DST_R_OPENSSLFAILURE));
}
err:
return (ret);
#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
UNUSED(engine);
UNUSED(label);
UNUSED(pin);
UNUSED(ppub);
UNUSED(ppriv);
return (DST_R_NOENGINE);
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
}
/*! \file */ /*! \file */

44
lib/dns/opensslrsa_link.c
View File

@@ -21,9 +21,6 @@
#include <openssl/objects.h> #include <openssl/objects.h>
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#include <openssl/rsa.h> #include <openssl/rsa.h>
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
#include <openssl/engine.h>
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
#if OPENSSL_VERSION_NUMBER >= 0x30000000L #if OPENSSL_VERSION_NUMBER >= 0x30000000L
#include <openssl/core_names.h> #include <openssl/core_names.h>
#include <openssl/param_build.h> #include <openssl/param_build.h>
@@ -1106,36 +1103,18 @@ err:
static isc_result_t static isc_result_t
opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label, opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
const char *pin) { const char *pin) {
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE *e = NULL;
isc_result_t ret = ISC_R_SUCCESS;
EVP_PKEY *privpkey = NULL, *pubpkey = NULL; EVP_PKEY *privpkey = NULL, *pubpkey = NULL;
isc_result_t ret;
UNUSED(pin); ret = dst__openssl_fromlabel(engine, label, pin, &pubpkey, &privpkey);
if (ret != ISC_R_SUCCESS) {
if (engine == NULL) { goto err;
DST_RET(DST_R_NOENGINE);
}
e = dst__openssl_getengine(engine);
if (e == NULL) {
DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
} }
pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
if (pubpkey == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
DST_R_OPENSSLFAILURE));
}
if (!opensslrsa_check_exponent_bits(pubpkey, RSA_MAX_PUBEXP_BITS)) { if (!opensslrsa_check_exponent_bits(pubpkey, RSA_MAX_PUBEXP_BITS)) {
DST_RET(ISC_R_RANGE); DST_RET(ISC_R_RANGE);
} }
privpkey = ENGINE_load_private_key(e, label, NULL, NULL);
if (privpkey == NULL) {
DST_RET(dst__openssl_toresult2("ENGINE_load_private_key",
DST_R_OPENSSLFAILURE));
}
key->engine = isc_mem_strdup(key->mctx, engine); key->engine = isc_mem_strdup(key->mctx, engine);
key->label = isc_mem_strdup(key->mctx, label); key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey); key->key_size = EVP_PKEY_bits(privpkey);
@@ -1145,20 +1124,9 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
pubpkey = NULL; pubpkey = NULL;
err: err:
if (privpkey != NULL) { EVP_PKEY_free(privpkey);
EVP_PKEY_free(privpkey); EVP_PKEY_free(pubpkey);
}
if (pubpkey != NULL) {
EVP_PKEY_free(pubpkey);
}
return (ret); return (ret);
#else /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
UNUSED(key);
UNUSED(engine);
UNUSED(label);
UNUSED(pin);
return (DST_R_NOENGINE);
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
} }
static dst_func_t opensslrsa_functions = { static dst_func_t opensslrsa_functions = {