Make OpenSSL mandatory

2025-08-31 06:25:31 +00:00 · 2018-06-12 11:26:04 +02:00
parent 3322e41eeb
commit c3b8130fe8
146 changed files with 2012 additions and 8914 deletions
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -123,7 +123,6 @@ static isc_result_t	addsuffix(char *filename, int len,
 			return (_r);		\
 	} while (0);				\

-#if HAVE_OPENSSL
 static void *
 default_memalloc(void *arg, size_t size) {
 	UNUSED(arg);
@@ -137,7 +136,6 @@ default_memfree(void *arg, void *ptr) {
 	UNUSED(arg);
 	free(ptr);
 }
-#endif

 isc_result_t
 dst_lib_init(isc_mem_t *mctx, const char *engine) {
@@ -150,7 +148,6 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {

 	dst__memory_pool = NULL;

-#if HAVE_OPENSSL
 	UNUSED(mctx);
 	/*
 	 * When using --with-openssl, there seems to be no good way of not
@@ -168,27 +165,20 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 #ifndef OPENSSL_LEAKS
 	isc_mem_setdestroycheck(dst__memory_pool, ISC_FALSE);
 #endif
-#else /* HAVE_OPENSSL */
-	isc_mem_attach(mctx, &dst__memory_pool);
-#endif /* HAVE_OPENSSL */

 	dst_result_register();

 	memset(dst_t_func, 0, sizeof(dst_t_func));
-#ifndef PK11_MD5_DISABLE
 	RETERR(dst__hmacmd5_init(&dst_t_func[DST_ALG_HMACMD5]));
-#endif
 	RETERR(dst__hmacsha1_init(&dst_t_func[DST_ALG_HMACSHA1]));
 	RETERR(dst__hmacsha224_init(&dst_t_func[DST_ALG_HMACSHA224]));
 	RETERR(dst__hmacsha256_init(&dst_t_func[DST_ALG_HMACSHA256]));
 	RETERR(dst__hmacsha384_init(&dst_t_func[DST_ALG_HMACSHA384]));
 	RETERR(dst__hmacsha512_init(&dst_t_func[DST_ALG_HMACSHA512]));
-#if HAVE_OPENSSL
 	RETERR(dst__openssl_init(engine));
-#ifndef PK11_MD5_DISABLE
+#if USE_OPENSSL
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSAMD5],
 				    DST_ALG_RSAMD5));
-#endif
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA1],
 				    DST_ALG_RSASHA1));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1],
@@ -197,40 +187,30 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 				    DST_ALG_RSASHA256));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
 				    DST_ALG_RSASHA512));
-#if defined(HAVE_OPENSSL_DSA) && !defined(PK11_DSA_DISABLE)
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__openssldsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
-#endif
-#ifndef PK11_DH_DISABLE
 	RETERR(dst__openssldh_init(&dst_t_func[DST_ALG_DH]));
-#endif
-#ifdef HAVE_OPENSSL_ECDSA
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
 	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
-#endif
 #ifdef HAVE_OPENSSL_ED25519
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
 #endif
 #ifdef HAVE_OPENSSL_ED448
 	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
 #endif
-#elif HAVE_PKCS11
+#endif /* USE_OPENSSL */
+
+#if USE_PKCS11
 	RETERR(dst__pkcs11_init(mctx, engine));
-#ifndef PK11_MD5_DISABLE
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSAMD5]));
-#endif
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA1]));
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_NSEC3RSASHA1]));
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA256]));
 	RETERR(dst__pkcs11rsa_init(&dst_t_func[DST_ALG_RSASHA512]));
-#ifndef PK11_DSA_DISABLE
 	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_DSA]));
 	RETERR(dst__pkcs11dsa_init(&dst_t_func[DST_ALG_NSEC3DSA]));
-#endif
-#ifndef PK11_DH_DISABLE
 	RETERR(dst__pkcs11dh_init(&dst_t_func[DST_ALG_DH]));
-#endif
-#ifdef HAVE_PKCS11_ECDSA
+#if HAVE_PKCS11_ECDSA
 	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
 	RETERR(dst__pkcs11ecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
 #endif
@@ -240,7 +220,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 #ifdef HAVE_PKCS11_ED448
 	RETERR(dst__pkcs11eddsa_init(&dst_t_func[DST_ALG_ED448]));
 #endif
-#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
+#endif /* USE_PKCS11 */
 #ifdef GSSAPI
 	RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
 #endif
@@ -264,13 +244,10 @@ dst_lib_destroy(void) {
 	for (i = 0; i < DST_MAX_ALGS; i++)
 		if (dst_t_func[i] != NULL && dst_t_func[i]->cleanup != NULL)
 			dst_t_func[i]->cleanup();
-#if HAVE_OPENSSL
 	dst__openssl_destroy();
-#elif HAVE_PKCS11
+#if USE_PKCS11
 	(void) dst__pkcs11_destroy();
-#else
-#error Either OpenSSL or PKCS#11 cryptographic provider needed.
-#endif /* if HAVE_OPENSSL, elif HAVE_PKCS11 */
+#endif /* USE_PKCS11 */
 	if (dst__memory_pool != NULL)
 		isc_mem_detach(&dst__memory_pool);
 }
@@ -1050,10 +1027,8 @@ comparekeys(const dst_key_t *key1, const dst_key_t *key2,
 	if (key1->key_id != key2->key_id) {
 		if (!match_revoked_key)
 			return (ISC_FALSE);
-#ifndef PK11_MD5_DISABLE
 		if (key1->key_alg == DST_ALG_RSAMD5)
 			return (ISC_FALSE);
-#endif
 		if ((key1->key_flags & DNS_KEYFLAG_REVOKE) ==
 		    (key2->key_flags & DNS_KEYFLAG_REVOKE))
 			return (ISC_FALSE);
@@ -1216,21 +1191,17 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {

 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
-#endif
 	case DST_ALG_RSASHA1:
 	case DST_ALG_NSEC3RSASHA1:
 	case DST_ALG_RSASHA256:
 	case DST_ALG_RSASHA512:
 		*n = (key->key_size + 7) / 8;
 		break;
-#ifndef PK11_DSA_DISABLE
 	case DST_ALG_DSA:
 	case DST_ALG_NSEC3DSA:
 		*n = DNS_SIG_DSASIGSIZE;
 		break;
-#endif
 	case DST_ALG_ECDSA256:
 		*n = DNS_SIG_ECDSA256SIZE;
 		break;
@@ -1243,11 +1214,9 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	case DST_ALG_ED448:
 		*n = DNS_SIG_ED448SIZE;
 		break;
-#ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
 		*n = 16;
 		break;
-#endif
 	case DST_ALG_HMACSHA1:
 		*n = ISC_SHA1_DIGESTLENGTH;
 		break;
@@ -1266,9 +1235,7 @@ dst_key_sigsize(const dst_key_t *key, unsigned int *n) {
 	case DST_ALG_GSSAPI:
 		*n = 128; /*%< XXX */
 		break;
-#ifndef PK11_DH_DISABLE
 	case DST_ALG_DH:
-#endif
 	default:
 		return (DST_R_UNSUPPORTEDALG);
 	}
@@ -1281,15 +1248,11 @@ dst_key_secretsize(const dst_key_t *key, unsigned int *n) {
 	REQUIRE(VALID_KEY(key));
 	REQUIRE(n != NULL);

-#ifndef PK11_DH_DISABLE
-	if (key->key_alg == DST_ALG_DH)
+	if (key->key_alg == DST_ALG_DH) {
 		*n = (key->key_size + 7) / 8;
-	else
-#endif
-		return (DST_R_UNSUPPORTEDALG);
-#ifndef PK11_DH_DISABLE
-	return (ISC_R_SUCCESS);
-#endif
+		return (ISC_R_SUCCESS);
+	}
+	return (DST_R_UNSUPPORTEDALG);
 }

 /*%
@@ -1568,28 +1531,20 @@ issymmetric(const dst_key_t *key) {

 	/* XXXVIX this switch statement is too sparse to gen a jump table. */
 	switch (key->key_alg) {
-#ifndef PK11_MD5_DISABLE
 	case DST_ALG_RSAMD5:
-#endif
 	case DST_ALG_RSASHA1:
 	case DST_ALG_NSEC3RSASHA1:
 	case DST_ALG_RSASHA256:
 	case DST_ALG_RSASHA512:
-#ifndef PK11_DSA_DISABLE
 	case DST_ALG_DSA:
 	case DST_ALG_NSEC3DSA:
-#endif
-#ifndef PK11_DH_DISABLE
 	case DST_ALG_DH:
-#endif
 	case DST_ALG_ECDSA256:
 	case DST_ALG_ECDSA384:
 	case DST_ALG_ED25519:
 	case DST_ALG_ED448:
 		return (ISC_FALSE);
-#ifndef PK11_MD5_DISABLE
 	case DST_ALG_HMACMD5:
-#endif
 	case DST_ALG_HMACSHA1:
 	case DST_ALG_HMACSHA224:
 	case DST_ALG_HMACSHA256: