diff --git a/CHANGES b/CHANGES
index ace5d58b93..9bdd9a7776 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6223. [func] Make -E engine option for OpenSSL Engine API use only.
+ OpenSSL Provider API will now require engine to not be
+ set. [GL #8153]
+
6222. [func] Fixes to provider/engine based ECDSA key handling.
[GL !8152]
6221. [cleanup] Refactor dns_rdataset internals, move rdatasetheader
diff --git a/lib/dns/dst_parse.c b/lib/dns/dst_parse.c
index 375c1bcf8f..4998879248 100644
--- a/lib/dns/dst_parse.c
+++ b/lib/dns/dst_parse.c
@@ -189,10 +189,9 @@ check_rsa(const dst_private_t *priv, bool external) {
mask = (1ULL << TAG_SHIFT) - 1;
- if (have[TAG_RSA_ENGINE & mask]) {
+ if (have[TAG_RSA_LABEL & mask]) {
ok = have[TAG_RSA_MODULUS & mask] &&
- have[TAG_RSA_PUBLICEXPONENT & mask] &&
- have[TAG_RSA_LABEL & mask];
+ have[TAG_RSA_PUBLICEXPONENT & mask];
} else {
ok = have[TAG_RSA_MODULUS & mask] &&
have[TAG_RSA_PUBLICEXPONENT & mask] &&
@@ -234,11 +233,9 @@ check_ecdsa(const dst_private_t *priv, bool external) {
mask = (1ULL << TAG_SHIFT) - 1;
- if (have[TAG_ECDSA_ENGINE & mask]) {
- ok = have[TAG_ECDSA_LABEL & mask];
- } else {
- ok = have[TAG_ECDSA_PRIVATEKEY & mask];
- }
+ ok = have[TAG_ECDSA_LABEL & mask] ||
+ have[TAG_ECDSA_PRIVATEKEY & mask];
+ return (ok ? 0 : -1);
}
@@ -270,11 +267,9 @@ check_eddsa(const dst_private_t *priv, bool external) {
mask = (1ULL << TAG_SHIFT) - 1;
- if (have[TAG_EDDSA_ENGINE & mask]) {
- ok = have[TAG_EDDSA_LABEL & mask];
- } else {
- ok = have[TAG_EDDSA_PRIVATEKEY & mask];
- }
+ ok = have[TAG_EDDSA_LABEL & mask] ||
+ have[TAG_EDDSA_PRIVATEKEY & mask];
+ return (ok ? 0 : -1);
}
diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c
index 3e624d5710..2aef28b930 100644
--- a/lib/dns/openssl_link.c
+++ b/lib/dns/openssl_link.c
@@ -81,32 +81,28 @@ enable_fips_mode(void) {
isc_result_t
dst__openssl_init(const char *engine) {
- isc_result_t result = ISC_R_SUCCESS;
- enable_fips_mode();
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
if (engine != NULL && *engine == '\0') {
engine = NULL;
}
- if (engine != NULL) {
- global_engine = ENGINE_by_id(engine);
- if (global_engine == NULL) {
- result = DST_R_NOENGINE;
- goto cleanup_rm;
- }
- if (!ENGINE_init(global_engine)) {
- result = DST_R_NOENGINE;
- goto cleanup_rm;
- }
- /* This will init the engine. */
- if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
- result = DST_R_NOENGINE;
- goto cleanup_init;
- }
+ if (engine == NULL) {
+ return (ISC_R_SUCCESS);
}
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+ global_engine = ENGINE_by_id(engine);
+ if (global_engine == NULL) {
+ goto cleanup_rm;
+ }
+ if (!ENGINE_init(global_engine)) {
+ goto cleanup_rm;
+ }
+ /* This will init the engine. */
+ if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
+ goto cleanup_init;
+ }
return (ISC_R_SUCCESS);
cleanup_init:
ENGINE_finish(global_engine);
@@ -115,10 +111,8 @@ cleanup_rm:
ENGINE_free(global_engine);
}
global_engine = NULL;
-#else
- UNUSED(engine);
#endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
- return (result);
+ return (DST_R_NOENGINE);
}
void
@@ -242,9 +236,6 @@ dst__openssl_fromlabel_engine(int key_base_id, const char *engine,
UNUSED(pin);
- if (engine == NULL) {
- DST_RET(DST_R_NOENGINE);
- }
e = dst__openssl_getengine(engine);
if (e == NULL) {
DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
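Review bot: In the collapsed form of this hunk `- enable_fips_mode();` at the top of dst__openssl_init can be read either as a removed blank line followed by the unchanged call or as the call itself being removed; if it is the latter, nothing in the new body enables FIPS mode any more, and the static enable_fips_mode() defined just above (named in the hunk header) would become unused. Please confirm `enable_fips_mode();` is still the first statement of the new body, before the `*engine == '\0'` normalisation. The new early `return (ISC_R_SUCCESS)` for a NULL engine is correct, but the reason the ENGINE block is now entered unconditionally deserves a comment above the `#if`, e.g. `/* A non-empty -E name is only honoured by the ENGINE API; provider-only builds reject it below. */`. The function's cleanup labels continue in the following hunk.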
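Review bot: Removing the `engine == NULL` check from dst__openssl_fromlabel_engine shifts the invariant onto the caller; the one caller visible later in this diff (dst__openssl_fromlabel) does route NULL elsewhere, but inside this function the only remaining defence is whatever `dst__openssl_getengine(NULL)` returns, which is not visible here and may well be a global engine rather than NULL. A NULL engine reaching this path would then silently bind the label to that engine instead of failing. Keeping the removed three lines, `if (engine == NULL) { DST_RET(DST_R_NOENGINE); }`, costs nothing and makes the contract explicit. The function begins before and ends after this hunk.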
@@ -281,15 +272,13 @@ err:
}
static isc_result_t
-dst__openssl_fromlabel_provider(int key_base_id, const char *engine,
- const char *label, const char *pin,
+dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin,
EVP_PKEY **ppub, EVP_PKEY **ppriv) {
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
isc_result_t ret = DST_R_OPENSSLFAILURE;
OSSL_STORE_CTX *ctx = NULL;
UNUSED(pin);
- UNUSED(engine);
ctx = OSSL_STORE_open(label, NULL, NULL, NULL, NULL);
if (!ctx) {
@@ -335,7 +324,6 @@ err:
return (ret);
#else
UNUSED(key_base_id);
- UNUSED(engine);
UNUSED(label);
UNUSED(pin);
UNUSED(ppub);
@@ -347,12 +335,9 @@ err:
isc_result_t
dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {
- isc_result_t result;
-
- result = dst__openssl_fromlabel_provider(key_base_id, engine, label,
- pin, ppub, ppriv);
- if (result != DST_R_OPENSSLFAILURE) {
- return (result);
+ if (engine == NULL) {
+ return (dst__openssl_fromlabel_provider(key_base_id, label,
+ pin, ppub, ppriv));
}
return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin,
diff --git a/lib/dns/opensslecdsa_link.c b/lib/dns/opensslecdsa_link.c
index f87b36dbe2..f133fe64e8 100644
--- a/lib/dns/opensslecdsa_link.c
+++ b/lib/dns/opensslecdsa_link.c
@@ -997,7 +997,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
goto err;
}
- key->engine = isc_mem_strdup(key->mctx, engine);
+ if (engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ }
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;
diff --git a/lib/dns/openssleddsa_link.c b/lib/dns/openssleddsa_link.c
index 142aa1623a..f6d1fa3a14 100644
--- a/lib/dns/openssleddsa_link.c
+++ b/lib/dns/openssleddsa_link.c
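Review bot: The new signature line `dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin,` appears to run past the 80-column limit the neighbouring dst__openssl_fromlabel signature keeps (its parameters wrap after `const char *label,`), so this looks like it was edited by hand rather than run through the project's clang-format. Wrapping it the same way, `dst__openssl_fromlabel_provider(int key_base_id, const char *label,` followed by `const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {`, keeps the file consistent. The function body continues past this hunk.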
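Review bot: dst__openssl_fromlabel now selects the backend purely on whether `engine` is NULL, whereas the removed code tried the provider path first and fell back on DST_R_OPENSSLFAILURE; that is a deliberate behaviour change (an engine name no longer gets a provider attempt at all) and deserves a comment at the `if (engine == NULL)` so nobody reinstates the fallback, e.g. `/* No -E engine: load via the OpenSSL 3 provider/OSSL_STORE path; an engine name always selects the legacy ENGINE API. */`. Note also that in an OpenSSL 3 build the engine branch's outcome is determined inside dst__openssl_fromlabel_engine, whose pre-3.0-only body is not shown here; it is worth checking that it returns DST_R_NOENGINE there rather than a generic failure, so the CHANGES wording holds. The function's final return continues past the hunk.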
@@ -527,7 +527,9 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
goto err;
}
- key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ }
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;
diff --git a/lib/dns/opensslrsa_link.c b/lib/dns/opensslrsa_link.c
index cb815b73cc..54ab04dcf7 100644
--- a/lib/dns/opensslrsa_link.c
+++ b/lib/dns/opensslrsa_link.c
@@ -1051,7 +1051,9 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
DST_RET(ISC_R_RANGE);
}
- key->engine = isc_mem_strdup(key->mctx, engine);
+ if (key->engine != NULL) {
+ key->engine = isc_mem_strdup(key->mctx, engine);
+ }
key->label = isc_mem_strdup(key->mctx, label);
key->key_size = EVP_PKEY_bits(privpkey);
key->keydata.pkeypair.priv = privpkey;
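Review bot: The guard in openssleddsa_fromlabel tests the wrong variable: `if (key->engine != NULL)` checks the field it is about to assign rather than the `engine` argument, so on a freshly created key (where key->engine is presumably still NULL) the engine name is never recorded, and in the only case the branch does run it overwrites an existing string without freeing it and passes a possibly-NULL `engine` to isc_mem_strdup. The ECDSA counterpart earlier in this diff has it right; change the line to `if (engine != NULL) {`. Because the stored engine name is what later distinguishes an ENGINE-backed key from a provider label when the key is reloaded, losing it would silently route an engine key down the provider path. The function begins before this hunk.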
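Review bot: opensslrsa_fromlabel has the same inverted guard as the EdDSA hunk: `if (key->engine != NULL)` inspects the destination field instead of the `engine` parameter, so the name passed in is dropped when key->engine starts out NULL and, should it ever be non-NULL, the old string is leaked and a NULL `engine` can reach isc_mem_strdup. Replace it with `if (engine != NULL) {` to match the ECDSA change. A test that loads an RSA key with a non-NULL engine and asserts key->engine is populated would have caught this. The function begins before this hunk.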