Remove engine related parts for OpenSSL 3.0

OpenSSL just cannot work with mixing ENGINE_* api mixed with OSSL_PARAM
builders. But it can be built in legacy mode, where deprecated but still
working API would be used.

It can work under OpenSSL 3.0, but only if using legacy code paths
matching OpenSSL 1.1 calls and functions.

Remove fromlabel processing by OpenSSL 3.0 only functions. They can
return later with a proper provider support for pkcs11.

lib/dns/opensslecdsa_link.c

@@ -1311,15 +1311,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 #if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	isc_result_t ret = ISC_R_SUCCESS;
 	ENGINE *e;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	EC_KEY *eckey = NULL;
 	EC_KEY *pubeckey = NULL;
 	int group_nid;
-#else
-	size_t len;
-	const char *curve_name, *nist_curve_name;
-	char buf[128]; /* Sufficient for all of the supported curves' names. */
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 	EVP_PKEY *pkey = NULL;
 	EVP_PKEY *pubpkey = NULL;
 
@@ -1336,22 +1330,11 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 		DST_RET(DST_R_NOENGINE);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (key->key_alg == DST_ALG_ECDSA256) {
 		group_nid = NID_X9_62_prime256v1;
 	} else {
 		group_nid = NID_secp384r1;
 	}
-#else
-	/* Get the expected curve names */
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		curve_name = "prime256v1";
-		nist_curve_name = "P-256";
-	} else {
-		curve_name = "secp384r1";
-		nist_curve_name = "P-384";
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 	/* Load private key. */
 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
@@ -1363,7 +1346,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	if (EVP_PKEY_base_id(pkey) != EVP_PKEY_EC) {
 		DST_RET(DST_R_INVALIDPRIVATEKEY);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	eckey = EVP_PKEY_get1_EC_KEY(pkey);
 	if (eckey == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1371,20 +1353,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey)) != group_nid) {
 		DST_RET(DST_R_INVALIDPRIVATEKEY);
 	}
-#else
-	len = 0;
-	if (EVP_PKEY_get_utf8_string_param(pkey, OSSL_PKEY_PARAM_GROUP_NAME,
-					   buf, sizeof buf, &len) != 1 ||
-	    len == 0 || len >= sizeof buf)
-	{
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
-	{
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 	/* Load public key. */
 	pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
@@ -1396,7 +1364,6 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	if (EVP_PKEY_base_id(pubpkey) != EVP_PKEY_EC) {
 		DST_RET(DST_R_INVALIDPUBLICKEY);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	pubeckey = EVP_PKEY_get1_EC_KEY(pubpkey);
 	if (pubeckey == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1404,30 +1371,10 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	if (EC_GROUP_get_curve_name(EC_KEY_get0_group(pubeckey)) != group_nid) {
 		DST_RET(DST_R_INVALIDPUBLICKEY);
 	}
-#else
-	len = 0;
-	if (EVP_PKEY_get_utf8_string_param(pubpkey, OSSL_PKEY_PARAM_GROUP_NAME,
-					   buf, sizeof buf, &len) != 1 ||
-	    len == 0 || len >= sizeof buf)
-	{
-		DST_RET(DST_R_INVALIDPUBLICKEY);
-	}
-	if (strncasecmp(buf, curve_name, strlen(curve_name)) != 0 &&
-	    strncasecmp(buf, nist_curve_name, strlen(nist_curve_name)) != 0)
-	{
-		DST_RET(DST_R_INVALIDPUBLICKEY);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 	}
-#else
-	if (ecdsa_check(&pkey, pubpkey) != ISC_R_SUCCESS) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 	key->label = isc_mem_strdup(key->mctx, label);
 	key->engine = isc_mem_strdup(key->mctx, engine);
@@ -1442,14 +1389,12 @@ err:
 	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (pubeckey != NULL) {
 		EC_KEY_free(pubeckey);
 	}
 	if (eckey != NULL) {
 		EC_KEY_free(eckey);
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 	return (ret);
 #else

lib/dns/opensslrsa_link.c

@@ -1172,7 +1172,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 		key->engine = isc_mem_strdup(key->mctx, engine);
 		key->label = isc_mem_strdup(key->mctx, label);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 		rsa = EVP_PKEY_get1_RSA(pkey);
 		if (rsa == NULL) {
 			DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1181,16 +1180,6 @@ opensslrsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 		}
 		RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
-		if (rsa_check(pkey, pub != NULL ? pub->keydata.pkey : NULL) !=
-		    ISC_R_SUCCESS) {
-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-		}
-		if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) !=
-		    1) {
-			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-		}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 		if (ex == NULL) {
 			DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@@ -1442,12 +1431,8 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	ENGINE *e = NULL;
 	isc_result_t ret = ISC_R_SUCCESS;
 	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	RSA *rsa = NULL, *pubrsa = NULL;
 	const BIGNUM *ex = NULL;
-#else
-	BIGNUM *ex = NULL;
-#endif
 
 	UNUSED(pin);
 
@@ -1464,12 +1449,10 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 		DST_RET(dst__openssl_toresult2("ENGINE_load_public_key",
 					       DST_R_OPENSSLFAILURE));
 	}
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	pubrsa = EVP_PKEY_get1_RSA(pubpkey);
 	if (pubrsa == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
 	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
 	if (pkey == NULL) {
@@ -1480,7 +1463,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	key->engine = isc_mem_strdup(key->mctx, engine);
 	key->label = isc_mem_strdup(key->mctx, label);
 
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	if (rsa == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_OPENSSLFAILURE));
@@ -1489,14 +1471,6 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
 	}
 	RSA_get0_key(rsa, NULL, &ex, NULL);
-#else
-	if (rsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-	if (EVP_PKEY_get_bn_param(pkey, OSSL_PKEY_PARAM_RSA_E, &ex) != 1) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 
 	if (ex == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_INVALIDPRIVATEKEY));
@@ -1510,18 +1484,12 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 	pkey = NULL;
 
 err:
-#if OPENSSL_VERSION_NUMBER < 0x30000000L
 	if (rsa != NULL) {
 		RSA_free(rsa);
 	}
 	if (pubrsa != NULL) {
 		RSA_free(pubrsa);
 	}
-#else
-	if (ex != NULL) {
-		BN_free(ex);
-	}
-#endif /* OPENSSL_VERSION_NUMBER < 0x30000000L */
 	if (pkey != NULL) {
 		EVP_PKEY_free(pkey);
 	}