Merge branch 'tt-provider-engine' into 'main'

Fix keyfromlabel to not use engine parameter for provider keys

See merge request isc-projects/bind9!8153

CHANGES

@@ -1,3 +1,7 @@
+6223.	[func]		Make -E engine option for OpenSSL Engine API use only.
+			OpenSSL Provider API will now require engine to not be
+			set. [GL #8153]
+
 6222.	[func]		Fixes to provider/engine based ECDSA key handling. [GL !8152]
 
 6221.	[cleanup]	Refactor dns_rdataset internals, move rdatasetheader

lib/dns/dst_parse.c

@@ -189,10 +189,9 @@ check_rsa(const dst_private_t *priv, bool external) {
 
 	mask = (1ULL << TAG_SHIFT) - 1;
 
-	if (have[TAG_RSA_ENGINE & mask]) {
+	if (have[TAG_RSA_LABEL & mask]) {
 		ok = have[TAG_RSA_MODULUS & mask] &&
-		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
-		     have[TAG_RSA_LABEL & mask];
+		     have[TAG_RSA_PUBLICEXPONENT & mask];
 	} else {
 		ok = have[TAG_RSA_MODULUS & mask] &&
 		     have[TAG_RSA_PUBLICEXPONENT & mask] &&
@@ -234,11 +233,9 @@ check_ecdsa(const dst_private_t *priv, bool external) {
 
 	mask = (1ULL << TAG_SHIFT) - 1;
 
-	if (have[TAG_ECDSA_ENGINE & mask]) {
-		ok = have[TAG_ECDSA_LABEL & mask];
-	} else {
-		ok = have[TAG_ECDSA_PRIVATEKEY & mask];
-	}
+	ok = have[TAG_ECDSA_LABEL & mask] ||
+	     have[TAG_ECDSA_PRIVATEKEY & mask];
+
 	return (ok ? 0 : -1);
 }
 
@@ -270,11 +267,9 @@ check_eddsa(const dst_private_t *priv, bool external) {
 
 	mask = (1ULL << TAG_SHIFT) - 1;
 
-	if (have[TAG_EDDSA_ENGINE & mask]) {
-		ok = have[TAG_EDDSA_LABEL & mask];
-	} else {
-		ok = have[TAG_EDDSA_PRIVATEKEY & mask];
-	}
+	ok = have[TAG_EDDSA_LABEL & mask] ||
+	     have[TAG_EDDSA_PRIVATEKEY & mask];
+
 	return (ok ? 0 : -1);
 }
 

lib/dns/openssl_link.c

@@ -81,32 +81,28 @@ enable_fips_mode(void) {
 
 isc_result_t
 dst__openssl_init(const char *engine) {
-	isc_result_t result = ISC_R_SUCCESS;
-
 	enable_fips_mode();
 
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
 	if (engine != NULL && *engine == '\0') {
 		engine = NULL;
 	}
 
-	if (engine != NULL) {
-		global_engine = ENGINE_by_id(engine);
-		if (global_engine == NULL) {
-			result = DST_R_NOENGINE;
-			goto cleanup_rm;
-		}
-		if (!ENGINE_init(global_engine)) {
-			result = DST_R_NOENGINE;
-			goto cleanup_rm;
-		}
-		/* This will init the engine. */
-		if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
-			result = DST_R_NOENGINE;
-			goto cleanup_init;
-		}
+	if (engine == NULL) {
+		return (ISC_R_SUCCESS);
 	}
 
+#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
+	global_engine = ENGINE_by_id(engine);
+	if (global_engine == NULL) {
+		goto cleanup_rm;
+	}
+	if (!ENGINE_init(global_engine)) {
+		goto cleanup_rm;
+	}
+	/* This will init the engine. */
+	if (!ENGINE_set_default(global_engine, ENGINE_METHOD_ALL)) {
+		goto cleanup_init;
+	}
 	return (ISC_R_SUCCESS);
 cleanup_init:
 	ENGINE_finish(global_engine);
@@ -115,10 +111,8 @@ cleanup_rm:
 		ENGINE_free(global_engine);
 	}
 	global_engine = NULL;
-#else
-	UNUSED(engine);
 #endif /* if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000 */
-	return (result);
+	return (DST_R_NOENGINE);
 }
 
 void
@@ -242,9 +236,6 @@ dst__openssl_fromlabel_engine(int key_base_id, const char *engine,
 
 	UNUSED(pin);
 
-	if (engine == NULL) {
-		DST_RET(DST_R_NOENGINE);
-	}
 	e = dst__openssl_getengine(engine);
 	if (e == NULL) {
 		DST_RET(dst__openssl_toresult(DST_R_NOENGINE));
@@ -281,15 +272,13 @@ err:
 }
 
 static isc_result_t
-dst__openssl_fromlabel_provider(int key_base_id, const char *engine,
-				const char *label, const char *pin,
+dst__openssl_fromlabel_provider(int key_base_id, const char *label, const char *pin,
 				EVP_PKEY **ppub, EVP_PKEY **ppriv) {
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 	isc_result_t ret = DST_R_OPENSSLFAILURE;
 	OSSL_STORE_CTX *ctx = NULL;
 
 	UNUSED(pin);
-	UNUSED(engine);
 
 	ctx = OSSL_STORE_open(label, NULL, NULL, NULL, NULL);
 	if (!ctx) {
@@ -335,7 +324,6 @@ err:
 	return (ret);
 #else
 	UNUSED(key_base_id);
-	UNUSED(engine);
 	UNUSED(label);
 	UNUSED(pin);
 	UNUSED(ppub);
@@ -347,12 +335,9 @@ err:
 isc_result_t
 dst__openssl_fromlabel(int key_base_id, const char *engine, const char *label,
 		       const char *pin, EVP_PKEY **ppub, EVP_PKEY **ppriv) {
-	isc_result_t result;
-
-	result = dst__openssl_fromlabel_provider(key_base_id, engine, label,
-						 pin, ppub, ppriv);
-	if (result != DST_R_OPENSSLFAILURE) {
-		return (result);
+	if (engine == NULL) {
+		return (dst__openssl_fromlabel_provider(key_base_id, label,
+						        pin, ppub, ppriv));
 	}
 
 	return (dst__openssl_fromlabel_engine(key_base_id, engine, label, pin,

lib/dns/opensslecdsa_link.c

@@ -997,7 +997,9 @@ opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 		goto err;
 	}
 
-	key->engine = isc_mem_strdup(key->mctx, engine);
+	if (engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
 	key->label = isc_mem_strdup(key->mctx, label);
 	key->key_size = EVP_PKEY_bits(privpkey);
 	key->keydata.pkeypair.priv = privpkey;

lib/dns/openssleddsa_link.c

@@ -527,7 +527,9 @@ openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 		goto err;
 	}
 
-	key->engine = isc_mem_strdup(key->mctx, engine);
+	if (key->engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
 	key->label = isc_mem_strdup(key->mctx, label);
 	key->key_size = EVP_PKEY_bits(privpkey);
 	key->keydata.pkeypair.priv = privpkey;

lib/dns/opensslrsa_link.c

@@ -1051,7 +1051,9 @@ opensslrsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
 		DST_RET(ISC_R_RANGE);
 	}
 
-	key->engine = isc_mem_strdup(key->mctx, engine);
+	if (key->engine != NULL) {
+		key->engine = isc_mem_strdup(key->mctx, engine);
+	}
 	key->label = isc_mem_strdup(key->mctx, label);
 	key->key_size = EVP_PKEY_bits(privpkey);
 	key->keydata.pkeypair.priv = privpkey;