ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Remove DH_clear_flags call

Browse Source 
These calls have not been needed since OpenSSL 0.9.7h.

This dates to commit 704d6eeab1, "Work
around non-reentrancy in openssl by disabling precomputation in keys".
This was in the bundled OpenSSL 0.9.3a era and made two changes. First,
it registered a locking callback because, in those days, OpenSSL needed
a callback to support locks. Second, it set flags to disable various
bits of cached state on DH, DSA, and RSA objects.

Looking back in OpenSSL 0.9.3a, that cached state was not protected by a
lock:
https://github.com/openssl/openssl/blob/OpenSSL_0_9_3a/crypto/rsa/rsa_eay.c#L137-L142

However, this was fixed in OpenSSL 0.9.7h:
6ec8e63af6

The other flags (DSA and RSA) have since fallen away, DSA with the
removal of DSA altogether (3994b1f9c2) and
RSA with 3a8d4a316e, "openssl 0.9.6a and
higher don't have the RSA locking bug [...] other algorithms still don't
do locking when performing precomputation [...]".

That seems to be referring to this OpenSSL change, which indeed fixed it
for RSA but not others:
bb617a9646

The 0.9.7h change above fixed it across the board, but there was never a
similar update to the workaround for DSA and DH. With such OpenSSL
versions long since out of support, the last remains of this workaround
can finally be removed.
This commit is contained in:
David Benjamin
2022-06-13 23:37:55 -04:00
committed by Ondřej Surý
parent 723f5a0769
commit e507ea2c85
2 changed files with 0 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/dns/openssl_shim.h
View File

@@ -72,8 +72,6 @@ DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
int
DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
#define DH_clear_flags(d, f) ((d)->flags &= ~(f))
#endif /* !HAVE_DH_GET0_KEY */
#if !HAVE_ERR_GET_ERROR_ALL

3
lib/dns/openssldh_link.c
View File

@@ -492,7 +492,6 @@ openssldh_generate(dst_key_t *key, int generator, void (*callback)(int)) {
DST_RET(dst__openssl_toresult2("DH_generate_key",
DST_R_OPENSSLFAILURE));
}
DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
key->keydata.dh = dh;
dh = NULL;
#else
@@ -785,7 +784,6 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {
if (dh == NULL) {
DST_RET(dst__openssl_toresult(ISC_R_NOMEMORY));
}
DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
#else
bld = OSSL_PARAM_BLD_new();
if (bld == NULL) {
@@ -1116,7 +1114,6 @@ openssldh_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
if (dh == NULL) {
DST_RET(ISC_R_NOMEMORY);
}
DH_clear_flags(dh, DH_FLAG_CACHE_MONT_P);
#else
bld = OSSL_PARAM_BLD_new();
if (bld == NULL) {