Merge opensslecdsa and openssleddsa

The two algorithms are similar enough to have a single openssl api.

CHANGES

@@ -1,3 +1,6 @@
+5551.	[bug]		Fix a crash in dnssec-keyfromlabel when using EC keys.
+			[GL #2178]
+
 5550.	[func]		Print a warning when falling back to the "increment" SOA
 			serial method. [GL #2058]
 

doc/notes/notes-current.rst

@@ -67,6 +67,9 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
+- Fix a crash in ``dnssec-keyfromlabel`` when operating on a Elliptic Curve
+  algorithm key. [GL #2178]
+
 - The synthesised CNAME from a DNAME was incorrectly followed when the QTYPE
   was CNAME or ANY. [GL #2280]
 

lib/dns/Makefile.am

@@ -265,8 +265,7 @@ libdns_la_SOURCES +=		\
 	pkcs11rsa_link.c
 else !HAVE_PKCS11
 libdns_la_SOURCES +=		\
-	opensslecdsa_link.c	\
-	openssleddsa_link.c	\
+	opensslec_link.c	\
 	opensslrsa_link.c
 endif
 

lib/dns/dst_api.c

@@ -212,13 +212,13 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 				    DST_ALG_RSASHA256));
 	RETERR(dst__opensslrsa_init(&dst_t_func[DST_ALG_RSASHA512],
 				    DST_ALG_RSASHA512));
-	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
-	RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
+	RETERR(dst__opensslec_init(&dst_t_func[DST_ALG_ECDSA256]));
+	RETERR(dst__opensslec_init(&dst_t_func[DST_ALG_ECDSA384]));
 #ifdef HAVE_OPENSSL_ED25519
-	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519]));
+	RETERR(dst__opensslec_init(&dst_t_func[DST_ALG_ED25519]));
 #endif /* ifdef HAVE_OPENSSL_ED25519 */
 #ifdef HAVE_OPENSSL_ED448
-	RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448]));
+	RETERR(dst__opensslec_init(&dst_t_func[DST_ALG_ED448]));
 #endif /* ifdef HAVE_OPENSSL_ED448 */
 #endif /* USE_OPENSSL */
 

lib/dns/dst_internal.h

@@ -221,11 +221,9 @@ dst__openssldh_init(struct dst_func **funcp);
 isc_result_t
 dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
 isc_result_t
-dst__opensslecdsa_init(struct dst_func **funcp);
-#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
+dst__opensslec_init(struct dst_func **funcp);
 isc_result_t
-dst__openssleddsa_init(struct dst_func **funcp);
-#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
+dst__opensslec_init(struct dst_func **funcp);
 #endif /* USE_OPENSSL */
 #if USE_PKCS11
 isc_result_t

lib/dns/opensslecdsa_link.c

@@ -1,915 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#include <stdbool.h>
-
-#include <openssl/bn.h>
-#include <openssl/ecdsa.h>
-#include <openssl/err.h>
-#include <openssl/objects.h>
-#if !defined(OPENSSL_NO_ENGINE)
-#include <openssl/engine.h>
-#endif
-
-#include <isc/mem.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#ifndef NID_X9_62_prime256v1
-#error "P-256 group is not known (NID_X9_62_prime256v1)"
-#endif /* ifndef NID_X9_62_prime256v1 */
-#ifndef NID_secp384r1
-#error "P-384 group is not known (NID_secp384r1)"
-#endif /* ifndef NID_secp384r1 */
-
-#define DST_RET(a)        \
-	{                 \
-		ret = a;  \
-		goto err; \
-	}
-
-#if !HAVE_ECDSA_SIG_GET0
-/* From OpenSSL 1.1 */
-static void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
-	if (pr != NULL) {
-		*pr = sig->r;
-	}
-	if (ps != NULL) {
-		*ps = sig->s;
-	}
-}
-
-static int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-	if (r == NULL || s == NULL) {
-		return (0);
-	}
-
-	BN_clear_free(sig->r);
-	BN_clear_free(sig->s);
-	sig->r = r;
-	sig->s = s;
-
-	return (1);
-}
-#endif /* !HAVE_ECDSA_SIG_GET0 */
-
-static isc_result_t
-opensslecdsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-	EVP_MD_CTX *evp_md_ctx;
-	const EVP_MD *type = NULL;
-
-	UNUSED(key);
-	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
-		dctx->key->key_alg == DST_ALG_ECDSA384);
-
-	evp_md_ctx = EVP_MD_CTX_create();
-	if (evp_md_ctx == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-	if (dctx->key->key_alg == DST_ALG_ECDSA256) {
-		type = EVP_sha256();
-	} else {
-		type = EVP_sha384();
-	}
-
-	if (!EVP_DigestInit_ex(evp_md_ctx, type, NULL)) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		return (dst__openssl_toresult3(
-			dctx->category, "EVP_DigestInit_ex", ISC_R_FAILURE));
-	}
-
-	dctx->ctxdata.evp_md_ctx = evp_md_ctx;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-opensslecdsa_destroyctx(dst_context_t *dctx) {
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
-		dctx->key->key_alg == DST_ALG_ECDSA384);
-
-	if (evp_md_ctx != NULL) {
-		EVP_MD_CTX_destroy(evp_md_ctx);
-		dctx->ctxdata.evp_md_ctx = NULL;
-	}
-}
-
-static isc_result_t
-opensslecdsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_ECDSA256 ||
-		dctx->key->key_alg == DST_ALG_ECDSA384);
-
-	if (!EVP_DigestUpdate(evp_md_ctx, data->base, data->length)) {
-		return (dst__openssl_toresult3(
-			dctx->category, "EVP_DigestUpdate", ISC_R_FAILURE));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static int
-BN_bn2bin_fixed(const BIGNUM *bn, unsigned char *buf, int size) {
-	int bytes = size - BN_num_bytes(bn);
-
-	while (bytes-- > 0) {
-		*buf++ = 0;
-	}
-	BN_bn2bin(bn, buf);
-	return (size);
-}
-
-static isc_result_t
-opensslecdsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_result_t ret;
-	dst_key_t *key = dctx->key;
-	isc_region_t region;
-	ECDSA_SIG *ecdsasig;
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	unsigned int dgstlen, siglen;
-	unsigned char digest[EVP_MAX_MD_SIZE];
-	const BIGNUM *r, *s;
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (eckey == NULL) {
-		return (ISC_R_FAILURE);
-	}
-
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		siglen = DNS_SIG_ECDSA256SIZE;
-	} else {
-		siglen = DNS_SIG_ECDSA384SIZE;
-	}
-
-	isc_buffer_availableregion(sig, &region);
-	if (region.length < siglen) {
-		DST_RET(ISC_R_NOSPACE);
-	}
-
-	if (!EVP_DigestFinal(evp_md_ctx, digest, &dgstlen)) {
-		DST_RET(dst__openssl_toresult3(
-			dctx->category, "EVP_DigestFinal", ISC_R_FAILURE));
-	}
-
-	ecdsasig = ECDSA_do_sign(digest, dgstlen, eckey);
-	if (ecdsasig == NULL) {
-		DST_RET(dst__openssl_toresult3(dctx->category, "ECDSA_do_sign",
-					       DST_R_SIGNFAILURE));
-	}
-	ECDSA_SIG_get0(ecdsasig, &r, &s);
-	BN_bn2bin_fixed(r, region.base, siglen / 2);
-	isc_region_consume(&region, siglen / 2);
-	BN_bn2bin_fixed(s, region.base, siglen / 2);
-	isc_region_consume(&region, siglen / 2);
-	ECDSA_SIG_free(ecdsasig);
-	isc_buffer_add(sig, siglen);
-	ret = ISC_R_SUCCESS;
-
-err:
-	EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_result_t ret;
-	dst_key_t *key = dctx->key;
-	int status;
-	unsigned char *cp = sig->base;
-	ECDSA_SIG *ecdsasig = NULL;
-	EVP_MD_CTX *evp_md_ctx = dctx->ctxdata.evp_md_ctx;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	unsigned int dgstlen, siglen;
-	unsigned char digest[EVP_MAX_MD_SIZE];
-	BIGNUM *r = NULL, *s = NULL;
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (eckey == NULL) {
-		return (ISC_R_FAILURE);
-	}
-
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		siglen = DNS_SIG_ECDSA256SIZE;
-	} else {
-		siglen = DNS_SIG_ECDSA384SIZE;
-	}
-
-	if (sig->length != siglen) {
-		return (DST_R_VERIFYFAILURE);
-	}
-
-	if (!EVP_DigestFinal_ex(evp_md_ctx, digest, &dgstlen)) {
-		DST_RET(dst__openssl_toresult3(
-			dctx->category, "EVP_DigestFinal_ex", ISC_R_FAILURE));
-	}
-
-	ecdsasig = ECDSA_SIG_new();
-	if (ecdsasig == NULL) {
-		DST_RET(ISC_R_NOMEMORY);
-	}
-	r = BN_bin2bn(cp, siglen / 2, NULL);
-	cp += siglen / 2;
-	s = BN_bin2bn(cp, siglen / 2, NULL);
-	ECDSA_SIG_set0(ecdsasig, r, s);
-	/* cp += siglen / 2; */
-
-	status = ECDSA_do_verify(digest, dgstlen, ecdsasig, eckey);
-	switch (status) {
-	case 1:
-		ret = ISC_R_SUCCESS;
-		break;
-	case 0:
-		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
-		break;
-	default:
-		ret = dst__openssl_toresult3(dctx->category, "ECDSA_do_verify",
-					     DST_R_VERIFYFAILURE);
-		break;
-	}
-
-err:
-	if (ecdsasig != NULL) {
-		ECDSA_SIG_free(ecdsasig);
-	}
-	EC_KEY_free(eckey);
-	return (ret);
-}
-
-static bool
-opensslecdsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	bool ret;
-	int status;
-	EVP_PKEY *pkey1 = key1->keydata.pkey;
-	EVP_PKEY *pkey2 = key2->keydata.pkey;
-	EC_KEY *eckey1 = NULL;
-	EC_KEY *eckey2 = NULL;
-	const BIGNUM *priv1, *priv2;
-
-	if (pkey1 == NULL && pkey2 == NULL) {
-		return (true);
-	} else if (pkey1 == NULL || pkey2 == NULL) {
-		return (false);
-	}
-
-	eckey1 = EVP_PKEY_get1_EC_KEY(pkey1);
-	eckey2 = EVP_PKEY_get1_EC_KEY(pkey2);
-	if (eckey1 == NULL && eckey2 == NULL) {
-		DST_RET(true);
-	} else if (eckey1 == NULL || eckey2 == NULL) {
-		DST_RET(false);
-	}
-
-	status = EVP_PKEY_cmp(pkey1, pkey2);
-	if (status != 1) {
-		DST_RET(false);
-	}
-
-	priv1 = EC_KEY_get0_private_key(eckey1);
-	priv2 = EC_KEY_get0_private_key(eckey2);
-	if (priv1 != NULL || priv2 != NULL) {
-		if (priv1 == NULL || priv2 == NULL) {
-			DST_RET(false);
-		}
-		if (BN_cmp(priv1, priv2) != 0) {
-			DST_RET(false);
-		}
-	}
-	ret = true;
-
-err:
-	if (eckey1 != NULL) {
-		EC_KEY_free(eckey1);
-	}
-	if (eckey2 != NULL) {
-		EC_KEY_free(eckey2);
-	}
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	int group_nid;
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-	UNUSED(unused);
-	UNUSED(callback);
-
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		group_nid = NID_X9_62_prime256v1;
-		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
-	} else {
-		group_nid = NID_secp384r1;
-		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
-	}
-
-	eckey = EC_KEY_new_by_curve_name(group_nid);
-	if (eckey == NULL) {
-		return (dst__openssl_toresult2("EC_KEY_new_by_curve_name",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	if (EC_KEY_generate_key(eckey) != 1) {
-		DST_RET(dst__openssl_toresult2("EC_KEY_generate_key",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL) {
-		DST_RET(ISC_R_NOMEMORY);
-	}
-	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
-		EVP_PKEY_free(pkey);
-		DST_RET(ISC_R_FAILURE);
-	}
-	key->keydata.pkey = pkey;
-	ret = ISC_R_SUCCESS;
-
-err:
-	EC_KEY_free(eckey);
-	return (ret);
-}
-
-static bool
-opensslecdsa_isprivate(const dst_key_t *key) {
-	bool ret;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(pkey);
-
-	ret = (eckey != NULL && EC_KEY_get0_private_key(eckey) != NULL);
-	if (eckey != NULL) {
-		EC_KEY_free(eckey);
-	}
-	return (ret);
-}
-
-static void
-opensslecdsa_destroy(dst_key_t *key) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-
-	EVP_PKEY_free(pkey);
-	key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-opensslecdsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	isc_region_t r;
-	int len;
-	unsigned char *cp;
-	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
-
-	REQUIRE(key->keydata.pkey != NULL);
-
-	pkey = key->keydata.pkey;
-	eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	if (eckey == NULL) {
-		return (dst__openssl_toresult(ISC_R_FAILURE));
-	}
-	len = i2o_ECPublicKey(eckey, NULL);
-	/* skip form */
-	len--;
-
-	isc_buffer_availableregion(data, &r);
-	if (r.length < (unsigned int)len) {
-		DST_RET(ISC_R_NOSPACE);
-	}
-	cp = buf;
-	if (!i2o_ECPublicKey(eckey, &cp)) {
-		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
-	}
-	memmove(r.base, buf + 1, len);
-	isc_buffer_add(data, len);
-	ret = ISC_R_SUCCESS;
-
-err:
-	EC_KEY_free(eckey);
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	isc_region_t r;
-	int group_nid;
-	unsigned int len;
-	const unsigned char *cp;
-	unsigned char buf[DNS_KEY_ECDSA384SIZE + 1];
-
-	REQUIRE(key->key_alg == DST_ALG_ECDSA256 ||
-		key->key_alg == DST_ALG_ECDSA384);
-
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		len = DNS_KEY_ECDSA256SIZE;
-		group_nid = NID_X9_62_prime256v1;
-	} else {
-		len = DNS_KEY_ECDSA384SIZE;
-		group_nid = NID_secp384r1;
-	}
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0) {
-		return (ISC_R_SUCCESS);
-	}
-	if (r.length < len) {
-		return (DST_R_INVALIDPUBLICKEY);
-	}
-
-	eckey = EC_KEY_new_by_curve_name(group_nid);
-	if (eckey == NULL) {
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-
-	buf[0] = POINT_CONVERSION_UNCOMPRESSED;
-	memmove(buf + 1, r.base, len);
-	cp = buf;
-	if (o2i_ECPublicKey(&eckey, (const unsigned char **)&cp,
-			    (long)len + 1) == NULL) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
-	}
-	if (EC_KEY_check_key(eckey) != 1) {
-		DST_RET(dst__openssl_toresult(DST_R_INVALIDPUBLICKEY));
-	}
-
-	pkey = EVP_PKEY_new();
-	if (pkey == NULL) {
-		DST_RET(ISC_R_NOMEMORY);
-	}
-	if (!EVP_PKEY_set1_EC_KEY(pkey, eckey)) {
-		EVP_PKEY_free(pkey);
-		DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
-	}
-
-	isc_buffer_forward(data, len);
-	key->keydata.pkey = pkey;
-	key->key_size = len * 4;
-	ret = ISC_R_SUCCESS;
-
-err:
-	if (eckey != NULL) {
-		EC_KEY_free(eckey);
-	}
-	return (ret);
-}
-
-static isc_result_t
-opensslecdsa_tofile(const dst_key_t *key, const char *directory) {
-	isc_result_t ret;
-	EVP_PKEY *pkey;
-	EC_KEY *eckey = NULL;
-	const BIGNUM *privkey;
-	dst_private_t priv;
-	unsigned char *buf = NULL;
-	unsigned short i;
-
-	if (key->keydata.pkey == NULL) {
-		return (DST_R_NULLKEY);
-	}
-
-	if (key->external) {
-		priv.nelements = 0;
-		return (dst__privstruct_writefile(key, &priv, directory));
-	}
-
-	pkey = key->keydata.pkey;
-	eckey = EVP_PKEY_get1_EC_KEY(pkey);
-	if (eckey == NULL) {
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	privkey = EC_KEY_get0_private_key(eckey);
-	if (privkey == NULL) {
-		ret = dst__openssl_toresult(DST_R_OPENSSLFAILURE);
-		goto err;
-	}
-
-	buf = isc_mem_get(key->mctx, BN_num_bytes(privkey));
-
-	i = 0;
-
-	priv.elements[i].tag = TAG_ECDSA_PRIVATEKEY;
-	priv.elements[i].length = BN_num_bytes(privkey);
-	BN_bn2bin(privkey, buf);
-	priv.elements[i].data = buf;
-	i++;
-
-	if (key->engine != NULL) {
-		priv.elements[i].tag = TAG_ECDSA_ENGINE;
-		priv.elements[i].length = (unsigned short)strlen(key->engine) +
-					  1;
-		priv.elements[i].data = (unsigned char *)key->engine;
-		i++;
-	}
-
-	if (key->label != NULL) {
-		priv.elements[i].tag = TAG_RSA_LABEL;
-		priv.elements[i].length = (unsigned short)strlen(key->label) +
-					  1;
-		priv.elements[i].data = (unsigned char *)key->label;
-		i++;
-	}
-
-	priv.nelements = i;
-	ret = dst__privstruct_writefile(key, &priv, directory);
-
-err:
-	EC_KEY_free(eckey);
-	if (buf != NULL) {
-		isc_mem_put(key->mctx, buf, BN_num_bytes(privkey));
-	}
-	return (ret);
-}
-
-static isc_result_t
-ecdsa_check(EC_KEY *eckey, EC_KEY *pubeckey) {
-	const EC_POINT *pubkey;
-
-	pubkey = EC_KEY_get0_public_key(pubeckey);
-	if (pubkey == NULL) {
-		return (ISC_R_SUCCESS);
-	}
-	if (EC_KEY_set_public_key(eckey, pubkey) != 1) {
-		return (ISC_R_SUCCESS);
-	}
-	if (EC_KEY_check_key(eckey) == 1) {
-		return (ISC_R_SUCCESS);
-	}
-
-	return (ISC_R_FAILURE);
-}
-
-static bool
-uses_engine(const dst_private_t *priv, const char **engine,
-	    const char **label) {
-	for (unsigned short i = 0; i < priv->nelements; i++) {
-		switch (priv->elements[i].tag) {
-		case TAG_ECDSA_ENGINE:
-			*engine = (char *)priv->elements[i].data;
-			break;
-		case TAG_ECDSA_LABEL:
-			*label = (char *)priv->elements[i].data;
-			break;
-		default:
-			break;
-		}
-	}
-	if (*label != NULL) {
-		return (true);
-	}
-
-	return (false);
-}
-
-static isc_result_t
-load_privkey_from_privstruct(EC_KEY *eckey, dst_private_t *priv) {
-	BIGNUM *privkey = BN_bin2bn(priv->elements[0].data,
-				    priv->elements[0].length, NULL);
-	isc_result_t result = ISC_R_SUCCESS;
-
-	if (privkey == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-
-	if (!EC_KEY_set_private_key(eckey, privkey)) {
-		result = ISC_R_NOMEMORY;
-	}
-
-	BN_clear_free(privkey);
-	return (result);
-}
-
-#if !defined(OPENSSL_NO_ENGINE)
-static isc_result_t
-load_pubkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
-	if (engine == NULL || label == NULL) {
-		return (DST_R_NOENGINE);
-	}
-
-	ENGINE *ep = dst__openssl_getengine(engine);
-	;
-	if (ep == NULL) {
-		return (DST_R_NOENGINE);
-	}
-
-	EVP_PKEY *pubkey = ENGINE_load_private_key(ep, label, NULL, NULL);
-	if (pubkey == NULL) {
-		return (dst__openssl_toresult2("ENGINE_load_public_key",
-					       ISC_R_NOTFOUND));
-	}
-
-	eckey = EVP_PKEY_get1_EC_KEY(pubkey);
-	EVP_PKEY_free(pubkey);
-
-	if (eckey == NULL) {
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
-	if (engine == NULL || label == NULL) {
-		return (DST_R_NOENGINE);
-	}
-
-	ENGINE *ep = dst__openssl_getengine(engine);
-	;
-	if (ep == NULL) {
-		return (DST_R_NOENGINE);
-	}
-
-	EVP_PKEY *privkey = ENGINE_load_private_key(ep, label, NULL, NULL);
-	if (privkey == NULL) {
-		return (dst__openssl_toresult2("ENGINE_load_private_key",
-					       ISC_R_NOTFOUND));
-	}
-
-	eckey = EVP_PKEY_get1_EC_KEY(privkey);
-	EVP_PKEY_free(privkey);
-
-	if (eckey == NULL) {
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-
-	return (ISC_R_SUCCESS);
-}
-#else
-static isc_result_t
-load_pubkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
-	UNUSED(eckey);
-	UNUSED(engine);
-	UNUSED(label);
-
-	return (DST_R_NOENGINE);
-}
-
-static isc_result_t
-load_privkey_from_engine(EC_KEY *eckey, const char *engine, const char *label) {
-	UNUSED(eckey);
-	UNUSED(engine);
-	UNUSED(label);
-
-	return (DST_R_NOENGINE);
-}
-#endif
-
-static isc_result_t
-load_privkey(EC_KEY *eckey, dst_private_t *priv, const char **engine,
-	     const char **label) {
-	if (uses_engine(priv, engine, label)) {
-		return (load_privkey_from_engine(eckey, *engine, *label));
-	} else {
-		return (load_privkey_from_privstruct(eckey, priv));
-	}
-}
-
-static isc_result_t
-eckey_to_pkey(EC_KEY *eckey, EVP_PKEY **pkey) {
-	REQUIRE(pkey != NULL && *pkey == NULL);
-
-	*pkey = EVP_PKEY_new();
-	if (*pkey == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-	if (!EVP_PKEY_set1_EC_KEY(*pkey, eckey)) {
-		EVP_PKEY_free(*pkey);
-		*pkey = NULL;
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-finalize_eckey(dst_key_t *key, EC_KEY *eckey, const char *engine,
-	       const char *label) {
-	isc_result_t result = ISC_R_SUCCESS;
-	EVP_PKEY *pkey = NULL;
-
-	result = eckey_to_pkey(eckey, &pkey);
-	if (result != ISC_R_SUCCESS) {
-		return (result);
-	}
-
-	key->keydata.pkey = pkey;
-
-	if (label != NULL) {
-		key->label = isc_mem_strdup(key->mctx, label);
-		key->engine = isc_mem_strdup(key->mctx, engine);
-	}
-
-	if (key->key_alg == DST_ALG_ECDSA256) {
-		key->key_size = DNS_KEY_ECDSA256SIZE * 4;
-	} else {
-		key->key_size = DNS_KEY_ECDSA384SIZE * 4;
-	}
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-dst__key_to_eckey(dst_key_t *key, EC_KEY **eckey) {
-	REQUIRE(eckey != NULL && *eckey == NULL);
-
-	int group_nid;
-	switch (key->key_alg) {
-	case DST_ALG_ECDSA256:
-		group_nid = NID_X9_62_prime256v1;
-		break;
-	case DST_ALG_ECDSA384:
-		group_nid = NID_secp384r1;
-		break;
-	default:
-		INSIST(0);
-		ISC_UNREACHABLE();
-	}
-	*eckey = EC_KEY_new_by_curve_name(group_nid);
-	if (*eckey == NULL) {
-		return (dst__openssl_toresult(DST_R_OPENSSLFAILURE));
-	}
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-opensslecdsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t result = ISC_R_SUCCESS;
-	EC_KEY *eckey = NULL;
-	EC_KEY *pubeckey = NULL;
-	const char *engine = NULL;
-	const char *label = NULL;
-
-	/* read private key file */
-	result = dst__privstruct_parse(key, DST_ALG_ECDSA256, lexer, key->mctx,
-				       &priv);
-	if (result != ISC_R_SUCCESS) {
-		goto end;
-	}
-
-	if (key->external) {
-		if (priv.nelements != 0 || pub == NULL) {
-			result = DST_R_INVALIDPRIVATEKEY;
-			goto end;
-		}
-		key->keydata.pkey = pub->keydata.pkey;
-		pub->keydata.pkey = NULL;
-		goto end;
-	}
-
-	if (pub != NULL && pub->keydata.pkey != NULL) {
-		pubeckey = EVP_PKEY_get1_EC_KEY(pub->keydata.pkey);
-	}
-
-	result = dst__key_to_eckey(key, &eckey);
-	if (result != ISC_R_SUCCESS) {
-		goto end;
-	}
-
-	result = load_privkey(eckey, &priv, &engine, &label);
-	if (result != ISC_R_SUCCESS) {
-		goto end;
-	}
-
-	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
-		result = DST_R_INVALIDPRIVATEKEY;
-		goto end;
-	}
-
-	result = finalize_eckey(key, eckey, engine, label);
-
-end:
-	if (pubeckey != NULL) {
-		EC_KEY_free(pubeckey);
-	}
-	if (eckey != NULL) {
-		EC_KEY_free(eckey);
-	}
-	dst__privstruct_free(&priv, key->mctx);
-	isc_safe_memwipe(&priv, sizeof(priv));
-	return (result);
-}
-
-static isc_result_t
-opensslecdsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
-		       const char *pin) {
-#if !defined(OPENSSL_NO_ENGINE)
-	isc_result_t result = ISC_R_SUCCESS;
-	EC_KEY *eckey = NULL;
-	EC_KEY *pubeckey = NULL;
-
-	UNUSED(pin);
-
-	result = dst__key_to_eckey(key, &eckey);
-	if (result != ISC_R_SUCCESS) {
-		goto end;
-	}
-
-	result = dst__key_to_eckey(key, &pubeckey);
-	if (result != ISC_R_SUCCESS) {
-		goto end;
-	}
-
-	result = load_pubkey_from_engine(pubeckey, engine, label);
-	if (result != ISC_R_SUCCESS) {
-		goto end;
-	}
-
-	result = load_privkey_from_engine(eckey, engine, label);
-	if (result != ISC_R_SUCCESS) {
-		return (result);
-	}
-
-	if (ecdsa_check(eckey, pubeckey) != ISC_R_SUCCESS) {
-		result = DST_R_INVALIDPRIVATEKEY;
-		goto end;
-	}
-
-	result = finalize_eckey(key, eckey, engine, label);
-
-end:
-	if (pubeckey != NULL) {
-		EC_KEY_free(pubeckey);
-	}
-	if (eckey != NULL) {
-		EC_KEY_free(eckey);
-	}
-
-	return (result);
-#else
-	UNUSED(key);
-	UNUSED(engine);
-	UNUSED(label);
-	UNUSED(pin);
-	return (DST_R_NOENGINE);
-#endif
-}
-
-static dst_func_t opensslecdsa_functions = {
-	opensslecdsa_createctx,
-	NULL, /*%< createctx2 */
-	opensslecdsa_destroyctx,
-	opensslecdsa_adddata,
-	opensslecdsa_sign,
-	opensslecdsa_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	opensslecdsa_compare,
-	NULL, /*%< paramcompare */
-	opensslecdsa_generate,
-	opensslecdsa_isprivate,
-	opensslecdsa_destroy,
-	opensslecdsa_todns,
-	opensslecdsa_fromdns,
-	opensslecdsa_tofile,
-	opensslecdsa_parse,
-	NULL,			/*%< cleanup */
-	opensslecdsa_fromlabel, /*%< fromlabel */
-	NULL,			/*%< dump */
-	NULL,			/*%< restore */
-};
-
-isc_result_t
-dst__opensslecdsa_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL) {
-		*funcp = &opensslecdsa_functions;
-	}
-	return (ISC_R_SUCCESS);
-}

lib/dns/openssleddsa_link.c

@@ -1,696 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-/*! \file */
-
-#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
-
-#include <stdbool.h>
-
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/x509.h>
-#if !defined(OPENSSL_NO_ENGINE)
-#include <openssl/engine.h>
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
-
-#include <isc/mem.h>
-#include <isc/result.h>
-#include <isc/safe.h>
-#include <isc/string.h>
-#include <isc/util.h>
-
-#include <dns/keyvalues.h>
-
-#include <dst/result.h>
-
-#include "dst_internal.h"
-#include "dst_openssl.h"
-#include "dst_parse.h"
-
-#define DST_RET(a)        \
-	{                 \
-		ret = a;  \
-		goto err; \
-	}
-
-#if HAVE_OPENSSL_ED25519
-#ifndef NID_ED25519
-#error "Ed25519 group is not known (NID_ED25519)"
-#endif /* ifndef NID_ED25519 */
-#endif /* HAVE_OPENSSL_ED25519 */
-
-#if HAVE_OPENSSL_ED448
-#ifndef NID_ED448
-#error "Ed448 group is not known (NID_ED448)"
-#endif /* ifndef NID_ED448 */
-#endif /* HAVE_OPENSSL_ED448 */
-
-static isc_result_t
-raw_key_to_ossl(unsigned int key_alg, int private, const unsigned char *key,
-		size_t *key_len, EVP_PKEY **pkey) {
-	isc_result_t ret;
-	int pkey_type = EVP_PKEY_NONE;
-	size_t len = 0;
-
-#if HAVE_OPENSSL_ED25519
-	if (key_alg == DST_ALG_ED25519) {
-		pkey_type = EVP_PKEY_ED25519;
-		len = DNS_KEY_ED25519SIZE;
-	}
-#endif /* HAVE_OPENSSL_ED25519 */
-#if HAVE_OPENSSL_ED448
-	if (key_alg == DST_ALG_ED448) {
-		pkey_type = EVP_PKEY_ED448;
-		len = DNS_KEY_ED448SIZE;
-	}
-#endif /* HAVE_OPENSSL_ED448 */
-	if (pkey_type == EVP_PKEY_NONE) {
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-
-	ret = (private ? DST_R_INVALIDPRIVATEKEY : DST_R_INVALIDPUBLICKEY);
-	if (*key_len < len) {
-		return (ret);
-	}
-
-	if (private) {
-		*pkey = EVP_PKEY_new_raw_private_key(pkey_type, NULL, key, len);
-	} else {
-		*pkey = EVP_PKEY_new_raw_public_key(pkey_type, NULL, key, len);
-	}
-	if (*pkey == NULL) {
-		return (dst__openssl_toresult(ret));
-	}
-
-	*key_len = len;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
-		       const char *pin);
-
-static isc_result_t
-openssleddsa_createctx(dst_key_t *key, dst_context_t *dctx) {
-	isc_buffer_t *buf = NULL;
-
-	UNUSED(key);
-	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
-		dctx->key->key_alg == DST_ALG_ED448);
-
-	isc_buffer_allocate(dctx->mctx, &buf, 64);
-	dctx->ctxdata.generic = buf;
-
-	return (ISC_R_SUCCESS);
-}
-
-static void
-openssleddsa_destroyctx(dst_context_t *dctx) {
-	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
-		dctx->key->key_alg == DST_ALG_ED448);
-	if (buf != NULL) {
-		isc_buffer_free(&buf);
-	}
-	dctx->ctxdata.generic = NULL;
-}
-
-static isc_result_t
-openssleddsa_adddata(dst_context_t *dctx, const isc_region_t *data) {
-	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
-	isc_buffer_t *nbuf = NULL;
-	isc_region_t r;
-	unsigned int length;
-	isc_result_t result;
-
-	REQUIRE(dctx->key->key_alg == DST_ALG_ED25519 ||
-		dctx->key->key_alg == DST_ALG_ED448);
-
-	result = isc_buffer_copyregion(buf, data);
-	if (result == ISC_R_SUCCESS) {
-		return (ISC_R_SUCCESS);
-	}
-
-	length = isc_buffer_length(buf) + data->length + 64;
-	isc_buffer_allocate(dctx->mctx, &nbuf, length);
-	isc_buffer_usedregion(buf, &r);
-	(void)isc_buffer_copyregion(nbuf, &r);
-	(void)isc_buffer_copyregion(nbuf, data);
-	isc_buffer_free(&buf);
-	dctx->ctxdata.generic = nbuf;
-
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssleddsa_sign(dst_context_t *dctx, isc_buffer_t *sig) {
-	isc_result_t ret;
-	dst_key_t *key = dctx->key;
-	isc_region_t tbsreg;
-	isc_region_t sigreg;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
-	size_t siglen;
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-	if (ctx == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-
-	if (key->key_alg == DST_ALG_ED25519) {
-		siglen = DNS_SIG_ED25519SIZE;
-	} else {
-		siglen = DNS_SIG_ED448SIZE;
-	}
-
-	isc_buffer_availableregion(sig, &sigreg);
-	if (sigreg.length < (unsigned int)siglen) {
-		DST_RET(ISC_R_NOSPACE);
-	}
-
-	isc_buffer_usedregion(buf, &tbsreg);
-
-	if (EVP_DigestSignInit(ctx, NULL, NULL, NULL, pkey) != 1) {
-		DST_RET(dst__openssl_toresult3(
-			dctx->category, "EVP_DigestSignInit", ISC_R_FAILURE));
-	}
-	if (EVP_DigestSign(ctx, sigreg.base, &siglen, tbsreg.base,
-			   tbsreg.length) != 1) {
-		DST_RET(dst__openssl_toresult3(dctx->category, "EVP_DigestSign",
-					       DST_R_SIGNFAILURE));
-	}
-	isc_buffer_add(sig, (unsigned int)siglen);
-	ret = ISC_R_SUCCESS;
-
-err:
-	EVP_MD_CTX_free(ctx);
-	isc_buffer_free(&buf);
-	dctx->ctxdata.generic = NULL;
-
-	return (ret);
-}
-
-static isc_result_t
-openssleddsa_verify(dst_context_t *dctx, const isc_region_t *sig) {
-	isc_result_t ret;
-	dst_key_t *key = dctx->key;
-	int status;
-	isc_region_t tbsreg;
-	EVP_PKEY *pkey = key->keydata.pkey;
-	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
-	isc_buffer_t *buf = (isc_buffer_t *)dctx->ctxdata.generic;
-	unsigned int siglen = 0;
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-	if (ctx == NULL) {
-		return (ISC_R_NOMEMORY);
-	}
-
-#if HAVE_OPENSSL_ED25519
-	if (key->key_alg == DST_ALG_ED25519) {
-		siglen = DNS_SIG_ED25519SIZE;
-	}
-#endif /* if HAVE_OPENSSL_ED25519 */
-#if HAVE_OPENSSL_ED448
-	if (key->key_alg == DST_ALG_ED448) {
-		siglen = DNS_SIG_ED448SIZE;
-	}
-#endif /* if HAVE_OPENSSL_ED448 */
-	if (siglen == 0) {
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-
-	if (sig->length != siglen) {
-		return (DST_R_VERIFYFAILURE);
-	}
-
-	isc_buffer_usedregion(buf, &tbsreg);
-
-	if (EVP_DigestVerifyInit(ctx, NULL, NULL, NULL, pkey) != 1) {
-		DST_RET(dst__openssl_toresult3(
-			dctx->category, "EVP_DigestVerifyInit", ISC_R_FAILURE));
-	}
-
-	status = EVP_DigestVerify(ctx, sig->base, siglen, tbsreg.base,
-				  tbsreg.length);
-
-	switch (status) {
-	case 1:
-		ret = ISC_R_SUCCESS;
-		break;
-	case 0:
-		ret = dst__openssl_toresult(DST_R_VERIFYFAILURE);
-		break;
-	default:
-		ret = dst__openssl_toresult3(dctx->category, "EVP_DigestVerify",
-					     DST_R_VERIFYFAILURE);
-		break;
-	}
-
-err:
-	EVP_MD_CTX_free(ctx);
-	isc_buffer_free(&buf);
-	dctx->ctxdata.generic = NULL;
-
-	return (ret);
-}
-
-static bool
-openssleddsa_compare(const dst_key_t *key1, const dst_key_t *key2) {
-	int status;
-	EVP_PKEY *pkey1 = key1->keydata.pkey;
-	EVP_PKEY *pkey2 = key2->keydata.pkey;
-
-	if (pkey1 == NULL && pkey2 == NULL) {
-		return (true);
-	} else if (pkey1 == NULL || pkey2 == NULL) {
-		return (false);
-	}
-
-	status = EVP_PKEY_cmp(pkey1, pkey2);
-	if (status == 1) {
-		return (true);
-	}
-	return (false);
-}
-
-static isc_result_t
-openssleddsa_generate(dst_key_t *key, int unused, void (*callback)(int)) {
-	isc_result_t ret;
-	EVP_PKEY *pkey = NULL;
-	EVP_PKEY_CTX *ctx = NULL;
-	int nid = 0, status;
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-	UNUSED(unused);
-	UNUSED(callback);
-
-#if HAVE_OPENSSL_ED25519
-	if (key->key_alg == DST_ALG_ED25519) {
-		nid = NID_ED25519;
-		key->key_size = DNS_KEY_ED25519SIZE * 8;
-	}
-#endif /* if HAVE_OPENSSL_ED25519 */
-#if HAVE_OPENSSL_ED448
-	if (key->key_alg == DST_ALG_ED448) {
-		nid = NID_ED448;
-		key->key_size = DNS_KEY_ED448SIZE * 8;
-	}
-#endif /* if HAVE_OPENSSL_ED448 */
-	if (nid == 0) {
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-
-	ctx = EVP_PKEY_CTX_new_id(nid, NULL);
-	if (ctx == NULL) {
-		return (dst__openssl_toresult2("EVP_PKEY_CTX_new_id",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	status = EVP_PKEY_keygen_init(ctx);
-	if (status != 1) {
-		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen_init",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	status = EVP_PKEY_keygen(ctx, &pkey);
-	if (status != 1) {
-		DST_RET(dst__openssl_toresult2("EVP_PKEY_keygen",
-					       DST_R_OPENSSLFAILURE));
-	}
-
-	key->keydata.pkey = pkey;
-	ret = ISC_R_SUCCESS;
-
-err:
-	EVP_PKEY_CTX_free(ctx);
-	return (ret);
-}
-
-static bool
-openssleddsa_isprivate(const dst_key_t *key) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-	size_t len;
-
-	if (pkey == NULL) {
-		return (false);
-	}
-
-	if (EVP_PKEY_get_raw_private_key(pkey, NULL, &len) == 1 && len > 0) {
-		return (true);
-	}
-	/* can check if first error is EC_R_INVALID_PRIVATE_KEY */
-	while (ERR_get_error() != 0) {
-		/**/
-	}
-
-	return (false);
-}
-
-static void
-openssleddsa_destroy(dst_key_t *key) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-
-	EVP_PKEY_free(pkey);
-	key->keydata.pkey = NULL;
-}
-
-static isc_result_t
-openssleddsa_todns(const dst_key_t *key, isc_buffer_t *data) {
-	EVP_PKEY *pkey = key->keydata.pkey;
-	isc_region_t r;
-	size_t len;
-
-	REQUIRE(pkey != NULL);
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-	if (key->key_alg == DST_ALG_ED25519) {
-		len = DNS_KEY_ED25519SIZE;
-	} else {
-		len = DNS_KEY_ED448SIZE;
-	}
-
-	isc_buffer_availableregion(data, &r);
-	if (r.length < len) {
-		return (ISC_R_NOSPACE);
-	}
-
-	if (EVP_PKEY_get_raw_public_key(pkey, r.base, &len) != 1)
-		return (dst__openssl_toresult(ISC_R_FAILURE));
-
-	isc_buffer_add(data, len);
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssleddsa_fromdns(dst_key_t *key, isc_buffer_t *data) {
-	isc_result_t ret;
-	isc_region_t r;
-	size_t len;
-	EVP_PKEY *pkey;
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-	isc_buffer_remainingregion(data, &r);
-	if (r.length == 0) {
-		return (ISC_R_SUCCESS);
-	}
-
-	len = r.length;
-	ret = raw_key_to_ossl(key->key_alg, 0, r.base, &len, &pkey);
-	if (ret != ISC_R_SUCCESS)
-		return ret;
-
-	isc_buffer_forward(data, len);
-	key->keydata.pkey = pkey;
-	key->key_size = len * 8;
-	return (ISC_R_SUCCESS);
-}
-
-static isc_result_t
-openssleddsa_tofile(const dst_key_t *key, const char *directory) {
-	isc_result_t ret;
-	dst_private_t priv;
-	unsigned char *buf = NULL;
-	size_t len;
-	int i;
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-	if (key->keydata.pkey == NULL) {
-		return (DST_R_NULLKEY);
-	}
-
-	if (key->external) {
-		priv.nelements = 0;
-		return (dst__privstruct_writefile(key, &priv, directory));
-	}
-
-	i = 0;
-
-	if (openssleddsa_isprivate(key)) {
-		if (key->key_alg == DST_ALG_ED25519) {
-			len = DNS_KEY_ED25519SIZE;
-		} else {
-			len = DNS_KEY_ED448SIZE;
-		}
-		buf = isc_mem_get(key->mctx, len);
-		if (EVP_PKEY_get_raw_private_key(key->keydata.pkey, buf,
-						 &len) != 1)
-			DST_RET(dst__openssl_toresult(ISC_R_FAILURE));
-		priv.elements[i].tag = TAG_EDDSA_PRIVATEKEY;
-		priv.elements[i].length = len;
-		priv.elements[i].data = buf;
-		i++;
-	}
-	if (key->engine != NULL) {
-		priv.elements[i].tag = TAG_EDDSA_ENGINE;
-		priv.elements[i].length = (unsigned short)strlen(key->engine) +
-					  1;
-		priv.elements[i].data = (unsigned char *)key->engine;
-		i++;
-	}
-	if (key->label != NULL) {
-		priv.elements[i].tag = TAG_EDDSA_LABEL;
-		priv.elements[i].length = (unsigned short)strlen(key->label) +
-					  1;
-		priv.elements[i].data = (unsigned char *)key->label;
-		i++;
-	}
-
-	priv.nelements = i;
-	ret = dst__privstruct_writefile(key, &priv, directory);
-
-err:
-	if (buf != NULL) {
-		isc_mem_put(key->mctx, buf, len);
-	}
-	return (ret);
-}
-
-static isc_result_t
-eddsa_check(EVP_PKEY *pkey, EVP_PKEY *pubpkey) {
-	if (pubpkey == NULL) {
-		return (ISC_R_SUCCESS);
-	}
-	if (EVP_PKEY_cmp(pkey, pubpkey) == 1) {
-		return (ISC_R_SUCCESS);
-	}
-	return (ISC_R_FAILURE);
-}
-
-static isc_result_t
-openssleddsa_parse(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub) {
-	dst_private_t priv;
-	isc_result_t ret;
-	int i, privkey_index = -1;
-	const char *engine = NULL, *label = NULL;
-	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
-	size_t len;
-	isc_mem_t *mctx = key->mctx;
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-	/* read private key file */
-	ret = dst__privstruct_parse(key, DST_ALG_ED25519, lexer, mctx, &priv);
-	if (ret != ISC_R_SUCCESS) {
-		goto err;
-	}
-
-	if (key->external) {
-		if (priv.nelements != 0) {
-			DST_RET(DST_R_INVALIDPRIVATEKEY);
-		}
-		if (pub == NULL) {
-			DST_RET(DST_R_INVALIDPRIVATEKEY);
-		}
-		key->keydata.pkey = pub->keydata.pkey;
-		pub->keydata.pkey = NULL;
-		dst__privstruct_free(&priv, mctx);
-		isc_safe_memwipe(&priv, sizeof(priv));
-		return (ISC_R_SUCCESS);
-	}
-
-	if (pub != NULL) {
-		pubpkey = pub->keydata.pkey;
-	}
-
-	for (i = 0; i < priv.nelements; i++) {
-		switch (priv.elements[i].tag) {
-		case TAG_EDDSA_ENGINE:
-			engine = (char *)priv.elements[i].data;
-			break;
-		case TAG_EDDSA_LABEL:
-			label = (char *)priv.elements[i].data;
-			break;
-		case TAG_EDDSA_PRIVATEKEY:
-			privkey_index = i;
-			break;
-		default:
-			break;
-		}
-	}
-
-	if (label != NULL) {
-		ret = openssleddsa_fromlabel(key, engine, label, NULL);
-		if (ret != ISC_R_SUCCESS) {
-			goto err;
-		}
-		if (eddsa_check(key->keydata.pkey, pubpkey) != ISC_R_SUCCESS) {
-			DST_RET(DST_R_INVALIDPRIVATEKEY);
-		}
-		DST_RET(ISC_R_SUCCESS);
-	}
-
-	if (privkey_index < 0) {
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-
-	len = priv.elements[privkey_index].length;
-	ret = raw_key_to_ossl(key->key_alg, 1,
-			      priv.elements[privkey_index].data, &len, &pkey);
-	if (ret != ISC_R_SUCCESS) {
-		goto err;
-	}
-	if (eddsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
-		EVP_PKEY_free(pkey);
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-	key->keydata.pkey = pkey;
-	key->key_size = len * 8;
-	ret = ISC_R_SUCCESS;
-
-err:
-	dst__privstruct_free(&priv, mctx);
-	isc_safe_memwipe(&priv, sizeof(priv));
-	return (ret);
-}
-
-static isc_result_t
-openssleddsa_fromlabel(dst_key_t *key, const char *engine, const char *label,
-		       const char *pin) {
-#if !defined(OPENSSL_NO_ENGINE)
-	isc_result_t ret;
-	ENGINE *e;
-	EVP_PKEY *pkey = NULL, *pubpkey = NULL;
-	int baseid = EVP_PKEY_NONE;
-
-	UNUSED(pin);
-
-	REQUIRE(key->key_alg == DST_ALG_ED25519 ||
-		key->key_alg == DST_ALG_ED448);
-
-#if HAVE_OPENSSL_ED25519
-	if (key->key_alg == DST_ALG_ED25519) {
-		baseid = EVP_PKEY_ED25519;
-	}
-#endif /* if HAVE_OPENSSL_ED25519 */
-#if HAVE_OPENSSL_ED448
-	if (key->key_alg == DST_ALG_ED448) {
-		baseid = EVP_PKEY_ED448;
-	}
-#endif /* if HAVE_OPENSSL_ED448 */
-	if (baseid == EVP_PKEY_NONE) {
-		return (ISC_R_NOTIMPLEMENTED);
-	}
-
-	if (engine == NULL) {
-		return (DST_R_NOENGINE);
-	}
-	e = dst__openssl_getengine(engine);
-	if (e == NULL) {
-		return (DST_R_NOENGINE);
-	}
-	pkey = ENGINE_load_private_key(e, label, NULL, NULL);
-	if (pkey == NULL) {
-		return (dst__openssl_toresult2("ENGINE_load_private_key",
-					       ISC_R_NOTFOUND));
-	}
-	if (EVP_PKEY_base_id(pkey) != baseid) {
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-
-	pubpkey = ENGINE_load_public_key(e, label, NULL, NULL);
-	if (eddsa_check(pkey, pubpkey) != ISC_R_SUCCESS) {
-		DST_RET(DST_R_INVALIDPRIVATEKEY);
-	}
-
-	key->engine = isc_mem_strdup(key->mctx, engine);
-	key->label = isc_mem_strdup(key->mctx, label);
-	key->key_size = EVP_PKEY_bits(pkey);
-	key->keydata.pkey = pkey;
-	pkey = NULL;
-	ret = ISC_R_SUCCESS;
-
-err:
-	if (pubpkey != NULL) {
-		EVP_PKEY_free(pubpkey);
-	}
-	if (pkey != NULL) {
-		EVP_PKEY_free(pkey);
-	}
-	return (ret);
-#else  /* if !defined(OPENSSL_NO_ENGINE) */
-	UNUSED(key);
-	UNUSED(engine);
-	UNUSED(label);
-	UNUSED(pin);
-	return (DST_R_NOENGINE);
-#endif /* if !defined(OPENSSL_NO_ENGINE) */
-}
-
-static dst_func_t openssleddsa_functions = {
-	openssleddsa_createctx,
-	NULL, /*%< createctx2 */
-	openssleddsa_destroyctx,
-	openssleddsa_adddata,
-	openssleddsa_sign,
-	openssleddsa_verify,
-	NULL, /*%< verify2 */
-	NULL, /*%< computesecret */
-	openssleddsa_compare,
-	NULL, /*%< paramcompare */
-	openssleddsa_generate,
-	openssleddsa_isprivate,
-	openssleddsa_destroy,
-	openssleddsa_todns,
-	openssleddsa_fromdns,
-	openssleddsa_tofile,
-	openssleddsa_parse,
-	NULL, /*%< cleanup */
-	openssleddsa_fromlabel,
-	NULL, /*%< dump */
-	NULL, /*%< restore */
-};
-
-isc_result_t
-dst__openssleddsa_init(dst_func_t **funcp) {
-	REQUIRE(funcp != NULL);
-	if (*funcp == NULL) {
-		*funcp = &openssleddsa_functions;
-	}
-	return (ISC_R_SUCCESS);
-}
-
-#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */

lib/dns/win32/libdns.vcxproj.filters.in

@@ -298,10 +298,7 @@
     <ClCompile Include="..\openssldh_link.c">
       <Filter>Dst Source Files</Filter>
     </ClCompile>
-    <ClCompile Include="..\opensslecdsa_link.c">
-      <Filter>Dst Source Files</Filter>
-    </ClCompile>
-    <ClCompile Include="..\openssleddsa_link.c">
+    <ClCompile Include="..\opensslec_link.c">
       <Filter>Dst Source Files</Filter>
     </ClCompile>
     <ClCompile Include="..\opensslrsa_link.c">

lib/dns/win32/libdns.vcxproj.in

@@ -171,8 +171,7 @@
     <ClCompile Include="..\nsec3.c" />
     <ClCompile Include="..\nta.c" />
     <ClCompile Include="..\openssldh_link.c" />
-    <ClCompile Include="..\opensslecdsa_link.c" />
-    <ClCompile Include="..\openssleddsa_link.c" />
+    <ClCompile Include="..\opensslec_link.c" />
     <ClCompile Include="..\opensslrsa_link.c" />
     <ClCompile Include="..\openssl_link.c" />
     <ClCompile Include="..\order.c" />

util/copyrights

@@ -1428,8 +1428,7 @@
 ./lib/dns/nta.c					C	2014,2015,2016,2017,2018,2019,2020
 ./lib/dns/openssl_link.c			C.NAI	1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2012,2014,2015,2016,2017,2018,2019,2020
 ./lib/dns/openssldh_link.c			C.NAI	1999,2000,2001,2002,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/opensslecdsa_link.c			C	2012,2013,2014,2015,2016,2017,2018,2019,2020
-./lib/dns/openssleddsa_link.c			C	2017,2018,2019,2020
+./lib/dns/opensslec_link.c			C	2020
 ./lib/dns/opensslrsa_link.c			C	2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019,2020
 ./lib/dns/order.c				C	2002,2004,2005,2007,2015,2016,2017,2018,2019,2020
 ./lib/dns/peer.c				C	2000,2001,2003,2004,2005,2006,2007,2008,2009,2012,2013,2014,2015,2016,2017,2018,2019,2020