Commit 1fce0951 authored by Mark Andrews's avatar Mark Andrews

4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]

parent c970f162
4497. [port] Add support for OpenSSL 1.1.0. [RT #41284]
4496. [func] dig: add +idnout to control whether labels are
display in punycode or not. Requires idn support
to be enabled at compile time. [RT #43398]
......
......@@ -322,7 +322,7 @@ Building
systems.
For the server to support DNSSEC, you need to build it
with crypto support. You must have OpenSSL 0.9.5a
with crypto support. You must have OpenSSL 1.0.1t
or newer installed and specify "--with-openssl" on the
configure command line. If OpenSSL is installed under
a nonstandard prefix, you can tell configure where to
......
......@@ -688,8 +688,14 @@ parse_command_line(int argc, char *argv[]) {
#ifdef OPENSSL
printf("compiled with OpenSSL version: %s\n",
OPENSSL_VERSION_TEXT);
#if OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
printf("linked to OpenSSL version: %s\n",
OpenSSL_version(OPENSSL_VERSION));
#else
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
#endif
#ifdef HAVE_LIBXML2
printf("compiled with libxml2 version: %s\n",
......
......@@ -910,9 +910,42 @@ t2_sigchk(char *datapath, char *sigpath, char *keyname,
* signed at some earlier time, possibly with an entire different
* version or implementation of the DSA and RSA algorithms
*/
static const char *a2 =
"the dst module provides the capability to "
"verify data signed with the RSA and DSA algorithms";
isc_mem_t *t2_mctx = NULL;
isc_entropy_t *t2_ectx = NULL;
static int
t2_vfy_init(void) {
isc_result_t isc_result;
t2_mctx = NULL;
isc_result = isc_mem_create(0, 0, &t2_mctx);
if (isc_result != ISC_R_SUCCESS) {
t_info("isc_mem_create failed %s\n",
isc_result_totext(isc_result));
return(0);
}
t2_ectx = NULL;
isc_result = isc_entropy_create(t2_mctx, &t2_ectx);
if (isc_result != ISC_R_SUCCESS) {
t_info("isc_entropy_create failed %s\n",
isc_result_totext(isc_result));
return(0);
}
isc_result = isc_entropy_createfilesource(t2_ectx, "randomfile");
if (isc_result != ISC_R_SUCCESS) {
t_info("isc_entropy_create failed %s\n",
isc_result_totext(isc_result));
return(0);
}
isc_result = dst_lib_init(t2_mctx, t2_ectx, ISC_ENTROPY_BLOCKING);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_lib_init failed %s\n",
isc_result_totext(isc_result));
return(0);
}
return(1);
}
/*
* av == datafile, sigpath, keyname, keyid, alg, exp_result.
......@@ -929,9 +962,6 @@ t2_vfy(char **av) {
char *exp_result;
int nfails;
int nprobs;
isc_mem_t *mctx;
isc_entropy_t *ectx;
isc_result_t isc_result;
int result;
datapath = *av++;
......@@ -953,33 +983,6 @@ t2_vfy(char **av) {
return(T_UNRESOLVED);
}
mctx = NULL;
isc_result = isc_mem_create(0, 0, &mctx);
if (isc_result != ISC_R_SUCCESS) {
t_info("isc_mem_create failed %s\n",
isc_result_totext(isc_result));
return(T_UNRESOLVED);
}
ectx = NULL;
isc_result = isc_entropy_create(mctx, &ectx);
if (isc_result != ISC_R_SUCCESS) {
t_info("isc_entropy_create failed %s\n",
isc_result_totext(isc_result));
return(T_UNRESOLVED);
}
isc_result = isc_entropy_createfilesource(ectx, "randomfile");
if (isc_result != ISC_R_SUCCESS) {
t_info("isc_entropy_create failed %s\n",
isc_result_totext(isc_result));
return(T_UNRESOLVED);
}
isc_result = dst_lib_init(mctx, ectx, ISC_ENTROPY_BLOCKING);
if (isc_result != ISC_R_SUCCESS) {
t_info("dst_lib_init failed %s\n",
isc_result_totext(isc_result));
return(T_UNRESOLVED);
}
if (!dst_algorithm_supported(DST_ALG_RSAMD5)) {
dst_lib_destroy();
t_info("library built without crypto support\n");
......@@ -990,15 +993,9 @@ t2_vfy(char **av) {
datapath, sigpath, keyname, key, alg, exp_result);
t2_sigchk(datapath, sigpath, keyname, keyid,
algid, DST_TYPE_PRIVATE|DST_TYPE_PUBLIC,
mctx, exp_result,
t2_mctx, exp_result,
&nfails, &nprobs);
dst_lib_destroy();
isc_entropy_detach(&ectx);
isc_mem_destroy(&mctx);
result = T_UNRESOLVED;
if (nfails)
result = T_FAIL;
......@@ -1008,11 +1005,24 @@ t2_vfy(char **av) {
return(result);
}
static const char *a2 =
"the dst module provides the capability to "
"verify data signed with the RSA and DSA algorithms";
static void
t2(void) {
int result;
t_assert("dst", 2, T_REQUIRED, "%s", a2);
result = t_eval("dst_2_data", t2_vfy, 6);
if (!t2_vfy_init()) {
result = T_UNRESOLVED;
} else {
result = t_eval("dst_2_data", t2_vfy, 6);
dst_lib_destroy();
}
if (t2_ectx)
isc_entropy_detach(&t2_ectx);
if (t2_mctx)
isc_mem_destroy(&t2_mctx);
t_result(result);
}
......
......@@ -15916,8 +15916,8 @@ $as_echo "using OpenSSL from $use_openssl/lib and $use_openssl/include" >&6; }
saved_cc="$CC"
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
CFLAGS="$CFLAGS $DST_OPENSSL_INC"
LIBS="$LIBS $DST_OPENSSL_LIBS"
CFLAGS="$DST_OPENSSL_INC $CFLAGS"
LIBS="$DST_OPENSSL_LIBS $LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether linking with OpenSSL works" >&5
$as_echo_n "checking whether linking with OpenSSL works... " >&6; }
if test "$cross_compiling" = yes; then :
......@@ -15955,13 +15955,24 @@ $as_echo_n "checking whether linking with OpenSSL requires -ldl... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
#include <openssl/crypto.h>
#else
#include <openssl/err.h>
#include <openssl/dso.h>
#endif
int
main ()
{
DSO_METHOD_dlfcn();
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
#else
DSO_METHOD_dlfcn();
#endif
;
return 0;
}
......@@ -15974,13 +15985,23 @@ else
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
#include <openssl/crypto.h>
#else
#include <openssl/err.h>
#include <openssl/dso.h>
#endif
int
main ()
{
DSO_METHOD_dlfcn();
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
#else
DSO_METHOD_dlfcn();
#endif
;
return 0;
}
......@@ -16027,7 +16048,7 @@ int main() {
OPENSSL_VERSION_NUMBER < 0x10002000L) ||
OPENSSL_VERSION_NUMBER >= 0x1000205fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
"Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
......@@ -16247,7 +16268,7 @@ else
#include <openssl/evp.h>
int main() {
EVP_CIPHER *aes128, *aes192, *aes256;
const EVP_CIPHER *aes128, *aes192, *aes256;
aes128 = EVP_aes_128_ecb();
aes192 = EVP_aes_192_ecb();
......@@ -16420,43 +16441,6 @@ $as_echo "yes" >&6; }
ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
ISC_OPENSSL_INC="$DST_OPENSSL_INC"
ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
saved_cflags="$CFLAGS"
save_libs="$LIBS"
CFLAGS="$CFLAGS $ISC_OPENSSL_INC"
LIBS="$LIBS $ISC_OPENSSL_LIBS"
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking HMAC_Init() return type" >&5
$as_echo_n "checking HMAC_Init() return type... " >&6; }
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h. */
#include <openssl/hmac.h>
int
main ()
{
HMAC_CTX ctx;
int n = HMAC_Init(&ctx, NULL, 0, NULL);
n += HMAC_Update(&ctx, NULL, 0);
n += HMAC_Final(&ctx, NULL, NULL);
;
return 0;
}
_ACEOF
if ac_fn_c_try_compile "$LINENO"; then :
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: int" >&5
$as_echo "int" >&6; }
$as_echo "#define HMAC_RETURN_INT 1" >>confdefs.h
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: void" >&5
$as_echo "void" >&6; }
fi
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
CFLAGS="$saved_cflags"
LIBS="$save_libs"
;;
no)
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
......
......@@ -1595,8 +1595,8 @@ If you don't want OpenSSL, use --without-openssl])
saved_cc="$CC"
saved_cflags="$CFLAGS"
saved_libs="$LIBS"
CFLAGS="$CFLAGS $DST_OPENSSL_INC"
LIBS="$LIBS $DST_OPENSSL_LIBS"
CFLAGS="$DST_OPENSSL_INC $CFLAGS"
LIBS="$DST_OPENSSL_LIBS $LIBS"
AC_MSG_CHECKING(whether linking with OpenSSL works)
AC_TRY_RUN([
#include <openssl/err.h>
......@@ -1615,16 +1615,38 @@ shared library configuration (e.g., LD_LIBRARY_PATH).)],
AC_MSG_CHECKING(whether linking with OpenSSL requires -ldl)
AC_TRY_LINK([
#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
#include <openssl/crypto.h>
#else
#include <openssl/err.h>
#include <openssl/dso.h>
#endif
],
[
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
#else
DSO_METHOD_dlfcn();
#endif
],
[ DSO_METHOD_dlfcn(); ],
[AC_MSG_RESULT(no)],
[LIBS="$LIBS -ldl"
AC_TRY_LINK([
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
#include <openssl/crypto.h>
#else
#include <openssl/err.h>
#include <openssl/dso.h>
],[ DSO_METHOD_dlfcn(); ],
#endif
],
[
#if OPENSSL_VERSION_NUMBER >= 0x10100004L
OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL);
#else
DSO_METHOD_dlfcn();
#endif
],
[AC_MSG_RESULT(yes)
DST_OPENSSL_LIBS="$DST_OPENSSL_LIBS -ldl"
],
......@@ -1651,7 +1673,7 @@ int main() {
OPENSSL_VERSION_NUMBER < 0x10002000L) ||
OPENSSL_VERSION_NUMBER >= 0x1000205fL)
return (0);
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010x\n",
printf("\n\nFound OPENSSL_VERSION_NUMBER %#010lx\n",
OPENSSL_VERSION_NUMBER);
printf("Require OPENSSL_VERSION_NUMBER 0x009070cf or greater (0.9.7l)\n"
"Require OPENSSL_VERSION_NUMBER 0x0090804f or greater (0.9.8d)\n"
......@@ -1803,7 +1825,7 @@ int main() {
AC_TRY_RUN([
#include <openssl/evp.h>
int main() {
EVP_CIPHER *aes128, *aes192, *aes256;
const EVP_CIPHER *aes128, *aes192, *aes256;
aes128 = EVP_aes_128_ecb();
aes192 = EVP_aes_192_ecb();
......@@ -1953,22 +1975,6 @@ case $want_openssl_hash in
ISC_PLATFORM_OPENSSLHASH="#define ISC_PLATFORM_OPENSSLHASH 1"
ISC_OPENSSL_INC="$DST_OPENSSL_INC"
ISC_OPENSSL_LIBS="$DST_OPENSSL_LIBS"
saved_cflags="$CFLAGS"
save_libs="$LIBS"
CFLAGS="$CFLAGS $ISC_OPENSSL_INC"
LIBS="$LIBS $ISC_OPENSSL_LIBS"
AC_MSG_CHECKING([HMAC_Init() return type])
AC_TRY_COMPILE([
#include <openssl/hmac.h>],[
HMAC_CTX ctx;
int n = HMAC_Init(&ctx, NULL, 0, NULL);
n += HMAC_Update(&ctx, NULL, 0);
n += HMAC_Final(&ctx, NULL, NULL);],[
AC_MSG_RESULT(int)
AC_DEFINE(HMAC_RETURN_INT, 1, [HMAC_*() return ints])],[
AC_MSG_RESULT(void)])
CFLAGS="$saved_cflags"
LIBS="$save_libs"
;;
no)
AC_MSG_RESULT(no)
......
......@@ -18,7 +18,13 @@
#ifdef HAVE_OPENSSL_GOST
#include <openssl/evp.h>
typedef EVP_MD_CTX isc_gost_t;
typedef struct {
EVP_MD_CTX *ctx;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_MD_CTX _ctx;
#endif
} isc_gost_t;
#endif
#ifdef HAVE_PKCS11_GOST
#include <pk11/pk11.h>
......
......@@ -22,8 +22,10 @@
#include <openssl/crypto.h>
#include <openssl/bn.h>
#if !defined(OPENSSL_NO_ENGINE) && defined(CRYPTO_LOCK_ENGINE) && \
(OPENSSL_VERSION_NUMBER >= 0x0090707f)
#if !defined(OPENSSL_NO_ENGINE) && \
((defined(CRYPTO_LOCK_ENGINE) && \
(OPENSSL_VERSION_NUMBER >= 0x0090707f)) || \
(OPENSSL_VERSION_NUMBER >= 0x10100000L))
#define USE_ENGINE 1
#endif
......@@ -41,6 +43,15 @@
#define BN_GENCB_get_arg(x) ((x)->arg)
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
/*
* EVP_dss1() is a version of EVP_sha1() that was needed prior to
* 1.1.0 because there was a link between digests and signing algorithms;
* the link has been eliminated and EVP_sha1() can be used now instead.
*/
#define EVP_dss1 EVP_sha1
#endif
ISC_LANG_BEGINDECLS
isc_result_t
......
......@@ -102,6 +102,7 @@ entropy_add(const void *buf, int num, double entropy) {
}
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static void
lock_callback(int mode, int type, const char *file, int line) {
UNUSED(file);
......@@ -112,45 +113,59 @@ lock_callback(int mode, int type, const char *file, int line) {
UNLOCK(&locks[type]);
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
static unsigned long
id_callback(void) {
return ((unsigned long)isc_thread_self());
}
#endif
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
#define FLARG_PASS , __FILE__, __LINE__
#define FLARG
#define FILELINE
#else
#define FLARG , const char *file, int line
#define FILELINE , __FILE__, __LINE__
#if ISC_MEM_TRACKLINES
#define FLARG_PASS , file, line
#else
#define FLARG_PASS
#endif
#endif
static void *
mem_alloc(size_t size) {
mem_alloc(size_t size FLARG) {
#ifdef OPENSSL_LEAKS
void *ptr;
INSIST(dst__memory_pool != NULL);
ptr = isc_mem_allocate(dst__memory_pool, size);
ptr = isc__mem_allocate(dst__memory_pool, size FLARG_PASS);
return (ptr);
#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_allocate(dst__memory_pool, size));
return (isc__mem_allocate(dst__memory_pool, size FLARG_PASS));
#endif
}
static void
mem_free(void *ptr) {
mem_free(void *ptr FLARG) {
INSIST(dst__memory_pool != NULL);
if (ptr != NULL)
isc_mem_free(dst__memory_pool, ptr);
isc__mem_free(dst__memory_pool, ptr FLARG_PASS);
}
static void *
mem_realloc(void *ptr, size_t size) {
mem_realloc(void *ptr, size_t size FLARG) {
#ifdef OPENSSL_LEAKS
void *rptr;
INSIST(dst__memory_pool != NULL);
rptr = isc_mem_reallocate(dst__memory_pool, ptr, size);
rptr = isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS);
return (rptr);
#else
INSIST(dst__memory_pool != NULL);
return (isc_mem_reallocate(dst__memory_pool, ptr, size));
return (isc__mem_reallocate(dst__memory_pool, ptr, size FLARG_PASS));
#endif
}
......@@ -171,20 +186,20 @@ dst__openssl_init(const char *engine) {
#endif
CRYPTO_set_mem_functions(mem_alloc, mem_realloc, mem_free);
nlocks = CRYPTO_num_locks();
locks = mem_alloc(sizeof(isc_mutex_t) * nlocks);
locks = mem_alloc(sizeof(isc_mutex_t) * nlocks FILELINE);
if (locks == NULL)
return (ISC_R_NOMEMORY);
result = isc_mutexblock_init(locks, nlocks);
if (result != ISC_R_SUCCESS)
goto cleanup_mutexalloc;
CRYPTO_set_locking_callback(lock_callback);
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
CRYPTO_set_locking_callback(lock_callback);
CRYPTO_set_id_callback(id_callback);
#endif
ERR_load_crypto_strings();
rm = mem_alloc(sizeof(RAND_METHOD));
rm = mem_alloc(sizeof(RAND_METHOD) FILELINE);
if (rm == NULL) {
result = ISC_R_NOMEMORY;
goto cleanup_mutexinit;
......@@ -250,20 +265,27 @@ dst__openssl_init(const char *engine) {
if (e != NULL)
ENGINE_free(e);
e = NULL;
mem_free(rm);
mem_free(rm FILELINE);
rm = NULL;
#endif
cleanup_mutexinit:
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
cleanup_mutexalloc:
mem_free(locks);
mem_free(locks FILELINE);
locks = NULL;
return (result);
}
void
dst__openssl_destroy(void) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
OPENSSL_cleanup();
if (rm != NULL) {
mem_free(rm FILELINE);
rm = NULL;
}
#else
/*
* Sequence taken from apps_shutdown() in <apps/apps.h>.
*/
......@@ -271,7 +293,7 @@ dst__openssl_destroy(void) {
#if OPENSSL_VERSION_NUMBER >= 0x00907000L
RAND_cleanup();
#endif
mem_free(rm);
mem_free(rm FILELINE);
rm = NULL;
}
#if (OPENSSL_VERSION_NUMBER >= 0x00907000L)
......@@ -303,16 +325,18 @@ dst__openssl_destroy(void) {
if (locks != NULL) {
CRYPTO_set_locking_callback(NULL);
DESTROYMUTEXBLOCK(locks, nlocks);
mem_free(locks);
mem_free(locks FILELINE);
locks = NULL;
}
#endif
}
static isc_result_t
toresult(isc_result_t fallback) {
isc_result_t result = fallback;
unsigned long err = ERR_get_error();
#ifdef HAVE_OPENSSL_ECDSA
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
int lib = ERR_GET_LIB(err);
#endif
int reason = ERR_GET_REASON(err);
......@@ -326,7 +350,8 @@ toresult(isc_result_t fallback) {
result = ISC_R_NOMEMORY;
break;
default:
#ifdef HAVE_OPENSSL_ECDSA
#if defined(HAVE_OPENSSL_ECDSA) && \
defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED)
if (lib == ERR_R_ECDSA_LIB &&
reason == ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) {
result = ISC_R_NOENTROPY;
......
......@@ -68,11 +68,74 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);
static BIGNUM *bn2, *bn768, *bn1024, *bn1536;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
/*
* DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg
* are from OpenSSL 1.1.0.
*/
static void
DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {
if (pub_key != NULL)
*pub_key = dh->pub_key;
if (priv_key != NULL)
*priv_key = dh->priv_key;
}
static int
DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {
/* Note that it is valid for priv_key to be NULL */
if (pub_key == NULL)
return 0;
BN_free(dh->pub_key);
BN_free(dh->priv_key);
dh->pub_key = pub_key;
dh->priv_key = priv_key;
return 1;
}
static void
DH_get0_pqg(const DH *dh,
const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
{
if (p != NULL)
*p = dh->p;
if (q != NULL)
*q = dh->q;
if (g != NULL)
*g = dh->g;
}
static int
DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
/* q is optional */
if (p == NULL || g == NULL)
return(0);
BN_free(dh->p);
BN_free(dh->q);
BN_free(dh->g);
dh->p = p;
dh->q = q;
dh->g = g;
if (q != NULL) {
dh->length = BN_num_bits(q);
}
return(1);
}
#define DH_clear_flags(d, f) (d)->flags &= ~(f)
#endif
static isc_result_t
openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
isc_buffer_t *secret)
{
DH *dhpub, *dhpriv;
const BIGNUM *pub_key = NULL;
int ret;
isc_region_t r;
unsigned int len;
......@@ -87,7 +150,9 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
isc_buffer_availableregion(secret, &r);
if (r.length < len)
return (ISC_R_NOSPACE);
ret = DH_compute_key(r.base, dhpub->pub_key, dhpriv);
DH_get0_key(dhpub, &pub_key, NULL);
ret = DH_compute_key(r.base, pub_key, dhpriv);
if (ret <= 0)
return (dst__openssl_toresult2("DH_compute_key",
DST_R_COMPUTESECRETFAILURE));
......@@ -97,8 +162,10 @@ openssldh_computesecret(const dst_key_t *pub, const dst_key_t *priv,
static isc_boolean_t
openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
int status;
DH *dh1, *dh2;
const BIGNUM *pub_key1 = NULL, *pub_key2 = NULL;
const BIGNUM *priv_key1 = NULL, *priv_key2 = NULL;
const BIGNUM *p1 = NULL, *g1 = NULL, *p2 = NULL, *g2 = NULL;
dh1 = key1->keydata.dh;
dh2 = key2->keydata.dh;
......@@ -108,17 +175,19 @@ openssldh_compare(const dst_key_t *key1, const dst_key_t *key2) {
else if (dh1 == NULL || dh2 == NULL)
return (ISC_FALSE);
status = BN_cmp(dh1->p, dh2->p) ||
BN_cmp(dh1->g, dh2->g) ||
BN_cmp(dh1->pub_key, dh2->pub_key);
DH_get0_key(dh1, &pub_key1, &priv_key1);
DH_get0_key(dh2, &pub_key2, &priv_key2);
DH_get0_pqg(dh1, &p1, NULL, &g1);
DH_get0_pqg(dh2, &p2, NULL, &g2);
if (status != 0)
if (BN_cmp