Remove openssl engine method for loading the key

This is a contribution for loading engine key. OpenSSL engine is deprecated since OpenSSL 3.0 and James Bottomley has not agreed to the proposed license chagne. He is also okay with removing the feature from the current code base as it is obsolete with OpenSSL 3.0. The original commit ID was a0a8d801dd0d84e0ec844b9ca4c225df7 (plus subsequent fixes). Change-Id: I2d353a0cea0a62f289b8c1060244df66dd7a14cb Signed-off-by: Arne Schwabe <[email protected]> Message-Id: <[email protected]> URL: https://www.mail-archive.com/[email protected]/msg27133.html Signed-off-by: Gert Doering <[email protected]> (cherry picked from commit e7427bc)
OpenVPN · Oct 18, 2023 · 8bbc292 · 8bbc292
1 parent 3985da9
commit 8bbc292
Show file tree

Hide file tree

Showing 10 changed files with 0 additions and 279 deletions.
diff --git a/.gitignore b/.gitignore
@@ -58,10 +58,6 @@ tests/t_client-*-20??????-??????/
 t_client.rc
 t_client_ips.rc
 tests/unit_tests/**/*_testdriver
-tests/unit_tests/engine-key/client.key
-tests/unit_tests/engine-key/log.txt
-tests/unit_tests/engine-key/openssl.cnf
-tests/unit_tests/engine-key/passwd
 
 src/openvpn/openvpn
 include/openvpn-plugin.h

diff --git a/configure.ac b/configure.ac
@@ -1520,7 +1520,6 @@ AC_CONFIG_FILES([
         tests/unit_tests/openvpn/Makefile
         tests/unit_tests/plugins/Makefile
         tests/unit_tests/plugins/auth-pam/Makefile
-	tests/unit_tests/engine-key/Makefile
 	sample/Makefile
 ])
 AC_CONFIG_FILES([tests/t_client.sh], [chmod +x tests/t_client.sh])

diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
@@ -1374,66 +1374,6 @@ memcmp_constant_time(const void *a, const void *b, size_t size)
     return CRYPTO_memcmp(a, b, size);
 }
 
-#if HAVE_OPENSSL_ENGINE
-static int
-ui_reader(UI *ui, UI_STRING *uis)
-{
-    SSL_CTX *ctx = UI_get0_user_data(ui);
-
-    if (UI_get_string_type(uis) == UIT_PROMPT)
-    {
-        pem_password_cb *cb = SSL_CTX_get_default_passwd_cb(ctx);
-        void *d = SSL_CTX_get_default_passwd_cb_userdata(ctx);
-        char password[64];
-
-        cb(password, sizeof(password), 0, d);
-        UI_set_result(ui, uis, password);
-
-        return 1;
-    }
-    return 0;
-}
-#endif
-
-EVP_PKEY *
-engine_load_key(const char *file, SSL_CTX *ctx)
-{
-#if HAVE_OPENSSL_ENGINE
-    UI_METHOD *ui;
-    EVP_PKEY *pkey;
-
-    if (!engine_persist)
-    {
-        return NULL;
-    }
-
-    /* this will print out the error from BIO_read */
-    crypto_msg(M_INFO, "PEM_read_bio failed, now trying engine method to load private key");
-
-    ui = UI_create_method("openvpn");
-    if (!ui)
-    {
-        crypto_msg(M_FATAL, "Engine UI creation failed");
-        return NULL;
-    }
-
-    UI_method_set_reader(ui, ui_reader);
-
-    ENGINE_init(engine_persist);
-    pkey = ENGINE_load_private_key(engine_persist, file, ui, ctx);
-    ENGINE_finish(engine_persist);
-    if (!pkey)
-    {
-        crypto_msg(M_FATAL, "Engine could not load key file");
-    }
-
-    UI_destroy_method(ui);
-    return pkey;
-#else  /* if HAVE_OPENSSL_ENGINE */
-    return NULL;
-#endif /* if HAVE_OPENSSL_ENGINE */
-}
-
 #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 bool
 ssl_tls1_PRF(const uint8_t *seed, int seed_len, const uint8_t *secret,

diff --git a/src/openvpn/crypto_openssl.h b/src/openvpn/crypto_openssl.h
@@ -118,16 +118,4 @@ void crypto_print_openssl_errors(const unsigned int flags);
         msg((flags), __VA_ARGS__); \
     } while (false)
 
-/**
- * Load a key file from an engine
- *
- * @param file  The engine file to load
- * @param ui    The UI method for the password prompt
- * @param data  The data to pass to the UI method
- *
- * @return      The private key if successful or NULL if not
- */
-EVP_PKEY *
-engine_load_key(const char *file, SSL_CTX *ctx);
-
 #endif /* CRYPTO_OPENSSL_H_ */
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
@@ -1057,10 +1057,6 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
     pkey = PEM_read_bio_PrivateKey(in, NULL,
                                    SSL_CTX_get_default_passwd_cb(ctx->ctx),
                                    SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
-    if (!pkey)
-    {
-        pkey = engine_load_key(priv_key_file, ctx->ctx);
-    }
 
     if (!pkey || !SSL_CTX_use_PrivateKey(ssl_ctx, pkey))
     {

diff --git a/tests/unit_tests/Makefile.am b/tests/unit_tests/Makefile.am
@@ -2,7 +2,4 @@ AUTOMAKE_OPTIONS = foreign
 
 if ENABLE_UNITTESTS
 SUBDIRS = example_test openvpn plugins
-if OPENSSL_ENGINE
-SUBDIRS += engine-key
-endif
 endif
diff --git a/tests/unit_tests/engine-key/Makefile.am b/tests/unit_tests/engine-key/Makefile.am
diff --git a/tests/unit_tests/engine-key/check_engine_keys.sh b/tests/unit_tests/engine-key/check_engine_keys.sh
diff --git a/tests/unit_tests/engine-key/libtestengine.c b/tests/unit_tests/engine-key/libtestengine.c
diff --git a/tests/unit_tests/engine-key/openssl.cnf.in b/tests/unit_tests/engine-key/openssl.cnf.in