Bug#828594: virtuoso-opensource: FTBFS with openssl 1.1.0
control: tags -1 patch
control: forwarded -1 https://github.com/openlink/virtuoso-opensource/pull/583
On 2016-09-10 17:39:04 [+0200], Kurt Roeckx wrote:
> You already had to include that file to get it working, and that seems to be
> a message form 2001. So you really can't say they haven't been warned.
okay.
> > That part where I replaced d2i_ASN1_BOOLEAN() looks like
> > they copied it from old openssl code.
>
> I'm not sure that that code you replaced it with is correct or not.
this makes two people then.
> > @@ -854,16 +857,18 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
> > }
> >
> > certs = sk_X509_new_null ();
> > +#if HALP
> > if (store && store->objs)
> > {
> > for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
> > {
> > X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
> > - if (obj->type == X509_LU_X509)
> > + if (X509_OBJECT_get_type(obj) == X509_LU_X509)
> > sk_X509_push (certs, X509_dup (obj->data.x509));
> > }
> >
> > }
> > +#endif
>
> Are you looking for X509_STORE_get0_objects(store) instead of
> store->objs?
correct.
> > @@ -1488,6 +1496,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
> > int n, i, len;
> > char *s, *data_ptr;
> > BIO *mem = BIO_new (BIO_s_mem ());
> > +#if HALP
> > for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
> > {
> > ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
>
> I think you're looking for:
> for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
> {
> X509_NAME_ENTRY *ne = X509_NAME_get_entry(subj, i);
>
exactly. Thank you.
The patch attached should contain the changes. And I forwarded ported to
their latest develop branch and created a pull request.
>
> Kurt
Sebastian
>From 823092cccbd8e2ab9bfad6c3d3df791a7ffa76fc Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Date: Mon, 5 Sep 2016 10:49:54 +0000
Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0
Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
---
libsrc/Dk/Dkernel.c | 6 +-
libsrc/Wi/bif_crypto.c | 120 ++++++++++--------
libsrc/Wi/http.c | 2 +-
libsrc/Wi/xmlenc.c | 319 +++++++++++++++++++++++++++--------------------
libsrc/Wi/xmlenc.h | 193 ++++++++++++++++++++++++++--
libsrc/Wi/xmlenc_algos.c | 132 +++++++++++---------
libsrc/util/sslengine.c | 6 +-
7 files changed, 524 insertions(+), 254 deletions(-)
diff --git a/libsrc/Dk/Dkernel.c b/libsrc/Dk/Dkernel.c
index c8dfbf7..82c77cb 100644
--- a/libsrc/Dk/Dkernel.c
+++ b/libsrc/Dk/Dkernel.c
@@ -4930,7 +4930,11 @@ ssl_server_init ()
# if (OPENSSL_VERSION_NUMBER >= 0x00908000L)
SSL_library_init ();
# endif
- SSLeay_add_all_algorithms ();
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ SSLeay_add_all_algorithms();
+#else
+ OpenSSL_add_all_algorithms();
+#endif
PKCS12_PBE_add (); /* stub */
#ifdef NO_THREAD
diff --git a/libsrc/Wi/bif_crypto.c b/libsrc/Wi/bif_crypto.c
index c759d11..3bfc588 100644
--- a/libsrc/Wi/bif_crypto.c
+++ b/libsrc/Wi/bif_crypto.c
@@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg)
unsigned char temp[EVP_MAX_MD_SIZE];
unsigned int size = 0;
caddr_t res = NULL;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
const EVP_MD *md = EVP_sha1 ();
if (alg == 1)
md = EVP_ripemd160 ();
- HMAC_Init (&ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md);
- box_hmac_1 (box, &ctx);
- HMAC_Final (&ctx, temp, &size);
+ ctx = HMAC_CTX_new();
+ if (!ctx)
+ return res;
+
+ HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL);
+ box_hmac_1 (box, ctx);
+ HMAC_Final (ctx, temp, &size);
if (size)
{
res = dk_alloc_box (size + 1, DV_SHORT_STRING);
memcpy (res, temp, size);
res[size] = 0;
}
+ HMAC_CTX_free(ctx);
return res;
}
@@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
{
int ii;
- opp = op;
- ii = d2i_ASN1_BOOLEAN (NULL, &opp, len + hl);
- if (ii < 0)
+ if (len + hl < 1)
{
if (BIO_write (bp, "Bad boolean\n", 12))
goto end;
}
- BIO_printf (bp, "%d", ii);
+ BIO_printf (bp, "%d", p[0]);
}
else if (tag == V_ASN1_BMPSTRING)
{
@@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
}
if (os != NULL)
{
- M_ASN1_OCTET_STRING_free (os);
+ ASN1_STRING_free (os);
os = NULL;
}
}
@@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
if (BIO_write (bp, "BAD INTEGER", 11) <= 0)
goto end;
}
- M_ASN1_INTEGER_free (bs);
+ ASN1_STRING_free (bs);
}
else if (tag == V_ASN1_ENUMERATED)
{
@@ -479,7 +482,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0)
goto end;
}
- M_ASN1_ENUMERATED_free (bs);
+ ASN1_STRING_free (bs);
}
else if (len > 0 && dump)
{
@@ -515,7 +518,7 @@ end:
if (o != NULL)
ASN1_OBJECT_free (o);
if (os != NULL)
- M_ASN1_OCTET_STRING_free (os);
+ ASN1_STRING_free (os);
*pp = p;
return (ret);
}
@@ -854,16 +857,20 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
}
certs = sk_X509_new_null ();
- if (store && store->objs)
+
+ if (store && X509_STORE_get0_objects(store))
{
- for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
+ STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
+
+ for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
{
- X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
- if (obj->type == X509_LU_X509)
- sk_X509_push (certs, X509_dup (obj->data.x509));
+ X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509)
+ sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
}
}
+
if (store)
X509_STORE_free (store);
in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
@@ -935,15 +942,19 @@ bif_smime_encrypt (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
sqlr_new_error ("42000", "CR006", "No recipient certificates");
certs = sk_X509_new_null ();
- if (store && store->objs)
+
+ if (store && X509_STORE_get0_objects(store))
{
- for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
+ STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
+
+ for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
{
- X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
- if (obj->type == X509_LU_X509)
- sk_X509_push (certs, X509_dup (obj->data.x509));
+ X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
+ if (X509_OBJECT_get_type(obj) == X509_LU_X509)
+ sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
}
}
+
if (store)
X509_STORE_free (store);
in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
@@ -1111,7 +1122,7 @@ x509_certificate_verify_cb (int ok, X509_STORE_CTX * ctx)
char *opts = (char *) X509_STORE_CTX_get_app_data (ctx);
if (!ok && opts)
{
- switch (ctx->error)
+ switch (X509_STORE_CTX_get_error(ctx))
{
case X509_V_ERR_CERT_HAS_EXPIRED:
if (strstr (opts, "expired"))
@@ -1208,7 +1219,7 @@ bif_x509_certificate_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** a
if (!i)
{
const char *err_str;
- err_str = X509_verify_cert_error_string (csc->error);
+ err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(csc));
*err_ret = srv_make_new_error ("22023", "CR015", "X509 error: %s", err_str);
}
@@ -1229,20 +1240,16 @@ err_ret:
#define VIRT_CERT_EXT "2.16.840.1.1113.1"
static caddr_t
-BN_box (BIGNUM * x)
+BN_box (const BIGNUM *x)
{
size_t buf_len, n;
caddr_t buf;
buf_len = (size_t) BN_num_bytes (x);
- if (buf_len <= BN_BYTES)
- buf = box_num ((unsigned long) x->d[0]);
- else
- {
- buf = dk_alloc_box (buf_len, DV_BIN);
- n = BN_bn2bin (x, (unsigned char *) buf);
- if (n != buf_len)
- GPF_T;
- }
+ /* did not figure out where buf is free()ed */
+ buf = dk_alloc_box (buf_len, DV_BIN);
+ n = BN_bn2bin (x, (unsigned char *) buf);
+ if (n != buf_len)
+ GPF_T;
return buf;
}
@@ -1419,7 +1426,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
int i;
char tmp[1024];
char *ext_oid = (char *) (BOX_ELEMENTS (args) > 4 ? bif_string_arg (qst, args, 4, "get_certificate_info") : VIRT_CERT_EXT);
- STACK_OF (X509_EXTENSION) * exts = cert->cert_info->extensions;
+ const STACK_OF (X509_EXTENSION) * exts = X509_get0_extensions(cert);
for (i = 0; i < sk_X509_EXTENSION_num (exts); i++)
{
X509_EXTENSION *ex = sk_X509_EXTENSION_value (exts, i);
@@ -1431,7 +1438,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
char *data_ptr;
BIO *mem = BIO_new (BIO_s_mem ());
if (!X509V3_EXT_print (mem, ex, 0, 0))
- M_ASN1_OCTET_STRING_print (mem, ex->value);
+ ASN1_STRING_print (mem, X509_EXTENSION_get_data(ex));
len = BIO_get_mem_data (mem, &data_ptr);
if (len > 0 && data_ptr)
{
@@ -1458,18 +1465,23 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
if (k)
{
#ifdef EVP_PKEY_RSA
- if (k->type == EVP_PKEY_RSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
{
- RSA *x = k->pkey.rsa;
- ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (x->e), BN_box (x->n));
+ const BIGNUM *n, *e;
+
+ RSA_get0_key(EVP_PKEY_get0_RSA(k), &n, &e, NULL);
+
+ ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (e), BN_box (n));
}
else
#endif
#ifdef EVP_PKEY_DSA
- if (k->type == EVP_PKEY_DSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
{
- DSA *x = k->pkey.dsa;
- ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (x->pub_key));
+ const BIGNUM *pub_key;
+
+ DSA_get0_key(EVP_PKEY_get0_DSA(k), &pub_key, NULL);
+ ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (pub_key));
}
else
#endif
@@ -1488,13 +1500,14 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
int n, i, len;
char *s, *data_ptr;
BIO *mem = BIO_new (BIO_s_mem ());
- for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
+
+ for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
{
- ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
- n = OBJ_obj2nid (ne->object);
+ ne = X509_NAME_get_entry(subj, i);
+ n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
if ((n == NID_undef) || ((s = OBJ_nid2sn (n)) == NULL))
{
- i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
+ i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
s = buffer;
}
if (!strcmp (s, attr))
@@ -1503,9 +1516,10 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
break;
}
}
+
if (ne_ret)
{
- ASN1_STRING_print (mem, ne_ret->value);
+ ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne_ret));
len = BIO_get_mem_data (mem, &data_ptr);
if (len > 0 && data_ptr)
{
@@ -1526,17 +1540,18 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
dk_set_t set = NULL;
caddr_t val;
BIO *mem = BIO_new (BIO_s_mem ());
- for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
+
+ for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
{
val = NULL;
- ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
- n = OBJ_obj2nid (ne->object);
+ ne = X509_NAME_get_entry(subj, i);
+ n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
if ((n == NID_undef) || ((s = OBJ_nid2sn (n)) == NULL))
{
- i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
+ i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
s = buffer;
}
- ASN1_STRING_print (mem, ne->value);
+ ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne));
len = BIO_get_mem_data (mem, &data_ptr);
if (len > 0 && data_ptr)
{
@@ -1550,6 +1565,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
}
BIO_free (mem);
ret = list_to_array (dk_set_nreverse (set));
+
break;
}
default:
diff --git a/libsrc/Wi/http.c b/libsrc/Wi/http.c
index 9963c2c..56d62e8 100644
--- a/libsrc/Wi/http.c
+++ b/libsrc/Wi/http.c
@@ -8356,7 +8356,7 @@ ssl_server_set_certificate (SSL_CTX* ssl_ctx, char * cert_name, char * key_name,
log_error ("SSL: The stored certificate '%s' can not be used as extra chain certificate", tok);
break;
}
- CRYPTO_add(&k->xek_x509->references, 1, CRYPTO_LOCK_X509);
+ X509_up_ref(k->xek_x509);
tok = strtok_r (NULL, ",", &tok_s);
}
dk_free_box (str);
diff --git a/libsrc/Wi/xmlenc.c b/libsrc/Wi/xmlenc.c
index 53101b1..32ac89a 100644
--- a/libsrc/Wi/xmlenc.c
+++ b/libsrc/Wi/xmlenc.c
@@ -1202,36 +1202,45 @@ void xenc_key_remove (xenc_key_t * key, int lock)
}
-static void
-genrsa_cb(int p, int n, void *arg)
-{
-#ifdef LINT
- p=n;
-#endif
-}
-
int
__xenc_key_rsa_init (char *name)
{
RSA *rsa = NULL;
- int num=1024;
- unsigned long f4=RSA_F4;
+ BIGNUM *bn = NULL;
int r;
+
xenc_key_t * pkey = xenc_get_key_by_name (name, 1);
if (NULL == pkey)
SQLR_NEW_KEY_ERROR (name);
- rsa=RSA_generate_key(num,f4,genrsa_cb,NULL);
+ rsa = RSA_new();
+ if (!rsa)
+ goto out;
+ bn = BN_new();
+ if (!bn)
+ goto out;
+ if (!BN_set_word(bn, RSA_F4))
+ goto out;
+
+ if (!RSA_generate_key_ex(rsa, 1024, bn, NULL))
+ goto out;
+
r = RSA_check_key(rsa);
+ if (r != 1)
+ goto out;
pkey->ki.rsa.pad = RSA_PKCS1_PADDING;
- if (rsa == NULL)
- {
- sqlr_new_error ("42000", "XENC06",
- "RSA parameters generation error");
- }
pkey->xek_rsa = rsa;
pkey->xek_private_rsa = rsa;
+ BN_free(bn);
return 0;
+out:
+ if (bn)
+ BN_free(bn);
+ if (rsa)
+ RSA_free(rsa);
+ sqlr_new_error ("42000", "XENC06",
+ "RSA parameters generation error");
+ return -1;
}
@@ -1423,19 +1432,19 @@ xenc_key_t * xenc_key_create_from_x509_cert (char * name, char * certificate, ch
if (pkey)
{
- switch (EVP_PKEY_type (pkey->type))
+ switch (EVP_PKEY_type (EVP_PKEY_id(pkey)))
{
case EVP_PKEY_DSA:
sign_algoname = DSIG_DSA_SHA1_ALGO;
enc_algoname = XENC_DSA_ALGO;
- dsa = pkey->pkey.dsa;
- private_dsa = private_key ? private_key->pkey.dsa : 0;
+ dsa = EVP_PKEY_get0_DSA(pkey);
+ private_dsa = private_key ? EVP_PKEY_get0_DSA(private_key) : 0;
break;
case EVP_PKEY_RSA:
sign_algoname = DSIG_RSA_SHA1_ALGO;
enc_algoname = XENC_RSA_ALGO;
- rsa = pkey->pkey.rsa;
- private_rsa = private_key ? private_key->pkey.rsa : 0;
+ rsa = EVP_PKEY_get0_RSA(pkey);
+ private_rsa = private_key ? EVP_PKEY_get0_RSA(private_key) : 0;
break;
default:
goto finish;
@@ -1484,13 +1493,6 @@ xenc_key_t * xenc_key_create_from_x509_cert (char * name, char * certificate, ch
return k;
}
-static void dh_cb(int p, int n, void *arg)
-{
-#ifdef LINT
- p=n;
-#endif
-}
-
static /*xenc_key_DSA_create */
caddr_t bif_xenc_key_dsa_create (caddr_t * qst, caddr_t * err_r, state_slot_t ** args)
{
@@ -1555,15 +1557,21 @@ caddr_t bif_xenc_key_DH_create (caddr_t * qst, caddr_t * err_r, state_slot_t **
dh = DH_new ();
bn_p = BN_bin2bn ((unsigned char *)mod, p_len, NULL);
bn_g = BN_bin2bn (g_bin, 1, NULL);
- dh->p = bn_p;
- dh->g = bn_g;
+ if (dh)
+ DH_set0_pqg(dh, bn_p, NULL, bn_g);
dk_free_box (mod_b64);
dk_free_box (mod);
}
else
{
- dh = DH_generate_parameters (num, g, dh_cb, NULL);
+ dh = DH_new();
+ if (dh) {
+ if (!DH_generate_parameters_ex(dh, num, g, NULL)) {
+ DH_free(dh);
+ dh = NULL;
+ }
+ }
}
if (!dh)
{
@@ -1593,7 +1601,7 @@ caddr_t bif_xenc_DH_get_params (caddr_t * qst, caddr_t * err_r, state_slot_t **
int n, len;
caddr_t buf = NULL, ret, b64;
DH *dh;
- BIGNUM *num;
+ const BIGNUM *num;
mutex_enter (xenc_keys_mtx);
key = xenc_get_key_by_name (name, 0);
@@ -1608,19 +1616,19 @@ caddr_t bif_xenc_DH_get_params (caddr_t * qst, caddr_t * err_r, state_slot_t **
switch (param)
{
case 1:
- num = dh->p;
+ DH_get0_pqg(dh, &num, NULL, NULL);
break;
case 2:
- num = dh->g;
+ DH_get0_pqg(dh, NULL, NULL, &num);
break;
case 3:
- num = dh->pub_key;
+ DH_get0_key(dh, &num, NULL);
break;
case 4:
- num = dh->priv_key;
+ DH_get0_key(dh, NULL, &num);
break;
default:
- num = dh->pub_key;
+ DH_get0_key(dh, &num, NULL);
}
buf_len = (size_t)BN_num_bytes(num);
@@ -1762,7 +1770,7 @@ xenc_key_len_get (const char * algo)
if (!algo)
len = 0;
else if (!strcmp (algo, XENC_TRIPLEDES_ALGO))
- len = 3 * sizeof (des_cblock);
+ len = 3 * sizeof (DES_cblock);
else if (!strcmp (algo, XENC_AES128_ALGO))
len = 128;
else if (!strcmp (algo, XENC_AES256_ALGO))
@@ -1778,9 +1786,17 @@ caddr_t bif_xenc_key_rsa_create (caddr_t * qst, caddr_t * err_r, state_slot_t **
xenc_key_t * k;
caddr_t name = bif_string_arg (qst, args, 0, "xenc_key_RSA_create");
int num = (int) bif_long_arg (qst, args, 1, "xenc_key_RSA_create");
- RSA *rsa = NULL;
+ RSA *rsa;
+ BIGNUM *bn;
EVP_PKEY *pk = NULL;
+ rsa = RSA_new();
+ bn = BN_new();
+ if (!rsa || !bn)
+ goto out;
+ if (!BN_set_word(bn, RSA_F4))
+ goto out;
+
mutex_enter (xenc_keys_mtx);
if (NULL == (k = xenc_key_create (name, XENC_RSA_ALGO , DSIG_RSA_SHA1_ALGO, 0)))
{
@@ -1788,12 +1804,11 @@ caddr_t bif_xenc_key_rsa_create (caddr_t * qst, caddr_t * err_r, state_slot_t **
SQLR_NEW_KEY_EXIST_ERROR (name);
}
- rsa = RSA_generate_key (num, RSA_F4, NULL, NULL);
-
- if (rsa == NULL)
- {
- sqlr_new_error ("42000", "XENC06", "RSA generation error");
- }
+ if (!RSA_generate_key_ex (rsa, num, bn, NULL)) {
+ mutex_leave (xenc_keys_mtx);
+ goto out;
+ }
+ BN_free(bn);
k->xek_rsa = RSAPublicKey_dup (rsa);
k->xek_private_rsa = rsa;
@@ -1807,6 +1822,13 @@ caddr_t bif_xenc_key_rsa_create (caddr_t * qst, caddr_t * err_r, state_slot_t **
mutex_leave (xenc_keys_mtx);
return NULL;
+out:
+ if (bn)
+ BN_free(bn);
+ if (rsa)
+ RSA_free(rsa);
+ sqlr_new_error ("42000", "XENC06", "RSA generation error");
+ return NULL;
}
xenc_key_t *
@@ -1814,7 +1836,7 @@ xenc_key_create_from_utok (u_tok_t * utok, caddr_t seed, wsse_ctx_t * ctx)
{
xenc_key_t * key;
P_SHA1_CTX * psha1;
- des_cblock _key[5];
+ DES_cblock _key[5];
int key_len = 0;
caddr_t * utok_opts = (caddr_t *) xenc_get_option (ctx->wc_opts, "UsernameToken", NULL);
caddr_t key_algo = xenc_get_option (utok_opts, "keyAlgorithm", XENC_TRIPLEDES_ALGO);
@@ -1843,13 +1865,13 @@ xenc_key_create_from_utok (u_tok_t * utok, caddr_t seed, wsse_ctx_t * ctx)
memset (&key->ki.triple_des.ks3, 0, sizeof (key->ki.triple_des.ks3));
memset (&key->ki.triple_des.iv, 0, sizeof (key->ki.triple_des.iv));
- des_set_key_unchecked(&_key[0], key->ki.triple_des.ks1);
- des_set_key_unchecked(&_key[1], key->ki.triple_des.ks2);
- des_set_key_unchecked(&_key[2], key->ki.triple_des.ks3);
+ DES_set_key_unchecked(&_key[0], &key->ki.triple_des.ks1);
+ DES_set_key_unchecked(&_key[1], &key->ki.triple_des.ks2);
+ DES_set_key_unchecked(&_key[2], &key->ki.triple_des.ks3);
- memcpy (key->ki.triple_des.k1, &_key[0], sizeof (des_cblock));
- memcpy (key->ki.triple_des.k2, &_key[1], sizeof (des_cblock));
- memcpy (key->ki.triple_des.k3, &_key[2], sizeof (des_cblock));
+ memcpy (key->ki.triple_des.k1, &_key[0], sizeof (DES_cblock));
+ memcpy (key->ki.triple_des.k2, &_key[1], sizeof (DES_cblock));
+ memcpy (key->ki.triple_des.k3, &_key[2], sizeof (DES_cblock));
break;
}
#ifdef AES_ENC_ENABLE
@@ -2002,7 +2024,13 @@ int __xenc_key_dsa_init (char *name, int lock)
SQLR_NEW_KEY_ERROR (name);
RAND_poll ();
- dsa = DSA_generate_parameters(num, NULL, 0, NULL, NULL, dh_cb, NULL);
+ dsa = DSA_new();
+ if (dsa) {
+ if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, NULL)) {
+ DSA_free(dsa);
+ dsa = NULL;
+ }
+ }
if (dsa == NULL)
{
sqlr_new_error ("42000", "XENC11",
@@ -2026,7 +2054,13 @@ int __xenc_key_dh_init (char *name, int lock)
if (NULL == pkey)
SQLR_NEW_KEY_ERROR (name);
- dh = DH_generate_parameters (num, g, dh_cb, NULL);
+ dh = DH_new();
+ if (dh) {
+ if (!DH_generate_parameters_ex(dh, num, g, NULL)) {
+ DH_free(dh);
+ dh = NULL;
+ }
+ }
if (!dh)
{
sqlr_new_error ("42000", "XENC11",
@@ -2073,7 +2107,7 @@ static
int __xenc_key_3des_init (char *name, char *pwd, int lock)
{
char _key[KEYSIZB+1];
- des_cblock key[3];
+ DES_cblock key[3];
xenc_key_t * pkey = xenc_get_key_by_name (name, lock);
if (NULL == pkey)
@@ -2093,13 +2127,13 @@ int __xenc_key_3des_init (char *name, char *pwd, int lock)
(unsigned char *)_key,
strlen(_key), 1, (unsigned char*) &key[0], pkey->ki.triple_des.iv);
- des_set_key_unchecked(&key[0], pkey->ki.triple_des.ks1);
- des_set_key_unchecked(&key[1], pkey->ki.triple_des.ks2);
- des_set_key_unchecked(&key[2], pkey->ki.triple_des.ks3);
+ DES_set_key_unchecked(&key[0], &pkey->ki.triple_des.ks1);
+ DES_set_key_unchecked(&key[1], &pkey->ki.triple_des.ks2);
+ DES_set_key_unchecked(&key[2], &pkey->ki.triple_des.ks3);
- memcpy (pkey->ki.triple_des.k1, &key[0], sizeof (des_cblock));
- memcpy (pkey->ki.triple_des.k2, &key[1], sizeof (des_cblock));
- memcpy (pkey->ki.triple_des.k3, &key[2], sizeof (des_cblock));
+ memcpy (pkey->ki.triple_des.k1, &key[0], sizeof (DES_cblock));
+ memcpy (pkey->ki.triple_des.k2, &key[1], sizeof (DES_cblock));
+ memcpy (pkey->ki.triple_des.k3, &key[2], sizeof (DES_cblock));
xenc_store_key (pkey, lock);
return 0;
@@ -2107,13 +2141,13 @@ int __xenc_key_3des_init (char *name, char *pwd, int lock)
void xenc_key_3des_init (xenc_key_t * pkey, unsigned char * k1, unsigned char * k2, unsigned char * k3)
{
- memcpy (pkey->ki.triple_des.k1, k1, sizeof (des_cblock));
- memcpy (pkey->ki.triple_des.k2, k2, sizeof (des_cblock));
- memcpy (pkey->ki.triple_des.k3, k3, sizeof (des_cblock));
+ memcpy (pkey->ki.triple_des.k1, k1, sizeof (DES_cblock));
+ memcpy (pkey->ki.triple_des.k2, k2, sizeof (DES_cblock));
+ memcpy (pkey->ki.triple_des.k3, k3, sizeof (DES_cblock));
- des_set_key_unchecked((const_des_cblock*) k1, pkey->ki.triple_des.ks1);
- des_set_key_unchecked((const_des_cblock*) k2, pkey->ki.triple_des.ks2);
- des_set_key_unchecked((const_des_cblock*) k3, pkey->ki.triple_des.ks3);
+ DES_set_key_unchecked((const_DES_cblock*) k1, &pkey->ki.triple_des.ks1);
+ DES_set_key_unchecked((const_DES_cblock*) k2, &pkey->ki.triple_des.ks2);
+ DES_set_key_unchecked((const_DES_cblock*) k3, &pkey->ki.triple_des.ks3);
}
@@ -2145,20 +2179,20 @@ caddr_t bif_xenc_key_3des_rand_create (caddr_t * qst, caddr_t * err_r, state_slo
{
caddr_t name = bif_key_name_arg (qst, args, 0, "xenc_key_3DES_rand_create");
xenc_key_t * k = 0;
- des_cblock k1;
- des_cblock k2;
- des_cblock k3;
- des_key_schedule ks1;
- des_key_schedule ks2;
- des_key_schedule ks3;
-
- des_random_key (&k1);
- des_random_key (&k2);
- des_random_key (&k3);
-
- if ( (des_set_key_checked (&k1, ks1) < 0) ||
- (des_set_key_checked (&k2, ks2) < 0) ||
- (des_set_key_checked (&k3, ks3) < 0) )
+ DES_cblock k1;
+ DES_cblock k2;
+ DES_cblock k3;
+ DES_key_schedule ks1;
+ DES_key_schedule ks2;
+ DES_key_schedule ks3;
+
+ DES_random_key (&k1);
+ DES_random_key (&k2);
+ DES_random_key (&k3);
+
+ if ( (DES_set_key_checked (&k1, &ks1) < 0) ||
+ (DES_set_key_checked (&k2, &ks2) < 0) ||
+ (DES_set_key_checked (&k3, &ks3) < 0) )
GPF_T; /* parity check failed, library error - could not check result of it's own work */
mutex_enter (xenc_keys_mtx);
@@ -2169,13 +2203,13 @@ caddr_t bif_xenc_key_3des_rand_create (caddr_t * qst, caddr_t * err_r, state_slo
mutex_leave (xenc_keys_mtx);
SQLR_NEW_KEY_EXIST_ERROR (name);
}
- memcpy (&k->ki.triple_des.k1, &k1, sizeof (des_cblock));
- memcpy (&k->ki.triple_des.k2, &k2, sizeof (des_cblock));
- memcpy (&k->ki.triple_des.k3, &k3, sizeof (des_cblock));
+ memcpy (&k->ki.triple_des.k1, &k1, sizeof (DES_cblock));
+ memcpy (&k->ki.triple_des.k2, &k2, sizeof (DES_cblock));
+ memcpy (&k->ki.triple_des.k3, &k3, sizeof (DES_cblock));
- memcpy (&k->ki.triple_des.ks1, &ks1, sizeof (des_key_schedule));
- memcpy (&k->ki.triple_des.ks2, &ks2, sizeof (des_key_schedule));
- memcpy (&k->ki.triple_des.ks3, &ks3, sizeof (des_key_schedule));
+ memcpy (&k->ki.triple_des.ks1, &ks1, sizeof (DES_key_schedule));
+ memcpy (&k->ki.triple_des.ks2, &ks2, sizeof (DES_key_schedule));
+ memcpy (&k->ki.triple_des.ks3, &ks3, sizeof (DES_key_schedule));
mutex_leave (xenc_keys_mtx);
@@ -2252,9 +2286,11 @@ bif_xenc_key_rsa_read (caddr_t * qst, caddr_t * err_r, state_slot_t ** args)
if (!p)
{
+ const BIGNUM *n, *e;
+
+ RSA_get0_key(r, &n, &e, NULL);
p = RSA_new ();
- p->n = BN_dup (r->n);
- p->e = BN_dup (r->e);
+ RSA_set0_key(p, BN_dup(n), BN_dup(e), NULL);
}
mutex_enter (xenc_keys_mtx);
@@ -2286,14 +2322,13 @@ bif_xenc_key_rsa_construct (caddr_t * qst, caddr_t * err_r, state_slot_t ** args
p = RSA_new ();
n = BN_bin2bn ((unsigned char *) mod, box_length (mod) - 1, NULL);
e = BN_bin2bn ((unsigned char *) exp, box_length (exp) - 1, NULL);
- p->n = n;
- p->e = e;
+ RSA_set0_key(p, n, e, NULL);
if (pexp)
{
pk = RSA_new ();
- pk->d = BN_bin2bn ((unsigned char *) pexp, box_length (pexp) - 1, NULL);
- pk->n = BN_dup (n);
- pk->e = BN_dup (e);
+ RSA_set0_key(p, BN_dup(n),
+ BN_dup(e),
+ BN_bin2bn ((unsigned char *) pexp, box_length (pexp) - 1, NULL));
}
mutex_enter (xenc_keys_mtx);
k = xenc_key_create (name, XENC_RSA_ALGO, DSIG_RSA_SHA1_ALGO, 0);
@@ -2565,9 +2600,9 @@ caddr_t bif_xenc_key_serialize (caddr_t * qst, caddr_t * err_r, state_slot_t **
if (k->xek_type == DSIG_KEY_3DES)
{
- memcpy (in_buf, k->ki.triple_des.k1, sizeof (des_cblock));
- memcpy (in_buf + sizeof (des_cblock), k->ki.triple_des.k2, sizeof (des_cblock));
- memcpy (in_buf + 2*sizeof (des_cblock), k->ki.triple_des.k3, sizeof (des_cblock));
+ memcpy (in_buf, k->ki.triple_des.k1, sizeof (DES_cblock));
+ memcpy (in_buf + sizeof (DES_cblock), k->ki.triple_des.k2, sizeof (DES_cblock));
+ memcpy (in_buf + 2*sizeof (DES_cblock), k->ki.triple_des.k3, sizeof (DES_cblock));
}
else if (k->xek_type == DSIG_KEY_RSA)
{
@@ -3989,7 +4024,7 @@ void xenc_tag_free (xenc_tag_t * t)
#endif
}
-xenc_tag_t * xenc_tag_add_child_BN (xenc_tag_t * tag, BIGNUM * bn)
+static xenc_tag_t * xenc_tag_add_child_BN (xenc_tag_t * tag, const BIGNUM * bn)
{
char * buffer = dk_alloc_box (BN_num_bytes (bn), DV_BIN);
char * buffer_base64 = dk_alloc_box (box_length (buffer) * 2, DV_STRING);
@@ -4014,12 +4049,15 @@ caddr_t ** xenc_generate_ext_info (xenc_key_t * key)
caddr_t ** array;
if (key->xek_type == DSIG_KEY_RSA)
{
+ const BIGNUM *rsa_n, *rsa_e;
+
+ RSA_get0_key(key->ki.rsa.rsa_st, &rsa_n, &rsa_e, NULL);
xenc_tag_t * rsakeyval = xenc_tag_create (DSIG_URI, ":RSAKeyValue");
xenc_tag_t * rsamodulus = xenc_tag_create (DSIG_URI, ":Modulus");
xenc_tag_t * rsaexponent = xenc_tag_create (DSIG_URI, ":Exponent");
- xenc_tag_add_child_BN (rsamodulus, key->ki.rsa.rsa_st->n);
- xenc_tag_add_child_BN (rsaexponent, key->ki.rsa.rsa_st->e);
+ xenc_tag_add_child_BN (rsamodulus, rsa_n);
+ xenc_tag_add_child_BN (rsaexponent, rsa_e);
xenc_tag_add_child (rsakeyval, xenc_tag_finalize (rsamodulus));
xenc_tag_add_child (rsakeyval, xenc_tag_finalize (rsaexponent));
@@ -4038,12 +4076,15 @@ caddr_t ** xenc_generate_ext_info (xenc_key_t * key)
xenc_tag_t * g = xenc_tag_create (DSIG_URI, ":G");
xenc_tag_t * y = xenc_tag_create (DSIG_URI, ":Y");
DSA * dsa = key->ki.dsa.dsa_st;
+ const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
+ DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g);
+ DSA_get0_key(dsa, &dsa_pub_key, NULL);
- xenc_tag_add_child_BN (p, dsa->p);
- xenc_tag_add_child_BN (p, dsa->q);
- xenc_tag_add_child_BN (p, dsa->g);
- xenc_tag_add_child_BN (p, dsa->pub_key);
+ xenc_tag_add_child_BN (p, dsa_p);
+ xenc_tag_add_child_BN (p, dsa_q);
+ xenc_tag_add_child_BN (p, dsa_g);
+ xenc_tag_add_child_BN (p, dsa_pub_key);
xenc_tag_add_child (dsakeyval, xenc_tag_finalize (p));
xenc_tag_add_child (dsakeyval, xenc_tag_finalize (q));
@@ -5980,7 +6021,7 @@ void xenc_kt_test ()
xenc_des3_decryptor (out, strses_length (out), in, key, &t);
key_data_2 = strses_string (in);
- if (memcmp (key_data, key_data_2, 3 * sizeof (des_cblock)))
+ if (memcmp (key_data, key_data_2, 3 * sizeof (DES_cblock)))
xenc_assert (0);
dk_free_box (key_data_2);
dk_free_box (key_data);
@@ -5988,13 +6029,13 @@ void xenc_kt_test ()
new_key = xenc_build_encrypted_key ("virtdev_test_rest", in, XENC_TRIPLEDES_ALGO, &t);
if (memcmp (new_key->ki.triple_des.k1,
- key->ki.triple_des.k1, sizeof (des_cblock)))
+ key->ki.triple_des.k1, sizeof (DES_cblock)))
xenc_assert (0);
if (memcmp (new_key->ki.triple_des.k2,
- key->ki.triple_des.k2, sizeof (des_cblock)))
+ key->ki.triple_des.k2, sizeof (DES_cblock)))
xenc_assert (0);
if (memcmp (new_key->ki.triple_des.k3,
- key->ki.triple_des.k3, sizeof (des_cblock)))
+ key->ki.triple_des.k3, sizeof (DES_cblock)))
xenc_assert (0);
strses_flush (in);
@@ -6090,7 +6131,7 @@ caddr_t xenc_x509_get_key_identifier (X509 * cert)
ret = dk_alloc_box (ikeyid->length, DV_BIN);
memcpy (ret, ikeyid->data, ikeyid->length);
- M_ASN1_OCTET_STRING_free(ikeyid);
+ ASN1_STRING_free(ikeyid);
return ret;
}
@@ -6150,7 +6191,7 @@ bif_x509_get_subject (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
ret = dk_alloc_box (ikeyid->length, DV_BIN);
memcpy (ret, ikeyid->data, ikeyid->length);
- M_ASN1_OCTET_STRING_free(ikeyid);
+ ASN1_STRING_free(ikeyid);
return ret;
}
@@ -6683,7 +6724,7 @@ bif_xenc_x509_csr_generate (caddr_t * qst, caddr_t * err_ret, state_slot_t ** ar
sk_X509_EXTENSION_push(st_exts, ex);
}
X509_REQ_add_extensions(x, st_exts);
- if (!X509_REQ_sign (x, pk, (pk->type == EVP_PKEY_RSA ? EVP_md5() : EVP_dss1())))
+ if (!X509_REQ_sign (x, pk, (EVP_PKEY_id(pk) == EVP_PKEY_RSA ? EVP_md5() : EVP_sha1())))
{
pk = NULL; /* keep one in the xenc_key */
*err_ret = srv_make_new_error ("42000", "XECXX", "Can not sign certificate : %s", get_ssl_error_text (buf, sizeof (buf)));
@@ -6811,23 +6852,23 @@ bif_xenc_x509_from_csr (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
sqlr_warning ("01V01", "QW001", "Unknown extension entry");
}
- if (!X509_sign (x, pk, (pk->type == EVP_PKEY_RSA ? EVP_md5() : EVP_dss1()) ))
+ if (!X509_sign (x, pk, (EVP_PKEY_id(pk) == EVP_PKEY_RSA ? EVP_md5() : EVP_sha1()) ))
{
pk = NULL; /* keep one in the xenc_key */
*err_ret = srv_make_new_error ("42000", "XECXX", "Can not sign certificate");
goto err;
}
- switch (EVP_PKEY_type (cli_pk->type))
+ switch (EVP_PKEY_type (EVP_PKEY_id(cli_pk)))
{
case EVP_PKEY_DSA:
sign_algoname = DSIG_DSA_SHA1_ALGO;
enc_algoname = XENC_DSA_ALGO;
- dsa = cli_pk->pkey.dsa;
+ dsa = EVP_PKEY_get0_DSA(cli_pk);
break;
case EVP_PKEY_RSA:
sign_algoname = DSIG_RSA_SHA1_ALGO;
enc_algoname = XENC_RSA_ALGO;
- rsa = cli_pk->pkey.rsa;
+ rsa = EVP_PKEY_get0_RSA(cli_pk);
break;
default:
*err_ret = srv_make_new_error ("42000", "XECXX", "The type of public key is not supported mus tbe RSA or DSA");
@@ -6975,16 +7016,16 @@ bif_xenc_pubkey_pem_export (caddr_t * qst, caddr_t * err_ret, state_slot_t ** ar
{
k = X509_get_pubkey (key->xek_x509);
#ifdef EVP_PKEY_RSA
- if (k->type == EVP_PKEY_RSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
{
- RSA * x = k->pkey.rsa;
+ RSA *x = EVP_PKEY_get0_RSA(k);
PEM_write_bio_RSA_PUBKEY (b, x);
}
#endif
#ifdef EVP_PKEY_DSA
- if (k->type == EVP_PKEY_DSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
{
- DSA * x = k->pkey.dsa;
+ DSA * x = EVP_PKEY_get0_DSA(k);
PEM_write_bio_DSA_PUBKEY (b, x);
}
#endif
@@ -7031,16 +7072,16 @@ bif_xenc_pubkey_der_export (caddr_t * qst, caddr_t * err_ret, state_slot_t ** ar
{
k = X509_get_pubkey (key->xek_x509);
#ifdef EVP_PKEY_RSA
- if (k->type == EVP_PKEY_RSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
{
- RSA * x = k->pkey.rsa;
+ RSA * x = EVP_PKEY_get0_RSA(k);
i2d_RSA_PUBKEY_bio (b, x);
}
#endif
#ifdef EVP_PKEY_DSA
- if (k->type == EVP_PKEY_DSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
{
- DSA * x = k->pkey.dsa;
+ DSA * x = EVP_PKEY_get0_DSA(k);
i2d_DSA_PUBKEY_bio (b, x);
}
#endif
@@ -7068,7 +7109,7 @@ err:
}
static caddr_t
-BN2binbox (BIGNUM * x)
+BN2binbox (const BIGNUM * x)
{
size_t buf_len, n;
caddr_t buf;
@@ -7103,8 +7144,14 @@ static caddr_t
xenc_rsa_pub_magic (RSA * x)
{
caddr_t ret;
- caddr_t n = BN2binbox (x->n); /* modulus */
- caddr_t e = BN2binbox (x->e); /* public exponent */
+ caddr_t n;
+ caddr_t e;
+ const BIGNUM *rsa_n, *rsa_e;
+
+ RSA_get0_key(x, &rsa_n, &rsa_e, NULL);
+ n = BN2binbox (rsa_n); /* modulus */
+ e = BN2binbox (rsa_e); /* public exponent */
+
n = xenc_encode_base64_binbox (n, 1);
e = xenc_encode_base64_binbox (e, 1);
ret = dk_alloc_box (box_length (n) + box_length (e) + 4 /* two dots - one trailing zero + RSA prefix */, DV_STRING);
@@ -7129,9 +7176,9 @@ bif_xenc_pubkey_magic_export (caddr_t * qst, caddr_t * err_ret, state_slot_t **
{
k = X509_get_pubkey (key->xek_x509);
#ifdef EVP_PKEY_RSA
- if (k->type == EVP_PKEY_RSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
{
- RSA * x = k->pkey.rsa;
+ RSA * x = EVP_PKEY_get0_RSA(k);
ret = xenc_rsa_pub_magic (x);
}
#endif
@@ -7172,10 +7219,16 @@ static caddr_t
xenc_rsa_pub_ssh_export (RSA * x)
{
static char * ssh_header = "\x00\x00\x00\x07ssh-rsa";
+ const BIGNUM *rsa_n, *rsa_e;
caddr_t ret;
int len, pos;
- caddr_t n = BN2binbox (x->n); /* modulus */
- caddr_t e = BN2binbox (x->e); /* public exponent */
+ caddr_t n;
+ caddr_t e;
+
+ RSA_get0_key(x, &rsa_n, &rsa_e, NULL);
+ n = BN2binbox (rsa_n); /* modulus */
+ e = BN2binbox (rsa_e); /* public exponent */
+
len = 11 + 8 + box_length (n) + box_length (e);
if (n[0] & 0x80)
len ++;
@@ -7206,9 +7259,9 @@ bif_xenc_pubkey_ssh_export (caddr_t * qst, caddr_t * err_ret, state_slot_t ** ar
{
k = X509_get_pubkey (key->xek_x509);
#ifdef EVP_PKEY_RSA
- if (k->type == EVP_PKEY_RSA)
+ if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
{
- RSA * x = k->pkey.rsa;
+ RSA * x = EVP_PKEY_get0_RSA(k);
ret = xenc_rsa_pub_ssh_export (x);
}
#endif
@@ -7241,7 +7294,7 @@ bif_xenc_SPKI_read (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
return NULL;
}
pk = NETSCAPE_SPKI_get_pubkey (spki);
- if (!pk || pk->type != EVP_PKEY_RSA)
+ if (!pk || EVP_PKEY_id(pk) != EVP_PKEY_RSA)
{
NETSCAPE_SPKI_free (spki);
*err_ret = srv_make_new_error ("42000", "XECXX", "Can not retrieve RSA key");
diff --git a/libsrc/Wi/xmlenc.h b/libsrc/Wi/xmlenc.h
index 958ef70..fdda104 100644
--- a/libsrc/Wi/xmlenc.h
+++ b/libsrc/Wi/xmlenc.h
@@ -36,6 +36,7 @@
#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include <openssl/des.h>
+#include <openssl/hmac.h>
#ifdef AES_ENC_ENABLE
#include <openssl/aes.h>
@@ -312,15 +313,15 @@ struct xenc_key_s
} dsa;
struct dsig_des3_keyinfo_s
{
- des_cblock k1;
- des_cblock k2;
- des_cblock k3;
+ DES_cblock k1;
+ DES_cblock k2;
+ DES_cblock k3;
- des_key_schedule ks1;/* key schedule */
- des_key_schedule ks2;/* key schedule (for ede) */
- des_key_schedule ks3;/* key schedule (for ede3) */
+ DES_key_schedule ks1;/* key schedule */
+ DES_key_schedule ks2;/* key schedule (for ede) */
+ DES_key_schedule ks3;/* key schedule (for ede3) */
- des_cblock iv;
+ DES_cblock iv;
#define PKCS5_SALT_LEN 8
unsigned char salt[PKCS5_SALT_LEN];
} triple_des;
@@ -629,5 +630,183 @@ caddr_t * xml_find_any_child (caddr_t * curr, const char * name, const char * ur
extern dk_mutex_t * xenc_keys_mtx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+
+static inline HMAC_CTX *HMAC_CTX_new(void)
+{
+ HMAC_CTX *p;
+
+ p = calloc(1, sizeof(HMAC_CTX));
+ if (!p)
+ return p;
+ HMAC_CTX_init(p);
+ return p;
+}
+
+static inline void HMAC_CTX_free(HMAC_CTX *ctx)
+{
+ HMAC_CTX_cleanup(ctx);
+ free(ctx);
+}
+
+static inline void RSA_get0_key(const RSA *r, const BIGNUM **n,
+ const BIGNUM **e, const BIGNUM **d)
+{
+ if (n != NULL)
+ *n = r->n;
+ if (e != NULL)
+ *e = r->e;
+ if (d != NULL)
+ *d = r->d;
+}
+
+static inline void RSA_get0_factors(const RSA *r, const BIGNUM **p,
+ const BIGNUM **q)
+{
+ if (p != NULL)
+ *p = r->p;
+ if (q != NULL)
+ *q = r->q;
+}
+
+static inline RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_RSA)
+ return NULL;
+ return pkey->pkey.rsa;
+}
+
+static inline void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
+ const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = dh->pub_key;
+ if (priv_key != NULL)
+ *priv_key = dh->priv_key;
+}
+
+
+static inline void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
+ const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = dh->p;
+ if (q != NULL)
+ *q = dh->q;
+ if (g != NULL)
+ *g = dh->g;
+}
+
+static inline DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+ if (pkey->type != EVP_PKEY_DSA)
+ return NULL;
+ return pkey->pkey.dsa;
+}
+
+static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+
+static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+ /* If the fields n and e in r are NULL, the corresponding input
+ * parameters MUST be non-NULL for n and e. d may be
+ * left NULL (in case only the public key is used).
+ */
+ if ((r->n == NULL && n == NULL)
+ || (r->e == NULL && e == NULL))
+ return 0;
+
+ if (n != NULL) {
+ BN_free(r->n);
+ r->n = n;
+ }
+ if (e != NULL) {
+ BN_free(r->e);
+ r->e = e;
+ }
+ if (d != NULL) {
+ BN_free(r->d);
+ r->d = d;
+ }
+
+ return 1;
+}
+
+static inline void DSA_get0_pqg(const DSA *d, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ *p = d->p;
+ if (q != NULL)
+ *q = d->q;
+ if (g != NULL)
+ *g = d->g;
+}
+
+static inline void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
+ const BIGNUM **priv_key)
+{
+ if (pub_key != NULL)
+ *pub_key = d->pub_key;
+ if (priv_key != NULL)
+ *priv_key = d->priv_key;
+}
+
+static inline const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x)
+{
+ return x->cert_info->extensions;
+}
+
+static inline int X509_up_ref(X509 *x)
+{
+ return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
+}
+
+static inline STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v)
+{
+ return v->objs;
+}
+
+static inline int X509_OBJECT_get_type(const X509_OBJECT *a)
+{
+ return a->type;
+}
+
+static inline X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
+{
+ if (a == NULL || a->type != X509_LU_X509)
+ return NULL;
+ return a->data.x509;
+}
+
+#endif
+
#endif
diff --git a/libsrc/Wi/xmlenc_algos.c b/libsrc/Wi/xmlenc_algos.c
index 841b98f..654b7de 100644
--- a/libsrc/Wi/xmlenc_algos.c
+++ b/libsrc/Wi/xmlenc_algos.c
@@ -1149,7 +1149,7 @@ int
dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t * sign_out)
{
unsigned char * data;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
unsigned char key_data[32 * 8];
unsigned char md [SHA256_DIGEST_LENGTH + 1];
unsigned char md64 [SHA256_DIGEST_LENGTH * 2 + 1];
@@ -1158,14 +1158,13 @@ dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
if (NULL == key)
return 0;
-
switch (key->xek_type)
{
case DSIG_KEY_3DES:
- memcpy (key_data, key->ki.triple_des.k1, sizeof (des_cblock));
- memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (des_cblock));
- memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (des_cblock));
- key_len = 3 * sizeof (des_cblock);
+ memcpy (key_data, key->ki.triple_des.k1, sizeof (DES_cblock));
+ memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (DES_cblock));
+ memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (DES_cblock));
+ key_len = 3 * sizeof (DES_cblock);
break;
#ifdef AES_ENC_ENABLE
case DSIG_KEY_AES:
@@ -1182,7 +1181,9 @@ dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
default:
return 0;
}
-
+ ctx = HMAC_CTX_new();
+ if (!ctx)
+ return 0;
data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
CATCH_READ_FAIL (ses_in)
@@ -1192,14 +1193,15 @@ dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
FAILED
{
dk_free_box ((box_t) data);
+ HMAC_CTX_free(ctx);
return 0;
}
END_READ_FAIL (ses_in);
- HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha256 ());
- HMAC_Update(&ctx, data, len);
- HMAC_Final(&ctx, md, &hmac_len);
- HMAC_cleanup(&ctx);
+ HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha256 (), NULL);
+ HMAC_Update(ctx, data, len);
+ HMAC_Final(ctx, md, &hmac_len);
+ HMAC_CTX_free(ctx);
if (hmac_len != SHA256_DIGEST_LENGTH)
GPF_T;
@@ -1220,7 +1222,7 @@ dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
int
dsig_hmac_sha256_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t digest)
{
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
unsigned char * data;
unsigned char key_data[3 * 8];
unsigned char md [SHA256_DIGEST_LENGTH + 1];
@@ -1234,10 +1236,10 @@ dsig_hmac_sha256_verify (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
switch (key->xek_type)
{
case DSIG_KEY_3DES:
- memcpy (key_data, key->ki.triple_des.k1, sizeof (des_cblock));
- memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (des_cblock));
- memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (des_cblock));
- key_len = 3 * sizeof (des_cblock);
+ memcpy (key_data, key->ki.triple_des.k1, sizeof (DES_cblock));
+ memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (DES_cblock));
+ memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (DES_cblock));
+ key_len = 3 * sizeof (DES_cblock);
break;
#ifdef AES_ENC_ENABLE
case DSIG_KEY_AES:
@@ -1249,6 +1251,9 @@ dsig_hmac_sha256_verify (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
return 0;
}
+ ctx = HMAC_CTX_new();
+ if (!ctx)
+ return 0;
data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
CATCH_READ_FAIL (ses_in)
@@ -1258,14 +1263,15 @@ dsig_hmac_sha256_verify (dk_session_t * ses_in, long len, xenc_key_t * key, cadd
FAILED
{
dk_free_box ((box_t) data);
+ HMAC_CTX_free(ctx);
return 0;
}
END_READ_FAIL (ses_in);
- HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha256 ());
- HMAC_Update(&ctx, data, len);
- HMAC_Final(&ctx, md, &hmac_len);
- HMAC_cleanup(&ctx);
+ HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha256 (), NULL);
+ HMAC_Update(ctx, data, len);
+ HMAC_Final(ctx, md, &hmac_len);
+ HMAC_CTX_free(ctx);
dk_free_box ((box_t) data);
len1 = xenc_encode_base64 ((char *)md, md64, hmac_len);
@@ -1586,7 +1592,7 @@ int
dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t * sign_out)
{
unsigned char * data;
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
unsigned char key_data[32 * 8];
unsigned char md [SHA_DIGEST_LENGTH + 1];
unsigned char md64 [SHA_DIGEST_LENGTH * 2 + 1];
@@ -1599,10 +1605,10 @@ dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
switch (key->xek_type)
{
case DSIG_KEY_3DES:
- memcpy (key_data, key->ki.triple_des.k1, sizeof (des_cblock));
- memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (des_cblock));
- memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (des_cblock));
- key_len = 3 * sizeof (des_cblock);
+ memcpy (key_data, key->ki.triple_des.k1, sizeof (DES_cblock));
+ memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (DES_cblock));
+ memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (DES_cblock));
+ key_len = 3 * sizeof (DES_cblock);
break;
#ifdef AES_ENC_ENABLE
case DSIG_KEY_AES:
@@ -1620,6 +1626,9 @@ dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
return 0;
}
+ ctx = HMAC_CTX_new();
+ if (!ctx)
+ return 0;
data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
CATCH_READ_FAIL (ses_in)
@@ -1629,14 +1638,15 @@ dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
FAILED
{
dk_free_box ((box_t) data);
+ HMAC_CTX_free(ctx);
return 0;
}
END_READ_FAIL (ses_in);
- HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha1 ());
- HMAC_Update(&ctx, data, len);
- HMAC_Final(&ctx, md, &hmac_len);
- HMAC_cleanup(&ctx);
+ HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha1 (), NULL);
+ HMAC_Update(ctx, data, len);
+ HMAC_Final(ctx, md, &hmac_len);
+ HMAC_CTX_free(ctx);
if (hmac_len != SHA_DIGEST_LENGTH)
GPF_T;
@@ -1657,7 +1667,7 @@ dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
int
dsig_hmac_sha1_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t digest)
{
- HMAC_CTX ctx;
+ HMAC_CTX *ctx;
unsigned char * data;
unsigned char key_data[3 * 8];
unsigned char md [SHA_DIGEST_LENGTH + 1];
@@ -1671,10 +1681,10 @@ dsig_hmac_sha1_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
switch (key->xek_type)
{
case DSIG_KEY_3DES:
- memcpy (key_data, key->ki.triple_des.k1, sizeof (des_cblock));
- memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (des_cblock));
- memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (des_cblock));
- key_len = 3 * sizeof (des_cblock);
+ memcpy (key_data, key->ki.triple_des.k1, sizeof (DES_KEY_SZ));
+ memcpy (key_data + 8, key->ki.triple_des.k2, sizeof (DES_KEY_SZ));
+ memcpy (key_data + 16, key->ki.triple_des.k3, sizeof (DES_KEY_SZ));
+ key_len = 3 * sizeof (DES_KEY_SZ);
break;
#ifdef AES_ENC_ENABLE
case DSIG_KEY_AES:
@@ -1686,6 +1696,9 @@ dsig_hmac_sha1_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
return 0;
}
+ ctx = HMAC_CTX_new();
+ if (!ctx)
+ return 0;
data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
CATCH_READ_FAIL (ses_in)
@@ -1695,14 +1708,15 @@ dsig_hmac_sha1_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_
FAILED
{
dk_free_box ((box_t) data);
+ HMAC_CTX_free(ctx);
return 0;
}
END_READ_FAIL (ses_in);
- HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha1 ());
- HMAC_Update(&ctx, data, len);
- HMAC_Final(&ctx, md, &hmac_len);
- HMAC_cleanup(&ctx);
+ HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha1 (), NULL);
+ HMAC_Update(ctx, data, len);
+ HMAC_Final(ctx, md, &hmac_len);
+ HMAC_CTX_free(ctx);
dk_free_box ((box_t) data);
len1 = xenc_encode_base64 ((char *)md, md64, hmac_len);
@@ -1763,7 +1777,7 @@ int xenc_aes_encryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_o
caddr_t outbuf_beg;
int len;
caddr_t encoded_out;
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx;
unsigned char * ivec = &key->ki.aes.iv[0];
CATCH_READ_FAIL (ses_in)
@@ -1778,7 +1792,7 @@ int xenc_aes_encryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_o
END_READ_FAIL (ses_in);
#if 1
- EVP_CIPHER_CTX_init(&ctx);
+ ctx = EVP_CIPHER_CTX_new();
outbuf_beg = dk_alloc_box (box_length (text) + 16, DV_BIN);
memcpy (outbuf_beg, ivec, 16);
outbuf = outbuf_beg + 16;
@@ -1786,20 +1800,19 @@ int xenc_aes_encryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_o
switch (key->ki.aes.bits)
{
case 128:
- EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->ki.aes.k, ivec);
+ EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key->ki.aes.k, ivec);
break;
case 192:
- EVP_EncryptInit_ex(&ctx, EVP_aes_192_cbc(), NULL, key->ki.aes.k, ivec);
+ EVP_EncryptInit_ex(ctx, EVP_aes_192_cbc(), NULL, key->ki.aes.k, ivec);
break;
case 256:
- EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->ki.aes.k, ivec);
+ EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key->ki.aes.k, ivec);
break;
default:
GPF_T1 ("Unsupported key size");
}
- if(!EVP_EncryptUpdate(&ctx, (unsigned char *)outbuf, &outlen, (unsigned char *)text, box_length (text)))
+ if(!EVP_EncryptUpdate(ctx, (unsigned char *)outbuf, &outlen, (unsigned char *)text, box_length (text)))
{
- EVP_CIPHER_CTX_cleanup(&ctx);
dk_free_box (text);
dk_free_box (outbuf_beg);
xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #2");
@@ -1812,7 +1825,7 @@ int xenc_aes_encryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_o
xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #3");
} */
/* outlen += tmplen; */
- EVP_CIPHER_CTX_cleanup(&ctx);
+ EVP_CIPHER_CTX_free(ctx);
#else
outbuf_beg = dk_alloc_box (box_length (text) + 16 /* iv */, DV_BIN);
@@ -2045,6 +2058,7 @@ xenc_rsa_decryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_out,
int len = 0;
int keysize;
RSA * rsa = key->xek_private_rsa;
+ const BIGNUM *p, *q;
if (!seslen)
{
@@ -2057,9 +2071,9 @@ xenc_rsa_decryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_out,
xenc_report_error (t, 500 + strlen (key->xek_name), XENC_ENC_ERR, "could not make RSA decryption [key %s is not RSA]", key->xek_name);
return 0;
}
+ RSA_get0_factors(rsa, &p, &q);
if (!rsa ||
- !rsa->p ||
- !rsa->q)
+ !p || !q)
{
if (key->xek_x509_KI)
key = xenc_get_key_by_keyidentifier (key->xek_x509_KI, 1);
@@ -2240,13 +2254,13 @@ int xenc_des3_encryptor (dk_session_t * ses_in, long seslen, dk_session_t * ses_
}
- des_ede3_cbc_encrypt ((const unsigned char *)buf,
+ DES_ede3_cbc_encrypt ((const unsigned char *)buf,
(unsigned char *)out_buf,
(long)DES_BLOCK_LEN,
- key->ki.triple_des.ks1,
- key->ki.triple_des.ks2,
- key->ki.triple_des.ks3,
- (des_cblock*) _iv,
+ &key->ki.triple_des.ks1,
+ &key->ki.triple_des.ks2,
+ &key->ki.triple_des.ks3,
+ (DES_cblock*) _iv,
DES_ENCRYPT);
total_blocks++;
@@ -2352,7 +2366,7 @@ int xenc_des3_decryptor (dk_session_t * ses_in_base64, long seslen, dk_session_t
END_READ_FAIL (ses_in);
for (;!failed;)
{
- des_ede3_cbc_encrypt ((const unsigned char *)buf,
+ DES_ede3_cbc_encrypt ((const unsigned char *)buf,
(unsigned char *)out_buf,
(long)DES_BLOCK_LEN,
key->ki.triple_des.ks1,
@@ -2404,7 +2418,7 @@ int xenc_des3_decryptor (dk_session_t * ses_in_base64, long seslen, dk_session_t
char out_buf[DES_BLOCK_LEN + 1];
char *text, *text_beg;
long text_len;
- des_cblock iv;
+ DES_cblock iv;
int blocks;
if (!seslen)
@@ -2440,12 +2454,12 @@ int xenc_des3_decryptor (dk_session_t * ses_in_base64, long seslen, dk_session_t
memcpy (buf, text, DES_BLOCK_LEN);
text += DES_BLOCK_LEN;
- des_ede3_cbc_encrypt ((const unsigned char *)buf,
+ DES_ede3_cbc_encrypt ((const unsigned char *)buf,
(unsigned char *)out_buf,
(long)DES_BLOCK_LEN,
- key->ki.triple_des.ks1,
- key->ki.triple_des.ks2,
- key->ki.triple_des.ks3,
+ &key->ki.triple_des.ks1,
+ &key->ki.triple_des.ks2,
+ &key->ki.triple_des.ks3,
&iv,
DES_DECRYPT);
diff --git a/libsrc/util/sslengine.c b/libsrc/util/sslengine.c
index a0833fa..8cabf9c 100644
--- a/libsrc/util/sslengine.c
+++ b/libsrc/util/sslengine.c
@@ -29,7 +29,11 @@
int
ssl_engine_startup (void)
{
- CRYPTO_malloc_init ();
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ CRYPTO_malloc_init ();
+#else
+ OPENSSL_malloc_init();
+#endif
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
--
2.9.3
Reply to: