1 Description: Fix FTBFS with openssl 1.1
2 Author: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
3 Bug-Debian: https://bugs.debian.org/828594
4 Forwarded: https://github.com/openlink/virtuoso-opensource/pull/583
5 Last-Update: Fri, 17 Aug 2018 14:21:44 +0200 (by Andreas Tille <tille@debian.org>)
9 From 823092cccbd8e2ab9bfad6c3d3df791a7ffa76fc Mon Sep 17 00:00:00 2001
10 From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
11 Date: Mon, 5 Sep 2016 10:49:54 +0000
12 Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0
14 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
16 libsrc/Dk/Dkernel.c | 6 +-
17 libsrc/Wi/bif_crypto.c | 120 ++++++++++--------
18 libsrc/Wi/http.c | 2 +-
19 libsrc/Wi/xmlenc.c | 319 +++++++++++++++++++++++++++--------------------
20 libsrc/Wi/xmlenc.h | 193 ++++++++++++++++++++++++++--
21 libsrc/Wi/xmlenc_algos.c | 132 +++++++++++---------
22 libsrc/util/sslengine.c | 6 +-
23 7 files changed, 524 insertions(+), 254 deletions(-)
25 --- a/libsrc/Wi/bif_crypto.c
26 +++ b/libsrc/Wi/bif_crypto.c
27 @@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int
28 unsigned char temp[EVP_MAX_MD_SIZE];
29 unsigned int size = 0;
33 const EVP_MD *md = EVP_sha1 ();
36 md = EVP_ripemd160 ();
38 - HMAC_Init (&ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md);
39 - box_hmac_1 (box, &ctx);
40 - HMAC_Final (&ctx, temp, &size);
41 + ctx = HMAC_CTX_new();
45 + HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL);
46 + box_hmac_1 (box, ctx);
47 + HMAC_Final (ctx, temp, &size);
50 res = dk_alloc_box (size + 1, DV_SHORT_STRING);
51 memcpy (res, temp, size);
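Review bot: The key-length argument carried into the new `HMAC_Init_ex` call, `box_length (key) - DV_STRINGP (key) ? 1 : 0`, parses as `(box_length (key) - DV_STRINGP (key)) ? 1 : 0` because `-` binds tighter than `?:`, so the HMAC is keyed with at most one byte of `key`. The intent looks like dropping the trailing NUL of a string box, which would be `box_length (key) - (DV_STRINGP (key) ? 1 : 0)`. The removed `HMAC_Init` line had the same expression, so this predates the patch, and correcting it changes every MAC the function produces; stored or exchanged values computed with the old length need a compatibility plan. The results of `HMAC_Init_ex` and `HMAC_Final` are also ignored on these lines. box_hmac starts and ends outside the hunk.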
58 @@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned ch
63 - ii = d2i_ASN1_BOOLEAN (NULL, (const unsigned char **)&opp, len + hl);
67 if (BIO_write (bp, "Bad boolean\n", 12))
70 - BIO_printf (bp, "%d", ii);
71 + BIO_printf (bp, "%d", p[0]);
73 else if (tag == V_ASN1_BMPSTRING)
75 @@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned ch
79 - M_ASN1_OCTET_STRING_free (os);
80 + ASN1_STRING_free (os);
84 @@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned ch
85 if (BIO_write (bp, "BAD INTEGER", 11) <= 0)
88 - M_ASN1_INTEGER_free (bs);
89 + ASN1_STRING_free (bs);
91 else if (tag == V_ASN1_ENUMERATED)
93 @@ -479,7 +482,7 @@ asn1_parse_to_xml (BIO * bp, unsigned ch
94 if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0)
97 - M_ASN1_ENUMERATED_free (bs);
98 + ASN1_STRING_free (bs);
100 else if (len > 0 && dump)
102 @@ -515,7 +518,7 @@ end:
104 ASN1_OBJECT_free (o);
106 - M_ASN1_OCTET_STRING_free (os);
107 + ASN1_STRING_free (os);
111 @@ -723,7 +726,7 @@ bio_to_strses (BIO * out_bio)
112 int len = BIO_get_mem_data (out_bio, &ptr);
113 int to_read = len, readed = 0;
115 - to_free = ((BUF_MEM *) out_bio->ptr)->data;
116 + to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data;
117 BIO_set_flags (out_bio, BIO_FLAGS_MEM_RDONLY);
118 CATCH_WRITE_FAIL (ses)
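Review bot: `(BUF_MEM *) BIO_get_data(out_bio)` assumes the memory BIO's private pointer is a `BUF_MEM`, which matched the old `->ptr` field but is an implementation detail; as far as I know OpenSSL 1.1.0 keeps an internal wrapper struct there, so `->data` would read a different field. The supported way to reach the buffer is `BUF_MEM *bm; BIO_get_mem_ptr (out_bio, &bm);`, then save and restore `bm->data`. The same cast appears in the second bio_to_strses hunk and in both bif_smime_verify hunks. The save/restore presumably exists so the BIO later frees the original buffer rather than a pointer advanced by the reads, so this path is worth running under a memory sanitizer with 1.1.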
120 @@ -735,7 +738,7 @@ bio_to_strses (BIO * out_bio)
121 } while (to_read > 0);
123 END_WRITE_FAIL (ses);
124 - ((BUF_MEM *) out_bio->ptr)->data = to_free;
125 + ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free;
126 BIO_clear_flags (out_bio, BIO_FLAGS_MEM_RDONLY);
129 @@ -770,7 +773,7 @@ bif_smime_verify (caddr_t * qst, caddr_t
130 if (DV_TYPE_OF (msg) == DV_STRING_SESSION)
132 in_bio = strses_to_bio ((dk_session_t *) msg);
133 - to_free = ((BUF_MEM *) in_bio->ptr)->data;
134 + to_free = ((BUF_MEM *) BIO_get_data(in_bio))->data;
135 BIO_set_flags (in_bio, BIO_FLAGS_MEM_RDONLY);
138 @@ -780,7 +783,7 @@ bif_smime_verify (caddr_t * qst, caddr_t
139 p7 = SMIME_read_PKCS7 (in_bio, &data_bio);
142 - ((BUF_MEM *) in_bio->ptr)->data = to_free;
143 + ((BUF_MEM *) BIO_get_data(in_bio))->data = to_free;
144 BIO_clear_flags (in_bio, BIO_FLAGS_MEM_RDONLY);
147 @@ -924,16 +927,20 @@ bif_smime_sign (caddr_t * qst, caddr_t *
150 certs = sk_X509_new_null ();
151 - if (store && store->objs)
153 + if (store && X509_STORE_get0_objects(store))
155 - for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
156 + STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
158 + for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
160 - X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
161 - if (obj->type == X509_LU_X509)
162 - sk_X509_push (certs, X509_dup (obj->data.x509));
163 + X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
164 + if (X509_OBJECT_get_type(obj) == X509_LU_X509)
165 + sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
171 X509_STORE_free (store);
172 in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
173 @@ -1005,15 +1012,19 @@ bif_smime_encrypt (caddr_t * qst, caddr_
174 sqlr_new_error ("42000", "CR006", "No recipient certificates");
176 certs = sk_X509_new_null ();
177 - if (store && store->objs)
179 + if (store && X509_STORE_get0_objects(store))
181 - for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
182 + STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
184 + for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
186 - X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
187 - if (obj->type == X509_LU_X509)
188 - sk_X509_push (certs, X509_dup (obj->data.x509));
189 + X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
190 + if (X509_OBJECT_get_type(obj) == X509_LU_X509)
191 + sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
196 X509_STORE_free (store);
197 in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
198 @@ -1181,7 +1192,7 @@ x509_certificate_verify_cb (int ok, X509
199 char *opts = (char *) X509_STORE_CTX_get_app_data (ctx);
202 - switch (ctx->error)
203 + switch (X509_STORE_CTX_get_error(ctx))
205 case X509_V_ERR_CERT_HAS_EXPIRED:
206 if (strstr (opts, "expired"))
207 @@ -1287,7 +1298,7 @@ bif_x509_certificate_verify (caddr_t * q
211 - err_str = X509_verify_cert_error_string (csc->error);
212 + err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(csc));
213 *err_ret = srv_make_new_error ("22023", "CR015", "X509 error: %s", err_str);
216 @@ -1308,20 +1319,16 @@ err_ret:
217 #define VIRT_CERT_EXT "2.16.840.1.1113.1"
221 +BN_box (const BIGNUM *x)
225 buf_len = (size_t) BN_num_bytes (x);
226 - if (buf_len <= BN_BYTES)
227 - buf = box_num ((unsigned long) x->d[0]);
230 - buf = dk_alloc_box (buf_len, DV_BIN);
231 - n = BN_bn2bin (x, (unsigned char *) buf);
235 + /* did not figure out where buf is free()ed */
236 + buf = dk_alloc_box (buf_len, DV_BIN);
237 + n = BN_bn2bin (x, (unsigned char *) buf);
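Review bot: BN_box now always returns a `DV_BIN` box, whereas the removed branch returned `box_num (...)` when the value fit in `BN_BYTES`. This patch passes the RSA exponent and modulus through it in bif_get_certificate_info, so a small exponent that used to come back as a number would now come back as binary, which is a result-type change for SQL callers. Either keep the old shape without touching `x->d`, e.g. `if (buf_len <= BN_BYTES) buf = box_num ((unsigned long) BN_get_word (x));`, or document the change. The added `/* did not figure out where buf is free()ed */` should be replaced by a statement of who owns the returned box once that is confirmed. Only part of the function is visible in the hunk.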
243 @@ -1498,7 +1505,7 @@ bif_get_certificate_info (caddr_t * qst,
246 char *ext_oid = (char *) (BOX_ELEMENTS (args) > 4 ? bif_string_arg (qst, args, 4, "get_certificate_info") : VIRT_CERT_EXT);
247 - STACK_OF (X509_EXTENSION) * exts = cert->cert_info->extensions;
248 + const STACK_OF (X509_EXTENSION) * exts = X509_get0_extensions(cert);
249 for (i = 0; i < sk_X509_EXTENSION_num (exts); i++)
251 X509_EXTENSION *ex = sk_X509_EXTENSION_value (exts, i);
252 @@ -1510,7 +1517,7 @@ bif_get_certificate_info (caddr_t * qst,
254 BIO *mem = BIO_new (BIO_s_mem ());
255 if (!X509V3_EXT_print (mem, ex, 0, 0))
256 - M_ASN1_OCTET_STRING_print (mem, ex->value);
257 + ASN1_STRING_print (mem, X509_EXTENSION_get_data(ex));
258 len = BIO_get_mem_data (mem, &data_ptr);
259 if (len > 0 && data_ptr)
261 @@ -1537,18 +1544,23 @@ bif_get_certificate_info (caddr_t * qst,
265 - if (k->type == EVP_PKEY_RSA)
266 + if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
268 - RSA *x = k->pkey.rsa;
269 - ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (x->e), BN_box (x->n));
270 + const BIGNUM *n, *e;
272 + RSA_get0_key(EVP_PKEY_get0_RSA(k), &n, &e, NULL);
274 + ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (e), BN_box (n));
279 - if (k->type == EVP_PKEY_DSA)
280 + if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
282 - DSA *x = k->pkey.dsa;
283 - ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (x->pub_key));
284 + const BIGNUM *pub_key;
286 + DSA_get0_key(EVP_PKEY_get0_DSA(k), &pub_key, NULL);
287 + ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (pub_key));
291 @@ -1567,13 +1579,13 @@ bif_get_certificate_info (caddr_t * qst,
294 BIO *mem = BIO_new (BIO_s_mem ());
295 - for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
296 + for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
298 - ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
299 - n = OBJ_obj2nid (ne->object);
300 + ne = X509_NAME_get_entry(subj, i);
301 + n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
302 if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL))
304 - i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
305 + i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
308 if (!strcmp (s, attr))
309 @@ -1582,9 +1594,10 @@ bif_get_certificate_info (caddr_t * qst,
316 - ASN1_STRING_print (mem, ne_ret->value);
317 + ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne_ret));
318 len = BIO_get_mem_data (mem, &data_ptr);
319 if (len > 0 && data_ptr)
321 @@ -1605,17 +1618,17 @@ bif_get_certificate_info (caddr_t * qst,
324 BIO *mem = BIO_new (BIO_s_mem ());
325 - for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
326 + for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
329 - ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
330 - n = OBJ_obj2nid (ne->object);
331 + ne = X509_NAME_get_entry(subj, i);
332 + n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
333 if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL))
335 - i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
336 + i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
339 - ASN1_STRING_print (mem, ne->value);
340 + ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne));
341 len = BIO_get_mem_data (mem, &data_ptr);
342 if (len > 0 && data_ptr)
344 @@ -1629,18 +1642,22 @@ bif_get_certificate_info (caddr_t * qst,
347 ret = list_to_array (dk_set_nreverse (set));
353 const unsigned char *s;
355 - const ASN1_STRING *sig = cert->signature;
356 - X509_ALGOR *sigalg = cert->sig_alg;
357 + const ASN1_STRING *sig;
358 + const X509_ALGOR *sigalg;
359 + const ASN1_OBJECT *sig_alg_algorithm;
363 - i2t_ASN1_OBJECT(buf,sizeof (buf), sigalg->algorithm);
364 + X509_get0_signature(&sig, &sigalg, cert);
365 + X509_ALGOR_get0(&sig_alg_algorithm, NULL, NULL, sigalg);
366 + i2t_ASN1_OBJECT(buf,sizeof (buf), sig_alg_algorithm);
370 @@ -1660,11 +1677,11 @@ bif_get_certificate_info (caddr_t * qst,
374 - if (k->type == EVP_PKEY_RSA)
375 + if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
379 - RSA *x = k->pkey.rsa;
380 + RSA *x = EVP_PKEY_get0_RSA(k);
381 b = BIO_new (BIO_s_mem());
382 i2d_RSA_PUBKEY_bio (b, x);
383 len = BIO_get_mem_data (b, &data_ptr);
384 --- a/libsrc/Wi/xmlenc.c
385 +++ b/libsrc/Wi/xmlenc.c
386 @@ -1215,36 +1215,45 @@ void xenc_key_remove (xenc_key_t * key,
391 -genrsa_cb(int p, int n, void *arg)
399 __xenc_key_rsa_init (char *name)
403 - unsigned long f4=RSA_F4;
407 xenc_key_t * pkey = xenc_get_key_by_name (name, 1);
409 SQLR_NEW_KEY_ERROR (name);
411 - rsa=RSA_generate_key(num,f4,genrsa_cb,NULL);
418 + if (!BN_set_word(bn, RSA_F4))
421 + if (!RSA_generate_key_ex(rsa, 1024, bn, NULL))
424 r = RSA_check_key(rsa);
427 pkey->ki.rsa.pad = RSA_PKCS1_PADDING;
430 - sqlr_new_error ("42000", "XENC06",
431 - "RSA parameters generation error");
434 pkey->xek_private_rsa = rsa;
442 + sqlr_new_error ("42000", "XENC06",
443 + "RSA parameters generation error");
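Review bot: `RSA_generate_key_ex(rsa, 1024, bn, NULL)` hard-codes a 1024-bit modulus in __xenc_key_rsa_init, below the 2048-bit minimum that current guidance for RSA expects. The removed call took the size from `num`, whose definition is outside the hunk; if that was already 1024 the weakness predates the patch, but the rewritten line is the place to raise it, e.g. `RSA_generate_key_ex(rsa, 2048, bn, NULL)`. The error exit was moved to the end of the function, and the visible lines do not show whether `bn` and `rsa` are released before `sqlr_new_error`, so that path should be checked as well.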
448 @@ -1455,19 +1464,19 @@ xenc_key_t * xenc_key_create_from_x509_c
452 - switch (EVP_PKEY_type (pkey->type))
453 + switch (EVP_PKEY_type (EVP_PKEY_id(pkey)))
456 sign_algoname = DSIG_DSA_SHA1_ALGO;
457 enc_algoname = XENC_DSA_ALGO;
458 - dsa = pkey->pkey.dsa;
459 - private_dsa = private_key ? private_key->pkey.dsa : 0;
460 + dsa = EVP_PKEY_get0_DSA(pkey);
461 + private_dsa = private_key ? EVP_PKEY_get0_DSA(private_key) : 0;
464 sign_algoname = DSIG_RSA_SHA1_ALGO;
465 enc_algoname = XENC_RSA_ALGO;
466 - rsa = pkey->pkey.rsa;
467 - private_rsa = private_key ? private_key->pkey.rsa : 0;
468 + rsa = EVP_PKEY_get0_RSA(pkey);
469 + private_rsa = private_key ? EVP_PKEY_get0_RSA(private_key) : 0;
473 @@ -1516,13 +1525,6 @@ xenc_key_t * xenc_key_create_from_x509_c
477 -static void dh_cb(int p, int n, void *arg)
484 static /*xenc_key_DSA_create */
485 caddr_t bif_xenc_key_dsa_create (caddr_t * qst, caddr_t * err_r, state_slot_t ** args)
487 @@ -1588,15 +1590,21 @@ caddr_t bif_xenc_key_DH_create (caddr_t
489 bn_p = BN_bin2bn ((unsigned char *)mod, p_len, NULL);
490 bn_g = BN_bin2bn (g_bin, 1, NULL);
494 + DH_set0_pqg(dh, bn_p, NULL, bn_g);
496 dk_free_box (mod_b64);
501 - dh = DH_generate_parameters (num, g, dh_cb, NULL);
504 + if (!DH_generate_parameters_ex(dh, num, g, NULL)) {
512 @@ -1626,7 +1634,7 @@ caddr_t bif_xenc_DH_get_params (caddr_t
514 caddr_t buf = NULL, ret, b64;
519 mutex_enter (xenc_keys_mtx);
520 key = xenc_get_key_by_name (name, 0);
521 @@ -1641,19 +1649,19 @@ caddr_t bif_xenc_DH_get_params (caddr_t
526 + DH_get0_pqg(dh, &num, NULL, NULL);
530 + DH_get0_pqg(dh, NULL, NULL, &num);
534 + DH_get0_key(dh, &num, NULL);
537 - num = dh->priv_key;
538 + DH_get0_key(dh, NULL, &num);
542 + DH_get0_key(dh, &num, NULL);
545 buf_len = (size_t)BN_num_bytes(num);
546 @@ -1811,7 +1819,15 @@ caddr_t bif_xenc_key_rsa_create (caddr_t
548 caddr_t name = bif_string_arg (qst, args, 0, "xenc_key_RSA_create");
549 int num = (int) bif_long_arg (qst, args, 1, "xenc_key_RSA_create");
558 + if (!BN_set_word(bn, RSA_F4))
561 mutex_enter (xenc_keys_mtx);
562 if (NULL == (k = xenc_key_create (name, XENC_RSA_ALGO , DSIG_RSA_SHA1_ALGO, 0)))
563 @@ -1820,12 +1836,11 @@ caddr_t bif_xenc_key_rsa_create (caddr_t
564 SQLR_NEW_KEY_EXIST_ERROR (name);
567 - rsa = RSA_generate_key (num, RSA_F4, NULL, NULL);
571 - sqlr_new_error ("42000", "XENC06", "RSA generation error");
573 + if (!RSA_generate_key_ex (rsa, num, bn, NULL)) {
574 + mutex_leave (xenc_keys_mtx);
579 k->xek_rsa = RSAPublicKey_dup (rsa);
580 k->xek_private_rsa = rsa;
581 @@ -1839,6 +1854,13 @@ caddr_t bif_xenc_key_rsa_create (caddr_t
583 mutex_leave (xenc_keys_mtx);
590 + sqlr_new_error ("42000", "XENC06", "RSA generation error");
595 @@ -2034,7 +2056,13 @@ int __xenc_key_dsa_init (char *name, int
596 SQLR_NEW_KEY_ERROR (name);
599 - dsa = DSA_generate_parameters(num, NULL, 0, NULL, NULL, dh_cb, NULL);
602 + if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, NULL)) {
609 sqlr_new_error ("42000", "XENC11",
610 @@ -2058,7 +2086,13 @@ int __xenc_key_dh_init (char *name, int
612 SQLR_NEW_KEY_ERROR (name);
614 - dh = DH_generate_parameters (num, g, dh_cb, NULL);
617 + if (!DH_generate_parameters_ex(dh, num, g, NULL)) {
624 sqlr_new_error ("42000", "XENC11",
625 @@ -2280,12 +2314,12 @@ bif_xenc_key_rsa_read (caddr_t * qst, ca
627 in = BIO_new_mem_buf (key_base64, len);
628 pkey = d2i_PUBKEY_bio (in, NULL);
629 - if (pkey && pkey->type == EVP_PKEY_RSA)
630 - p = pkey->pkey.rsa;
631 + if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
632 + p = EVP_PKEY_get0_RSA(pkey);
634 pkkey = d2i_PrivateKey_bio (in, NULL);
635 - if (pkkey && pkkey->type == EVP_PKEY_RSA)
636 - r = pkkey->pkey.rsa;
637 + if (pkkey && EVP_PKEY_id(pkkey) == EVP_PKEY_RSA)
638 + r = EVP_PKEY_get0_RSA(pkkey);
642 @@ -2304,9 +2338,11 @@ bif_xenc_key_rsa_read (caddr_t * qst, ca
646 + const BIGNUM *n, *e;
648 + RSA_get0_key(r, &n, &e, NULL);
650 - p->n = BN_dup (r->n);
651 - p->e = BN_dup (r->e);
652 + RSA_set0_key(p, BN_dup(n), BN_dup(e), NULL);
655 mutex_enter (xenc_keys_mtx);
656 @@ -2355,14 +2391,13 @@ bif_xenc_key_rsa_construct (caddr_t * qs
658 n = BN_bin2bn ((unsigned char *) mod, box_length (mod) - 1, NULL);
659 e = BN_bin2bn ((unsigned char *) exp, box_length (exp) - 1, NULL);
662 + RSA_set0_key(p, n, e, NULL);
666 - pk->d = BN_bin2bn ((unsigned char *) pexp, box_length (pexp) - 1, NULL);
667 - pk->n = BN_dup (n);
668 - pk->e = BN_dup (e);
669 + RSA_set0_key(p, BN_dup(n),
671 + BN_bin2bn ((unsigned char *) pexp, box_length (pexp) - 1, NULL));
673 mutex_enter (xenc_keys_mtx);
674 k = xenc_key_create (name, XENC_RSA_ALGO, DSIG_RSA_SHA1_ALGO, 0);
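Review bot: The second `RSA_set0_key` call in bif_xenc_key_rsa_construct is applied to `p`, while the three removed lines filled in `pk->d`, `pk->n` and `pk->e`. As written the private exponent is installed on the public key object and `pk` (assuming it is still created on the line not shown above) is left without any components. The first argument should be `pk`, i.e. the call should begin `RSA_set0_key(pk, BN_dup(n),`. Checking the return value would also catch a failed `BN_dup` or `BN_bin2bn`, since the compat version in xmlenc.h rejects a NULL `n` or `e` when the field is still unset.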
675 @@ -4086,7 +4121,7 @@ void xenc_tag_free (xenc_tag_t * t)
679 -xenc_tag_t * xenc_tag_add_child_BN (xenc_tag_t * tag, BIGNUM * bn)
680 +static xenc_tag_t * xenc_tag_add_child_BN (xenc_tag_t * tag, const BIGNUM * bn)
682 char * buffer = dk_alloc_box (BN_num_bytes (bn), DV_BIN);
683 char * buffer_base64 = dk_alloc_box (box_length (buffer) * 2, DV_STRING);
684 @@ -4111,12 +4146,15 @@ caddr_t ** xenc_generate_ext_info (xenc_
686 if (key->xek_type == DSIG_KEY_RSA)
688 + const BIGNUM *rsa_n, *rsa_e;
690 + RSA_get0_key(key->ki.rsa.rsa_st, &rsa_n, &rsa_e, NULL);
691 xenc_tag_t * rsakeyval = xenc_tag_create (DSIG_URI, ":RSAKeyValue");
692 xenc_tag_t * rsamodulus = xenc_tag_create (DSIG_URI, ":Modulus");
693 xenc_tag_t * rsaexponent = xenc_tag_create (DSIG_URI, ":Exponent");
695 - xenc_tag_add_child_BN (rsamodulus, key->ki.rsa.rsa_st->n);
696 - xenc_tag_add_child_BN (rsaexponent, key->ki.rsa.rsa_st->e);
697 + xenc_tag_add_child_BN (rsamodulus, rsa_n);
698 + xenc_tag_add_child_BN (rsaexponent, rsa_e);
700 xenc_tag_add_child (rsakeyval, xenc_tag_finalize (rsamodulus));
701 xenc_tag_add_child (rsakeyval, xenc_tag_finalize (rsaexponent));
702 @@ -4135,12 +4173,15 @@ caddr_t ** xenc_generate_ext_info (xenc_
703 xenc_tag_t * g = xenc_tag_create (DSIG_URI, ":G");
704 xenc_tag_t * y = xenc_tag_create (DSIG_URI, ":Y");
705 DSA * dsa = key->ki.dsa.dsa_st;
706 + const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key;
708 + DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g);
709 + DSA_get0_key(dsa, &dsa_pub_key, NULL);
711 - xenc_tag_add_child_BN (p, dsa->p);
712 - xenc_tag_add_child_BN (p, dsa->q);
713 - xenc_tag_add_child_BN (p, dsa->g);
714 - xenc_tag_add_child_BN (p, dsa->pub_key);
715 + xenc_tag_add_child_BN (p, dsa_p);
716 + xenc_tag_add_child_BN (p, dsa_q);
717 + xenc_tag_add_child_BN (p, dsa_g);
718 + xenc_tag_add_child_BN (p, dsa_pub_key);
720 xenc_tag_add_child (dsakeyval, xenc_tag_finalize (p));
721 xenc_tag_add_child (dsakeyval, xenc_tag_finalize (q));
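Review bot: All four `xenc_tag_add_child_BN` calls pass the `p` tag, so `dsa_q`, `dsa_g` and `dsa_pub_key` are appended under `p`, while the `q` tag is finalized in the following lines without having received a value (presumably `g` and `y` too). The removed lines had the same first argument, so this predates the patch, but the new lines are where it can be corrected: `xenc_tag_add_child_BN (q, dsa_q);`, `xenc_tag_add_child_BN (g, dsa_g);`, `xenc_tag_add_child_BN (y, dsa_pub_key);`. A DSAKeyValue emitted this way does not give a verifier the parameters in the elements it will read them from.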
722 @@ -6187,7 +6228,7 @@ caddr_t xenc_x509_get_key_identifier (X5
724 ret = dk_alloc_box (ikeyid->length, DV_BIN);
725 memcpy (ret, ikeyid->data, ikeyid->length);
726 - M_ASN1_OCTET_STRING_free(ikeyid);
727 + ASN1_STRING_free(ikeyid);
731 @@ -6247,7 +6288,7 @@ bif_x509_get_subject (caddr_t * qst, cad
733 ret = dk_alloc_box (ikeyid->length, DV_BIN);
734 memcpy (ret, ikeyid->data, ikeyid->length);
735 - M_ASN1_OCTET_STRING_free(ikeyid);
736 + ASN1_STRING_free(ikeyid);
740 @@ -6806,7 +6847,7 @@ bif_xenc_x509_csr_generate (caddr_t * qs
741 sk_X509_EXTENSION_push(st_exts, ex);
743 X509_REQ_add_extensions(x, st_exts);
744 - if (!X509_REQ_sign (x, pk, (pk->type == EVP_PKEY_RSA ? EVP_md5() : EVP_dss1())))
745 + if (!X509_REQ_sign (x, pk, (EVP_PKEY_id(pk) == EVP_PKEY_RSA ? EVP_md5() : EVP_sha1())))
747 pk = NULL; /* keep one in the xenc_key */
748 *err_ret = srv_make_new_error ("42000", "XECXX", "Can not sign certificate : %s", get_ssl_error_text (buf, sizeof (buf)));
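Review bot: The digest passed to `X509_REQ_sign` is still `EVP_md5()` for RSA keys, and the other branch moves from `EVP_dss1()` to `EVP_sha1()`; both hashes have practical collision weaknesses and MD5-signed requests are refused by many CAs. Since the line is being rewritten anyway, one modern digest for both key types would be simpler: `if (!X509_REQ_sign (x, pk, EVP_sha256()))`. If SHA-1 has to stay for compatibility with older DSA consumers, a comment next to the call should say so.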
749 @@ -6945,17 +6986,17 @@ bif_xenc_x509_from_csr (caddr_t * qst, c
750 *err_ret = srv_make_new_error ("42000", "XECXX", "Can not sign certificate");
753 - switch (EVP_PKEY_type (cli_pk->type))
754 + switch (EVP_PKEY_type (EVP_PKEY_id(cli_pk)))
757 sign_algoname = DSIG_DSA_SHA1_ALGO;
758 enc_algoname = XENC_DSA_ALGO;
759 - dsa = cli_pk->pkey.dsa;
760 + dsa = EVP_PKEY_get0_DSA(cli_pk);
763 sign_algoname = DSIG_RSA_SHA1_ALGO;
764 enc_algoname = XENC_RSA_ALGO;
765 - rsa = cli_pk->pkey.rsa;
766 + rsa = EVP_PKEY_get0_RSA(cli_pk);
769 *err_ret = srv_make_new_error ("42000", "XECXX", "The type of public key is not supported mus tbe RSA or DSA");
770 @@ -7152,16 +7193,16 @@ bif_xenc_pubkey_pem_export (caddr_t * qs
772 k = X509_get_pubkey (key->xek_x509);
774 - if (k->type == EVP_PKEY_RSA)
775 + if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
777 - RSA * x = k->pkey.rsa;
778 + RSA *x = EVP_PKEY_get0_RSA(k);
779 PEM_write_bio_RSA_PUBKEY (b, x);
783 - if (k->type == EVP_PKEY_DSA)
784 + if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
786 - DSA * x = k->pkey.dsa;
787 + DSA * x = EVP_PKEY_get0_DSA(k);
788 PEM_write_bio_DSA_PUBKEY (b, x);
791 @@ -7208,16 +7249,16 @@ bif_xenc_pubkey_der_export (caddr_t * qs
793 k = X509_get_pubkey (key->xek_x509);
795 - if (k->type == EVP_PKEY_RSA)
796 + if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
798 - RSA * x = k->pkey.rsa;
799 + RSA * x = EVP_PKEY_get0_RSA(k);
800 i2d_RSA_PUBKEY_bio (b, x);
804 - if (k->type == EVP_PKEY_DSA)
805 + if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
807 - DSA * x = k->pkey.dsa;
808 + DSA * x = EVP_PKEY_get0_DSA(k);
809 i2d_DSA_PUBKEY_bio (b, x);
812 @@ -7245,7 +7286,7 @@ err:
816 -BN2binbox (BIGNUM * x)
817 +BN2binbox (const BIGNUM * x)
821 @@ -7280,8 +7321,14 @@ static caddr_t
822 xenc_rsa_pub_magic (RSA * x)
825 - caddr_t n = BN2binbox (x->n); /* modulus */
826 - caddr_t e = BN2binbox (x->e); /* public exponent */
829 + const BIGNUM *rsa_n, *rsa_e;
831 + RSA_get0_key(x, &rsa_n, &rsa_e, NULL);
832 + n = BN2binbox (rsa_n); /* modulus */
833 + e = BN2binbox (rsa_e); /* public exponent */
835 n = xenc_encode_base64_binbox (n, 1);
836 e = xenc_encode_base64_binbox (e, 1);
837 ret = dk_alloc_box (box_length (n) + box_length (e) + 4 /* two dots - one trailing zero + RSA prefix */, DV_STRING);
838 @@ -7306,9 +7353,9 @@ bif_xenc_pubkey_magic_export (caddr_t *
840 k = X509_get_pubkey (key->xek_x509);
842 - if (k->type == EVP_PKEY_RSA)
843 + if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
845 - RSA * x = k->pkey.rsa;
846 + RSA * x = EVP_PKEY_get0_RSA(k);
847 ret = xenc_rsa_pub_magic (x);
850 @@ -7349,10 +7396,16 @@ static caddr_t
851 xenc_rsa_pub_ssh_export (RSA * x)
853 static char * ssh_header = "\x00\x00\x00\x07ssh-rsa";
854 + const BIGNUM *rsa_n, *rsa_e;
857 - caddr_t n = BN2binbox (x->n); /* modulus */
858 - caddr_t e = BN2binbox (x->e); /* public exponent */
862 + RSA_get0_key(x, &rsa_n, &rsa_e, NULL);
863 + n = BN2binbox (rsa_n); /* modulus */
864 + e = BN2binbox (rsa_e); /* public exponent */
866 len = 11 + 8 + box_length (n) + box_length (e);
869 @@ -7383,9 +7436,9 @@ bif_xenc_pubkey_ssh_export (caddr_t * qs
871 k = X509_get_pubkey (key->xek_x509);
873 - if (k->type == EVP_PKEY_RSA)
874 + if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
876 - RSA * x = k->pkey.rsa;
877 + RSA * x = EVP_PKEY_get0_RSA(k);
878 ret = xenc_rsa_pub_ssh_export (x);
881 @@ -7418,7 +7471,7 @@ bif_xenc_SPKI_read (caddr_t * qst, caddr
884 pk = NETSCAPE_SPKI_get_pubkey (spki);
885 - if (!pk || pk->type != EVP_PKEY_RSA)
886 + if (!pk || EVP_PKEY_id(pk) != EVP_PKEY_RSA)
888 NETSCAPE_SPKI_free (spki);
889 *err_ret = srv_make_new_error ("42000", "XECXX", "Can not retrieve RSA key");
890 @@ -7595,14 +7648,14 @@ bif_xenc_x509_ca_certs_list (caddr_t * q
891 sec_check_dba ((QI*)qst, me);
892 in = BIO_new (BIO_s_mem ());
893 mutex_enter (xenc_keys_mtx);
894 - certs = CA_certs->objs;
895 + certs = X509_STORE_get0_objects(CA_certs);
896 len = sk_X509_OBJECT_num (certs);
897 for (i = 0; i < len; i++)
899 X509_OBJECT * obj = sk_X509_OBJECT_value (certs, i);
900 - if (obj->type == X509_LU_X509)
901 + if (X509_OBJECT_get_type(obj) == X509_LU_X509)
903 - X509 *x = obj->data.x509;
904 + X509 *x = X509_OBJECT_get0_X509(obj);
908 --- a/libsrc/Wi/xmlenc.h
909 +++ b/libsrc/Wi/xmlenc.h
911 #include <openssl/dsa.h>
912 #include <openssl/rsa.h>
913 #include <openssl/des.h>
914 +#include <openssl/hmac.h>
916 #ifdef AES_ENC_ENABLE
917 #include <openssl/aes.h>
918 @@ -631,5 +632,183 @@ caddr_t * xml_find_any_child (caddr_t *
920 extern dk_mutex_t * xenc_keys_mtx;
922 +#if OPENSSL_VERSION_NUMBER < 0x10100000
924 +static inline HMAC_CTX *HMAC_CTX_new(void)
928 + p = calloc(1, sizeof(HMAC_CTX));
935 +static inline void HMAC_CTX_free(HMAC_CTX *ctx)
937 + HMAC_CTX_cleanup(ctx);
941 +static inline void RSA_get0_key(const RSA *r, const BIGNUM **n,
942 + const BIGNUM **e, const BIGNUM **d)
952 +static inline void RSA_get0_factors(const RSA *r, const BIGNUM **p,
961 +static inline RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
963 + if (pkey->type != EVP_PKEY_RSA)
965 + return pkey->pkey.rsa;
968 +static inline void DH_get0_key(const DH *dh, const BIGNUM **pub_key,
969 + const BIGNUM **priv_key)
971 + if (pub_key != NULL)
972 + *pub_key = dh->pub_key;
973 + if (priv_key != NULL)
974 + *priv_key = dh->priv_key;
978 +static inline void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
989 +static inline DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
991 + if (pkey->type != EVP_PKEY_DSA)
993 + return pkey->pkey.dsa;
996 +static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
998 + /* If the fields p and g in d are NULL, the corresponding input
999 + * parameters MUST be non-NULL. q may remain NULL.
1001 + if ((dh->p == NULL && p == NULL)
1002 + || (dh->g == NULL && g == NULL))
1019 + dh->length = BN_num_bits(q);
1025 +static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
1027 + /* If the fields n and e in r are NULL, the corresponding input
1028 + * parameters MUST be non-NULL for n and e. d may be
1029 + * left NULL (in case only the public key is used).
1031 + if ((r->n == NULL && n == NULL)
1032 + || (r->e == NULL && e == NULL))
1051 +static inline void DSA_get0_pqg(const DSA *d, const BIGNUM **p,
1052 + const BIGNUM **q, const BIGNUM **g)
1062 +static inline void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
1063 + const BIGNUM **priv_key)
1065 + if (pub_key != NULL)
1066 + *pub_key = d->pub_key;
1067 + if (priv_key != NULL)
1068 + *priv_key = d->priv_key;
1071 +static inline const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x)
1073 + return x->cert_info->extensions;
1076 +static inline int X509_up_ref(X509 *x)
1078 + return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
1081 +static inline STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v)
1086 +static inline int X509_OBJECT_get_type(const X509_OBJECT *a)
1091 +static inline X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
1093 + if (a == NULL || a->type != X509_LU_X509)
1095 + return a->data.x509;
1102 --- a/libsrc/Wi/xmlenc_algos.c
1103 +++ b/libsrc/Wi/xmlenc_algos.c
1104 @@ -1149,7 +1149,7 @@ int
1105 dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t * sign_out)
1107 unsigned char * data;
1110 unsigned char key_data[32 * 8];
1111 unsigned char md [SHA256_DIGEST_LENGTH + 1];
1112 unsigned char md64 [SHA256_DIGEST_LENGTH * 2 + 1];
1113 @@ -1182,7 +1182,9 @@ dsig_hmac_sha256_digest (dk_session_t *
1118 + ctx = HMAC_CTX_new();
1122 data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
1123 CATCH_READ_FAIL (ses_in)
1124 @@ -1192,14 +1194,15 @@ dsig_hmac_sha256_digest (dk_session_t *
1127 dk_free_box ((box_t) data);
1128 + HMAC_CTX_free(ctx);
1131 END_READ_FAIL (ses_in);
1133 - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha256 ());
1134 - HMAC_Update(&ctx, data, len);
1135 - HMAC_Final(&ctx, md, &hmac_len);
1136 - HMAC_cleanup(&ctx);
1137 + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha256 (), NULL);
1138 + HMAC_Update(ctx, data, len);
1139 + HMAC_Final(ctx, md, &hmac_len);
1140 + HMAC_CTX_free(ctx);
1142 if (hmac_len != SHA256_DIGEST_LENGTH)
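Review bot: The results of `HMAC_Init_ex`, `HMAC_Update` and `HMAC_Final` are ignored, so a failed call may leave `md` and `hmac_len` without a computed value while the function carries on with them. From OpenSSL 1.0.0 on all three return 1 on success, so the sequence can be guarded as `if (!HMAC_Init_ex(ctx, (void*) key_data, key_len, EVP_sha256 (), NULL) || !HMAC_Update(ctx, data, len) || !HMAC_Final(ctx, md, &hmac_len))`, taking the error exit after `HMAC_CTX_free(ctx)`. The same unchecked sequence is added in dsig_hmac_sha256_verify, dsig_hmac_sha1_digest and dsig_hmac_sha1_verify; in the two verify functions no `hmac_len` check is visible before the result is base64-encoded. Whether `ctx` is tested for NULL after `HMAC_CTX_new()` is on lines not shown here.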
1144 @@ -1220,7 +1223,7 @@ dsig_hmac_sha256_digest (dk_session_t *
1146 dsig_hmac_sha256_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t digest)
1150 unsigned char * data;
1151 unsigned char key_data[3 * 8];
1152 unsigned char md [SHA256_DIGEST_LENGTH + 1];
1153 @@ -1249,6 +1252,9 @@ dsig_hmac_sha256_verify (dk_session_t *
1157 + ctx = HMAC_CTX_new();
1161 data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
1162 CATCH_READ_FAIL (ses_in)
1163 @@ -1258,14 +1264,15 @@ dsig_hmac_sha256_verify (dk_session_t *
1166 dk_free_box ((box_t) data);
1167 + HMAC_CTX_free(ctx);
1170 END_READ_FAIL (ses_in);
1172 - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha256 ());
1173 - HMAC_Update(&ctx, data, len);
1174 - HMAC_Final(&ctx, md, &hmac_len);
1175 - HMAC_cleanup(&ctx);
1176 + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha256 (), NULL);
1177 + HMAC_Update(ctx, data, len);
1178 + HMAC_Final(ctx, md, &hmac_len);
1179 + HMAC_CTX_free(ctx);
1180 dk_free_box ((box_t) data);
1182 len1 = xenc_encode_base64 ((char *)md, md64, hmac_len);
1183 @@ -1586,7 +1593,7 @@ int
1184 dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t * sign_out)
1186 unsigned char * data;
1189 unsigned char key_data[32 * 8];
1190 unsigned char md [SHA_DIGEST_LENGTH + 1];
1191 unsigned char md64 [SHA_DIGEST_LENGTH * 2 + 1];
1192 @@ -1620,6 +1627,9 @@ dsig_hmac_sha1_digest (dk_session_t * se
1196 + ctx = HMAC_CTX_new();
1200 data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
1201 CATCH_READ_FAIL (ses_in)
1202 @@ -1629,14 +1639,15 @@ dsig_hmac_sha1_digest (dk_session_t * se
1205 dk_free_box ((box_t) data);
1206 + HMAC_CTX_free(ctx);
1209 END_READ_FAIL (ses_in);
1211 - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha1 ());
1212 - HMAC_Update(&ctx, data, len);
1213 - HMAC_Final(&ctx, md, &hmac_len);
1214 - HMAC_cleanup(&ctx);
1215 + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha1 (), NULL);
1216 + HMAC_Update(ctx, data, len);
1217 + HMAC_Final(ctx, md, &hmac_len);
1218 + HMAC_CTX_free(ctx);
1220 if (hmac_len != SHA_DIGEST_LENGTH)
1222 @@ -1657,7 +1668,7 @@ dsig_hmac_sha1_digest (dk_session_t * se
1224 dsig_hmac_sha1_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t digest)
1228 unsigned char * data;
1229 unsigned char key_data[3 * 8];
1230 unsigned char md [SHA_DIGEST_LENGTH + 1];
1231 @@ -1686,6 +1697,9 @@ dsig_hmac_sha1_verify (dk_session_t * se
1235 + ctx = HMAC_CTX_new();
1239 data = (unsigned char *) dk_alloc_box (len, DV_C_STRING);
1240 CATCH_READ_FAIL (ses_in)
1241 @@ -1695,14 +1709,15 @@ dsig_hmac_sha1_verify (dk_session_t * se
1244 dk_free_box ((box_t) data);
1245 + HMAC_CTX_free(ctx);
1248 END_READ_FAIL (ses_in);
1250 - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha1 ());
1251 - HMAC_Update(&ctx, data, len);
1252 - HMAC_Final(&ctx, md, &hmac_len);
1253 - HMAC_cleanup(&ctx);
1254 + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha1 (), NULL);
1255 + HMAC_Update(ctx, data, len);
1256 + HMAC_Final(ctx, md, &hmac_len);
1257 + HMAC_CTX_free(ctx);
1258 dk_free_box ((box_t) data);
1260 len1 = xenc_encode_base64 ((char *)md, md64, hmac_len);
1261 @@ -1763,7 +1778,7 @@ int xenc_aes_encryptor (dk_session_t * s
1264 caddr_t encoded_out;
1265 - EVP_CIPHER_CTX ctx;
1266 + EVP_CIPHER_CTX *ctx;
1267 unsigned char * ivec = &key->ki.aes.iv[0];
1269 CATCH_READ_FAIL (ses_in)
1270 @@ -1778,7 +1793,7 @@ int xenc_aes_encryptor (dk_session_t * s
1271 END_READ_FAIL (ses_in);
1274 - EVP_CIPHER_CTX_init(&ctx);
1275 + ctx = EVP_CIPHER_CTX_new();
1276 outbuf_beg = dk_alloc_box (box_length (text) + 16, DV_BIN);
1277 memcpy (outbuf_beg, ivec, 16);
1278 outbuf = outbuf_beg + 16;
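Review bot: `ctx = EVP_CIPHER_CTX_new();` is followed directly by the `outbuf_beg` allocation, and the next hunk hands `ctx` to `EVP_EncryptInit_ex` with no NULL check; the old stack object could not fail to exist, the heap allocation can. A guard before the buffer is allocated would do, e.g. `if (!ctx) xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #1");`, where the message text is a placeholder and the call form is the one used in the later hunks. The `EVP_EncryptInit_ex` results are also unchecked. On the `EVP_EncryptUpdate` failure path the old `EVP_CIPHER_CTX_cleanup(&ctx)` is removed and its replacement is not visible, so please confirm `EVP_CIPHER_CTX_free(ctx)` runs before `xenc_report_error` if that call does not return.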
1279 @@ -1786,20 +1801,19 @@ int xenc_aes_encryptor (dk_session_t * s
1280 switch (key->ki.aes.bits)
1283 - EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->ki.aes.k, ivec);
1284 + EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key->ki.aes.k, ivec);
1287 - EVP_EncryptInit_ex(&ctx, EVP_aes_192_cbc(), NULL, key->ki.aes.k, ivec);
1288 + EVP_EncryptInit_ex(ctx, EVP_aes_192_cbc(), NULL, key->ki.aes.k, ivec);
1291 - EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->ki.aes.k, ivec);
1292 + EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key->ki.aes.k, ivec);
1295 GPF_T1 ("Unsupported key size");
1297 - if(!EVP_EncryptUpdate(&ctx, (unsigned char *)outbuf, &outlen, (unsigned char *)text, box_length (text)))
1298 + if(!EVP_EncryptUpdate(ctx, (unsigned char *)outbuf, &outlen, (unsigned char *)text, box_length (text)))
1300 - EVP_CIPHER_CTX_cleanup(&ctx);
1302 dk_free_box (outbuf_beg);
1303 xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #2");
1304 @@ -1812,7 +1826,7 @@ int xenc_aes_encryptor (dk_session_t * s
1305 xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #3");
1307 /* outlen += tmplen; */
1308 - EVP_CIPHER_CTX_cleanup(&ctx);
1309 + EVP_CIPHER_CTX_free(ctx);
1312 outbuf_beg = dk_alloc_box (box_length (text) + 16 /* iv */, DV_BIN);
1313 @@ -2050,6 +2064,7 @@ xenc_rsa_decryptor (dk_session_t * ses_i
1316 RSA * rsa = key->xek_private_rsa;
1317 + const BIGNUM *p, *q;
1321 @@ -2062,9 +2077,9 @@ xenc_rsa_decryptor (dk_session_t * ses_i
1322 xenc_report_error (t, 500 + strlen (key->xek_name), XENC_ENC_ERR, "could not make RSA decryption [key %s is not RSA]", key->xek_name);
1325 + RSA_get0_factors(rsa, &p, &q);
1331 if (key->xek_x509_KI)
1332 key = xenc_get_key_by_keyidentifier (key->xek_x509_KI, 1);
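Review bot: `RSA_get0_factors(rsa, &p, &q)` dereferences `rsa`, which is taken straight from `key->xek_private_rsa`, and no visible line before the call checks it for NULL. If a key without a private RSA part can reach this point, the call is a NULL dereference. A guarded form is `if (rsa) RSA_get0_factors(rsa, &p, &q);`, with the declaration changed to `const BIGNUM *p = NULL, *q = NULL;`. Several lines of this hunk are missing from the listing, so confirm the order of the checks against the full file.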
1333 --- a/libsrc/util/sslengine.c
1334 +++ b/libsrc/util/sslengine.c
1337 ssl_engine_startup (void)
1339 - CRYPTO_malloc_init ();
1340 +#if OPENSSL_VERSION_NUMBER < 0x10100000
1341 + CRYPTO_malloc_init ();
1343 + OPENSSL_malloc_init();
1345 ERR_load_crypto_strings();
1346 OpenSSL_add_all_algorithms();
1348 --- a/libsrc/Wi/http.c
1349 +++ b/libsrc/Wi/http.c
1350 @@ -8886,7 +8886,7 @@ ssl_server_set_certificate (SSL_CTX* ssl
1351 log_error ("SSL: The stored certificate '%s' can not be used as extra chain certificate", tok);
1354 - CRYPTO_add(&k->xek_x509->references, 1, CRYPTO_LOCK_X509);
1355 + X509_up_ref(k->xek_x509);
1356 tok = strtok_r (NULL, ",", &tok_s);
1359 @@ -9949,7 +9949,7 @@ bif_https_renegotiate (caddr_t *qst, cad
1360 cli_ssl_get_error_string (err_buf, sizeof (err_buf));
1361 sqlr_new_error ("42000", "..002", "SSL_do_handshake failed %s", err_buf);
1363 - ssl->state = SSL_ST_ACCEPT;
1364 + SSL_set_accept_state(ssl);
1365 while (SSL_renegotiate_pending (ssl) && ctr < 1000)
1367 timeout_t to = { 0, 1000 };
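Review bot: `SSL_set_accept_state(ssl)` is not a drop-in for the old `ssl->state = SSL_ST_ACCEPT;` assignment. It is documented for putting a connection into server mode before its handshake, and in OpenSSL 1.1.0 it also resets the handshake state machine, so its effect on an established session in the middle of a renegotiation needs to be tested rather than assumed. If the second handshake does not run to completion, code after the loop could act on peer state from before the renegotiation, which matters if the renegotiation is there to request a client certificate. After the loop, test `SSL_renegotiate_pending (ssl)` once more and raise an error through `sqlr_new_error` when it is still set. The loop body and what follows it are outside this hunk.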
1368 --- a/libsrc/Dk/Dkernel.c
1369 +++ b/libsrc/Dk/Dkernel.c
1370 @@ -5280,7 +5280,11 @@ ssl_server_init ()
1374 - SSLeay_add_all_algorithms ();
1375 +#if OPENSSL_VERSION_NUMBER < 0x10100000
1376 + SSLeay_add_all_algorithms();
1378 + OpenSSL_add_all_algorithms();
1380 PKCS12_PBE_add (); /* stub */
1385 @@ -881,17 +881,6 @@ AC_TRY_COMPILE([
1388 AC_MSG_CHECKING([OpenSSL version])
1390 -#include <openssl/opensslv.h>
1392 -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
1393 -#error OpenSSL version too new
1396 - AC_MSG_RESULT([< 1.1.0])
1398 - AC_MSG_ERROR([OpenSSL version 1.1.0 or greater is currently not supported.])
1401 AC_MSG_CHECKING([usability of the OpenSSL header files and library in ${openssl_dir}])
1403 --- virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c~ 2018-09-15 23:47:58.000000000 +0200
1404 +++ virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c 2018-09-15 23:52:13.471232310 +0200
1405 @@ -5149,9 +5149,12 @@ ssl_ctx_set_protocol_options(SSL_CTX *ct
1409 +#if defined (SSL_OP_NO_SSLv3)
1410 if (!strcasecmp (name, "SSLv3"))
1411 opt = SSL_PROTOCOL_SSLV3;
1412 - else if (!strcasecmp (name, "TLSv1") || !strcasecmp (name, "TLSv1.0"))
1415 + if (!strcasecmp (name, "TLSv1") || !strcasecmp (name, "TLSv1.0"))
1416 opt = SSL_PROTOCOL_TLSV1;
1417 #if defined (SSL_OP_NO_TLSv1_1)
1418 else if (!strcasecmp (name, "TLSv1_1") || !strcasecmp (name, "TLSv1.1"))
1419 --- virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c~ 2018-09-15 23:52:48.000000000 +0200
1420 +++ virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c 2018-09-15 23:58:57.068780828 +0200
1421 @@ -5087,6 +5087,7 @@ ssl_thread_setup ()
1422 #define SSL_PROTOCOL_TLSV1 (1<<2)
1423 #define SSL_PROTOCOL_TLSV1_1 (1<<3)
1424 #define SSL_PROTOCOL_TLSV1_2 (1<<4)
1425 +#define SSL_PROTOCOL_TLSV1_3 (1<<5)
1427 #if OPENSSL_VERSION_NUMBER >= 0x1000100FL
1428 #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2)
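Review bot: `SSL_PROTOCOL_TLSV1_3` is defined here, but the `SSL_PROTOCOL_ALL` definition just below still lists only TLSv1.1 and TLSv1.2. If the option parser turns bits missing from the mask into `SSL_OP_NO_*` flags (not visible in this hunk), the default "ALL" setting would leave TLS 1.3 switched off. Consider `#define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2|SSL_PROTOCOL_TLSV1_3)` under a guard on `SSL_OP_NO_TLSv1_3`. The rest of the `#if` block is outside the hunk.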
1429 --- virtuoso-opensource-7.2.5/libsrc/Wi/xmlenc.c~ 2018-09-16 00:08:33.000000000 +0200
1430 +++ virtuoso-opensource-7.2.5/libsrc/Wi/xmlenc.c 2018-09-16 00:20:07.956376505 +0200
1431 @@ -7073,19 +7073,21 @@ bif_xenc_pkcs12_export (caddr_t * qst, c
1435 - X509_STORE_CTX store_ctx;
1436 - X509_STORE_CTX_init (&store_ctx, CA_certs, x, NULL);
1437 - if (X509_verify_cert (&store_ctx) > 0)
1438 - chain = X509_STORE_CTX_get1_chain (&store_ctx);
1439 + X509_STORE_CTX *store_ctx;
1440 + store_ctx = EVP_MD_CTX_create();
1441 + if (!X509_STORE_CTX_init (store_ctx, CA_certs, x, NULL))
1443 + if (X509_verify_cert (store_ctx) > 0)
1444 + chain = X509_STORE_CTX_get1_chain (store_ctx);
1447 const char *err_str;
1448 - err_str = X509_verify_cert_error_string (store_ctx.error);
1449 + err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(store_ctx));
1450 *err_ret = srv_make_new_error ("22023", "XENCX", "X509 error: %s", err_str);
1451 - X509_STORE_CTX_cleanup (&store_ctx);
1452 + X509_STORE_CTX_free (store_ctx);
1455 - X509_STORE_CTX_cleanup (&store_ctx);
1456 + X509_STORE_CTX_free (store_ctx);
1459 certs = sk_X509_new_null ();
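Review bot: `store_ctx = EVP_MD_CTX_create();` allocates a message-digest context, not an `X509_STORE_CTX`. The pointer is then handed to `X509_STORE_CTX_init`, `X509_verify_cert`, `X509_STORE_CTX_get_error` and `X509_STORE_CTX_free`, which all treat it as a different structure, so certificate chain verification would run on mis-typed heap memory. The allocation should be `store_ctx = X509_STORE_CTX_new();`, followed by a NULL check before `X509_STORE_CTX_init`. One added line after the `X509_STORE_CTX_init` test is missing from this listing, so also confirm that its failure path frees `store_ctx`.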