Description: Fix FTBFS with openssl 1.1 Author: Sebastian Andrzej Siewior Bug-Debian: https://bugs.debian.org/828594 Forwarded: https://github.com/openlink/virtuoso-opensource/pull/583 Last-Update: Fri, 17 Aug 2018 14:21:44 +0200 (by Andreas Tille ) --- From 823092cccbd8e2ab9bfad6c3d3df791a7ffa76fc Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior Date: Mon, 5 Sep 2016 10:49:54 +0000 Subject: [PATCH] virtuoso-opensource: build against openssl 1.1.0 Signed-off-by: Sebastian Andrzej Siewior --- libsrc/Dk/Dkernel.c | 6 +- libsrc/Wi/bif_crypto.c | 120 ++++++++++-------- libsrc/Wi/http.c | 2 +- libsrc/Wi/xmlenc.c | 319 +++++++++++++++++++++++++++-------------------- libsrc/Wi/xmlenc.h | 193 ++++++++++++++++++++++++++-- libsrc/Wi/xmlenc_algos.c | 132 +++++++++++--------- libsrc/util/sslengine.c | 6 +- 7 files changed, 524 insertions(+), 254 deletions(-) --- a/libsrc/Wi/bif_crypto.c +++ b/libsrc/Wi/bif_crypto.c @@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int unsigned char temp[EVP_MAX_MD_SIZE]; unsigned int size = 0; caddr_t res = NULL; - HMAC_CTX ctx; + HMAC_CTX *ctx; const EVP_MD *md = EVP_sha1 (); if (alg == 1) md = EVP_ripemd160 (); - HMAC_Init (&ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md); - box_hmac_1 (box, &ctx); - HMAC_Final (&ctx, temp, &size); + ctx = HMAC_CTX_new(); + if (!ctx) + return res; + + HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL); + box_hmac_1 (box, ctx); + HMAC_Final (ctx, temp, &size); if (size) { res = dk_alloc_box (size + 1, DV_SHORT_STRING); memcpy (res, temp, size); res[size] = 0; } + HMAC_CTX_free(ctx); return res; } @@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned ch { int ii; - opp = op; - ii = d2i_ASN1_BOOLEAN (NULL, (const unsigned char **)&opp, len + hl); - if (ii < 0) + if (len + hl < 1) { if (BIO_write (bp, "Bad boolean\n", 12)) goto end; } - BIO_printf (bp, "%d", ii); + BIO_printf (bp, "%d", p[0]); } else if (tag == V_ASN1_BMPSTRING) { @@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned ch } if (os != NULL) { - M_ASN1_OCTET_STRING_free (os); + ASN1_STRING_free (os); os = NULL; } } @@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned ch if (BIO_write (bp, "BAD INTEGER", 11) <= 0) goto end; } - M_ASN1_INTEGER_free (bs); + ASN1_STRING_free (bs); } else if (tag == V_ASN1_ENUMERATED) { @@ -479,7 +482,7 @@ asn1_parse_to_xml (BIO * bp, unsigned ch if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0) goto end; } - M_ASN1_ENUMERATED_free (bs); + ASN1_STRING_free (bs); } else if (len > 0 && dump) { @@ -515,7 +518,7 @@ end: if (o != NULL) ASN1_OBJECT_free (o); if (os != NULL) - M_ASN1_OCTET_STRING_free (os); + ASN1_STRING_free (os); *pp = p; return (ret); } @@ -723,7 +726,7 @@ bio_to_strses (BIO * out_bio) int len = BIO_get_mem_data (out_bio, &ptr); int to_read = len, readed = 0; - to_free = ((BUF_MEM *) out_bio->ptr)->data; + to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data; BIO_set_flags (out_bio, BIO_FLAGS_MEM_RDONLY); CATCH_WRITE_FAIL (ses) { @@ -735,7 +738,7 @@ bio_to_strses (BIO * out_bio) } while (to_read > 0); } END_WRITE_FAIL (ses); - ((BUF_MEM *) out_bio->ptr)->data = to_free; + ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free; BIO_clear_flags (out_bio, BIO_FLAGS_MEM_RDONLY); return ses; } @@ -770,7 +773,7 @@ bif_smime_verify (caddr_t * qst, caddr_t if (DV_TYPE_OF (msg) == DV_STRING_SESSION) { in_bio = strses_to_bio ((dk_session_t *) msg); - to_free = ((BUF_MEM *) in_bio->ptr)->data; + to_free = ((BUF_MEM *) BIO_get_data(in_bio))->data; BIO_set_flags (in_bio, BIO_FLAGS_MEM_RDONLY); } else @@ -780,7 +783,7 @@ bif_smime_verify (caddr_t * qst, caddr_t p7 = SMIME_read_PKCS7 (in_bio, &data_bio); if (to_free) { - ((BUF_MEM *) in_bio->ptr)->data = to_free; + ((BUF_MEM *) BIO_get_data(in_bio))->data = to_free; BIO_clear_flags (in_bio, BIO_FLAGS_MEM_RDONLY); } BIO_free (in_bio); @@ -924,16 +927,20 @@ bif_smime_sign (caddr_t * qst, caddr_t * } certs = sk_X509_new_null (); - if (store && store->objs) + + if (store && X509_STORE_get0_objects(store)) { - for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++) + STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store); + + for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++) { - X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx); - if (obj->type == X509_LU_X509) - sk_X509_push (certs, X509_dup (obj->data.x509)); + X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx); + if (X509_OBJECT_get_type(obj) == X509_LU_X509) + sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj))); } } + if (store) X509_STORE_free (store); in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1); @@ -1005,15 +1012,19 @@ bif_smime_encrypt (caddr_t * qst, caddr_ sqlr_new_error ("42000", "CR006", "No recipient certificates"); certs = sk_X509_new_null (); - if (store && store->objs) + + if (store && X509_STORE_get0_objects(store)) { - for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++) + STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store); + + for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++) { - X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx); - if (obj->type == X509_LU_X509) - sk_X509_push (certs, X509_dup (obj->data.x509)); + X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx); + if (X509_OBJECT_get_type(obj) == X509_LU_X509) + sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj))); } } + if (store) X509_STORE_free (store); in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1); @@ -1181,7 +1192,7 @@ x509_certificate_verify_cb (int ok, X509 char *opts = (char *) X509_STORE_CTX_get_app_data (ctx); if (!ok && opts) { - switch (ctx->error) + switch (X509_STORE_CTX_get_error(ctx)) { case X509_V_ERR_CERT_HAS_EXPIRED: if (strstr (opts, "expired")) @@ -1287,7 +1298,7 @@ bif_x509_certificate_verify (caddr_t * q if (!i) { const char *err_str; - err_str = X509_verify_cert_error_string (csc->error); + err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(csc)); *err_ret = srv_make_new_error ("22023", "CR015", "X509 error: %s", err_str); } @@ -1308,20 +1319,16 @@ err_ret: #define VIRT_CERT_EXT "2.16.840.1.1113.1" static caddr_t -BN_box (BIGNUM * x) +BN_box (const BIGNUM *x) { size_t buf_len, n; caddr_t buf; buf_len = (size_t) BN_num_bytes (x); - if (buf_len <= BN_BYTES) - buf = box_num ((unsigned long) x->d[0]); - else - { - buf = dk_alloc_box (buf_len, DV_BIN); - n = BN_bn2bin (x, (unsigned char *) buf); - if (n != buf_len) - GPF_T; - } + /* did not figure out where buf is free()ed */ + buf = dk_alloc_box (buf_len, DV_BIN); + n = BN_bn2bin (x, (unsigned char *) buf); + if (n != buf_len) + GPF_T; return buf; } @@ -1498,7 +1505,7 @@ bif_get_certificate_info (caddr_t * qst, int i; char tmp[1024]; char *ext_oid = (char *) (BOX_ELEMENTS (args) > 4 ? bif_string_arg (qst, args, 4, "get_certificate_info") : VIRT_CERT_EXT); - STACK_OF (X509_EXTENSION) * exts = cert->cert_info->extensions; + const STACK_OF (X509_EXTENSION) * exts = X509_get0_extensions(cert); for (i = 0; i < sk_X509_EXTENSION_num (exts); i++) { X509_EXTENSION *ex = sk_X509_EXTENSION_value (exts, i); @@ -1510,7 +1517,7 @@ bif_get_certificate_info (caddr_t * qst, char *data_ptr; BIO *mem = BIO_new (BIO_s_mem ()); if (!X509V3_EXT_print (mem, ex, 0, 0)) - M_ASN1_OCTET_STRING_print (mem, ex->value); + ASN1_STRING_print (mem, X509_EXTENSION_get_data(ex)); len = BIO_get_mem_data (mem, &data_ptr); if (len > 0 && data_ptr) { @@ -1537,18 +1544,23 @@ bif_get_certificate_info (caddr_t * qst, if (k) { #ifdef EVP_PKEY_RSA - if (k->type == EVP_PKEY_RSA) + if (EVP_PKEY_id(k) == EVP_PKEY_RSA) { - RSA *x = k->pkey.rsa; - ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (x->e), BN_box (x->n)); + const BIGNUM *n, *e; + + RSA_get0_key(EVP_PKEY_get0_RSA(k), &n, &e, NULL); + + ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (e), BN_box (n)); } else #endif #ifdef EVP_PKEY_DSA - if (k->type == EVP_PKEY_DSA) + if (EVP_PKEY_id(k) == EVP_PKEY_DSA) { - DSA *x = k->pkey.dsa; - ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (x->pub_key)); + const BIGNUM *pub_key; + + DSA_get0_key(EVP_PKEY_get0_DSA(k), &pub_key, NULL); + ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (pub_key)); } else #endif @@ -1567,13 +1579,13 @@ bif_get_certificate_info (caddr_t * qst, int n, i, len; char *s, *data_ptr; BIO *mem = BIO_new (BIO_s_mem ()); - for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++) + for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++) { - ne = sk_X509_NAME_ENTRY_value(subj->entries,i); - n = OBJ_obj2nid (ne->object); + ne = X509_NAME_get_entry(subj, i); + n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne)); if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL)) { - i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object); + i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne)); s = buffer; } if (!strcmp (s, attr)) @@ -1582,9 +1594,10 @@ bif_get_certificate_info (caddr_t * qst, break; } } + if (ne_ret) { - ASN1_STRING_print (mem, ne_ret->value); + ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne_ret)); len = BIO_get_mem_data (mem, &data_ptr); if (len > 0 && data_ptr) { @@ -1605,17 +1618,17 @@ bif_get_certificate_info (caddr_t * qst, dk_set_t set = NULL; caddr_t val; BIO *mem = BIO_new (BIO_s_mem ()); - for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++) + for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++) { val = NULL; - ne = sk_X509_NAME_ENTRY_value(subj->entries,i); - n = OBJ_obj2nid (ne->object); + ne = X509_NAME_get_entry(subj, i); + n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne)); if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL)) { - i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object); + i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne)); s = buffer; } - ASN1_STRING_print (mem, ne->value); + ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne)); len = BIO_get_mem_data (mem, &data_ptr); if (len > 0 && data_ptr) { @@ -1629,18 +1642,22 @@ bif_get_certificate_info (caddr_t * qst, } BIO_free (mem); ret = list_to_array (dk_set_nreverse (set)); + break; } case 12: { const unsigned char *s; int i, n; - const ASN1_STRING *sig = cert->signature; - X509_ALGOR *sigalg = cert->sig_alg; + const ASN1_STRING *sig; + const X509_ALGOR *sigalg; + const ASN1_OBJECT *sig_alg_algorithm; char buf[80]; caddr_t val; - i2t_ASN1_OBJECT(buf,sizeof (buf), sigalg->algorithm); + X509_get0_signature(&sig, &sigalg, cert); + X509_ALGOR_get0(&sig_alg_algorithm, NULL, NULL, sigalg); + i2t_ASN1_OBJECT(buf,sizeof (buf), sig_alg_algorithm); n = sig->length; s = sig->data; @@ -1660,11 +1677,11 @@ bif_get_certificate_info (caddr_t * qst, if (k) { #ifdef EVP_PKEY_RSA - if (k->type == EVP_PKEY_RSA) + if (EVP_PKEY_id(k) == EVP_PKEY_RSA) { char *data_ptr; int len; - RSA *x = k->pkey.rsa; + RSA *x = EVP_PKEY_get0_RSA(k); b = BIO_new (BIO_s_mem()); i2d_RSA_PUBKEY_bio (b, x); len = BIO_get_mem_data (b, &data_ptr); --- a/libsrc/Wi/xmlenc.c +++ b/libsrc/Wi/xmlenc.c @@ -1215,36 +1215,45 @@ void xenc_key_remove (xenc_key_t * key, } -static void -genrsa_cb(int p, int n, void *arg) -{ -#ifdef LINT - p=n; -#endif -} - int __xenc_key_rsa_init (char *name) { RSA *rsa = NULL; - int num=1024; - unsigned long f4=RSA_F4; + BIGNUM *bn = NULL; int r; + xenc_key_t * pkey = xenc_get_key_by_name (name, 1); if (NULL == pkey) SQLR_NEW_KEY_ERROR (name); - rsa=RSA_generate_key(num,f4,genrsa_cb,NULL); + rsa = RSA_new(); + if (!rsa) + goto out; + bn = BN_new(); + if (!bn) + goto out; + if (!BN_set_word(bn, RSA_F4)) + goto out; + + if (!RSA_generate_key_ex(rsa, 1024, bn, NULL)) + goto out; + r = RSA_check_key(rsa); + if (r != 1) + goto out; pkey->ki.rsa.pad = RSA_PKCS1_PADDING; - if (rsa == NULL) - { - sqlr_new_error ("42000", "XENC06", - "RSA parameters generation error"); - } pkey->xek_rsa = rsa; pkey->xek_private_rsa = rsa; + BN_free(bn); return 0; +out: + if (bn) + BN_free(bn); + if (rsa) + RSA_free(rsa); + sqlr_new_error ("42000", "XENC06", + "RSA parameters generation error"); + return -1; } @@ -1455,19 +1464,19 @@ xenc_key_t * xenc_key_create_from_x509_c if (pkey) { - switch (EVP_PKEY_type (pkey->type)) + switch (EVP_PKEY_type (EVP_PKEY_id(pkey))) { case EVP_PKEY_DSA: sign_algoname = DSIG_DSA_SHA1_ALGO; enc_algoname = XENC_DSA_ALGO; - dsa = pkey->pkey.dsa; - private_dsa = private_key ? private_key->pkey.dsa : 0; + dsa = EVP_PKEY_get0_DSA(pkey); + private_dsa = private_key ? EVP_PKEY_get0_DSA(private_key) : 0; break; case EVP_PKEY_RSA: sign_algoname = DSIG_RSA_SHA1_ALGO; enc_algoname = XENC_RSA_ALGO; - rsa = pkey->pkey.rsa; - private_rsa = private_key ? private_key->pkey.rsa : 0; + rsa = EVP_PKEY_get0_RSA(pkey); + private_rsa = private_key ? EVP_PKEY_get0_RSA(private_key) : 0; break; default: goto finish; @@ -1516,13 +1525,6 @@ xenc_key_t * xenc_key_create_from_x509_c return k; } -static void dh_cb(int p, int n, void *arg) -{ -#ifdef LINT - p=n; -#endif -} - static /*xenc_key_DSA_create */ caddr_t bif_xenc_key_dsa_create (caddr_t * qst, caddr_t * err_r, state_slot_t ** args) { @@ -1588,15 +1590,21 @@ caddr_t bif_xenc_key_DH_create (caddr_t dh = DH_new (); bn_p = BN_bin2bn ((unsigned char *)mod, p_len, NULL); bn_g = BN_bin2bn (g_bin, 1, NULL); - dh->p = bn_p; - dh->g = bn_g; + if (dh) + DH_set0_pqg(dh, bn_p, NULL, bn_g); dk_free_box (mod_b64); dk_free_box (mod); } else { - dh = DH_generate_parameters (num, g, dh_cb, NULL); + dh = DH_new(); + if (dh) { + if (!DH_generate_parameters_ex(dh, num, g, NULL)) { + DH_free(dh); + dh = NULL; + } + } } if (!dh) { @@ -1626,7 +1634,7 @@ caddr_t bif_xenc_DH_get_params (caddr_t int n, len; caddr_t buf = NULL, ret, b64; DH *dh; - BIGNUM *num; + const BIGNUM *num; mutex_enter (xenc_keys_mtx); key = xenc_get_key_by_name (name, 0); @@ -1641,19 +1649,19 @@ caddr_t bif_xenc_DH_get_params (caddr_t switch (param) { case 1: - num = dh->p; + DH_get0_pqg(dh, &num, NULL, NULL); break; case 2: - num = dh->g; + DH_get0_pqg(dh, NULL, NULL, &num); break; case 3: - num = dh->pub_key; + DH_get0_key(dh, &num, NULL); break; case 4: - num = dh->priv_key; + DH_get0_key(dh, NULL, &num); break; default: - num = dh->pub_key; + DH_get0_key(dh, &num, NULL); } buf_len = (size_t)BN_num_bytes(num); @@ -1811,7 +1819,15 @@ caddr_t bif_xenc_key_rsa_create (caddr_t xenc_key_t * k; caddr_t name = bif_string_arg (qst, args, 0, "xenc_key_RSA_create"); int num = (int) bif_long_arg (qst, args, 1, "xenc_key_RSA_create"); - RSA *rsa = NULL; + RSA *rsa; + BIGNUM *bn; + + rsa = RSA_new(); + bn = BN_new(); + if (!rsa || !bn) + goto out; + if (!BN_set_word(bn, RSA_F4)) + goto out; mutex_enter (xenc_keys_mtx); if (NULL == (k = xenc_key_create (name, XENC_RSA_ALGO , DSIG_RSA_SHA1_ALGO, 0))) @@ -1820,12 +1836,11 @@ caddr_t bif_xenc_key_rsa_create (caddr_t SQLR_NEW_KEY_EXIST_ERROR (name); } - rsa = RSA_generate_key (num, RSA_F4, NULL, NULL); - - if (rsa == NULL) - { - sqlr_new_error ("42000", "XENC06", "RSA generation error"); - } + if (!RSA_generate_key_ex (rsa, num, bn, NULL)) { + mutex_leave (xenc_keys_mtx); + goto out; + } + BN_free(bn); k->xek_rsa = RSAPublicKey_dup (rsa); k->xek_private_rsa = rsa; @@ -1839,6 +1854,13 @@ caddr_t bif_xenc_key_rsa_create (caddr_t mutex_leave (xenc_keys_mtx); return NULL; +out: + if (bn) + BN_free(bn); + if (rsa) + RSA_free(rsa); + sqlr_new_error ("42000", "XENC06", "RSA generation error"); + return NULL; } xenc_key_t * @@ -2034,7 +2056,13 @@ int __xenc_key_dsa_init (char *name, int SQLR_NEW_KEY_ERROR (name); RAND_poll (); - dsa = DSA_generate_parameters(num, NULL, 0, NULL, NULL, dh_cb, NULL); + dsa = DSA_new(); + if (dsa) { + if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, NULL)) { + DSA_free(dsa); + dsa = NULL; + } + } if (dsa == NULL) { sqlr_new_error ("42000", "XENC11", @@ -2058,7 +2086,13 @@ int __xenc_key_dh_init (char *name, int if (NULL == pkey) SQLR_NEW_KEY_ERROR (name); - dh = DH_generate_parameters (num, g, dh_cb, NULL); + dh = DH_new(); + if (dh) { + if (!DH_generate_parameters_ex(dh, num, g, NULL)) { + DH_free(dh); + dh = NULL; + } + } if (!dh) { sqlr_new_error ("42000", "XENC11", @@ -2280,12 +2314,12 @@ bif_xenc_key_rsa_read (caddr_t * qst, ca { in = BIO_new_mem_buf (key_base64, len); pkey = d2i_PUBKEY_bio (in, NULL); - if (pkey && pkey->type == EVP_PKEY_RSA) - p = pkey->pkey.rsa; + if (pkey && EVP_PKEY_id(pkey) == EVP_PKEY_RSA) + p = EVP_PKEY_get0_RSA(pkey); BIO_reset (in); pkkey = d2i_PrivateKey_bio (in, NULL); - if (pkkey && pkkey->type == EVP_PKEY_RSA) - r = pkkey->pkey.rsa; + if (pkkey && EVP_PKEY_id(pkkey) == EVP_PKEY_RSA) + r = EVP_PKEY_get0_RSA(pkkey); BIO_free (in); } else @@ -2304,9 +2338,11 @@ bif_xenc_key_rsa_read (caddr_t * qst, ca if (!p) { + const BIGNUM *n, *e; + + RSA_get0_key(r, &n, &e, NULL); p = RSA_new (); - p->n = BN_dup (r->n); - p->e = BN_dup (r->e); + RSA_set0_key(p, BN_dup(n), BN_dup(e), NULL); } mutex_enter (xenc_keys_mtx); @@ -2355,14 +2391,13 @@ bif_xenc_key_rsa_construct (caddr_t * qs p = RSA_new (); n = BN_bin2bn ((unsigned char *) mod, box_length (mod) - 1, NULL); e = BN_bin2bn ((unsigned char *) exp, box_length (exp) - 1, NULL); - p->n = n; - p->e = e; + RSA_set0_key(p, n, e, NULL); if (pexp) { pk = RSA_new (); - pk->d = BN_bin2bn ((unsigned char *) pexp, box_length (pexp) - 1, NULL); - pk->n = BN_dup (n); - pk->e = BN_dup (e); + RSA_set0_key(p, BN_dup(n), + BN_dup(e), + BN_bin2bn ((unsigned char *) pexp, box_length (pexp) - 1, NULL)); } mutex_enter (xenc_keys_mtx); k = xenc_key_create (name, XENC_RSA_ALGO, DSIG_RSA_SHA1_ALGO, 0); @@ -4086,7 +4121,7 @@ void xenc_tag_free (xenc_tag_t * t) #endif } -xenc_tag_t * xenc_tag_add_child_BN (xenc_tag_t * tag, BIGNUM * bn) +static xenc_tag_t * xenc_tag_add_child_BN (xenc_tag_t * tag, const BIGNUM * bn) { char * buffer = dk_alloc_box (BN_num_bytes (bn), DV_BIN); char * buffer_base64 = dk_alloc_box (box_length (buffer) * 2, DV_STRING); @@ -4111,12 +4146,15 @@ caddr_t ** xenc_generate_ext_info (xenc_ caddr_t ** array; if (key->xek_type == DSIG_KEY_RSA) { + const BIGNUM *rsa_n, *rsa_e; + + RSA_get0_key(key->ki.rsa.rsa_st, &rsa_n, &rsa_e, NULL); xenc_tag_t * rsakeyval = xenc_tag_create (DSIG_URI, ":RSAKeyValue"); xenc_tag_t * rsamodulus = xenc_tag_create (DSIG_URI, ":Modulus"); xenc_tag_t * rsaexponent = xenc_tag_create (DSIG_URI, ":Exponent"); - xenc_tag_add_child_BN (rsamodulus, key->ki.rsa.rsa_st->n); - xenc_tag_add_child_BN (rsaexponent, key->ki.rsa.rsa_st->e); + xenc_tag_add_child_BN (rsamodulus, rsa_n); + xenc_tag_add_child_BN (rsaexponent, rsa_e); xenc_tag_add_child (rsakeyval, xenc_tag_finalize (rsamodulus)); xenc_tag_add_child (rsakeyval, xenc_tag_finalize (rsaexponent)); @@ -4135,12 +4173,15 @@ caddr_t ** xenc_generate_ext_info (xenc_ xenc_tag_t * g = xenc_tag_create (DSIG_URI, ":G"); xenc_tag_t * y = xenc_tag_create (DSIG_URI, ":Y"); DSA * dsa = key->ki.dsa.dsa_st; + const BIGNUM *dsa_p, *dsa_q, *dsa_g, *dsa_pub_key; + DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g); + DSA_get0_key(dsa, &dsa_pub_key, NULL); - xenc_tag_add_child_BN (p, dsa->p); - xenc_tag_add_child_BN (p, dsa->q); - xenc_tag_add_child_BN (p, dsa->g); - xenc_tag_add_child_BN (p, dsa->pub_key); + xenc_tag_add_child_BN (p, dsa_p); + xenc_tag_add_child_BN (p, dsa_q); + xenc_tag_add_child_BN (p, dsa_g); + xenc_tag_add_child_BN (p, dsa_pub_key); xenc_tag_add_child (dsakeyval, xenc_tag_finalize (p)); xenc_tag_add_child (dsakeyval, xenc_tag_finalize (q)); @@ -6187,7 +6228,7 @@ caddr_t xenc_x509_get_key_identifier (X5 ret = dk_alloc_box (ikeyid->length, DV_BIN); memcpy (ret, ikeyid->data, ikeyid->length); - M_ASN1_OCTET_STRING_free(ikeyid); + ASN1_STRING_free(ikeyid); return ret; } @@ -6247,7 +6288,7 @@ bif_x509_get_subject (caddr_t * qst, cad ret = dk_alloc_box (ikeyid->length, DV_BIN); memcpy (ret, ikeyid->data, ikeyid->length); - M_ASN1_OCTET_STRING_free(ikeyid); + ASN1_STRING_free(ikeyid); return ret; } @@ -6806,7 +6847,7 @@ bif_xenc_x509_csr_generate (caddr_t * qs sk_X509_EXTENSION_push(st_exts, ex); } X509_REQ_add_extensions(x, st_exts); - if (!X509_REQ_sign (x, pk, (pk->type == EVP_PKEY_RSA ? EVP_md5() : EVP_dss1()))) + if (!X509_REQ_sign (x, pk, (EVP_PKEY_id(pk) == EVP_PKEY_RSA ? EVP_md5() : EVP_sha1()))) { pk = NULL; /* keep one in the xenc_key */ *err_ret = srv_make_new_error ("42000", "XECXX", "Can not sign certificate : %s", get_ssl_error_text (buf, sizeof (buf))); @@ -6945,17 +6986,17 @@ bif_xenc_x509_from_csr (caddr_t * qst, c *err_ret = srv_make_new_error ("42000", "XECXX", "Can not sign certificate"); goto err; } - switch (EVP_PKEY_type (cli_pk->type)) + switch (EVP_PKEY_type (EVP_PKEY_id(cli_pk))) { case EVP_PKEY_DSA: sign_algoname = DSIG_DSA_SHA1_ALGO; enc_algoname = XENC_DSA_ALGO; - dsa = cli_pk->pkey.dsa; + dsa = EVP_PKEY_get0_DSA(cli_pk); break; case EVP_PKEY_RSA: sign_algoname = DSIG_RSA_SHA1_ALGO; enc_algoname = XENC_RSA_ALGO; - rsa = cli_pk->pkey.rsa; + rsa = EVP_PKEY_get0_RSA(cli_pk); break; default: *err_ret = srv_make_new_error ("42000", "XECXX", "The type of public key is not supported mus tbe RSA or DSA"); @@ -7152,16 +7193,16 @@ bif_xenc_pubkey_pem_export (caddr_t * qs { k = X509_get_pubkey (key->xek_x509); #ifdef EVP_PKEY_RSA - if (k->type == EVP_PKEY_RSA) + if (EVP_PKEY_id(k) == EVP_PKEY_RSA) { - RSA * x = k->pkey.rsa; + RSA *x = EVP_PKEY_get0_RSA(k); PEM_write_bio_RSA_PUBKEY (b, x); } #endif #ifdef EVP_PKEY_DSA - if (k->type == EVP_PKEY_DSA) + if (EVP_PKEY_id(k) == EVP_PKEY_DSA) { - DSA * x = k->pkey.dsa; + DSA * x = EVP_PKEY_get0_DSA(k); PEM_write_bio_DSA_PUBKEY (b, x); } #endif @@ -7208,16 +7249,16 @@ bif_xenc_pubkey_der_export (caddr_t * qs { k = X509_get_pubkey (key->xek_x509); #ifdef EVP_PKEY_RSA - if (k->type == EVP_PKEY_RSA) + if (EVP_PKEY_id(k) == EVP_PKEY_RSA) { - RSA * x = k->pkey.rsa; + RSA * x = EVP_PKEY_get0_RSA(k); i2d_RSA_PUBKEY_bio (b, x); } #endif #ifdef EVP_PKEY_DSA - if (k->type == EVP_PKEY_DSA) + if (EVP_PKEY_id(k) == EVP_PKEY_DSA) { - DSA * x = k->pkey.dsa; + DSA * x = EVP_PKEY_get0_DSA(k); i2d_DSA_PUBKEY_bio (b, x); } #endif @@ -7245,7 +7286,7 @@ err: } static caddr_t -BN2binbox (BIGNUM * x) +BN2binbox (const BIGNUM * x) { size_t buf_len, n; caddr_t buf; @@ -7280,8 +7321,14 @@ static caddr_t xenc_rsa_pub_magic (RSA * x) { caddr_t ret; - caddr_t n = BN2binbox (x->n); /* modulus */ - caddr_t e = BN2binbox (x->e); /* public exponent */ + caddr_t n; + caddr_t e; + const BIGNUM *rsa_n, *rsa_e; + + RSA_get0_key(x, &rsa_n, &rsa_e, NULL); + n = BN2binbox (rsa_n); /* modulus */ + e = BN2binbox (rsa_e); /* public exponent */ + n = xenc_encode_base64_binbox (n, 1); e = xenc_encode_base64_binbox (e, 1); ret = dk_alloc_box (box_length (n) + box_length (e) + 4 /* two dots - one trailing zero + RSA prefix */, DV_STRING); @@ -7306,9 +7353,9 @@ bif_xenc_pubkey_magic_export (caddr_t * { k = X509_get_pubkey (key->xek_x509); #ifdef EVP_PKEY_RSA - if (k->type == EVP_PKEY_RSA) + if (EVP_PKEY_id(k) == EVP_PKEY_RSA) { - RSA * x = k->pkey.rsa; + RSA * x = EVP_PKEY_get0_RSA(k); ret = xenc_rsa_pub_magic (x); } #endif @@ -7349,10 +7396,16 @@ static caddr_t xenc_rsa_pub_ssh_export (RSA * x) { static char * ssh_header = "\x00\x00\x00\x07ssh-rsa"; + const BIGNUM *rsa_n, *rsa_e; caddr_t ret; int len, pos; - caddr_t n = BN2binbox (x->n); /* modulus */ - caddr_t e = BN2binbox (x->e); /* public exponent */ + caddr_t n; + caddr_t e; + + RSA_get0_key(x, &rsa_n, &rsa_e, NULL); + n = BN2binbox (rsa_n); /* modulus */ + e = BN2binbox (rsa_e); /* public exponent */ + len = 11 + 8 + box_length (n) + box_length (e); if (n[0] & 0x80) len ++; @@ -7383,9 +7436,9 @@ bif_xenc_pubkey_ssh_export (caddr_t * qs { k = X509_get_pubkey (key->xek_x509); #ifdef EVP_PKEY_RSA - if (k->type == EVP_PKEY_RSA) + if (EVP_PKEY_id(k) == EVP_PKEY_RSA) { - RSA * x = k->pkey.rsa; + RSA * x = EVP_PKEY_get0_RSA(k); ret = xenc_rsa_pub_ssh_export (x); } #endif @@ -7418,7 +7471,7 @@ bif_xenc_SPKI_read (caddr_t * qst, caddr return NULL; } pk = NETSCAPE_SPKI_get_pubkey (spki); - if (!pk || pk->type != EVP_PKEY_RSA) + if (!pk || EVP_PKEY_id(pk) != EVP_PKEY_RSA) { NETSCAPE_SPKI_free (spki); *err_ret = srv_make_new_error ("42000", "XECXX", "Can not retrieve RSA key"); @@ -7595,14 +7648,14 @@ bif_xenc_x509_ca_certs_list (caddr_t * q sec_check_dba ((QI*)qst, me); in = BIO_new (BIO_s_mem ()); mutex_enter (xenc_keys_mtx); - certs = CA_certs->objs; + certs = X509_STORE_get0_objects(CA_certs); len = sk_X509_OBJECT_num (certs); for (i = 0; i < len; i++) { X509_OBJECT * obj = sk_X509_OBJECT_value (certs, i); - if (obj->type == X509_LU_X509) + if (X509_OBJECT_get_type(obj) == X509_LU_X509) { - X509 *x = obj->data.x509; + X509 *x = X509_OBJECT_get0_X509(obj); caddr_t itm; int blen; BIO_reset (in); --- a/libsrc/Wi/xmlenc.h +++ b/libsrc/Wi/xmlenc.h @@ -38,6 +38,7 @@ #include #include #include +#include #ifdef AES_ENC_ENABLE #include @@ -631,5 +632,183 @@ caddr_t * xml_find_any_child (caddr_t * extern dk_mutex_t * xenc_keys_mtx; +#if OPENSSL_VERSION_NUMBER < 0x10100000 + +static inline HMAC_CTX *HMAC_CTX_new(void) +{ + HMAC_CTX *p; + + p = calloc(1, sizeof(HMAC_CTX)); + if (!p) + return p; + HMAC_CTX_init(p); + return p; +} + +static inline void HMAC_CTX_free(HMAC_CTX *ctx) +{ + HMAC_CTX_cleanup(ctx); + free(ctx); +} + +static inline void RSA_get0_key(const RSA *r, const BIGNUM **n, + const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) + *n = r->n; + if (e != NULL) + *e = r->e; + if (d != NULL) + *d = r->d; +} + +static inline void RSA_get0_factors(const RSA *r, const BIGNUM **p, + const BIGNUM **q) +{ + if (p != NULL) + *p = r->p; + if (q != NULL) + *q = r->q; +} + +static inline RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_RSA) + return NULL; + return pkey->pkey.rsa; +} + +static inline void DH_get0_key(const DH *dh, const BIGNUM **pub_key, + const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = dh->pub_key; + if (priv_key != NULL) + *priv_key = dh->priv_key; +} + + +static inline void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, + const BIGNUM **g) +{ + if (p != NULL) + *p = dh->p; + if (q != NULL) + *q = dh->q; + if (g != NULL) + *g = dh->g; +} + +static inline DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_DSA) + return NULL; + return pkey->pkey.dsa; +} + +static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + /* If the fields p and g in d are NULL, the corresponding input + * parameters MUST be non-NULL. q may remain NULL. + */ + if ((dh->p == NULL && p == NULL) + || (dh->g == NULL && g == NULL)) + return 0; + + if (p != NULL) { + BN_free(dh->p); + dh->p = p; + } + if (q != NULL) { + BN_free(dh->q); + dh->q = q; + } + if (g != NULL) { + BN_free(dh->g); + dh->g = g; + } + + if (q != NULL) { + dh->length = BN_num_bits(q); + } + + return 1; +} + +static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +{ + /* If the fields n and e in r are NULL, the corresponding input + * parameters MUST be non-NULL for n and e. d may be + * left NULL (in case only the public key is used). + */ + if ((r->n == NULL && n == NULL) + || (r->e == NULL && e == NULL)) + return 0; + + if (n != NULL) { + BN_free(r->n); + r->n = n; + } + if (e != NULL) { + BN_free(r->e); + r->e = e; + } + if (d != NULL) { + BN_free(r->d); + r->d = d; + } + + return 1; +} + +static inline void DSA_get0_pqg(const DSA *d, const BIGNUM **p, + const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = d->p; + if (q != NULL) + *q = d->q; + if (g != NULL) + *g = d->g; +} + +static inline void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, + const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = d->pub_key; + if (priv_key != NULL) + *priv_key = d->priv_key; +} + +static inline const STACK_OF(X509_EXTENSION) *X509_get0_extensions(const X509 *x) +{ + return x->cert_info->extensions; +} + +static inline int X509_up_ref(X509 *x) +{ + return CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); +} + +static inline STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v) +{ + return v->objs; +} + +static inline int X509_OBJECT_get_type(const X509_OBJECT *a) +{ + return a->type; +} + +static inline X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) +{ + if (a == NULL || a->type != X509_LU_X509) + return NULL; + return a->data.x509; +} + +#endif + #endif --- a/libsrc/Wi/xmlenc_algos.c +++ b/libsrc/Wi/xmlenc_algos.c @@ -1149,7 +1149,7 @@ int dsig_hmac_sha256_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t * sign_out) { unsigned char * data; - HMAC_CTX ctx; + HMAC_CTX *ctx; unsigned char key_data[32 * 8]; unsigned char md [SHA256_DIGEST_LENGTH + 1]; unsigned char md64 [SHA256_DIGEST_LENGTH * 2 + 1]; @@ -1182,7 +1182,9 @@ dsig_hmac_sha256_digest (dk_session_t * default: return 0; } - + ctx = HMAC_CTX_new(); + if (!ctx) + return 0; data = (unsigned char *) dk_alloc_box (len, DV_C_STRING); CATCH_READ_FAIL (ses_in) @@ -1192,14 +1194,15 @@ dsig_hmac_sha256_digest (dk_session_t * FAILED { dk_free_box ((box_t) data); + HMAC_CTX_free(ctx); return 0; } END_READ_FAIL (ses_in); - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha256 ()); - HMAC_Update(&ctx, data, len); - HMAC_Final(&ctx, md, &hmac_len); - HMAC_cleanup(&ctx); + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha256 (), NULL); + HMAC_Update(ctx, data, len); + HMAC_Final(ctx, md, &hmac_len); + HMAC_CTX_free(ctx); if (hmac_len != SHA256_DIGEST_LENGTH) GPF_T; @@ -1220,7 +1223,7 @@ dsig_hmac_sha256_digest (dk_session_t * int dsig_hmac_sha256_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t digest) { - HMAC_CTX ctx; + HMAC_CTX *ctx; unsigned char * data; unsigned char key_data[3 * 8]; unsigned char md [SHA256_DIGEST_LENGTH + 1]; @@ -1249,6 +1252,9 @@ dsig_hmac_sha256_verify (dk_session_t * return 0; } + ctx = HMAC_CTX_new(); + if (!ctx) + return 0; data = (unsigned char *) dk_alloc_box (len, DV_C_STRING); CATCH_READ_FAIL (ses_in) @@ -1258,14 +1264,15 @@ dsig_hmac_sha256_verify (dk_session_t * FAILED { dk_free_box ((box_t) data); + HMAC_CTX_free(ctx); return 0; } END_READ_FAIL (ses_in); - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha256 ()); - HMAC_Update(&ctx, data, len); - HMAC_Final(&ctx, md, &hmac_len); - HMAC_cleanup(&ctx); + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha256 (), NULL); + HMAC_Update(ctx, data, len); + HMAC_Final(ctx, md, &hmac_len); + HMAC_CTX_free(ctx); dk_free_box ((box_t) data); len1 = xenc_encode_base64 ((char *)md, md64, hmac_len); @@ -1586,7 +1593,7 @@ int dsig_hmac_sha1_digest (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t * sign_out) { unsigned char * data; - HMAC_CTX ctx; + HMAC_CTX *ctx; unsigned char key_data[32 * 8]; unsigned char md [SHA_DIGEST_LENGTH + 1]; unsigned char md64 [SHA_DIGEST_LENGTH * 2 + 1]; @@ -1620,6 +1627,9 @@ dsig_hmac_sha1_digest (dk_session_t * se return 0; } + ctx = HMAC_CTX_new(); + if (!ctx) + return 0; data = (unsigned char *) dk_alloc_box (len, DV_C_STRING); CATCH_READ_FAIL (ses_in) @@ -1629,14 +1639,15 @@ dsig_hmac_sha1_digest (dk_session_t * se FAILED { dk_free_box ((box_t) data); + HMAC_CTX_free(ctx); return 0; } END_READ_FAIL (ses_in); - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha1 ()); - HMAC_Update(&ctx, data, len); - HMAC_Final(&ctx, md, &hmac_len); - HMAC_cleanup(&ctx); + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha1 (), NULL); + HMAC_Update(ctx, data, len); + HMAC_Final(ctx, md, &hmac_len); + HMAC_CTX_free(ctx); if (hmac_len != SHA_DIGEST_LENGTH) GPF_T; @@ -1657,7 +1668,7 @@ dsig_hmac_sha1_digest (dk_session_t * se int dsig_hmac_sha1_verify (dk_session_t * ses_in, long len, xenc_key_t * key, caddr_t digest) { - HMAC_CTX ctx; + HMAC_CTX *ctx; unsigned char * data; unsigned char key_data[3 * 8]; unsigned char md [SHA_DIGEST_LENGTH + 1]; @@ -1686,6 +1697,9 @@ dsig_hmac_sha1_verify (dk_session_t * se return 0; } + ctx = HMAC_CTX_new(); + if (!ctx) + return 0; data = (unsigned char *) dk_alloc_box (len, DV_C_STRING); CATCH_READ_FAIL (ses_in) @@ -1695,14 +1709,15 @@ dsig_hmac_sha1_verify (dk_session_t * se FAILED { dk_free_box ((box_t) data); + HMAC_CTX_free(ctx); return 0; } END_READ_FAIL (ses_in); - HMAC_Init(&ctx, (void*) key_data , key_len, EVP_sha1 ()); - HMAC_Update(&ctx, data, len); - HMAC_Final(&ctx, md, &hmac_len); - HMAC_cleanup(&ctx); + HMAC_Init_ex(ctx, (void*) key_data , key_len, EVP_sha1 (), NULL); + HMAC_Update(ctx, data, len); + HMAC_Final(ctx, md, &hmac_len); + HMAC_CTX_free(ctx); dk_free_box ((box_t) data); len1 = xenc_encode_base64 ((char *)md, md64, hmac_len); @@ -1763,7 +1778,7 @@ int xenc_aes_encryptor (dk_session_t * s caddr_t outbuf_beg; int len; caddr_t encoded_out; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx; unsigned char * ivec = &key->ki.aes.iv[0]; CATCH_READ_FAIL (ses_in) @@ -1778,7 +1793,7 @@ int xenc_aes_encryptor (dk_session_t * s END_READ_FAIL (ses_in); #if 1 - EVP_CIPHER_CTX_init(&ctx); + ctx = EVP_CIPHER_CTX_new(); outbuf_beg = dk_alloc_box (box_length (text) + 16, DV_BIN); memcpy (outbuf_beg, ivec, 16); outbuf = outbuf_beg + 16; @@ -1786,20 +1801,19 @@ int xenc_aes_encryptor (dk_session_t * s switch (key->ki.aes.bits) { case 128: - EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL, key->ki.aes.k, ivec); + EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key->ki.aes.k, ivec); break; case 192: - EVP_EncryptInit_ex(&ctx, EVP_aes_192_cbc(), NULL, key->ki.aes.k, ivec); + EVP_EncryptInit_ex(ctx, EVP_aes_192_cbc(), NULL, key->ki.aes.k, ivec); break; case 256: - EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key->ki.aes.k, ivec); + EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key->ki.aes.k, ivec); break; default: GPF_T1 ("Unsupported key size"); } - if(!EVP_EncryptUpdate(&ctx, (unsigned char *)outbuf, &outlen, (unsigned char *)text, box_length (text))) + if(!EVP_EncryptUpdate(ctx, (unsigned char *)outbuf, &outlen, (unsigned char *)text, box_length (text))) { - EVP_CIPHER_CTX_cleanup(&ctx); dk_free_box (text); dk_free_box (outbuf_beg); xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #2"); @@ -1812,7 +1826,7 @@ int xenc_aes_encryptor (dk_session_t * s xenc_report_error (t, 500, XENC_ENC_ERR, "AES encryption internal error #3"); } */ /* outlen += tmplen; */ - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); #else outbuf_beg = dk_alloc_box (box_length (text) + 16 /* iv */, DV_BIN); @@ -2050,6 +2064,7 @@ xenc_rsa_decryptor (dk_session_t * ses_i int len = 0; int keysize; RSA * rsa = key->xek_private_rsa; + const BIGNUM *p, *q; if (!seslen) { @@ -2062,9 +2077,9 @@ xenc_rsa_decryptor (dk_session_t * ses_i xenc_report_error (t, 500 + strlen (key->xek_name), XENC_ENC_ERR, "could not make RSA decryption [key %s is not RSA]", key->xek_name); return 0; } + RSA_get0_factors(rsa, &p, &q); if (!rsa || - !rsa->p || - !rsa->q) + !p || !q) { if (key->xek_x509_KI) key = xenc_get_key_by_keyidentifier (key->xek_x509_KI, 1); --- a/libsrc/util/sslengine.c +++ b/libsrc/util/sslengine.c @@ -29,7 +29,11 @@ int ssl_engine_startup (void) { - CRYPTO_malloc_init (); +#if OPENSSL_VERSION_NUMBER < 0x10100000 + CRYPTO_malloc_init (); +#else + OPENSSL_malloc_init(); +#endif ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); --- a/libsrc/Wi/http.c +++ b/libsrc/Wi/http.c @@ -8886,7 +8886,7 @@ ssl_server_set_certificate (SSL_CTX* ssl log_error ("SSL: The stored certificate '%s' can not be used as extra chain certificate", tok); break; } - CRYPTO_add(&k->xek_x509->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(k->xek_x509); tok = strtok_r (NULL, ",", &tok_s); } dk_free_box (str); @@ -9949,7 +9949,7 @@ bif_https_renegotiate (caddr_t *qst, cad cli_ssl_get_error_string (err_buf, sizeof (err_buf)); sqlr_new_error ("42000", "..002", "SSL_do_handshake failed %s", err_buf); } - ssl->state = SSL_ST_ACCEPT; + SSL_set_accept_state(ssl); while (SSL_renegotiate_pending (ssl) && ctr < 1000) { timeout_t to = { 0, 1000 }; --- a/libsrc/Dk/Dkernel.c +++ b/libsrc/Dk/Dkernel.c @@ -5280,7 +5280,11 @@ ssl_server_init () } #endif - SSLeay_add_all_algorithms (); +#if OPENSSL_VERSION_NUMBER < 0x10100000 + SSLeay_add_all_algorithms(); +#else + OpenSSL_add_all_algorithms(); +#endif PKCS12_PBE_add (); /* stub */ #ifdef NO_THREAD --- a/configure.ac +++ b/configure.ac @@ -881,17 +881,6 @@ AC_TRY_COMPILE([ ]) AC_MSG_CHECKING([OpenSSL version]) -AC_TRY_COMPILE([ -#include -],[ -#if OPENSSL_VERSION_NUMBER >= 0x1010000fL -#error OpenSSL version too new -#endif - ],[ - AC_MSG_RESULT([< 1.1.0]) - ],[ - AC_MSG_ERROR([OpenSSL version 1.1.0 or greater is currently not supported.]) - ]) AC_MSG_CHECKING([usability of the OpenSSL header files and library in ${openssl_dir}]) AC_TRY_RUN([ --- virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c~ 2018-09-15 23:47:58.000000000 +0200 +++ virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c 2018-09-15 23:52:13.471232310 +0200 @@ -5149,9 +5149,12 @@ ssl_ctx_set_protocol_options(SSL_CTX *ct disable = 1; } +#if defined (SSL_OP_NO_SSLv3) if (!strcasecmp (name, "SSLv3")) opt = SSL_PROTOCOL_SSLV3; - else if (!strcasecmp (name, "TLSv1") || !strcasecmp (name, "TLSv1.0")) + else +#endif + if (!strcasecmp (name, "TLSv1") || !strcasecmp (name, "TLSv1.0")) opt = SSL_PROTOCOL_TLSV1; #if defined (SSL_OP_NO_TLSv1_1) else if (!strcasecmp (name, "TLSv1_1") || !strcasecmp (name, "TLSv1.1")) --- virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c~ 2018-09-15 23:52:48.000000000 +0200 +++ virtuoso-opensource-7.2.5/libsrc/Dk/Dkernel.c 2018-09-15 23:58:57.068780828 +0200 @@ -5087,6 +5087,7 @@ ssl_thread_setup () #define SSL_PROTOCOL_TLSV1 (1<<2) #define SSL_PROTOCOL_TLSV1_1 (1<<3) #define SSL_PROTOCOL_TLSV1_2 (1<<4) +#define SSL_PROTOCOL_TLSV1_3 (1<<5) #if OPENSSL_VERSION_NUMBER >= 0x1000100FL #define SSL_PROTOCOL_ALL (SSL_PROTOCOL_TLSV1_1|SSL_PROTOCOL_TLSV1_2) --- virtuoso-opensource-7.2.5/libsrc/Wi/xmlenc.c~ 2018-09-16 00:08:33.000000000 +0200 +++ virtuoso-opensource-7.2.5/libsrc/Wi/xmlenc.c 2018-09-16 00:20:07.956376505 +0200 @@ -7073,19 +7073,21 @@ bif_xenc_pkcs12_export (caddr_t * qst, c if (export_chain) { int i; - X509_STORE_CTX store_ctx; - X509_STORE_CTX_init (&store_ctx, CA_certs, x, NULL); - if (X509_verify_cert (&store_ctx) > 0) - chain = X509_STORE_CTX_get1_chain (&store_ctx); + X509_STORE_CTX *store_ctx; + store_ctx = EVP_MD_CTX_create(); + if (!X509_STORE_CTX_init (store_ctx, CA_certs, x, NULL)) + goto err; + if (X509_verify_cert (store_ctx) > 0) + chain = X509_STORE_CTX_get1_chain (store_ctx); else { const char *err_str; - err_str = X509_verify_cert_error_string (store_ctx.error); + err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(store_ctx)); *err_ret = srv_make_new_error ("22023", "XENCX", "X509 error: %s", err_str); - X509_STORE_CTX_cleanup (&store_ctx); + X509_STORE_CTX_free (store_ctx); goto err; } - X509_STORE_CTX_cleanup (&store_ctx); + X509_STORE_CTX_free (store_ctx); if (chain) { certs = sk_X509_new_null ();