Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
xmltooling
0021-CPPXT-110-OpenSSL-1.1-makes-DSA-opaque.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0021-CPPXT-110-OpenSSL-1.1-makes-DSA-opaque.patch of Package xmltooling
From c3693a3bba7b3ec30fb4d6272ab8b2f8224d3175 Mon Sep 17 00:00:00 2001 From: Rod Widdowson <rdw@steadingsoftware.com> Date: Fri, 15 Jul 2016 15:34:22 +0100 Subject: [PATCH 21/31] CPPXT-110 OpenSSL 1.1 makes DSA opaque https://issues.shibboleth.net/jira/browse/CPPXT-110 Add new functions to get the public and private key. Call the new DSA_get0_key function in 1.1 and reach into the structure otherwise. (reapplied - previously backed out in bae0dd53) --- .../security/impl/ExplicitKeyTrustEngine.cpp | 4 +++- xmltooling/security/impl/OpenSSLSupport.cpp | 27 +++++++++++++++++++++- xmltooling/security/impl/OpenSSLSupport.h | 7 ++++++ xmltooling/security/impl/SecurityHelper.cpp | 5 ++-- 4 files changed, 39 insertions(+), 4 deletions(-) diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp index 5f70a70..785d912 100644 --- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp +++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp @@ -34,12 +34,14 @@ #include "signature/Signature.h" #include "signature/SignatureValidator.h" #include "util/NDC.h" +#include "security/impl/OpenSSLSupport.h" #include <xercesc/util/XMLUniDefs.hpp> #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp> #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp> #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp> + using namespace xmlsignature; using namespace xmltooling::logging; using namespace xmltooling; @@ -277,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate( { DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA(); EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE)); - if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) { + if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) { if (evp) EVP_PKEY_free(evp); log.debug("end-entity certificate matches peer DSA key information"); diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp index bedf872..e5d79a7 100644 --- a/xmltooling/security/impl/OpenSSLSupport.cpp +++ b/xmltooling/security/impl/OpenSSLSupport.cpp @@ -29,6 +29,8 @@ #include <openssl/x509_vfy.h> #include <security/impl/OpenSSLSupport.h> +using namespace xmltooling; + X509StoreCtxRAII::X509StoreCtxRAII() : m_context(X509_STORE_CTX_new()) { } @@ -56,7 +58,8 @@ STACK_OF(X509) *X509StoreCtxRAII::get0Chain() { } // the API to set the trusted stack changed in OpenSSL1.1 -void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) { +void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) +{ if (m_context) { #if (OPENSSL_VERSION_NUMBER < 0x10100000L) X509_STORE_CTX_trusted_stack(m_context, sk); @@ -65,3 +68,25 @@ void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) { #endif } } + +BIGNUM *DSA_get0_pubkey(const DSA *dsa) +{ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + return dsa->pub_key; +#else + BIGNUM *result; + DSA_get0_key(dsa, &result, NULL); + return result; +#endif +} + +BIGNUM *DSA_get0_privkey(const DSA *dsa) +{ +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) + return dsa->priv_key; +#else + BIGNUM *result; + DSA_get0_key(dsa, NULL, &result); + return result; +#endif +} diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h index ffaa390..74bd710 100644 --- a/xmltooling/security/impl/OpenSSLSupport.h +++ b/xmltooling/security/impl/OpenSSLSupport.h @@ -33,6 +33,7 @@ # define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted) #endif +namespace xmltooling { // RAII for the now opaque X509_STORE_CTX class X509StoreCtxRAII { @@ -51,3 +52,9 @@ private: X509_STORE_CTX *m_context; }; + + + BIGNUM *DSA_get0_pubkey(const DSA *dsa); + BIGNUM *DSA_get0_privkey(const DSA *dsa); + +} diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp index 0c15f05..bb2f016 100644 --- a/xmltooling/security/impl/SecurityHelper.cpp +++ b/xmltooling/security/impl/SecurityHelper.cpp @@ -30,6 +30,7 @@ #include "security/OpenSSLCryptoX509CRL.h" #include "security/SecurityHelper.h" #include "security/X509Credential.h" +#include "security/impl/OpenSSLSupport.h" #include "soap/HTTPSOAPTransport.h" #include "util/NDC.h" @@ -504,7 +505,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key return false; const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA(); const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA(); - return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0); + return (dsa1 && dsa2 && BN_cmp(DSA_get0_pubkey(dsa1),DSA_get0_pubkey(dsa2)) == 0); } // For a private key, compare the private half. @@ -513,7 +514,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key return false; const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA(); const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA(); - return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0); + return (dsa1 && dsa2 && BN_cmp(DSA_get0_privkey(dsa1),DSA_get0_privkey(dsa2)) == 0); } #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC) -- 2.13.6
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor