File 0004-CPPXT-110-OpenSSL-1.1-makes-EVP_PKEY-opaqu... of Package xmltooling.29631

Overview Repositories Revisions Requests Users Attributes Meta

File 0004-CPPXT-110-OpenSSL-1.1-makes-EVP_PKEY-opaque.patch of Package xmltooling.29631

From 2c621579b639fa15f24589b2fbd5eeff72bd052f Mon Sep 17 00:00:00 2001
From: Rod Widdowson <rdw@steadingsoftware.com>
Date: Fri, 15 Jul 2016 17:18:25 +0100
Subject: [PATCH 04/31] CPPXT-110 OpenSSL 1.1 makes EVP_PKEY opaque

https://issues.shibboleth.net/jira/browse/CPPXT-110

The type field is available as EVP_PKEY_id() since 1.0
The RSA and DSA fields are availble as EVP_PKEY_get0_[RD]SA from 1.1

Add support macros to make that happen.
---
 .../security/impl/ExplicitKeyTrustEngine.cpp       |  6 ++--
 xmltooling/security/impl/OpenSSLSupport.cpp        | 33 ++++++++++++++++++++++
 xmltooling/security/impl/OpenSSLSupport.h          | 15 ++++++++--
 xmltooling/security/impl/SecurityHelper.cpp        |  8 +++---
 4 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 785d912..a4a5dd2 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -263,8 +263,8 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (rsa && evp && evp->type == EVP_PKEY_RSA &&
-                            BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
+                    if (rsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA &&
+                            BN_cmp(RSA_get0_n(rsa),RSA_get0_n(EVP_PKEY_get0_RSA(evp))) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(EVP_PKEY_get0_RSA(evp))) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer RSA key information");
@@ -279,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) {
+                    if (dsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(EVP_PKEY_get0_DSA(evp))) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer DSA key information");
diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp
index d2e2a92..a936173 100644
--- a/xmltooling/security/impl/OpenSSLSupport.cpp
+++ b/xmltooling/security/impl/OpenSSLSupport.cpp
@@ -90,3 +90,36 @@ BIGNUM *DSA_get0_privkey(const DSA *dsa)
     return result;
 #endif
 }
+
+BIGNUM *RSA_get0_n(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->n;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, &result, NULL, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *RSA_get0_e(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->e;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, NULL, &result, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *RSA_get0_d(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->d;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, NULL, NULL, &result);
+    return result;
+#endif
+}
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index 74bd710..7519091 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -29,8 +29,15 @@
 // X509_STORE_CTX becomes opaque
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#   define X509_STORE_CTX_get0_cert(ctx) (ctx->cert)
-#   define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted)
+#   define X509_STORE_CTX_get0_cert(_ctx_) ((_ctx_)->cert)
+#   define X509_STORE_CTX_get0_untrusted(_ctx_) ((_ctx_)->untrusted)
+
+#   define EVP_PKEY_get0_DSA(_pkey_) ((_pkey_)->pkey.dsa)
+#   define EVP_PKEY_get0_RSA(_pkey_) ((_pkey_)->pkey.rsa)
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
+#   define EVP_PKEY_id(_evp_) ((_evp_)->type)
 #endif
 
 namespace xmltooling {
@@ -57,4 +64,8 @@ namespace xmltooling {
     BIGNUM *DSA_get0_pubkey(const DSA *dsa);
     BIGNUM *DSA_get0_privkey(const DSA *dsa);
 
+    BIGNUM *RSA_get0_n(const RSA *rsa);
+    BIGNUM *RSA_get0_d(const RSA *rsa);
+    BIGNUM *RSA_get0_e(const RSA *rsa);
+
 }
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index bb2f016..e53ed8d 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -206,7 +206,7 @@ XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char*
     // Now map it to an XSEC wrapper.
     if (pkey) {
         XSECCryptoKey* ret=nullptr;
-        switch (pkey->type) {
+        switch (EVP_PKEY_id(pkey)) {
             case EVP_PKEY_RSA:
                 ret=new OpenSSLCryptoKeyRSA(pkey);
                 break;
@@ -487,7 +487,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
         const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
+        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_e(rsa1),RSA_get0_e(rsa2)) == 0);
     }
 
     // For a private key, compare the private half.
@@ -496,7 +496,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
         const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
+        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);
     }
 
     // If one key is public or both, just compare the public key half.
@@ -790,7 +790,7 @@ XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long bu
         // Now map it to an XSEC wrapper.
         XSECCryptoKey* ret = nullptr;
         try {
-            switch (pkey->type) {
+            switch (EVP_PKEY_id(pkey)) {
                 case EVP_PKEY_RSA:
                     ret = new OpenSSLCryptoKeyRSA(pkey);
                     break;
-- 
2.13.6

Places

File 0004-CPPXT-110-OpenSSL-1.1-makes-EVP_PKEY-opaque.patch of Package xmltooling.29631

Places