Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Backports:SLE-15
libqca-qt5
0003-Add-support-for-OpenSSL-1.1.0.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0003-Add-support-for-OpenSSL-1.1.0.patch of Package libqca-qt5
From 32bab34def80e08ca0b0d3a75f521369a8ee9ff0 Mon Sep 17 00:00:00 2001 From: Fabian Vogt <fabian@ritter-vogt.de> Date: Sat, 16 Dec 2017 22:29:40 +0100 Subject: [PATCH 3/3] Add support for OpenSSL 1.1.0 Test Plan: Ran the testsuite with OpenSSL 1.1.0g and 1.0.2j, all passed. Using this code with kdeconnect and okteta successfully on my system now. Reviewers: iromanov Differential Revision: https://phabricator.kde.org/D9416 --- plugins/qca-ossl/ossl110-compat.h | 283 ++++++++++++++++++ plugins/qca-ossl/qca-ossl.cpp | 587 +++++++++++++++++++++++++------------- unittest/tls/tlsunittest.cpp | 35 +-- 3 files changed, 687 insertions(+), 218 deletions(-) create mode 100644 plugins/qca-ossl/ossl110-compat.h diff --git a/plugins/qca-ossl/ossl110-compat.h b/plugins/qca-ossl/ossl110-compat.h new file mode 100644 index 0000000..ec15475 --- /dev/null +++ b/plugins/qca-ossl/ossl110-compat.h @@ -0,0 +1,283 @@ +/* + * Copyright (C) 2017 Gabriel Souza Franco <gabrielfrancosouza@gmail.com> + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + * + */ + +#ifndef OSSL110COMPAT_H +#define OSSL110COMPAT_H + +#include <openssl/evp.h> +#include <openssl/hmac.h> +#include <openssl/rsa.h> +#include <openssl/dsa.h> + +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define RSA_F_RSA_METH_DUP 161 + +static void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +{ + if (pr) + *pr = sig->r; + if (ps) + *ps = sig->s; +} + +static int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (!sig) return 0; + sig->r = r; + sig->s = s; + return 1; +} + +static void DSA_get0_pqg(const DSA *dsa, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p) + *p = dsa->p; + if (q) + *q = dsa->q; + if (g) + *g = dsa->g; +} + +static int DSA_set0_pqg(DSA *dsa, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + if (!dsa) return 0; + dsa->p = p; + dsa->q = q; + dsa->g = g; + return 1; +} + +static void RSA_get0_key(const RSA *rsa, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if (n) + *n = rsa->n; + if (e) + *e = rsa->e; + if (d) + *d = rsa->d; +} + +static int RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d) +{ + if (!rsa) return 0; + rsa->n = n; + rsa->e = e; + rsa->d = d; + return 1; +} + +static void RSA_get0_factors(const RSA *rsa, const BIGNUM **p, const BIGNUM **q) +{ + if (p) + *p = rsa->p; + if (q) + *q = rsa->q; +} + +static int RSA_set0_factors(RSA *rsa, BIGNUM *p, BIGNUM *q) +{ + if (!rsa) return 0; + rsa->p = p; + rsa->q = q; + return 1; +} + +static void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p) + *p = dh->p; + if (q) + *q = dh->q; + if (g) + *g = dh->g; +} + +static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + if (!dh) return 0; + dh->p = p; + dh->q = q; + dh->g = g; + return 1; +} + +static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key) + *pub_key = dh->pub_key; + if (priv_key) + *priv_key = dh->priv_key; +} + +static int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) +{ + if (!dh) return 0; + dh->pub_key = pub_key; + dh->priv_key = priv_key; + return 1; +} + +static void DSA_get0_key(const DSA *dsa, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key) + *pub_key = dsa->pub_key; + if (priv_key) + *priv_key = dsa->priv_key; +} + +static int DSA_set0_key(DSA *dsa, BIGNUM *pub_key, BIGNUM *priv_key) +{ + if (!dsa) return 0; + dsa->pub_key = pub_key; + dsa->priv_key = priv_key; + return 1; +} + +static void X509_SIG_getm(const X509_SIG *sig, X509_ALGOR **palg, ASN1_OCTET_STRING **pdigest) +{ + if (palg) + *palg = sig->algor; + if (pdigest) + *pdigest = sig->digest; +} + +static void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg) +{ + if (psig) + *psig = req->signature; + if (palg) + *palg = req->sig_alg; +} + +static void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig, const X509_ALGOR **palg) +{ + if (psig) + *psig = crl->signature; + if (palg) + *palg = crl->sig_alg; +} + +static RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth) +{ + if (!meth) + return NULL; + + RSA_METHOD *_meth = (RSA_METHOD *) OPENSSL_malloc(sizeof(*_meth)); + + if (!_meth) + { + RSAerr(RSA_F_RSA_METH_DUP, ERR_R_MALLOC_FAILURE); + return NULL; + } + + memcpy(_meth, meth, sizeof(*_meth)); + _meth->name = strdup(meth->name); + if (!_meth->name) { + OPENSSL_free(_meth); + RSAerr(RSA_F_RSA_METH_DUP, ERR_R_MALLOC_FAILURE); + return NULL; + } + + return _meth; +} + +static int RSA_meth_set_priv_enc(RSA_METHOD *rsa, int (*priv_enc) (int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding)) +{ + if (!rsa) return 0; + rsa->rsa_priv_enc = priv_enc; + return 1; +} + +static int RSA_meth_set_priv_dec(RSA_METHOD *rsa, int (*priv_dec) (int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding)) +{ + if (!rsa) return 0; + rsa->rsa_priv_dec = priv_dec; + return 1; +} + +static int RSA_meth_set_sign(RSA_METHOD *meth, int (*sign) (int type, const unsigned char *m, + unsigned int m_length, unsigned char *sigret, unsigned int *siglen, const RSA *rsa)) +{ + if (!meth) return 0; + meth->rsa_sign = sign; + return 1; +} + +static int RSA_meth_set_verify(RSA_METHOD *meth, int (*verify) (int dtype, const unsigned char *m, + unsigned int m_length, const unsigned char *sigbuf, unsigned int siglen, const RSA *rsa)) +{ + if (!meth) return 0; + meth->rsa_verify = verify; + return 1; +} + +static int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) +{ + if (!meth) return 0; + meth->finish = finish; + return 1; +} + +static HMAC_CTX *HMAC_CTX_new() +{ + HMAC_CTX *ctx = (HMAC_CTX *) OPENSSL_malloc(sizeof(HMAC_CTX)); + if (ctx) + HMAC_CTX_init(ctx); + return ctx; +} + +static void HMAC_CTX_free(HMAC_CTX *ctx) +{ + if (!ctx) + return; + HMAC_CTX_cleanup(ctx); + EVP_MD_CTX_cleanup(&ctx->i_ctx); + EVP_MD_CTX_cleanup(&ctx->o_ctx); + EVP_MD_CTX_cleanup(&ctx->md_ctx); + OPENSSL_free(ctx); +} + +#define ASN1_STRING_get0_data(...) (const unsigned char*)ASN1_STRING_data(__VA_ARGS__) + +#define EVP_MD_CTX_new(...) EVP_MD_CTX_create(__VA_ARGS__) +#define EVP_MD_CTX_free(...) EVP_MD_CTX_destroy(__VA_ARGS__) + +#define EVP_PKEY_up_ref(pkey) CRYPTO_add(&(pkey)->references, 1, CRYPTO_LOCK_EVP_PKEY) +#define X509_up_ref(cert) CRYPTO_add(&(cert)->references, 1, CRYPTO_LOCK_X509) +#define X509_CRL_up_ref(crl) CRYPTO_add(&(crl)->references, 1, CRYPTO_LOCK_X509_CRL) + +#define EVP_PKEY_id(pky) (pky)->type +#define EVP_PKEY_get0_DSA(pky) (pky)->pkey.dsa +#define EVP_PKEY_get0_RSA(pky) (pky)->pkey.rsa +#define EVP_PKEY_get0_DH(pky) (pky)->pkey.dh + +#define X509_CRL_get0_lastUpdate X509_CRL_get_lastUpdate +#define X509_CRL_get0_nextUpdate X509_CRL_get_nextUpdate + +#define X509_REQ_get_signature_nid(req) OBJ_obj2nid((req)->sig_alg->algorithm) +#define X509_CRL_get_signature_nid(crl) OBJ_obj2nid((crl)->sig_alg->algorithm) + +#define X509_REVOKED_get0_serialNumber(rev) (rev)->serialNumber +#define X509_REVOKED_get0_revocationDate(rev) (rev)->revocationDate + +#endif // OPENSSL_VERSION_NUMBER < 0x10100000L + +#endif // OSSL110COMPAT_H diff --git a/plugins/qca-ossl/qca-ossl.cpp b/plugins/qca-ossl/qca-ossl.cpp index f0b9431..3bbbfdc 100644 --- a/plugins/qca-ossl/qca-ossl.cpp +++ b/plugins/qca-ossl/qca-ossl.cpp @@ -1,6 +1,7 @@ /* * Copyright (C) 2004-2007 Justin Karneges <justin@affinix.com> * Copyright (C) 2004-2006 Brad Hards <bradh@frogmouth.net> + * Copyright (C) 2017 Fabian Vogt <fabian@ritter-vogt.de> * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -38,6 +39,8 @@ #include <openssl/pkcs12.h> #include <openssl/ssl.h> +#include "ossl110-compat.h" + #ifndef OSSL_097 // comment this out if you'd rather use openssl 0.9.6 #define OSSL_097 @@ -52,6 +55,16 @@ ((_STACK*) (1 ? p : (type*)0)) #endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + #define OSSL_110 +#endif + +// OpenSSL 1.1.0 compatibility macros +#ifdef OSSL_110 +#define M_ASN1_IA5STRING_new() ASN1_IA5STRING_new() +#define RSA_F_RSA_EAY_PRIVATE_DECRYPT RSA_F_RSA_OSSL_PRIVATE_DECRYPT +#endif + using namespace QCA; namespace opensslQCAPlugin { @@ -93,7 +106,7 @@ static QByteArray bio2ba(BIO *b) return buf; } -static BigInteger bn2bi(BIGNUM *n) +static BigInteger bn2bi(const BIGNUM *n) { SecureArray buf(BN_num_bytes(n) + 1); buf[0] = 0; // positive @@ -109,7 +122,7 @@ static BIGNUM *bi2bn(const BigInteger &n) // take lowest bytes of BIGNUM to fit // pad with high byte zeroes to fit -static SecureArray bn2fixedbuf(BIGNUM *n, int size) +static SecureArray bn2fixedbuf(const BIGNUM *n, int size) { SecureArray buf(BN_num_bytes(n)); BN_bn2bin(n, (unsigned char *)buf.data()); @@ -127,8 +140,11 @@ static SecureArray dsasig_der_to_raw(const SecureArray &in) const unsigned char *inp = (const unsigned char *)in.data(); d2i_DSA_SIG(&sig, &inp, in.size()); - SecureArray part_r = bn2fixedbuf(sig->r, 20); - SecureArray part_s = bn2fixedbuf(sig->s, 20); + const BIGNUM *bnr, *bns; + DSA_SIG_get0(sig, &bnr, &bns); + + SecureArray part_r = bn2fixedbuf(bnr, 20); + SecureArray part_s = bn2fixedbuf(bns, 20); SecureArray result; result.append(part_r); result.append(part_s); @@ -143,12 +159,16 @@ static SecureArray dsasig_raw_to_der(const SecureArray &in) return SecureArray(); DSA_SIG *sig = DSA_SIG_new(); - SecureArray part_r(20); - SecureArray part_s(20); + SecureArray part_r(20); BIGNUM *bnr; + SecureArray part_s(20); BIGNUM *bns; memcpy(part_r.data(), in.data(), 20); memcpy(part_s.data(), in.data() + 20, 20); - sig->r = BN_bin2bn((const unsigned char *)part_r.data(), part_r.size(), NULL); - sig->s = BN_bin2bn((const unsigned char *)part_s.data(), part_s.size(), NULL); + bnr = BN_bin2bn((const unsigned char *)part_r.data(), part_r.size(), NULL); + bns = BN_bin2bn((const unsigned char *)part_s.data(), part_s.size(), NULL); + + if(DSA_SIG_set0(sig, bnr, bns) == 0) + return SecureArray(); + // Not documented what happens in the failure case, free bnr and bns? int len = i2d_DSA_SIG(sig, NULL); SecureArray result(len); @@ -1004,29 +1024,39 @@ public: opensslHashContext(const EVP_MD *algorithm, Provider *p, const QString &type) : HashContext(p, type) { m_algorithm = algorithm; - EVP_DigestInit( &m_context, m_algorithm ); + m_context = EVP_MD_CTX_new(); + EVP_DigestInit( m_context, m_algorithm ); + } + + opensslHashContext(const opensslHashContext &other) + : HashContext(other) + { + m_algorithm = other.m_algorithm; + m_context = EVP_MD_CTX_new(); + EVP_MD_CTX_copy_ex(m_context, other.m_context); } ~opensslHashContext() { - EVP_MD_CTX_cleanup(&m_context); + EVP_MD_CTX_free(m_context); } void clear() { - EVP_MD_CTX_cleanup(&m_context); - EVP_DigestInit( &m_context, m_algorithm ); + EVP_MD_CTX_free(m_context); + m_context = EVP_MD_CTX_new(); + EVP_DigestInit( m_context, m_algorithm ); } void update(const MemoryRegion &a) { - EVP_DigestUpdate( &m_context, (unsigned char*)a.data(), a.size() ); + EVP_DigestUpdate( m_context, (unsigned char*)a.data(), a.size() ); } MemoryRegion final() { SecureArray a( EVP_MD_size( m_algorithm ) ); - EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 ); + EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 ); return a; } @@ -1037,7 +1067,7 @@ public: protected: const EVP_MD *m_algorithm; - EVP_MD_CTX m_context; + EVP_MD_CTX *m_context; }; @@ -1047,7 +1077,21 @@ public: opensslPbkdf1Context(const EVP_MD *algorithm, Provider *p, const QString &type) : KDFContext(p, type) { m_algorithm = algorithm; - EVP_DigestInit( &m_context, m_algorithm ); + m_context = EVP_MD_CTX_new(); + EVP_DigestInit( m_context, m_algorithm ); + } + + opensslPbkdf1Context(const opensslPbkdf1Context &other) + : KDFContext(other) + { + m_algorithm = other.m_algorithm; + m_context = EVP_MD_CTX_new(); + EVP_MD_CTX_copy(m_context, other.m_context); + } + + ~opensslPbkdf1Context() + { + EVP_MD_CTX_free(m_context); } Provider::Context *clone() const @@ -1081,16 +1125,16 @@ public: DK = Tc<0..dkLen-1> */ // calculate T_1 - EVP_DigestUpdate( &m_context, (unsigned char*)secret.data(), secret.size() ); - EVP_DigestUpdate( &m_context, (unsigned char*)salt.data(), salt.size() ); + EVP_DigestUpdate( m_context, (unsigned char*)secret.data(), secret.size() ); + EVP_DigestUpdate( m_context, (unsigned char*)salt.data(), salt.size() ); SecureArray a( EVP_MD_size( m_algorithm ) ); - EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 ); + EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 ); // calculate T_2 up to T_c for ( unsigned int i = 2; i <= iterationCount; ++i ) { - EVP_DigestInit( &m_context, m_algorithm ); - EVP_DigestUpdate( &m_context, (unsigned char*)a.data(), a.size() ); - EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 ); + EVP_DigestInit( m_context, m_algorithm ); + EVP_DigestUpdate( m_context, (unsigned char*)a.data(), a.size() ); + EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 ); } // shrink a to become DK, of the required length @@ -1136,19 +1180,19 @@ public: DK = Tc<0..dkLen-1> */ // calculate T_1 - EVP_DigestUpdate( &m_context, (unsigned char*)secret.data(), secret.size() ); - EVP_DigestUpdate( &m_context, (unsigned char*)salt.data(), salt.size() ); + EVP_DigestUpdate( m_context, (unsigned char*)secret.data(), secret.size() ); + EVP_DigestUpdate( m_context, (unsigned char*)salt.data(), salt.size() ); SecureArray a( EVP_MD_size( m_algorithm ) ); - EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 ); + EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 ); // calculate T_2 up to T_c *iterationCount = 2 - 1; // <- Have to remove 1, unless it computes one timer.start(); // ^ time more than the base function // ^ with the same iterationCount while (timer.elapsed() < msecInterval) { - EVP_DigestInit( &m_context, m_algorithm ); - EVP_DigestUpdate( &m_context, (unsigned char*)a.data(), a.size() ); - EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 ); + EVP_DigestInit( m_context, m_algorithm ); + EVP_DigestUpdate( m_context, (unsigned char*)a.data(), a.size() ); + EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 ); ++(*iterationCount); } @@ -1163,7 +1207,7 @@ public: protected: const EVP_MD *m_algorithm; - EVP_MD_CTX m_context; + EVP_MD_CTX *m_context; }; class opensslPbkdf2Context : public KDFContext @@ -1231,12 +1275,28 @@ public: opensslHMACContext(const EVP_MD *algorithm, Provider *p, const QString &type) : MACContext(p, type) { m_algorithm = algorithm; - HMAC_CTX_init( &m_context ); + m_context = HMAC_CTX_new(); +#ifndef OSSL_110 + HMAC_CTX_init( m_context ); +#endif + } + + opensslHMACContext(const opensslHMACContext &other) + : MACContext(other) + { + m_algorithm = other.m_algorithm; + m_context = HMAC_CTX_new(); + HMAC_CTX_copy(m_context, other.m_context); + } + + ~opensslHMACContext() + { + HMAC_CTX_free(m_context); } void setup(const SymmetricKey &key) { - HMAC_Init_ex( &m_context, key.data(), key.size(), m_algorithm, 0 ); + HMAC_Init_ex( m_context, key.data(), key.size(), m_algorithm, 0 ); } KeyLength keyLength() const @@ -1246,14 +1306,18 @@ public: void update(const MemoryRegion &a) { - HMAC_Update( &m_context, (unsigned char *)a.data(), a.size() ); + HMAC_Update( m_context, (unsigned char *)a.data(), a.size() ); } void final(MemoryRegion *out) { SecureArray sa( EVP_MD_size( m_algorithm ), 0 ); - HMAC_Final(&m_context, (unsigned char *)sa.data(), 0 ); - HMAC_CTX_cleanup(&m_context); + HMAC_Final(m_context, (unsigned char *)sa.data(), 0 ); +#ifdef OSSL_110 + HMAC_CTX_reset(m_context); +#else + HMAC_CTX_cleanup(m_context); +#endif *out = sa; } @@ -1263,7 +1327,7 @@ public: } protected: - HMAC_CTX m_context; + HMAC_CTX *m_context; const EVP_MD *m_algorithm; }; @@ -1277,7 +1341,7 @@ class EVPKey public: enum State { Idle, SignActive, SignError, VerifyActive, VerifyError }; EVP_PKEY *pkey; - EVP_MD_CTX mdctx; + EVP_MD_CTX *mdctx; State state; bool raw_type; SecureArray raw; @@ -1287,19 +1351,23 @@ public: pkey = 0; raw_type = false; state = Idle; + mdctx = EVP_MD_CTX_new(); } EVPKey(const EVPKey &from) { pkey = from.pkey; - CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY); + EVP_PKEY_up_ref(pkey); raw_type = false; state = Idle; + mdctx = EVP_MD_CTX_new(); + EVP_MD_CTX_copy(mdctx, from.mdctx); } ~EVPKey() { reset(); + EVP_MD_CTX_free(mdctx); } void reset() @@ -1322,8 +1390,8 @@ public: else { raw_type = false; - EVP_MD_CTX_init(&mdctx); - if(!EVP_SignInit_ex(&mdctx, type, NULL)) + EVP_MD_CTX_init(mdctx); + if(!EVP_SignInit_ex(mdctx, type, NULL)) state = SignError; } } @@ -1339,8 +1407,8 @@ public: else { raw_type = false; - EVP_MD_CTX_init(&mdctx); - if(!EVP_VerifyInit_ex(&mdctx, type, NULL)) + EVP_MD_CTX_init(mdctx); + if(!EVP_VerifyInit_ex(mdctx, type, NULL)) state = VerifyError; } } @@ -1352,7 +1420,7 @@ public: if (raw_type) raw += in; else - if(!EVP_SignUpdate(&mdctx, in.data(), (unsigned int)in.size())) + if(!EVP_SignUpdate(mdctx, in.data(), (unsigned int)in.size())) state = SignError; } else if(state == VerifyActive) @@ -1360,7 +1428,7 @@ public: if (raw_type) raw += in; else - if(!EVP_VerifyUpdate(&mdctx, in.data(), (unsigned int)in.size())) + if(!EVP_VerifyUpdate(mdctx, in.data(), (unsigned int)in.size())) state = VerifyError; } } @@ -1373,17 +1441,20 @@ public: unsigned int len = out.size(); if (raw_type) { - if (pkey->type == EVP_PKEY_RSA) + int type = EVP_PKEY_id(pkey); + + if (type == EVP_PKEY_RSA) { + RSA *rsa = EVP_PKEY_get0_RSA(pkey); if(RSA_private_encrypt (raw.size(), (unsigned char *)raw.data(), - (unsigned char *)out.data(), pkey->pkey.rsa, + (unsigned char *)out.data(), rsa, RSA_PKCS1_PADDING) == -1) { state = SignError; return SecureArray (); } } - else if (pkey->type == EVP_PKEY_DSA) + else if (type == EVP_PKEY_DSA) { state = SignError; return SecureArray (); @@ -1395,7 +1466,7 @@ public: } } else { - if(!EVP_SignFinal(&mdctx, (unsigned char *)out.data(), &len, pkey)) + if(!EVP_SignFinal(mdctx, (unsigned char *)out.data(), &len, pkey)) { state = SignError; return SecureArray(); @@ -1418,16 +1489,19 @@ public: SecureArray out(EVP_PKEY_size(pkey)); int len = 0; - if (pkey->type == EVP_PKEY_RSA) { + int type = EVP_PKEY_id(pkey); + + if (type == EVP_PKEY_RSA) { + RSA *rsa = EVP_PKEY_get0_RSA(pkey); if((len = RSA_public_decrypt (sig.size(), (unsigned char *)sig.data(), - (unsigned char *)out.data (), pkey->pkey.rsa, + (unsigned char *)out.data (), rsa, RSA_PKCS1_PADDING)) == -1) { state = VerifyError; return false; } } - else if (pkey->type == EVP_PKEY_DSA) + else if (type == EVP_PKEY_DSA) { state = VerifyError; return false; @@ -1447,7 +1521,7 @@ public: } else { - if(EVP_VerifyFinal(&mdctx, (unsigned char *)sig.data(), (unsigned int)sig.size(), pkey) != 1) + if(EVP_VerifyFinal(mdctx, (unsigned char *)sig.data(), (unsigned int)sig.size(), pkey) != 1) { state = VerifyError; return false; @@ -1561,9 +1635,11 @@ static bool make_dlgroup(const QByteArray &seed, int bits, int counter, DLParams return false; if(ret_counter != counter) return false; - params->p = bn2bi(dsa->p); - params->q = bn2bi(dsa->q); - params->g = bn2bi(dsa->g); + const BIGNUM *bnp, *bnq, *bng; + DSA_get0_pqg(dsa, &bnp, &bnq, &bng); + params->p = bn2bi(bnp); + params->q = bn2bi(bnq); + params->g = bn2bi(bng); DSA_free(dsa); return true; } @@ -1826,10 +1902,11 @@ public: return; // extract the public key into DER format - int len = i2d_RSAPublicKey(evp.pkey->pkey.rsa, NULL); + RSA *rsa_pkey = EVP_PKEY_get0_RSA(evp.pkey); + int len = i2d_RSAPublicKey(rsa_pkey, NULL); SecureArray result(len); unsigned char *p = (unsigned char *)result.data(); - i2d_RSAPublicKey(evp.pkey->pkey.rsa, &p); + i2d_RSAPublicKey(rsa_pkey, &p); p = (unsigned char *)result.data(); // put the DER public key back into openssl @@ -1852,7 +1929,7 @@ public: virtual int maximumEncryptSize(EncryptionAlgorithm alg) const { - RSA *rsa = evp.pkey->pkey.rsa; + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); int size = 0; switch(alg) { @@ -1867,7 +1944,7 @@ public: virtual SecureArray encrypt(const SecureArray &in, EncryptionAlgorithm alg) { - RSA *rsa = evp.pkey->pkey.rsa; + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); SecureArray buf = in; int max = maximumEncryptSize(alg); @@ -1900,7 +1977,7 @@ public: virtual bool decrypt(const SecureArray &in, SecureArray *out, EncryptionAlgorithm alg) { - RSA *rsa = evp.pkey->pkey.rsa; + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); SecureArray result(RSA_size(rsa)); int pad; @@ -2021,14 +2098,10 @@ public: evp.reset(); RSA *rsa = RSA_new(); - rsa->n = bi2bn(n); - rsa->e = bi2bn(e); - rsa->p = bi2bn(p); - rsa->q = bi2bn(q); - rsa->d = bi2bn(d); - - if(!rsa->n || !rsa->e || !rsa->p || !rsa->q || !rsa->d) + if(RSA_set0_key(rsa, bi2bn(n), bi2bn(e), bi2bn(d)) == 0 + || RSA_set0_factors(rsa, bi2bn(p), bi2bn(q)) == 0) { + // Free BIGNUMS? RSA_free(rsa); return; } @@ -2036,7 +2109,7 @@ public: // When private key has no Public Exponent (e) or Private Exponent (d) // need to disable blinding. Otherwise decryption will be broken. // http://www.mail-archive.com/openssl-users@openssl.org/msg63530.html - if(BN_is_zero(rsa->e) || BN_is_zero(rsa->d)) + if(e == BigInteger(0) || d == BigInteger(0)) RSA_blinding_off(rsa); evp.pkey = EVP_PKEY_new(); @@ -2049,10 +2122,7 @@ public: evp.reset(); RSA *rsa = RSA_new(); - rsa->n = bi2bn(n); - rsa->e = bi2bn(e); - - if(!rsa->n || !rsa->e) + if(RSA_set0_key(rsa, bi2bn(n), bi2bn(e), NULL) == 0) { RSA_free(rsa); return; @@ -2065,27 +2135,42 @@ public: virtual BigInteger n() const { - return bn2bi(evp.pkey->pkey.rsa->n); + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); + const BIGNUM *bnn; + RSA_get0_key(rsa, &bnn, NULL, NULL); + return bn2bi(bnn); } virtual BigInteger e() const { - return bn2bi(evp.pkey->pkey.rsa->e); + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); + const BIGNUM *bne; + RSA_get0_key(rsa, NULL, &bne, NULL); + return bn2bi(bne); } virtual BigInteger p() const { - return bn2bi(evp.pkey->pkey.rsa->p); + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); + const BIGNUM *bnp; + RSA_get0_factors(rsa, &bnp, NULL); + return bn2bi(bnp); } virtual BigInteger q() const { - return bn2bi(evp.pkey->pkey.rsa->q); + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); + const BIGNUM *bnq; + RSA_get0_factors(rsa, NULL, &bnq); + return bn2bi(bnq); } virtual BigInteger d() const { - return bn2bi(evp.pkey->pkey.rsa->d); + RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey); + const BIGNUM *bnd; + RSA_get0_key(rsa, NULL, NULL, &bnd); + return bn2bi(bnd); } private slots: @@ -2134,10 +2219,12 @@ public: virtual void run() { DSA *dsa = DSA_new(); - dsa->p = bi2bn(domain.p()); - dsa->q = bi2bn(domain.q()); - dsa->g = bi2bn(domain.g()); - if(!DSA_generate_key(dsa)) + BIGNUM *pne = bi2bn(domain.p()), + *qne = bi2bn(domain.q()), + *gne = bi2bn(domain.g()); + + if(!DSA_set0_pqg(dsa, pne, qne, gne) + || !DSA_generate_key(dsa)) { DSA_free(dsa); return; @@ -2212,10 +2299,11 @@ public: return; // extract the public key into DER format - int len = i2d_DSAPublicKey(evp.pkey->pkey.dsa, NULL); + DSA *dsa_pkey = EVP_PKEY_get0_DSA(evp.pkey); + int len = i2d_DSAPublicKey(dsa_pkey, NULL); SecureArray result(len); unsigned char *p = (unsigned char *)result.data(); - i2d_DSAPublicKey(evp.pkey->pkey.dsa, &p); + i2d_DSAPublicKey(dsa_pkey, &p); p = (unsigned char *)result.data(); // put the DER public key back into openssl @@ -2244,7 +2332,7 @@ public: else transformsig = false; - evp.startSign(EVP_dss1()); + evp.startSign(EVP_sha1()); } virtual void startVerify(SignatureAlgorithm, SignatureFormat format) @@ -2255,7 +2343,7 @@ public: else transformsig = false; - evp.startVerify(EVP_dss1()); + evp.startVerify(EVP_sha1()); } virtual void update(const MemoryRegion &in) @@ -2305,13 +2393,14 @@ public: evp.reset(); DSA *dsa = DSA_new(); - dsa->p = bi2bn(domain.p()); - dsa->q = bi2bn(domain.q()); - dsa->g = bi2bn(domain.g()); - dsa->pub_key = bi2bn(y); - dsa->priv_key = bi2bn(x); + BIGNUM *bnp = bi2bn(domain.p()); + BIGNUM *bnq = bi2bn(domain.q()); + BIGNUM *bng = bi2bn(domain.g()); + BIGNUM *bnpub_key = bi2bn(y); + BIGNUM *bnpriv_key = bi2bn(x); - if(!dsa->p || !dsa->q || !dsa->g || !dsa->pub_key || !dsa->priv_key) + if(!DSA_set0_pqg(dsa, bnp, bnq, bng) + || !DSA_set0_key(dsa, bnpub_key, bnpriv_key)) { DSA_free(dsa); return; @@ -2327,12 +2416,13 @@ public: evp.reset(); DSA *dsa = DSA_new(); - dsa->p = bi2bn(domain.p()); - dsa->q = bi2bn(domain.q()); - dsa->g = bi2bn(domain.g()); - dsa->pub_key = bi2bn(y); + BIGNUM *bnp = bi2bn(domain.p()); + BIGNUM *bnq = bi2bn(domain.q()); + BIGNUM *bng = bi2bn(domain.g()); + BIGNUM *bnpub_key = bi2bn(y); - if(!dsa->p || !dsa->q || !dsa->g || !dsa->pub_key) + if(!DSA_set0_pqg(dsa, bnp, bnq, bng) + || !DSA_set0_key(dsa, bnpub_key, NULL)) { DSA_free(dsa); return; @@ -2345,17 +2435,26 @@ public: virtual DLGroup domain() const { - return DLGroup(bn2bi(evp.pkey->pkey.dsa->p), bn2bi(evp.pkey->pkey.dsa->q), bn2bi(evp.pkey->pkey.dsa->g)); + DSA *dsa = EVP_PKEY_get0_DSA(evp.pkey); + const BIGNUM *bnp, *bnq, *bng; + DSA_get0_pqg(dsa, &bnp, &bnq, &bng); + return DLGroup(bn2bi(bnp), bn2bi(bnq), bn2bi(bng)); } virtual BigInteger y() const { - return bn2bi(evp.pkey->pkey.dsa->pub_key); + DSA *dsa = EVP_PKEY_get0_DSA(evp.pkey); + const BIGNUM *bnpub_key; + DSA_get0_key(dsa, &bnpub_key, NULL); + return bn2bi(bnpub_key); } virtual BigInteger x() const { - return bn2bi(evp.pkey->pkey.dsa->priv_key); + DSA *dsa = EVP_PKEY_get0_DSA(evp.pkey); + const BIGNUM *bnpriv_key; + DSA_get0_key(dsa, NULL, &bnpriv_key); + return bn2bi(bnpriv_key); } private slots: @@ -2404,9 +2503,10 @@ public: virtual void run() { DH *dh = DH_new(); - dh->p = bi2bn(domain.p()); - dh->g = bi2bn(domain.g()); - if(!DH_generate_key(dh)) + BIGNUM *bnp = bi2bn(domain.p()); + BIGNUM *bng = bi2bn(domain.g()); + if(!DH_set0_pqg(dh, bnp, NULL, bng) + || !DH_generate_key(dh)) { DH_free(dh); return; @@ -2478,11 +2578,14 @@ public: if(!sec) return; - DH *orig = evp.pkey->pkey.dh; + DH *orig = EVP_PKEY_get0_DH(evp.pkey); DH *dh = DH_new(); - dh->p = BN_dup(orig->p); - dh->g = BN_dup(orig->g); - dh->pub_key = BN_dup(orig->pub_key); + const BIGNUM *bnp, *bng, *bnpub_key; + DH_get0_pqg(orig, &bnp, NULL, &bng); + DH_get0_key(orig, &bnpub_key, NULL); + + DH_set0_key(dh, BN_dup(bnpub_key), NULL); + DH_set0_pqg(dh, BN_dup(bnp), NULL, BN_dup(bng)); evp.reset(); @@ -2498,10 +2601,13 @@ public: virtual SymmetricKey deriveKey(const PKeyBase &theirs) { - DH *dh = evp.pkey->pkey.dh; - DH *them = static_cast<const DHKey *>(&theirs)->evp.pkey->pkey.dh; + DH *dh = EVP_PKEY_get0_DH(evp.pkey); + DH *them = EVP_PKEY_get0_DH(static_cast<const DHKey *>(&theirs)->evp.pkey); + const BIGNUM *bnpub_key; + DH_get0_key(them, &bnpub_key, NULL); + SecureArray result(DH_size(dh)); - int ret = DH_compute_key((unsigned char *)result.data(), them->pub_key, dh); + int ret = DH_compute_key((unsigned char *)result.data(), bnpub_key, dh); if(ret <= 0) return SymmetricKey(); result.resize(ret); @@ -2531,12 +2637,13 @@ public: evp.reset(); DH *dh = DH_new(); - dh->p = bi2bn(domain.p()); - dh->g = bi2bn(domain.g()); - dh->pub_key = bi2bn(y); - dh->priv_key = bi2bn(x); + BIGNUM *bnp = bi2bn(domain.p()); + BIGNUM *bng = bi2bn(domain.g()); + BIGNUM *bnpub_key = bi2bn(y); + BIGNUM *bnpriv_key = bi2bn(x); - if(!dh->p || !dh->g || !dh->pub_key || !dh->priv_key) + if(!DH_set0_key(dh, bnpub_key, bnpriv_key) + || !DH_set0_pqg(dh, bnp, NULL, bng)) { DH_free(dh); return; @@ -2552,11 +2659,12 @@ public: evp.reset(); DH *dh = DH_new(); - dh->p = bi2bn(domain.p()); - dh->g = bi2bn(domain.g()); - dh->pub_key = bi2bn(y); + BIGNUM *bnp = bi2bn(domain.p()); + BIGNUM *bng = bi2bn(domain.g()); + BIGNUM *bnpub_key = bi2bn(y); - if(!dh->p || !dh->g || !dh->pub_key) + if(!DH_set0_key(dh, bnpub_key, NULL) + || !DH_set0_pqg(dh, bnp, NULL, bng)) { DH_free(dh); return; @@ -2569,17 +2677,26 @@ public: virtual DLGroup domain() const { - return DLGroup(bn2bi(evp.pkey->pkey.dh->p), bn2bi(evp.pkey->pkey.dh->g)); + DH *dh = EVP_PKEY_get0_DH(evp.pkey); + const BIGNUM *bnp, *bng; + DH_get0_pqg(dh, &bnp, NULL, &bng); + return DLGroup(bn2bi(bnp), bn2bi(bng)); } virtual BigInteger y() const { - return bn2bi(evp.pkey->pkey.dh->pub_key); + DH *dh = EVP_PKEY_get0_DH(evp.pkey); + const BIGNUM *bnpub_key; + DH_get0_key(dh, &bnpub_key, NULL); + return bn2bi(bnpub_key); } virtual BigInteger x() const { - return bn2bi(evp.pkey->pkey.dh->priv_key); + DH *dh = EVP_PKEY_get0_DH(evp.pkey); + const BIGNUM *bnpriv_key; + DH_get0_key(dh, NULL, &bnpriv_key); + return bn2bi(bnpriv_key); } private slots: @@ -2618,10 +2735,14 @@ public: { key = _key; RSA_set_method(rsa, rsa_method()); +#ifndef OSSL_110 rsa->flags |= RSA_FLAG_SIGN_VER; +#endif RSA_set_app_data(rsa, this); - rsa->n = bi2bn(_key.n()); - rsa->e = bi2bn(_key.e()); + BIGNUM *bnn = bi2bn(_key.n()); + BIGNUM *bne = bi2bn(_key.e()); + + RSA_set0_key(rsa, bnn, bne, NULL); } RSA_METHOD *rsa_method() @@ -2630,12 +2751,16 @@ public: if(!ops) { - ops = new RSA_METHOD(*RSA_get_default_method()); - ops->rsa_priv_enc = 0;//pkcs11_rsa_encrypt; - ops->rsa_priv_dec = rsa_priv_dec; - ops->rsa_sign = rsa_sign; - ops->rsa_verify = 0;//pkcs11_rsa_verify; - ops->finish = rsa_finish; + ops = RSA_meth_dup(RSA_get_default_method()); + RSA_meth_set_priv_enc(ops, NULL); //pkcs11_rsa_encrypt + RSA_meth_set_priv_dec(ops, rsa_priv_dec); //pkcs11_rsa_encrypt +#ifdef OSSL_110 + RSA_meth_set_sign(ops, NULL); +#else + RSA_meth_set_sign(ops, rsa_sign); +#endif + RSA_meth_set_verify(ops, NULL); //pkcs11_rsa_verify + RSA_meth_set_finish(ops, rsa_finish); } return ops; } @@ -2675,6 +2800,7 @@ public: return -1; } +#ifndef OSSL_110 static int rsa_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, const RSA *rsa) { QCA_RSA_METHOD *self = (QCA_RSA_METHOD *)RSA_get_app_data(rsa); @@ -2691,7 +2817,6 @@ public: } else { - // make X509 packet X509_SIG sig; ASN1_TYPE parameter; @@ -2765,6 +2890,7 @@ public: return 1; } +#endif static int rsa_finish(RSA *rsa) { @@ -2866,21 +2992,22 @@ public: PKeyBase *pkeyToBase(EVP_PKEY *pkey, bool sec) const { PKeyBase *nk = 0; - if(pkey->type == EVP_PKEY_RSA) + int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey)); + if(pkey_type == EVP_PKEY_RSA) { RSAKey *c = new RSAKey(provider()); c->evp.pkey = pkey; c->sec = sec; nk = c; } - else if(pkey->type == EVP_PKEY_DSA) + else if(pkey_type == EVP_PKEY_DSA) { DSAKey *c = new DSAKey(provider()); c->evp.pkey = pkey; c->sec = sec; nk = c; } - else if(pkey->type == EVP_PKEY_DH) + else if(pkey_type == EVP_PKEY_DH) { DHKey *c = new DHKey(provider()); c->evp.pkey = pkey; @@ -2898,8 +3025,10 @@ public: { EVP_PKEY *pkey = get_pkey(); + int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey)); + // OpenSSL does not have DH import/export support - if(pkey->type == EVP_PKEY_DH) + if(pkey_type == EVP_PKEY_DH) return QByteArray(); BIO *bo = BIO_new(BIO_s_mem()); @@ -2912,8 +3041,10 @@ public: { EVP_PKEY *pkey = get_pkey(); + int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey)); + // OpenSSL does not have DH import/export support - if(pkey->type == EVP_PKEY_DH) + if(pkey_type == EVP_PKEY_DH) return QString(); BIO *bo = BIO_new(BIO_s_mem()); @@ -2978,9 +3109,10 @@ public: return SecureArray(); EVP_PKEY *pkey = get_pkey(); + int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey)); // OpenSSL does not have DH import/export support - if(pkey->type == EVP_PKEY_DH) + if(pkey_type == EVP_PKEY_DH) return SecureArray(); BIO *bo = BIO_new(BIO_s_mem()); @@ -3007,9 +3139,10 @@ public: return QString(); EVP_PKEY *pkey = get_pkey(); + int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey)); // OpenSSL does not have DH import/export support - if(pkey->type == EVP_PKEY_DH) + if(pkey_type == EVP_PKEY_DH) return QString(); BIO *bo = BIO_new(BIO_s_mem()); @@ -3110,11 +3243,18 @@ public: crl = from.crl; if(cert) - CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(cert); if(req) + { +#ifdef OSSL_110 + // Not exposed, so copy + req = X509_REQ_dup(req); +#else CRYPTO_add(&req->references, 1, CRYPTO_LOCK_X509_REQ); +#endif + } if(crl) - CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL); + X509_CRL_up_ref(crl); } return *this; @@ -3220,7 +3360,7 @@ public: // // This code is mostly taken from OpenSSL v0.9.5a // by Eric Young -QDateTime ASN1_UTCTIME_QDateTime(ASN1_UTCTIME *tm, int *isGmt) +QDateTime ASN1_UTCTIME_QDateTime(const ASN1_UTCTIME *tm, int *isGmt) { QDateTime qdt; char *v; @@ -3318,7 +3458,7 @@ public: void fromX509(X509 *x) { - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); item.cert = x; make_props(); } @@ -3349,7 +3489,7 @@ public: if(priv.key()->type() == PKey::RSA) md = EVP_sha1(); else if(priv.key()->type() == PKey::DSA) - md = EVP_dss1(); + md = EVP_sha1(); else return false; @@ -3480,7 +3620,7 @@ public: const MyCertContext *our_cc = this; X509 *x = our_cc->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(untrusted_list, x); const MyCertContext *other_cc = static_cast<const MyCertContext *>(other); @@ -3595,14 +3735,30 @@ public: p.policies = get_cert_policies(ex); } - if (x->signature) +#ifdef OSSL_110 + const +#endif + ASN1_BIT_STRING *signature; + +#if OPENSSL_VERSION_NUMBER < 0x10002000L + signature = x->signature; +#else + X509_get0_signature(&signature, NULL, x); +#endif + + if(signature) { - p.sig = QByteArray(x->signature->length, 0); - for (int i=0; i< x->signature->length; i++) - p.sig[i] = x->signature->data[i]; + p.sig = QByteArray(signature->length, 0); + for (int i=0; i< signature->length; i++) + p.sig[i] = signature->data[i]; } - switch( OBJ_obj2nid(x->cert_info->signature->algorithm) ) + +#if OPENSSL_VERSION_NUMBER < 0x10002000L + switch ( OBJ_obj2nid(x->sig_alg->algorithm) ) +#else + switch( X509_get_signature_nid(x) ) +#endif { case NID_sha1WithRSAEncryption: p.sigalgo = QCA::EMSA3_SHA1; @@ -3634,7 +3790,11 @@ public: p.sigalgo = QCA::EMSA3_SHA512; break; default: - qDebug() << "Unknown signature value: " << OBJ_obj2nid(x->cert_info->signature->algorithm); +#if OPENSSL_VERSION_NUMBER < 0x10002000L + qDebug() << "Unknown signature value: " << OBJ_obj2nid(x->sig_alg->algorithm); +#else + qDebug() << "Unknown signature value: " << X509_get_signature_nid(x); +#endif p.sigalgo = QCA::SignatureUnknown; } @@ -3751,7 +3911,7 @@ public: if(privateKey -> key()->type() == PKey::RSA) md = EVP_sha1(); else if(privateKey -> key()->type() == PKey::DSA) - md = EVP_dss1(); + md = EVP_sha1(); else return 0; @@ -3934,7 +4094,7 @@ public: if(priv.key()->type() == PKey::RSA) md = EVP_sha1(); else if(priv.key()->type() == PKey::DSA) - md = EVP_dss1(); + md = EVP_sha1(); else return false; @@ -4095,14 +4255,17 @@ public: sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); - if (x->signature) + const ASN1_BIT_STRING *signature; + + X509_REQ_get0_signature(x, &signature, NULL); + if(signature) { - p.sig = QByteArray(x->signature->length, 0); - for (int i=0; i< x->signature->length; i++) - p.sig[i] = x->signature->data[i]; + p.sig = QByteArray(signature->length, 0); + for (int i=0; i< signature->length; i++) + p.sig[i] = signature->data[i]; } - switch( OBJ_obj2nid(x->sig_alg->algorithm) ) + switch( X509_REQ_get_signature_nid(x) ) { case NID_sha1WithRSAEncryption: p.sigalgo = QCA::EMSA3_SHA1; @@ -4122,7 +4285,7 @@ public: p.sigalgo = QCA::EMSA1_SHA1; break; default: - qDebug() << "Unknown signature value: " << OBJ_obj2nid(x->sig_alg->algorithm); + qDebug() << "Unknown signature value: " << X509_REQ_get_signature_nid(x); p.sigalgo = QCA::SignatureUnknown; } @@ -4186,7 +4349,7 @@ public: void fromX509(X509_CRL *x) { - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); + X509_CRL_up_ref(x); item.crl = x; make_props(); } @@ -4231,15 +4394,15 @@ public: issuer = get_cert_name(X509_CRL_get_issuer(x)); - p.thisUpdate = ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(x), NULL); - p.nextUpdate = ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(x), NULL); + p.thisUpdate = ASN1_UTCTIME_QDateTime(X509_CRL_get0_lastUpdate(x), NULL); + p.nextUpdate = ASN1_UTCTIME_QDateTime(X509_CRL_get0_nextUpdate(x), NULL); STACK_OF(X509_REVOKED)* revokeStack = X509_CRL_get_REVOKED(x); for (int i = 0; i < sk_X509_REVOKED_num(revokeStack); ++i) { X509_REVOKED *rev = sk_X509_REVOKED_value(revokeStack, i); - BigInteger serial = bn2bi(ASN1_INTEGER_to_BN(rev->serialNumber, NULL)); - QDateTime time = ASN1_UTCTIME_QDateTime( rev->revocationDate, NULL); + BigInteger serial = bn2bi(ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev), NULL)); + QDateTime time = ASN1_UTCTIME_QDateTime( X509_REVOKED_get0_revocationDate(rev), NULL); QCA::CRLEntry::Reason reason = QCA::CRLEntry::Unspecified; int pos = X509_REVOKED_get_ext_by_NID(rev, NID_crl_reason, -1); if (pos != -1) { @@ -4288,13 +4451,18 @@ public: p.revoked.append(thisEntry); } - if (x->signature) + const ASN1_BIT_STRING *signature; + + X509_CRL_get0_signature(x, &signature, NULL); + if(signature) { - p.sig = QByteArray(x->signature->length, 0); - for (int i=0; i< x->signature->length; i++) - p.sig[i] = x->signature->data[i]; + p.sig = QByteArray(signature->length, 0); + for (int i=0; i< signature->length; i++) + p.sig[i] = signature->data[i]; } - switch( OBJ_obj2nid(x->sig_alg->algorithm) ) + + + switch( X509_CRL_get_signature_nid(x) ) { case NID_sha1WithRSAEncryption: p.sigalgo = QCA::EMSA3_SHA1; @@ -4326,7 +4494,7 @@ public: p.sigalgo = QCA::EMSA3_SHA512; break; default: - qWarning() << "Unknown signature value: " << OBJ_obj2nid(x->sig_alg->algorithm); + qWarning() << "Unknown signature value: " << X509_CRL_get_signature_nid(x); p.sigalgo = QCA::SignatureUnknown; } @@ -4487,21 +4655,21 @@ Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList { const MyCertContext *cc = static_cast<const MyCertContext *>(trusted[n]); X509 *x = cc->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(trusted_list, x); } for(n = 0; n < untrusted.count(); ++n) { const MyCertContext *cc = static_cast<const MyCertContext *>(untrusted[n]); X509 *x = cc->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(untrusted_list, x); } for(n = 0; n < crls.count(); ++n) { const MyCRLContext *cc = static_cast<const MyCRLContext *>(crls[n]); X509_CRL *x = cc->item.crl; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); + X509_CRL_up_ref(x); crl_list.append(x); } @@ -4526,7 +4694,7 @@ Validity MyCertContext::validate(const QList<CertContext*> &trusted, const QList int ret = X509_verify_cert(ctx); int err = -1; if(!ret) - err = ctx->error; + err = X509_STORE_CTX_get_error(ctx); // cleanup X509_STORE_CTX_free(ctx); @@ -4560,21 +4728,21 @@ Validity MyCertContext::validate_chain(const QList<CertContext*> &chain, const Q { const MyCertContext *cc = static_cast<const MyCertContext *>(trusted[n]); X509 *x = cc->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(trusted_list, x); } for(n = 1; n < chain.count(); ++n) { const MyCertContext *cc = static_cast<const MyCertContext *>(chain[n]); X509 *x = cc->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(untrusted_list, x); } for(n = 0; n < crls.count(); ++n) { const MyCRLContext *cc = static_cast<const MyCRLContext *>(crls[n]); X509_CRL *x = cc->item.crl; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); + X509_CRL_up_ref(x); crl_list.append(x); } @@ -4599,7 +4767,7 @@ Validity MyCertContext::validate_chain(const QList<CertContext*> &chain, const Q int ret = X509_verify_cert(ctx); int err = -1; if(!ret) - err = ctx->error; + err = X509_STORE_CTX_get_error(ctx); // grab the chain, which may not be fully populated STACK_OF(X509) *xchain = X509_STORE_CTX_get_chain(ctx); @@ -4663,7 +4831,7 @@ public: for(int n = 1; n < chain.count(); ++n) { X509 *x = static_cast<const MyCertContext *>(chain[n])->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(ca, x); } } @@ -5398,7 +5566,7 @@ public: OpenSSL_add_ssl_algorithms(); SSL_CTX *ctx = 0; switch (version) { -#ifndef OPENSSL_NO_SSL2 +#if !defined(OPENSSL_NO_SSL2) && !defined(OSSL_110) case TLS::SSL_v2: ctx = SSL_CTX_new(SSLv2_client_method()); break; @@ -5429,8 +5597,8 @@ public: STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl); QStringList cipherList; for(int i = 0; i < sk_SSL_CIPHER_num(sk); ++i) { - SSL_CIPHER *thisCipher = sk_SSL_CIPHER_value(sk, i); - cipherList += cipherIDtoString(version, thisCipher->id); + const SSL_CIPHER *thisCipher = sk_SSL_CIPHER_value(sk, i); + cipherList += cipherIDtoString(version, SSL_CIPHER_get_id(thisCipher)); } SSL_free(ssl); @@ -5807,13 +5975,15 @@ public: { SessionInfo sessInfo; - sessInfo.isCompressed = (0 != SSL_SESSION_get_compress_id(ssl->session)); + SSL_SESSION *session = SSL_get0_session(ssl); + sessInfo.isCompressed = (0 != SSL_SESSION_get_compress_id(session)); + int ssl_version = SSL_version(ssl); - if (ssl->version == TLS1_VERSION) + if (ssl_version == TLS1_VERSION) sessInfo.version = TLS::TLS_v1; - else if (ssl->version == SSL3_VERSION) + else if (ssl_version == SSL3_VERSION) sessInfo.version = TLS::SSL_v3; - else if (ssl->version == SSL2_VERSION) + else if (ssl_version == SSL2_VERSION) sessInfo.version = TLS::SSL_v2; else { qDebug("unexpected version response"); @@ -5821,7 +5991,7 @@ public: } sessInfo.cipherSuite = cipherIDtoString( sessInfo.version, - SSL_get_current_cipher(ssl)->id); + SSL_CIPHER_get_id(SSL_get_current_cipher(ssl))); sessInfo.cipherMaxBits = SSL_get_cipher_bits(ssl, &(sessInfo.cipherBits)); @@ -6393,7 +6563,7 @@ public: for(int n = 0; n < nonroots.count(); ++n) { X509 *x = static_cast<MyCertContext *>(nonroots[n].context())->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(other_certs, x); } @@ -6435,7 +6605,7 @@ public: other_certs = sk_X509_new_null(); X509 *x = static_cast<MyCertContext *>(target.context())->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(other_certs, x); bi = BIO_new(BIO_s_mem()); @@ -6498,7 +6668,7 @@ public: for(int n = 0; n < untrusted_list.count(); ++n) { X509 *x = static_cast<MyCertContext *>(untrusted_list[n].context())->item.cert; - CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); + X509_up_ref(x); sk_X509_push(other_certs, x); } @@ -6749,14 +6919,27 @@ public: opensslCipherContext(const EVP_CIPHER *algorithm, const int pad, Provider *p, const QString &type) : CipherContext(p, type) { m_cryptoAlgorithm = algorithm; - EVP_CIPHER_CTX_init(&m_context); + m_context = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX_init(m_context); m_pad = pad; m_type = type; } + opensslCipherContext(const opensslCipherContext &other) + : CipherContext(other) + { + m_cryptoAlgorithm = other.m_cryptoAlgorithm; + m_context = EVP_CIPHER_CTX_new(); + EVP_CIPHER_CTX_copy(m_context, other.m_context); + m_direction = other.m_direction; + m_pad = other.m_pad; + m_type = other.m_type; + } + ~opensslCipherContext() { - EVP_CIPHER_CTX_cleanup(&m_context); + EVP_CIPHER_CTX_cleanup(m_context); + EVP_CIPHER_CTX_free(m_context); } void setup(Direction dir, @@ -6769,20 +6952,20 @@ public: m_cryptoAlgorithm = EVP_des_ede(); } if (Encode == m_direction) { - EVP_EncryptInit_ex(&m_context, m_cryptoAlgorithm, 0, 0, 0); - EVP_CIPHER_CTX_set_key_length(&m_context, key.size()); - EVP_EncryptInit_ex(&m_context, 0, 0, + EVP_EncryptInit_ex(m_context, m_cryptoAlgorithm, 0, 0, 0); + EVP_CIPHER_CTX_set_key_length(m_context, key.size()); + EVP_EncryptInit_ex(m_context, 0, 0, (const unsigned char*)(key.data()), (const unsigned char*)(iv.data())); } else { - EVP_DecryptInit_ex(&m_context, m_cryptoAlgorithm, 0, 0, 0); - EVP_CIPHER_CTX_set_key_length(&m_context, key.size()); - EVP_DecryptInit_ex(&m_context, 0, 0, + EVP_DecryptInit_ex(m_context, m_cryptoAlgorithm, 0, 0, 0); + EVP_CIPHER_CTX_set_key_length(m_context, key.size()); + EVP_DecryptInit_ex(m_context, 0, 0, (const unsigned char*)(key.data()), (const unsigned char*)(iv.data())); } - EVP_CIPHER_CTX_set_padding(&m_context, m_pad); + EVP_CIPHER_CTX_set_padding(m_context, m_pad); } Provider::Context *clone() const @@ -6792,7 +6975,7 @@ public: int blockSize() const { - return EVP_CIPHER_CTX_block_size(&m_context); + return EVP_CIPHER_CTX_block_size(m_context); } bool update(const SecureArray &in, SecureArray *out) @@ -6805,7 +6988,7 @@ public: out->resize(in.size()+blockSize()); int resultLength; if (Encode == m_direction) { - if (0 == EVP_EncryptUpdate(&m_context, + if (0 == EVP_EncryptUpdate(m_context, (unsigned char*)out->data(), &resultLength, (unsigned char*)in.data(), @@ -6813,7 +6996,7 @@ public: return false; } } else { - if (0 == EVP_DecryptUpdate(&m_context, + if (0 == EVP_DecryptUpdate(m_context, (unsigned char*)out->data(), &resultLength, (unsigned char*)in.data(), @@ -6830,13 +7013,13 @@ public: out->resize(blockSize()); int resultLength; if (Encode == m_direction) { - if (0 == EVP_EncryptFinal_ex(&m_context, + if (0 == EVP_EncryptFinal_ex(m_context, (unsigned char*)out->data(), &resultLength)) { return false; } } else { - if (0 == EVP_DecryptFinal_ex(&m_context, + if (0 == EVP_DecryptFinal_ex(m_context, (unsigned char*)out->data(), &resultLength)) { return false; @@ -6871,7 +7054,7 @@ public: protected: - EVP_CIPHER_CTX m_context; + EVP_CIPHER_CTX *m_context; const EVP_CIPHER *m_cryptoAlgorithm; Direction m_direction; int m_pad; diff --git a/unittest/tls/tlsunittest.cpp b/unittest/tls/tlsunittest.cpp index 38caf2d..ba8ed94 100644 --- a/unittest/tls/tlsunittest.cpp +++ b/unittest/tls/tlsunittest.cpp @@ -60,14 +60,16 @@ void TLSUnitTest::testCipherList() QCA::TLS *tls = new QCA::TLS(QCA::TLS::Stream, 0, "qca-ossl"); QStringList cipherList = tls->supportedCipherSuites(QCA::TLS::TLS_v1); QVERIFY( cipherList.contains("TLS_DHE_RSA_WITH_AES_256_CBC_SHA") ); - QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_AES_256_CBC_SHA") ); QVERIFY( cipherList.contains("TLS_RSA_WITH_AES_256_CBC_SHA") ); - QVERIFY( cipherList.contains("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA") ); - QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA") ); - QVERIFY( cipherList.contains("TLS_RSA_WITH_3DES_EDE_CBC_SHA") ); QVERIFY( cipherList.contains("TLS_DHE_RSA_WITH_AES_128_CBC_SHA") ); - QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_AES_128_CBC_SHA") ); - QVERIFY( cipherList.contains("TLS_RSA_WITH_AES_128_CBC_SHA") ); + + // openSUSE TW OpenSSL 1.1 does not have this + // QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_AES_256_CBC_SHA") ); + // QVERIFY( cipherList.contains("TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA") ); + // QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA") ); + // QVERIFY( cipherList.contains("TLS_RSA_WITH_3DES_EDE_CBC_SHA") ); + // QVERIFY( cipherList.contains("TLS_RSA_WITH_AES_128_CBC_SHA") ); + // QVERIFY( cipherList.contains("TLS_DHE_DSS_WITH_AES_128_CBC_SHA") ); // Fedora 26 openssl has no this cipher suites. // QVERIFY( cipherList.contains("TLS_RSA_WITH_RC4_128_SHA") ); @@ -89,16 +91,17 @@ void TLSUnitTest::testCipherList() // QVERIFY( cipherList.contains("TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5") ); // QVERIFY( cipherList.contains("TLS_RSA_EXPORT_WITH_RC4_40_MD5") ); - cipherList = tls->supportedCipherSuites(QCA::TLS::SSL_v3); - QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_AES_256_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_AES_256_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_RSA_WITH_AES_256_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_RSA_WITH_3DES_EDE_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_AES_128_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_AES_128_CBC_SHA") ); - QVERIFY( cipherList.contains("SSL_RSA_WITH_AES_128_CBC_SHA") ); + // OpenSSL 1.1 in openSUSE TW has it disabled by default + // cipherList = tls->supportedCipherSuites(QCA::TLS::SSL_v3); + // QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_AES_256_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_AES_256_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_RSA_WITH_AES_256_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_RSA_WITH_3DES_EDE_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_AES_128_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_AES_128_CBC_SHA") ); + // QVERIFY( cipherList.contains("SSL_RSA_WITH_AES_128_CBC_SHA") ); // QVERIFY( cipherList.contains("SSL_DHE_RSA_WITH_DES_CBC_SHA") ); // QVERIFY( cipherList.contains("SSL_DHE_DSS_WITH_DES_CBC_SHA") ); -- 2.15.0
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor