File 0021-CPPXT-110-OpenSSL-1.1-makes-DSA-opaque.patch of Package xmltooling

Overview Repositories Revisions Requests Users Attributes Meta

File 0021-CPPXT-110-OpenSSL-1.1-makes-DSA-opaque.patch of Package xmltooling

From c3693a3bba7b3ec30fb4d6272ab8b2f8224d3175 Mon Sep 17 00:00:00 2001
From: Rod Widdowson <rdw@steadingsoftware.com>
Date: Fri, 15 Jul 2016 15:34:22 +0100
Subject: [PATCH 21/31] CPPXT-110 OpenSSL 1.1 makes DSA opaque

https://issues.shibboleth.net/jira/browse/CPPXT-110

Add new functions to get the public and private key.

Call the new DSA_get0_key function in 1.1 and reach into
the structure otherwise.

(reapplied - previously backed out in bae0dd53)
---
 .../security/impl/ExplicitKeyTrustEngine.cpp       |  4 +++-
 xmltooling/security/impl/OpenSSLSupport.cpp        | 27 +++++++++++++++++++++-
 xmltooling/security/impl/OpenSSLSupport.h          |  7 ++++++
 xmltooling/security/impl/SecurityHelper.cpp        |  5 ++--
 4 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 5f70a70..785d912 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -34,12 +34,14 @@
 #include "signature/Signature.h"
 #include "signature/SignatureValidator.h"
 #include "util/NDC.h"
+#include "security/impl/OpenSSLSupport.h"
 
 #include <xercesc/util/XMLUniDefs.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
 
+
 using namespace xmlsignature;
 using namespace xmltooling::logging;
 using namespace xmltooling;
@@ -277,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
+                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer DSA key information");
diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp
index bedf872..e5d79a7 100644
--- a/xmltooling/security/impl/OpenSSLSupport.cpp
+++ b/xmltooling/security/impl/OpenSSLSupport.cpp
@@ -29,6 +29,8 @@
 #include <openssl/x509_vfy.h> 
 #include <security/impl/OpenSSLSupport.h>
 
+using namespace xmltooling;
+
 X509StoreCtxRAII::X509StoreCtxRAII() : m_context(X509_STORE_CTX_new()) {
 }
 
@@ -56,7 +58,8 @@ STACK_OF(X509) *X509StoreCtxRAII::get0Chain() {
 }
 
 // the API to set the trusted stack changed in OpenSSL1.1
-void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) {
+void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk)
+{
     if (m_context) {
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
         X509_STORE_CTX_trusted_stack(m_context, sk);
@@ -65,3 +68,25 @@ void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) {
 #endif
     }
 }
+
+BIGNUM *DSA_get0_pubkey(const DSA *dsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return dsa->pub_key;
+#else
+    BIGNUM *result;
+    DSA_get0_key(dsa, &result, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *DSA_get0_privkey(const DSA *dsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return dsa->priv_key;
+#else
+    BIGNUM *result;
+    DSA_get0_key(dsa, NULL, &result);
+    return result;
+#endif
+}
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index ffaa390..74bd710 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -33,6 +33,7 @@
 #   define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted)
 #endif
 
+namespace xmltooling {
     // RAII for the now opaque X509_STORE_CTX
     class X509StoreCtxRAII
     {
@@ -51,3 +52,9 @@
     private:
         X509_STORE_CTX *m_context;
     };
+
+
+    BIGNUM *DSA_get0_pubkey(const DSA *dsa);
+    BIGNUM *DSA_get0_privkey(const DSA *dsa);
+
+}
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index 0c15f05..bb2f016 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -30,6 +30,7 @@
 #include "security/OpenSSLCryptoX509CRL.h"
 #include "security/SecurityHelper.h"
 #include "security/X509Credential.h"
+#include "security/impl/OpenSSLSupport.h"
 #include "soap/HTTPSOAPTransport.h"
 #include "util/NDC.h"
 
@@ -504,7 +505,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
         const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
-        return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
+        return (dsa1 && dsa2 && BN_cmp(DSA_get0_pubkey(dsa1),DSA_get0_pubkey(dsa2)) == 0);
     }
 
     // For a private key, compare the private half.
@@ -513,7 +514,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
         const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
-        return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
+        return (dsa1 && dsa2 && BN_cmp(DSA_get0_privkey(dsa1),DSA_get0_privkey(dsa2)) == 0);
     }
 
 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
-- 
2.13.6

Places

File 0021-CPPXT-110-OpenSSL-1.1-makes-DSA-opaque.patch of Package xmltooling

Places