control: tags -1 patch On 2016-06-26 21:52:11 [-0700], John Belmonte wrote: > I'll have to upgrade to a newer upstream version. Looks like this was > addressed in 1.2.21.
1.2.22 plus the patch attached and it builds again :) Sebastian
>From 7ab8a4ab41ad6096a5bfbe5937680454abe56b44 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Date: Wed, 31 Aug 2016 23:25:37 +0200 Subject: [PATCH] openssl: get it build against openssl 1.1.0 and earlier Tried to get it done as little intrusive as possible. It compiles against 1.1.0 and 1.0.2h. Testsuite passes/fails in the same way. Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- src/openssl/evp.c | 253 +++++++++++++++++++++++++--------------- src/openssl/kt_rsa.c | 41 ++++--- src/openssl/openssl11_wrapper.h | 153 ++++++++++++++++++++++++ src/openssl/signatures.c | 112 +++++++----------- src/openssl/x509vfy.c | 87 +++++++++++--- 5 files changed, 444 insertions(+), 202 deletions(-) create mode 100644 src/openssl/openssl11_wrapper.h diff --git a/src/openssl/evp.c b/src/openssl/evp.c index 328602bc6335..b83efffa1e5a 100644 --- a/src/openssl/evp.c +++ b/src/openssl/evp.c @@ -23,6 +23,7 @@ #include <xmlsec/openssl/crypto.h> #include <xmlsec/openssl/bn.h> #include <xmlsec/openssl/evp.h> +#include "openssl11_wrapper.h" /************************************************************************** * @@ -182,7 +183,7 @@ xmlSecOpenSSLEvpKeyDup(EVP_PKEY* pKey) { xmlSecAssert2(pKey != NULL, NULL); - ret = CRYPTO_add(&pKey->references,1,CRYPTO_LOCK_EVP_PKEY); + ret = EVP_PKEY_up_ref(pKey); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -210,7 +211,7 @@ xmlSecOpenSSLEvpKeyAdopt(EVP_PKEY *pKey) { xmlSecAssert2(pKey != NULL, NULL); - switch(pKey->type) { + switch(EVP_PKEY_id(pKey)) { #ifndef XMLSEC_NO_RSA case EVP_PKEY_RSA: data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataRsaId); @@ -296,7 +297,7 @@ xmlSecOpenSSLEvpKeyAdopt(EVP_PKEY *pKey) { NULL, NULL, XMLSEC_ERRORS_R_INVALID_TYPE, - "evp key type %d not supported", pKey->type); + "evp key type %d not supported", EVP_PKEY_id(pKey)); return(NULL); } @@ -530,9 +531,9 @@ xmlSecOpenSSLKeyDataDsaGetDsa(xmlSecKeyDataPtr data) { xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), NULL); pKey = xmlSecOpenSSLKeyDataDsaGetEvp(data); - xmlSecAssert2((pKey == NULL) || (pKey->type == EVP_PKEY_DSA), NULL); + xmlSecAssert2((pKey == NULL) || (EVP_PKEY_id(pKey) == EVP_PKEY_DSA), NULL); - return((pKey != NULL) ? pKey->pkey.dsa : (DSA*)NULL); + return pKey ? EVP_PKEY_get0_DSA(pKey) : NULL; } /** @@ -548,7 +549,7 @@ int xmlSecOpenSSLKeyDataDsaAdoptEvp(xmlSecKeyDataPtr data, EVP_PKEY* pKey) { xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), -1); xmlSecAssert2(pKey != NULL, -1); - xmlSecAssert2(pKey->type == EVP_PKEY_DSA, -1); + xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_DSA, -1); return(xmlSecOpenSSLEvpKeyDataAdoptEvp(data, pKey)); } @@ -593,9 +594,11 @@ xmlSecOpenSSLKeyDataDsaFinalize(xmlSecKeyDataPtr data) { static int xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlSecKeyDataPtr data; + xmlSecKeyDataPtr data = NULL; xmlNodePtr cur; - DSA *dsa; + DSA *dsa = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL; + BIGNUM *priv_key = NULL, *pub_key = NULL; int ret; xmlSecAssert2(id == xmlSecOpenSSLKeyDataDsaId, -1); @@ -619,7 +622,7 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "DSA_new", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(node->children); @@ -632,18 +635,17 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, XMLSEC_ERRORS_R_INVALID_NODE, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAP)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } - if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->p)) == NULL) { + + if(xmlSecOpenSSLNodeGetBNValue(cur, &p) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAP)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); @@ -655,18 +657,16 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, XMLSEC_ERRORS_R_INVALID_NODE, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAQ)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } - if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->q)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &q) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAQ)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); @@ -678,33 +678,30 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, XMLSEC_ERRORS_R_INVALID_NODE, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAG)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } - if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->g)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &g) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAG)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeDSAX, xmlSecNs))) { /* next is X node. It is REQUIRED for private key but * we are not sure exactly what do we read */ - if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->priv_key)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &priv_key) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAX)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); } @@ -717,17 +714,15 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, XMLSEC_ERRORS_R_INVALID_NODE, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAY)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } - if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->pub_key)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &pub_key) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAY)); - DSA_free(dsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); @@ -752,8 +747,7 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeGetName(cur)), XMLSEC_ERRORS_R_UNEXPECTED_NODE, XMLSEC_ERRORS_NO_MESSAGE); - DSA_free(dsa); - return(-1); + goto err_cleanup; } data = xmlSecKeyDataCreate(id); @@ -763,10 +757,20 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "xmlSecKeyDataCreate", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - DSA_free(dsa); - return(-1); + goto err_cleanup; } + if (!DSA_set0_pqg(dsa, p, q, g)) + goto err_cleanup; + p = NULL; + q = NULL; + g = NULL; + + if (!DSA_set0_key(dsa, pub_key, priv_key)) + goto err_cleanup; + pub_key = NULL; + priv_key = NULL; + ret = xmlSecOpenSSLKeyDataDsaAdoptDsa(data, dsa); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -774,9 +778,7 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "xmlSecOpenSSLKeyDataDsaAdoptDsa", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - xmlSecKeyDataDestroy(data); - DSA_free(dsa); - return(-1); + goto err_cleanup; } ret = xmlSecKeySetValue(key, data); @@ -786,11 +788,27 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "xmlSecKeySetValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - xmlSecKeyDataDestroy(data); - return(-1); + goto err_cleanup; } return(0); + +err_cleanup: + if (dsa) + DSA_free(dsa); + if (p) + BN_free(p); + if (q) + BN_free(q); + if (g) + BN_free(g); + if (priv_key) + BN_free(priv_key); + if (pub_key) + BN_free(pub_key); + if (data) + xmlSecKeyDataDestroy(data); + return -1; } static int @@ -799,6 +817,8 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr cur; DSA* dsa; int ret; + const BIGNUM *p, *q, *g; + const BIGNUM *priv_key, *pub_key; xmlSecAssert2(id == xmlSecOpenSSLKeyDataDsaId, -1); xmlSecAssert2(key != NULL, -1); @@ -814,8 +834,10 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, return(0); } + DSA_get0_pqg(dsa, &p, &q, &g); + /* first is P node */ - xmlSecAssert2(dsa->p != NULL, -1); + xmlSecAssert2(p != NULL, -1); cur = xmlSecAddChild(node, xmlSecNodeDSAP, xmlSecDSigNs); if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -826,7 +848,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeDSAP)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->p, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, p, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -838,7 +860,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, } /* next is Q node. */ - xmlSecAssert2(dsa->q != NULL, -1); + xmlSecAssert2(q != NULL, -1); cur = xmlSecAddChild(node, xmlSecNodeDSAQ, xmlSecDSigNs); if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -849,7 +871,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeDSAQ)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->q, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, q, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -861,7 +883,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, } /* next is G node. */ - xmlSecAssert2(dsa->g != NULL, -1); + xmlSecAssert2(g != NULL, -1); cur = xmlSecAddChild(node, xmlSecNodeDSAG, xmlSecDSigNs); if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -872,7 +894,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeDSAG)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->g, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, g, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -883,8 +905,10 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, return(-1); } + DSA_get0_key(dsa, &pub_key, &priv_key); + /* next is X node: write it ONLY for private keys and ONLY if it is requested */ - if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (dsa->priv_key != NULL)) { + if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (priv_key != NULL)) { cur = xmlSecAddChild(node, xmlSecNodeDSAX, xmlSecNs); if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -895,7 +919,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeDSAX)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->priv_key, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, priv_key, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -908,7 +932,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, } /* next is Y node. */ - xmlSecAssert2(dsa->pub_key != NULL, -1); + xmlSecAssert2(pub_key != NULL, -1); cur = xmlSecAddChild(node, xmlSecNodeDSAY, xmlSecDSigNs); if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -919,7 +943,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeDSAY)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->pub_key, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, pub_key, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -991,16 +1015,23 @@ xmlSecOpenSSLKeyDataDsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlS static xmlSecKeyDataType xmlSecOpenSSLKeyDataDsaGetType(xmlSecKeyDataPtr data) { DSA* dsa; + const BIGNUM *p, *q, *g; + const BIGNUM *priv_key, *pub_key; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), xmlSecKeyDataTypeUnknown); dsa = xmlSecOpenSSLKeyDataDsaGetDsa(data); - if((dsa != NULL) && (dsa->p != NULL) && (dsa->q != NULL) && - (dsa->g != NULL) && (dsa->pub_key != NULL)) { + if (!dsa) + return xmlSecKeyDataTypeUnknown; - if(dsa->priv_key != NULL) { + DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, &priv_key); + + if (p && q && g && pub_key) { + + if (priv_key) { return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic); - } else if(dsa->engine != NULL) { + } else if (DSA_get0_engine(dsa)) { /* * !!! HACK !!! Also see RSA key * We assume here that engine *always* has private key. @@ -1019,14 +1050,18 @@ xmlSecOpenSSLKeyDataDsaGetType(xmlSecKeyDataPtr data) { static xmlSecSize xmlSecOpenSSLKeyDataDsaGetSize(xmlSecKeyDataPtr data) { DSA* dsa; + const BIGNUM *p; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), 0); dsa = xmlSecOpenSSLKeyDataDsaGetDsa(data); - if((dsa != NULL) && (dsa->p != NULL)) { - return(BN_num_bits(dsa->p)); - } - return(0); + if (!dsa) + return 0; + + DSA_get0_pqg(dsa, &p, NULL, NULL); + if (!p) + return 0; + return BN_num_bits(p); } static void @@ -1194,9 +1229,9 @@ xmlSecOpenSSLKeyDataEcdsaGetEcdsa(xmlSecKeyDataPtr data) { xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataEcdsaId), NULL); pKey = xmlSecOpenSSLKeyDataEcdsaGetEvp(data); - xmlSecAssert2((pKey == NULL) || (pKey->type == EVP_PKEY_EC), NULL); + xmlSecAssert2((pKey == NULL) || (EVP_PKEY_id(pKey) == EVP_PKEY_EC), NULL); - return((pKey != NULL) ? pKey->pkey.ec : (EC_KEY*)NULL); + return pKey ? EVP_PKEY_get0_EC_KEY(pKey) : NULL; } /** @@ -1212,7 +1247,7 @@ int xmlSecOpenSSLKeyDataEcdsaAdoptEvp(xmlSecKeyDataPtr data, EVP_PKEY* pKey) { xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataEcdsaId), -1); xmlSecAssert2(pKey != NULL, -1); - xmlSecAssert2(pKey->type == EVP_PKEY_EC, -1); + xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_EC, -1); return(xmlSecOpenSSLEvpKeyDataAdoptEvp(data, pKey)); } @@ -1515,9 +1550,9 @@ xmlSecOpenSSLKeyDataRsaGetRsa(xmlSecKeyDataPtr data) { xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), NULL); pKey = xmlSecOpenSSLKeyDataRsaGetEvp(data); - xmlSecAssert2((pKey == NULL) || (pKey->type == EVP_PKEY_RSA), NULL); + xmlSecAssert2((pKey == NULL) || (EVP_PKEY_id(pKey) == EVP_PKEY_RSA), NULL); - return((pKey != NULL) ? pKey->pkey.rsa : (RSA*)NULL); + return pKey ? EVP_PKEY_get0_RSA(pKey) : NULL; } /** @@ -1533,7 +1568,7 @@ int xmlSecOpenSSLKeyDataRsaAdoptEvp(xmlSecKeyDataPtr data, EVP_PKEY* pKey) { xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), -1); xmlSecAssert2(pKey != NULL, -1); - xmlSecAssert2(pKey->type == EVP_PKEY_RSA, -1); + xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_RSA, -1); return(xmlSecOpenSSLEvpKeyDataAdoptEvp(data, pKey)); } @@ -1578,9 +1613,10 @@ xmlSecOpenSSLKeyDataRsaFinalize(xmlSecKeyDataPtr data) { static int xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { - xmlSecKeyDataPtr data; + xmlSecKeyDataPtr data = NULL; xmlNodePtr cur; RSA *rsa; + BIGNUM *n = NULL, *e = NULL, *d = NULL; int ret; xmlSecAssert2(id == xmlSecOpenSSLKeyDataRsaId, -1); @@ -1617,18 +1653,16 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, XMLSEC_ERRORS_R_INVALID_NODE, "node=%s", xmlSecErrorsSafeString(xmlSecNodeRSAModulus)); - RSA_free(rsa); - return(-1); + goto err_cleanup; } - if(xmlSecOpenSSLNodeGetBNValue(cur, &(rsa->n)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &n) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeRSAModulus)); - RSA_free(rsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); @@ -1640,33 +1674,30 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, XMLSEC_ERRORS_R_INVALID_NODE, "node=%s", xmlSecErrorsSafeString(xmlSecNodeRSAExponent)); - RSA_free(rsa); - return(-1); + goto err_cleanup; } - if(xmlSecOpenSSLNodeGetBNValue(cur, &(rsa->e)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &e) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeRSAExponent)); - RSA_free(rsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeRSAPrivateExponent, xmlSecNs))) { /* next is X node. It is REQUIRED for private key but * we are not sure exactly what do we read */ - if(xmlSecOpenSSLNodeGetBNValue(cur, &(rsa->d)) == NULL) { + if(xmlSecOpenSSLNodeGetBNValue(cur, &d) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "xmlSecOpenSSLNodeGetBNValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, "node=%s", xmlSecErrorsSafeString(xmlSecNodeRSAPrivateExponent)); - RSA_free(rsa); - return(-1); + goto err_cleanup; } cur = xmlSecGetNextElementNode(cur->next); } @@ -1677,10 +1708,15 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeGetName(cur)), XMLSEC_ERRORS_R_INVALID_NODE, "no nodes expected"); - RSA_free(rsa); - return(-1); + goto err_cleanup; } + if (!RSA_set0_key(rsa, n, e, d)) + goto err_cleanup; + n = NULL; + e = NULL; + d = NULL; + data = xmlSecKeyDataCreate(id); if(data == NULL ) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -1688,8 +1724,7 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "xmlSecKeyDataCreate", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - RSA_free(rsa); - return(-1); + goto err_cleanup; } ret = xmlSecOpenSSLKeyDataRsaAdoptRsa(data, rsa); @@ -1699,9 +1734,7 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "xmlSecOpenSSLKeyDataRsaAdoptRsa", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - xmlSecKeyDataDestroy(data); - RSA_free(rsa); - return(-1); + goto err_cleanup; } ret = xmlSecKeySetValue(key, data); @@ -1711,11 +1744,23 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key, "xmlSecKeySetValue", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - xmlSecKeyDataDestroy(data); - return(-1); + goto err_cleanup; } return(0); + +err_cleanup: + if (rsa) + RSA_free(rsa); + if (n) + BN_free(n); + if (e) + BN_free(e); + if (d) + BN_free(d); + if (data) + xmlSecKeyDataDestroy(data); + return -1; } static int @@ -1723,6 +1768,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) { xmlNodePtr cur; RSA* rsa; + const BIGNUM *n, *e, *d; int ret; xmlSecAssert2(id == xmlSecOpenSSLKeyDataRsaId, -1); @@ -1738,6 +1784,9 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, /* we can have only private key or public key */ return(0); } + if (!rsa) + return -1; + RSA_get0_key(rsa, &n, &e, &d); /* first is Modulus node */ cur = xmlSecAddChild(node, xmlSecNodeRSAModulus, xmlSecDSigNs); @@ -1750,7 +1799,8 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeRSAModulus)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, rsa->n, 1); + + ret = xmlSecOpenSSLNodeSetBNValue(cur, n, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -1772,7 +1822,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeRSAExponent)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, rsa->e, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, e, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -1784,7 +1834,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, } /* next is PrivateExponent node: write it ONLY for private keys and ONLY if it is requested */ - if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (rsa->d != NULL)) { + if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (d != NULL)) { cur = xmlSecAddChild(node, xmlSecNodeRSAPrivateExponent, xmlSecNs); if(cur == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -1795,7 +1845,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, xmlSecErrorsSafeString(xmlSecNodeRSAPrivateExponent)); return(-1); } - ret = xmlSecOpenSSLNodeSetBNValue(cur, rsa->d, 1); + ret = xmlSecOpenSSLNodeSetBNValue(cur, d, 1); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), @@ -1886,14 +1936,19 @@ xmlSecOpenSSLKeyDataRsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlS static xmlSecKeyDataType xmlSecOpenSSLKeyDataRsaGetType(xmlSecKeyDataPtr data) { RSA* rsa; + const BIGNUM *n, *e, *d; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), xmlSecKeyDataTypeUnknown); rsa = xmlSecOpenSSLKeyDataRsaGetRsa(data); - if((rsa != NULL) && (rsa->n != NULL) && (rsa->e != NULL)) { - if(rsa->d != NULL) { + if (!rsa) + return xmlSecKeyDataTypeUnknown; + + RSA_get0_key(rsa, &n, &e, &d); + if (n && e ) { + if (d) { return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic); - } else if((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) { + } else if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY)) { /* * !!! HACK !!! Also see DSA key * We assume here that engine *always* has private key. @@ -1912,12 +1967,16 @@ xmlSecOpenSSLKeyDataRsaGetType(xmlSecKeyDataPtr data) { static xmlSecSize xmlSecOpenSSLKeyDataRsaGetSize(xmlSecKeyDataPtr data) { RSA* rsa; + const BIGNUM *n; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), 0); rsa = xmlSecOpenSSLKeyDataRsaGetRsa(data); - if((rsa != NULL) && (rsa->n != NULL)) { - return(BN_num_bits(rsa->n)); + if (!rsa) + return 0; + RSA_get0_key(rsa, &n, NULL, NULL); + if (n) { + return BN_num_bits(n); } return(0); } diff --git a/src/openssl/kt_rsa.c b/src/openssl/kt_rsa.c index 8d47e4277510..0d6fa10f6225 100644 --- a/src/openssl/kt_rsa.c +++ b/src/openssl/kt_rsa.c @@ -34,6 +34,7 @@ #include <xmlsec/openssl/crypto.h> #include <xmlsec/openssl/evp.h> #include <xmlsec/openssl/bn.h> +#include "openssl11_wrapper.h" /************************************************************************** * @@ -166,6 +167,7 @@ static int xmlSecOpenSSLRsaPkcs1SetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { xmlSecOpenSSLRsaPkcs1CtxPtr ctx; EVP_PKEY* pKey; + RSA *rsa; xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaPkcs1Id), -1); xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); @@ -186,8 +188,9 @@ xmlSecOpenSSLRsaPkcs1SetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { XMLSEC_ERRORS_NO_MESSAGE); return(-1); } - xmlSecAssert2(pKey->type == EVP_PKEY_RSA, -1); - xmlSecAssert2(pKey->pkey.rsa != NULL, -1); + xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_RSA, -1); + rsa = EVP_PKEY_get0_RSA(pKey); + xmlSecAssert2(rsa != NULL, -1); ctx->pKey = xmlSecOpenSSLEvpKeyDup(pKey); if(ctx->pKey == NULL) { @@ -253,6 +256,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr xmlSecBufferPtr in, out; xmlSecSize inSize, outSize; xmlSecSize keySize; + RSA *rsa; int ret; xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaPkcs1Id), -1); @@ -263,10 +267,11 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr ctx = xmlSecOpenSSLRsaPkcs1GetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->pKey != NULL, -1); - xmlSecAssert2(ctx->pKey->type == EVP_PKEY_RSA, -1); - xmlSecAssert2(ctx->pKey->pkey.rsa != NULL, -1); + xmlSecAssert2(EVP_PKEY_id(ctx->pKey) == EVP_PKEY_RSA, -1); + rsa = EVP_PKEY_get0_RSA(ctx->pKey); + xmlSecAssert2(rsa != NULL, -1); - keySize = RSA_size(ctx->pKey->pkey.rsa); + keySize = RSA_size(rsa); xmlSecAssert2(keySize > 0, -1); in = &(transform->inBuf); @@ -308,7 +313,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr if(transform->operation == xmlSecTransformOperationEncrypt) { ret = RSA_public_encrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), - ctx->pKey->pkey.rsa, RSA_PKCS1_PADDING); + rsa, RSA_PKCS1_PADDING); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -321,7 +326,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr } else { ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), - ctx->pKey->pkey.rsa, RSA_PKCS1_PADDING); + rsa, RSA_PKCS1_PADDING); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -574,6 +579,7 @@ static int xmlSecOpenSSLRsaOaepSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { xmlSecOpenSSLRsaOaepCtxPtr ctx; EVP_PKEY* pKey; + RSA *rsa; xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaOaepId), -1); xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1); @@ -594,8 +600,9 @@ xmlSecOpenSSLRsaOaepSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { XMLSEC_ERRORS_NO_MESSAGE); return(-1); } - xmlSecAssert2(pKey->type == EVP_PKEY_RSA, -1); - xmlSecAssert2(pKey->pkey.rsa != NULL, -1); + xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_RSA, -1); + rsa = EVP_PKEY_get0_RSA(pKey); + xmlSecAssert2(rsa != NULL, -1); ctx->pKey = xmlSecOpenSSLEvpKeyDup(pKey); if(ctx->pKey == NULL) { @@ -662,6 +669,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr xmlSecBufferPtr in, out; xmlSecSize inSize, outSize; xmlSecSize keySize; + RSA *rsa; int ret; xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaOaepId), -1); @@ -672,10 +680,11 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr ctx = xmlSecOpenSSLRsaOaepGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->pKey != NULL, -1); - xmlSecAssert2(ctx->pKey->type == EVP_PKEY_RSA, -1); - xmlSecAssert2(ctx->pKey->pkey.rsa != NULL, -1); + xmlSecAssert2(EVP_PKEY_id(ctx->pKey) == EVP_PKEY_RSA, -1); + rsa = EVP_PKEY_get0_RSA(ctx->pKey); + xmlSecAssert2(rsa != NULL, -1); - keySize = RSA_size(ctx->pKey->pkey.rsa); + keySize = RSA_size(rsa); xmlSecAssert2(keySize > 0, -1); in = &(transform->inBuf); @@ -719,7 +728,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr /* encode w/o OAEPParams --> simple */ ret = RSA_public_encrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), - ctx->pKey->pkey.rsa, RSA_PKCS1_OAEP_PADDING); + rsa, RSA_PKCS1_OAEP_PADDING); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -761,7 +770,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr /* encode with OAEPParams */ ret = RSA_public_encrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), - ctx->pKey->pkey.rsa, RSA_NO_PADDING); + rsa, RSA_NO_PADDING); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -774,7 +783,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr } else if((transform->operation == xmlSecTransformOperationDecrypt) && (paramsSize == 0)) { ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), - ctx->pKey->pkey.rsa, RSA_PKCS1_OAEP_PADDING); + rsa, RSA_PKCS1_OAEP_PADDING); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -798,7 +807,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr } ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), - ctx->pKey->pkey.rsa, RSA_NO_PADDING); + rsa, RSA_NO_PADDING); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), diff --git a/src/openssl/openssl11_wrapper.h b/src/openssl/openssl11_wrapper.h new file mode 100644 index 000000000000..9eedee43d239 --- /dev/null +++ b/src/openssl/openssl11_wrapper.h @@ -0,0 +1,153 @@ +#ifndef __XMLSEC_OPENSSL11_WRAPPER_H__ +#define __XMLSEC_OPENSSL11_WRAPPER_H__ + +#if OPENSSL_VERSION_NUMBER < 0x10100000 +#define EVP_PKEY_up_ref(_k) \ + CRYPTO_add(&((_k)->references), 1, CRYPTO_LOCK_EVP_PKEY) +#define EVP_PKEY_id(_x) _x->type +#define EVP_PKEY_get0_DSA(_x) ((_x != NULL) ? _x->pkey.dsa : (DSA*)NULL) +#define EVP_PKEY_get0_EC_KEY(_x) ((_x != NULL) ? _x->pkey.ec : (EC_KEY*)NULL) +#define EVP_PKEY_get0_RSA(_x) ((_x != NULL) ? _x->pkey.rsa : (RSA*)NULL) + +static inline void DSA_get0_pqg(const DSA *d, + const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = d->p; + if (q != NULL) + *q = d->q; + if (g != NULL) + *g = d->g; +} + +static inline void DSA_get0_key(const DSA *d, + const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = d->pub_key; + if (priv_key != NULL) + *priv_key = d->priv_key; +} + +static inline void RSA_get0_key(const RSA *r, + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) + *n = r->n; + if (e != NULL) + *e = r->e; + if (d != NULL) + *d = r->d; +} + +#define RSA_test_flags(_rsa, _flags) (_rsa->flags & _flags) + +static inline void DSA_SIG_get0(const DSA_SIG *sig, + const BIGNUM **pr, const BIGNUM **ps) +{ + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +static inline void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, + const BIGNUM **ps) +{ + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +static inline int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return 0; + BN_clear_free(sig->r); + BN_clear_free(sig->s); + sig->r = r; + sig->s = s; + return 1; +} + +static inline int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return 0; + BN_clear_free(sig->r); + BN_clear_free(sig->s); + sig->r = r; + sig->s = s; + return 1; +} + +static inline ENGINE *DSA_get0_engine(DSA *d) +{ + return d->engine; +} + +static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +{ + if ((r->n == NULL && n == NULL) + || (r->e == NULL && e == NULL)) + return 0; + + if (n != NULL) { + BN_free(r->n); + r->n = n; + } + if (e != NULL) { + BN_free(r->e); + r->e = e; + } + if (d != NULL) { + BN_free(r->d); + r->d = d; + } + + return 1; +} + +static inline int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + if ((d->p == NULL && p == NULL) + || (d->q == NULL && q == NULL) + || (d->g == NULL && g == NULL)) + return 0; + + if (p != NULL) { + BN_free(d->p); + d->p = p; + } + if (q != NULL) { + BN_free(d->q); + d->q = q; + } + if (g != NULL) { + BN_free(d->g); + d->g = g; + } + + return 1; +} + +static inline int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +{ + if (d->pub_key == NULL && pub_key == NULL) + return 0; + + if (pub_key != NULL) { + BN_free(d->pub_key); + d->pub_key = pub_key; + } + if (priv_key != NULL) { + BN_free(d->priv_key); + d->priv_key = priv_key; + } + + return 1; +} + +#endif +#endif diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c index 5cb6f7b85d66..76d3eec298f4 100644 --- a/src/openssl/signatures.c +++ b/src/openssl/signatures.c @@ -21,6 +21,7 @@ #include <xmlsec/openssl/crypto.h> #include <xmlsec/openssl/evp.h> +#include "openssl11_wrapper.h" /* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html): * @@ -31,47 +32,8 @@ #define EVP_MD_CTX_free(x) EVP_MD_CTX_destroy((x)) #define EVP_MD_CTX_md_data(x) ((x)->md_data) -#ifndef XMLSEC_NO_DSA -/* we expect the r/s to be NOT NULL */ -static void ECDSA_SIG_get0(BIGNUM **pr, BIGNUM **ps, ECDSA_SIG *sig) { - if (pr != NULL) { - if(sig->r == NULL) { - sig->r = BN_new(); - } - *pr = sig->r; - } - if (ps != NULL) { - if(sig->s == NULL) { - sig->s = BN_new(); - } - *ps = sig->s; - } -} -#endif /* XMLSEC_NO_ECDSA */ - #endif /* !defined(XMLSEC_OPENSSL_110) */ -/* Preparation for OpenSSL 1.1.0 compatibility: we expect the r/s to be NOT NULL */ -#ifndef XMLSEC_NO_DSA -static void DSA_SIG_get0(BIGNUM **pr, BIGNUM **ps, DSA_SIG *sig) { - if (pr != NULL) { - if(sig->r == NULL) { - sig->r = BN_new(); - } - *pr = sig->r; - } - if (ps != NULL) { - if(sig->s == NULL) { - sig->s = BN_new(); - } - *ps = sig->s; - } -} -#endif /* XMLSEC_NO_DSA */ - - - - /************************************************************************** * * Internal OpenSSL signatures ctx: forward declarations @@ -610,7 +572,7 @@ static int xmlSecOpenSSLSignatureDsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr out) { DSA * dsaKey = NULL; DSA_SIG *sig = NULL; - BIGNUM *rr = NULL, *ss = NULL; + const BIGNUM *rr = NULL, *ss = NULL; xmlSecByte *outData; xmlSecSize dsaSignSize, signHalfSize, rSize, sSize; int res = -1; @@ -666,7 +628,7 @@ xmlSecOpenSSLSignatureDsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr } /* get signature components */ - DSA_SIG_get0(&rr, &ss, sig); + DSA_SIG_get0(sig, &rr, &ss); if((rr == NULL) || (ss == NULL)) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -790,7 +752,7 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy /* create/read signature */ sig = DSA_SIG_new(); - if (sig == NULL) { + if (!sig) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "DSA_SIG_new", @@ -799,18 +761,7 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy goto done; } - /* get signature components */ - DSA_SIG_get0(&rr, &ss, sig); - if((rr == NULL) || (ss == NULL)) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "DSA_SIG_get0", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - rr = BN_bin2bn(signData, signHalfSize, rr); + rr = BN_bin2bn(signData, signHalfSize, NULL); if(rr == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -819,7 +770,7 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy XMLSEC_ERRORS_NO_MESSAGE); goto done; } - ss = BN_bin2bn(signData + signHalfSize, signHalfSize, ss); + ss = BN_bin2bn(signData + signHalfSize, signHalfSize, NULL); if(ss == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -829,6 +780,18 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy goto done; } + if (!DSA_SIG_set0(sig, rr, ss)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_SIG_set0", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + rr = NULL; + ss = NULL; + /* verify signature */ ret = DSA_do_verify(ctx->dgst, ctx->dgstSize, sig, dsaKey); if(ret < 0) { @@ -855,7 +818,10 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy if(dsaKey != NULL) { DSA_free(dsaKey); } - + if (rr) + BN_clear_free(rr); + if (ss) + BN_clear_free(ss); /* done */ return(res); } @@ -1033,7 +999,7 @@ static int xmlSecOpenSSLSignatureEcdsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr out) { EC_KEY * ecKey = NULL; ECDSA_SIG *sig = NULL; - BIGNUM *rr = NULL, *ss = NULL; + const BIGNUM *rr = NULL, *ss = NULL; xmlSecByte *outData; xmlSecSize signHalfSize, rSize, sSize; int res = -1; @@ -1079,7 +1045,7 @@ xmlSecOpenSSLSignatureEcdsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPt } /* get signature components */ - ECDSA_SIG_get0(&rr, &ss, sig); + ECDSA_SIG_get0(sig, &rr, &ss); if((rr == NULL) || (ss == NULL)) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -1206,18 +1172,7 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec goto done; } - /* get signature components */ - ECDSA_SIG_get0(&rr, &ss, sig); - if((rr == NULL) || (ss == NULL)) { - xmlSecError(XMLSEC_ERRORS_HERE, - NULL, - "ECDSA_SIG_get0", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; - } - - rr = BN_bin2bn(signData, signHalfSize, rr); + rr = BN_bin2bn(signData, signHalfSize, NULL); if(rr == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -1226,7 +1181,7 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec XMLSEC_ERRORS_NO_MESSAGE); goto done; } - ss = BN_bin2bn(signData + signHalfSize, signHalfSize, ss); + ss = BN_bin2bn(signData + signHalfSize, signHalfSize, NULL); if(ss == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -1236,6 +1191,17 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec goto done; } + if (!ECDSA_SIG_set0(sig, rr, ss)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "ECDSA_SIG_set0()", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + rr = NULL; + ss = NULL; + /* verify signature */ ret = ECDSA_do_verify(ctx->dgst, ctx->dgstSize, sig, ecKey); if(ret < 0) { @@ -1262,6 +1228,10 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec if(ecKey != NULL) { EC_KEY_free(ecKey); } + if (rr) + BN_clear_free(rr); + if (ss) + BN_clear_free(ss); /* done */ return(res); diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c index 5560526b2aa5..03faad86edab 100644 --- a/src/openssl/x509vfy.c +++ b/src/openssl/x509vfy.c @@ -40,6 +40,29 @@ /* new API from OpenSSL 1.1.0 */ #if !defined(XMLSEC_OPENSSL_110) #define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber) + +static void X509_OBJECT_free(X509_OBJECT *a) +{ + if (a == NULL) + return; + X509_OBJECT_free_contents(a); + free(a); +} + +static X509_OBJECT *X509_OBJECT_new() +{ + X509_OBJECT *ret = calloc(1, sizeof(*ret)); + + return ret; +} + +static inline X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a) +{ + if (a == NULL) + return NULL; + return a->data.x509; +} + #endif /* !defined(XMLSEC_OPENSSL_110) */ /************************************************************************** @@ -181,6 +204,7 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* X509 * res = NULL; X509 * cert; X509 * err_cert = NULL; + X509_STORE_CTX *xsc; char buf[256]; int err = 0; int i; @@ -190,6 +214,16 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* xmlSecAssert2(certs != NULL, NULL); xmlSecAssert2(keyInfoCtx != NULL, NULL); + xsc = X509_STORE_CTX_new(); + if (!xsc) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_STORE_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + ctx = xmlSecOpenSSLX509StoreGetCtx(store); xmlSecAssert2(ctx != NULL, NULL); xmlSecAssert2(ctx->xst != NULL, NULL); @@ -289,11 +323,10 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* for(i = 0; i < sk_X509_num(certs2); ++i) { cert = sk_X509_value(certs2, i); if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) { - X509_STORE_CTX xsc; - X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2); + X509_STORE_CTX_init (xsc, ctx->xst, cert, certs2); if(keyInfoCtx->certsVerificationTime > 0) { - X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime); + X509_STORE_CTX_set_time(xsc, 0, keyInfoCtx->certsVerificationTime); } { @@ -319,15 +352,15 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* X509_VERIFY_PARAM_set_depth(vpm, 9); X509_VERIFY_PARAM_set_flags(vpm, vpm_flags); - X509_STORE_CTX_set0_param(&xsc, vpm); + X509_STORE_CTX_set0_param(xsc, vpm); } - ret = X509_verify_cert(&xsc); - err_cert = X509_STORE_CTX_get_current_cert(&xsc); - err = X509_STORE_CTX_get_error(&xsc); + ret = X509_verify_cert(xsc); + err_cert = X509_STORE_CTX_get_current_cert(xsc); + err = X509_STORE_CTX_get_error(xsc); - X509_STORE_CTX_cleanup (&xsc); + X509_STORE_CTX_cleanup (xsc); if(ret == 1) { res = cert; @@ -417,6 +450,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* if(crls2 != NULL) { sk_X509_CRL_free(crls2); } + if (xsc) + X509_STORE_CTX_free(xsc); return(res); } @@ -729,34 +764,44 @@ xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) { *****************************************************************************/ static int xmlSecOpenSSLX509VerifyCRL(X509_STORE* xst, X509_CRL *crl ) { - X509_STORE_CTX xsc; - X509_OBJECT xobj; + X509_STORE_CTX *xsc; + X509_OBJECT *xobj; EVP_PKEY *pkey; int ret; xmlSecAssert2(xst != NULL, -1); xmlSecAssert2(crl != NULL, -1); - X509_STORE_CTX_init(&xsc, xst, NULL, NULL); - ret = X509_STORE_get_by_subject(&xsc, X509_LU_X509, - X509_CRL_get_issuer(crl), &xobj); + xsc = X509_STORE_CTX_new(); + xobj = X509_OBJECT_new(); + if (!xsc || !xobj) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "X509_STORE_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto err; + } + + X509_STORE_CTX_init(xsc, xst, NULL, NULL); + ret = X509_STORE_get_by_subject(xsc, X509_LU_X509, + X509_CRL_get_issuer(crl), xobj); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "X509_STORE_get_by_subject", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + goto err; } - pkey = X509_get_pubkey(xobj.data.x509); - X509_OBJECT_free_contents(&xobj); + pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj)); if(pkey == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "X509_get_pubkey", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - return(-1); + goto err; } ret = X509_CRL_verify(crl, pkey); EVP_PKEY_free(pkey); @@ -767,8 +812,14 @@ xmlSecOpenSSLX509VerifyCRL(X509_STORE* xst, X509_CRL *crl ) { XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); } - X509_STORE_CTX_cleanup (&xsc); + X509_STORE_CTX_free(xsc); + X509_OBJECT_free(xobj); return((ret == 1) ? 1 : 0); + +err: + X509_STORE_CTX_free(xsc); + X509_OBJECT_free(xobj); + return -1; } static X509* -- 2.9.3