control: tags -1 patch

On 2016-06-26 21:52:11 [-0700], John Belmonte wrote:
> I'll have to upgrade to a newer upstream version.  Looks like this was
> addressed in 1.2.21.

1.2.22 plus the patch attached and it builds again :)

Sebastian
>From 7ab8a4ab41ad6096a5bfbe5937680454abe56b44 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Wed, 31 Aug 2016 23:25:37 +0200
Subject: [PATCH] openssl: get it build against openssl 1.1.0 and earlier

Tried to get it done in as unintrusive a way as possible. It compiles
against 1.1.0 and 1.0.2h. The testsuite passes/fails in the same way.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 src/openssl/evp.c               | 253 +++++++++++++++++++++++++---------------
 src/openssl/kt_rsa.c            |  41 ++++---
 src/openssl/openssl11_wrapper.h | 153 ++++++++++++++++++++++++
 src/openssl/signatures.c        | 112 +++++++-----------
 src/openssl/x509vfy.c           |  87 +++++++++++---
 5 files changed, 444 insertions(+), 202 deletions(-)
 create mode 100644 src/openssl/openssl11_wrapper.h

diff --git a/src/openssl/evp.c b/src/openssl/evp.c
index 328602bc6335..b83efffa1e5a 100644
--- a/src/openssl/evp.c
+++ b/src/openssl/evp.c
@@ -23,6 +23,7 @@
 #include <xmlsec/openssl/crypto.h>
 #include <xmlsec/openssl/bn.h>
 #include <xmlsec/openssl/evp.h>
+#include "openssl11_wrapper.h"
 
 /**************************************************************************
  *
@@ -182,7 +183,7 @@ xmlSecOpenSSLEvpKeyDup(EVP_PKEY* pKey) {
 
     xmlSecAssert2(pKey != NULL, NULL);
 
-    ret = CRYPTO_add(&pKey->references,1,CRYPTO_LOCK_EVP_PKEY);
+    ret = EVP_PKEY_up_ref(pKey);
     if(ret <= 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -210,7 +211,7 @@ xmlSecOpenSSLEvpKeyAdopt(EVP_PKEY *pKey) {
 
     xmlSecAssert2(pKey != NULL, NULL);
 
-    switch(pKey->type) {
+    switch(EVP_PKEY_id(pKey)) {
 #ifndef XMLSEC_NO_RSA
     case EVP_PKEY_RSA:
         data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataRsaId);
@@ -296,7 +297,7 @@ xmlSecOpenSSLEvpKeyAdopt(EVP_PKEY *pKey) {
                     NULL,
                     NULL,
                     XMLSEC_ERRORS_R_INVALID_TYPE,
-                    "evp key type %d not supported", pKey->type);
+                    "evp key type %d not supported", EVP_PKEY_id(pKey));
         return(NULL);
     }
 
@@ -530,9 +531,9 @@ xmlSecOpenSSLKeyDataDsaGetDsa(xmlSecKeyDataPtr data) {
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), NULL);
 
     pKey = xmlSecOpenSSLKeyDataDsaGetEvp(data);
-    xmlSecAssert2((pKey == NULL) || (pKey->type == EVP_PKEY_DSA), NULL);
+    xmlSecAssert2((pKey == NULL) || (EVP_PKEY_id(pKey) == EVP_PKEY_DSA), NULL);
 
-    return((pKey != NULL) ? pKey->pkey.dsa : (DSA*)NULL);
+    return pKey ? EVP_PKEY_get0_DSA(pKey) : NULL;
 }
 
 /**
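Review bot: `return pKey ? EVP_PKEY_get0_DSA(pKey) : NULL;` drops the `return(...)` form used everywhere else in this file, and the same bare form recurs in the ECDSA and RSA getters, the DSA/RSA GetType and GetSize rewrites and the RSA writer's new early return (the RSA getter additionally has a double space after `return`). Writing `return((pKey != NULL) ? EVP_PKEY_get0_DSA(pKey) : NULL);` keeps the added line consistent with the surrounding code. The get0 accessor, like the old field access, hands back a pointer the caller must not free, so the ownership contract of this getter is unchanged.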
@@ -548,7 +549,7 @@ int
 xmlSecOpenSSLKeyDataDsaAdoptEvp(xmlSecKeyDataPtr data, EVP_PKEY* pKey) {
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), -1);
     xmlSecAssert2(pKey != NULL, -1);
-    xmlSecAssert2(pKey->type == EVP_PKEY_DSA, -1);
+    xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_DSA, -1);
 
     return(xmlSecOpenSSLEvpKeyDataAdoptEvp(data, pKey));
 }
@@ -593,9 +594,11 @@ xmlSecOpenSSLKeyDataDsaFinalize(xmlSecKeyDataPtr data) {
 static int
 xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                                     xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecKeyDataPtr data;
+    xmlSecKeyDataPtr data = NULL;
     xmlNodePtr cur;
-    DSA *dsa;
+    DSA *dsa = NULL;
+    BIGNUM *p = NULL, *q = NULL, *g = NULL;
+    BIGNUM *priv_key = NULL, *pub_key = NULL;
     int ret;
 
     xmlSecAssert2(id == xmlSecOpenSSLKeyDataDsaId, -1);
@@ -619,7 +622,7 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "DSA_new",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        return(-1);
+        goto err_cleanup;
     }
 
     cur = xmlSecGetNextElementNode(node->children);
@@ -632,18 +635,17 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAP));
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
-    if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->p)) == NULL) {
+
+    if(xmlSecOpenSSLNodeGetBNValue(cur, &p) == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "xmlSecOpenSSLNodeGetBNValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAP));
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
     cur = xmlSecGetNextElementNode(cur->next);
 
@@ -655,18 +657,16 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAQ));
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
-    if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->q)) == NULL) {
+    if(xmlSecOpenSSLNodeGetBNValue(cur, &q) == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "xmlSecOpenSSLNodeGetBNValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAQ));
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
     cur = xmlSecGetNextElementNode(cur->next);
 
@@ -678,33 +678,30 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAG));
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
-    if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->g)) == NULL) {
+    if(xmlSecOpenSSLNodeGetBNValue(cur, &g) == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "xmlSecOpenSSLNodeGetBNValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAG));
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
     cur = xmlSecGetNextElementNode(cur->next);
 
     if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeDSAX, xmlSecNs))) {
         /* next is X node. It is REQUIRED for private key but
          * we are not sure exactly what do we read */
-        if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->priv_key)) == NULL) {
+        if(xmlSecOpenSSLNodeGetBNValue(cur, &priv_key) == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                         "xmlSecOpenSSLNodeGetBNValue",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
                         "node=%s",
                         xmlSecErrorsSafeString(xmlSecNodeDSAX));
-            DSA_free(dsa);
-            return(-1);
+	    goto err_cleanup;
         }
         cur = xmlSecGetNextElementNode(cur->next);
     }
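Review bot: The added `goto err_cleanup;` in the X-node branch is indented with a tab followed by spaces, while the rest of this file uses four-space indentation; the same tab-indented lines appear in the following DSA hunks (the Y-node, unexpected-node, xmlSecKeyDataCreate and set0 branches, and the err_cleanup label) and throughout the RSA reader, the GetType/GetSize rewrites and the RSA writer. Re-indent those lines with spaces so the patch does not mix the two styles. xmlSecOpenSSLKeyDataDsaXmlRead begins and ends outside this hunk.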
@@ -717,17 +714,15 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeDSAY));
-        DSA_free(dsa);
-        return(-1);
+	goto err_cleanup;
     }
-    if(xmlSecOpenSSLNodeGetBNValue(cur, &(dsa->pub_key)) == NULL) {
+    if(xmlSecOpenSSLNodeGetBNValue(cur, &pub_key) == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "xmlSecOpenSSLNodeGetBNValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     "node=%s", xmlSecErrorsSafeString(xmlSecNodeDSAY));
-        DSA_free(dsa);
-        return(-1);
+	goto err_cleanup;
     }
     cur = xmlSecGetNextElementNode(cur->next);
 
@@ -752,8 +747,7 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
                     XMLSEC_ERRORS_R_UNEXPECTED_NODE,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        DSA_free(dsa);
-        return(-1);
+	goto err_cleanup;
     }
 
     data = xmlSecKeyDataCreate(id);
@@ -763,10 +757,20 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "xmlSecKeyDataCreate",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        DSA_free(dsa);
-        return(-1);
+	goto err_cleanup;
     }
 
+    if (!DSA_set0_pqg(dsa, p, q, g))
+	    goto err_cleanup;
+    p = NULL;
+    q = NULL;
+    g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+	    goto err_cleanup;
+    pub_key = NULL;
+    priv_key = NULL;
+
     ret = xmlSecOpenSSLKeyDataDsaAdoptDsa(data, dsa);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
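Review bot: The two new failure branches `if (!DSA_set0_pqg(dsa, p, q, g)) goto err_cleanup;` and `if (!DSA_set0_key(dsa, pub_key, priv_key)) goto err_cleanup;` return -1 without reporting anything, whereas every other failure in this function logs through xmlSecError first (see the DSA_new and xmlSecKeyDataCreate branches in the surrounding hunks). Log them the same way before the goto, e.g. `xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)), "DSA_set0_pqg", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE);`. The `RSA_set0_key` branch added to the RSA reader further down has the same gap. The function body continues outside this hunk.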
@@ -774,9 +778,7 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "xmlSecOpenSSLKeyDataDsaAdoptDsa",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        xmlSecKeyDataDestroy(data);
-        DSA_free(dsa);
-        return(-1);
+        goto err_cleanup;
     }
 
     ret = xmlSecKeySetValue(key, data);
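Review bot: Once xmlSecOpenSSLKeyDataDsaAdoptDsa returns success, `dsa` is owned by `data`, yet the new code never clears it, so the `goto err_cleanup` taken when xmlSecKeySetValue fails (next hunk) runs DSA_free(dsa) and then xmlSecKeyDataDestroy(data), releasing the DSA twice; the old code destroyed only `data` on that path, which is what implies the ownership transfer. Add `dsa = NULL;` immediately after this `if(ret < 0) { ... }` block so the cleanup label only frees what is still unowned. The RSA reader has the same issue after xmlSecOpenSSLKeyDataRsaAdoptRsa (the hunk ending at its `ret = xmlSecKeySetValue(key, data);` line) and needs `rsa = NULL;` there too. xmlSecOpenSSLKeyDataDsaXmlRead begins and ends outside this hunk.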
@@ -786,11 +788,27 @@ xmlSecOpenSSLKeyDataDsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "xmlSecKeySetValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        xmlSecKeyDataDestroy(data);
-        return(-1);
+        goto err_cleanup;
     }
 
     return(0);
+
+err_cleanup:
+    if (dsa)
+	    DSA_free(dsa);
+    if (p)
+	    BN_free(p);
+    if (q)
+	    BN_free(q);
+    if (g)
+	    BN_free(g);
+    if (priv_key)
+	    BN_free(priv_key);
+    if (pub_key)
+	    BN_free(pub_key);
+    if (data)
+	    xmlSecKeyDataDestroy(data);
+    return -1;
 }
 
 static int
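Review bot: The `if (dsa) DSA_free(dsa);` and the five `if (x) BN_free(x);` guards under err_cleanup are redundant, since both DSA_free and BN_free are documented as no-ops on NULL; the label can be flattened to plain `DSA_free(dsa); BN_free(p); BN_free(q); BN_free(g); BN_free(priv_key); BN_free(pub_key);`. Keep the `if (data)` guard unless xmlSecKeyDataDestroy is known to accept NULL, which this hunk does not show. The RSA reader's err_cleanup label later in this file has the same redundant guards. xmlSecOpenSSLKeyDataDsaXmlRead begins outside this hunk.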
@@ -799,6 +817,8 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
     xmlNodePtr cur;
     DSA* dsa;
     int ret;
+    const BIGNUM *p, *q, *g;
+    const BIGNUM *priv_key, *pub_key;
 
     xmlSecAssert2(id == xmlSecOpenSSLKeyDataDsaId, -1);
     xmlSecAssert2(key != NULL, -1);
@@ -814,8 +834,10 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
         return(0);
     }
 
+    DSA_get0_pqg(dsa, &p, &q, &g);
+
     /* first is P node */
-    xmlSecAssert2(dsa->p != NULL, -1);
+    xmlSecAssert2(p != NULL, -1);
     cur = xmlSecAddChild(node, xmlSecNodeDSAP, xmlSecDSigNs);
     if(cur == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
@@ -826,7 +848,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeDSAP));
         return(-1);
     }
-    ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->p, 1);
+    ret = xmlSecOpenSSLNodeSetBNValue(cur, p, 1);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -838,7 +860,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
     }
 
     /* next is Q node. */
-    xmlSecAssert2(dsa->q != NULL, -1);
+    xmlSecAssert2(q != NULL, -1);
     cur = xmlSecAddChild(node, xmlSecNodeDSAQ, xmlSecDSigNs);
     if(cur == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
@@ -849,7 +871,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeDSAQ));
         return(-1);
     }
-    ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->q, 1);
+    ret = xmlSecOpenSSLNodeSetBNValue(cur, q, 1);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -861,7 +883,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
     }
 
     /* next is G node. */
-    xmlSecAssert2(dsa->g != NULL, -1);
+    xmlSecAssert2(g != NULL, -1);
     cur = xmlSecAddChild(node, xmlSecNodeDSAG, xmlSecDSigNs);
     if(cur == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
@@ -872,7 +894,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeDSAG));
         return(-1);
     }
-    ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->g, 1);
+    ret = xmlSecOpenSSLNodeSetBNValue(cur, g, 1);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -883,8 +905,10 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
         return(-1);
     }
 
+    DSA_get0_key(dsa, &pub_key, &priv_key);
+
     /* next is X node: write it ONLY for private keys and ONLY if it is requested */
-    if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (dsa->priv_key != NULL)) {
+    if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (priv_key != NULL)) {
         cur = xmlSecAddChild(node, xmlSecNodeDSAX, xmlSecNs);
         if(cur == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
@@ -895,7 +919,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                         xmlSecErrorsSafeString(xmlSecNodeDSAX));
             return(-1);
         }
-        ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->priv_key, 1);
+        ret = xmlSecOpenSSLNodeSetBNValue(cur, priv_key, 1);
         if(ret < 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -908,7 +932,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
     }
 
     /* next is Y node. */
-    xmlSecAssert2(dsa->pub_key != NULL, -1);
+    xmlSecAssert2(pub_key != NULL, -1);
     cur = xmlSecAddChild(node, xmlSecNodeDSAY, xmlSecDSigNs);
     if(cur == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
@@ -919,7 +943,7 @@ xmlSecOpenSSLKeyDataDsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeDSAY));
         return(-1);
     }
-    ret = xmlSecOpenSSLNodeSetBNValue(cur, dsa->pub_key, 1);
+    ret = xmlSecOpenSSLNodeSetBNValue(cur, pub_key, 1);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -991,16 +1015,23 @@ xmlSecOpenSSLKeyDataDsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlS
 static xmlSecKeyDataType
 xmlSecOpenSSLKeyDataDsaGetType(xmlSecKeyDataPtr data) {
     DSA* dsa;
+    const BIGNUM *p, *q, *g;
+    const BIGNUM *priv_key, *pub_key;
 
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), xmlSecKeyDataTypeUnknown);
 
     dsa = xmlSecOpenSSLKeyDataDsaGetDsa(data);
-    if((dsa != NULL) && (dsa->p != NULL) && (dsa->q != NULL) &&
-       (dsa->g != NULL) && (dsa->pub_key != NULL)) {
+    if (!dsa)
+	    return xmlSecKeyDataTypeUnknown;
 
-        if(dsa->priv_key != NULL) {
+    DSA_get0_pqg(dsa, &p, &q, &g);
+    DSA_get0_key(dsa, &pub_key, &priv_key);
+
+    if (p && q && g && pub_key) {
+
+        if (priv_key) {
             return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-        } else if(dsa->engine != NULL) {
+        } else if (DSA_get0_engine(dsa)) {
             /*
              * !!! HACK !!! Also see RSA key
              * We assume here that engine *always* has private key.
@@ -1019,14 +1050,18 @@ xmlSecOpenSSLKeyDataDsaGetType(xmlSecKeyDataPtr data) {
 static xmlSecSize
 xmlSecOpenSSLKeyDataDsaGetSize(xmlSecKeyDataPtr data) {
     DSA* dsa;
+    const BIGNUM *p;
 
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), 0);
 
     dsa = xmlSecOpenSSLKeyDataDsaGetDsa(data);
-    if((dsa != NULL) && (dsa->p != NULL)) {
-        return(BN_num_bits(dsa->p));
-    }
-    return(0);
+    if (!dsa)
+	    return 0;
+
+    DSA_get0_pqg(dsa, &p, NULL, NULL);
+    if (!p)
+	    return 0;
+    return  BN_num_bits(p);
 }
 
 static void
@@ -1194,9 +1229,9 @@ xmlSecOpenSSLKeyDataEcdsaGetEcdsa(xmlSecKeyDataPtr data) {
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataEcdsaId), NULL);
 
     pKey = xmlSecOpenSSLKeyDataEcdsaGetEvp(data);
-    xmlSecAssert2((pKey == NULL) || (pKey->type == EVP_PKEY_EC), NULL);
+    xmlSecAssert2((pKey == NULL) || (EVP_PKEY_id(pKey) == EVP_PKEY_EC), NULL);
 
-    return((pKey != NULL) ? pKey->pkey.ec : (EC_KEY*)NULL);
+    return pKey ? EVP_PKEY_get0_EC_KEY(pKey) : NULL;
 }
 
 /**
@@ -1212,7 +1247,7 @@ int
 xmlSecOpenSSLKeyDataEcdsaAdoptEvp(xmlSecKeyDataPtr data, EVP_PKEY* pKey) {
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataEcdsaId), -1);
     xmlSecAssert2(pKey != NULL, -1);
-    xmlSecAssert2(pKey->type == EVP_PKEY_EC, -1);
+    xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_EC, -1);
 
     return(xmlSecOpenSSLEvpKeyDataAdoptEvp(data, pKey));
 }
@@ -1515,9 +1550,9 @@ xmlSecOpenSSLKeyDataRsaGetRsa(xmlSecKeyDataPtr data) {
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), NULL);
 
     pKey = xmlSecOpenSSLKeyDataRsaGetEvp(data);
-    xmlSecAssert2((pKey == NULL) || (pKey->type == EVP_PKEY_RSA), NULL);
+    xmlSecAssert2((pKey == NULL) || (EVP_PKEY_id(pKey) == EVP_PKEY_RSA), NULL);
 
-    return((pKey != NULL) ? pKey->pkey.rsa : (RSA*)NULL);
+    return  pKey ? EVP_PKEY_get0_RSA(pKey) : NULL;
 }
 
 /**
@@ -1533,7 +1568,7 @@ int
 xmlSecOpenSSLKeyDataRsaAdoptEvp(xmlSecKeyDataPtr data, EVP_PKEY* pKey) {
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), -1);
     xmlSecAssert2(pKey != NULL, -1);
-    xmlSecAssert2(pKey->type == EVP_PKEY_RSA, -1);
+    xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_RSA, -1);
 
     return(xmlSecOpenSSLEvpKeyDataAdoptEvp(data, pKey));
 }
@@ -1578,9 +1613,10 @@ xmlSecOpenSSLKeyDataRsaFinalize(xmlSecKeyDataPtr data) {
 static int
 xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                                     xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
-    xmlSecKeyDataPtr data;
+    xmlSecKeyDataPtr data = NULL;
     xmlNodePtr cur;
     RSA *rsa;
+    BIGNUM *n = NULL, *e = NULL, *d = NULL;
     int ret;
 
     xmlSecAssert2(id == xmlSecOpenSSLKeyDataRsaId, -1);
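Review bot: `RSA *rsa;` is left uninitialised while the new err_cleanup label tests `if (rsa)` before RSA_free; the DSA reader in this same patch initialises `DSA *dsa = NULL;` for exactly this reason. Whether any `goto err_cleanup` can run before `rsa` is assigned depends on the RSA_new failure branch, which is not visible in these hunks, but `RSA *rsa = NULL;` makes the cleanup safe regardless and matches the DSA code. The function body continues outside this hunk.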
@@ -1617,18 +1653,16 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeRSAModulus));
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
-    if(xmlSecOpenSSLNodeGetBNValue(cur, &(rsa->n)) == NULL) {
+    if(xmlSecOpenSSLNodeGetBNValue(cur, &n) == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "xmlSecOpenSSLNodeGetBNValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeRSAModulus));
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
     cur = xmlSecGetNextElementNode(cur->next);
 
@@ -1640,33 +1674,30 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeRSAExponent));
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
-    if(xmlSecOpenSSLNodeGetBNValue(cur, &(rsa->e)) == NULL) {
+    if(xmlSecOpenSSLNodeGetBNValue(cur, &e) == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                     "xmlSecOpenSSLNodeGetBNValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     "node=%s",
                     xmlSecErrorsSafeString(xmlSecNodeRSAExponent));
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
     cur = xmlSecGetNextElementNode(cur->next);
 
     if((cur != NULL) && (xmlSecCheckNodeName(cur, xmlSecNodeRSAPrivateExponent, xmlSecNs))) {
         /* next is X node. It is REQUIRED for private key but
          * we are not sure exactly what do we read */
-        if(xmlSecOpenSSLNodeGetBNValue(cur, &(rsa->d)) == NULL) {
+        if(xmlSecOpenSSLNodeGetBNValue(cur, &d) == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
                         "xmlSecOpenSSLNodeGetBNValue",
                         XMLSEC_ERRORS_R_XMLSEC_FAILED,
                         "node=%s",
                         xmlSecErrorsSafeString(xmlSecNodeRSAPrivateExponent));
-            RSA_free(rsa);
-            return(-1);
+	    goto err_cleanup;
         }
         cur = xmlSecGetNextElementNode(cur->next);
     }
@@ -1677,10 +1708,15 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
                     XMLSEC_ERRORS_R_INVALID_NODE,
                     "no nodes expected");
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
 
+    if (!RSA_set0_key(rsa, n, e, d))
+	    goto err_cleanup;
+    n = NULL;
+    e = NULL;
+    d = NULL;
+
     data = xmlSecKeyDataCreate(id);
     if(data == NULL ) {
         xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1688,8 +1724,7 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "xmlSecKeyDataCreate",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
 
     ret = xmlSecOpenSSLKeyDataRsaAdoptRsa(data, rsa);
@@ -1699,9 +1734,7 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "xmlSecOpenSSLKeyDataRsaAdoptRsa",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        xmlSecKeyDataDestroy(data);
-        RSA_free(rsa);
-        return(-1);
+	goto err_cleanup;
     }
 
     ret = xmlSecKeySetValue(key, data);
@@ -1711,11 +1744,23 @@ xmlSecOpenSSLKeyDataRsaXmlRead(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     "xmlSecKeySetValue",
                     XMLSEC_ERRORS_R_XMLSEC_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        xmlSecKeyDataDestroy(data);
-        return(-1);
+	goto err_cleanup;
     }
 
     return(0);
+
+err_cleanup:
+    if (rsa)
+	    RSA_free(rsa);
+    if (n)
+	    BN_free(n);
+    if (e)
+	    BN_free(e);
+    if (d)
+	    BN_free(d);
+    if (data)
+	    xmlSecKeyDataDestroy(data);
+    return -1;
 }
 
 static int
@@ -1723,6 +1768,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                             xmlNodePtr node, xmlSecKeyInfoCtxPtr keyInfoCtx) {
     xmlNodePtr cur;
     RSA* rsa;
+    const BIGNUM *n, *e, *d;
     int ret;
 
     xmlSecAssert2(id == xmlSecOpenSSLKeyDataRsaId, -1);
@@ -1738,6 +1784,9 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
         /* we can have only private key or public key */
         return(0);
     }
+    if (!rsa)
+	    return -1;
+    RSA_get0_key(rsa, &n, &e, &d);
 
     /* first is Modulus node */
     cur = xmlSecAddChild(node, xmlSecNodeRSAModulus, xmlSecDSigNs);
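Review bot: The new `if (!rsa) return -1;` fails silently, whereas every other failure in xmlSecOpenSSLKeyDataRsaXmlWrite reports through xmlSecError before returning. If the function already asserts `rsa != NULL` earlier (not visible in this hunk), the check is redundant and can be dropped; otherwise write it as `xmlSecAssert2(rsa != NULL, -1);` so the failure is logged like the rest of the file. The function begins outside this hunk.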
@@ -1750,7 +1799,8 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeRSAModulus));
         return(-1);
     }
-    ret = xmlSecOpenSSLNodeSetBNValue(cur, rsa->n, 1);
+
+    ret = xmlSecOpenSSLNodeSetBNValue(cur, n, 1);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -1772,7 +1822,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                     xmlSecErrorsSafeString(xmlSecNodeRSAExponent));
         return(-1);
     }
-    ret = xmlSecOpenSSLNodeSetBNValue(cur, rsa->e, 1);
+    ret = xmlSecOpenSSLNodeSetBNValue(cur, e, 1);
     if(ret < 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -1784,7 +1834,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
     }
 
     /* next is PrivateExponent node: write it ONLY for private keys and ONLY if it is requested */
-    if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (rsa->d != NULL)) {
+    if(((keyInfoCtx->keyReq.keyType & xmlSecKeyDataTypePrivate) != 0) && (d != NULL)) {
         cur = xmlSecAddChild(node, xmlSecNodeRSAPrivateExponent, xmlSecNs);
         if(cur == NULL) {
             xmlSecError(XMLSEC_ERRORS_HERE,
@@ -1795,7 +1845,7 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key,
                         xmlSecErrorsSafeString(xmlSecNodeRSAPrivateExponent));
             return(-1);
         }
-        ret = xmlSecOpenSSLNodeSetBNValue(cur, rsa->d, 1);
+        ret = xmlSecOpenSSLNodeSetBNValue(cur, d, 1);
         if(ret < 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecKeyDataKlassGetName(id)),
@@ -1886,14 +1936,19 @@ xmlSecOpenSSLKeyDataRsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlS
 static xmlSecKeyDataType
 xmlSecOpenSSLKeyDataRsaGetType(xmlSecKeyDataPtr data) {
     RSA* rsa;
+    const BIGNUM *n, *e, *d;
 
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), xmlSecKeyDataTypeUnknown);
 
     rsa = xmlSecOpenSSLKeyDataRsaGetRsa(data);
-    if((rsa != NULL) && (rsa->n != NULL) && (rsa->e != NULL)) {
-        if(rsa->d != NULL) {
+    if (!rsa)
+	    return xmlSecKeyDataTypeUnknown;
+
+    RSA_get0_key(rsa, &n, &e, &d);
+    if (n && e ) {
+        if (d) {
             return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic);
-        } else if((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) {
+        } else if (RSA_test_flags(rsa, RSA_FLAG_EXT_PKEY)) {
             /*
              * !!! HACK !!! Also see DSA key
              * We assume here that engine *always* has private key.
@@ -1912,12 +1967,16 @@ xmlSecOpenSSLKeyDataRsaGetType(xmlSecKeyDataPtr data) {
 static xmlSecSize
 xmlSecOpenSSLKeyDataRsaGetSize(xmlSecKeyDataPtr data) {
     RSA* rsa;
+    const BIGNUM *n;
 
     xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), 0);
 
     rsa = xmlSecOpenSSLKeyDataRsaGetRsa(data);
-    if((rsa != NULL) && (rsa->n != NULL)) {
-        return(BN_num_bits(rsa->n));
+    if (!rsa)
+	    return 0;
+    RSA_get0_key(rsa, &n, NULL, NULL);
+    if (n) {
+        return BN_num_bits(n);
     }
     return(0);
 }
diff --git a/src/openssl/kt_rsa.c b/src/openssl/kt_rsa.c
index 8d47e4277510..0d6fa10f6225 100644
--- a/src/openssl/kt_rsa.c
+++ b/src/openssl/kt_rsa.c
@@ -34,6 +34,7 @@
 #include <xmlsec/openssl/crypto.h>
 #include <xmlsec/openssl/evp.h>
 #include <xmlsec/openssl/bn.h>
+#include "openssl11_wrapper.h"
 
 /**************************************************************************
  *
@@ -166,6 +167,7 @@ static int
 xmlSecOpenSSLRsaPkcs1SetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
     xmlSecOpenSSLRsaPkcs1CtxPtr ctx;
     EVP_PKEY* pKey;
+    RSA *rsa;
 
     xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaPkcs1Id), -1);
     xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
@@ -186,8 +188,9 @@ xmlSecOpenSSLRsaPkcs1SetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
                     XMLSEC_ERRORS_NO_MESSAGE);
         return(-1);
     }
-    xmlSecAssert2(pKey->type == EVP_PKEY_RSA, -1);
-    xmlSecAssert2(pKey->pkey.rsa != NULL, -1);
+    xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_RSA, -1);
+    rsa = EVP_PKEY_get0_RSA(pKey);
+    xmlSecAssert2(rsa != NULL, -1);
 
     ctx->pKey = xmlSecOpenSSLEvpKeyDup(pKey);
     if(ctx->pKey == NULL) {
@@ -253,6 +256,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     xmlSecBufferPtr in, out;
     xmlSecSize inSize, outSize;
     xmlSecSize keySize;
+    RSA *rsa;
     int ret;
 
     xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaPkcs1Id), -1);
@@ -263,10 +267,11 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     ctx = xmlSecOpenSSLRsaPkcs1GetCtx(transform);
     xmlSecAssert2(ctx != NULL, -1);
     xmlSecAssert2(ctx->pKey != NULL, -1);
-    xmlSecAssert2(ctx->pKey->type == EVP_PKEY_RSA, -1);
-    xmlSecAssert2(ctx->pKey->pkey.rsa != NULL, -1);
+    xmlSecAssert2(EVP_PKEY_id(ctx->pKey) == EVP_PKEY_RSA, -1);
+    rsa = EVP_PKEY_get0_RSA(ctx->pKey);
+    xmlSecAssert2(rsa != NULL, -1);
 
-    keySize = RSA_size(ctx->pKey->pkey.rsa);
+    keySize = RSA_size(rsa);
     xmlSecAssert2(keySize > 0, -1);
 
     in = &(transform->inBuf);
@@ -308,7 +313,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     if(transform->operation == xmlSecTransformOperationEncrypt) {
         ret = RSA_public_encrypt(inSize, xmlSecBufferGetData(in),
                                 xmlSecBufferGetData(out),
-                                ctx->pKey->pkey.rsa, RSA_PKCS1_PADDING);
+                                rsa, RSA_PKCS1_PADDING);
         if(ret <= 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -321,7 +326,7 @@ xmlSecOpenSSLRsaPkcs1Process(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     } else {
         ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in),
                                 xmlSecBufferGetData(out),
-                                ctx->pKey->pkey.rsa, RSA_PKCS1_PADDING);
+                                rsa, RSA_PKCS1_PADDING);
         if(ret <= 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -574,6 +579,7 @@ static int
 xmlSecOpenSSLRsaOaepSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
     xmlSecOpenSSLRsaOaepCtxPtr ctx;
     EVP_PKEY* pKey;
+    RSA *rsa;
 
     xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaOaepId), -1);
     xmlSecAssert2((transform->operation == xmlSecTransformOperationEncrypt) || (transform->operation == xmlSecTransformOperationDecrypt), -1);
@@ -594,8 +600,9 @@ xmlSecOpenSSLRsaOaepSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
                     XMLSEC_ERRORS_NO_MESSAGE);
         return(-1);
     }
-    xmlSecAssert2(pKey->type == EVP_PKEY_RSA, -1);
-    xmlSecAssert2(pKey->pkey.rsa != NULL, -1);
+    xmlSecAssert2(EVP_PKEY_id(pKey) == EVP_PKEY_RSA, -1);
+    rsa = EVP_PKEY_get0_RSA(pKey);
+    xmlSecAssert2(rsa != NULL, -1);
 
     ctx->pKey = xmlSecOpenSSLEvpKeyDup(pKey);
     if(ctx->pKey == NULL) {
@@ -662,6 +669,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     xmlSecBufferPtr in, out;
     xmlSecSize inSize, outSize;
     xmlSecSize keySize;
+    RSA *rsa;
     int ret;
 
     xmlSecAssert2(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaOaepId), -1);
@@ -672,10 +680,11 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     ctx = xmlSecOpenSSLRsaOaepGetCtx(transform);
     xmlSecAssert2(ctx != NULL, -1);
     xmlSecAssert2(ctx->pKey != NULL, -1);
-    xmlSecAssert2(ctx->pKey->type == EVP_PKEY_RSA, -1);
-    xmlSecAssert2(ctx->pKey->pkey.rsa != NULL, -1);
+    xmlSecAssert2(EVP_PKEY_id(ctx->pKey) == EVP_PKEY_RSA, -1);
+    rsa = EVP_PKEY_get0_RSA(ctx->pKey);
+    xmlSecAssert2(rsa != NULL, -1);
 
-    keySize = RSA_size(ctx->pKey->pkey.rsa);
+    keySize = RSA_size(rsa);
     xmlSecAssert2(keySize > 0, -1);
 
     in = &(transform->inBuf);
@@ -719,7 +728,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
         /* encode w/o OAEPParams --> simple */
         ret = RSA_public_encrypt(inSize, xmlSecBufferGetData(in),
                                 xmlSecBufferGetData(out),
-                                ctx->pKey->pkey.rsa, RSA_PKCS1_OAEP_PADDING);
+                                rsa, RSA_PKCS1_OAEP_PADDING);
         if(ret <= 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -761,7 +770,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
         /* encode with OAEPParams */
         ret = RSA_public_encrypt(inSize, xmlSecBufferGetData(in),
                                 xmlSecBufferGetData(out),
-                                ctx->pKey->pkey.rsa, RSA_NO_PADDING);
+                                rsa, RSA_NO_PADDING);
         if(ret <= 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -774,7 +783,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
     } else if((transform->operation == xmlSecTransformOperationDecrypt) && (paramsSize == 0)) {
         ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in),
                                 xmlSecBufferGetData(out),
-                                ctx->pKey->pkey.rsa, RSA_PKCS1_OAEP_PADDING);
+                                rsa, RSA_PKCS1_OAEP_PADDING);
         if(ret <= 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
@@ -798,7 +807,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr
         }
         ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in),
                                 xmlSecBufferGetData(out),
-                                ctx->pKey->pkey.rsa, RSA_NO_PADDING);
+                                rsa, RSA_NO_PADDING);
         if(ret <= 0) {
             xmlSecError(XMLSEC_ERRORS_HERE,
                         xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
diff --git a/src/openssl/openssl11_wrapper.h b/src/openssl/openssl11_wrapper.h
new file mode 100644
index 000000000000..9eedee43d239
--- /dev/null
+++ b/src/openssl/openssl11_wrapper.h
@@ -0,0 +1,153 @@
+#ifndef __XMLSEC_OPENSSL11_WRAPPER_H__
+#define __XMLSEC_OPENSSL11_WRAPPER_H__
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+#define EVP_PKEY_up_ref(_k) \
+	CRYPTO_add(&((_k)->references), 1, CRYPTO_LOCK_EVP_PKEY)
+#define EVP_PKEY_id(_x)			_x->type
+#define EVP_PKEY_get0_DSA(_x)		((_x != NULL) ? _x->pkey.dsa : (DSA*)NULL)
+#define EVP_PKEY_get0_EC_KEY(_x)	((_x != NULL) ? _x->pkey.ec : (EC_KEY*)NULL)
+#define EVP_PKEY_get0_RSA(_x)		((_x != NULL) ? _x->pkey.rsa : (RSA*)NULL)
+
+static inline void DSA_get0_pqg(const DSA *d,
+		const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+	if (p != NULL)
+		*p = d->p;
+	if (q != NULL)
+		*q = d->q;
+	if (g != NULL)
+		*g = d->g;
+}
+
+static inline void DSA_get0_key(const DSA *d,
+		const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+	if (pub_key != NULL)
+		*pub_key = d->pub_key;
+	if (priv_key != NULL)
+		*priv_key = d->priv_key;
+}
+
+static inline void RSA_get0_key(const RSA *r,
+		const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+	if (n != NULL)
+		*n = r->n;
+	if (e != NULL)
+		*e = r->e;
+	if (d != NULL)
+		*d = r->d;
+}
+
+#define RSA_test_flags(_rsa, _flags)	(_rsa->flags & _flags)
+
+static inline void DSA_SIG_get0(const DSA_SIG *sig,
+		const BIGNUM **pr, const BIGNUM **ps)
+{
+	if (pr != NULL)
+		*pr = sig->r;
+	if (ps != NULL)
+		*ps = sig->s;
+}
+
+static inline void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr,
+		const BIGNUM **ps)
+{
+	if (pr != NULL)
+		*pr = sig->r;
+	if (ps != NULL)
+		*ps = sig->s;
+}
+
+static inline int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+	if (r == NULL || s == NULL)
+		return 0;
+	BN_clear_free(sig->r);
+	BN_clear_free(sig->s);
+	sig->r = r;
+	sig->s = s;
+	return 1;
+}
+
+static inline int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+	if (r == NULL || s == NULL)
+		return 0;
+	BN_clear_free(sig->r);
+	BN_clear_free(sig->s);
+	sig->r = r;
+	sig->s = s;
+	return 1;
+}
+
+static inline ENGINE *DSA_get0_engine(DSA *d)
+{
+	return d->engine;
+}
+
+static inline int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+	if ((r->n == NULL && n == NULL)
+	     || (r->e == NULL && e == NULL))
+		return 0;
+
+	if (n != NULL) {
+		BN_free(r->n);
+		r->n = n;
+	}
+	if (e != NULL) {
+		BN_free(r->e);
+		r->e = e;
+	}
+	if (d != NULL) {
+		BN_free(r->d);
+		r->d = d;
+	}
+
+	return 1;
+}
+
+static inline int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	if ((d->p == NULL && p == NULL)
+			|| (d->q == NULL && q == NULL)
+			|| (d->g == NULL && g == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(d->p);
+		d->p = p;
+	}
+	if (q != NULL) {
+		BN_free(d->q);
+		d->q = q;
+	}
+	if (g != NULL) {
+		BN_free(d->g);
+		d->g = g;
+	}
+
+	return 1;
+}
+
+static inline int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+	if (d->pub_key == NULL && pub_key == NULL)
+		return 0;
+
+	if (pub_key != NULL) {
+		BN_free(d->pub_key);
+		d->pub_key = pub_key;
+	}
+	if (priv_key != NULL) {
+		BN_free(d->priv_key);
+		d->priv_key = priv_key;
+	}
+
+	return 1;
+}
+
+#endif
+#endif
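Review bot: The function-like macros at the top of the compat block do not parenthesize their arguments, so `RSA_test_flags(r, A | B)` expands to `r->flags & A | B`, which C parses as `(r->flags & A) | B`; write `#define RSA_test_flags(_rsa, _flags) ((_rsa)->flags & (_flags))` and parenthesize `_x` the same way in `EVP_PKEY_id` and the three `EVP_PKEY_get0_*` macros. The `#if OPENSSL_VERSION_NUMBER < 0x10100000` gate relies on a macro this header never includes: if the including file has not already pulled in `<openssl/opensslv.h>`, the preprocessor evaluates the undefined name as 0 and the whole compat block is compiled on top of the real 1.1.0 headers, so the header should `#include <openssl/opensslv.h>` itself. It is also a different gate from the `XMLSEC_OPENSSL_110` macro that signatures.c and x509vfy.c keep using for their own shims; should the two ever disagree, the static functions defined here would collide with the library's prototypes. `__XMLSEC_OPENSSL11_WRAPPER_H__` is a reserved identifier (double underscore); `XMLSEC_OPENSSL11_WRAPPER_H` is the conventional guard.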
diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c
index 5cb6f7b85d66..76d3eec298f4 100644
--- a/src/openssl/signatures.c
+++ b/src/openssl/signatures.c
@@ -21,6 +21,7 @@
 
 #include <xmlsec/openssl/crypto.h>
 #include <xmlsec/openssl/evp.h>
+#include "openssl11_wrapper.h"
 
 /* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html):
  *
@@ -31,47 +32,8 @@
 #define EVP_MD_CTX_free(x)     EVP_MD_CTX_destroy((x))
 #define EVP_MD_CTX_md_data(x)  ((x)->md_data)
 
-#ifndef XMLSEC_NO_DSA
-/* we expect the r/s to be NOT NULL */
-static void ECDSA_SIG_get0(BIGNUM **pr, BIGNUM **ps, ECDSA_SIG *sig) {
-    if (pr != NULL) {
-        if(sig->r == NULL) {
-            sig->r = BN_new();
-        }
-        *pr = sig->r;
-    }
-    if (ps != NULL) {
-        if(sig->s == NULL) {
-            sig->s = BN_new();
-        }
-        *ps = sig->s;
-    }
-}
-#endif /* XMLSEC_NO_ECDSA */
-
 #endif /* !defined(XMLSEC_OPENSSL_110) */
 
-/* Preparation for OpenSSL 1.1.0 compatibility: we expect the r/s to be NOT NULL */
-#ifndef XMLSEC_NO_DSA
-static void DSA_SIG_get0(BIGNUM **pr, BIGNUM **ps, DSA_SIG *sig) {
-    if (pr != NULL) {
-        if(sig->r == NULL) {
-            sig->r = BN_new();
-        }
-        *pr = sig->r;
-    }
-    if (ps != NULL) {
-        if(sig->s == NULL) {
-            sig->s = BN_new();
-        }
-        *ps = sig->s;
-    }
-}
-#endif /* XMLSEC_NO_DSA */
-
-
-
-
 /**************************************************************************
  *
  * Internal OpenSSL signatures ctx: forward declarations
@@ -610,7 +572,7 @@ static int
 xmlSecOpenSSLSignatureDsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr out) {
     DSA * dsaKey = NULL;
     DSA_SIG *sig = NULL;
-    BIGNUM *rr = NULL, *ss = NULL;
+    const BIGNUM *rr = NULL, *ss = NULL;
     xmlSecByte *outData;
     xmlSecSize dsaSignSize, signHalfSize, rSize, sSize;
     int res = -1;
@@ -666,7 +628,7 @@ xmlSecOpenSSLSignatureDsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr
     }
 
     /* get signature components */
-    DSA_SIG_get0(&rr, &ss, sig);
+    DSA_SIG_get0(sig, &rr, &ss);
     if((rr == NULL) || (ss == NULL)) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -790,7 +752,7 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy
 
     /* create/read signature */
     sig = DSA_SIG_new();
-    if (sig == NULL) {
+    if (!sig) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
                     "DSA_SIG_new",
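Review bot: Rewriting `if (sig == NULL)` as `if (!sig)` is a style-only change that leaves this check inconsistent with the `if(rr == NULL)` and `if(ss == NULL)` tests a few lines below in the same function, and with the file's `== NULL` convention generally. Either keep the original line or, if the patch wants the shorter form, apply it uniformly; a mixed style in one function is harder to scan than either. The enclosing function continues outside this hunk.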
@@ -799,18 +761,7 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy
         goto done;
     }
 
-    /* get signature components */
-    DSA_SIG_get0(&rr, &ss, sig);
-    if((rr == NULL) || (ss == NULL)) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                    NULL,
-                    "DSA_SIG_get0",
-                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
-        goto done;
-    }
-
-    rr = BN_bin2bn(signData, signHalfSize, rr);
+    rr = BN_bin2bn(signData, signHalfSize, NULL);
     if(rr == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -819,7 +770,7 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy
                     XMLSEC_ERRORS_NO_MESSAGE);
         goto done;
     }
-    ss = BN_bin2bn(signData + signHalfSize, signHalfSize, ss);
+    ss = BN_bin2bn(signData + signHalfSize, signHalfSize, NULL);
     if(ss == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -829,6 +780,18 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy
         goto done;
     }
 
+    if (!DSA_SIG_set0(sig, rr, ss)) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "DSA_SIG_set0",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        goto done;
+    }
+
+    rr = NULL;
+    ss = NULL;
+
     /* verify signature */
     ret = DSA_do_verify(ctx->dgst, ctx->dgstSize, sig, dsaKey);
     if(ret < 0) {
@@ -855,7 +818,10 @@ xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecBy
     if(dsaKey != NULL) {
         DSA_free(dsaKey);
     }
-
+    if (rr)
+	    BN_clear_free(rr);
+    if (ss)
+	    BN_clear_free(ss);
     /* done */
     return(res);
 }
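Review bot: The new cleanup at `done` uses unbraced, tab-indented `if (rr) BN_clear_free(rr);` directly beneath the file's braced, four-space `if(dsaKey != NULL) { DSA_free(dsaKey); }`; the same shape is added to the ECDSA verify cleanup in the hunk ending at the `EC_KEY_free(ecKey)` block. Both OpenSSL 1.0.2 and 1.1.0 return early from `BN_clear_free` on NULL, so the guard can be dropped or, if kept, written in the surrounding style: `if(rr != NULL) { BN_clear_free(rr); }`. The `done:` label and the declarations of `rr`/`ss` are outside this hunk.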
@@ -1033,7 +999,7 @@ static int
 xmlSecOpenSSLSignatureEcdsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr out) {
     EC_KEY * ecKey = NULL;
     ECDSA_SIG *sig = NULL;
-    BIGNUM *rr = NULL, *ss = NULL;
+    const BIGNUM *rr = NULL, *ss = NULL;
     xmlSecByte *outData;
     xmlSecSize signHalfSize, rSize, sSize;
     int res = -1;
@@ -1079,7 +1045,7 @@ xmlSecOpenSSLSignatureEcdsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPt
     }
 
     /* get signature components */
-    ECDSA_SIG_get0(&rr, &ss, sig);
+    ECDSA_SIG_get0(sig, &rr, &ss);
     if((rr == NULL) || (ss == NULL)) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -1206,18 +1172,7 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec
         goto done;
     }
 
-    /* get signature components */
-    ECDSA_SIG_get0(&rr, &ss, sig);
-    if((rr == NULL) || (ss == NULL)) {
-        xmlSecError(XMLSEC_ERRORS_HERE,
-                    NULL,
-                    "ECDSA_SIG_get0",
-                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
-                    XMLSEC_ERRORS_NO_MESSAGE);
-        goto done;
-    }
-
-    rr = BN_bin2bn(signData, signHalfSize, rr);
+    rr = BN_bin2bn(signData, signHalfSize, NULL);
     if(rr == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -1226,7 +1181,7 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec
                     XMLSEC_ERRORS_NO_MESSAGE);
         goto done;
     }
-    ss = BN_bin2bn(signData + signHalfSize, signHalfSize, ss);
+    ss = BN_bin2bn(signData + signHalfSize, signHalfSize, NULL);
     if(ss == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
@@ -1236,6 +1191,17 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec
         goto done;
     }
 
+    if (!ECDSA_SIG_set0(sig, rr, ss)) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "ECDSA_SIG_set0()",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+        goto done;
+    }
+    rr = NULL;
+    ss = NULL;
+
     /* verify signature */
     ret = ECDSA_do_verify(ctx->dgst, ctx->dgstSize, sig, ecKey);
     if(ret < 0) {
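Review bot: The error label `"ECDSA_SIG_set0()"` carries parentheses while every other label in the file, including `"DSA_SIG_set0"` added in the parallel DSA verify hunk and the existing `"DSA_SIG_new"`, names the bare function; use `"ECDSA_SIG_set0"` so log output and grep results stay uniform. The ownership hand-off itself (`rr = NULL; ss = NULL;` only after `ECDSA_SIG_set0` succeeds, so `done` frees them on the failure path) is correct. The enclosing function's declarations and `done:` label are outside this hunk.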
@@ -1262,6 +1228,10 @@ xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSec
     if(ecKey != NULL) {
         EC_KEY_free(ecKey);
     }
+    if (rr)
+	    BN_clear_free(rr);
+    if (ss)
+	    BN_clear_free(ss);
 
     /* done */
     return(res);
diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c
index 5560526b2aa5..03faad86edab 100644
--- a/src/openssl/x509vfy.c
+++ b/src/openssl/x509vfy.c
@@ -40,6 +40,29 @@
 /* new API from OpenSSL 1.1.0 */
 #if !defined(XMLSEC_OPENSSL_110)
 #define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber)
+
+static void X509_OBJECT_free(X509_OBJECT *a)
+{
+	if (a == NULL)
+		return;
+	X509_OBJECT_free_contents(a);
+	free(a);
+}
+
+static X509_OBJECT *X509_OBJECT_new()
+{
+	X509_OBJECT *ret = calloc(1, sizeof(*ret));
+
+	return ret;
+}
+
+static inline X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
+{
+	if (a == NULL)
+		return NULL;
+	return a->data.x509;
+}
+
 #endif /* !defined(XMLSEC_OPENSSL_110) */
 
 /**************************************************************************
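Review bot: `static X509_OBJECT *X509_OBJECT_new()` declares a function without a prototype (empty parentheses in C), and it is the only one of the three shims that is not `static inline`; write `static inline X509_OBJECT *X509_OBJECT_new(void)`. The shim allocates with `calloc` and releases with `free` rather than OpenSSL's allocator, which is consistent as long as every object passed to this `X509_OBJECT_free` comes from this `X509_OBJECT_new`; a one-line comment stating that pairing would help the next reader. `calloc` also presumes `<stdlib.h>` is already included, which this hunk does not show.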
@@ -181,6 +204,7 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
     X509 * res = NULL;
     X509 * cert;
     X509 * err_cert = NULL;
+    X509_STORE_CTX *xsc;
     char buf[256];
     int err = 0;
     int i;
@@ -190,6 +214,16 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
     xmlSecAssert2(certs != NULL, NULL);
     xmlSecAssert2(keyInfoCtx != NULL, NULL);
 
+    xsc = X509_STORE_CTX_new();
+    if (!xsc) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)),
+                    "X509_STORE_CTX_new",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+	    goto done;
+    }
+
     ctx = xmlSecOpenSSLX509StoreGetCtx(store);
     xmlSecAssert2(ctx != NULL, NULL);
     xmlSecAssert2(ctx->xst != NULL, NULL);
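Review bot: `X509_STORE_CTX_new()` now runs before the `xmlSecAssert2(ctx != NULL, NULL)` and `xmlSecAssert2(ctx->xst != NULL, NULL)` checks that follow it, and those macros return straight out of the function with their second argument, so a failed assertion leaks the freshly allocated context; move the allocation block below the last `xmlSecAssert2` so nothing is owned before the first `goto done`. The `goto done` on the failure branch is also tab-indented inside four-space code. The `done:` label and the declarations of `certs2`/`crls2` are outside this hunk, so whether they are already initialised when `done` is reached from this early exit should be confirmed.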
@@ -289,11 +323,10 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
     for(i = 0; i < sk_X509_num(certs2); ++i) {
         cert = sk_X509_value(certs2, i);
         if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) {
-            X509_STORE_CTX xsc;
 
-            X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2);
+            X509_STORE_CTX_init (xsc, ctx->xst, cert, certs2);
             if(keyInfoCtx->certsVerificationTime > 0) {
-                X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime);
+                X509_STORE_CTX_set_time(xsc, 0, keyInfoCtx->certsVerificationTime);
             }
 
             {
@@ -319,15 +352,15 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
 
                 X509_VERIFY_PARAM_set_depth(vpm, 9);
                 X509_VERIFY_PARAM_set_flags(vpm, vpm_flags);
-                X509_STORE_CTX_set0_param(&xsc, vpm);
+                X509_STORE_CTX_set0_param(xsc, vpm);
             }
 
 
-            ret         = X509_verify_cert(&xsc);
-            err_cert    = X509_STORE_CTX_get_current_cert(&xsc);
-            err         = X509_STORE_CTX_get_error(&xsc);
+            ret         = X509_verify_cert(xsc);
+            err_cert    = X509_STORE_CTX_get_current_cert(xsc);
+            err         = X509_STORE_CTX_get_error(xsc);
 
-            X509_STORE_CTX_cleanup (&xsc);
+            X509_STORE_CTX_cleanup (xsc);
 
             if(ret == 1) {
                 res = cert;
@@ -417,6 +450,8 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509*
     if(crls2 != NULL) {
         sk_X509_CRL_free(crls2);
     }
+    if (xsc)
+	    X509_STORE_CTX_free(xsc);
     return(res);
 }
 
@@ -729,34 +764,44 @@ xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) {
  *****************************************************************************/
 static int
 xmlSecOpenSSLX509VerifyCRL(X509_STORE* xst, X509_CRL *crl ) {
-    X509_STORE_CTX xsc;
-    X509_OBJECT xobj;
+    X509_STORE_CTX *xsc;
+    X509_OBJECT *xobj;
     EVP_PKEY *pkey;
     int ret;
 
     xmlSecAssert2(xst != NULL, -1);
     xmlSecAssert2(crl != NULL, -1);
 
-    X509_STORE_CTX_init(&xsc, xst, NULL, NULL);
-    ret = X509_STORE_get_by_subject(&xsc, X509_LU_X509,
-                                    X509_CRL_get_issuer(crl), &xobj);
+    xsc = X509_STORE_CTX_new();
+    xobj = X509_OBJECT_new();
+    if (!xsc || !xobj) {
+        xmlSecError(XMLSEC_ERRORS_HERE,
+                    NULL,
+                    "X509_STORE_CTX_new",
+                    XMLSEC_ERRORS_R_CRYPTO_FAILED,
+                    XMLSEC_ERRORS_NO_MESSAGE);
+	goto err;
+    }
+
+    X509_STORE_CTX_init(xsc, xst, NULL, NULL);
+    ret = X509_STORE_get_by_subject(xsc, X509_LU_X509,
+                                    X509_CRL_get_issuer(crl), xobj);
     if(ret <= 0) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
                     "X509_STORE_get_by_subject",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        return(-1);
+        goto err;
     }
-    pkey = X509_get_pubkey(xobj.data.x509);
-    X509_OBJECT_free_contents(&xobj);
+    pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
     if(pkey == NULL) {
         xmlSecError(XMLSEC_ERRORS_HERE,
                     NULL,
                     "X509_get_pubkey",
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
-        return(-1);
+        goto err;
     }
     ret = X509_CRL_verify(crl, pkey);
     EVP_PKEY_free(pkey);
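Review bot: The combined `if (!xsc || !xobj)` check reports `"X509_STORE_CTX_new"` even when it was `X509_OBJECT_new()` that returned NULL, which sends the reader to the wrong allocator; check the two results separately, each with its own label, or name both in the message. The `goto err` inside that block is tab-indented while the rest of the function uses four spaces. The `err:` label is in the following hunk.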
@@ -767,8 +812,14 @@ xmlSecOpenSSLX509VerifyCRL(X509_STORE* xst, X509_CRL *crl ) {
                     XMLSEC_ERRORS_R_CRYPTO_FAILED,
                     XMLSEC_ERRORS_NO_MESSAGE);
     }
-    X509_STORE_CTX_cleanup (&xsc);
+    X509_STORE_CTX_free(xsc);
+    X509_OBJECT_free(xobj);
     return((ret == 1) ? 1 : 0);
+
+err:
+    X509_STORE_CTX_free(xsc);
+    X509_OBJECT_free(xobj);
+    return -1;
 }
 
 static X509*
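Review bot: The `err:` path frees `xsc` unconditionally, but it is reached from the `if (!xsc || !xobj)` branch where `xsc` may be NULL, and `xmlSecOpenSSLX509StoreVerify` in the same patch guards the equivalent call with `if (xsc)`, so the two functions disagree on whether `X509_STORE_CTX_free` tolerates NULL. OpenSSL 1.1.0 returns early on NULL; whether the 1.0.x release this patch is built against does should be verified rather than assumed, whereas the `X509_OBJECT_free` shim above handles NULL itself. Either guard here as well or drop the guard in the other function so both rely on the same contract. The success and `err:` exits also duplicate the two free calls; a single exit with `ret` set beforehand would keep the cleanup in one place.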
-- 
2.9.3
