diff options
| author | Andy Fiddaman <omnios@citrus-it.co.uk> | 2018-01-16 21:39:56 +0000 |
|---|---|---|
| committer | Dan McDonald <danmcd@smartos-build.work.kebe.com> | 2018-05-02 13:45:46 -0400 |
| commit | d594fdf0d7d2cb2b3f01fd505d73eab566617b91 (patch) | |
| tree | 617dbbf507779f55da965e1e676c69e95de96c29 /usr/src/lib/libkmf | |
| parent | 21010238a099cd373426f6caba5f6d15a0bc918d (diff) | |
| download | illumos-joyent-openssl.tar.gz | |
8982 Support building with OpenSSL 1.1 Reviewed by: Dominik Hassler <hadfl@omniosce.org> Reviewed by: Igor Kozhukhov <igor@dilos.org> Reviewed by: Ken Mays <maybird1776@yahoo.com> Reviewed by: Jason King <jason.king@joyent.com>openssl
Diffstat (limited to 'usr/src/lib/libkmf')
4 files changed, 909 insertions, 313 deletions
diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/Makefile.com b/usr/src/lib/libkmf/plugins/kmf_openssl/Makefile.com index 72432160c7..5c327cae00 100644 --- a/usr/src/lib/libkmf/plugins/kmf_openssl/Makefile.com +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/Makefile.com @@ -27,7 +27,7 @@ LIBRARY= kmf_openssl.a VERS= .1 -OBJECTS= openssl_spi.o +OBJECTS= openssl_spi.o compat.o include $(SRC)/lib/Makefile.lib diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c new file mode 100644 index 0000000000..b64064cb7b --- /dev/null +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c @@ -0,0 +1,446 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <string.h> +#include <openssl/bio.h> +#include <openssl/engine.h> +#include "compat.h" + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +static void * +OPENSSL_zalloc(size_t num) +{ + void *ret = OPENSSL_malloc(num); + + if (ret != NULL) + (void) memset(ret, 0, num); + return (ret); +} + +int +RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) +{ + /* + * If the fields n and e in r are NULL, the corresponding input + * parameters MUST be non-NULL for n and e. d may be + * left NULL (in case only the public key is used). + */ + if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) + return (0); + + if (n != NULL) { + BN_free(r->n); + r->n = n; + } + if (e != NULL) { + BN_free(r->e); + r->e = e; + } + if (d != NULL) { + BN_free(r->d); + r->d = d; + } + + return (1); +} + +int +RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) +{ + /* + * If the fields p and q in r are NULL, the corresponding input + * parameters MUST be non-NULL. + */ + if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) + return (0); + + if (p != NULL) { + BN_free(r->p); + r->p = p; + } + if (q != NULL) { + BN_free(r->q); + r->q = q; + } + + return (1); +} + +int +RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) +{ + /* + * If the fields dmp1, dmq1 and iqmp in r are NULL, the + * corresponding input parameters MUST be non-NULL. + */ + if ((r->dmp1 == NULL && dmp1 == NULL) || + (r->dmq1 == NULL && dmq1 == NULL) || + (r->iqmp == NULL && iqmp == NULL)) + return (0); + + if (dmp1 != NULL) { + BN_free(r->dmp1); + r->dmp1 = dmp1; + } + if (dmq1 != NULL) { + BN_free(r->dmq1); + r->dmq1 = dmq1; + } + if (iqmp != NULL) { + BN_free(r->iqmp); + r->iqmp = iqmp; + } + + return (1); +} + +void +RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) +{ + if (n != NULL) + *n = r->n; + if (e != NULL) + *e = r->e; + if (d != NULL) + *d = r->d; +} + +void +RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +{ + if (p != NULL) + *p = r->p; + if (q != NULL) + *q = r->q; +} + +void +RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, + const BIGNUM **iqmp) +{ + if (dmp1 != NULL) + *dmp1 = r->dmp1; + if (dmq1 != NULL) + *dmq1 = r->dmq1; + if (iqmp != NULL) + *iqmp = r->iqmp; +} + +void +DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, + const BIGNUM **g) +{ + if (p != NULL) + *p = d->p; + if (q != NULL) + *q = d->q; + if (g != NULL) + *g = d->g; +} + +int +DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + /* + * If the fields p, q and g in d are NULL, the corresponding input + * parameters MUST be non-NULL. + */ + if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || + (d->g == NULL && g == NULL)) + return (0); + + if (p != NULL) { + BN_free(d->p); + d->p = p; + } + if (q != NULL) { + BN_free(d->q); + d->q = q; + } + if (g != NULL) { + BN_free(d->g); + d->g = g; + } + + return (1); +} + +void +DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = d->pub_key; + if (priv_key != NULL) + *priv_key = d->priv_key; +} + +int +DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) +{ + /* + * If the field pub_key in d is NULL, the corresponding input + * parameters MUST be non-NULL. The priv_key field may + * be left NULL. + */ + if (d->pub_key == NULL && pub_key == NULL) + return (0); + + if (pub_key != NULL) { + BN_free(d->pub_key); + d->pub_key = pub_key; + } + if (priv_key != NULL) { + BN_free(d->priv_key); + d->priv_key = priv_key; + } + + return (1); +} + +void +DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +{ + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +int +DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return (0); + BN_clear_free(sig->r); + BN_clear_free(sig->s); + sig->r = r; + sig->s = s; + return (1); +} + +DSA * +EVP_PKEY_get0_DSA(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_DSA) + return (NULL); + return (pkey->pkey.dsa); +} + +void +ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) +{ + if (pr != NULL) + *pr = sig->r; + if (ps != NULL) + *ps = sig->s; +} + +int +ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) +{ + if (r == NULL || s == NULL) + return (0); + BN_clear_free(sig->r); + BN_clear_free(sig->s); + sig->r = r; + sig->s = s; + return (1); +} + +void +DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = dh->p; + if (q != NULL) + *q = dh->q; + if (g != NULL) + *g = dh->g; +} + +int +DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) +{ + /* + * If the fields p and g in d are NULL, the corresponding input + * parameters MUST be non-NULL. q may remain NULL. + */ + if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) + return (0); + + if (p != NULL) { + BN_free(dh->p); + dh->p = p; + } + if (q != NULL) { + BN_free(dh->q); + dh->q = q; + } + if (g != NULL) { + BN_free(dh->g); + dh->g = g; + } + + if (q != NULL) { + dh->length = BN_num_bits(q); + } + + return (1); +} + +void +DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = dh->pub_key; + if (priv_key != NULL) + *priv_key = dh->priv_key; +} + +int +DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) +{ + /* + * If the field pub_key in dh is NULL, the corresponding input + * parameters MUST be non-NULL. The priv_key field may + * be left NULL. + */ + if (dh->pub_key == NULL && pub_key == NULL) + return (0); + + if (pub_key != NULL) { + BN_free(dh->pub_key); + dh->pub_key = pub_key; + } + if (priv_key != NULL) { + BN_free(dh->priv_key); + dh->priv_key = priv_key; + } + + return (1); +} + +int +DH_set_length(DH *dh, long length) +{ + dh->length = length; + return (1); +} + +const unsigned char * +EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx) +{ + return (ctx->iv); +} + +unsigned char * +EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx) +{ + return (ctx->iv); +} + +EVP_MD_CTX * +EVP_MD_CTX_new(void) +{ + return (OPENSSL_zalloc(sizeof (EVP_MD_CTX))); +} + +void +EVP_MD_CTX_free(EVP_MD_CTX *ctx) +{ + (void) EVP_MD_CTX_cleanup(ctx); + OPENSSL_free(ctx); +} + +RSA_METHOD * +RSA_meth_dup(const RSA_METHOD *meth) +{ + RSA_METHOD *ret; + + ret = OPENSSL_malloc(sizeof (RSA_METHOD)); + + if (ret != NULL) { + (void) memcpy(ret, meth, sizeof (*meth)); + ret->name = OPENSSL_strdup(meth->name); + if (ret->name == NULL) { + OPENSSL_free(ret); + return (NULL); + } + } + + return (ret); +} + +int +RSA_meth_set1_name(RSA_METHOD *meth, const char *name) +{ + char *tmpname; + + tmpname = OPENSSL_strdup(name); + if (tmpname == NULL) { + return (0); + } + + OPENSSL_free((char *)meth->name); + meth->name = tmpname; + + return (1); +} + +int +RSA_meth_set_priv_enc(RSA_METHOD *meth, + int (*priv_enc) (int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding)) +{ + meth->rsa_priv_enc = priv_enc; + return (1); +} + +int +RSA_meth_set_priv_dec(RSA_METHOD *meth, + int (*priv_dec) (int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding)) +{ + meth->rsa_priv_dec = priv_dec; + return (1); +} + +int +RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) +{ + meth->finish = finish; + return (1); +} + +void +RSA_meth_free(RSA_METHOD *meth) +{ + if (meth != NULL) { + OPENSSL_free((char *)meth->name); + OPENSSL_free(meth); + } +} + +int +RSA_bits(const RSA *r) +{ + return (BN_num_bits(r->n)); +} + +RSA * +EVP_PKEY_get0_RSA(EVP_PKEY *pkey) +{ + if (pkey->type != EVP_PKEY_RSA) { + return (NULL); + } + return (pkey->pkey.rsa); +} + +#endif /* OPENSSL_VERSION_NUMBER */ diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h new file mode 100644 index 0000000000..6613eb8d6d --- /dev/null +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h @@ -0,0 +1,91 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#ifndef LIBCRYPTO_COMPAT_H +#define LIBCRYPTO_COMPAT_H + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + +#include <openssl/rsa.h> +#include <openssl/dsa.h> +#include <openssl/ecdsa.h> +#include <openssl/dh.h> +#include <openssl/evp.h> + +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); +int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); +int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); +void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, + const BIGNUM **d); +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, + const BIGNUM **dmq1, const BIGNUM **iqmp); + +void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, + const BIGNUM **g); +int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); +void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, + const BIGNUM **priv_key); +int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); + +void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); +DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey); + +void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); +int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); + +void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, + const BIGNUM **g); +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); +int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); +int DH_set_length(DH *dh, long length); + +const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); +unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); +EVP_MD_CTX *EVP_MD_CTX_new(void); +void EVP_MD_CTX_free(EVP_MD_CTX *ctx); +#define EVP_CIPHER_impl_ctx_size(e) e->ctx_size +#define EVP_CIPHER_CTX_get_cipher_data(ctx) ctx->cipher_data + +RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); +int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); +#define RSA_meth_get_finish(meth) meth->finish +int RSA_meth_set_priv_enc(RSA_METHOD *meth, + int (*priv_enc) (int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding)); +int RSA_meth_set_priv_dec(RSA_METHOD *meth, + int (*priv_dec) (int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding)); +int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)); +void RSA_meth_free(RSA_METHOD *meth); + +int RSA_bits(const RSA *r); + +RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); + +#define OCSP_resp_get0_certs(bs) ((bs)->certs) +#define PKCS12_SAFEBAG_get0_attr(bag, attr) PKCS12_get_attr(bag, attr) +#define PKCS12_SAFEBAG_get_nid(bag) M_PKCS12_bag_type(bag) +#define PKCS12_SAFEBAG_get0_p8inf(bag) ((bag)->value.keybag) +#define PKCS12_SAFEBAG_get0_safes(bag) ((bag)->value.safes) +#define PKCS12_SAFEBAG_create_cert PKCS12_x5092certbag +#define PKCS12_SAFEBAG_create_pkcs8_encrypt PKCS12_MAKE_SHKEYBAG +#define PKCS12_SAFEBAG_get_bag_nid M_PKCS12_cert_bag_type +#define PKCS12_SAFEBAG_get1_cert PKCS12_certbag2x509 +#define X509_REVOKED_get0_serialNumber(revoke) ((revoke)->serialNumber) +#define X509_CRL_get0_lastUpdate(xcrl) X509_CRL_get_lastUpdate(xcrl) +#define X509_CRL_get0_nextUpdate(xcrl) X509_CRL_get_nextUpdate(xcrl) +#define X509_getm_notBefore X509_get_notBefore +#define X509_getm_notAfter X509_get_notAfter + +#endif /* OPENSSL_VERSION_NUMBER */ + +#endif /* LIBCRYPTO_COMPAT_H */ diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c index 46aea6a2aa..3ca328ff05 100644 --- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c @@ -5,6 +5,7 @@ */ /* * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved. + * Copyright 2018 OmniOS Community Edition (OmniOSce) Association. */ /* * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL @@ -80,7 +81,6 @@ #include <openssl/bn.h> #include <openssl/asn1.h> #include <openssl/err.h> -#include <openssl/bn.h> #include <openssl/x509.h> #include <openssl/rsa.h> #include <openssl/dsa.h> @@ -91,6 +91,7 @@ #include <openssl/ocsp.h> #include <openssl/des.h> #include <openssl/rand.h> +#include "compat.h" #define PRINT_ANY_EXTENSION (\ KMF_X509_EXT_KEY_USAGE |\ @@ -137,6 +138,7 @@ static uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, /* * Declare some new macros for managing stacks of EVP_PKEYS. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L DECLARE_STACK_OF(EVP_PKEY) #define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY) @@ -147,6 +149,11 @@ DECLARE_STACK_OF(EVP_PKEY) #define sk_EVP_PKEY_pop_free(st, free_func) SKM_sk_pop_free(EVP_PKEY, (st), \ (free_func)) +#else +/* LINTED E_STATIC_UNUSED */ +DEFINE_STACK_OF(EVP_PKEY) +#endif + mutex_t init_lock = DEFAULTMUTEX; static int ssl_initialized = 0; static BIO *bio_err = NULL; @@ -293,6 +300,7 @@ KMF_PLUGIN_FUNCLIST openssl_plugin_table = NULL /* Finalize */ }; +#if OPENSSL_VERSION_NUMBER < 0x10100000L static mutex_t *lock_cs; static long *lock_count; @@ -313,11 +321,14 @@ thread_id() { return ((unsigned long)thr_self()); } +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ KMF_PLUGIN_FUNCLIST * KMF_Plugin_Initialize() { +#if OPENSSL_VERSION_NUMBER < 0x10100000L int i; +#endif (void) mutex_lock(&init_lock); if (!ssl_initialized) { @@ -335,8 +346,11 @@ KMF_Plugin_Initialize() "X509v3 Freshest CRL"); (void) OBJ_create("2.5.29.54", "inhibitAnyPolicy", "X509v3 Inhibit Any-Policy"); + +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* * Set up for thread-safe operation. + * This is not required for OpenSSL 1.1 */ lock_cs = OPENSSL_malloc(CRYPTO_num_locks() * sizeof (mutex_t)); if (lock_cs == NULL) { @@ -360,10 +374,11 @@ KMF_Plugin_Initialize() if (CRYPTO_get_locking_callback() == NULL) CRYPTO_set_locking_callback((void (*)())locking_cb); - OpenSSL_add_all_algorithms(); + (void) OpenSSL_add_all_algorithms(); /* Enable error strings for reporting */ - ERR_load_crypto_strings(); + (void) ERR_load_crypto_strings(); +#endif ssl_initialized = 1; } @@ -371,6 +386,7 @@ KMF_Plugin_Initialize() return (&openssl_plugin_table); } + /* * Convert an SSL DN to a KMF DN. */ @@ -485,7 +501,7 @@ check_cert(X509 *xcert, char *issuer, char *subject, KMF_BIGINT *serial, if (rv != KMF_OK) return (KMF_ERR_BAD_PARAMETER); - rv = get_x509_dn(xcert->cert_info->issuer, &certIssuerDN); + rv = get_x509_dn(X509_get_issuer_name(xcert), &certIssuerDN); if (rv != KMF_OK) { kmf_free_dn(&issuerDN); return (KMF_ERR_BAD_PARAMETER); @@ -500,7 +516,7 @@ check_cert(X509 *xcert, char *issuer, char *subject, KMF_BIGINT *serial, goto cleanup; } - rv = get_x509_dn(xcert->cert_info->subject, &certSubjectDN); + rv = get_x509_dn(X509_get_subject_name(xcert), &certSubjectDN); if (rv != KMF_OK) { rv = KMF_ERR_BAD_PARAMETER; goto cleanup; @@ -514,7 +530,7 @@ check_cert(X509 *xcert, char *issuer, char *subject, KMF_BIGINT *serial, BIGNUM *bn; /* Comparing BIGNUMs is a pain! */ - bn = ASN1_INTEGER_to_BN(xcert->cert_info->serialNumber, NULL); + bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(xcert), NULL); if (bn != NULL) { int bnlen = BN_num_bytes(bn); @@ -1420,17 +1436,13 @@ ssl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out, case KMF_FORMAT_RAWKEY: /* same as ASN.1 */ case KMF_FORMAT_ASN1: - if (pkey->type == EVP_PKEY_RSA) { - rsa = EVP_PKEY_get1_RSA(pkey); + if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) { if (private) rv = i2d_RSAPrivateKey_bio(out, rsa); else rv = i2d_RSAPublicKey_bio(out, rsa); - RSA_free(rsa); - } else if (pkey->type == EVP_PKEY_DSA) { - dsa = EVP_PKEY_get1_DSA(pkey); + } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) { rv = i2d_DSAPrivateKey_bio(out, dsa); - DSA_free(dsa); } if (rv == 1) { rv = KMF_OK; @@ -1439,8 +1451,7 @@ ssl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out, } break; case KMF_FORMAT_PEM: - if (pkey->type == EVP_PKEY_RSA) { - rsa = EVP_PKEY_get1_RSA(pkey); + if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) { if (private) rv = PEM_write_bio_RSAPrivateKey(out, rsa, NULL, NULL, 0, NULL, @@ -1448,13 +1459,10 @@ ssl_write_key(KMF_HANDLE *kmfh, KMF_ENCODE_FORMAT format, BIO *out, else rv = PEM_write_bio_RSAPublicKey(out, rsa); - RSA_free(rsa); - } else if (pkey->type == EVP_PKEY_DSA) { - dsa = EVP_PKEY_get1_DSA(pkey); + } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) { rv = PEM_write_bio_DSAPrivateKey(out, dsa, NULL, NULL, 0, NULL, (cred != NULL ? cred->cred : NULL)); - DSA_free(dsa); } if (rv == 1) { @@ -1477,7 +1485,8 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, { KMF_RETURN rv = KMF_OK; KMF_HANDLE *kmfh = (KMF_HANDLE *)handle; - uint32_t eValue = 0x010001; + uint32_t eValue = RSA_F4; + BIGNUM *eValue_bn = NULL; RSA *sslPrivKey = NULL; DSA *sslDSAKey = NULL; EVP_PKEY *eprikey = NULL; @@ -1489,6 +1498,14 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, boolean_t storekey = TRUE; KMF_KEY_ALG keytype = KMF_RSA; + eValue_bn = BN_new(); + if (eValue_bn == NULL) + return (KMF_ERR_MEMORY); + if (BN_set_word(eValue_bn, eValue) == 0) { + rv = KMF_ERR_KEYGEN_FAILED; + goto cleanup; + } + rv = kmf_get_attr(KMF_STOREKEY_BOOL_ATTR, attrlist, numattr, &storekey, NULL); if (rv != KMF_OK) { @@ -1503,12 +1520,16 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, rv = KMF_OK; pubkey = kmf_get_attr_ptr(KMF_PUBKEY_HANDLE_ATTR, attrlist, numattr); - if (pubkey == NULL) - return (KMF_ERR_BAD_PARAMETER); + if (pubkey == NULL) { + rv = KMF_ERR_BAD_PARAMETER; + goto cleanup; + } privkey = kmf_get_attr_ptr(KMF_PRIVKEY_HANDLE_ATTR, attrlist, numattr); - if (privkey == NULL) - return (KMF_ERR_BAD_PARAMETER); + if (privkey == NULL) { + rv = KMF_ERR_BAD_PARAMETER; + goto cleanup; + } (void) memset(pubkey, 0, sizeof (KMF_KEY_HANDLE)); (void) memset(privkey, 0, sizeof (KMF_KEY_HANDLE)); @@ -1535,6 +1556,10 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, rsaexp->val != NULL) { /* LINTED E_BAD_PTR_CAST_ALIGN */ eValue = *(uint32_t *)rsaexp->val; + if (BN_set_word(eValue_bn, eValue) == 0) { + rv = KMF_ERR_BAD_PARAMETER; + goto cleanup; + } } else { rv = KMF_ERR_BAD_PARAMETER; goto cleanup; @@ -1554,8 +1579,10 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, goto cleanup; } - sslPrivKey = RSA_generate_key(keylen, eValue, NULL, NULL); - if (sslPrivKey == NULL) { + sslPrivKey = RSA_new(); + if (sslPrivKey == NULL || + RSA_generate_key_ex(sslPrivKey, keylen, eValue_bn, NULL) + == 0) { SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; } else { @@ -1575,27 +1602,27 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, pubkey->keyp = (void *)epubkey; } } else if (keytype == KMF_DSA) { - DSA *dp; + BIGNUM *p, *q, *g; + sslDSAKey = DSA_new(); if (sslDSAKey == NULL) { SET_ERROR(kmfh, ERR_get_error()); return (KMF_ERR_MEMORY); } - if ((sslDSAKey->p = BN_bin2bn(P, sizeof (P), sslDSAKey->p)) == - NULL) { + p = BN_bin2bn(P, sizeof (P), NULL); + q = BN_bin2bn(Q, sizeof (Q), NULL); + g = BN_bin2bn(G, sizeof (G), NULL); + if (p == NULL || q == NULL || g == NULL) { + BN_free(p); + BN_free(q); + BN_free(g); SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; goto cleanup; } - if ((sslDSAKey->q = BN_bin2bn(Q, sizeof (Q), sslDSAKey->q)) == - NULL) { - SET_ERROR(kmfh, ERR_get_error()); - rv = KMF_ERR_KEYGEN_FAILED; - goto cleanup; - } - if ((sslDSAKey->g = BN_bin2bn(G, sizeof (G), sslDSAKey->g)) == - NULL) { + + if (DSA_set0_pqg(sslDSAKey, p, q, g) == 0) { SET_ERROR(kmfh, ERR_get_error()); rv = KMF_ERR_KEYGEN_FAILED; goto cleanup; @@ -1618,56 +1645,18 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, rv = KMF_ERR_KEYGEN_FAILED; goto cleanup; } - dp = DSA_new(); - /* Make a copy for the public key */ - if (dp != NULL) { - if ((dp->p = BN_new()) == NULL) { - SET_ERROR(kmfh, ERR_get_error()); - rv = KMF_ERR_MEMORY; - DSA_free(dp); - goto cleanup; - } - if ((dp->q = BN_new()) == NULL) { - SET_ERROR(kmfh, ERR_get_error()); - rv = KMF_ERR_MEMORY; - BN_free(dp->p); - DSA_free(dp); - goto cleanup; - } - if ((dp->g = BN_new()) == NULL) { - SET_ERROR(kmfh, ERR_get_error()); - rv = KMF_ERR_MEMORY; - BN_free(dp->q); - BN_free(dp->p); - DSA_free(dp); - goto cleanup; - } - if ((dp->pub_key = BN_new()) == NULL) { - SET_ERROR(kmfh, ERR_get_error()); - rv = KMF_ERR_MEMORY; - BN_free(dp->q); - BN_free(dp->p); - BN_free(dp->g); - DSA_free(dp); - goto cleanup; - } - (void) BN_copy(dp->p, sslDSAKey->p); - (void) BN_copy(dp->q, sslDSAKey->q); - (void) BN_copy(dp->g, sslDSAKey->g); - (void) BN_copy(dp->pub_key, sslDSAKey->pub_key); - pubkey->kstype = KMF_KEYSTORE_OPENSSL; - pubkey->keyalg = KMF_DSA; - pubkey->keyclass = KMF_ASYM_PUB; - pubkey->israw = FALSE; + pubkey->kstype = KMF_KEYSTORE_OPENSSL; + pubkey->keyalg = KMF_DSA; + pubkey->keyclass = KMF_ASYM_PUB; + pubkey->israw = FALSE; - if (EVP_PKEY_set1_DSA(epubkey, sslDSAKey)) { - pubkey->keyp = (void *)epubkey; - } else { - SET_ERROR(kmfh, ERR_get_error()); - rv = KMF_ERR_KEYGEN_FAILED; - goto cleanup; - } + if (EVP_PKEY_set1_DSA(epubkey, sslDSAKey)) { + pubkey->keyp = (void *)epubkey; + } else { + SET_ERROR(kmfh, ERR_get_error()); + rv = KMF_ERR_KEYGEN_FAILED; + goto cleanup; } } @@ -1719,6 +1708,9 @@ OpenSSL_CreateKeypair(KMF_HANDLE_T handle, int numattr, } cleanup: + if (eValue_bn != NULL) + BN_free(eValue_bn); + if (rv != KMF_OK) { if (eprikey != NULL) EVP_PKEY_free(eprikey); @@ -1759,7 +1751,7 @@ cleanup: * all of the bits. */ static int -fixbnlen(BIGNUM *bn, unsigned char *buf, int len) { +fixbnlen(const BIGNUM *bn, unsigned char *buf, int len) { int bytes = len - BN_num_bytes(bn); /* prepend with leading 0x00 if necessary */ @@ -1781,7 +1773,7 @@ OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key, KMF_RETURN ret = KMF_OK; KMF_HANDLE *kmfh = (KMF_HANDLE *)handle; KMF_ALGORITHM_INDEX AlgId; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; const EVP_MD *md; if (key == NULL || AlgOID == NULL || @@ -1826,19 +1818,20 @@ OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key, } output->Length = len; } else { - (void) EVP_MD_CTX_init(&ctx); - (void) EVP_SignInit_ex(&ctx, md, NULL); - (void) EVP_SignUpdate(&ctx, tobesigned->Data, + if ((ctx = EVP_MD_CTX_new()) == NULL) + return (KMF_ERR_MEMORY); + (void) EVP_SignInit_ex(ctx, md, NULL); + (void) EVP_SignUpdate(ctx, tobesigned->Data, (uint32_t)tobesigned->Length); len = (uint32_t)output->Length; p = output->Data; - if (!EVP_SignFinal(&ctx, p, (uint32_t *)&len, pkey)) { + if (!EVP_SignFinal(ctx, p, (uint32_t *)&len, pkey)) { SET_ERROR(kmfh, ERR_get_error()); len = 0; ret = KMF_ERR_INTERNAL; } output->Length = len; - (void) EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(ctx); } } else if (key->keyalg == KMF_DSA) { DSA *dsa = EVP_PKEY_get1_DSA(key->keyp); @@ -1863,11 +1856,12 @@ OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key, * not all mechanisms return ASN.1 encodings (PKCS#11 * and NSS return raw signature data). */ - EVP_MD_CTX_init(&ctx); - (void) EVP_DigestInit_ex(&ctx, md, NULL); - (void) EVP_DigestUpdate(&ctx, tobesigned->Data, + if ((ctx = EVP_MD_CTX_new()) == NULL) + return (KMF_ERR_MEMORY); + (void) EVP_DigestInit_ex(ctx, md, NULL); + (void) EVP_DigestUpdate(ctx, tobesigned->Data, tobesigned->Length); - (void) EVP_DigestFinal_ex(&ctx, hash, &hashlen); + (void) EVP_DigestFinal_ex(ctx, hash, &hashlen); /* Only sign first 20 bytes for SHA2 */ if (AlgId == KMF_ALGID_SHA256WithDSA) @@ -1875,17 +1869,20 @@ OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key, dsasig = DSA_do_sign(hash, hashlen, dsa); if (dsasig != NULL) { int i; - output->Length = i = fixbnlen(dsasig->r, output->Data, + const BIGNUM *r, *s; + + DSA_SIG_get0(dsasig, &r, &s); + output->Length = i = fixbnlen(r, output->Data, hashlen); - output->Length += fixbnlen(dsasig->s, &output->Data[i], + output->Length += fixbnlen(s, &output->Data[i], hashlen); DSA_SIG_free(dsasig); } else { SET_ERROR(kmfh, ERR_get_error()); } - (void) EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(ctx); } else { return (KMF_ERR_BAD_PARAMETER); } @@ -2023,17 +2020,11 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, X509 *xcert = NULL; unsigned char *outbuf = NULL; unsigned char *outbuf_p; - char *tmpstr = NULL; int j; int ext_index, nid, len; BIO *mem = NULL; -#if OPENSSL_VERSION_NUMBER < 0x10000000L - STACK *emlst = NULL; -#else STACK_OF(OPENSSL_STRING) *emlst = NULL; -#endif X509_EXTENSION *ex; - X509_CINF *ci; if (pcert == NULL || pcert->Data == NULL || pcert->Length == 0) { return (KMF_ERR_BAD_PARAMETER); @@ -2075,9 +2066,8 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, break; case KMF_CERT_VERSION: - tmpstr = i2s_ASN1_INTEGER(NULL, xcert->cert_info->version); - (void) strncpy(resultStr, tmpstr, KMF_CERT_PRINTABLE_LEN); - OPENSSL_free(tmpstr); + (void) snprintf(resultStr, KMF_CERT_PRINTABLE_LEN, + "%ld", X509_get_version(xcert)); len = strlen(resultStr); break; @@ -2090,17 +2080,20 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, break; case KMF_CERT_NOTBEFORE: - (void) ASN1_TIME_print(mem, X509_get_notBefore(xcert)); + (void) ASN1_TIME_print(mem, X509_getm_notBefore(xcert)); len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN); break; case KMF_CERT_NOTAFTER: - (void) ASN1_TIME_print(mem, X509_get_notAfter(xcert)); + (void) ASN1_TIME_print(mem, X509_getm_notAfter(xcert)); len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN); break; case KMF_CERT_PUBKEY_DATA: { + RSA *rsa; + DSA *dsa; + EVP_PKEY *pkey = X509_get_pubkey(xcert); if (pkey == NULL) { SET_ERROR(kmfh, ERR_get_error()); @@ -2108,15 +2101,16 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, goto out; } - if (pkey->type == EVP_PKEY_RSA) { + if ((rsa = EVP_PKEY_get0_RSA(pkey)) != NULL) { (void) BIO_printf(mem, "RSA Public Key: (%d bit)\n", - BN_num_bits(pkey->pkey.rsa->n)); - (void) RSA_print(mem, pkey->pkey.rsa, 0); - } else if (pkey->type == EVP_PKEY_DSA) { + RSA_bits(rsa)); + (void) RSA_print(mem, rsa, 0); + + } else if ((dsa = EVP_PKEY_get0_DSA(pkey)) != NULL) { (void) BIO_printf(mem, "%12sDSA Public Key:\n", ""); - (void) DSA_print(mem, pkey->pkey.dsa, 0); + (void) DSA_print(mem, dsa, 0); } else { (void) BIO_printf(mem, "%12sUnknown Public Key:\n", ""); @@ -2128,30 +2122,50 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, break; case KMF_CERT_SIGNATURE_ALG: case KMF_CERT_PUBKEY_ALG: - if (flag == KMF_CERT_SIGNATURE_ALG) { - len = i2a_ASN1_OBJECT(mem, - xcert->sig_alg->algorithm); - } else { - len = i2a_ASN1_OBJECT(mem, - xcert->cert_info->key->algor->algorithm); - } + { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + ASN1_OBJECT *alg = NULL; +#else + const ASN1_OBJECT *alg = NULL; +#endif + + if (flag == KMF_CERT_SIGNATURE_ALG) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + alg = xcert->sig_alg->algorithm; +#else + const X509_ALGOR *sig_alg = NULL; + + X509_get0_signature(NULL, &sig_alg, xcert); + if (sig_alg != NULL) + X509_ALGOR_get0(&alg, NULL, NULL, + sig_alg); +#endif + } else { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + alg = xcert->cert_info->key->algor->algorithm; +#else + X509_PUBKEY *key = X509_get_X509_PUBKEY(xcert); + + if (key != NULL) + (void) X509_PUBKEY_get0_param( + (ASN1_OBJECT **)&alg, NULL, 0, + NULL, key); +#endif + } - if (len > 0) { - len = BIO_read(mem, resultStr, - KMF_CERT_PRINTABLE_LEN); + if (alg == NULL) + len = -1; + else if ((len = i2a_ASN1_OBJECT(mem, alg)) > 0) + len = BIO_read(mem, resultStr, + KMF_CERT_PRINTABLE_LEN); } break; case KMF_CERT_EMAIL: emlst = X509_get1_email(xcert); -#if OPENSSL_VERSION_NUMBER < 0x10000000L - for (j = 0; j < sk_num(emlst); j++) - (void) BIO_printf(mem, "%s\n", sk_value(emlst, j)); -#else for (j = 0; j < sk_OPENSSL_STRING_num(emlst); j++) (void) BIO_printf(mem, "%s\n", sk_OPENSSL_STRING_value(emlst, j)); -#endif len = BIO_gets(mem, resultStr, KMF_CERT_PRINTABLE_LEN); X509_email_free(emlst); @@ -2176,16 +2190,15 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, ret = KMF_ERR_EXTENSION_NOT_FOUND; goto out; } - ci = xcert->cert_info; - ext_index = X509v3_get_ext_by_NID(ci->extensions, nid, -1); + ext_index = X509_get_ext_by_NID(xcert, nid, -1); if (ext_index == -1) { SET_ERROR(kmfh, ERR_get_error()); ret = KMF_ERR_EXTENSION_NOT_FOUND; goto out; } - ex = X509v3_get_ext(ci->extensions, ext_index); + ex = X509_get_ext(xcert, ext_index); (void) i2a_ASN1_OBJECT(mem, X509_EXTENSION_get_object(ex)); @@ -2197,7 +2210,8 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, } if (!X509V3_EXT_print(mem, ex, X509V3_EXT_DUMP_UNKNOWN, 4)) { (void) BIO_printf(mem, "%*s", 4, ""); - (void) M_ASN1_OCTET_STRING_print(mem, ex->value); + (void) ASN1_STRING_print(mem, + X509_EXTENSION_get_data(ex)); } if (BIO_write(mem, "\n", 1) <= 0) { SET_ERROR(kmfh, ERR_get_error()); @@ -2478,22 +2492,36 @@ end: } /* ocsp_find_signer_sk() is copied from openssl source */ -static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_RESPID *id) +static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_BASICRESP *bs) { int i; unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; + const ASN1_OCTET_STRING *pid; + +#if OPENSSL_VERSION_NUMBER < 0x10100000L + OCSP_RESPID *id = bs->tbsResponseData->responderId; - /* Easy if lookup by name */ if (id->type == V_OCSP_RESPID_NAME) return (X509_find_by_subject(certs, id->value.byName)); + pid = id->value.byKey; +#else + const X509_NAME *pname; + + if (OCSP_resp_get0_id(bs, &pid, &pname) == 0) + return (NULL); + + if (pname != NULL) + return (X509_find_by_subject(certs, (X509_NAME *)pname)); +#endif + /* Lookup by key hash */ /* If key hash isn't SHA1 length then forget it */ - if (id->value.byKey->length != SHA_DIGEST_LENGTH) + if (pid->length != SHA_DIGEST_LENGTH) return (NULL); - keyhash = id->value.byKey->data; + keyhash = pid->data; /* Calculate hash of each key and compare */ for (i = 0; i < sk_X509_num(certs); i++) { /* LINTED E_BAD_PTR_CAST_ALIGN */ @@ -2513,13 +2541,14 @@ ocsp_find_signer(X509 **psigner, OCSP_BASICRESP *bs, STACK_OF(X509) *certs, X509_STORE *st, unsigned long flags) { X509 *signer; - OCSP_RESPID *rid = bs->tbsResponseData->responderId; - if ((signer = ocsp_find_signer_sk(certs, rid))) { + if ((signer = ocsp_find_signer_sk(certs, bs))) { *psigner = signer; return (2); } + if (!(flags & OCSP_NOINTERN) && - (signer = ocsp_find_signer_sk(bs->certs, rid))) { + (signer = ocsp_find_signer_sk( + (STACK_OF(X509) *)OCSP_resp_get0_certs(bs), bs))) { *psigner = signer; return (1); } @@ -2542,10 +2571,13 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs, STACK_OF(X509) *cert_stack = NULL; X509 *signer = NULL; X509 *issuer = NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_PKEY *skey = NULL; +#else + STACK_OF(X509) *cert_stack2 = NULL; +#endif unsigned char *ptmp; - if (bs == NULL || issuer_cert == NULL) return (KMF_ERR_BAD_PARAMETER); @@ -2599,6 +2631,7 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs, } /* Verify the signature of the response */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L skey = X509_get_pubkey(signer); if (skey == NULL) { ret = KMF_ERR_OCSP_BAD_SIGNER; @@ -2606,6 +2639,25 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs, } ret = OCSP_BASICRESP_verify(bs, skey, 0); +#else + /* + * Technique based on + * https://mta.openssl.org/pipermail/openssl-users/ + * 2017-October/006814.html + */ + if ((cert_stack2 = sk_X509_new_null()) == NULL) { + ret = KMF_ERR_INTERNAL; + goto end; + } + + if (sk_X509_push(cert_stack2, signer) == NULL) { + ret = KMF_ERR_INTERNAL; + goto end; + } + + ret = OCSP_basic_verify(bs, cert_stack2, NULL, OCSP_NOVERIFY); +#endif + if (ret == 0) { ret = KMF_ERR_OCSP_RESPONSE_SIGNATURE; goto end; @@ -2620,9 +2672,15 @@ end: X509_free(signer); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (skey != NULL) { EVP_PKEY_free(skey); } +#else + if (cert_stack2 != NULL) { + sk_X509_free(cert_stack2); + } +#endif if (cert_stack != NULL) { sk_X509_free(cert_stack); @@ -2631,8 +2689,6 @@ end: return (ret); } - - KMF_RETURN OpenSSL_GetOCSPStatusForCert(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist) @@ -2821,9 +2877,9 @@ fetch_key(KMF_HANDLE_T handle, char *path, return (KMF_ERR_KEY_NOT_FOUND); } if (key != NULL) { - if (pkey->type == EVP_PKEY_RSA) + if (EVP_PKEY_get0_RSA(pkey) != NULL) key->keyalg = KMF_RSA; - else if (pkey->type == EVP_PKEY_DSA) + else if (EVP_PKEY_get0_DSA(pkey) != NULL) key->keyalg = KMF_DSA; key->kstype = KMF_KEYSTORE_OPENSSL; @@ -3020,11 +3076,12 @@ OpenSSL_FindKey(KMF_HANDLE_T handle, static int add_alias_to_bag(PKCS12_SAFEBAG *bag, X509 *xcert) { - if (xcert != NULL && xcert->aux != NULL && - xcert->aux->alias != NULL) { + unsigned char *alias; + int len; + + if (xcert != NULL && (alias = X509_alias_get0(xcert, &len)) != NULL) { if (PKCS12_add_friendlyname_asc(bag, - (const char *)xcert->aux->alias->data, - xcert->aux->alias->length) == 0) + (const char *)alias, len) == 0) return (0); } return (1); @@ -3043,7 +3100,7 @@ add_cert_to_safe(X509 *sslcert, KMF_CREDENTIAL *cred, return (NULL); /* Convert cert from X509 struct to PKCS#12 bag */ - bag = PKCS12_x5092certbag(sslcert); + bag = PKCS12_SAFEBAG_create_cert(sslcert); if (bag == NULL) { goto out; } @@ -3088,7 +3145,7 @@ add_key_to_safe(EVP_PKEY *pkey, KMF_CREDENTIAL *cred, return (NULL); } /* Put the shrouded key into a PKCS#12 bag. */ - bag = PKCS12_MAKE_SHKEYBAG( + bag = PKCS12_SAFEBAG_create_pkcs8_encrypt( NID_pbe_WithSHA1And3_Key_TripleDES_CBC, cred->cred, cred->credlen, NULL, 0, PKCS12_DEFAULT_ITER, p8); @@ -3127,55 +3184,71 @@ static EVP_PKEY * ImportRawRSAKey(KMF_RAW_RSA_KEY *key) { RSA *rsa = NULL; - EVP_PKEY *newkey = NULL; + EVP_PKEY *newkey = NULL; + BIGNUM *n = NULL, *e = NULL, *d = NULL, + *p = NULL, *q = NULL, + *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL; if ((rsa = RSA_new()) == NULL) - return (NULL); + goto cleanup; - if ((rsa->n = BN_bin2bn(key->mod.val, key->mod.len, rsa->n)) == NULL) - return (NULL); + if ((n = BN_bin2bn(key->mod.val, key->mod.len, NULL)) == NULL) + goto cleanup; - if ((rsa->e = BN_bin2bn(key->pubexp.val, key->pubexp.len, rsa->e)) == - NULL) - return (NULL); + if ((e = BN_bin2bn(key->pubexp.val, key->pubexp.len, NULL)) == NULL) + goto cleanup; - if (key->priexp.val != NULL) - if ((rsa->d = BN_bin2bn(key->priexp.val, key->priexp.len, - rsa->d)) == NULL) - return (NULL); + if (key->priexp.val != NULL && + (d = BN_bin2bn(key->priexp.val, key->priexp.len, NULL)) == NULL) + goto cleanup; - if (key->prime1.val != NULL) - if ((rsa->p = BN_bin2bn(key->prime1.val, key->prime1.len, - rsa->p)) == NULL) - return (NULL); + if (key->prime1.val != NULL && + (p = BN_bin2bn(key->prime1.val, key->prime1.len, NULL)) == NULL) + goto cleanup; - if (key->prime2.val != NULL) - if ((rsa->q = BN_bin2bn(key->prime2.val, key->prime2.len, - rsa->q)) == NULL) - return (NULL); + if (key->prime2.val != NULL && + (q = BN_bin2bn(key->prime2.val, key->prime2.len, NULL)) == NULL) + goto cleanup; - if (key->exp1.val != NULL) - if ((rsa->dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len, - rsa->dmp1)) == NULL) - return (NULL); + if (key->exp1.val != NULL && + (dmp1 = BN_bin2bn(key->exp1.val, key->exp1.len, NULL)) == NULL) + goto cleanup; - if (key->exp2.val != NULL) - if ((rsa->dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len, - rsa->dmq1)) == NULL) - return (NULL); + if (key->exp2.val != NULL && + (dmq1 = BN_bin2bn(key->exp2.val, key->exp2.len, NULL)) == NULL) + goto cleanup; - if (key->coef.val != NULL) - if ((rsa->iqmp = BN_bin2bn(key->coef.val, key->coef.len, - rsa->iqmp)) == NULL) - return (NULL); + if (key->coef.val != NULL && + (iqmp = BN_bin2bn(key->coef.val, key->coef.len, NULL)) == NULL) + goto cleanup; + + if (RSA_set0_key(rsa, n, e, d) == 0) + goto cleanup; + n = e = d = NULL; + if (RSA_set0_factors(rsa, p, q) == 0) + goto cleanup; + p = q = NULL; + if (RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp) == 0) + goto cleanup; + dmp1 = dmq1 = iqmp = NULL; if ((newkey = EVP_PKEY_new()) == NULL) - return (NULL); + goto cleanup; (void) EVP_PKEY_set1_RSA(newkey, rsa); +cleanup: /* The original key must be freed once here or it leaks memory */ - RSA_free(rsa); + if (rsa) + RSA_free(rsa); + BN_free(n); + BN_free(e); + BN_free(d); + BN_free(p); + BN_free(q); + BN_free(dmp1); + BN_free(dmq1); + BN_free(iqmp); return (newkey); } @@ -3184,40 +3257,52 @@ static EVP_PKEY * ImportRawDSAKey(KMF_RAW_DSA_KEY *key) { DSA *dsa = NULL; - EVP_PKEY *newkey = NULL; + EVP_PKEY *newkey = NULL; + BIGNUM *p = NULL, *q = NULL, *g = NULL, + *priv_key = NULL, *pub_key = NULL; if ((dsa = DSA_new()) == NULL) - return (NULL); + goto cleanup; - if ((dsa->p = BN_bin2bn(key->prime.val, key->prime.len, - dsa->p)) == NULL) - return (NULL); + if ((p = BN_bin2bn(key->prime.val, key->prime.len, NULL)) == NULL) + goto cleanup; - if ((dsa->q = BN_bin2bn(key->subprime.val, key->subprime.len, - dsa->q)) == NULL) - return (NULL); + if ((q = BN_bin2bn(key->subprime.val, key->subprime.len, NULL)) == NULL) + goto cleanup; - if ((dsa->g = BN_bin2bn(key->base.val, key->base.len, - dsa->g)) == NULL) - return (NULL); + if ((g = BN_bin2bn(key->base.val, key->base.len, NULL)) == NULL) + goto cleanup; - if ((dsa->priv_key = BN_bin2bn(key->value.val, key->value.len, - dsa->priv_key)) == NULL) - return (NULL); + if ((priv_key = BN_bin2bn(key->value.val, key->value.len, + NULL)) == NULL) + goto cleanup; - if (key->pubvalue.val != NULL) { - if ((dsa->pub_key = BN_bin2bn(key->pubvalue.val, - key->pubvalue.len, dsa->pub_key)) == NULL) - return (NULL); - } + if (key->pubvalue.val != NULL && (pub_key = + BN_bin2bn(key->pubvalue.val, key->pubvalue.len, NULL)) == NULL) + goto cleanup; + + if (DSA_set0_pqg(dsa, p, q, g) == 0) + goto cleanup; + p = q = g = NULL; + if (DSA_set0_key(dsa, pub_key, priv_key) == 0) + goto cleanup; + pub_key = priv_key = 0; if ((newkey = EVP_PKEY_new()) == NULL) - return (NULL); + goto cleanup; (void) EVP_PKEY_set1_DSA(newkey, dsa); +cleanup: /* The original key must be freed once here or it leaks memory */ - DSA_free(dsa); + if (dsa) + DSA_free(dsa); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(priv_key); + BN_free(pub_key); + return (newkey); } @@ -3732,7 +3817,7 @@ err: } static KMF_RETURN -openssl_parse_bags(STACK_OF(PKCS12_SAFEBAG) *bags, char *pin, +openssl_parse_bags(const STACK_OF(PKCS12_SAFEBAG) *bags, char *pin, STACK_OF(EVP_PKEY) *keys, STACK_OF(X509) *certs) { KMF_RETURN ret; @@ -3759,28 +3844,13 @@ set_pkey_attrib(EVP_PKEY *pkey, ASN1_TYPE *attrib, int nid) if (pkey == NULL || attrib == NULL) return (KMF_ERR_BAD_PARAMETER); - if (pkey->attributes == NULL) { - pkey->attributes = sk_X509_ATTRIBUTE_new_null(); - if (pkey->attributes == NULL) - return (KMF_ERR_MEMORY); - } attr = X509_ATTRIBUTE_create(nid, attrib->type, attrib->value.ptr); if (attr != NULL) { int i; - X509_ATTRIBUTE *a; - for (i = 0; - i < sk_X509_ATTRIBUTE_num(pkey->attributes); i++) { - /* LINTED E_BAD_PTR_CASE_ALIGN */ - a = sk_X509_ATTRIBUTE_value(pkey->attributes, i); - if (OBJ_obj2nid(a->object) == nid) { - X509_ATTRIBUTE_free(a); - /* LINTED E_BAD_PTR_CAST_ALIGN */ - (void) sk_X509_ATTRIBUTE_set(pkey->attributes, - i, attr); - return (KMF_OK); - } - } - if (sk_X509_ATTRIBUTE_push(pkey->attributes, attr) == NULL) { + + if ((i = EVP_PKEY_get_attr_by_NID(pkey, nid, -1)) != -1) + (void) EVP_PKEY_delete_attr(pkey, i); + if (EVP_PKEY_add1_attr(pkey, attr) == 0) { X509_ATTRIBUTE_free(attr); return (KMF_ERR_MEMORY); } @@ -3799,18 +3869,19 @@ openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen, PKCS8_PRIV_KEY_INFO *p8 = NULL; EVP_PKEY *pkey = NULL; X509 *xcert = NULL; - ASN1_TYPE *keyid = NULL; - ASN1_TYPE *fname = NULL; + const ASN1_TYPE *keyid = NULL; + const ASN1_TYPE *fname = NULL; uchar_t *data = NULL; - keyid = PKCS12_get_attr(bag, NID_localKeyID); - fname = PKCS12_get_attr(bag, NID_friendlyName); + keyid = PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID); + fname = PKCS12_SAFEBAG_get0_attr(bag, NID_friendlyName); - switch (M_PKCS12_bag_type(bag)) { + switch (PKCS12_SAFEBAG_get_nid(bag)) { case NID_keyBag: if (keylist == NULL) goto end; - pkey = EVP_PKCS82PKEY(bag->value.keybag); + pkey = EVP_PKCS82PKEY( + PKCS12_SAFEBAG_get0_p8inf(bag)); if (pkey == NULL) ret = KMF_ERR_PKCS12_FORMAT; @@ -3818,7 +3889,7 @@ openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen, case NID_pkcs8ShroudedKeyBag: if (keylist == NULL) goto end; - p8 = M_PKCS12_decrypt_skey(bag, pass, passlen); + p8 = PKCS12_decrypt_skey(bag, pass, passlen); if (p8 == NULL) return (KMF_ERR_AUTH_FAILED); pkey = EVP_PKCS82PKEY(p8); @@ -3829,9 +3900,10 @@ openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen, case NID_certBag: if (certlist == NULL) goto end; - if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate) + if (PKCS12_SAFEBAG_get_bag_nid(bag) != + NID_x509Certificate) return (KMF_ERR_PKCS12_FORMAT); - xcert = M_PKCS12_certbag2x509(bag); + xcert = PKCS12_SAFEBAG_get1_cert(bag); if (xcert == NULL) { ret = KMF_ERR_PKCS12_FORMAT; goto end; @@ -3865,8 +3937,9 @@ openssl_parse_bag(PKCS12_SAFEBAG *bag, char *pass, int passlen, xcert = NULL; break; case NID_safeContentsBag: - return (openssl_parse_bags(bag->value.safes, pass, - keylist, certlist)); + return (openssl_parse_bags( + PKCS12_SAFEBAG_get0_safes(bag), + pass, keylist, certlist)); default: ret = KMF_ERR_PKCS12_FORMAT; break; @@ -4076,35 +4149,41 @@ exportRawRSAKey(RSA *rsa, KMF_RAW_KEY_DATA *key) KMF_RETURN rv; KMF_RAW_RSA_KEY *kmfkey = &key->rawdata.rsa; + const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmpq, *iqmp; + + RSA_get0_key(rsa, &n, &e, &d); + RSA_get0_factors(rsa, &p, &q); + RSA_get0_crt_params(rsa, &dmp1, &dmpq, &iqmp); + (void) memset(kmfkey, 0, sizeof (KMF_RAW_RSA_KEY)); - if ((rv = sslBN2KMFBN(rsa->n, &kmfkey->mod)) != KMF_OK) + if ((rv = sslBN2KMFBN((BIGNUM *)n, &kmfkey->mod)) != KMF_OK) goto cleanup; - if ((rv = sslBN2KMFBN(rsa->e, &kmfkey->pubexp)) != KMF_OK) + if ((rv = sslBN2KMFBN((BIGNUM *)e, &kmfkey->pubexp)) != KMF_OK) goto cleanup; - if (rsa->d != NULL) - if ((rv = sslBN2KMFBN(rsa->d, &kmfkey->priexp)) != KMF_OK) + if (d != NULL) + if ((rv = sslBN2KMFBN((BIGNUM *)d, &kmfkey->priexp)) != KMF_OK) goto cleanup; - if (rsa->p != NULL) - if ((rv = sslBN2KMFBN(rsa->p, &kmfkey->prime1)) != KMF_OK) + if (p != NULL) + if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime1)) != KMF_OK) goto cleanup; - if (rsa->q != NULL) - if ((rv = sslBN2KMFBN(rsa->q, &kmfkey->prime2)) != KMF_OK) + if (q != NULL) + if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->prime2)) != KMF_OK) goto cleanup; - if (rsa->dmp1 != NULL) - if ((rv = sslBN2KMFBN(rsa->dmp1, &kmfkey->exp1)) != KMF_OK) + if (dmp1 != NULL) + if ((rv = sslBN2KMFBN((BIGNUM *)dmp1, &kmfkey->exp1)) != KMF_OK) goto cleanup; - if (rsa->dmq1 != NULL) - if ((rv = sslBN2KMFBN(rsa->dmq1, &kmfkey->exp2)) != KMF_OK) + if (dmpq != NULL) + if ((rv = sslBN2KMFBN((BIGNUM *)dmpq, &kmfkey->exp2)) != KMF_OK) goto cleanup; - if (rsa->iqmp != NULL) - if ((rv = sslBN2KMFBN(rsa->iqmp, &kmfkey->coef)) != KMF_OK) + if (iqmp != NULL) + if ((rv = sslBN2KMFBN((BIGNUM *)iqmp, &kmfkey->coef)) != KMF_OK) goto cleanup; cleanup: if (rv != KMF_OK) @@ -4126,18 +4205,22 @@ exportRawDSAKey(DSA *dsa, KMF_RAW_KEY_DATA *key) { KMF_RETURN rv; KMF_RAW_DSA_KEY *kmfkey = &key->rawdata.dsa; + const BIGNUM *p, *q, *g, *priv_key; + + DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, NULL, &priv_key); (void) memset(kmfkey, 0, sizeof (KMF_RAW_DSA_KEY)); - if ((rv = sslBN2KMFBN(dsa->p, &kmfkey->prime)) != KMF_OK) + if ((rv = sslBN2KMFBN((BIGNUM *)p, &kmfkey->prime)) != KMF_OK) goto cleanup; - if ((rv = sslBN2KMFBN(dsa->q, &kmfkey->subprime)) != KMF_OK) + if ((rv = sslBN2KMFBN((BIGNUM *)q, &kmfkey->subprime)) != KMF_OK) goto cleanup; - if ((rv = sslBN2KMFBN(dsa->g, &kmfkey->base)) != KMF_OK) + if ((rv = sslBN2KMFBN((BIGNUM *)g, &kmfkey->base)) != KMF_OK) goto cleanup; - if ((rv = sslBN2KMFBN(dsa->priv_key, &kmfkey->value)) != KMF_OK) + if ((rv = sslBN2KMFBN((BIGNUM *)priv_key, &kmfkey->value)) != KMF_OK) goto cleanup; cleanup: @@ -4220,68 +4303,44 @@ add_key_to_list(KMF_RAW_KEY_DATA **keylist, return (KMF_OK); } -static X509_ATTRIBUTE * -find_attr(STACK_OF(X509_ATTRIBUTE) *attrs, int nid) -{ - X509_ATTRIBUTE *a; - int i; - - if (attrs == NULL) - return (NULL); - - for (i = 0; i < sk_X509_ATTRIBUTE_num(attrs); i++) { - /* LINTED E_BAD_PTR_CAST_ALIGN */ - a = sk_X509_ATTRIBUTE_value(attrs, i); - if (OBJ_obj2nid(a->object) == nid) - return (a); - } - return (NULL); -} - static KMF_RETURN convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key) { KMF_RETURN rv = KMF_OK; X509_ATTRIBUTE *attr; + RSA *rsa; + DSA *dsa; + int loc; if (pkey == NULL || key == NULL) return (KMF_ERR_BAD_PARAMETER); /* Convert SSL key to raw key */ - switch (pkey->type) { - case EVP_PKEY_RSA: - rv = exportRawRSAKey(EVP_PKEY_get1_RSA(pkey), - key); - if (rv != KMF_OK) - return (rv); - break; - case EVP_PKEY_DSA: - rv = exportRawDSAKey(EVP_PKEY_get1_DSA(pkey), - key); - if (rv != KMF_OK) - return (rv); - break; - default: - return (KMF_ERR_BAD_PARAMETER); - } + if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) { + rv = exportRawRSAKey(rsa, key); + if (rv != KMF_OK) + return (rv); + } else if ((dsa = EVP_PKEY_get1_DSA(pkey)) != NULL) { + rv = exportRawDSAKey(dsa, key); + if (rv != KMF_OK) + return (rv); + } else + return (KMF_ERR_BAD_PARAMETER); + /* * If friendlyName, add it to record. */ - attr = find_attr(pkey->attributes, NID_friendlyName); - if (attr != NULL) { + + if ((loc = EVP_PKEY_get_attr_by_NID(pkey, + NID_friendlyName, -1)) != -1 && + (attr = EVP_PKEY_get_attr(pkey, loc))) { ASN1_TYPE *ty = NULL; - int numattr = sk_ASN1_TYPE_num(attr->value.set); - if (attr->single == 0 && numattr > 0) { - /* LINTED E_BAD_PTR_CAST_ALIGN */ - ty = sk_ASN1_TYPE_value(attr->value.set, 0); + int numattr = X509_ATTRIBUTE_count(attr); + if (numattr > 0) { + ty = X509_ATTRIBUTE_get0_type(attr, 0); } if (ty != NULL) { -#if OPENSSL_VERSION_NUMBER < 0x10000000L - key->label = uni2asc(ty->value.bmpstring->data, - ty->value.bmpstring->length); -#else key->label = OPENSSL_uni2asc(ty->value.bmpstring->data, ty->value.bmpstring->length); -#endif } } else { key->label = NULL; @@ -4290,14 +4349,13 @@ convertToRawKey(EVP_PKEY *pkey, KMF_RAW_KEY_DATA *key) /* * If KeyID, add it to record as a KMF_DATA object. */ - attr = find_attr(pkey->attributes, NID_localKeyID); - if (attr != NULL) { + if ((loc = EVP_PKEY_get_attr_by_NID(pkey, + NID_localKeyID, -1)) != -1 && + (attr = EVP_PKEY_get_attr(pkey, loc)) != NULL) { ASN1_TYPE *ty = NULL; - int numattr = sk_ASN1_TYPE_num(attr->value.set); - if (attr->single == 0 && numattr > 0) { - /* LINTED E_BAD_PTR_CAST_ALIGN */ - ty = sk_ASN1_TYPE_value(attr->value.set, 0); - } + int numattr = X509_ATTRIBUTE_count(attr); + if (numattr > 0) + ty = X509_ATTRIBUTE_get0_type(attr, 0); key->id.Data = (uchar_t *)malloc( ty->value.octet_string->length); if (key->id.Data == NULL) @@ -5406,7 +5464,8 @@ OpenSSL_FindCertInCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist) } /* Check if the certificate and the CRL have same issuer */ - if (X509_NAME_cmp(xcert->cert_info->issuer, xcrl->crl->issuer) != 0) { + if (X509_NAME_cmp(X509_get_issuer_name(xcert), + X509_CRL_get_issuer(xcrl)) != 0) { ret = KMF_ERR_ISSUER; goto end; } @@ -5423,8 +5482,8 @@ OpenSSL_FindCertInCRL(KMF_HANDLE_T handle, int numattr, KMF_ATTRIBUTE *attrlist) for (i = 0; i < sk_X509_REVOKED_num(revoke_stack); i++) { /* LINTED E_BAD_PTR_CAST_ALIGN */ revoke = sk_X509_REVOKED_value(revoke_stack, i); - if (ASN1_INTEGER_cmp(xcert->cert_info->serialNumber, - revoke->serialNumber) == 0) { + if (ASN1_INTEGER_cmp(X509_get_serialNumber(xcert), + X509_REVOKED_get0_serialNumber(revoke)) == 0) { break; } } @@ -5567,13 +5626,13 @@ OpenSSL_CheckCRLDate(KMF_HANDLE_T handle, char *crlname) ret = KMF_ERR_BAD_CRLFILE; goto cleanup; } - i = X509_cmp_time(X509_CRL_get_lastUpdate(xcrl), NULL); + i = X509_cmp_time(X509_CRL_get0_lastUpdate(xcrl), NULL); if (i >= 0) { ret = KMF_ERR_VALIDITY_PERIOD; goto cleanup; } - if (X509_CRL_get_nextUpdate(xcrl)) { - i = X509_cmp_time(X509_CRL_get_nextUpdate(xcrl), NULL); + if (X509_CRL_get0_nextUpdate(xcrl)) { + i = X509_cmp_time(X509_CRL_get0_nextUpdate(xcrl), NULL); if (i <= 0) { ret = KMF_ERR_VALIDITY_PERIOD; |