6429 SMB domain join doesn't work with libreSSL

9546 Restore support for building against LibreSSL 9547 Remove KMF dependency on insecure encryption types Reviewed by: Andy Fiddaman <af@citrus-it.net> Reviewed by: Vitaliy Gusev <gusev.vitaliy@icloud.com> Reviewed by: Ken Mays <kmays2000@gmail.com> Approved by: Dan McDonald <danmcd@joyent.com>
author: Andrew Stormont <astormont@racktopsystems.com> 2018-06-01 12:10:19 +0100
committer: Dan McDonald <danmcd@joyent.com> 2018-06-22 12:51:15 -0400
commit: 553e44ce7e541a9e1404b1ead92be0753668710a (patch)
tree: 1b2eb1ed8c26ec87e33276509e52e2bb3b9cbf62 /usr/src
parent: 8fe0f5406dd0bce37c6d2a4b0f94746fe3bc1a06 (diff)
download: illumos-joyent-553e44ce7e541a9e1404b1ead92be0753668710a.tar.gz
6 files changed, 148 insertions, 157 deletions
diff --git a/usr/src/cmd/sendmail/src/tls.c b/usr/src/cmd/sendmail/src/tls.c
index 605d91635a..ab17456d78 100644
--- a/usr/src/cmd/sendmail/src/tls.c
+++ b/usr/src/cmd/sendmail/src/tls.c
@@ -3,6 +3,7 @@
  *	All rights reserved.
  * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
  * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2018 RackTop Systems.
  *
  * By using this file, you agree to the terms and conditions set
  * forth in the LICENSE file which can be found at the top level of
@@ -39,7 +40,7 @@ static int	tls_verify_log __P((int, X509_STORE_CTX *, char *));
 #  include <openssl/dh.h>
 #  include <openssl/dsa.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 /*
  * This compatibility function is taken from
@@ -319,7 +320,7 @@ bool
 init_tls_library()
 {
 	/* basic TLS initialization, ignore result for now */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	/* No longer available (nor necessary) in OpenSSL 1.1 */
 	SSL_library_init();
 	SSL_load_error_strings();
diff --git a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c
index 00ad9a3afc..3ae2f2a362 100644
--- a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c
+++ b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c
@@ -32,6 +32,7 @@
  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
  * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2018 RackTop Systems.
  */
 
 #include <errno.h>
@@ -370,7 +371,7 @@ unsigned char pkinit_4096_dhprime[4096/8] = {
     0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
 };
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 /*
  * Many things have changed in OpenSSL 1.1. The code in this file has been
  * updated to use the v1.1 APIs but some are new and require emulation
@@ -463,11 +464,7 @@ __DH_get0_key(const DH *dh, const BIGNUM **pub, const BIGNUM **priv)
         *priv = dh->priv_key;
 }
 
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-
-/* Solaris Kerberos */
-static k5_mutex_t oids_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
-static int pkinit_oids_refs = 0;
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER */
 
 krb5_error_code
 pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) {
@@ -603,73 +600,43 @@ pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx)
 static krb5_error_code
 pkinit_init_pkinit_oids(pkinit_plg_crypto_context ctx)
 {
-    krb5_error_code retval = ENOMEM;
-    int nid = 0;
-
-    /*
-     * If OpenSSL already knows about the OID, use the
-     * existing definition. Otherwise, create an OID object.
-     */
-    #define CREATE_OBJ_IF_NEEDED(oid, vn, sn, ln) \
-	nid = OBJ_txt2nid(oid); \
-	if (nid == NID_undef) { \
-	    nid = OBJ_create(oid, sn, ln); \
-	    if (nid == NID_undef) { \
-		pkiDebug("Error creating oid object for '%s'\n", oid); \
-		goto out; \
-	    } \
-	} \
-	ctx->vn = OBJ_nid2obj(nid);
-
-    /* Solaris Kerberos */
-    retval = k5_mutex_lock(&oids_mutex);
-    if (retval != 0)
-	goto out;
-
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.2", id_pkinit_san,
-			 "id-pkinit-san", "KRB5PrincipalName");
-
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.1", id_pkinit_authData,
-			 "id-pkinit-authdata", "PKINIT signedAuthPack");
-
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.2", id_pkinit_DHKeyData,
-			 "id-pkinit-DHKeyData", "PKINIT dhSignedData");
-
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.3", id_pkinit_rkeyData,
-			 "id-pkinit-rkeyData", "PKINIT encKeyPack");
+    ctx->id_pkinit_san = OBJ_txt2obj("1.3.6.1.5.2.2", 1);
+    if (ctx->id_pkinit_san == NULL)
+        return ENOMEM;
 
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.4", id_pkinit_KPClientAuth,
-			 "id-pkinit-KPClientAuth", "PKINIT Client EKU");
+    ctx->id_pkinit_authData = OBJ_txt2obj("1.3.6.1.5.2.3.1", 1);
+    if (ctx->id_pkinit_authData == NULL)
+        return ENOMEM;
 
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.5", id_pkinit_KPKdc,
-			 "id-pkinit-KPKdc", "KDC EKU");
+    ctx->id_pkinit_DHKeyData = OBJ_txt2obj("1.3.6.1.5.2.3.2", 1);
+    if (ctx->id_pkinit_DHKeyData == NULL)
+        return ENOMEM;
 
-#if 0
-    CREATE_OBJ_IF_NEEDED("1.2.840.113549.1.7.1", id_pkinit_authData9,
-			 "id-pkcs7-data", "PKCS7 data");
-#else
-    /* See note in pkinit_pkcs7type2oid() */
-    ctx->id_pkinit_authData9 = NULL;
-#endif
+    ctx->id_pkinit_rkeyData = OBJ_txt2obj("1.3.6.1.5.2.3.3", 1);
+    if (ctx->id_pkinit_rkeyData == NULL)
+        return ENOMEM;
 
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.2", id_ms_kp_sc_logon,
-			 "id-ms-kp-sc-logon EKU", "Microsoft SmartCard Login EKU");
+    ctx->id_pkinit_KPClientAuth = OBJ_txt2obj("1.3.6.1.5.2.3.4", 1);
+    if (ctx->id_pkinit_KPClientAuth == NULL)
+        return ENOMEM;
 
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.3", id_ms_san_upn,
-			 "id-ms-san-upn", "Microsoft Universal Principal Name");
+    ctx->id_pkinit_KPKdc = OBJ_txt2obj("1.3.6.1.5.2.3.5", 1);
+    if (ctx->id_pkinit_KPKdc == NULL)
+        return ENOMEM;
 
-    CREATE_OBJ_IF_NEEDED("1.3.6.1.5.5.7.3.1", id_kp_serverAuth,
-			 "id-kp-serverAuth EKU", "Server Authentication EKU");
+    ctx->id_ms_kp_sc_logon = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 1);
+    if (ctx->id_ms_kp_sc_logon == NULL)
+        return ENOMEM;
 
-    /* Success */
-    retval = 0;
+    ctx->id_ms_san_upn = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1);
+    if (ctx->id_ms_san_upn == NULL)
+        return ENOMEM;
 
-    pkinit_oids_refs++;
-    /* Solaris Kerberos */
-    k5_mutex_unlock(&oids_mutex);
+    ctx->id_kp_serverAuth = OBJ_txt2obj("1.3.6.1.5.5.7.3.1", 1);
+    if (ctx->id_kp_serverAuth == NULL)
+        return ENOMEM;
 
-out:
-    return retval;
+    return 0;
 }
 
 static krb5_error_code
@@ -748,22 +715,15 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx)
 {
     if (ctx == NULL)
 	return;
-
-    /* Only call OBJ_cleanup once! */
-    /* Solaris Kerberos: locking */
-    k5_mutex_lock(&oids_mutex);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    /*
-     * In OpenSSL versions prior to 1.1.0, OBJ_cleanup() cleaned up OpenSSL's
-     * internal object table. This function is deprecated in version 1.1.0.
-     * No explicit de-initialisation is now required.
-     */
-    if (--pkinit_oids_refs == 0)
-	OBJ_cleanup();
-#else
-    pkinit_oids_refs--;
-#endif
-    k5_mutex_unlock(&oids_mutex);
+    ASN1_OBJECT_free(ctx->id_pkinit_san);
+    ASN1_OBJECT_free(ctx->id_pkinit_authData);
+    ASN1_OBJECT_free(ctx->id_pkinit_DHKeyData);
+    ASN1_OBJECT_free(ctx->id_pkinit_rkeyData);
+    ASN1_OBJECT_free(ctx->id_pkinit_KPClientAuth);
+    ASN1_OBJECT_free(ctx->id_pkinit_KPKdc);
+    ASN1_OBJECT_free(ctx->id_ms_kp_sc_logon);
+    ASN1_OBJECT_free(ctx->id_ms_san_upn);
+    ASN1_OBJECT_free(ctx->id_kp_serverAuth);
 }
 
 static DH *
@@ -953,6 +913,55 @@ pkinit_identity_set_prompter(pkinit_identity_crypto_context id_cryptoctx,
     return 0;
 }
 
+/* Create a CMS ContentInfo of type oid containing the octet string in data. */
+static krb5_error_code
+create_contentinfo(krb5_context context,
+		   ASN1_OBJECT *oid,
+		   unsigned char *data,
+		   size_t data_len,
+		   PKCS7 **p7_out)
+{
+    PKCS7 *p7 = NULL;
+    ASN1_OCTET_STRING *ostr = NULL;
+
+    *p7_out = NULL;
+
+    ostr = ASN1_OCTET_STRING_new();
+    if (ostr == NULL)
+        goto oom;
+    if (!ASN1_OCTET_STRING_set(ostr, (unsigned char *)data, data_len))
+        goto oom;
+
+    p7 = PKCS7_new();
+    if (p7 == NULL)
+        goto oom;
+    p7->type = OBJ_dup(oid);
+    if (p7->type == NULL)
+        goto oom;
+
+    if (OBJ_obj2nid(oid) == NID_pkcs7_data) {
+        /* Draft 9 uses id-pkcs7-data for signed data.  For this type OpenSSL
+         * expects an octet string in d.data. */
+        p7->d.data = ostr;
+    } else {
+        p7->d.other = ASN1_TYPE_new();
+        if (p7->d.other == NULL)
+            goto oom;
+        p7->d.other->type = V_ASN1_OCTET_STRING;
+        p7->d.other->value.octet_string = ostr;
+    }
+
+    *p7_out = p7;
+    return 0;
+
+oom:
+    if (ostr != NULL)
+        ASN1_OCTET_STRING_free(ostr);
+    if (p7 != NULL)
+        PKCS7_free(p7);
+    return ENOMEM;
+}
+
 /* ARGSUSED */
 krb5_error_code
 cms_signeddata_create(krb5_context context,
@@ -972,7 +981,6 @@ cms_signeddata_create(krb5_context context,
     PKCS7_SIGNED *p7s = NULL;
     PKCS7_SIGNER_INFO *p7si = NULL;
     unsigned char *p;
-    ASN1_TYPE *pkinit_data = NULL;
     STACK_OF(X509) * cert_stack = NULL;
     ASN1_OCTET_STRING *digest_attr = NULL;
     EVP_MD_CTX *ctx = NULL, *ctx2 = NULL;
@@ -988,7 +996,7 @@ cms_signeddata_create(krb5_context context,
     unsigned int alg_len = 0, digest_len = 0;
     unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL;
     X509 *cert = NULL;
-    ASN1_OBJECT *oid = NULL;
+    ASN1_OBJECT *oid = NULL, *oid_copy;
 
     /* Solaris Kerberos */
     if (signed_data == NULL)
@@ -1120,8 +1128,11 @@ cms_signeddata_create(krb5_context context,
 				   V_ASN1_OCTET_STRING, (char *) digest_attr);
 
 	/* create a content-type attr */
+	oid_copy = OBJ_dup(oid);
+	if (oid_copy == NULL)
+		goto cleanup2;
 	PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType,
-				   V_ASN1_OBJECT, oid);
+				   V_ASN1_OBJECT, oid_copy);
 
 	/* create the signature over signed attributes. get DER encoded value */
 	/* This is the place where smartcard signature needs to be calculated */
@@ -1223,26 +1234,7 @@ cms_signeddata_create(krb5_context context,
 	goto cleanup2;
 
     /* start on adding data to the pkcs7 signed */
-    if ((inner_p7 = PKCS7_new()) == NULL)
-	goto cleanup2;
-    if ((pkinit_data = ASN1_TYPE_new()) == NULL)
-	goto cleanup2;
-    pkinit_data->type = V_ASN1_OCTET_STRING;
-    if ((pkinit_data->value.octet_string = ASN1_OCTET_STRING_new()) == NULL)
-	goto cleanup2;
-    if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string, data,
-			       (int)data_len)) {
-	unsigned long err = ERR_peek_error();
-	retval = KRB5KDC_ERR_PREAUTH_FAILED;
-	krb5_set_error_message(context, retval, "%s\n",
-			       ERR_error_string(err, NULL));
-	pkiDebug("failed to add pkcs7 data\n");
-	goto cleanup2;
-    }
-
-    if (!PKCS7_set0_type_other(inner_p7, OBJ_obj2nid(oid), pkinit_data))
-	goto cleanup2;
-
+    retval = create_contentinfo(context, oid, data, data_len, &inner_p7);
     if (p7s->contents != NULL)
 	PKCS7_free(p7s->contents);
     p7s->contents = inner_p7;
@@ -1355,7 +1347,6 @@ cms_signeddata_verify(krb5_context context,
 		     "/tmp/client_received_pkcs7_signeddata");
 #endif
 
-    /* Do this early enough to create the shadow OID for pkcs7-data if needed */
     oid = pkinit_pkcs7type2oid(plgctx, cms_msg_type);
     if (oid == NULL)
 	goto cleanup;
@@ -2650,7 +2641,7 @@ openssl_init()
     if (ret == 0) {
 	if (!did_init) {
 	    /* initialize openssl routines */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	    /*
 	     * As of version 1.1.0, OpenSSL will automatically allocate
 	     * resources as-needed.
@@ -2712,7 +2703,7 @@ cleanup:
     return retval;
 }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 static DH *
 pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len)
@@ -2828,7 +2819,7 @@ pkinit_decode_dh_params(DH **a, unsigned char **pp, unsigned int len)
 	return dh;
 }
 
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER */
 
 static krb5_error_code
 pkinit_create_sequence_of_principal_identifiers(
@@ -3333,31 +3324,11 @@ openssl_callback_ignore_crls(int ok, X509_STORE_CTX * ctx)
 static ASN1_OBJECT *
 pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type)
 {
-    int nid;
-
     switch (pkcs7_type) {
 	case CMS_SIGN_CLIENT:
 	    return cryptoctx->id_pkinit_authData;
 	case CMS_SIGN_DRAFT9:
-	    /*
-	     * Delay creating this OID until we know we need it.
-	     * It shadows an existing OpenSSL oid.  If it
-	     * is created too early, it breaks things like
-	     * the use of pkcs12 (which uses pkcs7 structures).
-	     * We need this shadow version because our code
-	     * depends on the "other" type to be unknown to the
-	     * OpenSSL code.
-	     */
-	    if (cryptoctx->id_pkinit_authData9 == NULL) {
-		pkiDebug("%s: Creating shadow instance of pkcs7-data oid\n",
-			 __FUNCTION__);
-		nid = OBJ_create("1.2.840.113549.1.7.1", "id-pkcs7-data",
-				 "PKCS7 data");
-		if (nid == NID_undef)
-		    return NULL;
-		cryptoctx->id_pkinit_authData9 = OBJ_nid2obj(nid);
-	    }
-	    return cryptoctx->id_pkinit_authData9;
+	    return OBJ_nid2obj(NID_pkcs7_data);
 	case CMS_SIGN_SERVER:
 	    return cryptoctx->id_pkinit_DHKeyData;
 	case CMS_ENVEL_SERVER:
@@ -4664,7 +4635,7 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx,
 	attrs[nattrs].ulValueLen = sizeof keytype;
 	nattrs++;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	rsa = priv->pkey.rsa;
 	rsan = rsa->n;
 	n_len = BN_num_bytes(rsan);
diff --git a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h
index 2f3e0ccae4..22fa5126b3 100644
--- a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h
+++ b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h
@@ -31,6 +31,7 @@
 /*
  * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved.
  * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2018 RackTop Systems.
  */
 
 #ifndef _PKINIT_CRYPTO_OPENSSL_H
@@ -50,7 +51,7 @@
 #include <openssl/pem.h>
 #include <openssl/rsa.h>
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #include <openssl/asn1_mac.h>
 #else
 #include <openssl/asn1t.h>
@@ -118,7 +119,6 @@ struct _pkinit_plg_crypto_context {
     DH *dh_2048;
     DH *dh_4096;
     ASN1_OBJECT *id_pkinit_authData;
-    ASN1_OBJECT *id_pkinit_authData9;
     ASN1_OBJECT *id_pkinit_DHKeyData;
     ASN1_OBJECT *id_pkinit_rkeyData;
     ASN1_OBJECT *id_pkinit_san;
@@ -285,7 +285,7 @@ wrap_signeddata(unsigned char *data, unsigned int data_len,
 
 /* This handy macro borrowed from crypto/x509v3/v3_purp.c */
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 #define ku_reject(x, usage) \
 	(((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage)))
 #else
diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c
index b64064cb7b..0a17b32a6a 100644
--- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c
+++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c
@@ -1,5 +1,6 @@
 /*
  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018 RackTop Systems.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -12,7 +13,7 @@
 #include <openssl/engine.h>
 #include "compat.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 static void *
 OPENSSL_zalloc(size_t num)
@@ -443,4 +444,4 @@ EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 	return (pkey->pkey.rsa);
 }
 
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* OPENSSL_VERSION_NUMBER || LIBRESSL_VERSION_NUMBER */
diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h
index 6613eb8d6d..9373c88639 100644
--- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h
+++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h
@@ -1,5 +1,6 @@
 /*
  * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2018 RackTop Systems.
  *
  * Licensed under the OpenSSL license (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -10,7 +11,7 @@
 #ifndef LIBCRYPTO_COMPAT_H
 #define	LIBCRYPTO_COMPAT_H
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
@@ -86,6 +87,6 @@ RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
 #define	X509_getm_notBefore  X509_get_notBefore
 #define	X509_getm_notAfter X509_get_notAfter
 
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* OPENSSL_VERSION_NUMBER || LIBRESSL_VERSION_NUMBER */
 
 #endif /* LIBCRYPTO_COMPAT_H */
diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
index 3ca328ff05..1faa4bea34 100644
--- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
+++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c
@@ -6,6 +6,7 @@
 /*
  * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved.
  * Copyright 2018 OmniOS Community Edition (OmniOSce) Association.
+ * Copyright 2018 RackTop Systems.
  */
 /*
  * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
@@ -138,7 +139,7 @@ static uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a,
 /*
  * Declare some new macros for managing stacks of EVP_PKEYS.
  */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 DECLARE_STACK_OF(EVP_PKEY)
 
 #define	sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY)
@@ -300,7 +301,7 @@ KMF_PLUGIN_FUNCLIST openssl_plugin_table =
 	NULL	/* Finalize */
 };
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 static mutex_t *lock_cs;
 static long *lock_count;
 
@@ -321,12 +322,12 @@ thread_id()
 {
 	return ((unsigned long)thr_self());
 }
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER */
 
 KMF_PLUGIN_FUNCLIST *
 KMF_Plugin_Initialize()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	int i;
 #endif
 
@@ -347,7 +348,7 @@ KMF_Plugin_Initialize()
 		(void) OBJ_create("2.5.29.54", "inhibitAnyPolicy",
 		    "X509v3 Inhibit Any-Policy");
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 		/*
 		 * Set up for thread-safe operation.
 		 * This is not required for OpenSSL 1.1
@@ -1791,20 +1792,36 @@ OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key,
 		EVP_PKEY *pkey = (EVP_PKEY *)key->keyp;
 		uchar_t *p;
 		int len;
-		if (AlgId == KMF_ALGID_MD5WithRSA)
+		switch (AlgId) {
+#ifndef	OPENSSL_NO_MD5
+		case KMF_ALGID_MD5WithRSA:
 			md = EVP_md5();
-		else if (AlgId == KMF_ALGID_SHA1WithRSA)
+			break;
+#endif
+#ifndef	OPENSSL_NO_SHA
+		case KMF_ALGID_SHA1WithRSA:
 			md = EVP_sha1();
-		else if (AlgId == KMF_ALGID_SHA256WithRSA)
+			break;
+#endif
+#ifndef	OPENSSL_NO_SHA256
+		case KMF_ALGID_SHA256WithRSA:
 			md = EVP_sha256();
-		else if (AlgId == KMF_ALGID_SHA384WithRSA)
+			break;
+#endif
+#ifndef	OPENSSL_NO_SHA512
+		case KMF_ALGID_SHA384WithRSA:
 			md = EVP_sha384();
-		else if (AlgId == KMF_ALGID_SHA512WithRSA)
+			break;
+		case KMF_ALGID_SHA512WithRSA:
 			md = EVP_sha512();
-		else if (AlgId == KMF_ALGID_RSA)
+			break;
+#endif
+		case KMF_ALGID_RSA:
 			md = NULL;
-		else
+			break;
+		default:
 			return (KMF_ERR_BAD_ALGORITHM);
+		}
 
 		if ((md == NULL) && (AlgId == KMF_ALGID_RSA)) {
 			RSA *rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)pkey);
@@ -2123,14 +2140,14 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert,
 	case KMF_CERT_SIGNATURE_ALG:
 	case KMF_CERT_PUBKEY_ALG:
 		{
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 			ASN1_OBJECT *alg = NULL;
 #else
 			const ASN1_OBJECT *alg = NULL;
 #endif
 
 			if (flag == KMF_CERT_SIGNATURE_ALG) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 				alg = xcert->sig_alg->algorithm;
 #else
 				const X509_ALGOR *sig_alg = NULL;
@@ -2141,7 +2158,7 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert,
 					    sig_alg);
 #endif
 			} else {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 				alg = xcert->cert_info->key->algor->algorithm;
 #else
 				X509_PUBKEY *key = X509_get_X509_PUBKEY(xcert);
@@ -2498,7 +2515,7 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_BASICRESP *bs)
 	unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash;
 	const ASN1_OCTET_STRING *pid;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	OCSP_RESPID *id = bs->tbsResponseData->responderId;
 
 	if (id->type == V_OCSP_RESPID_NAME)
@@ -2571,7 +2588,7 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs,
 	STACK_OF(X509) *cert_stack = NULL;
 	X509 *signer = NULL;
 	X509 *issuer = NULL;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	EVP_PKEY *skey = NULL;
 #else
 	STACK_OF(X509) *cert_stack2 = NULL;
@@ -2631,7 +2648,7 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs,
 	}
 
 	/* Verify the signature of the response */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	skey = X509_get_pubkey(signer);
 	if (skey == NULL) {
 		ret = KMF_ERR_OCSP_BAD_SIGNER;
@@ -2672,7 +2689,7 @@ end:
 		X509_free(signer);
 	}
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 	if (skey != NULL) {
 		EVP_PKEY_free(skey);
 	}
author	Andrew Stormont <astormont@racktopsystems.com>	2018-06-01 12:10:19 +0100
committer	Dan McDonald <danmcd@joyent.com>	2018-06-22 12:51:15 -0400
commit	553e44ce7e541a9e1404b1ead92be0753668710a (patch)
tree	1b2eb1ed8c26ec87e33276509e52e2bb3b9cbf62 /usr/src
parent	8fe0f5406dd0bce37c6d2a4b0f94746fe3bc1a06 (diff)
download	illumos-joyent-553e44ce7e541a9e1404b1ead92be0753668710a.tar.gz