authormarkd <markd@pkgsrc.org>2018-01-31 09:14:55 +0000
committermarkd <markd@pkgsrc.org>2018-01-31 09:14:55 +0000
commitd2eed88e2923ad1dd3d703781a738786a9754d16 (patch)
tree98cd35b3cb22f7148815f16273ed8336046a2c8b /security
parentb1ab9ffc9a1d1babdaf8c0f26609bf9c3fbf82c2 (diff)
qca2{,-qt5}{,-gnupg,-ossl}: update to 2.1.0
New in 2.1.0 - Ported to Qt5 (Qt4 also supported) - New building system. CMake instead of qmake - Added CTR symmetric cipher support to qca core - Added no padding encryption algorithm to qca core - qcatool2 renamed to qcatool - fixed crash in qcatool when only options provided on command line without any commands - Use plugins installation path as hard-coded runtime plugins search path - Added new function pluginPaths - Added functions to get runtime QCA version - Fixed 'no watch file' warnings in FileWatch - Added EME_PKCS1v15_SSL Encryption Algorithm - New implementation of SafeTimer to prevent crashes - Updated certificates for unittests - RSA Keys are permutable, can encrypt with private and decrypt with public - Add unloadProvider() function for symmetry with insertProvider() - Overloaded "makeKey" to derive a password depending on a time factor - Remove pointer to deinit() routine from QCoreApplication at deinitialization - Fix a couple of crashes where all plugins might not be available - Fix operating on keys with unrelated expired subkeys - Fixed timers in Synchronizer class - Dropped randomunittest - Fixed many unittests - qca-gnupg: internal refactoring - qca-gnupg: try both gpg and gpg2 to find gnupg executable - qca-gnupg: fixed some encoding problems - qca-ossl: no DSA_* dl groups in FIPS specification - qca-ossl: added missed signatures to CRLContext - qca-ossl: fixed certs time zone - qca-nss: fixed KeyLength for Cipher - qca-botan: fixed getting result size for ciphers
Diffstat (limited to 'security')
-rw-r--r--security/qca2-gnupg/Makefile34
-rw-r--r--security/qca2-gnupg/PLIST4
-rw-r--r--security/qca2-gnupg/distinfo6
-rw-r--r--security/qca2-ossl/Makefile32
-rw-r--r--security/qca2-ossl/PLIST4
-rw-r--r--security/qca2-ossl/distinfo7
-rw-r--r--security/qca2-ossl/patches/patch-aa303
-rw-r--r--security/qca2-qt5-gnupg/DESCR17
-rw-r--r--security/qca2-qt5-gnupg/Makefile24
-rw-r--r--security/qca2-qt5-gnupg/PLIST2
-rw-r--r--security/qca2-qt5-ossl/DESCR15
-rw-r--r--security/qca2-qt5-ossl/Makefile23
-rw-r--r--security/qca2-qt5-ossl/PLIST2
-rw-r--r--security/qca2-qt5/DESCR16
-rw-r--r--security/qca2-qt5/Makefile23
-rw-r--r--security/qca2-qt5/PLIST31
-rw-r--r--security/qca2-qt5/buildlink3.mk14
-rw-r--r--security/qca2/Makefile38
-rw-r--r--security/qca2/Makefile.common27
-rw-r--r--security/qca2/PLIST19
-rw-r--r--security/qca2/distinfo19
-rw-r--r--security/qca2/patches/patch-CMakeLists.txt14
-rw-r--r--security/qca2/patches/patch-aa26
-rw-r--r--security/qca2/patches/patch-app.pri14
-rw-r--r--security/qca2/patches/patch-configure13
-rw-r--r--security/qca2/patches/patch-plugins_qca-ossl_CMakeLists.txt15
-rw-r--r--security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.c417
-rw-r--r--security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.h64
-rw-r--r--security/qca2/patches/patch-plugins_qca-ossl_qca-ossl.cpp1503
-rw-r--r--security/qca2/patches/patch-src_botantools_botan_botan_secmem.h13
30 files changed, 2277 insertions, 462 deletions
diff --git a/security/qca2-gnupg/Makefile b/security/qca2-gnupg/Makefile
index 09a1a784db1..13fc42d3991 100644
--- a/security/qca2-gnupg/Makefile
+++ b/security/qca2-gnupg/Makefile
@@ -1,29 +1,25 @@
-# $NetBSD: Makefile,v 1.21 2017/08/29 12:23:25 wiz Exp $
+# $NetBSD: Makefile,v 1.22 2018/01/31 09:14:55 markd Exp $
-DISTNAME= qca-gnupg-2.0.0-beta3
-PKGNAME= qca2-gnupg-${DISTNAME:S/-beta/beta/:C/.*-//}
-PKGREVISION= 18
-CATEGORIES= security
-MASTER_SITES= http://delta.affinix.com/download/qca/2.0/plugins/
-EXTRACT_SUFX= .tar.bz2
+PKGNAME= qca2-gnupg-${DISTNAME:C/.*-//}
-MAINTAINER= jfranz@bsdprojects.net
-HOMEPAGE= http://delta.affinix.com/qca/
COMMENT= Cross-platform crypto API for QT - GnuPG plugin
-LICENSE= gnu-lgpl-v2.1
+
+.include "../../security/qca2/Makefile.common"
DEPENDS+= gnupg2-[0-9]*:../../security/gnupg2
-USE_TOOLS+= gmake
-USE_LIBTOOL= yes
-HAS_CONFIGURE= yes
-USE_LANGUAGES= c c++
+BUILD_DIRS= plugins/qca-gnupg
+
+CMAKE_ARGS+= -DQT4_BUILD=ON
+CMAKE_ARGS+= -DBUILD_PLUGINS=gnupg
+CMAKE_ARGS+= -DBUILD_TOOLS=OFF
+CMAKE_ARGS+= -DINST_QCA_LIB_NAME=-lqca
-CONFIGURE_ARGS+= --qtdir=${QTDIR}
-CONFIGURE_ARGS+= --with-qca=${QTDIR}
-CONFIGURE_ARGS+= --plugins-path=${DESTDIR}${QTDIR}/plugins
-#CONFIGURE_ARGS+= --with-openssl-inc=${SSLBASE}/include
-#CONFIGURE_ARGS+= --with-openssl-lib=${SSLBASE}/lib
+SUBST_CLASSES+= libname
+SUBST_STAGE.libname= post-patch
+SUBST_MESSAGE.libname= Use installed lib.
+SUBST_FILES.libname= plugins/qca-gnupg/CMakeLists.txt
+SUBST_SED.libname= -e 's:{QCA_LIB_NAME}:{INST_QCA_LIB_NAME}:'
.include "../../security/qca2/buildlink3.mk"
.include "../../mk/bsd.pkg.mk"
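Review bot: The five `SUBST_*.libname` lines and the `-DBUILD_TOOLS=OFF` / `-DINST_QCA_LIB_NAME=` arguments added here are repeated almost verbatim in security/qca2-ossl/Makefile, security/qca2-qt5-gnupg/Makefile and security/qca2-qt5-ossl/Makefile, differing only in the plugin directory and the library name. All four already include `../../security/qca2/Makefile.common`, so the block could live in one shared fragment keyed on a per-package variable (a proposed name, not an existing one: `SUBST_FILES.libname= plugins/qca-${QCA_PLUGIN}/CMakeLists.txt`), which keeps a later change to the substitution from missing one copy. Judging by `SUBST_MESSAGE.libname`, the sed makes the plugin link against the already installed library; a comment such as `# link the plugin against the installed libqca, not the in-tree target` above `SUBST_CLASSES+= libname` would state that intent.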
diff --git a/security/qca2-gnupg/PLIST b/security/qca2-gnupg/PLIST
index 179fb68eaa6..15b970dae3f 100644
--- a/security/qca2-gnupg/PLIST
+++ b/security/qca2-gnupg/PLIST
@@ -1,2 +1,2 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2011/10/18 00:46:58 schnoebe Exp $
-qt4/plugins/crypto/libqca-gnupg.la
+@comment $NetBSD: PLIST,v 1.2 2018/01/31 09:14:55 markd Exp $
+qt4/plugins/crypto/libqca-gnupg.so
diff --git a/security/qca2-gnupg/distinfo b/security/qca2-gnupg/distinfo
deleted file mode 100644
index 8bb401fa877..00000000000
--- a/security/qca2-gnupg/distinfo
+++ /dev/null
@@ -1,6 +0,0 @@
-$NetBSD: distinfo,v 1.2 2015/11/04 01:18:06 agc Exp $
-
-SHA1 (qca-gnupg-2.0.0-beta3.tar.bz2) = 77e3874b9ed427e281b23b9bf41ecc95e74f7053
-RMD160 (qca-gnupg-2.0.0-beta3.tar.bz2) = 2531d81179e0b78cc3689c7891b4c6c60d56a422
-SHA512 (qca-gnupg-2.0.0-beta3.tar.bz2) = b9e0591e861a57c10accbdf91ba6ff5f3cd272254bcd1425a44cdce2689cb626fbf9d62f2657724f293f5ca60dfb4bc5aa7ada850b768f6cba6bb388b97bbdc7
-Size (qca-gnupg-2.0.0-beta3.tar.bz2) = 38177 bytes
diff --git a/security/qca2-ossl/Makefile b/security/qca2-ossl/Makefile
index cf78ea2a59e..971d3043a4e 100644
--- a/security/qca2-ossl/Makefile
+++ b/security/qca2-ossl/Makefile
@@ -1,27 +1,23 @@
-# $NetBSD: Makefile,v 1.34 2016/03/29 23:04:01 khorben Exp $
+# $NetBSD: Makefile,v 1.35 2018/01/31 09:14:56 markd Exp $
-DISTNAME= qca-ossl-2.0.0-beta3
-PKGNAME= qca2-ossl-${DISTNAME:S/-beta/beta/:C/.*-//}
-PKGREVISION= 30
-CATEGORIES= security
-MASTER_SITES= http://delta.affinix.com/download/qca/2.0/plugins/
-EXTRACT_SUFX= .tar.bz2
+PKGNAME= qca2-ossl-${DISTNAME:C/.*-//}
-MAINTAINER= pkgsrc-users@NetBSD.org
-HOMEPAGE= http://delta.affinix.com/qca/
COMMENT= Cross-platform crypto API for QT - OpenSSL plugin
-USE_TOOLS+= gmake
-USE_LIBTOOL= yes
-HAS_CONFIGURE= yes
-USE_LANGUAGES= c c++
+.include "../../security/qca2/Makefile.common"
-CONFIGURE_ARGS+= --qtdir=${QTDIR}
-CONFIGURE_ARGS+= --with-qca=${QTDIR}
-CONFIGURE_ARGS+= --with-openssl-inc=${SSLBASE}/include
-CONFIGURE_ARGS+= --with-openssl-lib=${SSLBASE}/lib
+BUILD_DIRS= plugins/qca-ossl
-INSTALL_MAKE_FLAGS+= INSTALL_ROOT=${DESTDIR}
+CMAKE_ARGS+= -DQT4_BUILD=ON
+CMAKE_ARGS+= -DBUILD_PLUGINS=ossl
+CMAKE_ARGS+= -DBUILD_TOOLS=OFF
+CMAKE_ARGS+= -DINST_QCA_LIB_NAME=-lqca
+
+SUBST_CLASSES+= libname
+SUBST_STAGE.libname= post-patch
+SUBST_MESSAGE.libname= Use installed lib.
+SUBST_FILES.libname= plugins/qca-ossl/CMakeLists.txt
+SUBST_SED.libname= -e 's:{QCA_LIB_NAME}:{INST_QCA_LIB_NAME}:'
.include "../../security/qca2/buildlink3.mk"
.include "../../security/openssl/buildlink3.mk"
diff --git a/security/qca2-ossl/PLIST b/security/qca2-ossl/PLIST
index 3cf80bd1fba..d6978d1301e 100644
--- a/security/qca2-ossl/PLIST
+++ b/security/qca2-ossl/PLIST
@@ -1,2 +1,2 @@
-@comment $NetBSD: PLIST,v 1.1.1.1 2007/12/20 20:20:17 jdolecek Exp $
-qt4/plugins/crypto/libqca-ossl.la
+@comment $NetBSD: PLIST,v 1.2 2018/01/31 09:14:56 markd Exp $
+qt4/plugins/crypto/libqca-ossl.so
diff --git a/security/qca2-ossl/distinfo b/security/qca2-ossl/distinfo
deleted file mode 100644
index 99ec70241ec..00000000000
--- a/security/qca2-ossl/distinfo
+++ /dev/null
@@ -1,7 +0,0 @@
-$NetBSD: distinfo,v 1.5 2016/03/29 23:04:01 khorben Exp $
-
-SHA1 (qca-ossl-2.0.0-beta3.tar.bz2) = dd925e8732ff76f24f9f90f4094abaf2f0ac27bf
-RMD160 (qca-ossl-2.0.0-beta3.tar.bz2) = c979c3c3427eb45e8866e28746f83966e8bcf3c2
-SHA512 (qca-ossl-2.0.0-beta3.tar.bz2) = 17b30099c1bc8650757d71fd9e7824831b132cedc920f59832cb5a8096b90932834e05f3f77ed34e213fdadf881625710e1311ae4fcc4c0919a1684adb4525b8
-Size (qca-ossl-2.0.0-beta3.tar.bz2) = 49188 bytes
-SHA1 (patch-aa) = 186e34288e91383a3a13a5bfbde109f80d9d71e3
diff --git a/security/qca2-ossl/patches/patch-aa b/security/qca2-ossl/patches/patch-aa
deleted file mode 100644
index 4d21ef6add6..00000000000
--- a/security/qca2-ossl/patches/patch-aa
+++ /dev/null
@@ -1,303 +0,0 @@
-$NetBSD: patch-aa,v 1.3 2016/03/29 23:04:01 khorben Exp $
-
-Remove support for SSLv2
-
---- qca-ossl.cpp.orig 2007-12-11 06:34:57.000000000 +0000
-+++ qca-ossl.cpp
-@@ -42,6 +42,15 @@
- #define OSSL_097
- #endif
-
-+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L
-+// OpenSSL 1.0.0 makes a few changes that aren't very C++ friendly...
-+// Among other things, CHECKED_PTR_OF returns a void*, but is used in
-+// contexts requiring STACK pointers.
-+#undef CHECKED_PTR_OF
-+#define CHECKED_PTR_OF(type, p) \
-+ ((_STACK*) (1 ? p : (type*)0))
-+#endif
-+
- using namespace QCA;
-
- namespace opensslQCAPlugin {
-@@ -327,7 +336,7 @@ static X509_EXTENSION *new_subject_key_i
- X509V3_CTX ctx;
- X509V3_set_ctx_nodb(&ctx);
- X509V3_set_ctx(&ctx, NULL, cert, NULL, NULL, 0);
-- X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
-+ X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char *)"hash");
- return ex;
- }
-
-@@ -1182,6 +1191,7 @@ public:
- {
- pkey = from.pkey;
- CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
-+ raw_type = false;
- state = Idle;
- }
-
-@@ -1226,6 +1236,7 @@ public:
- }
- else
- {
-+ raw_type = false;
- EVP_MD_CTX_init(&mdctx);
- if(!EVP_VerifyInit_ex(&mdctx, type, NULL))
- state = VerifyError;
-@@ -1771,8 +1782,10 @@ public:
- md = EVP_sha1();
- else if(alg == EMSA3_MD5)
- md = EVP_md5();
-+#ifdef HAVE_OPENSSL_MD2
- else if(alg == EMSA3_MD2)
- md = EVP_md2();
-+#endif
- else if(alg == EMSA3_RIPEMD160)
- md = EVP_ripemd160();
- else if(alg == EMSA3_Raw)
-@@ -1789,8 +1802,10 @@ public:
- md = EVP_sha1();
- else if(alg == EMSA3_MD5)
- md = EVP_md5();
-+#ifdef HAVE_OPENSSL_MD2
- else if(alg == EMSA3_MD2)
- md = EVP_md2();
-+#endif
- else if(alg == EMSA3_RIPEMD160)
- md = EVP_ripemd160();
- else if(alg == EMSA3_Raw)
-@@ -3385,9 +3400,11 @@ public:
- case NID_md5WithRSAEncryption:
- p.sigalgo = QCA::EMSA3_MD5;
- break;
-+#ifdef HAVE_OPENSSL_MD2
- case NID_md2WithRSAEncryption:
- p.sigalgo = QCA::EMSA3_MD2;
- break;
-+#endif
- case NID_ripemd160WithRSA:
- p.sigalgo = QCA::EMSA3_RIPEMD160;
- break;
-@@ -3871,9 +3888,11 @@ public:
- case NID_md5WithRSAEncryption:
- p.sigalgo = QCA::EMSA3_MD5;
- break;
-+#ifdef HAVE_OPENSSL_MD2
- case NID_md2WithRSAEncryption:
- p.sigalgo = QCA::EMSA3_MD2;
- break;
-+#endif
- case NID_ripemd160WithRSA:
- p.sigalgo = QCA::EMSA3_RIPEMD160;
- break;
-@@ -4061,9 +4080,11 @@ public:
- case NID_md5WithRSAEncryption:
- p.sigalgo = QCA::EMSA3_MD5;
- break;
-+#ifdef HAVE_OPENSSL_MD2
- case NID_md2WithRSAEncryption:
- p.sigalgo = QCA::EMSA3_MD2;
- break;
-+#endif
- case NID_ripemd160WithRSA:
- p.sigalgo = QCA::EMSA3_RIPEMD160;
- break;
-@@ -5128,14 +5149,21 @@ public:
- v_eof = false;
- }
-
-+ // dummy verification function for SSL_set_verify()
-+ static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
-+ {
-+ Q_UNUSED(preverify_ok);
-+ Q_UNUSED(x509_ctx);
-+
-+ // don't terminate handshake in case of verification failure
-+ return 1;
-+ }
-+
- virtual QStringList supportedCipherSuites(const TLS::Version &version) const
- {
- OpenSSL_add_ssl_algorithms();
- SSL_CTX *ctx = 0;
- switch (version) {
-- case TLS::SSL_v2:
-- ctx = SSL_CTX_new(SSLv2_client_method());
-- break;
- case TLS::SSL_v3:
- ctx = SSL_CTX_new(SSLv3_client_method());
- break;
-@@ -5151,6 +5179,8 @@ public:
- if (NULL == ctx)
- return QStringList();
-
-+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2);
-+
- SSL *ssl = SSL_new(ctx);
- if (NULL == ssl) {
- SSL_CTX_free(ctx);
-@@ -5692,6 +5722,14 @@ public:
- }
- }
-
-+ // request a certificate from the client, if in server mode
-+ if(serv)
-+ {
-+ SSL_set_verify(ssl,
-+ SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
-+ ssl_verify_callback);
-+ }
-+
- return true;
- }
-
-@@ -6155,6 +6193,7 @@ public:
- i2d_PKCS7_bio(bo, p7);
- //PEM_write_bio_PKCS7(bo, p7);
- out = bio2ba(bo);
-+ PKCS7_free(p7);
- }
- else
- {
-@@ -6582,7 +6621,9 @@ static QStringList all_hash_types()
- list += "sha1";
- list += "sha0";
- list += "ripemd160";
-+#ifdef HAVE_OPENSSL_MD2
- list += "md2";
-+#endif
- list += "md4";
- list += "md5";
- #ifdef SHA224_DIGEST_LENGTH
-@@ -6597,9 +6638,11 @@ static QStringList all_hash_types()
- #ifdef SHA512_DIGEST_LENGTH
- list += "sha512";
- #endif
-+/*
- #ifdef OBJ_whirlpool
- list += "whirlpool";
- #endif
-+*/
- return list;
- }
-
-@@ -6671,7 +6714,7 @@ public:
- {
- }
-
-- Context *clone() const
-+ Provider::Context *clone() const
- {
- return new opensslInfoContext(*this);
- }
-@@ -6692,6 +6735,34 @@ public:
- }
- };
-
-+class opensslRandomContext : public RandomContext
-+{
-+public:
-+ opensslRandomContext(QCA::Provider *p) : RandomContext(p)
-+ {
-+ }
-+
-+ Context *clone() const
-+ {
-+ return new opensslRandomContext(*this);
-+ }
-+
-+ QCA::SecureArray nextBytes(int size)
-+ {
-+ QCA::SecureArray buf(size);
-+ int r;
-+ // FIXME: loop while we don't have enough random bytes.
-+ while (true) {
-+ r = RAND_bytes((unsigned char*)(buf.data()), size);
-+ if (r == 1) break; // success
-+ r = RAND_pseudo_bytes((unsigned char*)(buf.data()),
-+ size);
-+ if (r >= 0) break; // accept insecure random numbers
-+ }
-+ return buf;
-+ }
-+};
-+
- }
-
- using namespace opensslQCAPlugin;
-@@ -6711,11 +6782,14 @@ public:
- OpenSSL_add_all_algorithms();
- ERR_load_crypto_strings();
-
-- srand(time(NULL));
-- char buf[128];
-- for(int n = 0; n < 128; ++n)
-- buf[n] = rand();
-- RAND_seed(buf, 128);
-+ // seed the RNG if it's not seeded yet
-+ if (RAND_status() == 0) {
-+ qsrand(time(NULL));
-+ char buf[128];
-+ for(int n = 0; n < 128; ++n)
-+ buf[n] = qrand();
-+ RAND_seed(buf, 128);
-+ }
-
- openssl_initted = true;
- }
-@@ -6754,10 +6828,13 @@ public:
- QStringList features() const
- {
- QStringList list;
-+ list += "random";
- list += all_hash_types();
- list += all_mac_types();
- list += all_cipher_types();
-+#ifdef HAVE_OPENSSL_MD2
- list += "pbkdf1(md2)";
-+#endif
- list += "pbkdf1(sha1)";
- list += "pbkdf2(sha1)";
- list += "pkey";
-@@ -6780,7 +6857,9 @@ public:
- Context *createContext(const QString &type)
- {
- //OpenSSL_add_all_digests();
-- if ( type == "info" )
-+ if ( type == "random" )
-+ return new opensslRandomContext(this);
-+ else if ( type == "info" )
- return new opensslInfoContext(this);
- else if ( type == "sha1" )
- return new opensslHashContext( EVP_sha1(), this, type);
-@@ -6788,8 +6867,10 @@ public:
- return new opensslHashContext( EVP_sha(), this, type);
- else if ( type == "ripemd160" )
- return new opensslHashContext( EVP_ripemd160(), this, type);
-+#ifdef HAVE_OPENSSL_MD2
- else if ( type == "md2" )
- return new opensslHashContext( EVP_md2(), this, type);
-+#endif
- else if ( type == "md4" )
- return new opensslHashContext( EVP_md4(), this, type);
- else if ( type == "md5" )
-@@ -6810,14 +6891,18 @@ public:
- else if ( type == "sha512" )
- return new opensslHashContext( EVP_sha512(), this, type);
- #endif
-+/*
- #ifdef OBJ_whirlpool
- else if ( type == "whirlpool" )
- return new opensslHashContext( EVP_whirlpool(), this, type);
- #endif
-+*/
- else if ( type == "pbkdf1(sha1)" )
- return new opensslPbkdf1Context( EVP_sha1(), this, type );
-+#ifdef HAVE_OPENSSL_MD2
- else if ( type == "pbkdf1(md2)" )
- return new opensslPbkdf1Context( EVP_md2(), this, type );
-+#endif
- else if ( type == "pbkdf2(sha1)" )
- return new opensslPbkdf2Context( this, type );
- else if ( type == "hmac(md5)" )
diff --git a/security/qca2-qt5-gnupg/DESCR b/security/qca2-qt5-gnupg/DESCR
new file mode 100644
index 00000000000..7c6d9141d34
--- /dev/null
+++ b/security/qca2-qt5-gnupg/DESCR
@@ -0,0 +1,17 @@
+Taking a hint from the similarly-named Java Cryptography Architecture,
+QCA aims to provide a straightforward and cross-platform crypto
+API, using Qt datatypes and conventions. QCA separates the API from
+the implementation, using plugins known as Providers. The advantage
+of this model is to allow applications to avoid linking to or
+explicitly depending on any particular cryptographic library. This
+allows one to easily change or upgrade crypto implementations
+without even needing to recompile the application. QCA should work
+everywhere Qt does, including Windows/Unix/MacOSX.
+
+Capabilities:
+TLS, CMS, X.509, RSA, DSA, Diffie-Hellman, PKCS#7, PKCS#12, SHA0,
+SHA1, SHA224, SHA256, SHA384, SHA512, MD2, MD4, MD5, RIPEMD160,
+Blowfish, DES, 3DES, AES128, AES192, AES256, CAST5, HMAC(SHA1, MD5,
+RIPEMD160), PBKDF1(MD2, SHA1), PBKDF2(SHA1)
+
+This is the GnuPG plugin.
diff --git a/security/qca2-qt5-gnupg/Makefile b/security/qca2-qt5-gnupg/Makefile
new file mode 100644
index 00000000000..062133c7317
--- /dev/null
+++ b/security/qca2-qt5-gnupg/Makefile
@@ -0,0 +1,24 @@
+# $NetBSD: Makefile,v 1.1 2018/01/31 09:14:56 markd Exp $
+
+PKGNAME= qca2-qt5-gnupg-${DISTNAME:C/.*-//}
+
+COMMENT= Cross-platform crypto API for QT5 - GnuPG plugin
+
+.include "../../security/qca2/Makefile.common"
+
+DEPENDS+= gnupg2-[0-9]*:../../security/gnupg2
+
+BUILD_DIRS= plugins/qca-gnupg
+
+CMAKE_ARGS+= -DBUILD_PLUGINS=gnupg
+CMAKE_ARGS+= -DBUILD_TOOLS=OFF
+CMAKE_ARGS+= -DINST_QCA_LIB_NAME=-lqca-qt5
+
+SUBST_CLASSES+= libname
+SUBST_STAGE.libname= post-patch
+SUBST_MESSAGE.libname= Use installed lib.
+SUBST_FILES.libname= plugins/qca-gnupg/CMakeLists.txt
+SUBST_SED.libname= -e 's:{QCA_LIB_NAME}:{INST_QCA_LIB_NAME}:'
+
+.include "../../security/qca2-qt5/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/qca2-qt5-gnupg/PLIST b/security/qca2-qt5-gnupg/PLIST
new file mode 100644
index 00000000000..2a361f5be99
--- /dev/null
+++ b/security/qca2-qt5-gnupg/PLIST
@@ -0,0 +1,2 @@
+@comment $NetBSD: PLIST,v 1.1 2018/01/31 09:14:56 markd Exp $
+qt5/plugins/crypto/libqca-gnupg.so
diff --git a/security/qca2-qt5-ossl/DESCR b/security/qca2-qt5-ossl/DESCR
new file mode 100644
index 00000000000..8686fe8eb6e
--- /dev/null
+++ b/security/qca2-qt5-ossl/DESCR
@@ -0,0 +1,15 @@
+Taking a hint from the similarly-named Java Cryptography Architecture,
+QCA aims to provide a straightforward and cross-platform crypto
+API, using Qt datatypes and conventions. QCA separates the API from
+the implementation, using plugins known as Providers. The advantage
+of this model is to allow applications to avoid linking to or
+explicitly depending on any particular cryptographic library. This
+allows one to easily change or upgrade crypto implementations
+without even needing to recompile the application. QCA should work
+everywhere Qt does, including Windows/Unix/MacOSX.
+
+Capabilities:
+TLS, CMS, X.509, RSA, DSA, Diffie-Hellman, PKCS#7, PKCS#12, SHA0,
+SHA1, SHA224, SHA256, SHA384, SHA512, MD2, MD4, MD5, RIPEMD160,
+Blowfish, DES, 3DES, AES128, AES192, AES256, CAST5, HMAC(SHA1, MD5,
+RIPEMD160), PBKDF1(MD2, SHA1), PBKDF2(SHA1)
diff --git a/security/qca2-qt5-ossl/Makefile b/security/qca2-qt5-ossl/Makefile
new file mode 100644
index 00000000000..c08f68c8d75
--- /dev/null
+++ b/security/qca2-qt5-ossl/Makefile
@@ -0,0 +1,23 @@
+# $NetBSD: Makefile,v 1.1 2018/01/31 09:14:56 markd Exp $
+
+PKGNAME= qca2-qt5-ossl-${DISTNAME:C/.*-//}
+
+COMMENT= Cross-platform crypto API for QT5 - OpenSSL plugin
+
+.include "../../security/qca2/Makefile.common"
+
+BUILD_DIRS= plugins/qca-ossl
+
+CMAKE_ARGS+= -DBUILD_PLUGINS=ossl
+CMAKE_ARGS+= -DBUILD_TOOLS=OFF
+CMAKE_ARGS+= -DINST_QCA_LIB_NAME=-lqca-qt5
+
+SUBST_CLASSES+= libname
+SUBST_STAGE.libname= post-patch
+SUBST_MESSAGE.libname= Use installed lib.
+SUBST_FILES.libname= plugins/qca-ossl/CMakeLists.txt
+SUBST_SED.libname= -e 's:{QCA_LIB_NAME}:{INST_QCA_LIB_NAME}:'
+
+.include "../../security/qca2-qt5/buildlink3.mk"
+.include "../../security/openssl/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/qca2-qt5-ossl/PLIST b/security/qca2-qt5-ossl/PLIST
new file mode 100644
index 00000000000..0caa4937c41
--- /dev/null
+++ b/security/qca2-qt5-ossl/PLIST
@@ -0,0 +1,2 @@
+@comment $NetBSD: PLIST,v 1.1 2018/01/31 09:14:56 markd Exp $
+qt5/plugins/crypto/libqca-ossl.so
diff --git a/security/qca2-qt5/DESCR b/security/qca2-qt5/DESCR
new file mode 100644
index 00000000000..7389c8bcb16
--- /dev/null
+++ b/security/qca2-qt5/DESCR
@@ -0,0 +1,16 @@
+Taking a hint from the similarly-named Java Cryptography Architecture,
+QCA aims to provide a straightforward and cross-platform crypto
+API, using Qt datatypes and conventions. QCA separates the API from
+the implementation, using plugins known as Providers. The advantage
+of this model is to allow applications to avoid linking to or
+explicitly depending on any particular cryptographic library. This
+allows one to easily change or upgrade crypto implementations
+without even needing to recompile the application. QCA should work
+everywhere Qt does, including Windows/Unix/MacOSX.
+
+Features:
+* SSL/TLS
+* X509
+* RSA
+* Hashing (SHA1, MD5)
+* Ciphers (Blowfish, 3DES, AES)
diff --git a/security/qca2-qt5/Makefile b/security/qca2-qt5/Makefile
new file mode 100644
index 00000000000..61aedfb98b3
--- /dev/null
+++ b/security/qca2-qt5/Makefile
@@ -0,0 +1,23 @@
+# $NetBSD: Makefile,v 1.1 2018/01/31 09:14:56 markd Exp $
+
+PKGNAME= qca2-qt5-${DISTNAME:C/.*-//}
+
+COMMENT= Cross-platform crypto API for QT5
+
+.include "../../security/qca2/Makefile.common"
+
+DEPENDS+= mozilla-rootcerts-[0-9]*:../../security/mozilla-rootcerts
+
+INSTALLATION_DIRS= lib/pkgconfig
+
+CMAKE_ARGS+= -DBUILD_PLUGINS=none
+CMAKE_ARGS+= -DQCA_MAN_INSTALL_DIR=${PREFIX}/${PKGMANDIR}
+
+PKGCONFIG_OVERRIDE= lib/pkgconfig/qca2-qt5.pc
+PKGCONFIG_OVERRIDE_STAGE= post-configure
+
+post-install:
+ ${INSTALL_DATA} ${DESTDIR}${QTDIR}/lib/pkgconfig/qca2-qt5.pc ${DESTDIR}${PREFIX}/lib/pkgconfig/qca2-qt5.pc
+
+.include "../../x11/qt5-qtbase/buildlink3.mk"
+.include "../../mk/bsd.pkg.mk"
diff --git a/security/qca2-qt5/PLIST b/security/qca2-qt5/PLIST
new file mode 100644
index 00000000000..9f649583e77
--- /dev/null
+++ b/security/qca2-qt5/PLIST
@@ -0,0 +1,31 @@
+@comment $NetBSD: PLIST,v 1.1 2018/01/31 09:14:56 markd Exp $
+lib/pkgconfig/qca2-qt5.pc
+man/man1/qcatool-qt5.1
+qt5/bin/mozcerts-qt5
+qt5/bin/qcatool-qt5
+qt5/include/Qca-qt5/QtCrypto/QtCrypto
+qt5/include/Qca-qt5/QtCrypto/qca.h
+qt5/include/Qca-qt5/QtCrypto/qca_basic.h
+qt5/include/Qca-qt5/QtCrypto/qca_cert.h
+qt5/include/Qca-qt5/QtCrypto/qca_core.h
+qt5/include/Qca-qt5/QtCrypto/qca_export.h
+qt5/include/Qca-qt5/QtCrypto/qca_keystore.h
+qt5/include/Qca-qt5/QtCrypto/qca_publickey.h
+qt5/include/Qca-qt5/QtCrypto/qca_safetimer.h
+qt5/include/Qca-qt5/QtCrypto/qca_securelayer.h
+qt5/include/Qca-qt5/QtCrypto/qca_securemessage.h
+qt5/include/Qca-qt5/QtCrypto/qca_support.h
+qt5/include/Qca-qt5/QtCrypto/qca_textfilter.h
+qt5/include/Qca-qt5/QtCrypto/qca_tools.h
+qt5/include/Qca-qt5/QtCrypto/qca_version.h
+qt5/include/Qca-qt5/QtCrypto/qcaprovider.h
+qt5/include/Qca-qt5/QtCrypto/qpipe.h
+qt5/lib/cmake/Qca-qt5/Qca-qt5Config.cmake
+qt5/lib/cmake/Qca-qt5/Qca-qt5ConfigVersion.cmake
+qt5/lib/cmake/Qca-qt5/Qca-qt5Targets-noconfig.cmake
+qt5/lib/cmake/Qca-qt5/Qca-qt5Targets.cmake
+qt5/lib/libqca-qt5.so
+qt5/lib/libqca-qt5.so.2
+qt5/lib/libqca-qt5.so.${PKGVERSION}
+qt5/lib/pkgconfig/qca2-qt5.pc
+qt5/mkspecs/features/crypto.prf
diff --git a/security/qca2-qt5/buildlink3.mk b/security/qca2-qt5/buildlink3.mk
new file mode 100644
index 00000000000..fee16aaf05a
--- /dev/null
+++ b/security/qca2-qt5/buildlink3.mk
@@ -0,0 +1,14 @@
+# $NetBSD: buildlink3.mk,v 1.1 2018/01/31 09:14:56 markd Exp $
+
+BUILDLINK_TREE+= qca2-qt5
+
+.if !defined(QCA2_QT5_BUILDLINK3_MK)
+QCA2_QT5_BUILDLINK3_MK:=
+
+BUILDLINK_API_DEPENDS.qca2-qt5+= qca2-qt5>=2.1.3
+BUILDLINK_PKGSRCDIR.qca2-qt5?= ../../security/qca2-qt5
+
+.include "../../x11/qt5-qtbase/buildlink3.mk"
+.endif # QCA2_QT5_BUILDLINK3_MK
+
+BUILDLINK_TREE+= -qca2-qt5
diff --git a/security/qca2/Makefile b/security/qca2/Makefile
index 69dcf9899e5..e676ffd2ae7 100644
--- a/security/qca2/Makefile
+++ b/security/qca2/Makefile
@@ -1,31 +1,21 @@
-# $NetBSD: Makefile,v 1.38 2016/03/05 11:27:55 jperkin Exp $
+# $NetBSD: Makefile,v 1.39 2018/01/31 09:14:55 markd Exp $
-DISTNAME= qca-2.0.3
PKGNAME= qca2-${DISTNAME:C/.*-//}
-PKGREVISION= 20
-CATEGORIES= security
-MASTER_SITES= http://delta.affinix.com/download/qca/2.0/
-EXTRACT_SUFX= .tar.bz2
-MAINTAINER= pkgsrc-users@NetBSD.org
-HOMEPAGE= http://delta.affinix.com/qca/
COMMENT= Cross-platform crypto API for QT
-LICENSE= gnu-lgpl-v2.1
-
-USE_TOOLS+= gmake
-USE_LIBTOOL= yes
-HAS_CONFIGURE= yes
-USE_LANGUAGES= c++
-INSTALL_MAKE_FLAGS+= INSTALL_ROOT=${DESTDIR:Q}
-
-INSTALLATION_DIRS= qt4/include qt4/lib qt4/plugins/crypto lib/pkgconfig
-
-# install under qt4 prefix to not clash with qca 1.x
-CONFIGURE_ARGS+= --prefix=${QTDIR}
-CONFIGURE_ARGS+= --qtdir=${QTDIR}
-CONFIGURE_ARGS+= --disable-tests
-CONFIGURE_ARGS+= --certstore-internal
-CONFIGURE_ARGS+= --no-framework
+
+.include "Makefile.common"
+
+DEPENDS+= mozilla-rootcerts-[0-9]*:../../security/mozilla-rootcerts
+
+INSTALLATION_DIRS= lib/pkgconfig
+
+CMAKE_ARGS+= -DBUILD_PLUGINS=none
+CMAKE_ARGS+= -DQT4_BUILD=ON
+CMAKE_ARGS+= -DQCA_MAN_INSTALL_DIR=${PREFIX}/${PKGMANDIR}
+
+PKGCONFIG_OVERRIDE= lib/pkgconfig/qca2.pc
+PKGCONFIG_OVERRIDE_STAGE= post-configure
post-install:
${INSTALL_DATA} ${DESTDIR}${QTDIR}/lib/pkgconfig/qca2.pc ${DESTDIR}${PREFIX}/lib/pkgconfig/qca2.pc
diff --git a/security/qca2/Makefile.common b/security/qca2/Makefile.common
new file mode 100644
index 00000000000..f94e46c8a87
--- /dev/null
+++ b/security/qca2/Makefile.common
@@ -0,0 +1,27 @@
+# $NetBSD: Makefile.common,v 1.1 2018/01/31 09:14:55 markd Exp $
+
+DISTNAME= qca-2.1.3
+CATEGORIES= security
+MASTER_SITES= ${MASTER_SITE_KDE:=qca/2.1.3/src/}
+EXTRACT_SUFX= .tar.xz
+
+MAINTAINER= pkgsrc-users@NetBSD.org
+HOMEPAGE= http://delta.affinix.com/qca/
+LICENSE= gnu-lgpl-v2.1
+
+PATCHDIR= ${.CURDIR}/../../security/qca2/patches
+DISTINFO_FILE= ${.CURDIR}/../../security/qca2/distinfo
+
+USE_TOOLS+= gmake
+USE_CMAKE= yes
+USE_LANGUAGES= c c++
+
+# install under qt4 prefix to not clash with qca 1.x
+CMAKE_ARGS+= -DQCA_INSTALL_IN_QT_PREFIX=ON
+CMAKE_ARGS+= -DOSX_FRAMEWORK=OFF
+CMAKE_ARGS+= -DBUILD_TESTS=OFF
+
+SUBST_CLASSES+= certs
+SUBST_STAGE.certs= post-patch
+SUBST_FILES.certs= CMakeLists.txt
+SUBST_VARS.certs= PREFIX
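Review bot: The comment `# install under qt4 prefix to not clash with qca 1.x` was carried over from security/qca2/Makefile, but this fragment is now also included by the qca2-qt5 packages, whose PLISTs install under `qt5/`; it should read something like `# install under the Qt prefix (qt4/ or qt5/) so the builds do not clash with each other or with qca 1.x`. The `certs` SUBST class has no `SUBST_MESSAGE.certs`, unlike the `libname` class in the plugin Makefiles, so adding `SUBST_MESSAGE.certs= Setting mozilla-rootcerts path.` would keep the build log consistent. Separately, the commit title says 2.1.0 while `DISTNAME= qca-2.1.3`, so the log entry understates the version being imported.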
diff --git a/security/qca2/PLIST b/security/qca2/PLIST
index 67ca742471e..1dae0f259de 100644
--- a/security/qca2/PLIST
+++ b/security/qca2/PLIST
@@ -1,6 +1,8 @@
-@comment $NetBSD: PLIST,v 1.6 2014/08/26 20:59:40 joerg Exp $
+@comment $NetBSD: PLIST,v 1.7 2018/01/31 09:14:55 markd Exp $
lib/pkgconfig/qca2.pc
-qt4/bin/qcatool2
+man/man1/qcatool.1
+qt4/bin/mozcerts
+qt4/bin/qcatool
qt4/include/QtCrypto/QtCrypto
qt4/include/QtCrypto/qca.h
qt4/include/QtCrypto/qca_basic.h
@@ -9,16 +11,21 @@ qt4/include/QtCrypto/qca_core.h
qt4/include/QtCrypto/qca_export.h
qt4/include/QtCrypto/qca_keystore.h
qt4/include/QtCrypto/qca_publickey.h
+qt4/include/QtCrypto/qca_safetimer.h
qt4/include/QtCrypto/qca_securelayer.h
qt4/include/QtCrypto/qca_securemessage.h
qt4/include/QtCrypto/qca_support.h
qt4/include/QtCrypto/qca_textfilter.h
qt4/include/QtCrypto/qca_tools.h
+qt4/include/QtCrypto/qca_version.h
qt4/include/QtCrypto/qcaprovider.h
qt4/include/QtCrypto/qpipe.h
-qt4/lib/libqca.la
-qt4/lib/libqca.prl
+qt4/lib/cmake/Qca/QcaConfig.cmake
+qt4/lib/cmake/Qca/QcaConfigVersion.cmake
+qt4/lib/cmake/Qca/QcaTargets-noconfig.cmake
+qt4/lib/cmake/Qca/QcaTargets.cmake
+qt4/lib/libqca.so
+qt4/lib/libqca.so.2
+qt4/lib/libqca.so.${PKGVERSION}
qt4/lib/pkgconfig/qca2.pc
qt4/mkspecs/features/crypto.prf
-qt4/share/qca/certs/README
-qt4/share/qca/certs/rootcerts.pem
diff --git a/security/qca2/distinfo b/security/qca2/distinfo
index d8a94260f85..5444c1a3f8e 100644
--- a/security/qca2/distinfo
+++ b/security/qca2/distinfo
@@ -1,10 +1,11 @@
-$NetBSD: distinfo,v 1.8 2018/01/23 12:57:04 jperkin Exp $
+$NetBSD: distinfo,v 1.9 2018/01/31 09:14:55 markd Exp $
-SHA1 (qca-2.0.3.tar.bz2) = 9c868b05b81dce172c41b813de4de68554154c60
-RMD160 (qca-2.0.3.tar.bz2) = 333cfdce91fedfaec09c205528de52d7b569c521
-SHA512 (qca-2.0.3.tar.bz2) = c1120ffb373e294fbcc76e21dc2f503ebd3398b26d0ffa7ab7ee3a3e1a4228159358b59c2673ac4a1c2363771e61da54a5080b201c65d586ceda2e3b2facc1bb
-Size (qca-2.0.3.tar.bz2) = 4530731 bytes
-SHA1 (patch-aa) = e2e9544eafec8020e8758736aa48ab87b014bf10
-SHA1 (patch-app.pri) = 48f3842f49cd0bebc6e944a689e4d89f99990057
-SHA1 (patch-configure) = c114e4f6c2982f8293d37b332a44781fd884412b
-SHA1 (patch-src_botantools_botan_botan_secmem.h) = 4cb74801291dadb4d2c15c741bbb3b836135fcd9
+SHA1 (qca-2.1.3.tar.xz) = b5426f9b0c0cdaec4a069091bb9fc476ef363289
+RMD160 (qca-2.1.3.tar.xz) = 3577bd164bdf41147cfa0e8b4c5db01bde7d20de
+SHA512 (qca-2.1.3.tar.xz) = 0aec277e0695da2e45298f0a9006213829fe4c449a79969e472947db54f45000ba6e22361b782465bdc03f269b7301d318c843f5a83db459a118e58a03f3116a
+Size (qca-2.1.3.tar.xz) = 686340 bytes
+SHA1 (patch-CMakeLists.txt) = 4867c54f8bff523233a11201bdb021e6e81a10ed
+SHA1 (patch-plugins_qca-ossl_CMakeLists.txt) = a03e1c2e2d6c89b36060795f6f47c9b513dbf395
+SHA1 (patch-plugins_qca-ossl_libcrypto-compat.c) = 965e4db85e12df55057b3d030c568977b83fb708
+SHA1 (patch-plugins_qca-ossl_libcrypto-compat.h) = 957641557f6767e7c559d3cafba61060029d4e46
+SHA1 (patch-plugins_qca-ossl_qca-ossl.cpp) = bc1ed58f69b1a1c27f7e71b6d5c00a25a49cb37c
diff --git a/security/qca2/patches/patch-CMakeLists.txt b/security/qca2/patches/patch-CMakeLists.txt
new file mode 100644
index 00000000000..92b2d1a7b7a
--- /dev/null
+++ b/security/qca2/patches/patch-CMakeLists.txt
@@ -0,0 +1,14 @@
+$NetBSD: patch-CMakeLists.txt,v 1.1 2018/01/31 09:14:55 markd Exp $
+
+Add mozilla-rootcerts certstore to list
+
+--- CMakeLists.txt.orig 2018-01-31 20:15:27.000000000 +0000
++++ CMakeLists.txt
+@@ -304,6 +304,7 @@ else ( WIN32 )
+ "/etc/pki/tls/cert.pem"
+ "/etc/ssl/ca-bundle.pem"
+ "/usr/share/curl/curl-ca-bundle.crt"
++ "@PREFIX@/share/mozilla-rootcerts/cacert.pem"
+ )
+ foreach (_current_try ${toTry})
+ if(EXISTS ${_current_try})
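Review bot: The added `@PREFIX@/share/mozilla-rootcerts/cacert.pem` entry sits at the end of the candidate list, and the `foreach` / `if(EXISTS ...)` that follows probes the build host's filesystem, so the CA bundle path that gets chosen appears to depend on what exists on the machine building the package. If the loop takes the first existing candidate (its body is outside this hunk), a builder that has `/etc/ssl/ca-bundle.pem` would bake that path into the binary package, leaving the new mozilla-rootcerts dependency unused, and hosts installing the package may not have that file at all. For a TLS trust store this should be deterministic: either put the `@PREFIX@` entry first in the list, or set the store path explicitly from the package Makefile instead of relying on detection. A sentence in the patch header naming the path that is expected to win would help the next person auditing certificate validation in this package.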
diff --git a/security/qca2/patches/patch-aa b/security/qca2/patches/patch-aa
deleted file mode 100644
index f5759778631..00000000000
--- a/security/qca2/patches/patch-aa
+++ /dev/null
@@ -1,26 +0,0 @@
-$NetBSD: patch-aa,v 1.3 2018/01/23 12:57:05 jperkin Exp $
-
-Don't override QMAKE_MACOSX_DEPLOYMENT_TARGET.
-
---- src/src.pro.orig 2010-11-27 21:14:12.000000000 +0000
-+++ src/src.pro
-@@ -81,8 +81,6 @@ mac: {
- SOURCES += $$QCA_CPP/qca_systemstore_mac.cpp
- LIBS += -framework Carbon -framework Security
- QMAKE_LFLAGS_SONAME = -Wl,-install_name,"$$LIBDIR/"
--
-- QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.3
- }
-
- mac:lib_bundle: {
-@@ -108,10 +106,6 @@ unix: {
- incfiles.files = $$PUBLIC_HEADERS
- incfiles.files += $$QCA_INC/qca.h $$QCA_INC/QtCrypto
- !lib_bundle:INSTALLS += incfiles
--
-- manfiles.path = $$DATADIR/man/man1
-- manfiles.files = $$QCA_BASE/man/qcatool2.1
-- INSTALLS += manfiles
- }
-
- !debug_and_release|build_pass {
diff --git a/security/qca2/patches/patch-app.pri b/security/qca2/patches/patch-app.pri
deleted file mode 100644
index 0ac64e4fcec..00000000000
--- a/security/qca2/patches/patch-app.pri
+++ /dev/null
@@ -1,14 +0,0 @@
-$NetBSD: patch-app.pri,v 1.1 2018/01/23 12:57:05 jperkin Exp $
-
-Don't override QMAKE_MACOSX_DEPLOYMENT_TARGET.
-
---- app.pri.orig 2009-04-24 21:12:15.000000000 +0000
-+++ app.pri
-@@ -1,7 +1,5 @@
- include(confapp.pri)
-
--mac:QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.3
--
- exists(crypto.prf) {
- # our apps should build against the qca in this tree
- include(crypto.prf)
diff --git a/security/qca2/patches/patch-configure b/security/qca2/patches/patch-configure
deleted file mode 100644
index a08089afc50..00000000000
--- a/security/qca2/patches/patch-configure
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-configure,v 1.1 2012/01/16 20:36:08 adam Exp $
-
---- configure.orig 2012-01-16 20:32:17.000000000 +0000
-+++ configure
-@@ -977,7 +977,7 @@ public:
- {
- bundled = false;
-
--#if defined(Q_OS_WIN) || defined(Q_OS_MAC)
-+#if defined(Q_OS_WIN)
- // use built-in
- return true;
- #else
diff --git a/security/qca2/patches/patch-plugins_qca-ossl_CMakeLists.txt b/security/qca2/patches/patch-plugins_qca-ossl_CMakeLists.txt
new file mode 100644
index 00000000000..fdaef805ef4
--- /dev/null
+++ b/security/qca2/patches/patch-plugins_qca-ossl_CMakeLists.txt
@@ -0,0 +1,15 @@
+$NetBSD: patch-plugins_qca-ossl_CMakeLists.txt,v 1.1 2018/01/31 09:14:55 markd Exp $
+
+openssl 1.1 support
+
+--- plugins/qca-ossl/CMakeLists.txt.orig 2018-01-30 20:26:20.512731852 +0000
++++ plugins/qca-ossl/CMakeLists.txt
+@@ -32,7 +32,7 @@ if(OPENSSL_FOUND)
+ message(WARNING "qca-ossl will be compiled without SHA-0 digest algorithm support")
+ endif(HAVE_OPENSSL_SHA0)
+
+- set(QCA_OSSL_SOURCES qca-ossl.cpp)
++ set(QCA_OSSL_SOURCES libcrypto-compat.c qca-ossl.cpp)
+
+ my_automoc( QCA_OSSL_SOURCES )
+
diff --git a/security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.c b/security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.c
new file mode 100644
index 00000000000..f30bdf3230d
--- /dev/null
+++ b/security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.c
@@ -0,0 +1,417 @@
+$NetBSD: patch-plugins_qca-ossl_libcrypto-compat.c,v 1.1 2018/01/31 09:14:55 markd Exp $
+
+openssl 1.1 support
+
+--- plugins/qca-ossl/libcrypto-compat.c.orig 2018-01-30 20:34:52.547356534 +0000
++++ plugins/qca-ossl/libcrypto-compat.c
+@@ -0,0 +1,410 @@
++/*
++ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the OpenSSL license (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#include <openssl/evp.h>
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <string.h>
++#include <openssl/engine.h>
++
++static void *OPENSSL_zalloc(size_t num)
++{
++ void *ret = OPENSSL_malloc(num);
++
++ if (ret != NULL)
++ memset(ret, 0, num);
++ return ret;
++}
++
++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
++{
++ /* If the fields n and e in r are NULL, the corresponding input
++ * parameters MUST be non-NULL for n and e. d may be
++ * left NULL (in case only the public key is used).
++ */
++ if ((r->n == NULL && n == NULL)
++ || (r->e == NULL && e == NULL))
++ return 0;
++
++ if (n != NULL) {
++ BN_free(r->n);
++ r->n = n;
++ }
++ if (e != NULL) {
++ BN_free(r->e);
++ r->e = e;
++ }
++ if (d != NULL) {
++ BN_free(r->d);
++ r->d = d;
++ }
++
++ return 1;
++}
++
++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
++{
++ /* If the fields p and q in r are NULL, the corresponding input
++ * parameters MUST be non-NULL.
++ */
++ if ((r->p == NULL && p == NULL)
++ || (r->q == NULL && q == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free(r->p);
++ r->p = p;
++ }
++ if (q != NULL) {
++ BN_free(r->q);
++ r->q = q;
++ }
++
++ return 1;
++}
++
++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
++{
++ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input
++ * parameters MUST be non-NULL.
++ */
++ if ((r->dmp1 == NULL && dmp1 == NULL)
++ || (r->dmq1 == NULL && dmq1 == NULL)
++ || (r->iqmp == NULL && iqmp == NULL))
++ return 0;
++
++ if (dmp1 != NULL) {
++ BN_free(r->dmp1);
++ r->dmp1 = dmp1;
++ }
++ if (dmq1 != NULL) {
++ BN_free(r->dmq1);
++ r->dmq1 = dmq1;
++ }
++ if (iqmp != NULL) {
++ BN_free(r->iqmp);
++ r->iqmp = iqmp;
++ }
++
++ return 1;
++}
++
++void RSA_get0_key(const RSA *r,
++ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
++{
++ if (n != NULL)
++ *n = r->n;
++ if (e != NULL)
++ *e = r->e;
++ if (d != NULL)
++ *d = r->d;
++}
++
++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
++{
++ if (p != NULL)
++ *p = r->p;
++ if (q != NULL)
++ *q = r->q;
++}
++
++void RSA_get0_crt_params(const RSA *r,
++ const BIGNUM **dmp1, const BIGNUM **dmq1,
++ const BIGNUM **iqmp)
++{
++ if (dmp1 != NULL)
++ *dmp1 = r->dmp1;
++ if (dmq1 != NULL)
++ *dmq1 = r->dmq1;
++ if (iqmp != NULL)
++ *iqmp = r->iqmp;
++}
++
++void DSA_get0_pqg(const DSA *d,
++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++ if (p != NULL)
++ *p = d->p;
++ if (q != NULL)
++ *q = d->q;
++ if (g != NULL)
++ *g = d->g;
++}
++
++int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ /* If the fields p, q and g in d are NULL, the corresponding input
++ * parameters MUST be non-NULL.
++ */
++ if ((d->p == NULL && p == NULL)
++ || (d->q == NULL && q == NULL)
++ || (d->g == NULL && g == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free(d->p);
++ d->p = p;
++ }
++ if (q != NULL) {
++ BN_free(d->q);
++ d->q = q;
++ }
++ if (g != NULL) {
++ BN_free(d->g);
++ d->g = g;
++ }
++
++ return 1;
++}
++
++void DSA_get0_key(const DSA *d,
++ const BIGNUM **pub_key, const BIGNUM **priv_key)
++{
++ if (pub_key != NULL)
++ *pub_key = d->pub_key;
++ if (priv_key != NULL)
++ *priv_key = d->priv_key;
++}
++
++int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
++{
++ /* If the field pub_key in d is NULL, the corresponding input
++ * parameters MUST be non-NULL. The priv_key field may
++ * be left NULL.
++ */
++ if (d->pub_key == NULL && pub_key == NULL)
++ return 0;
++
++ if (pub_key != NULL) {
++ BN_free(d->pub_key);
++ d->pub_key = pub_key;
++ }
++ if (priv_key != NULL) {
++ BN_free(d->priv_key);
++ d->priv_key = priv_key;
++ }
++
++ return 1;
++}
++
++void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
++{
++ if (pr != NULL)
++ *pr = sig->r;
++ if (ps != NULL)
++ *ps = sig->s;
++}
++
++int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
++{
++ if (r == NULL || s == NULL)
++ return 0;
++ BN_clear_free(sig->r);
++ BN_clear_free(sig->s);
++ sig->r = r;
++ sig->s = s;
++ return 1;
++}
++
++void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
++{
++ if (pr != NULL)
++ *pr = sig->r;
++ if (ps != NULL)
++ *ps = sig->s;
++}
++
++int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
++{
++ if (r == NULL || s == NULL)
++ return 0;
++ BN_clear_free(sig->r);
++ BN_clear_free(sig->s);
++ sig->r = r;
++ sig->s = s;
++ return 1;
++}
++
++void DH_get0_pqg(const DH *dh,
++ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
++{
++ if (p != NULL)
++ *p = dh->p;
++ if (q != NULL)
++ *q = dh->q;
++ if (g != NULL)
++ *g = dh->g;
++}
++
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
++{
++ /* If the fields p and g in d are NULL, the corresponding input
++ * parameters MUST be non-NULL. q may remain NULL.
++ */
++ if ((dh->p == NULL && p == NULL)
++ || (dh->g == NULL && g == NULL))
++ return 0;
++
++ if (p != NULL) {
++ BN_free(dh->p);
++ dh->p = p;
++ }
++ if (q != NULL) {
++ BN_free(dh->q);
++ dh->q = q;
++ }
++ if (g != NULL) {
++ BN_free(dh->g);
++ dh->g = g;
++ }
++
++ if (q != NULL) {
++ dh->length = BN_num_bits(q);
++ }
++
++ return 1;
++}
++
++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
++{
++ if (pub_key != NULL)
++ *pub_key = dh->pub_key;
++ if (priv_key != NULL)
++ *priv_key = dh->priv_key;
++}
++
++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
++{
++ /* If the field pub_key in dh is NULL, the corresponding input
++ * parameters MUST be non-NULL. The priv_key field may
++ * be left NULL.
++ */
++ if (dh->pub_key == NULL && pub_key == NULL)
++ return 0;
++
++ if (pub_key != NULL) {
++ BN_free(dh->pub_key);
++ dh->pub_key = pub_key;
++ }
++ if (priv_key != NULL) {
++ BN_free(dh->priv_key);
++ dh->priv_key = priv_key;
++ }
++
++ return 1;
++}
++
++int DH_set_length(DH *dh, long length)
++{
++ dh->length = length;
++ return 1;
++}
++
++const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx)
++{
++ return ctx->iv;
++}
++
++unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx)
++{
++ return ctx->iv;
++}
++
++EVP_MD_CTX *EVP_MD_CTX_new(void)
++{
++ return OPENSSL_zalloc(sizeof(EVP_MD_CTX));
++}
++
++void EVP_MD_CTX_free(EVP_MD_CTX *ctx)
++{
++ EVP_MD_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++}
++
++RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth)
++{
++ RSA_METHOD *ret;
++
++ ret = OPENSSL_malloc(sizeof(RSA_METHOD));
++
++ if (ret != NULL) {
++ memcpy(ret, meth, sizeof(*meth));
++ ret->name = OPENSSL_strdup(meth->name);
++ if (ret->name == NULL) {
++ OPENSSL_free(ret);
++ return NULL;
++ }
++ }
++
++ return ret;
++}
++
++int RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
++{
++ char *tmpname;
++
++ tmpname = OPENSSL_strdup(name);
++ if (tmpname == NULL) {
++ return 0;
++ }
++
++ OPENSSL_free((char *)meth->name);
++ meth->name = tmpname;
++
++ return 1;
++}
++
++int RSA_meth_set_priv_enc(RSA_METHOD *meth,
++ int (*priv_enc) (int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa,
++ int padding))
++{
++ meth->rsa_priv_enc = priv_enc;
++ return 1;
++}
++
++int RSA_meth_set_priv_dec(RSA_METHOD *meth,
++ int (*priv_dec) (int flen, const unsigned char *from,
++ unsigned char *to, RSA *rsa,
++ int padding))
++{
++ meth->rsa_priv_dec = priv_dec;
++ return 1;
++}
++
++int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa))
++{
++ meth->finish = finish;
++ return 1;
++}
++
++void RSA_meth_free(RSA_METHOD *meth)
++{
++ if (meth != NULL) {
++ OPENSSL_free((char *)meth->name);
++ OPENSSL_free(meth);
++ }
++}
++
++int RSA_bits(const RSA *r)
++{
++ return (BN_num_bits(r->n));
++}
++
++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
++{
++ if (pkey->type != EVP_PKEY_RSA) {
++ return NULL;
++ }
++ return pkey->pkey.rsa;
++}
++
++
++#endif /* OPENSSL_VERSION_NUMBER */
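Review bot: The private-key setters release the value they replace with `BN_free`, which does not wipe the memory, while `DSA_SIG_set0` and `ECDSA_SIG_set0` further down use `BN_clear_free` for signature values that are not secret. The replaced BIGNUM should be cleared, e.g. `BN_clear_free(r->d);`, for `d` in `RSA_set0_key`, `p`/`q` in `RSA_set0_factors`, the three values in `RSA_set0_crt_params`, and `priv_key` in `DSA_set0_key` and `DH_set0_key`. Separately, `EVP_MD_CTX_free` hands `ctx` to `EVP_MD_CTX_cleanup` with no NULL check, although `EVP_MD_CTX_new` returns NULL when `OPENSSL_zalloc` fails. A leading `if (ctx == NULL) return;` would make the shim safe to call from a destructor after a failed allocation.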
diff --git a/security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.h b/security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.h
new file mode 100644
index 00000000000..2fe7bd24095
--- /dev/null
+++ b/security/qca2/patches/patch-plugins_qca-ossl_libcrypto-compat.h
@@ -0,0 +1,64 @@
+$NetBSD: patch-plugins_qca-ossl_libcrypto-compat.h,v 1.1 2018/01/31 09:14:55 markd Exp $
+
+openssl 1.1 support
+
+--- plugins/qca-ossl/libcrypto-compat.h.orig 2018-01-30 20:34:52.547356534 +0000
++++ plugins/qca-ossl/libcrypto-compat.h
+@@ -0,0 +1,57 @@
++#ifndef LIBCRYPTO_COMPAT_H
++#define LIBCRYPTO_COMPAT_H
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include <openssl/rsa.h>
++#include <openssl/dsa.h>
++#include <openssl/ecdsa.h>
++#include <openssl/dh.h>
++#include <openssl/evp.h>
++
++int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
++int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
++int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
++void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
++void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
++void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp);
++
++void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
++int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
++void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key);
++int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
++
++void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
++int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
++
++void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
++int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
++
++void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
++void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
++int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
++int DH_set_length(DH *dh, long length);
++
++const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx);
++unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx);
++EVP_MD_CTX *EVP_MD_CTX_new(void);
++void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
++#define EVP_CIPHER_impl_ctx_size(e) e->ctx_size
++#define EVP_CIPHER_CTX_get_cipher_data(ctx) ctx->cipher_data
++
++RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
++int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
++#define RSA_meth_get_finish(meth) meth->finish
++int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
++int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
++int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa));
++void RSA_meth_free(RSA_METHOD *meth);
++
++int RSA_bits(const RSA *r);
++
++RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* LIBCRYPTO_COMPAT_H */
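Review bot: The header tests `OPENSSL_VERSION_NUMBER` before it has included any OpenSSL header, so the result depends on what the including file pulled in first; if the macro is still undefined, the `#if` is taken as true even when building against OpenSSL 1.1. Adding `#include <openssl/opensslv.h>` right after the include guard makes the header self-contained. The three accessor macros also expand their argument unparenthesised; `#define EVP_CIPHER_impl_ctx_size(e) ((e)->ctx_size)`, and the same form for `EVP_CIPHER_CTX_get_cipher_data` and `RSA_meth_get_finish`, avoids precedence surprises when the argument is an expression.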
diff --git a/security/qca2/patches/patch-plugins_qca-ossl_qca-ossl.cpp b/security/qca2/patches/patch-plugins_qca-ossl_qca-ossl.cpp
new file mode 100644
index 00000000000..67ef345d48b
--- /dev/null
+++ b/security/qca2/patches/patch-plugins_qca-ossl_qca-ossl.cpp
@@ -0,0 +1,1503 @@
+$NetBSD: patch-plugins_qca-ossl_qca-ossl.cpp,v 1.1 2018/01/31 09:14:55 markd Exp $
+
+openssl 1.1 support
+
+--- plugins/qca-ossl/qca-ossl.cpp.orig 2017-02-06 12:29:44.000000000 +0000
++++ plugins/qca-ossl/qca-ossl.cpp
+@@ -1,6 +1,7 @@
+ /*
+ * Copyright (C) 2004-2007 Justin Karneges <justin@affinix.com>
+ * Copyright (C) 2004-2006 Brad Hards <bradh@frogmouth.net>
++ * Copyright (C) 2017 Fabian Vogt <fabian@ritter-vogt.de>
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+@@ -38,6 +39,10 @@
+ #include <openssl/pkcs12.h>
+ #include <openssl/ssl.h>
+
++extern "C" {
++#include "libcrypto-compat.h"
++}
++
+ #ifndef OSSL_097
+ // comment this out if you'd rather use openssl 0.9.6
+ #define OSSL_097
+@@ -52,6 +57,73 @@
+ ((_STACK*) (1 ? p : (type*)0))
+ #endif
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ #define OSSL_110
++#endif
++
++// OpenSSL 1.1.0 compatibility macros
++#ifdef OSSL_110
++#define M_ASN1_IA5STRING_new() ASN1_IA5STRING_new()
++#else
++static HMAC_CTX *HMAC_CTX_new() { return new HMAC_CTX(); }
++static void HMAC_CTX_free(HMAC_CTX *x) { free(x); }
++static void EVP_PKEY_up_ref(EVP_PKEY *x) { CRYPTO_add(&x->references, 1, CRYPTO_LOCK_EVP_PKEY); }
++static void X509_up_ref(X509 *x) { CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509); }
++static void X509_CRL_up_ref(X509_CRL *x) { CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL); }
++static DSA *EVP_PKEY_get0_DSA(EVP_PKEY *x) { return x->pkey.dsa; }
++static DH *EVP_PKEY_get0_DH(EVP_PKEY *x) { return x->pkey.dh; }
++static int RSA_meth_set_sign(RSA_METHOD *meth,
++ int (*sign) (int type, const unsigned char *m,
++ unsigned int m_length,
++ unsigned char *sigret, unsigned int *siglen,
++ const RSA *rsa))
++{
++ meth->rsa_sign = sign;
++ return 1;
++}
++int RSA_meth_set_verify(RSA_METHOD *meth,
++ int (*verify) (int dtype, const unsigned char *m,
++ unsigned int m_length,
++ const unsigned char *sigbuf,
++ unsigned int siglen, const RSA *rsa))
++{
++ meth->rsa_verify = verify;
++ return 1;
++}
++void X509_REQ_get0_signature(const X509_REQ *req, const ASN1_BIT_STRING **psig,
++ const X509_ALGOR **palg)
++{
++ if (psig != NULL)
++ *psig = req->signature;
++ if (palg != NULL)
++ *palg = req->sig_alg;
++}
++int X509_REQ_get_signature_nid(const X509_REQ *req)
++{
++ return OBJ_obj2nid(req->sig_alg->algorithm);
++}
++void X509_CRL_get0_signature(const X509_CRL *crl, const ASN1_BIT_STRING **psig,
++ const X509_ALGOR **palg)
++{
++ if (psig != NULL)
++ *psig = crl->signature;
++ if (palg != NULL)
++ *palg = crl->sig_alg;
++}
++int X509_CRL_get_signature_nid(const X509_CRL *crl)
++{
++ return OBJ_obj2nid(crl->sig_alg->algorithm);
++}
++const ASN1_INTEGER *X509_REVOKED_get0_serialNumber(const X509_REVOKED *x)
++{
++ return x->serialNumber;
++}
++const ASN1_TIME *X509_REVOKED_get0_revocationDate(const X509_REVOKED *x)
++{
++ return x->revocationDate;
++}
++#endif
++
+ using namespace QCA;
+
+ namespace opensslQCAPlugin {
+@@ -93,7 +165,7 @@ static QByteArray bio2ba(BIO *b)
+ return buf;
+ }
+
+-static BigInteger bn2bi(BIGNUM *n)
++static BigInteger bn2bi(const BIGNUM *n)
+ {
+ SecureArray buf(BN_num_bytes(n) + 1);
+ buf[0] = 0; // positive
+@@ -109,7 +181,7 @@ static BIGNUM *bi2bn(const BigInteger &n
+
+ // take lowest bytes of BIGNUM to fit
+ // pad with high byte zeroes to fit
+-static SecureArray bn2fixedbuf(BIGNUM *n, int size)
++static SecureArray bn2fixedbuf(const BIGNUM *n, int size)
+ {
+ SecureArray buf(BN_num_bytes(n));
+ BN_bn2bin(n, (unsigned char *)buf.data());
+@@ -127,8 +199,16 @@ static SecureArray dsasig_der_to_raw(con
+ const unsigned char *inp = (const unsigned char *)in.data();
+ d2i_DSA_SIG(&sig, &inp, in.size());
+
+- SecureArray part_r = bn2fixedbuf(sig->r, 20);
+- SecureArray part_s = bn2fixedbuf(sig->s, 20);
++ const BIGNUM *bnr, *bns;
++
++#ifdef OSSL_110
++ DSA_SIG_get0(sig, &bnr, &bns);
++#else
++ bnr = sig->r; bns = sig->s;
++#endif
++
++ SecureArray part_r = bn2fixedbuf(bnr, 20);
++ SecureArray part_s = bn2fixedbuf(bns, 20);
+ SecureArray result;
+ result.append(part_r);
+ result.append(part_s);
+@@ -143,12 +223,20 @@ static SecureArray dsasig_raw_to_der(con
+ return SecureArray();
+
+ DSA_SIG *sig = DSA_SIG_new();
+- SecureArray part_r(20);
+- SecureArray part_s(20);
++ SecureArray part_r(20); BIGNUM *bnr;
++ SecureArray part_s(20); BIGNUM *bns;
+ memcpy(part_r.data(), in.data(), 20);
+ memcpy(part_s.data(), in.data() + 20, 20);
+- sig->r = BN_bin2bn((const unsigned char *)part_r.data(), part_r.size(), NULL);
+- sig->s = BN_bin2bn((const unsigned char *)part_s.data(), part_s.size(), NULL);
++ bnr = BN_bin2bn((const unsigned char *)part_r.data(), part_r.size(), NULL);
++ bns = BN_bin2bn((const unsigned char *)part_s.data(), part_s.size(), NULL);
++
++#ifdef OSSL_110
++ if(DSA_SIG_set0(sig, bnr, bns) == 0)
++ return SecureArray();
++ // Not documented what happens in the failure case, free bnr and bns?
++#else
++ sig->r = bnr; sig->s = bns;
++#endif
+
+ int len = i2d_DSA_SIG(sig, NULL);
+ SecureArray result(len);
+@@ -1004,29 +1092,39 @@ public:
+ opensslHashContext(const EVP_MD *algorithm, Provider *p, const QString &type) : HashContext(p, type)
+ {
+ m_algorithm = algorithm;
+- EVP_DigestInit( &m_context, m_algorithm );
++ m_context = EVP_MD_CTX_new();
++ EVP_DigestInit( m_context, m_algorithm );
++ }
++
++ opensslHashContext(const opensslHashContext &other)
++ : HashContext(other)
++ {
++ m_algorithm = other.m_algorithm;
++ m_context = EVP_MD_CTX_new();
++ EVP_MD_CTX_copy_ex(m_context, other.m_context);
+ }
+
+ ~opensslHashContext()
+ {
+- EVP_MD_CTX_cleanup(&m_context);
++ EVP_MD_CTX_free(m_context);
+ }
+
+ void clear()
+ {
+- EVP_MD_CTX_cleanup(&m_context);
+- EVP_DigestInit( &m_context, m_algorithm );
++ EVP_MD_CTX_free(m_context);
++ m_context = EVP_MD_CTX_new();
++ EVP_DigestInit( m_context, m_algorithm );
+ }
+
+ void update(const MemoryRegion &a)
+ {
+- EVP_DigestUpdate( &m_context, (unsigned char*)a.data(), a.size() );
++ EVP_DigestUpdate( m_context, (unsigned char*)a.data(), a.size() );
+ }
+
+ MemoryRegion final()
+ {
+ SecureArray a( EVP_MD_size( m_algorithm ) );
+- EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 );
++ EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 );
+ return a;
+ }
+
+@@ -1037,7 +1135,7 @@ public:
+
+ protected:
+ const EVP_MD *m_algorithm;
+- EVP_MD_CTX m_context;
++ EVP_MD_CTX *m_context;
+ };
+
+
+@@ -1047,7 +1145,21 @@ public:
+ opensslPbkdf1Context(const EVP_MD *algorithm, Provider *p, const QString &type) : KDFContext(p, type)
+ {
+ m_algorithm = algorithm;
+- EVP_DigestInit( &m_context, m_algorithm );
++ m_context = EVP_MD_CTX_new();
++ EVP_DigestInit( m_context, m_algorithm );
++ }
++
++ opensslPbkdf1Context(const opensslPbkdf1Context &other)
++ : KDFContext(other)
++ {
++ m_algorithm = other.m_algorithm;
++ m_context = EVP_MD_CTX_new();
++ EVP_MD_CTX_copy(m_context, other.m_context);
++ }
++
++ ~opensslPbkdf1Context()
++ {
++ EVP_MD_CTX_free(m_context);
+ }
+
+ Provider::Context *clone() const
+@@ -1081,16 +1193,16 @@ public:
+ DK = Tc<0..dkLen-1>
+ */
+ // calculate T_1
+- EVP_DigestUpdate( &m_context, (unsigned char*)secret.data(), secret.size() );
+- EVP_DigestUpdate( &m_context, (unsigned char*)salt.data(), salt.size() );
++ EVP_DigestUpdate( m_context, (unsigned char*)secret.data(), secret.size() );
++ EVP_DigestUpdate( m_context, (unsigned char*)salt.data(), salt.size() );
+ SecureArray a( EVP_MD_size( m_algorithm ) );
+- EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 );
++ EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 );
+
+ // calculate T_2 up to T_c
+ for ( unsigned int i = 2; i <= iterationCount; ++i ) {
+- EVP_DigestInit( &m_context, m_algorithm );
+- EVP_DigestUpdate( &m_context, (unsigned char*)a.data(), a.size() );
+- EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 );
++ EVP_DigestInit( m_context, m_algorithm );
++ EVP_DigestUpdate( m_context, (unsigned char*)a.data(), a.size() );
++ EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 );
+ }
+
+ // shrink a to become DK, of the required length
+@@ -1136,19 +1248,19 @@ public:
+ DK = Tc<0..dkLen-1>
+ */
+ // calculate T_1
+- EVP_DigestUpdate( &m_context, (unsigned char*)secret.data(), secret.size() );
+- EVP_DigestUpdate( &m_context, (unsigned char*)salt.data(), salt.size() );
++ EVP_DigestUpdate( m_context, (unsigned char*)secret.data(), secret.size() );
++ EVP_DigestUpdate( m_context, (unsigned char*)salt.data(), salt.size() );
+ SecureArray a( EVP_MD_size( m_algorithm ) );
+- EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 );
++ EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 );
+
+ // calculate T_2 up to T_c
+ *iterationCount = 2 - 1; // <- Have to remove 1, unless it computes one
+ timer.start(); // ^ time more than the base function
+ // ^ with the same iterationCount
+ while (timer.elapsed() < msecInterval) {
+- EVP_DigestInit( &m_context, m_algorithm );
+- EVP_DigestUpdate( &m_context, (unsigned char*)a.data(), a.size() );
+- EVP_DigestFinal( &m_context, (unsigned char*)a.data(), 0 );
++ EVP_DigestInit( m_context, m_algorithm );
++ EVP_DigestUpdate( m_context, (unsigned char*)a.data(), a.size() );
++ EVP_DigestFinal( m_context, (unsigned char*)a.data(), 0 );
+ ++(*iterationCount);
+ }
+
+@@ -1163,7 +1275,7 @@ public:
+
+ protected:
+ const EVP_MD *m_algorithm;
+- EVP_MD_CTX m_context;
++ EVP_MD_CTX *m_context;
+ };
+
+ class opensslPbkdf2Context : public KDFContext
+@@ -1231,12 +1343,28 @@ public:
+ opensslHMACContext(const EVP_MD *algorithm, Provider *p, const QString &type) : MACContext(p, type)
+ {
+ m_algorithm = algorithm;
+- HMAC_CTX_init( &m_context );
++ m_context = HMAC_CTX_new();
++#ifndef OSSL_110
++ HMAC_CTX_init( m_context );
++#endif
++ }
++
++ opensslHMACContext(const opensslHMACContext &other)
++ : MACContext(other)
++ {
++ m_algorithm = other.m_algorithm;
++ m_context = HMAC_CTX_new();
++ HMAC_CTX_copy(m_context, other.m_context);
++ }
++
++ ~opensslHMACContext()
++ {
++ HMAC_CTX_free(m_context);
+ }
+
+ void setup(const SymmetricKey &key)
+ {
+- HMAC_Init_ex( &m_context, key.data(), key.size(), m_algorithm, 0 );
++ HMAC_Init_ex( m_context, key.data(), key.size(), m_algorithm, 0 );
+ }
+
+ KeyLength keyLength() const
+@@ -1246,14 +1374,18 @@ public:
+
+ void update(const MemoryRegion &a)
+ {
+- HMAC_Update( &m_context, (unsigned char *)a.data(), a.size() );
++ HMAC_Update( m_context, (unsigned char *)a.data(), a.size() );
+ }
+
+ void final(MemoryRegion *out)
+ {
+ SecureArray sa( EVP_MD_size( m_algorithm ), 0 );
+- HMAC_Final(&m_context, (unsigned char *)sa.data(), 0 );
+- HMAC_CTX_cleanup(&m_context);
++ HMAC_Final(m_context, (unsigned char *)sa.data(), 0 );
++#ifdef OSSL_110
++ HMAC_CTX_reset(m_context);
++#else
++ HMAC_CTX_cleanup(m_context);
++#endif
+ *out = sa;
+ }
+
+@@ -1263,7 +1395,7 @@ public:
+ }
+
+ protected:
+- HMAC_CTX m_context;
++ HMAC_CTX *m_context;
+ const EVP_MD *m_algorithm;
+ };
+
+@@ -1277,7 +1409,7 @@ class EVPKey
+ public:
+ enum State { Idle, SignActive, SignError, VerifyActive, VerifyError };
+ EVP_PKEY *pkey;
+- EVP_MD_CTX mdctx;
++ EVP_MD_CTX *mdctx;
+ State state;
+ bool raw_type;
+ SecureArray raw;
+@@ -1287,19 +1419,23 @@ public:
+ pkey = 0;
+ raw_type = false;
+ state = Idle;
++ mdctx = EVP_MD_CTX_new();
+ }
+
+ EVPKey(const EVPKey &from)
+ {
+ pkey = from.pkey;
+- CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
++ EVP_PKEY_up_ref(pkey);
+ raw_type = false;
+ state = Idle;
++ mdctx = EVP_MD_CTX_new();
++ EVP_MD_CTX_copy(mdctx, from.mdctx);
+ }
+
+ ~EVPKey()
+ {
+ reset();
++ EVP_MD_CTX_free(mdctx);
+ }
+
+ void reset()
+@@ -1322,8 +1458,8 @@ public:
+ else
+ {
+ raw_type = false;
+- EVP_MD_CTX_init(&mdctx);
+- if(!EVP_SignInit_ex(&mdctx, type, NULL))
++ EVP_MD_CTX_init(mdctx);
++ if(!EVP_SignInit_ex(mdctx, type, NULL))
+ state = SignError;
+ }
+ }
+@@ -1339,8 +1475,8 @@ public:
+ else
+ {
+ raw_type = false;
+- EVP_MD_CTX_init(&mdctx);
+- if(!EVP_VerifyInit_ex(&mdctx, type, NULL))
++ EVP_MD_CTX_init(mdctx);
++ if(!EVP_VerifyInit_ex(mdctx, type, NULL))
+ state = VerifyError;
+ }
+ }
+@@ -1352,7 +1488,7 @@ public:
+ if (raw_type)
+ raw += in;
+ else
+- if(!EVP_SignUpdate(&mdctx, in.data(), (unsigned int)in.size()))
++ if(!EVP_SignUpdate(mdctx, in.data(), (unsigned int)in.size()))
+ state = SignError;
+ }
+ else if(state == VerifyActive)
+@@ -1360,7 +1496,7 @@ public:
+ if (raw_type)
+ raw += in;
+ else
+- if(!EVP_VerifyUpdate(&mdctx, in.data(), (unsigned int)in.size()))
++ if(!EVP_VerifyUpdate(mdctx, in.data(), (unsigned int)in.size()))
+ state = VerifyError;
+ }
+ }
+@@ -1373,17 +1509,24 @@ public:
+ unsigned int len = out.size();
+ if (raw_type)
+ {
+- if (pkey->type == EVP_PKEY_RSA)
++ int type;
++#ifdef OSSL_110
++ type = EVP_PKEY_id(pkey);
++#else
++ type = pkey->type;
++#endif
++ if (type == EVP_PKEY_RSA)
+ {
++ RSA *rsa = EVP_PKEY_get0_RSA(pkey);
+ if(RSA_private_encrypt (raw.size(), (unsigned char *)raw.data(),
+- (unsigned char *)out.data(), pkey->pkey.rsa,
++ (unsigned char *)out.data(), rsa,
+ RSA_PKCS1_PADDING) == -1) {
+
+ state = SignError;
+ return SecureArray ();
+ }
+ }
+- else if (pkey->type == EVP_PKEY_DSA)
++ else if (type == EVP_PKEY_DSA)
+ {
+ state = SignError;
+ return SecureArray ();
+@@ -1395,7 +1538,7 @@ public:
+ }
+ }
+ else {
+- if(!EVP_SignFinal(&mdctx, (unsigned char *)out.data(), &len, pkey))
++ if(!EVP_SignFinal(mdctx, (unsigned char *)out.data(), &len, pkey))
+ {
+ state = SignError;
+ return SecureArray();
+@@ -1418,16 +1561,24 @@ public:
+ SecureArray out(EVP_PKEY_size(pkey));
+ int len = 0;
+
+- if (pkey->type == EVP_PKEY_RSA) {
++ int type;
++#ifdef OSSL_110
++ type = EVP_PKEY_type(EVP_PKEY_id(pkey));
++#else
++ type = pkey->type;
++#endif
++
++ if (type == EVP_PKEY_RSA) {
++ RSA *rsa = EVP_PKEY_get0_RSA(pkey);
+ if((len = RSA_public_decrypt (sig.size(), (unsigned char *)sig.data(),
+- (unsigned char *)out.data (), pkey->pkey.rsa,
++ (unsigned char *)out.data (), rsa,
+ RSA_PKCS1_PADDING)) == -1) {
+
+ state = VerifyError;
+ return false;
+ }
+ }
+- else if (pkey->type == EVP_PKEY_DSA)
++ else if (type == EVP_PKEY_DSA)
+ {
+ state = VerifyError;
+ return false;
+@@ -1447,7 +1598,7 @@ public:
+ }
+ else
+ {
+- if(EVP_VerifyFinal(&mdctx, (unsigned char *)sig.data(), (unsigned int)sig.size(), pkey) != 1)
++ if(EVP_VerifyFinal(mdctx, (unsigned char *)sig.data(), (unsigned int)sig.size(), pkey) != 1)
+ {
+ state = VerifyError;
+ return false;
+@@ -1561,9 +1712,11 @@ static bool make_dlgroup(const QByteArra
+ return false;
+ if(ret_counter != counter)
+ return false;
+- params->p = bn2bi(dsa->p);
+- params->q = bn2bi(dsa->q);
+- params->g = bn2bi(dsa->g);
++ const BIGNUM *bnp, *bnq, *bng;
++ DSA_get0_pqg(dsa, &bnp, &bnq, &bng);
++ params->p = bn2bi(bnp);
++ params->q = bn2bi(bnq);
++ params->g = bn2bi(bng);
+ DSA_free(dsa);
+ return true;
+ }
+@@ -1826,10 +1979,11 @@ public:
+ return;
+
+ // extract the public key into DER format
+- int len = i2d_RSAPublicKey(evp.pkey->pkey.rsa, NULL);
++ RSA *rsa_pkey = EVP_PKEY_get0_RSA(evp.pkey);
++ int len = i2d_RSAPublicKey(rsa_pkey, NULL);
+ SecureArray result(len);
+ unsigned char *p = (unsigned char *)result.data();
+- i2d_RSAPublicKey(evp.pkey->pkey.rsa, &p);
++ i2d_RSAPublicKey(rsa_pkey, &p);
+ p = (unsigned char *)result.data();
+
+ // put the DER public key back into openssl
+@@ -1852,7 +2006,7 @@ public:
+
+ virtual int maximumEncryptSize(EncryptionAlgorithm alg) const
+ {
+- RSA *rsa = evp.pkey->pkey.rsa;
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
+ int size = 0;
+ switch(alg)
+ {
+@@ -1867,7 +2021,7 @@ public:
+
+ virtual SecureArray encrypt(const SecureArray &in, EncryptionAlgorithm alg)
+ {
+- RSA *rsa = evp.pkey->pkey.rsa;
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
+ SecureArray buf = in;
+ int max = maximumEncryptSize(alg);
+
+@@ -1900,7 +2054,7 @@ public:
+
+ virtual bool decrypt(const SecureArray &in, SecureArray *out, EncryptionAlgorithm alg)
+ {
+- RSA *rsa = evp.pkey->pkey.rsa;
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
+ SecureArray result(RSA_size(rsa));
+ int pad;
+
+@@ -2021,14 +2175,10 @@ public:
+ evp.reset();
+
+ RSA *rsa = RSA_new();
+- rsa->n = bi2bn(n);
+- rsa->e = bi2bn(e);
+- rsa->p = bi2bn(p);
+- rsa->q = bi2bn(q);
+- rsa->d = bi2bn(d);
+-
+- if(!rsa->n || !rsa->e || !rsa->p || !rsa->q || !rsa->d)
++ if(RSA_set0_key(rsa, bi2bn(n), bi2bn(e), bi2bn(d)) == 0
++ || RSA_set0_factors(rsa, bi2bn(p), bi2bn(q)) == 0)
+ {
++ // Free BIGNUMS?
+ RSA_free(rsa);
+ return;
+ }
+@@ -2036,7 +2186,7 @@ public:
+ // When private key has no Public Exponent (e) or Private Exponent (d)
+ // need to disable blinding. Otherwise decryption will be broken.
+ // http://www.mail-archive.com/openssl-users@openssl.org/msg63530.html
+- if(BN_is_zero(rsa->e) || BN_is_zero(rsa->d))
++ if(e == BigInteger(0) || d == BigInteger(0))
+ RSA_blinding_off(rsa);
+
+ evp.pkey = EVP_PKEY_new();
+@@ -2049,10 +2199,7 @@ public:
+ evp.reset();
+
+ RSA *rsa = RSA_new();
+- rsa->n = bi2bn(n);
+- rsa->e = bi2bn(e);
+-
+- if(!rsa->n || !rsa->e)
++ if(RSA_set0_key(rsa, bi2bn(n), bi2bn(e), NULL) == 0)
+ {
+ RSA_free(rsa);
+ return;
+@@ -2065,27 +2212,42 @@ public:
+
+ virtual BigInteger n() const
+ {
+- return bn2bi(evp.pkey->pkey.rsa->n);
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
++ const BIGNUM *bnn;
++ RSA_get0_key(rsa, &bnn, NULL, NULL);
++ return bn2bi(bnn);
+ }
+
+ virtual BigInteger e() const
+ {
+- return bn2bi(evp.pkey->pkey.rsa->e);
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
++ const BIGNUM *bne;
++ RSA_get0_key(rsa, NULL, &bne, NULL);
++ return bn2bi(bne);
+ }
+
+ virtual BigInteger p() const
+ {
+- return bn2bi(evp.pkey->pkey.rsa->p);
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
++ const BIGNUM *bnp;
++ RSA_get0_factors(rsa, &bnp, NULL);
++ return bn2bi(bnp);
+ }
+
+ virtual BigInteger q() const
+ {
+- return bn2bi(evp.pkey->pkey.rsa->q);
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
++ const BIGNUM *bnq;
++ RSA_get0_factors(rsa, NULL, &bnq);
++ return bn2bi(bnq);
+ }
+
+ virtual BigInteger d() const
+ {
+- return bn2bi(evp.pkey->pkey.rsa->d);
++ RSA *rsa = EVP_PKEY_get0_RSA(evp.pkey);
++ const BIGNUM *bnd;
++ RSA_get0_key(rsa, NULL, NULL, &bnd);
++ return bn2bi(bnd);
+ }
+
+ private slots:
+@@ -2134,10 +2296,12 @@ public:
+ virtual void run()
+ {
+ DSA *dsa = DSA_new();
+- dsa->p = bi2bn(domain.p());
+- dsa->q = bi2bn(domain.q());
+- dsa->g = bi2bn(domain.g());
+- if(!DSA_generate_key(dsa))
++ BIGNUM *pne = bi2bn(domain.p()),
++ *qne = bi2bn(domain.q()),
++ *gne = bi2bn(domain.g());
++
++ if(!DSA_set0_pqg(dsa, pne, qne, gne)
++ || !DSA_generate_key(dsa))
+ {
+ DSA_free(dsa);
+ return;
+@@ -2212,10 +2376,11 @@ public:
+ return;
+
+ // extract the public key into DER format
+- int len = i2d_DSAPublicKey(evp.pkey->pkey.dsa, NULL);
++ DSA *dsa_pkey = EVP_PKEY_get0_DSA(evp.pkey);
++ int len = i2d_DSAPublicKey(dsa_pkey, NULL);
+ SecureArray result(len);
+ unsigned char *p = (unsigned char *)result.data();
+- i2d_DSAPublicKey(evp.pkey->pkey.dsa, &p);
++ i2d_DSAPublicKey(dsa_pkey, &p);
+ p = (unsigned char *)result.data();
+
+ // put the DER public key back into openssl
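Review bot: The length returned by the first `i2d_DSAPublicKey(dsa_pkey, NULL)` call sizes `result` without a check, and `dsa_pkey` is not tested after `EVP_PKEY_get0_DSA`. The i2d functions return a negative value on error, so a guard such as `if(!dsa_pkey || len <= 0) return;` before `SecureArray result(len);` keeps a failed encode from reaching the allocation and the second call. The function begins and ends outside the hunk, so what a bare return should leave in `evp` needs confirming there.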
+@@ -2244,7 +2409,7 @@ public:
+ else
+ transformsig = false;
+
+- evp.startSign(EVP_dss1());
++ evp.startSign(EVP_sha1());
+ }
+
+ virtual void startVerify(SignatureAlgorithm, SignatureFormat format)
+@@ -2255,7 +2420,7 @@ public:
+ else
+ transformsig = false;
+
+- evp.startVerify(EVP_dss1());
++ evp.startVerify(EVP_sha1());
+ }
+
+ virtual void update(const MemoryRegion &in)
+@@ -2305,13 +2470,14 @@ public:
+ evp.reset();
+
+ DSA *dsa = DSA_new();
+- dsa->p = bi2bn(domain.p());
+- dsa->q = bi2bn(domain.q());
+- dsa->g = bi2bn(domain.g());
+- dsa->pub_key = bi2bn(y);
+- dsa->priv_key = bi2bn(x);
++ BIGNUM *bnp = bi2bn(domain.p());
++ BIGNUM *bnq = bi2bn(domain.q());
++ BIGNUM *bng = bi2bn(domain.g());
++ BIGNUM *bnpub_key = bi2bn(y);
++ BIGNUM *bnpriv_key = bi2bn(x);
+
+- if(!dsa->p || !dsa->q || !dsa->g || !dsa->pub_key || !dsa->priv_key)
++ if(!DSA_set0_pqg(dsa, bnp, bnq, bng)
++ || !DSA_set0_key(dsa, bnpub_key, bnpriv_key))
+ {
+ DSA_free(dsa);
+ return;
+@@ -2327,12 +2493,13 @@ public:
+ evp.reset();
+
+ DSA *dsa = DSA_new();
+- dsa->p = bi2bn(domain.p());
+- dsa->q = bi2bn(domain.q());
+- dsa->g = bi2bn(domain.g());
+- dsa->pub_key = bi2bn(y);
++ BIGNUM *bnp = bi2bn(domain.p());
++ BIGNUM *bnq = bi2bn(domain.q());
++ BIGNUM *bng = bi2bn(domain.g());
++ BIGNUM *bnpub_key = bi2bn(y);
+
+- if(!dsa->p || !dsa->q || !dsa->g || !dsa->pub_key)
++ if(!DSA_set0_pqg(dsa, bnp, bnq, bng)
++ || !DSA_set0_key(dsa, bnpub_key, NULL))
+ {
+ DSA_free(dsa);
+ return;
+@@ -2345,17 +2512,26 @@ public:
+
+ virtual DLGroup domain() const
+ {
+- return DLGroup(bn2bi(evp.pkey->pkey.dsa->p), bn2bi(evp.pkey->pkey.dsa->q), bn2bi(evp.pkey->pkey.dsa->g));
++ DSA *dsa = EVP_PKEY_get0_DSA(evp.pkey);
++ const BIGNUM *bnp, *bnq, *bng;
++ DSA_get0_pqg(dsa, &bnp, &bnq, &bng);
++ return DLGroup(bn2bi(bnp), bn2bi(bnq), bn2bi(bng));
+ }
+
+ virtual BigInteger y() const
+ {
+- return bn2bi(evp.pkey->pkey.dsa->pub_key);
++ DSA *dsa = EVP_PKEY_get0_DSA(evp.pkey);
++ const BIGNUM *bnpub_key;
++ DSA_get0_key(dsa, &bnpub_key, NULL);
++ return bn2bi(bnpub_key);
+ }
+
+ virtual BigInteger x() const
+ {
+- return bn2bi(evp.pkey->pkey.dsa->priv_key);
++ DSA *dsa = EVP_PKEY_get0_DSA(evp.pkey);
++ const BIGNUM *bnpriv_key;
++ DSA_get0_key(dsa, NULL, &bnpriv_key);
++ return bn2bi(bnpriv_key);
+ }
+
+ private slots:
+@@ -2404,9 +2580,10 @@ public:
+ virtual void run()
+ {
+ DH *dh = DH_new();
+- dh->p = bi2bn(domain.p());
+- dh->g = bi2bn(domain.g());
+- if(!DH_generate_key(dh))
++ BIGNUM *bnp = bi2bn(domain.p());
++ BIGNUM *bng = bi2bn(domain.g());
++ if(!DH_set0_pqg(dh, bnp, NULL, bng)
++ || !DH_generate_key(dh))
+ {
+ DH_free(dh);
+ return;
+@@ -2478,11 +2655,14 @@ public:
+ if(!sec)
+ return;
+
+- DH *orig = evp.pkey->pkey.dh;
++ DH *orig = EVP_PKEY_get0_DH(evp.pkey);
+ DH *dh = DH_new();
+- dh->p = BN_dup(orig->p);
+- dh->g = BN_dup(orig->g);
+- dh->pub_key = BN_dup(orig->pub_key);
++ const BIGNUM *bnp, *bng, *bnpub_key;
++ DH_get0_pqg(orig, &bnp, NULL, &bng);
++ DH_get0_key(orig, &bnpub_key, NULL);
++
++ DH_set0_key(dh, BN_dup(bnpub_key), NULL);
++ DH_set0_pqg(dh, BN_dup(bnp), NULL, BN_dup(bng));
+
+ evp.reset();
+
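Review bot: The results of `DH_set0_key` and `DH_set0_pqg` are discarded here, although the create paths later in the file test them. If any `BN_dup` returns NULL, the new `dh` ends up without its parameters or public key and the code still goes on to `evp.reset()`. Setting the parameters first and testing both calls, e.g. `if(!DH_set0_pqg(dh, BN_dup(bnp), NULL, BN_dup(bng)) || !DH_set0_key(dh, BN_dup(bnpub_key), NULL)) { DH_free(dh); return; }`, avoids replacing the key with a half-built one. `orig` is also used without a NULL test after `EVP_PKEY_get0_DH`. The function continues outside the hunk.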
+@@ -2498,10 +2678,13 @@ public:
+
+ virtual SymmetricKey deriveKey(const PKeyBase &theirs)
+ {
+- DH *dh = evp.pkey->pkey.dh;
+- DH *them = static_cast<const DHKey *>(&theirs)->evp.pkey->pkey.dh;
++ DH *dh = EVP_PKEY_get0_DH(evp.pkey);
++ DH *them = EVP_PKEY_get0_DH(static_cast<const DHKey *>(&theirs)->evp.pkey);
++ const BIGNUM *bnpub_key;
++ DH_get0_key(them, &bnpub_key, NULL);
++
+ SecureArray result(DH_size(dh));
+- int ret = DH_compute_key((unsigned char *)result.data(), them->pub_key, dh);
++ int ret = DH_compute_key((unsigned char *)result.data(), bnpub_key, dh);
+ if(ret <= 0)
+ return SymmetricKey();
+ result.resize(ret);
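Review bot: `them` and `bnpub_key` are used without a check in `deriveKey`. If `theirs` does not hold a DH key, `EVP_PKEY_get0_DH` returns NULL and `DH_get0_key(them, ...)` dereferences it; a peer key without a public value leaves `bnpub_key` NULL when it is passed to `DH_compute_key`. A guard before `SecureArray result(...)` such as `if(!dh || !them) return SymmetricKey();`, followed by `if(!bnpub_key) return SymmetricKey();` after the getter, fails closed with the same empty key the `ret <= 0` branch already returns. The `static_cast` to `DHKey` is unchecked as well, so the caller has to guarantee the type; that is not visible in this hunk.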
+@@ -2531,12 +2714,13 @@ public:
+ evp.reset();
+
+ DH *dh = DH_new();
+- dh->p = bi2bn(domain.p());
+- dh->g = bi2bn(domain.g());
+- dh->pub_key = bi2bn(y);
+- dh->priv_key = bi2bn(x);
++ BIGNUM *bnp = bi2bn(domain.p());
++ BIGNUM *bng = bi2bn(domain.g());
++ BIGNUM *bnpub_key = bi2bn(y);
++ BIGNUM *bnpriv_key = bi2bn(x);
+
+- if(!dh->p || !dh->g || !dh->pub_key || !dh->priv_key)
++ if(!DH_set0_key(dh, bnpub_key, bnpriv_key)
++ || !DH_set0_pqg(dh, bnp, NULL, bng))
+ {
+ DH_free(dh);
+ return;
+@@ -2552,11 +2736,12 @@ public:
+ evp.reset();
+
+ DH *dh = DH_new();
+- dh->p = bi2bn(domain.p());
+- dh->g = bi2bn(domain.g());
+- dh->pub_key = bi2bn(y);
++ BIGNUM *bnp = bi2bn(domain.p());
++ BIGNUM *bng = bi2bn(domain.g());
++ BIGNUM *bnpub_key = bi2bn(y);
+
+- if(!dh->p || !dh->g || !dh->pub_key)
++ if(!DH_set0_key(dh, bnpub_key, NULL)
++ || !DH_set0_pqg(dh, bnp, NULL, bng))
+ {
+ DH_free(dh);
+ return;
+@@ -2569,17 +2754,26 @@ public:
+
+ virtual DLGroup domain() const
+ {
+- return DLGroup(bn2bi(evp.pkey->pkey.dh->p), bn2bi(evp.pkey->pkey.dh->g));
++ DH *dh = EVP_PKEY_get0_DH(evp.pkey);
++ const BIGNUM *bnp, *bng;
++ DH_get0_pqg(dh, &bnp, NULL, &bng);
++ return DLGroup(bn2bi(bnp), bn2bi(bng));
+ }
+
+ virtual BigInteger y() const
+ {
+- return bn2bi(evp.pkey->pkey.dh->pub_key);
++ DH *dh = EVP_PKEY_get0_DH(evp.pkey);
++ const BIGNUM *bnpub_key;
++ DH_get0_key(dh, &bnpub_key, NULL);
++ return bn2bi(bnpub_key);
+ }
+
+ virtual BigInteger x() const
+ {
+- return bn2bi(evp.pkey->pkey.dh->priv_key);
++ DH *dh = EVP_PKEY_get0_DH(evp.pkey);
++ const BIGNUM *bnpriv_key;
++ DH_get0_key(dh, NULL, &bnpriv_key);
++ return bn2bi(bnpriv_key);
+ }
+
+ private slots:
+@@ -2618,10 +2812,14 @@ public:
+ {
+ key = _key;
+ RSA_set_method(rsa, rsa_method());
++#ifndef OSSL_110
+ rsa->flags |= RSA_FLAG_SIGN_VER;
++#endif
+ RSA_set_app_data(rsa, this);
+- rsa->n = bi2bn(_key.n());
+- rsa->e = bi2bn(_key.e());
++ BIGNUM *bnn = bi2bn(_key.n());
++ BIGNUM *bne = bi2bn(_key.e());
++
++ RSA_set0_key(rsa, bnn, bne, NULL);
+ }
+
+ RSA_METHOD *rsa_method()
+@@ -2630,12 +2828,16 @@ public:
+
+ if(!ops)
+ {
+- ops = new RSA_METHOD(*RSA_get_default_method());
+- ops->rsa_priv_enc = 0;//pkcs11_rsa_encrypt;
+- ops->rsa_priv_dec = rsa_priv_dec;
+- ops->rsa_sign = rsa_sign;
+- ops->rsa_verify = 0;//pkcs11_rsa_verify;
+- ops->finish = rsa_finish;
++ ops = RSA_meth_dup(RSA_get_default_method());
++ RSA_meth_set_priv_enc(ops, NULL); //pkcs11_rsa_encrypt
++ RSA_meth_set_priv_dec(ops, rsa_priv_dec); //pkcs11_rsa_encrypt
++#ifdef OSSL_110
++ RSA_meth_set_sign(ops, NULL);
++#else
++ RSA_meth_set_sign(ops, rsa_sign);
++#endif
++ RSA_meth_set_verify(ops, NULL); //pkcs11_rsa_verify
++ RSA_meth_set_finish(ops, rsa_finish);
+ }
+ return ops;
+ }
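Review bot: Under `OSSL_110` this method table ends up with neither a sign hook nor a private-encrypt hook: `RSA_meth_set_sign(ops, NULL)` sits next to `RSA_meth_set_priv_enc(ops, NULL)`, while the pre-1.1 branch still installs `rsa_sign`. If OpenSSL falls back to the private-encrypt callback when no sign hook is set, which appears to be the case, a signing request on a key using this method would call through a NULL pointer instead of failing cleanly. That is worth confirming with a signing test on a 1.1 build, and if so a `priv_enc` callback that forwards to the key or returns an error should be installed. The comment on the `RSA_meth_set_priv_dec` line also looks copied from the line above and should read `//pkcs11_rsa_decrypt`. The function starts outside the hunk.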
+@@ -2654,7 +2856,11 @@ public:
+ }
+ else
+ {
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
++#else
+ RSAerr(RSA_F_RSA_EAY_PRIVATE_DECRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
++#endif
+ return -1;
+ }
+
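Review bot: The new branch selects `RSA_F_RSA_OSSL_PRIVATE_DECRYPT` for `OPENSSL_VERSION_NUMBER >= 0x10002000L`, but as far as I know that function code arrived with the 1.1.0 renaming and 1.0.2 only has `RSA_F_RSA_EAY_PRIVATE_DECRYPT`. Unless a compatibility define outside this hunk supplies the name, a 1.0.2 build would fail here. Keying the branch on the macro already used elsewhere in this patch, `#ifdef OSSL_110`, would match the other version switches.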
+@@ -2675,6 +2881,7 @@ public:
+ return -1;
+ }
+
++#ifndef OSSL_110
+ static int rsa_sign(int type, const unsigned char *m, unsigned int m_len, unsigned char *sigret, unsigned int *siglen, const RSA *rsa)
+ {
+ QCA_RSA_METHOD *self = (QCA_RSA_METHOD *)RSA_get_app_data(rsa);
+@@ -2691,7 +2898,6 @@ public:
+ }
+ else
+ {
+-
+ // make X509 packet
+ X509_SIG sig;
+ ASN1_TYPE parameter;
+@@ -2765,6 +2971,7 @@ public:
+
+ return 1;
+ }
++#endif
+
+ static int rsa_finish(RSA *rsa)
+ {
+@@ -2866,21 +3073,22 @@ public:
+ PKeyBase *pkeyToBase(EVP_PKEY *pkey, bool sec) const
+ {
+ PKeyBase *nk = 0;
+- if(pkey->type == EVP_PKEY_RSA)
++ int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
++ if(pkey_type == EVP_PKEY_RSA)
+ {
+ RSAKey *c = new RSAKey(provider());
+ c->evp.pkey = pkey;
+ c->sec = sec;
+ nk = c;
+ }
+- else if(pkey->type == EVP_PKEY_DSA)
++ else if(pkey_type == EVP_PKEY_DSA)
+ {
+ DSAKey *c = new DSAKey(provider());
+ c->evp.pkey = pkey;
+ c->sec = sec;
+ nk = c;
+ }
+- else if(pkey->type == EVP_PKEY_DH)
++ else if(pkey_type == EVP_PKEY_DH)
+ {
+ DHKey *c = new DHKey(provider());
+ c->evp.pkey = pkey;
+@@ -2898,8 +3106,10 @@ public:
+ {
+ EVP_PKEY *pkey = get_pkey();
+
++ int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
++
+ // OpenSSL does not have DH import/export support
+- if(pkey->type == EVP_PKEY_DH)
++ if(pkey_type == EVP_PKEY_DH)
+ return QByteArray();
+
+ BIO *bo = BIO_new(BIO_s_mem());
+@@ -2912,8 +3122,10 @@ public:
+ {
+ EVP_PKEY *pkey = get_pkey();
+
++ int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
++
+ // OpenSSL does not have DH import/export support
+- if(pkey->type == EVP_PKEY_DH)
++ if(pkey_type == EVP_PKEY_DH)
+ return QString();
+
+ BIO *bo = BIO_new(BIO_s_mem());
+@@ -2978,9 +3190,10 @@ public:
+ return SecureArray();
+
+ EVP_PKEY *pkey = get_pkey();
++ int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
+
+ // OpenSSL does not have DH import/export support
+- if(pkey->type == EVP_PKEY_DH)
++ if(pkey_type == EVP_PKEY_DH)
+ return SecureArray();
+
+ BIO *bo = BIO_new(BIO_s_mem());
+@@ -3007,9 +3220,10 @@ public:
+ return QString();
+
+ EVP_PKEY *pkey = get_pkey();
++ int pkey_type = EVP_PKEY_type(EVP_PKEY_id(pkey));
+
+ // OpenSSL does not have DH import/export support
+- if(pkey->type == EVP_PKEY_DH)
++ if(pkey_type == EVP_PKEY_DH)
+ return QString();
+
+ BIO *bo = BIO_new(BIO_s_mem());
+@@ -3110,11 +3324,18 @@ public:
+ crl = from.crl;
+
+ if(cert)
+- CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(cert);
+ if(req)
++ {
++#ifdef OSSL_110
++ // Not exposed, so copy
++ req = X509_REQ_dup(req);
++#else
+ CRYPTO_add(&req->references, 1, CRYPTO_LOCK_X509_REQ);
++#endif
++ }
+ if(crl)
+- CRYPTO_add(&crl->references, 1, CRYPTO_LOCK_X509_CRL);
++ X509_CRL_up_ref(crl);
+ }
+
+ return *this;
+@@ -3220,7 +3441,7 @@ public:
+ //
+ // This code is mostly taken from OpenSSL v0.9.5a
+ // by Eric Young
+-QDateTime ASN1_UTCTIME_QDateTime(ASN1_UTCTIME *tm, int *isGmt)
++QDateTime ASN1_UTCTIME_QDateTime(const ASN1_UTCTIME *tm, int *isGmt)
+ {
+ QDateTime qdt;
+ char *v;
+@@ -3318,7 +3539,7 @@ public:
+
+ void fromX509(X509 *x)
+ {
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ item.cert = x;
+ make_props();
+ }
+@@ -3349,7 +3570,7 @@ public:
+ if(priv.key()->type() == PKey::RSA)
+ md = EVP_sha1();
+ else if(priv.key()->type() == PKey::DSA)
+- md = EVP_dss1();
++ md = EVP_sha1();
+ else
+ return false;
+
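Review bot: After this change both branches assign `EVP_sha1()`, so the RSA/DSA distinction only serves to reject other key types, and the signing digest stays fixed at SHA-1. The test can be collapsed to `if(priv.key()->type() != PKey::RSA && priv.key()->type() != PKey::DSA) return false;` followed by a single `md = EVP_sha1();`, with a comment that SHA-1 is hard-coded here. SHA-1 signatures on certificates are rejected by many current verifiers, so the digest is worth making selectable in a follow-up. The same pair of branches appears in the hunks at -3751 and -3934. The enclosing function starts and ends outside the hunk.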
+@@ -3480,7 +3701,7 @@ public:
+
+ const MyCertContext *our_cc = this;
+ X509 *x = our_cc->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(untrusted_list, x);
+
+ const MyCertContext *other_cc = static_cast<const MyCertContext *>(other);
+@@ -3595,7 +3816,23 @@ public:
+ p.policies = get_cert_policies(ex);
+ }
+
+- if (x->signature)
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++#ifdef OSSL_110
++ const
++#endif
++ ASN1_BIT_STRING *signature;
++
++ X509_get0_signature(&signature, NULL, x);
++ if(signature)
++ {
++ p.sig = QByteArray(signature->length, 0);
++ for (int i=0; i< signature->length; i++)
++ p.sig[i] = signature->data[i];
++ }
++
++ switch( X509_get_signature_nid(x) )
++#else
++ if(x->signature)
+ {
+ p.sig = QByteArray(x->signature->length, 0);
+ for (int i=0; i< x->signature->length; i++)
+@@ -3603,6 +3840,7 @@ public:
+ }
+
+ switch( OBJ_obj2nid(x->cert_info->signature->algorithm) )
++#endif
+ {
+ case NID_sha1WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_SHA1;
+@@ -3634,7 +3872,11 @@ public:
+ p.sigalgo = QCA::EMSA3_SHA512;
+ break;
+ default:
++#if OPENSSL_VERSION_NUMBER >= 0x10002000L
++ qDebug() << "Unknown signature value: " << X509_get_signature_nid(x);
++#else
+ qDebug() << "Unknown signature value: " << OBJ_obj2nid(x->cert_info->signature->algorithm);
++#endif
+ p.sigalgo = QCA::SignatureUnknown;
+ }
+
+@@ -3751,7 +3993,7 @@ public:
+ if(privateKey -> key()->type() == PKey::RSA)
+ md = EVP_sha1();
+ else if(privateKey -> key()->type() == PKey::DSA)
+- md = EVP_dss1();
++ md = EVP_sha1();
+ else
+ return 0;
+
+@@ -3934,7 +4176,7 @@ public:
+ if(priv.key()->type() == PKey::RSA)
+ md = EVP_sha1();
+ else if(priv.key()->type() == PKey::DSA)
+- md = EVP_dss1();
++ md = EVP_sha1();
+ else
+ return false;
+
+@@ -4095,14 +4337,17 @@ public:
+
+ sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
+- if (x->signature)
++ const ASN1_BIT_STRING *signature;
++
++ X509_REQ_get0_signature(x, &signature, NULL);
++ if(signature)
+ {
+- p.sig = QByteArray(x->signature->length, 0);
+- for (int i=0; i< x->signature->length; i++)
+- p.sig[i] = x->signature->data[i];
++ p.sig = QByteArray(signature->length, 0);
++ for (int i=0; i< signature->length; i++)
++ p.sig[i] = signature->data[i];
+ }
+
+- switch( OBJ_obj2nid(x->sig_alg->algorithm) )
++ switch( X509_REQ_get_signature_nid(x) )
+ {
+ case NID_sha1WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_SHA1;
+@@ -4122,7 +4367,7 @@ public:
+ p.sigalgo = QCA::EMSA1_SHA1;
+ break;
+ default:
+- qDebug() << "Unknown signature value: " << OBJ_obj2nid(x->sig_alg->algorithm);
++ qDebug() << "Unknown signature value: " << X509_REQ_get_signature_nid(x);
+ p.sigalgo = QCA::SignatureUnknown;
+ }
+
+@@ -4186,7 +4431,7 @@ public:
+
+ void fromX509(X509_CRL *x)
+ {
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
++ X509_CRL_up_ref(x);
+ item.crl = x;
+ make_props();
+ }
+@@ -4238,8 +4483,8 @@ public:
+
+ for (int i = 0; i < sk_X509_REVOKED_num(revokeStack); ++i) {
+ X509_REVOKED *rev = sk_X509_REVOKED_value(revokeStack, i);
+- BigInteger serial = bn2bi(ASN1_INTEGER_to_BN(rev->serialNumber, NULL));
+- QDateTime time = ASN1_UTCTIME_QDateTime( rev->revocationDate, NULL);
++ BigInteger serial = bn2bi(ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev), NULL));
++ QDateTime time = ASN1_UTCTIME_QDateTime( X509_REVOKED_get0_revocationDate(rev), NULL);
+ QCA::CRLEntry::Reason reason = QCA::CRLEntry::Unspecified;
+ int pos = X509_REVOKED_get_ext_by_NID(rev, NID_crl_reason, -1);
+ if (pos != -1) {
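Review bot: `ASN1_INTEGER_to_BN(..., NULL)` allocates a fresh BIGNUM for every revoked entry and the result goes straight into `bn2bi` with no pointer kept to free it. Unless `bn2bi` takes ownership (not visible here), each entry leaks one BIGNUM, and a NULL return on a malformed serial reaches `bn2bi` unchecked. A CRL is externally supplied data and can carry many entries, so keep the pointer: `BIGNUM *bnserial = ASN1_INTEGER_to_BN(X509_REVOKED_get0_serialNumber(rev), NULL);`, convert it if non-NULL, then `BN_free(bnserial);`. The loop body continues outside the hunk.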
+@@ -4288,13 +4533,18 @@ public:
+ p.revoked.append(thisEntry);
+ }
+
+- if (x->signature)
++ const ASN1_BIT_STRING *signature;
++
++ X509_CRL_get0_signature(x, &signature, NULL);
++ if(signature)
+ {
+- p.sig = QByteArray(x->signature->length, 0);
+- for (int i=0; i< x->signature->length; i++)
+- p.sig[i] = x->signature->data[i];
++ p.sig = QByteArray(signature->length, 0);
++ for (int i=0; i< signature->length; i++)
++ p.sig[i] = signature->data[i];
+ }
+- switch( OBJ_obj2nid(x->sig_alg->algorithm) )
++
++
++ switch( X509_CRL_get_signature_nid(x) )
+ {
+ case NID_sha1WithRSAEncryption:
+ p.sigalgo = QCA::EMSA3_SHA1;
+@@ -4326,7 +4576,7 @@ public:
+ p.sigalgo = QCA::EMSA3_SHA512;
+ break;
+ default:
+- qWarning() << "Unknown signature value: " << OBJ_obj2nid(x->sig_alg->algorithm);
++ qWarning() << "Unknown signature value: " << X509_CRL_get_signature_nid(x);
+ p.sigalgo = QCA::SignatureUnknown;
+ }
+
+@@ -4487,21 +4737,21 @@ Validity MyCertContext::validate(const Q
+ {
+ const MyCertContext *cc = static_cast<const MyCertContext *>(trusted[n]);
+ X509 *x = cc->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(trusted_list, x);
+ }
+ for(n = 0; n < untrusted.count(); ++n)
+ {
+ const MyCertContext *cc = static_cast<const MyCertContext *>(untrusted[n]);
+ X509 *x = cc->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(untrusted_list, x);
+ }
+ for(n = 0; n < crls.count(); ++n)
+ {
+ const MyCRLContext *cc = static_cast<const MyCRLContext *>(crls[n]);
+ X509_CRL *x = cc->item.crl;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
++ X509_CRL_up_ref(x);
+ crl_list.append(x);
+ }
+
+@@ -4526,7 +4776,7 @@ Validity MyCertContext::validate(const Q
+ int ret = X509_verify_cert(ctx);
+ int err = -1;
+ if(!ret)
+- err = ctx->error;
++ err = X509_STORE_CTX_get_error(ctx);
+
+ // cleanup
+ X509_STORE_CTX_free(ctx);
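Review bot: The failure test `if(!ret)` after `X509_verify_cert(ctx)` only matches a return of 0, while the call can also return a negative value on an internal error. In that case `err` keeps its initial -1 and the error is never read from the context. Using `if(ret <= 0)` here, and in whatever later branch turns `ret` into the returned `Validity` (outside this hunk), keeps an exceptional failure from being treated like a successful verification. The identical test in the `validate_chain` hunk at -4599 needs the same change.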
+@@ -4560,21 +4810,21 @@ Validity MyCertContext::validate_chain(c
+ {
+ const MyCertContext *cc = static_cast<const MyCertContext *>(trusted[n]);
+ X509 *x = cc->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(trusted_list, x);
+ }
+ for(n = 1; n < chain.count(); ++n)
+ {
+ const MyCertContext *cc = static_cast<const MyCertContext *>(chain[n]);
+ X509 *x = cc->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(untrusted_list, x);
+ }
+ for(n = 0; n < crls.count(); ++n)
+ {
+ const MyCRLContext *cc = static_cast<const MyCRLContext *>(crls[n]);
+ X509_CRL *x = cc->item.crl;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509_CRL);
++ X509_CRL_up_ref(x);
+ crl_list.append(x);
+ }
+
+@@ -4599,7 +4849,7 @@ Validity MyCertContext::validate_chain(c
+ int ret = X509_verify_cert(ctx);
+ int err = -1;
+ if(!ret)
+- err = ctx->error;
++ err = X509_STORE_CTX_get_error(ctx);
+
+ // grab the chain, which may not be fully populated
+ STACK_OF(X509) *xchain = X509_STORE_CTX_get_chain(ctx);
+@@ -4663,7 +4913,7 @@ public:
+ for(int n = 1; n < chain.count(); ++n)
+ {
+ X509 *x = static_cast<const MyCertContext *>(chain[n])->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(ca, x);
+ }
+ }
+@@ -5398,7 +5648,7 @@ public:
+ OpenSSL_add_ssl_algorithms();
+ SSL_CTX *ctx = 0;
+ switch (version) {
+-#ifndef OPENSSL_NO_SSL2
++#if !defined(OPENSSL_NO_SSL2) && !defined(OSSL_110)
+ case TLS::SSL_v2:
+ ctx = SSL_CTX_new(SSLv2_client_method());
+ break;
+@@ -5429,8 +5679,8 @@ public:
+ STACK_OF(SSL_CIPHER) *sk = SSL_get_ciphers(ssl);
+ QStringList cipherList;
+ for(int i = 0; i < sk_SSL_CIPHER_num(sk); ++i) {
+- SSL_CIPHER *thisCipher = sk_SSL_CIPHER_value(sk, i);
+- cipherList += cipherIDtoString(version, thisCipher->id);
++ const SSL_CIPHER *thisCipher = sk_SSL_CIPHER_value(sk, i);
++ cipherList += cipherIDtoString(version, SSL_CIPHER_get_id(thisCipher));
+ }
+
+ SSL_free(ssl);
+@@ -5807,13 +6057,15 @@ public:
+ {
+ SessionInfo sessInfo;
+
+- sessInfo.isCompressed = (0 != SSL_SESSION_get_compress_id(ssl->session));
++ SSL_SESSION *session = SSL_get0_session(ssl);
++ sessInfo.isCompressed = (0 != SSL_SESSION_get_compress_id(session));
++ int ssl_version = SSL_version(ssl);
+
+- if (ssl->version == TLS1_VERSION)
++ if (ssl_version == TLS1_VERSION)
+ sessInfo.version = TLS::TLS_v1;
+- else if (ssl->version == SSL3_VERSION)
++ else if (ssl_version == SSL3_VERSION)
+ sessInfo.version = TLS::SSL_v3;
+- else if (ssl->version == SSL2_VERSION)
++ else if (ssl_version == SSL2_VERSION)
+ sessInfo.version = TLS::SSL_v2;
+ else {
+ qDebug("unexpected version response");
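Review bot: The version mapping built on `SSL_version(ssl)` still recognises only `TLS1_VERSION`, `SSL3_VERSION` and `SSL2_VERSION`, so a session negotiated at TLS 1.1 or 1.2, which an OpenSSL 1.1 build will typically produce, lands in the `unexpected version response` branch. If the `TLS::Version` enum has no values for the newer protocols, that needs fixing there first. At minimum a comment such as `// TLS 1.1/1.2 are not mapped yet and fall through to the debug branch` documents the gap. `SSL_get0_session(ssl)` and, in the next hunk, `SSL_get_current_cipher(ssl)` are also used without a NULL test. The function starts and ends outside the hunk.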
+@@ -5821,7 +6073,7 @@ public:
+ }
+
+ sessInfo.cipherSuite = cipherIDtoString( sessInfo.version,
+- SSL_get_current_cipher(ssl)->id);
++ SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)));
+
+ sessInfo.cipherMaxBits = SSL_get_cipher_bits(ssl, &(sessInfo.cipherBits));
+
+@@ -6393,7 +6645,7 @@ public:
+ for(int n = 0; n < nonroots.count(); ++n)
+ {
+ X509 *x = static_cast<MyCertContext *>(nonroots[n].context())->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(other_certs, x);
+ }
+
+@@ -6435,7 +6687,7 @@ public:
+
+ other_certs = sk_X509_new_null();
+ X509 *x = static_cast<MyCertContext *>(target.context())->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(other_certs, x);
+
+ bi = BIO_new(BIO_s_mem());
+@@ -6498,7 +6750,7 @@ public:
+ for(int n = 0; n < untrusted_list.count(); ++n)
+ {
+ X509 *x = static_cast<MyCertContext *>(untrusted_list[n].context())->item.cert;
+- CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
++ X509_up_ref(x);
+ sk_X509_push(other_certs, x);
+ }
+
+@@ -6749,14 +7001,27 @@ public:
+ opensslCipherContext(const EVP_CIPHER *algorithm, const int pad, Provider *p, const QString &type) : CipherContext(p, type)
+ {
+ m_cryptoAlgorithm = algorithm;
+- EVP_CIPHER_CTX_init(&m_context);
++ m_context = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_init(m_context);
+ m_pad = pad;
+ m_type = type;
+ }
+
++ opensslCipherContext(const opensslCipherContext &other)
++ : CipherContext(other)
++ {
++ m_cryptoAlgorithm = other.m_cryptoAlgorithm;
++ m_context = EVP_CIPHER_CTX_new();
++ EVP_CIPHER_CTX_copy(m_context, other.m_context);
++ m_direction = other.m_direction;
++ m_pad = other.m_pad;
++ m_type = other.m_type;
++ }
++
+ ~opensslCipherContext()
+ {
+- EVP_CIPHER_CTX_cleanup(&m_context);
++ EVP_CIPHER_CTX_cleanup(m_context);
++ EVP_CIPHER_CTX_free(m_context);
+ }
+
+ void setup(Direction dir,
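Review bot: Both `EVP_CIPHER_CTX_new()` calls and the `EVP_CIPHER_CTX_copy()` in the new copy constructor are unchecked, so a NULL context or a failed copy yields an object whose cipher state is missing, and every later EVP call would use it anyway. Test the results and leave the object in a state the other methods can detect, for example `if(!m_context || !EVP_CIPHER_CTX_copy(m_context, other.m_context)) { EVP_CIPHER_CTX_free(m_context); m_context = 0; }` with a matching NULL test in the methods. `m_context` is now an owning raw pointer with a copy constructor and a freeing destructor but no copy-assignment operator. Unless a base class already forbids assignment (not visible here), declare it private and unimplemented, `opensslCipherContext &operator=(const opensslCipherContext &);`, so a pointer copy cannot lead to a double free. The class continues outside the hunk.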
+@@ -6769,20 +7034,20 @@ public:
+ m_cryptoAlgorithm = EVP_des_ede();
+ }
+ if (Encode == m_direction) {
+- EVP_EncryptInit_ex(&m_context, m_cryptoAlgorithm, 0, 0, 0);
+- EVP_CIPHER_CTX_set_key_length(&m_context, key.size());
+- EVP_EncryptInit_ex(&m_context, 0, 0,
++ EVP_EncryptInit_ex(m_context, m_cryptoAlgorithm, 0, 0, 0);
++ EVP_CIPHER_CTX_set_key_length(m_context, key.size());
++ EVP_EncryptInit_ex(m_context, 0, 0,
+ (const unsigned char*)(key.data()),
+ (const unsigned char*)(iv.data()));
+ } else {
+- EVP_DecryptInit_ex(&m_context, m_cryptoAlgorithm, 0, 0, 0);
+- EVP_CIPHER_CTX_set_key_length(&m_context, key.size());
+- EVP_DecryptInit_ex(&m_context, 0, 0,
++ EVP_DecryptInit_ex(m_context, m_cryptoAlgorithm, 0, 0, 0);
++ EVP_CIPHER_CTX_set_key_length(m_context, key.size());
++ EVP_DecryptInit_ex(m_context, 0, 0,
+ (const unsigned char*)(key.data()),
+ (const unsigned char*)(iv.data()));
+ }
+
+- EVP_CIPHER_CTX_set_padding(&m_context, m_pad);
++ EVP_CIPHER_CTX_set_padding(m_context, m_pad);
+ }
+
+ Provider::Context *clone() const
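Review bot: None of the EVP calls in `setup` has its result checked, so a key length the cipher rejects in `EVP_CIPHER_CTX_set_key_length(m_context, key.size())` is ignored. The following `EVP_EncryptInit_ex`/`EVP_DecryptInit_ex` then reads the cipher's own key and IV lengths from `key.data()` and `iv.data()`, which may be longer than the arrays supplied. Each call returns 1 on success; testing them, and comparing `iv.size()` with `EVP_CIPHER_CTX_iv_length(m_context)` before the second init, would stop a mis-sized key or IV from being read past its end. How a failure should be reported depends on the rest of `setup`, which begins before this hunk.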
+@@ -6792,7 +7057,7 @@ public:
+
+ int blockSize() const
+ {
+- return EVP_CIPHER_CTX_block_size(&m_context);
++ return EVP_CIPHER_CTX_block_size(m_context);
+ }
+
+ bool update(const SecureArray &in, SecureArray *out)
+@@ -6805,7 +7070,7 @@ public:
+ out->resize(in.size()+blockSize());
+ int resultLength;
+ if (Encode == m_direction) {
+- if (0 == EVP_EncryptUpdate(&m_context,
++ if (0 == EVP_EncryptUpdate(m_context,
+ (unsigned char*)out->data(),
+ &resultLength,
+ (unsigned char*)in.data(),
+@@ -6813,7 +7078,7 @@ public:
+ return false;
+ }
+ } else {
+- if (0 == EVP_DecryptUpdate(&m_context,
++ if (0 == EVP_DecryptUpdate(m_context,
+ (unsigned char*)out->data(),
+ &resultLength,
+ (unsigned char*)in.data(),
+@@ -6830,13 +7095,13 @@ public:
+ out->resize(blockSize());
+ int resultLength;
+ if (Encode == m_direction) {
+- if (0 == EVP_EncryptFinal_ex(&m_context,
++ if (0 == EVP_EncryptFinal_ex(m_context,
+ (unsigned char*)out->data(),
+ &resultLength)) {
+ return false;
+ }
+ } else {
+- if (0 == EVP_DecryptFinal_ex(&m_context,
++ if (0 == EVP_DecryptFinal_ex(m_context,
+ (unsigned char*)out->data(),
+ &resultLength)) {
+ return false;
+@@ -6871,7 +7136,7 @@ public:
+
+
+ protected:
+- EVP_CIPHER_CTX m_context;
++ EVP_CIPHER_CTX *m_context;
+ const EVP_CIPHER *m_cryptoAlgorithm;
+ Direction m_direction;
+ int m_pad;
diff --git a/security/qca2/patches/patch-src_botantools_botan_botan_secmem.h b/security/qca2/patches/patch-src_botantools_botan_botan_secmem.h
deleted file mode 100644
index 664abc1d61a..00000000000
--- a/security/qca2/patches/patch-src_botantools_botan_botan_secmem.h
+++ /dev/null
@@ -1,13 +0,0 @@
-$NetBSD: patch-src_botantools_botan_botan_secmem.h,v 1.1 2012/01/16 20:36:08 adam Exp $
-
---- src/botantools/botan/botan/secmem.h.orig 2012-01-16 18:21:07.000000000 +0000
-+++ src/botantools/botan/botan/secmem.h
-@@ -214,7 +214,7 @@ class SecureVector : public MemoryRegion
-
- SecureVector(u32bit n = 0) { MemoryRegion<T>::init(true, n); }
- SecureVector(const T in[], u32bit n)
-- { MemoryRegion<T>::init(true); set(in, n); }
-+ { MemoryRegion<T>::init(true); this->set(in, n); }
- SecureVector(const MemoryRegion<T>& in)
- { MemoryRegion<T>::init(true); set(in); }
- SecureVector(const MemoryRegion<T>& in1, const MemoryRegion<T>& in2)