From ad4e93a462c4effbb0f48c0a75f594570308f938 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Thu, 23 Feb 2017 13:23:45 +0100 Subject: [PATCH] Few more OpenSSL 1.1.0 incompatibilities --- tool/Makefile.am | 2 +- tool/openssl-compat.c | 30 ++++++++++++++++++++++++++++++ tool/openssl-compat.h | 7 +++++++ tool/util.c | 26 +++++++++++++------------- tool/yubico-piv-tool.c | 16 ++++++++++------ ykcs11/openssl_utils.c | 20 ++++++++++++-------- 6 files changed, 73 insertions(+), 28 deletions(-) diff --git a/tool/Makefile.am b/tool/Makefile.am index aa024a0..45206e3 100644 --- a/tool/Makefile.am +++ b/tool/Makefile.am @@ -40,7 +40,7 @@ noinst_LTLIBRARIES = libpiv_cmd.la libpiv_util.la libpiv_cmd_la_SOURCES = cmdline.ggo cmdline.c cmdline.h libpiv_cmd_la_CFLAGS = -libpiv_util_la_SOURCES = util.c util.h openssl-compat.c +libpiv_util_la_SOURCES = util.c util.h openssl-compat.c openssl-compat.h libpiv_util_la_LIBADD = $(top_builddir)/lib/libykpiv.la $(OPENSSL_LIBS) cmdline.c cmdline.h: cmdline.ggo Makefile.am $(top_srcdir)/configure.ac diff --git a/tool/openssl-compat.c b/tool/openssl-compat.c index b8b274b..229c6bf 100644 --- a/tool/openssl-compat.c +++ b/tool/openssl-compat.c @@ -7,6 +7,7 @@ * https://www.openssl.org/source/license.html */ +#include #if OPENSSL_VERSION_NUMBER < 0x10100000L #include @@ -50,4 +51,33 @@ void RSA_get0_key(const RSA *r, *d = r->d; } +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) +{ + if (p != NULL) + *p = r->p; + if (q != NULL) + *q = r->q; +} + +void RSA_get0_crt_params(const RSA *r, + const BIGNUM **dmp1, const BIGNUM **dmq1, + const BIGNUM **iqmp) +{ + if (dmp1 != NULL) + *dmp1 = r->dmp1; + if (dmq1 != NULL) + *dmq1 = r->dmq1; + if (iqmp != NULL) + *iqmp = r->iqmp; +} + +void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg, + ASN1_OCTET_STRING **pdigest) +{ + if (palg) + *palg = sig->algor; + if (pdigest) + *pdigest = sig->digest; +} + #endif /* OPENSSL_VERSION_NUMBER */ diff --git a/tool/openssl-compat.h b/tool/openssl-compat.h index d5e9f7a..95bdd84 100644 --- a/tool/openssl-compat.h +++ b/tool/openssl-compat.h @@ -17,10 +17,17 @@ #include #include #include +#include int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); +void RSA_get0_crt_params(const RSA *r, + const BIGNUM **dmp1, const BIGNUM **dmq1, + const BIGNUM **iqmp); +void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg, + ASN1_OCTET_STRING **pdigest); #endif /* OPENSSL_VERSION_NUMBER */ #endif /* LIBCRYPTO_COMPAT_H */ diff --git a/tool/util.c b/tool/util.c index 678de85..63e2716 100644 --- a/tool/util.c +++ b/tool/util.c @@ -438,23 +438,23 @@ bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len) { } bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) { - X509_SIG digestInfo; - X509_ALGOR algor; + X509_SIG *digestInfo; + X509_ALGOR *algor; ASN1_TYPE parameter; - ASN1_OCTET_STRING digest; + ASN1_OCTET_STRING *digest; unsigned char data[1024]; memcpy(data, in, in_len); - digestInfo.algor = &algor; - digestInfo.algor->algorithm = OBJ_nid2obj(nid); - digestInfo.algor->parameter = ¶meter; - digestInfo.algor->parameter->type = V_ASN1_NULL; - digestInfo.algor->parameter->value.ptr = NULL; - digestInfo.digest = &digest; - digestInfo.digest->data = data; - digestInfo.digest->length = (int)in_len; - *out_len = (unsigned int)i2d_X509_SIG(&digestInfo, &out); + digestInfo = X509_SIG_new(); + X509_SIG_getm(digestInfo, &algor, &digest); + algor = X509_ALGOR_new(); + X509_ALGOR_set0(algor, OBJ_nid2obj(nid), V_ASN1_NULL, ¶meter); + parameter.type = V_ASN1_NULL; + parameter.value.ptr = NULL; + digest->data = data; + digest->length = (int)in_len; + *out_len = (unsigned int)i2d_X509_SIG(digestInfo, &out); return true; } @@ -637,7 +637,7 @@ int SSH_write_X509(FILE *fp, X509 *x) { return ret; } - switch (pkey->type) { + switch (EVP_PKEY_id(pkey)) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: { RSA *rsa; diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c index 5bf5df4..a980a29 100644 --- a/tool/yubico-piv-tool.c +++ b/tool/yubico-piv-tool.c @@ -411,39 +411,43 @@ static bool import_key(ykpiv_state *state, enum enum_key_format key_format, unsigned char dmp1[128]; unsigned char dmq1[128]; unsigned char iqmp[128]; + const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp; int element_len = 128; if(algorithm == YKPIV_ALGO_RSA1024) { element_len = 64; } - if((set_component(e, rsa_private_key->e, 3) == false) || + RSA_get0_key(rsa_private_key, NULL, &bn_e, NULL); + RSA_get0_factors(rsa_private_key, &bn_p, &bn_q); + RSA_get0_crt_params(rsa_private_key, &bn_dmp1, &bn_dmq1, &bn_iqmp); + if((set_component(e, bn_e, 3) == false) || !(e[0] == 0x01 && e[1] == 0x00 && e[2] == 0x01)) { fprintf(stderr, "Invalid public exponent for import (only 0x10001 supported)\n"); goto import_out; } - if(set_component(p, rsa_private_key->p, element_len) == false) { + if(set_component(p, bn_p, element_len) == false) { fprintf(stderr, "Failed setting p component.\n"); goto import_out; } - if(set_component(q, rsa_private_key->q, element_len) == false) { + if(set_component(q, bn_q, element_len) == false) { fprintf(stderr, "Failed setting q component.\n"); goto import_out; } - if(set_component(dmp1, rsa_private_key->dmp1, element_len) == false) { + if(set_component(dmp1, bn_dmp1, element_len) == false) { fprintf(stderr, "Failed setting dmp1 component.\n"); goto import_out; } - if(set_component(dmq1, rsa_private_key->dmq1, element_len) == false) { + if(set_component(dmq1, bn_dmq1, element_len) == false) { fprintf(stderr, "Failed setting dmq1 component.\n"); goto import_out; } - if(set_component(iqmp, rsa_private_key->iqmp, element_len) == false) { + if(set_component(iqmp, bn_iqmp, element_len) == false) { fprintf(stderr, "Failed setting iqmp component.\n"); goto import_out; } diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c index 4ceb704..b1899df 100644 --- a/ykcs11/openssl_utils.c +++ b/ykcs11/openssl_utils.c @@ -31,6 +31,7 @@ #include "openssl_utils.h" #include #include "../tool/util.h" // TODO: share this better? +#include "../tool/openssl-compat.h" // TODO: share this better? #include "debug.h" #include @@ -115,8 +116,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa, if(bignum_e == NULL) goto create_empty_cert_cleanup; - rsa->n = bignum_n; - rsa->e = bignum_e; + RSA_set0_key(rsa, bignum_n, bignum_e, NULL); if (EVP_PKEY_set1_RSA(key, rsa) == 0) goto create_empty_cert_cleanup; @@ -316,7 +316,7 @@ CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key) { CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) { - switch (key->type) { + switch (EVP_PKEY_id(key)) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: return CKK_RSA; @@ -349,18 +349,20 @@ CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key) { CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { RSA *rsa; + const BIGNUM *n; rsa = EVP_PKEY_get1_RSA(key); if (rsa == NULL) return CKR_FUNCTION_FAILED; - if ((CK_ULONG)BN_num_bytes(rsa->n) > *len) { + RSA_get0_key(rsa, &n, NULL, NULL); + if ((CK_ULONG)BN_num_bytes(n) > *len) { RSA_free(rsa); rsa = NULL; return CKR_BUFFER_TOO_SMALL; } - *len = (CK_ULONG)BN_bn2bin(rsa->n, data); + *len = (CK_ULONG)BN_bn2bin(n, data); RSA_free(rsa); rsa = NULL; @@ -372,18 +374,20 @@ CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) CK_ULONG e = 0; RSA *rsa; + const BIGNUM *bn_e; rsa = EVP_PKEY_get1_RSA(key); if (rsa == NULL) return CKR_FUNCTION_FAILED; - if ((CK_ULONG)BN_num_bytes(rsa->e) > *len) { + RSA_get0_key(rsa, NULL, &bn_e, NULL); + if ((CK_ULONG)BN_num_bytes(bn_e) > *len) { RSA_free(rsa); rsa = NULL; return CKR_BUFFER_TOO_SMALL; } - *len = (CK_ULONG)BN_bn2bin(rsa->e, data); + *len = (CK_ULONG)BN_bn2bin(bn_e, data); RSA_free(rsa); rsa = NULL; @@ -406,7 +410,7 @@ CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) { const EC_POINT *ecp; point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED; - switch(key->type) { + switch(EVP_PKEY_id(key)) { case EVP_PKEY_RSA: case EVP_PKEY_RSA2: