Few more OpenSSL 1.1.0 incompatibilities
This commit is contained in:
+1
-1
@@ -40,7 +40,7 @@ noinst_LTLIBRARIES = libpiv_cmd.la libpiv_util.la
|
|||||||
libpiv_cmd_la_SOURCES = cmdline.ggo cmdline.c cmdline.h
|
libpiv_cmd_la_SOURCES = cmdline.ggo cmdline.c cmdline.h
|
||||||
libpiv_cmd_la_CFLAGS =
|
libpiv_cmd_la_CFLAGS =
|
||||||
|
|
||||||
libpiv_util_la_SOURCES = util.c util.h openssl-compat.c
|
libpiv_util_la_SOURCES = util.c util.h openssl-compat.c openssl-compat.h
|
||||||
libpiv_util_la_LIBADD = $(top_builddir)/lib/libykpiv.la $(OPENSSL_LIBS)
|
libpiv_util_la_LIBADD = $(top_builddir)/lib/libykpiv.la $(OPENSSL_LIBS)
|
||||||
|
|
||||||
cmdline.c cmdline.h: cmdline.ggo Makefile.am $(top_srcdir)/configure.ac
|
cmdline.c cmdline.h: cmdline.ggo Makefile.am $(top_srcdir)/configure.ac
|
||||||
|
|||||||
@@ -7,6 +7,7 @@
|
|||||||
* https://www.openssl.org/source/license.html
|
* https://www.openssl.org/source/license.html
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <openssl/opensslv.h>
|
||||||
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
@@ -50,4 +51,33 @@ void RSA_get0_key(const RSA *r,
|
|||||||
*d = r->d;
|
*d = r->d;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
|
||||||
|
{
|
||||||
|
if (p != NULL)
|
||||||
|
*p = r->p;
|
||||||
|
if (q != NULL)
|
||||||
|
*q = r->q;
|
||||||
|
}
|
||||||
|
|
||||||
|
void RSA_get0_crt_params(const RSA *r,
|
||||||
|
const BIGNUM **dmp1, const BIGNUM **dmq1,
|
||||||
|
const BIGNUM **iqmp)
|
||||||
|
{
|
||||||
|
if (dmp1 != NULL)
|
||||||
|
*dmp1 = r->dmp1;
|
||||||
|
if (dmq1 != NULL)
|
||||||
|
*dmq1 = r->dmq1;
|
||||||
|
if (iqmp != NULL)
|
||||||
|
*iqmp = r->iqmp;
|
||||||
|
}
|
||||||
|
|
||||||
|
void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
|
||||||
|
ASN1_OCTET_STRING **pdigest)
|
||||||
|
{
|
||||||
|
if (palg)
|
||||||
|
*palg = sig->algor;
|
||||||
|
if (pdigest)
|
||||||
|
*pdigest = sig->digest;
|
||||||
|
}
|
||||||
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
|
|||||||
@@ -17,10 +17,17 @@
|
|||||||
#include <openssl/ecdsa.h>
|
#include <openssl/ecdsa.h>
|
||||||
#include <openssl/dh.h>
|
#include <openssl/dh.h>
|
||||||
#include <openssl/evp.h>
|
#include <openssl/evp.h>
|
||||||
|
#include <openssl/x509.h>
|
||||||
|
|
||||||
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
|
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
|
||||||
void RSA_get0_key(const RSA *r,
|
void RSA_get0_key(const RSA *r,
|
||||||
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
|
const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
|
||||||
|
void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
|
||||||
|
void RSA_get0_crt_params(const RSA *r,
|
||||||
|
const BIGNUM **dmp1, const BIGNUM **dmq1,
|
||||||
|
const BIGNUM **iqmp);
|
||||||
|
void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
|
||||||
|
ASN1_OCTET_STRING **pdigest);
|
||||||
|
|
||||||
#endif /* OPENSSL_VERSION_NUMBER */
|
#endif /* OPENSSL_VERSION_NUMBER */
|
||||||
#endif /* LIBCRYPTO_COMPAT_H */
|
#endif /* LIBCRYPTO_COMPAT_H */
|
||||||
|
|||||||
+13
-13
@@ -438,23 +438,23 @@ bool set_component(unsigned char *in_ptr, const BIGNUM *bn, int element_len) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
|
bool prepare_rsa_signature(const unsigned char *in, unsigned int in_len, unsigned char *out, unsigned int *out_len, int nid) {
|
||||||
X509_SIG digestInfo;
|
X509_SIG *digestInfo;
|
||||||
X509_ALGOR algor;
|
X509_ALGOR *algor;
|
||||||
ASN1_TYPE parameter;
|
ASN1_TYPE parameter;
|
||||||
ASN1_OCTET_STRING digest;
|
ASN1_OCTET_STRING *digest;
|
||||||
unsigned char data[1024];
|
unsigned char data[1024];
|
||||||
|
|
||||||
memcpy(data, in, in_len);
|
memcpy(data, in, in_len);
|
||||||
|
|
||||||
digestInfo.algor = &algor;
|
digestInfo = X509_SIG_new();
|
||||||
digestInfo.algor->algorithm = OBJ_nid2obj(nid);
|
X509_SIG_getm(digestInfo, &algor, &digest);
|
||||||
digestInfo.algor->parameter = ¶meter;
|
algor = X509_ALGOR_new();
|
||||||
digestInfo.algor->parameter->type = V_ASN1_NULL;
|
X509_ALGOR_set0(algor, OBJ_nid2obj(nid), V_ASN1_NULL, ¶meter);
|
||||||
digestInfo.algor->parameter->value.ptr = NULL;
|
parameter.type = V_ASN1_NULL;
|
||||||
digestInfo.digest = &digest;
|
parameter.value.ptr = NULL;
|
||||||
digestInfo.digest->data = data;
|
digest->data = data;
|
||||||
digestInfo.digest->length = (int)in_len;
|
digest->length = (int)in_len;
|
||||||
*out_len = (unsigned int)i2d_X509_SIG(&digestInfo, &out);
|
*out_len = (unsigned int)i2d_X509_SIG(digestInfo, &out);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -637,7 +637,7 @@ int SSH_write_X509(FILE *fp, X509 *x) {
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
switch (pkey->type) {
|
switch (EVP_PKEY_id(pkey)) {
|
||||||
case EVP_PKEY_RSA:
|
case EVP_PKEY_RSA:
|
||||||
case EVP_PKEY_RSA2: {
|
case EVP_PKEY_RSA2: {
|
||||||
RSA *rsa;
|
RSA *rsa;
|
||||||
|
|||||||
+10
-6
@@ -411,39 +411,43 @@ static bool import_key(ykpiv_state *state, enum enum_key_format key_format,
|
|||||||
unsigned char dmp1[128];
|
unsigned char dmp1[128];
|
||||||
unsigned char dmq1[128];
|
unsigned char dmq1[128];
|
||||||
unsigned char iqmp[128];
|
unsigned char iqmp[128];
|
||||||
|
const BIGNUM *bn_e, *bn_p, *bn_q, *bn_dmp1, *bn_dmq1, *bn_iqmp;
|
||||||
|
|
||||||
int element_len = 128;
|
int element_len = 128;
|
||||||
if(algorithm == YKPIV_ALGO_RSA1024) {
|
if(algorithm == YKPIV_ALGO_RSA1024) {
|
||||||
element_len = 64;
|
element_len = 64;
|
||||||
}
|
}
|
||||||
|
|
||||||
if((set_component(e, rsa_private_key->e, 3) == false) ||
|
RSA_get0_key(rsa_private_key, NULL, &bn_e, NULL);
|
||||||
|
RSA_get0_factors(rsa_private_key, &bn_p, &bn_q);
|
||||||
|
RSA_get0_crt_params(rsa_private_key, &bn_dmp1, &bn_dmq1, &bn_iqmp);
|
||||||
|
if((set_component(e, bn_e, 3) == false) ||
|
||||||
!(e[0] == 0x01 && e[1] == 0x00 && e[2] == 0x01)) {
|
!(e[0] == 0x01 && e[1] == 0x00 && e[2] == 0x01)) {
|
||||||
fprintf(stderr, "Invalid public exponent for import (only 0x10001 supported)\n");
|
fprintf(stderr, "Invalid public exponent for import (only 0x10001 supported)\n");
|
||||||
goto import_out;
|
goto import_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(set_component(p, rsa_private_key->p, element_len) == false) {
|
if(set_component(p, bn_p, element_len) == false) {
|
||||||
fprintf(stderr, "Failed setting p component.\n");
|
fprintf(stderr, "Failed setting p component.\n");
|
||||||
goto import_out;
|
goto import_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(set_component(q, rsa_private_key->q, element_len) == false) {
|
if(set_component(q, bn_q, element_len) == false) {
|
||||||
fprintf(stderr, "Failed setting q component.\n");
|
fprintf(stderr, "Failed setting q component.\n");
|
||||||
goto import_out;
|
goto import_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(set_component(dmp1, rsa_private_key->dmp1, element_len) == false) {
|
if(set_component(dmp1, bn_dmp1, element_len) == false) {
|
||||||
fprintf(stderr, "Failed setting dmp1 component.\n");
|
fprintf(stderr, "Failed setting dmp1 component.\n");
|
||||||
goto import_out;
|
goto import_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(set_component(dmq1, rsa_private_key->dmq1, element_len) == false) {
|
if(set_component(dmq1, bn_dmq1, element_len) == false) {
|
||||||
fprintf(stderr, "Failed setting dmq1 component.\n");
|
fprintf(stderr, "Failed setting dmq1 component.\n");
|
||||||
goto import_out;
|
goto import_out;
|
||||||
}
|
}
|
||||||
|
|
||||||
if(set_component(iqmp, rsa_private_key->iqmp, element_len) == false) {
|
if(set_component(iqmp, bn_iqmp, element_len) == false) {
|
||||||
fprintf(stderr, "Failed setting iqmp component.\n");
|
fprintf(stderr, "Failed setting iqmp component.\n");
|
||||||
goto import_out;
|
goto import_out;
|
||||||
}
|
}
|
||||||
|
|||||||
+12
-8
@@ -31,6 +31,7 @@
|
|||||||
#include "openssl_utils.h"
|
#include "openssl_utils.h"
|
||||||
#include <stdbool.h>
|
#include <stdbool.h>
|
||||||
#include "../tool/util.h" // TODO: share this better?
|
#include "../tool/util.h" // TODO: share this better?
|
||||||
|
#include "../tool/openssl-compat.h" // TODO: share this better?
|
||||||
#include "debug.h"
|
#include "debug.h"
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
@@ -115,8 +116,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
|
|||||||
if(bignum_e == NULL)
|
if(bignum_e == NULL)
|
||||||
goto create_empty_cert_cleanup;
|
goto create_empty_cert_cleanup;
|
||||||
|
|
||||||
rsa->n = bignum_n;
|
RSA_set0_key(rsa, bignum_n, bignum_e, NULL);
|
||||||
rsa->e = bignum_e;
|
|
||||||
|
|
||||||
if (EVP_PKEY_set1_RSA(key, rsa) == 0)
|
if (EVP_PKEY_set1_RSA(key, rsa) == 0)
|
||||||
goto create_empty_cert_cleanup;
|
goto create_empty_cert_cleanup;
|
||||||
@@ -316,7 +316,7 @@ CK_RV do_store_pubk(X509 *cert, EVP_PKEY **key) {
|
|||||||
|
|
||||||
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) {
|
CK_KEY_TYPE do_get_key_type(EVP_PKEY *key) {
|
||||||
|
|
||||||
switch (key->type) {
|
switch (EVP_PKEY_id(key)) {
|
||||||
case EVP_PKEY_RSA:
|
case EVP_PKEY_RSA:
|
||||||
case EVP_PKEY_RSA2:
|
case EVP_PKEY_RSA2:
|
||||||
return CKK_RSA;
|
return CKK_RSA;
|
||||||
@@ -349,18 +349,20 @@ CK_ULONG do_get_rsa_modulus_length(EVP_PKEY *key) {
|
|||||||
|
|
||||||
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
CK_RV do_get_modulus(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
||||||
RSA *rsa;
|
RSA *rsa;
|
||||||
|
const BIGNUM *n;
|
||||||
|
|
||||||
rsa = EVP_PKEY_get1_RSA(key);
|
rsa = EVP_PKEY_get1_RSA(key);
|
||||||
if (rsa == NULL)
|
if (rsa == NULL)
|
||||||
return CKR_FUNCTION_FAILED;
|
return CKR_FUNCTION_FAILED;
|
||||||
|
|
||||||
if ((CK_ULONG)BN_num_bytes(rsa->n) > *len) {
|
RSA_get0_key(rsa, &n, NULL, NULL);
|
||||||
|
if ((CK_ULONG)BN_num_bytes(n) > *len) {
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
rsa = NULL;
|
rsa = NULL;
|
||||||
return CKR_BUFFER_TOO_SMALL;
|
return CKR_BUFFER_TOO_SMALL;
|
||||||
}
|
}
|
||||||
|
|
||||||
*len = (CK_ULONG)BN_bn2bin(rsa->n, data);
|
*len = (CK_ULONG)BN_bn2bin(n, data);
|
||||||
|
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
rsa = NULL;
|
rsa = NULL;
|
||||||
@@ -372,18 +374,20 @@ CK_RV do_get_public_exponent(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len)
|
|||||||
|
|
||||||
CK_ULONG e = 0;
|
CK_ULONG e = 0;
|
||||||
RSA *rsa;
|
RSA *rsa;
|
||||||
|
const BIGNUM *bn_e;
|
||||||
|
|
||||||
rsa = EVP_PKEY_get1_RSA(key);
|
rsa = EVP_PKEY_get1_RSA(key);
|
||||||
if (rsa == NULL)
|
if (rsa == NULL)
|
||||||
return CKR_FUNCTION_FAILED;
|
return CKR_FUNCTION_FAILED;
|
||||||
|
|
||||||
if ((CK_ULONG)BN_num_bytes(rsa->e) > *len) {
|
RSA_get0_key(rsa, NULL, &bn_e, NULL);
|
||||||
|
if ((CK_ULONG)BN_num_bytes(bn_e) > *len) {
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
rsa = NULL;
|
rsa = NULL;
|
||||||
return CKR_BUFFER_TOO_SMALL;
|
return CKR_BUFFER_TOO_SMALL;
|
||||||
}
|
}
|
||||||
|
|
||||||
*len = (CK_ULONG)BN_bn2bin(rsa->e, data);
|
*len = (CK_ULONG)BN_bn2bin(bn_e, data);
|
||||||
|
|
||||||
RSA_free(rsa);
|
RSA_free(rsa);
|
||||||
rsa = NULL;
|
rsa = NULL;
|
||||||
@@ -406,7 +410,7 @@ CK_RV do_get_public_key(EVP_PKEY *key, CK_BYTE_PTR data, CK_ULONG_PTR len) {
|
|||||||
const EC_POINT *ecp;
|
const EC_POINT *ecp;
|
||||||
point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED;
|
point_conversion_form_t pcf = POINT_CONVERSION_UNCOMPRESSED;
|
||||||
|
|
||||||
switch(key->type) {
|
switch(EVP_PKEY_id(key)) {
|
||||||
case EVP_PKEY_RSA:
|
case EVP_PKEY_RSA:
|
||||||
case EVP_PKEY_RSA2:
|
case EVP_PKEY_RSA2:
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user