Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From b572350a922187d43dd4629c3b43e19979fae3ef Mon Sep 17 00:00:00 2001 |
| 2 | From: Eneas U de Queiroz <cote2004-github@yahoo.com> |
| 3 | Date: Tue, 25 Sep 2018 15:30:04 +0800 |
| 4 | Subject: [PATCH] ipsec-tools: add openssl 1.1 support |
| 5 | |
| 6 | To: equeiroz@troianet.com.br |
| 7 | |
| 8 | This patch updates the calls to openssl 1.1 API, and adds a |
| 9 | compatibility layer so it compiles with (at least) openssl 1.0.2, I |
| 10 | haven't tested it with lower versions, but all that's needed is to edit |
| 11 | the openssl_compat.* files and add the missing functions there--they're |
| 12 | usually trivial. |
| 13 | |
| 14 | Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com> |
| 15 | |
| 16 | Upstream-Status: Submitted [https://sourceforge.net/p/ipsec-tools/mailman/message/36327963/] |
| 17 | https://github.com/openwrt/packages/blob/master/net/ipsec-tools/patches/015-openssl-1.1.patch |
| 18 | |
| 19 | Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> |
| 20 | --- |
| 21 | src/racoon/Makefile.am | 10 +-- |
| 22 | src/racoon/algorithm.c | 6 +- |
| 23 | src/racoon/crypto_openssl.c | 197 +++++++++++++++++++++------------------- |
| 24 | src/racoon/crypto_openssl.h | 2 +- |
| 25 | src/racoon/eaytest.c | 7 +- |
| 26 | src/racoon/ipsec_doi.c | 2 +- |
| 27 | src/racoon/openssl_compat.c | 213 ++++++++++++++++++++++++++++++++++++++++++++ |
| 28 | src/racoon/openssl_compat.h | 45 ++++++++++ |
| 29 | src/racoon/plainrsa-gen.c | 41 +++++---- |
| 30 | src/racoon/prsa_par.y | 28 ++++-- |
| 31 | src/racoon/rsalist.c | 5 +- |
| 32 | 11 files changed, 430 insertions(+), 126 deletions(-) |
| 33 | create mode 100644 src/racoon/openssl_compat.c |
| 34 | create mode 100644 src/racoon/openssl_compat.h |
| 35 | |
| 36 | diff --git a/src/racoon/Makefile.am b/src/racoon/Makefile.am |
| 37 | index 0662957..272b009 100644 |
| 38 | --- a/src/racoon/Makefile.am |
| 39 | +++ b/src/racoon/Makefile.am |
| 40 | @@ -4,7 +4,7 @@ sbin_PROGRAMS = racoon racoonctl plainrsa-gen |
| 41 | noinst_PROGRAMS = eaytest |
| 42 | include_racoon_HEADERS = racoonctl.h var.h vmbuf.h misc.h gcmalloc.h admin.h \ |
| 43 | schedule.h sockmisc.h isakmp_var.h isakmp.h isakmp_xauth.h \ |
| 44 | - isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h |
| 45 | + isakmp_cfg.h isakmp_unity.h ipsec_doi.h evt.h openssl_compat.h |
| 46 | lib_LTLIBRARIES = libracoon.la |
| 47 | |
| 48 | adminsockdir=${localstatedir}/racoon |
| 49 | @@ -32,7 +32,7 @@ racoon_SOURCES = \ |
| 50 | gssapi.c dnssec.c getcertsbyname.c privsep.c \ |
| 51 | pfkey.c admin.c evt.c ipsec_doi.c oakley.c grabmyaddr.c vendorid.c \ |
| 52 | policy.c localconf.c remoteconf.c crypto_openssl.c algorithm.c \ |
| 53 | - proposal.c sainfo.c strnames.c \ |
| 54 | + openssl_compat.c proposal.c sainfo.c strnames.c \ |
| 55 | plog.c logger.c schedule.c str2val.c \ |
| 56 | safefile.c backupsa.c genlist.c rsalist.c \ |
| 57 | cftoken.l cfparse.y prsa_tok.l prsa_par.y |
| 58 | @@ -51,12 +51,12 @@ libracoon_la_SOURCES = kmpstat.c vmbuf.c sockmisc.c misc.c |
| 59 | libracoon_la_CFLAGS = -DNOUSE_PRIVSEP $(AM_CFLAGS) |
| 60 | |
| 61 | plainrsa_gen_SOURCES = plainrsa-gen.c plog.c \ |
| 62 | - crypto_openssl.c logger.c |
| 63 | + crypto_openssl.c logger.c openssl_compat.c |
| 64 | EXTRA_plainrsa_gen_SOURCES = $(MISSING_ALGOS) |
| 65 | plainrsa_gen_LDADD = $(CRYPTOBJS) vmbuf.o misc.o |
| 66 | plainrsa_gen_DEPENDENCIES = $(CRYPTOBJS) vmbuf.o misc.o |
| 67 | |
| 68 | -eaytest_SOURCES = eaytest.c plog.c logger.c |
| 69 | +eaytest_SOURCES = eaytest.c plog.c logger.c openssl_compat.c |
| 70 | EXTRA_eaytest_SOURCES = missing/crypto/sha2/sha2.c |
| 71 | eaytest_LDADD = crypto_openssl_test.o vmbuf.o str2val.o misc_noplog.o \ |
| 72 | $(CRYPTOBJS) |
| 73 | @@ -75,7 +75,7 @@ noinst_HEADERS = \ |
| 74 | debugrm.h isakmp.h misc.h sainfo.h \ |
| 75 | dhgroup.h isakmp_agg.h netdb_dnssec.h schedule.h \ |
| 76 | isakmp_cfg.h isakmp_xauth.h isakmp_unity.h isakmp_frag.h \ |
| 77 | - throttle.h privsep.h \ |
| 78 | + throttle.h privsep.h openssl_compat.h \ |
| 79 | cfparse_proto.h cftoken_proto.h genlist.h rsalist.h \ |
| 80 | missing/crypto/sha2/sha2.h missing/crypto/rijndael/rijndael_local.h \ |
| 81 | missing/crypto/rijndael/rijndael-api-fst.h \ |
| 82 | diff --git a/src/racoon/algorithm.c b/src/racoon/algorithm.c |
| 83 | index 3fd50f6..66c874b 100644 |
| 84 | --- a/src/racoon/algorithm.c |
| 85 | +++ b/src/racoon/algorithm.c |
| 86 | @@ -128,7 +128,7 @@ static struct enc_algorithm oakley_encdef[] = { |
| 87 | { "aes", algtype_aes, OAKLEY_ATTR_ENC_ALG_AES, 16, |
| 88 | eay_aes_encrypt, eay_aes_decrypt, |
| 89 | eay_aes_weakkey, eay_aes_keylen, }, |
| 90 | -#ifdef HAVE_OPENSSL_CAMELLIA_H |
| 91 | +#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) |
| 92 | { "camellia", algtype_camellia, OAKLEY_ATTR_ENC_ALG_CAMELLIA, 16, |
| 93 | eay_camellia_encrypt, eay_camellia_decrypt, |
| 94 | eay_camellia_weakkey, eay_camellia_keylen, }, |
| 95 | @@ -168,7 +168,7 @@ static struct enc_algorithm ipsec_encdef[] = { |
| 96 | { "twofish", algtype_twofish, IPSECDOI_ESP_TWOFISH, 16, |
| 97 | NULL, NULL, |
| 98 | NULL, eay_twofish_keylen, }, |
| 99 | -#ifdef HAVE_OPENSSL_IDEA_H |
| 100 | +#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) |
| 101 | { "3idea", algtype_3idea, IPSECDOI_ESP_3IDEA, 8, |
| 102 | NULL, NULL, |
| 103 | NULL, NULL, }, |
| 104 | @@ -179,7 +179,7 @@ static struct enc_algorithm ipsec_encdef[] = { |
| 105 | { "rc4", algtype_rc4, IPSECDOI_ESP_RC4, 8, |
| 106 | NULL, NULL, |
| 107 | NULL, NULL, }, |
| 108 | -#ifdef HAVE_OPENSSL_CAMELLIA_H |
| 109 | +#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) |
| 110 | { "camellia", algtype_camellia, IPSECDOI_ESP_CAMELLIA, 16, |
| 111 | NULL, NULL, |
| 112 | NULL, eay_camellia_keylen, }, |
| 113 | diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c |
| 114 | index 55b076a..8fb358f 100644 |
| 115 | --- a/src/racoon/crypto_openssl.c |
| 116 | +++ b/src/racoon/crypto_openssl.c |
| 117 | @@ -90,6 +90,7 @@ |
| 118 | #endif |
| 119 | #endif |
| 120 | #include "plog.h" |
| 121 | +#include "openssl_compat.h" |
| 122 | |
| 123 | #define USE_NEW_DES_API |
| 124 | |
| 125 | @@ -316,9 +317,12 @@ eay_cmp_asn1dn(n1, n2) |
| 126 | i = idx+1; |
| 127 | goto end; |
| 128 | } |
| 129 | - if ((ea->value->length == 1 && ea->value->data[0] == '*') || |
| 130 | - (eb->value->length == 1 && eb->value->data[0] == '*')) { |
| 131 | - if (OBJ_cmp(ea->object,eb->object)) { |
| 132 | + ASN1_STRING *sa = X509_NAME_ENTRY_get_data(ea); |
| 133 | + ASN1_STRING *sb = X509_NAME_ENTRY_get_data(eb); |
| 134 | + if ((ASN1_STRING_length(sa) == 1 && ASN1_STRING_get0_data(sa)[0] == '*') || |
| 135 | + (ASN1_STRING_length(sb) == 1 && ASN1_STRING_get0_data(sb)[0] == '*')) { |
| 136 | + if (OBJ_cmp(X509_NAME_ENTRY_get_object(ea), |
| 137 | + X509_NAME_ENTRY_get_object(eb))) { |
| 138 | i = idx+1; |
| 139 | goto end; |
| 140 | } |
| 141 | @@ -430,7 +434,7 @@ cb_check_cert_local(ok, ctx) |
| 142 | |
| 143 | if (!ok) { |
| 144 | X509_NAME_oneline( |
| 145 | - X509_get_subject_name(ctx->current_cert), |
| 146 | + X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), |
| 147 | buf, |
| 148 | 256); |
| 149 | /* |
| 150 | @@ -438,7 +442,8 @@ cb_check_cert_local(ok, ctx) |
| 151 | * ok if they are self signed. But we should still warn |
| 152 | * the user. |
| 153 | */ |
| 154 | - switch (ctx->error) { |
| 155 | + int ctx_error = X509_STORE_CTX_get_error(ctx); |
| 156 | + switch (ctx_error) { |
| 157 | case X509_V_ERR_CERT_HAS_EXPIRED: |
| 158 | case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: |
| 159 | case X509_V_ERR_INVALID_CA: |
| 160 | @@ -453,9 +458,9 @@ cb_check_cert_local(ok, ctx) |
| 161 | } |
| 162 | plog(log_tag, LOCATION, NULL, |
| 163 | "%s(%d) at depth:%d SubjectName:%s\n", |
| 164 | - X509_verify_cert_error_string(ctx->error), |
| 165 | - ctx->error, |
| 166 | - ctx->error_depth, |
| 167 | + X509_verify_cert_error_string(ctx_error), |
| 168 | + ctx_error, |
| 169 | + X509_STORE_CTX_get_error_depth(ctx), |
| 170 | buf); |
| 171 | } |
| 172 | ERR_clear_error(); |
| 173 | @@ -477,10 +482,11 @@ cb_check_cert_remote(ok, ctx) |
| 174 | |
| 175 | if (!ok) { |
| 176 | X509_NAME_oneline( |
| 177 | - X509_get_subject_name(ctx->current_cert), |
| 178 | + X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), |
| 179 | buf, |
| 180 | 256); |
| 181 | - switch (ctx->error) { |
| 182 | + int ctx_error=X509_STORE_CTX_get_error(ctx); |
| 183 | + switch (ctx_error) { |
| 184 | case X509_V_ERR_UNABLE_TO_GET_CRL: |
| 185 | ok = 1; |
| 186 | log_tag = LLV_WARNING; |
| 187 | @@ -490,9 +496,9 @@ cb_check_cert_remote(ok, ctx) |
| 188 | } |
| 189 | plog(log_tag, LOCATION, NULL, |
| 190 | "%s(%d) at depth:%d SubjectName:%s\n", |
| 191 | - X509_verify_cert_error_string(ctx->error), |
| 192 | - ctx->error, |
| 193 | - ctx->error_depth, |
| 194 | + X509_verify_cert_error_string(ctx_error), |
| 195 | + ctx_error, |
| 196 | + X509_STORE_CTX_get_error_depth(ctx), |
| 197 | buf); |
| 198 | } |
| 199 | ERR_clear_error(); |
| 200 | @@ -516,14 +522,15 @@ eay_get_x509asn1subjectname(cert) |
| 201 | if (x509 == NULL) |
| 202 | goto error; |
| 203 | |
| 204 | + X509_NAME *subject_name = X509_get_subject_name(x509); |
| 205 | /* get the length of the name */ |
| 206 | - len = i2d_X509_NAME(x509->cert_info->subject, NULL); |
| 207 | + len = i2d_X509_NAME(subject_name, NULL); |
| 208 | name = vmalloc(len); |
| 209 | if (!name) |
| 210 | goto error; |
| 211 | /* get the name */ |
| 212 | bp = (unsigned char *) name->v; |
| 213 | - len = i2d_X509_NAME(x509->cert_info->subject, &bp); |
| 214 | + len = i2d_X509_NAME(subject_name, &bp); |
| 215 | |
| 216 | X509_free(x509); |
| 217 | |
| 218 | @@ -661,15 +668,16 @@ eay_get_x509asn1issuername(cert) |
| 219 | if (x509 == NULL) |
| 220 | goto error; |
| 221 | |
| 222 | + X509_NAME *issuer_name = X509_get_issuer_name(x509); |
| 223 | /* get the length of the name */ |
| 224 | - len = i2d_X509_NAME(x509->cert_info->issuer, NULL); |
| 225 | + len = i2d_X509_NAME(issuer_name, NULL); |
| 226 | name = vmalloc(len); |
| 227 | if (name == NULL) |
| 228 | goto error; |
| 229 | |
| 230 | /* get the name */ |
| 231 | bp = (unsigned char *) name->v; |
| 232 | - len = i2d_X509_NAME(x509->cert_info->issuer, &bp); |
| 233 | + len = i2d_X509_NAME(issuer_name, &bp); |
| 234 | |
| 235 | X509_free(x509); |
| 236 | |
| 237 | @@ -850,7 +858,7 @@ eay_check_x509sign(source, sig, cert) |
| 238 | return -1; |
| 239 | } |
| 240 | |
| 241 | - res = eay_rsa_verify(source, sig, evp->pkey.rsa); |
| 242 | + res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp)); |
| 243 | |
| 244 | EVP_PKEY_free(evp); |
| 245 | X509_free(x509); |
| 246 | @@ -992,7 +1000,7 @@ eay_get_x509sign(src, privkey) |
| 247 | if (evp == NULL) |
| 248 | return NULL; |
| 249 | |
| 250 | - sig = eay_rsa_sign(src, evp->pkey.rsa); |
| 251 | + sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); |
| 252 | |
| 253 | EVP_PKEY_free(evp); |
| 254 | |
| 255 | @@ -1079,7 +1087,11 @@ eay_strerror() |
| 256 | int line, flags; |
| 257 | unsigned long es; |
| 258 | |
| 259 | +#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
| 260 | + es = 0; /* even when allowed by OPENSSL_API_COMPAT, it is defined as 0 */ |
| 261 | +#else |
| 262 | es = CRYPTO_thread_id(); |
| 263 | +#endif |
| 264 | |
| 265 | while ((l = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0){ |
| 266 | n = snprintf(ebuf + len, sizeof(ebuf) - len, |
| 267 | @@ -1100,7 +1112,7 @@ vchar_t * |
| 268 | evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc) |
| 269 | { |
| 270 | vchar_t *res; |
| 271 | - EVP_CIPHER_CTX ctx; |
| 272 | + EVP_CIPHER_CTX *ctx; |
| 273 | |
| 274 | if (!e) |
| 275 | return NULL; |
| 276 | @@ -1111,7 +1123,7 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc |
| 277 | if ((res = vmalloc(data->l)) == NULL) |
| 278 | return NULL; |
| 279 | |
| 280 | - EVP_CIPHER_CTX_init(&ctx); |
| 281 | + ctx = EVP_CIPHER_CTX_new(); |
| 282 | |
| 283 | switch(EVP_CIPHER_nid(e)){ |
| 284 | case NID_bf_cbc: |
| 285 | @@ -1125,54 +1137,41 @@ evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc |
| 286 | /* XXX: can we do that also for algos with a fixed key size ? |
| 287 | */ |
| 288 | /* init context without key/iv |
| 289 | - */ |
| 290 | - if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc)) |
| 291 | - { |
| 292 | - OpenSSL_BUG(); |
| 293 | - vfree(res); |
| 294 | - return NULL; |
| 295 | - } |
| 296 | + */ |
| 297 | + if (!EVP_CipherInit(ctx, e, NULL, NULL, enc)) |
| 298 | + goto out; |
| 299 | |
| 300 | - /* update key size |
| 301 | - */ |
| 302 | - if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l)) |
| 303 | - { |
| 304 | - OpenSSL_BUG(); |
| 305 | - vfree(res); |
| 306 | - return NULL; |
| 307 | - } |
| 308 | - |
| 309 | - /* finalize context init with desired key size |
| 310 | - */ |
| 311 | - if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v, |
| 312 | + /* update key size |
| 313 | + */ |
| 314 | + if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l)) |
| 315 | + goto out; |
| 316 | + |
| 317 | + /* finalize context init with desired key size |
| 318 | + */ |
| 319 | + if (!EVP_CipherInit(ctx, NULL, (u_char *) key->v, |
| 320 | (u_char *) iv->v, enc)) |
| 321 | - { |
| 322 | - OpenSSL_BUG(); |
| 323 | - vfree(res); |
| 324 | - return NULL; |
| 325 | - } |
| 326 | + goto out; |
| 327 | break; |
| 328 | default: |
| 329 | - if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, |
| 330 | - (u_char *) iv->v, enc)) { |
| 331 | - OpenSSL_BUG(); |
| 332 | - vfree(res); |
| 333 | - return NULL; |
| 334 | - } |
| 335 | + if (!EVP_CipherInit(ctx, e, (u_char *) key->v, |
| 336 | + (u_char *) iv->v, enc)) |
| 337 | + goto out; |
| 338 | } |
| 339 | |
| 340 | /* disable openssl padding */ |
| 341 | - EVP_CIPHER_CTX_set_padding(&ctx, 0); |
| 342 | + EVP_CIPHER_CTX_set_padding(ctx, 0); |
| 343 | |
| 344 | - if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) { |
| 345 | - OpenSSL_BUG(); |
| 346 | - vfree(res); |
| 347 | - return NULL; |
| 348 | - } |
| 349 | + if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l)) |
| 350 | + goto out; |
| 351 | |
| 352 | - EVP_CIPHER_CTX_cleanup(&ctx); |
| 353 | + EVP_CIPHER_CTX_free(ctx); |
| 354 | |
| 355 | return res; |
| 356 | +out: |
| 357 | + EVP_CIPHER_CTX_free(ctx); |
| 358 | + OpenSSL_BUG(); |
| 359 | + vfree(res); |
| 360 | + return NULL; |
| 361 | } |
| 362 | |
| 363 | int |
| 364 | @@ -1230,7 +1229,7 @@ eay_des_keylen(len) |
| 365 | return evp_keylen(len, EVP_des_cbc()); |
| 366 | } |
| 367 | |
| 368 | -#ifdef HAVE_OPENSSL_IDEA_H |
| 369 | +#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) |
| 370 | /* |
| 371 | * IDEA-CBC |
| 372 | */ |
| 373 | @@ -1587,7 +1586,7 @@ eay_aes_keylen(len) |
| 374 | return len; |
| 375 | } |
| 376 | |
| 377 | -#if defined(HAVE_OPENSSL_CAMELLIA_H) |
| 378 | +#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) |
| 379 | /* |
| 380 | * CAMELLIA-CBC |
| 381 | */ |
| 382 | @@ -1680,9 +1679,9 @@ eay_hmac_init(key, md) |
| 383 | vchar_t *key; |
| 384 | const EVP_MD *md; |
| 385 | { |
| 386 | - HMAC_CTX *c = racoon_malloc(sizeof(*c)); |
| 387 | + HMAC_CTX *c = HMAC_CTX_new(); |
| 388 | |
| 389 | - HMAC_Init(c, key->v, key->l, md); |
| 390 | + HMAC_Init_ex(c, key->v, key->l, md, NULL); |
| 391 | |
| 392 | return (caddr_t)c; |
| 393 | } |
| 394 | @@ -1761,8 +1760,7 @@ eay_hmacsha2_512_final(c) |
| 395 | |
| 396 | HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); |
| 397 | res->l = l; |
| 398 | - HMAC_cleanup((HMAC_CTX *)c); |
| 399 | - (void)racoon_free(c); |
| 400 | + HMAC_CTX_free((HMAC_CTX *)c); |
| 401 | |
| 402 | if (SHA512_DIGEST_LENGTH != res->l) { |
| 403 | plog(LLV_ERROR, LOCATION, NULL, |
| 404 | @@ -1811,8 +1809,7 @@ eay_hmacsha2_384_final(c) |
| 405 | |
| 406 | HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); |
| 407 | res->l = l; |
| 408 | - HMAC_cleanup((HMAC_CTX *)c); |
| 409 | - (void)racoon_free(c); |
| 410 | + HMAC_CTX_free((HMAC_CTX *)c); |
| 411 | |
| 412 | if (SHA384_DIGEST_LENGTH != res->l) { |
| 413 | plog(LLV_ERROR, LOCATION, NULL, |
| 414 | @@ -1861,8 +1858,7 @@ eay_hmacsha2_256_final(c) |
| 415 | |
| 416 | HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); |
| 417 | res->l = l; |
| 418 | - HMAC_cleanup((HMAC_CTX *)c); |
| 419 | - (void)racoon_free(c); |
| 420 | + HMAC_CTX_free((HMAC_CTX *)c); |
| 421 | |
| 422 | if (SHA256_DIGEST_LENGTH != res->l) { |
| 423 | plog(LLV_ERROR, LOCATION, NULL, |
| 424 | @@ -1912,8 +1908,7 @@ eay_hmacsha1_final(c) |
| 425 | |
| 426 | HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); |
| 427 | res->l = l; |
| 428 | - HMAC_cleanup((HMAC_CTX *)c); |
| 429 | - (void)racoon_free(c); |
| 430 | + HMAC_CTX_free((HMAC_CTX *)c); |
| 431 | |
| 432 | if (SHA_DIGEST_LENGTH != res->l) { |
| 433 | plog(LLV_ERROR, LOCATION, NULL, |
| 434 | @@ -1962,8 +1957,7 @@ eay_hmacmd5_final(c) |
| 435 | |
| 436 | HMAC_Final((HMAC_CTX *)c, (unsigned char *) res->v, &l); |
| 437 | res->l = l; |
| 438 | - HMAC_cleanup((HMAC_CTX *)c); |
| 439 | - (void)racoon_free(c); |
| 440 | + HMAC_CTX_free((HMAC_CTX *)c); |
| 441 | |
| 442 | if (MD5_DIGEST_LENGTH != res->l) { |
| 443 | plog(LLV_ERROR, LOCATION, NULL, |
| 444 | @@ -2266,6 +2260,7 @@ eay_dh_generate(prime, g, publen, pub, priv) |
| 445 | u_int32_t g; |
| 446 | { |
| 447 | BIGNUM *p = NULL; |
| 448 | + BIGNUM *BNg = NULL; |
| 449 | DH *dh = NULL; |
| 450 | int error = -1; |
| 451 | |
| 452 | @@ -2276,25 +2271,28 @@ eay_dh_generate(prime, g, publen, pub, priv) |
| 453 | |
| 454 | if ((dh = DH_new()) == NULL) |
| 455 | goto end; |
| 456 | - dh->p = p; |
| 457 | - p = NULL; /* p is now part of dh structure */ |
| 458 | - dh->g = NULL; |
| 459 | - if ((dh->g = BN_new()) == NULL) |
| 460 | + if ((BNg = BN_new()) == NULL) |
| 461 | goto end; |
| 462 | - if (!BN_set_word(dh->g, g)) |
| 463 | + if (!BN_set_word(BNg, g)) |
| 464 | goto end; |
| 465 | + if (! DH_set0_pqg(dh, p, NULL, BNg)) |
| 466 | + goto end; |
| 467 | + BNg = NULL; |
| 468 | + p = NULL; /* p is now part of dh structure */ |
| 469 | |
| 470 | if (publen != 0) |
| 471 | - dh->length = publen; |
| 472 | + DH_set_length(dh, publen); |
| 473 | |
| 474 | /* generate public and private number */ |
| 475 | if (!DH_generate_key(dh)) |
| 476 | goto end; |
| 477 | |
| 478 | /* copy results to buffers */ |
| 479 | - if (eay_bn2v(pub, dh->pub_key) < 0) |
| 480 | + BIGNUM *pub_key, *priv_key; |
| 481 | + DH_get0_key(dh, (const BIGNUM**) &pub_key, (const BIGNUM**) &priv_key); |
| 482 | + if (eay_bn2v(pub, pub_key) < 0) |
| 483 | goto end; |
| 484 | - if (eay_bn2v(priv, dh->priv_key) < 0) { |
| 485 | + if (eay_bn2v(priv, priv_key) < 0) { |
| 486 | vfree(*pub); |
| 487 | goto end; |
| 488 | } |
| 489 | @@ -2306,6 +2304,8 @@ end: |
| 490 | DH_free(dh); |
| 491 | if (p != 0) |
| 492 | BN_free(p); |
| 493 | + if (BNg != 0) |
| 494 | + BN_free(BNg); |
| 495 | return(error); |
| 496 | } |
| 497 | |
| 498 | @@ -2319,6 +2319,10 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) |
| 499 | int l; |
| 500 | unsigned char *v = NULL; |
| 501 | int error = -1; |
| 502 | + BIGNUM *p = BN_new(); |
| 503 | + BIGNUM *BNg = BN_new(); |
| 504 | + BIGNUM *pub_key = BN_new(); |
| 505 | + BIGNUM *priv_key = BN_new(); |
| 506 | |
| 507 | /* make public number to compute */ |
| 508 | if (eay_v2bn(&dh_pub, pub2) < 0) |
| 509 | @@ -2327,19 +2331,21 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) |
| 510 | /* make DH structure */ |
| 511 | if ((dh = DH_new()) == NULL) |
| 512 | goto end; |
| 513 | - if (eay_v2bn(&dh->p, prime) < 0) |
| 514 | + if (p == NULL || BNg == NULL || pub_key == NULL || priv_key == NULL) |
| 515 | goto end; |
| 516 | - if (eay_v2bn(&dh->pub_key, pub) < 0) |
| 517 | + |
| 518 | + if (eay_v2bn(&p, prime) < 0) |
| 519 | goto end; |
| 520 | - if (eay_v2bn(&dh->priv_key, priv) < 0) |
| 521 | + if (eay_v2bn(&pub_key, pub) < 0) |
| 522 | goto end; |
| 523 | - dh->length = pub2->l * 8; |
| 524 | - |
| 525 | - dh->g = NULL; |
| 526 | - if ((dh->g = BN_new()) == NULL) |
| 527 | + if (eay_v2bn(&priv_key, priv) < 0) |
| 528 | goto end; |
| 529 | - if (!BN_set_word(dh->g, g)) |
| 530 | + if (!BN_set_word(BNg, g)) |
| 531 | goto end; |
| 532 | + DH_set0_key(dh, pub_key, priv_key); |
| 533 | + DH_set_length(dh, pub2->l * 8); |
| 534 | + DH_set0_pqg(dh, p, NULL, BNg); |
| 535 | + pub_key = priv_key = p = BNg = NULL; |
| 536 | |
| 537 | if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL) |
| 538 | goto end; |
| 539 | @@ -2350,6 +2356,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) |
| 540 | error = 0; |
| 541 | |
| 542 | end: |
| 543 | + if (p != NULL) |
| 544 | + BN_free(p); |
| 545 | + if (BNg != NULL) |
| 546 | + BN_free(BNg); |
| 547 | + if (pub_key != NULL) |
| 548 | + BN_free(pub_key); |
| 549 | + if (priv_key != NULL) |
| 550 | + BN_free(priv_key); |
| 551 | if (dh_pub != NULL) |
| 552 | BN_free(dh_pub); |
| 553 | if (dh != NULL) |
| 554 | @@ -2400,12 +2414,14 @@ eay_bn2v(var, bn) |
| 555 | void |
| 556 | eay_init() |
| 557 | { |
| 558 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 559 | OpenSSL_add_all_algorithms(); |
| 560 | ERR_load_crypto_strings(); |
| 561 | #ifdef HAVE_OPENSSL_ENGINE_H |
| 562 | ENGINE_load_builtin_engines(); |
| 563 | ENGINE_register_all_complete(); |
| 564 | #endif |
| 565 | +#endif |
| 566 | } |
| 567 | |
| 568 | vchar_t * |
| 569 | @@ -2504,8 +2520,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf) |
| 570 | goto out; |
| 571 | } |
| 572 | |
| 573 | - rsa_pub->n = mod; |
| 574 | - rsa_pub->e = exp; |
| 575 | + RSA_set0_key(rsa_pub, mod, exp, NULL); |
| 576 | |
| 577 | out: |
| 578 | return rsa_pub; |
| 579 | @@ -2582,5 +2597,5 @@ eay_random() |
| 580 | const char * |
| 581 | eay_version() |
| 582 | { |
| 583 | - return SSLeay_version(SSLEAY_VERSION); |
| 584 | + return OpenSSL_version(OPENSSL_VERSION); |
| 585 | } |
| 586 | diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h |
| 587 | index 66fac73..ee5b765 100644 |
| 588 | --- a/src/racoon/crypto_openssl.h |
| 589 | +++ b/src/racoon/crypto_openssl.h |
| 590 | @@ -124,7 +124,7 @@ extern vchar_t *eay_aes_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); |
| 591 | extern int eay_aes_weakkey __P((vchar_t *)); |
| 592 | extern int eay_aes_keylen __P((int)); |
| 593 | |
| 594 | -#if defined(HAVE_OPENSSL_CAMELLIA_H) |
| 595 | +#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) |
| 596 | /* Camellia */ |
| 597 | extern vchar_t *eay_camellia_encrypt __P((vchar_t *, vchar_t *, vchar_t *)); |
| 598 | extern vchar_t *eay_camellia_decrypt __P((vchar_t *, vchar_t *, vchar_t *)); |
| 599 | diff --git a/src/racoon/eaytest.c b/src/racoon/eaytest.c |
| 600 | index d609e4f..d2d20da 100644 |
| 601 | --- a/src/racoon/eaytest.c |
| 602 | +++ b/src/racoon/eaytest.c |
| 603 | @@ -62,6 +62,7 @@ |
| 604 | #include "dhgroup.h" |
| 605 | #include "crypto_openssl.h" |
| 606 | #include "gnuc.h" |
| 607 | +#include "openssl_compat.h" |
| 608 | |
| 609 | #include "package_version.h" |
| 610 | |
| 611 | @@ -103,7 +104,7 @@ rsa_verify_with_pubkey(src, sig, pubkey_txt) |
| 612 | printf ("PEM_read_PUBKEY(): %s\n", eay_strerror()); |
| 613 | return -1; |
| 614 | } |
| 615 | - error = eay_check_rsasign(src, sig, evp->pkey.rsa); |
| 616 | + error = eay_check_rsasign(src, sig, EVP_PKEY_get0_RSA(evp)); |
| 617 | |
| 618 | return error; |
| 619 | } |
| 620 | @@ -698,7 +699,7 @@ ciphertest(ac, av) |
| 621 | eay_cast_encrypt, eay_cast_decrypt) < 0) |
| 622 | return -1; |
| 623 | |
| 624 | -#ifdef HAVE_OPENSSL_IDEA_H |
| 625 | +#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) |
| 626 | if (ciphertest_1 ("IDEA", |
| 627 | &data, 8, |
| 628 | &key, key.l, |
| 629 | @@ -715,7 +716,7 @@ ciphertest(ac, av) |
| 630 | eay_rc5_encrypt, eay_rc5_decrypt) < 0) |
| 631 | return -1; |
| 632 | #endif |
| 633 | -#if defined(HAVE_OPENSSL_CAMELLIA_H) |
| 634 | +#if defined(HAVE_OPENSSL_CAMELLIA_H) && ! defined(OPENSSL_NO_CAMELLIA) |
| 635 | if (ciphertest_1 ("CAMELLIA", |
| 636 | &data, 16, |
| 637 | &key, key.l, |
| 638 | diff --git a/src/racoon/ipsec_doi.c b/src/racoon/ipsec_doi.c |
| 639 | index 08e4325..7b1604d 100644 |
| 640 | --- a/src/racoon/ipsec_doi.c |
| 641 | +++ b/src/racoon/ipsec_doi.c |
| 642 | @@ -715,7 +715,7 @@ out: |
| 643 | /* key length must not be specified on some algorithms */ |
| 644 | if (keylen) { |
| 645 | if (sa->enctype == OAKLEY_ATTR_ENC_ALG_DES |
| 646 | -#ifdef HAVE_OPENSSL_IDEA_H |
| 647 | +#if defined(HAVE_OPENSSL_IDEA_H) && ! defined(OPENSSL_NO_IDEA) |
| 648 | || sa->enctype == OAKLEY_ATTR_ENC_ALG_IDEA |
| 649 | #endif |
| 650 | || sa->enctype == OAKLEY_ATTR_ENC_ALG_3DES) { |
| 651 | diff --git a/src/racoon/openssl_compat.c b/src/racoon/openssl_compat.c |
| 652 | new file mode 100644 |
| 653 | index 0000000..864b5fb |
| 654 | --- /dev/null |
| 655 | +++ b/src/racoon/openssl_compat.c |
| 656 | @@ -0,0 +1,213 @@ |
| 657 | +/* |
| 658 | + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. |
| 659 | + * |
| 660 | + * Licensed under the OpenSSL license (the "License"). You may not use |
| 661 | + * this file except in compliance with the License. You can obtain a copy |
| 662 | + * in the file LICENSE in the source distribution or at |
| 663 | + * https://www.openssl.org/source/license.html |
| 664 | + */ |
| 665 | + |
| 666 | +#include "openssl_compat.h" |
| 667 | + |
| 668 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 669 | + |
| 670 | +#include <string.h> |
| 671 | + |
| 672 | +static void *OPENSSL_zalloc(size_t num) |
| 673 | +{ |
| 674 | + void *ret = OPENSSL_malloc(num); |
| 675 | + |
| 676 | + if (ret != NULL) |
| 677 | + memset(ret, 0, num); |
| 678 | + return ret; |
| 679 | +} |
| 680 | + |
| 681 | +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) |
| 682 | +{ |
| 683 | + /* If the fields n and e in r are NULL, the corresponding input |
| 684 | + * parameters MUST be non-NULL for n and e. d may be |
| 685 | + * left NULL (in case only the public key is used). |
| 686 | + */ |
| 687 | + if ((r->n == NULL && n == NULL) |
| 688 | + || (r->e == NULL && e == NULL)) |
| 689 | + return 0; |
| 690 | + |
| 691 | + if (n != NULL) { |
| 692 | + BN_free(r->n); |
| 693 | + r->n = n; |
| 694 | + } |
| 695 | + if (e != NULL) { |
| 696 | + BN_free(r->e); |
| 697 | + r->e = e; |
| 698 | + } |
| 699 | + if (d != NULL) { |
| 700 | + BN_free(r->d); |
| 701 | + r->d = d; |
| 702 | + } |
| 703 | + |
| 704 | + return 1; |
| 705 | +} |
| 706 | + |
| 707 | +int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) |
| 708 | +{ |
| 709 | + /* If the fields p and q in r are NULL, the corresponding input |
| 710 | + * parameters MUST be non-NULL. |
| 711 | + */ |
| 712 | + if ((r->p == NULL && p == NULL) |
| 713 | + || (r->q == NULL && q == NULL)) |
| 714 | + return 0; |
| 715 | + |
| 716 | + if (p != NULL) { |
| 717 | + BN_free(r->p); |
| 718 | + r->p = p; |
| 719 | + } |
| 720 | + if (q != NULL) { |
| 721 | + BN_free(r->q); |
| 722 | + r->q = q; |
| 723 | + } |
| 724 | + |
| 725 | + return 1; |
| 726 | +} |
| 727 | + |
| 728 | +int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) |
| 729 | +{ |
| 730 | + /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input |
| 731 | + * parameters MUST be non-NULL. |
| 732 | + */ |
| 733 | + if ((r->dmp1 == NULL && dmp1 == NULL) |
| 734 | + || (r->dmq1 == NULL && dmq1 == NULL) |
| 735 | + || (r->iqmp == NULL && iqmp == NULL)) |
| 736 | + return 0; |
| 737 | + |
| 738 | + if (dmp1 != NULL) { |
| 739 | + BN_free(r->dmp1); |
| 740 | + r->dmp1 = dmp1; |
| 741 | + } |
| 742 | + if (dmq1 != NULL) { |
| 743 | + BN_free(r->dmq1); |
| 744 | + r->dmq1 = dmq1; |
| 745 | + } |
| 746 | + if (iqmp != NULL) { |
| 747 | + BN_free(r->iqmp); |
| 748 | + r->iqmp = iqmp; |
| 749 | + } |
| 750 | + |
| 751 | + return 1; |
| 752 | +} |
| 753 | + |
| 754 | +void RSA_get0_key(const RSA *r, |
| 755 | + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) |
| 756 | +{ |
| 757 | + if (n != NULL) |
| 758 | + *n = r->n; |
| 759 | + if (e != NULL) |
| 760 | + *e = r->e; |
| 761 | + if (d != NULL) |
| 762 | + *d = r->d; |
| 763 | +} |
| 764 | + |
| 765 | +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) |
| 766 | +{ |
| 767 | + if (p != NULL) |
| 768 | + *p = r->p; |
| 769 | + if (q != NULL) |
| 770 | + *q = r->q; |
| 771 | +} |
| 772 | + |
| 773 | +void RSA_get0_crt_params(const RSA *r, |
| 774 | + const BIGNUM **dmp1, const BIGNUM **dmq1, |
| 775 | + const BIGNUM **iqmp) |
| 776 | +{ |
| 777 | + if (dmp1 != NULL) |
| 778 | + *dmp1 = r->dmp1; |
| 779 | + if (dmq1 != NULL) |
| 780 | + *dmq1 = r->dmq1; |
| 781 | + if (iqmp != NULL) |
| 782 | + *iqmp = r->iqmp; |
| 783 | +} |
| 784 | + |
| 785 | +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) |
| 786 | +{ |
| 787 | + /* If the fields p and g in d are NULL, the corresponding input |
| 788 | + * parameters MUST be non-NULL. q may remain NULL. |
| 789 | + */ |
| 790 | + if ((dh->p == NULL && p == NULL) |
| 791 | + || (dh->g == NULL && g == NULL)) |
| 792 | + return 0; |
| 793 | + |
| 794 | + if (p != NULL) { |
| 795 | + BN_free(dh->p); |
| 796 | + dh->p = p; |
| 797 | + } |
| 798 | + if (q != NULL) { |
| 799 | + BN_free(dh->q); |
| 800 | + dh->q = q; |
| 801 | + } |
| 802 | + if (g != NULL) { |
| 803 | + BN_free(dh->g); |
| 804 | + dh->g = g; |
| 805 | + } |
| 806 | + |
| 807 | + if (q != NULL) { |
| 808 | + dh->length = BN_num_bits(q); |
| 809 | + } |
| 810 | + |
| 811 | + return 1; |
| 812 | +} |
| 813 | + |
| 814 | +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) |
| 815 | +{ |
| 816 | + if (pub_key != NULL) |
| 817 | + *pub_key = dh->pub_key; |
| 818 | + if (priv_key != NULL) |
| 819 | + *priv_key = dh->priv_key; |
| 820 | +} |
| 821 | + |
| 822 | +int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) |
| 823 | +{ |
| 824 | + /* If the field pub_key in dh is NULL, the corresponding input |
| 825 | + * parameters MUST be non-NULL. The priv_key field may |
| 826 | + * be left NULL. |
| 827 | + */ |
| 828 | + if (dh->pub_key == NULL && pub_key == NULL) |
| 829 | + return 0; |
| 830 | + |
| 831 | + if (pub_key != NULL) { |
| 832 | + BN_free(dh->pub_key); |
| 833 | + dh->pub_key = pub_key; |
| 834 | + } |
| 835 | + if (priv_key != NULL) { |
| 836 | + BN_free(dh->priv_key); |
| 837 | + dh->priv_key = priv_key; |
| 838 | + } |
| 839 | + |
| 840 | + return 1; |
| 841 | +} |
| 842 | + |
| 843 | +int DH_set_length(DH *dh, long length) |
| 844 | +{ |
| 845 | + dh->length = length; |
| 846 | + return 1; |
| 847 | +} |
| 848 | + |
| 849 | +HMAC_CTX *HMAC_CTX_new(void) |
| 850 | +{ |
| 851 | + return OPENSSL_zalloc(sizeof(HMAC_CTX)); |
| 852 | +} |
| 853 | + |
| 854 | +void HMAC_CTX_free(HMAC_CTX *ctx) |
| 855 | +{ |
| 856 | + HMAC_CTX_cleanup(ctx); |
| 857 | + OPENSSL_free(ctx); |
| 858 | +} |
| 859 | + |
| 860 | +RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) |
| 861 | +{ |
| 862 | + if (pkey->type != EVP_PKEY_RSA) { |
| 863 | + return NULL; |
| 864 | + } |
| 865 | + return pkey->pkey.rsa; |
| 866 | +} |
| 867 | + |
| 868 | + |
| 869 | +#endif /* OPENSSL_VERSION_NUMBER */ |
| 870 | diff --git a/src/racoon/openssl_compat.h b/src/racoon/openssl_compat.h |
| 871 | new file mode 100644 |
| 872 | index 0000000..9e152c2 |
| 873 | --- /dev/null |
| 874 | +++ b/src/racoon/openssl_compat.h |
| 875 | @@ -0,0 +1,45 @@ |
| 876 | +#ifndef OPENSSL_COMPAT_H |
| 877 | +#define OPENSSL_COMPAT_H |
| 878 | + |
| 879 | +#include <openssl/opensslv.h> |
| 880 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 881 | + |
| 882 | +#include <openssl/rsa.h> |
| 883 | +#include <openssl/dh.h> |
| 884 | +#include <openssl/evp.h> |
| 885 | +#include <openssl/hmac.h> |
| 886 | + |
| 887 | +int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); |
| 888 | +int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); |
| 889 | +int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); |
| 890 | +void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); |
| 891 | +void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); |
| 892 | +void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp); |
| 893 | + |
| 894 | +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); |
| 895 | +void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); |
| 896 | +int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); |
| 897 | +int DH_set_length(DH *dh, long length); |
| 898 | + |
| 899 | +HMAC_CTX *HMAC_CTX_new(void); |
| 900 | +void HMAC_CTX_free(HMAC_CTX* ctx); |
| 901 | + |
| 902 | +RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); |
| 903 | + |
| 904 | +#define ASN1_STRING_length(s) s->length |
| 905 | +#define ASN1_STRING_get0_data(s) s->data |
| 906 | + |
| 907 | +#define X509_get_subject_name(x) x->cert_info->subject |
| 908 | +#define X509_get_issuer_name(x) x->cert_info->issuer |
| 909 | +#define X509_NAME_ENTRY_get_data(n) n->value |
| 910 | +#define X509_NAME_ENTRY_get_object(n) n->object |
| 911 | +#define X509_STORE_CTX_get_current_cert(ctx) ctx->current_cert |
| 912 | +#define X509_STORE_CTX_get_error(ctx) ctx->error |
| 913 | +#define X509_STORE_CTX_get_error_depth(ctx) ctx->error_depth |
| 914 | + |
| 915 | +#define OPENSSL_VERSION SSLEAY_VERSION |
| 916 | +#define OpenSSL_version SSLeay_version |
| 917 | + |
| 918 | +#endif /* OPENSSL_VERSION_NUMBER */ |
| 919 | + |
| 920 | +#endif /* OPENSSL_COMPAT_H */ |
| 921 | diff --git a/src/racoon/plainrsa-gen.c b/src/racoon/plainrsa-gen.c |
| 922 | index cad1861..b949b08 100644 |
| 923 | --- a/src/racoon/plainrsa-gen.c |
| 924 | +++ b/src/racoon/plainrsa-gen.c |
| 925 | @@ -60,6 +60,7 @@ |
| 926 | #include "vmbuf.h" |
| 927 | #include "plog.h" |
| 928 | #include "crypto_openssl.h" |
| 929 | +#include "openssl_compat.h" |
| 930 | |
| 931 | #include "package_version.h" |
| 932 | |
| 933 | @@ -90,12 +91,14 @@ mix_b64_pubkey(const RSA *key) |
| 934 | char *binbuf; |
| 935 | long binlen, ret; |
| 936 | vchar_t *res; |
| 937 | - |
| 938 | - binlen = 1 + BN_num_bytes(key->e) + BN_num_bytes(key->n); |
| 939 | + const BIGNUM *e, *n; |
| 940 | + |
| 941 | + RSA_get0_key(key, &n, &e, NULL); |
| 942 | + binlen = 1 + BN_num_bytes(e) + BN_num_bytes(n); |
| 943 | binbuf = malloc(binlen); |
| 944 | memset(binbuf, 0, binlen); |
| 945 | - binbuf[0] = BN_bn2bin(key->e, (unsigned char *) &binbuf[1]); |
| 946 | - ret = BN_bn2bin(key->n, (unsigned char *) (&binbuf[binbuf[0] + 1])); |
| 947 | + binbuf[0] = BN_bn2bin(e, (unsigned char *) &binbuf[1]); |
| 948 | + ret = BN_bn2bin(n, (unsigned char *) (&binbuf[binbuf[0] + 1])); |
| 949 | if (1 + binbuf[0] + ret != binlen) { |
| 950 | plog(LLV_ERROR, LOCATION, NULL, |
| 951 | "Pubkey generation failed. This is really strange...\n"); |
| 952 | @@ -131,16 +134,20 @@ print_rsa_key(FILE *fp, const RSA *key) |
| 953 | |
| 954 | fprintf(fp, "# : PUB 0s%s\n", pubkey64->v); |
| 955 | fprintf(fp, ": RSA\t{\n"); |
| 956 | - fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(key->n)); |
| 957 | + const BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; |
| 958 | + RSA_get0_key(key, &n, &e, &d); |
| 959 | + RSA_get0_factors(key, &p, &q); |
| 960 | + RSA_get0_crt_params(key, &dmp1, &dmq1, &iqmp); |
| 961 | + fprintf(fp, "\t# RSA %d bits\n", BN_num_bits(n)); |
| 962 | fprintf(fp, "\t# pubkey=0s%s\n", pubkey64->v); |
| 963 | - fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(key->n))); |
| 964 | - fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(key->e))); |
| 965 | - fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(key->d))); |
| 966 | - fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(key->p))); |
| 967 | - fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(key->q))); |
| 968 | - fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(key->dmp1))); |
| 969 | - fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(key->dmq1))); |
| 970 | - fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(key->iqmp))); |
| 971 | + fprintf(fp, "\tModulus: 0x%s\n", lowercase(BN_bn2hex(n))); |
| 972 | + fprintf(fp, "\tPublicExponent: 0x%s\n", lowercase(BN_bn2hex(e))); |
| 973 | + fprintf(fp, "\tPrivateExponent: 0x%s\n", lowercase(BN_bn2hex(d))); |
| 974 | + fprintf(fp, "\tPrime1: 0x%s\n", lowercase(BN_bn2hex(p))); |
| 975 | + fprintf(fp, "\tPrime2: 0x%s\n", lowercase(BN_bn2hex(q))); |
| 976 | + fprintf(fp, "\tExponent1: 0x%s\n", lowercase(BN_bn2hex(dmp1))); |
| 977 | + fprintf(fp, "\tExponent2: 0x%s\n", lowercase(BN_bn2hex(dmq1))); |
| 978 | + fprintf(fp, "\tCoefficient: 0x%s\n", lowercase(BN_bn2hex(iqmp))); |
| 979 | fprintf(fp, " }\n"); |
| 980 | |
| 981 | vfree(pubkey64); |
| 982 | @@ -203,11 +210,13 @@ int |
| 983 | gen_rsa_key(FILE *fp, size_t bits, unsigned long exp) |
| 984 | { |
| 985 | int ret; |
| 986 | - RSA *key; |
| 987 | + RSA *key = RSA_new(); |
| 988 | + BIGNUM *e = BN_new(); |
| 989 | |
| 990 | - key = RSA_generate_key(bits, exp, NULL, NULL); |
| 991 | - if (!key) { |
| 992 | + BN_set_word(e, exp); |
| 993 | + if (! RSA_generate_key_ex(key, bits, e, NULL)) { |
| 994 | fprintf(stderr, "RSA_generate_key(): %s\n", eay_strerror()); |
| 995 | + RSA_free(key); |
| 996 | return -1; |
| 997 | } |
| 998 | |
| 999 | diff --git a/src/racoon/prsa_par.y b/src/racoon/prsa_par.y |
| 1000 | index 1987e4d..27ce4c6 100644 |
| 1001 | --- a/src/racoon/prsa_par.y |
| 1002 | +++ b/src/racoon/prsa_par.y |
| 1003 | @@ -68,6 +68,7 @@ |
| 1004 | #include "isakmp_var.h" |
| 1005 | #include "handler.h" |
| 1006 | #include "crypto_openssl.h" |
| 1007 | +#include "openssl_compat.h" |
| 1008 | #include "sockmisc.h" |
| 1009 | #include "rsalist.h" |
| 1010 | |
| 1011 | @@ -85,7 +86,18 @@ char *prsa_cur_fname = NULL; |
| 1012 | struct genlist *prsa_cur_list = NULL; |
| 1013 | enum rsa_key_type prsa_cur_type = RSA_TYPE_ANY; |
| 1014 | |
| 1015 | -static RSA *rsa_cur; |
| 1016 | +struct my_rsa_st { |
| 1017 | + BIGNUM *n; |
| 1018 | + BIGNUM *e; |
| 1019 | + BIGNUM *d; |
| 1020 | + BIGNUM *p; |
| 1021 | + BIGNUM *q; |
| 1022 | + BIGNUM *dmp1; |
| 1023 | + BIGNUM *dmq1; |
| 1024 | + BIGNUM *iqmp; |
| 1025 | +}; |
| 1026 | + |
| 1027 | +static struct my_rsa_st *rsa_cur; |
| 1028 | |
| 1029 | void |
| 1030 | prsaerror(const char *s, ...) |
| 1031 | @@ -201,8 +213,12 @@ rsa_statement: |
| 1032 | rsa_cur->iqmp = NULL; |
| 1033 | } |
| 1034 | } |
| 1035 | - $$ = rsa_cur; |
| 1036 | - rsa_cur = RSA_new(); |
| 1037 | + RSA * rsa_tmp = RSA_new(); |
| 1038 | + RSA_set0_key(rsa_tmp, rsa_cur->n, rsa_cur->e, rsa_cur->d); |
| 1039 | + RSA_set0_factors(rsa_tmp, rsa_cur->p, rsa_cur->q); |
| 1040 | + RSA_set0_crt_params(rsa_tmp, rsa_cur->dmp1, rsa_cur->dmq1, rsa_cur->iqmp); |
| 1041 | + $$ = rsa_tmp; |
| 1042 | + memset(rsa_cur, 0, sizeof(struct my_rsa_st)); |
| 1043 | } |
| 1044 | | TAG_PUB BASE64 |
| 1045 | { |
| 1046 | @@ -351,10 +367,12 @@ prsa_parse_file(struct genlist *list, char *fname, enum rsa_key_type type) |
| 1047 | prsa_cur_fname = fname; |
| 1048 | prsa_cur_list = list; |
| 1049 | prsa_cur_type = type; |
| 1050 | - rsa_cur = RSA_new(); |
| 1051 | + rsa_cur = malloc(sizeof(struct my_rsa_st)); |
| 1052 | + memset(rsa_cur, 0, sizeof(struct my_rsa_st)); |
| 1053 | ret = prsaparse(); |
| 1054 | if (rsa_cur) { |
| 1055 | - RSA_free(rsa_cur); |
| 1056 | + memset(rsa_cur, 0, sizeof(struct my_rsa_st)); |
| 1057 | + free(rsa_cur); |
| 1058 | rsa_cur = NULL; |
| 1059 | } |
| 1060 | fclose (fp); |
| 1061 | diff --git a/src/racoon/rsalist.c b/src/racoon/rsalist.c |
| 1062 | index f152c82..96e8363 100644 |
| 1063 | --- a/src/racoon/rsalist.c |
| 1064 | +++ b/src/racoon/rsalist.c |
| 1065 | @@ -52,6 +52,7 @@ |
| 1066 | #include "genlist.h" |
| 1067 | #include "remoteconf.h" |
| 1068 | #include "crypto_openssl.h" |
| 1069 | +#include "openssl_compat.h" |
| 1070 | |
| 1071 | #ifndef LIST_FIRST |
| 1072 | #define LIST_FIRST(head) ((head)->lh_first) |
| 1073 | @@ -98,7 +99,9 @@ rsa_key_dup(struct rsa_key *key) |
| 1074 | return NULL; |
| 1075 | |
| 1076 | if (key->rsa) { |
| 1077 | - new->rsa = key->rsa->d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa); |
| 1078 | + const BIGNUM *d; |
| 1079 | + RSA_get0_key(key->rsa, NULL, NULL, &d); |
| 1080 | + new->rsa = (d != NULL ? RSAPrivateKey_dup(key->rsa) : RSAPublicKey_dup(key->rsa)); |
| 1081 | if (new->rsa == NULL) |
| 1082 | goto dup_error; |
| 1083 | } |
| 1084 | -- |
| 1085 | 2.7.4 |
| 1086 | |