[xmltooling] 15/24: CPPXT-110 OpenSSL 1.1 makes EVP_PKEY opaque

Ferenc Wágner wferi at moszumanska.debian.org
Fri Dec 16 11:56:12 UTC 2016


This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch master
in repository xmltooling.

commit e4e09e450ace3072b3bf442ca9e6120672c751a7
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date:   Fri Jul 15 17:18:25 2016 +0100

    CPPXT-110 OpenSSL 1.1 makes EVP_PKEY opaque
    
    https://issues.shibboleth.net/jira/browse/CPPXT-110
    
    The type field is available as EVP_PKEY_id() since 1.0
    The RSA and DSA fields are available as EVP_PKEY_get0_[RD]SA from 1.1
    
    Add support macros to make that happen.
    
    (reapplied - previously backed out in bae0dd53)
---
 .../security/impl/ExplicitKeyTrustEngine.cpp       |  6 ++--
 xmltooling/security/impl/OpenSSLSupport.cpp        | 33 ++++++++++++++++++++++
 xmltooling/security/impl/OpenSSLSupport.h          | 15 ++++++++--
 xmltooling/security/impl/SecurityHelper.cpp        |  8 +++---
 4 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 785d912..a4a5dd2 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -263,8 +263,8 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (rsa && evp && evp->type == EVP_PKEY_RSA &&
-                            BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
+                    if (rsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA &&
+                            BN_cmp(RSA_get0_n(rsa),RSA_get0_n(EVP_PKEY_get0_RSA(evp))) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(EVP_PKEY_get0_RSA(evp))) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer RSA key information");
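Review bot: The rewritten condition at L44 evaluates `EVP_PKEY_get0_RSA(evp)` twice on one very long line; hoisting it into a local keeps the `EVP_PKEY_id` test ahead of the access, which the pre-1.1 macro form of `EVP_PKEY_get0_RSA` requires because it reads the union member without checking the key type. Proposed: `const RSA* certRsa = (evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA) ? EVP_PKEY_get0_RSA(evp) : nullptr;` followed by `if (rsa && certRsa && BN_cmp(RSA_get0_n(rsa), RSA_get0_n(certRsa)) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(certRsa)) == 0) {`. The `if (evp)` on the following line is redundant with the outer condition, as it already was before this change. The enclosing `validate` starts and ends outside the hunk.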
@@ -279,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) {
+                    if (dsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(EVP_PKEY_get0_DSA(evp))) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer DSA key information");
diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp
index e5d79a7..28dd378 100644
--- a/xmltooling/security/impl/OpenSSLSupport.cpp
+++ b/xmltooling/security/impl/OpenSSLSupport.cpp
@@ -90,3 +90,36 @@ BIGNUM *DSA_get0_privkey(const DSA *dsa)
     return result;
 #endif
 }
+
+BIGNUM *RSA_get0_n(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->n;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, &result, NULL, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *RSA_get0_e(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->e;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, NULL, &result, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *RSA_get0_d(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->d;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, NULL, NULL, &result);
+    return result;
+#endif
+}
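Review bot: The OpenSSL 1.1 branch of `RSA_get0_n`, `RSA_get0_e` and `RSA_get0_d` will not compile as C++ as written: `RSA_get0_key` takes `const BIGNUM **` out-parameters, and `&result` with `BIGNUM *result` is a `BIGNUM **`, which C++ does not implicitly convert to `const BIGNUM **`; the out-parameter is also left uninitialized before the call. Declare `const BIGNUM *result = NULL;` in each helper and return `const BIGNUM *`, e.g. `const BIGNUM *RSA_get0_n(const RSA *rsa)`, with the three declarations in the OpenSSLSupport.h hunk changed to match; every caller in this commit hands the result straight to `BN_cmp`, which already takes `const BIGNUM *`, so nothing else needs to change. The existing DSA helpers, one of which is cut off at the top of this hunk, appear to follow the same pattern and would presumably need the same treatment unless they already work around it in code not visible here.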
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index 74bd710..7519091 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -29,8 +29,15 @@
 // X509_STORE_CTX becomes opaque
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#   define X509_STORE_CTX_get0_cert(ctx) (ctx->cert)
-#   define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted)
+#   define X509_STORE_CTX_get0_cert(_ctx_) ((_ctx_)->cert)
+#   define X509_STORE_CTX_get0_untrusted(_ctx_) ((_ctx_)->untrusted)
+
+#   define EVP_PKEY_get0_DSA(_pkey_) ((_pkey_)->pkey.dsa)
+#   define EVP_PKEY_get0_RSA(_pkey_) ((_pkey_)->pkey.rsa)
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
+#   define EVP_PKEY_id(_evp_) ((_evp_)->type)
 #endif
 
 namespace xmltooling {
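Review bot: The pre-1.1 `EVP_PKEY_get0_DSA` and `EVP_PKEY_get0_RSA` macros read the union member unconditionally, whereas the OpenSSL 1.1 functions they stand in for return NULL for a key of another type, so a caller written against the 1.1 contract (testing the return for NULL instead of the key id) would read the wrong union member on older OpenSSL. The one caller in this commit does test `EVP_PKEY_id` first, so this is a documentation point; a comment beside the macros should pin the contract down: `// Unlike the OpenSSL 1.1 functions these do not check the key type; call only after EVP_PKEY_id() has been verified.`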
@@ -57,4 +64,8 @@ namespace xmltooling {
     BIGNUM *DSA_get0_pubkey(const DSA *dsa);
     BIGNUM *DSA_get0_privkey(const DSA *dsa);
 
+    BIGNUM *RSA_get0_n(const RSA *rsa);
+    BIGNUM *RSA_get0_d(const RSA *rsa);
+    BIGNUM *RSA_get0_e(const RSA *rsa);
+
 }
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index bb2f016..e53ed8d 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -206,7 +206,7 @@ XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char*
     // Now map it to an XSEC wrapper.
     if (pkey) {
         XSECCryptoKey* ret=nullptr;
-        switch (pkey->type) {
+        switch (EVP_PKEY_id(pkey)) {
             case EVP_PKEY_RSA:
                 ret=new OpenSSLCryptoKeyRSA(pkey);
                 break;
@@ -487,7 +487,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
         const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
+        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_e(rsa1),RSA_get0_e(rsa2)) == 0);
     }
 
     // For a private key, compare the private half.
@@ -496,7 +496,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
         const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
+        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);
     }
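Review bot: `BN_cmp` returns 0 when both operands are NULL, so if `RSA_get0_d` yields NULL for both keys (private half absent on both) the new return at L156 reports a match; this was already true of `rsa1->d` before the commit, but it is worth guarding now that the component is reached through an accessor whose NULL result is an ordinary outcome on opaque 1.1 keys. The private-key check that precedes this line is outside the hunk, so whether it rules that case out cannot be confirmed here. A cheap guard is `return (rsa1 && rsa2 && RSA_get0_d(rsa1) && RSA_get0_d(rsa2) && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);`. The enclosing `matches` starts and ends outside the hunk.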
 
     // If one key is public or both, just compare the public key half.
@@ -790,7 +790,7 @@ XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long bu
         // Now map it to an XSEC wrapper.
         XSECCryptoKey* ret = nullptr;
         try {
-            switch (pkey->type) {
+            switch (EVP_PKEY_id(pkey)) {
                 case EVP_PKEY_RSA:
                     ret = new OpenSSLCryptoKeyRSA(pkey);
                     break;
