[xmltooling] 03/07: CPPXT-110 OpenSSL 1.1 makes DSA opaque

Ferenc Wágner wferi at moszumanska.debian.org
Fri Sep 2 19:55:52 UTC 2016


This is an automated email from the git hooks/post-receive script.

wferi pushed a commit to branch master
in repository xmltooling.

commit c866e22f5c205e8e168145147fc066cac8c50fc3
Author: Rod Widdowson <rdw at steadingsoftware.com>
Date:   Fri Jul 15 15:34:22 2016 +0100

    CPPXT-110 OpenSSL 1.1 makes DSA opaque
    
    https://issues.shibboleth.net/jira/browse/CPPXT-110
    
    Add new functions to get the public and private key.
    Call the new DSA_get0_key function in 1.1 and reach into
    the structure otherwise.
---
 .../security/impl/ExplicitKeyTrustEngine.cpp       |  4 +++-
 xmltooling/security/impl/OpenSSLSupport.cpp        | 27 +++++++++++++++++++++-
 xmltooling/security/impl/OpenSSLSupport.h          |  7 ++++++
 xmltooling/security/impl/SecurityHelper.cpp        |  5 ++--
 4 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 5f70a70..785d912 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -34,12 +34,14 @@
 #include "signature/Signature.h"
 #include "signature/SignatureValidator.h"
 #include "util/NDC.h"
+#include "security/impl/OpenSSLSupport.h"
 
 #include <xercesc/util/XMLUniDefs.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyDSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoKeyRSA.hpp>
 #include <xsec/enc/OpenSSL/OpenSSLCryptoX509.hpp>
 
+
 using namespace xmlsignature;
 using namespace xmltooling::logging;
 using namespace xmltooling;
@@ -277,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(dsa->pub_key,evp->pkey.dsa->pub_key) == 0) {
+                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer DSA key information");
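Review bot: The rewritten condition on this line still reads `evp->type` and `evp->pkey.dsa` directly, and under OpenSSL 1.1 EVP_PKEY is opaque just as DSA is, so this branch will not build against 1.1 even though the DSA half now goes through the new accessor. The portable form is `if (dsa && evp && EVP_PKEY_base_id(evp) == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa), DSA_get0_pubkey(EVP_PKEY_get0_DSA(evp))) == 0) {`; EVP_PKEY_base_id() exists in 1.0.x as well, whereas EVP_PKEY_get0_DSA() is 1.1-only, so the latter wants the same version-guarded wrapper treatment in OpenSSLSupport that DSA_get0_pubkey received. The `if (evp)` on the following line is redundant once evp has been tested, though that is pre-existing context. ExplicitKeyTrustEngine::validate starts and ends outside this hunk.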
diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp
index 581cc9f..d2e2a92 100644
--- a/xmltooling/security/impl/OpenSSLSupport.cpp
+++ b/xmltooling/security/impl/OpenSSLSupport.cpp
@@ -29,6 +29,8 @@
 #include <openssl/x509_vfy.h> 
 #include <security\impl\OpenSSLSupport.h>
 
+using namespace xmltooling;
+
 X509StoreCtxRAII::X509StoreCtxRAII() : m_context(X509_STORE_CTX_new()) {
 }
 
@@ -56,7 +58,8 @@ STACK_OF(X509) *X509StoreCtxRAII::get0Chain() {
 }
 
 // the API to set the trusted stack changed in OpenSSL1.1
-void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) {
+void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk)
+{
     if (m_context) {
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
         X509_STORE_CTX_trusted_stack(m_context, sk);
@@ -65,3 +68,25 @@ void X509StoreCtxRAII::set0TrustedStack(STACK_OF(X509) *sk) {
 #endif
     }
 }
+
+BIGNUM *DSA_get0_pubkey(const DSA *dsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return dsa->pub_key;
+#else
+    BIGNUM *result;
+    DSA_get0_key(dsa, &result, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *DSA_get0_privkey(const DSA *dsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return dsa->priv_key;
+#else
+    BIGNUM *result;
+    DSA_get0_key(dsa, NULL, &result);
+    return result;
+#endif
+}
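Review bot: The OpenSSL 1.1 branch of DSA_get0_pubkey and DSA_get0_privkey passes `&result` (a `BIGNUM **`) to DSA_get0_key, whose out-parameters are `const BIGNUM **`; C++ does not permit that qualification conversion, so the `#else` branch fails to compile on exactly the OpenSSL version the commit targets. Declare `result` as `const BIGNUM *` and return `const BIGNUM *` — every caller in this commit only hands the value to BN_cmp, which takes const — and change the two prototypes in the OpenSSLSupport.h hunk to match. Separately, the header declares these functions inside `namespace xmltooling`, but the definitions here sit at global scope after `using namespace xmltooling;`, which declares new `::DSA_get0_pubkey`/`::DSA_get0_privkey` functions rather than defining the namespace members; qualify the definitions as `xmltooling::DSA_get0_pubkey` or wrap them in the namespace, unless a later commit in this series already does. Initialising `result` to NULL also keeps the return value defined should DSA_get0_key ever leave it untouched.
```cpp
// … unchanged: X509StoreCtxRAII member definitions …

const BIGNUM *xmltooling::DSA_get0_pubkey(const DSA *dsa)
{
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
    return dsa->pub_key;
#else
    const BIGNUM *result = NULL;
    DSA_get0_key(dsa, &result, NULL);
    return result;
#endif
}

const BIGNUM *xmltooling::DSA_get0_privkey(const DSA *dsa)
{
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
    return dsa->priv_key;
#else
    const BIGNUM *result = NULL;
    DSA_get0_key(dsa, NULL, &result);
    return result;
#endif
}
```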
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index ffaa390..74bd710 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -33,6 +33,7 @@
 #   define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted)
 #endif
 
+namespace xmltooling {
     // RAII for the now opaque X509_STORE_CTX
     class X509StoreCtxRAII
     {
@@ -51,3 +52,9 @@
     private:
         X509_STORE_CTX *m_context;
     };
+
+
+    BIGNUM *DSA_get0_pubkey(const DSA *dsa);
+    BIGNUM *DSA_get0_privkey(const DSA *dsa);
+
+}
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index 0c15f05..bb2f016 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -30,6 +30,7 @@
 #include "security/OpenSSLCryptoX509CRL.h"
 #include "security/SecurityHelper.h"
 #include "security/X509Credential.h"
+#include "security/impl/OpenSSLSupport.h"
 #include "soap/HTTPSOAPTransport.h"
 #include "util/NDC.h"
 
@@ -504,7 +505,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
         const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
-        return (dsa1 && dsa2 && BN_cmp(dsa1->pub_key,dsa2->pub_key) == 0);
+        return (dsa1 && dsa2 && BN_cmp(DSA_get0_pubkey(dsa1),DSA_get0_pubkey(dsa2)) == 0);
     }
 
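Review bot: On the rewritten return line, a NULL from DSA_get0_pubkey on either side goes straight into BN_cmp, and BN_cmp treats two NULL operands as equal, so two DSA keys that both lack a public component would be reported as matching; the previous `dsa1->pub_key` form had the same gap, but the accessor makes it cheap to close here. Fetch both halves first and require both to be present: `const BIGNUM* p1 = DSA_get0_pubkey(dsa1); const BIGNUM* p2 = DSA_get0_pubkey(dsa2); return (p1 && p2 && BN_cmp(p1, p2) == 0);`. The private-key comparison in the next hunk (DSA_get0_privkey) has the same shape and wants the same guard. SecurityHelper::matches begins and ends outside this hunk.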
     // For a private key, compare the private half.
@@ -513,7 +514,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const DSA* dsa1 = static_cast<const OpenSSLCryptoKeyDSA&>(key1).getOpenSSLDSA();
         const DSA* dsa2 = static_cast<const OpenSSLCryptoKeyDSA&>(key2).getOpenSSLDSA();
-        return (dsa1 && dsa2 && BN_cmp(dsa1->priv_key,dsa2->priv_key) == 0);
+        return (dsa1 && dsa2 && BN_cmp(DSA_get0_privkey(dsa1),DSA_get0_privkey(dsa2)) == 0);
     }
 
 #if defined(XMLTOOLING_XMLSEC_ECC) && defined(XMLTOOLING_OPENSSL_HAVE_EC)
