
From 2c621579b639fa15f24589b2fbd5eeff72bd052f Mon Sep 17 00:00:00 2001
From: Rod Widdowson <rdw@steadingsoftware.com>
Date: Fri, 15 Jul 2016 17:18:25 +0100
Subject: [PATCH 04/31] CPPXT-110 OpenSSL 1.1 makes EVP_PKEY opaque

https://issues.shibboleth.net/jira/browse/CPPXT-110

The type field is available as EVP_PKEY_id() since 1.0
The RSA and DSA fields are available as EVP_PKEY_get0_[RD]SA from 1.1

Add support macros to make that happen.
---
 .../security/impl/ExplicitKeyTrustEngine.cpp       |  6 ++--
 xmltooling/security/impl/OpenSSLSupport.cpp        | 33 ++++++++++++++++++++++
 xmltooling/security/impl/OpenSSLSupport.h          | 15 ++++++++--
 xmltooling/security/impl/SecurityHelper.cpp        |  8 +++---
 4 files changed, 53 insertions(+), 9 deletions(-)

diff --git a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
index 785d912..a4a5dd2 100644
--- a/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
+++ b/xmltooling/security/impl/ExplicitKeyTrustEngine.cpp
@@ -263,8 +263,8 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     RSA* rsa = static_cast<OpenSSLCryptoKeyRSA*>(key)->getOpenSSLRSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (rsa && evp && evp->type == EVP_PKEY_RSA &&
-                            BN_cmp(rsa->n,evp->pkey.rsa->n) == 0 && BN_cmp(rsa->e,evp->pkey.rsa->e) == 0) {
+                    if (rsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA &&
+                            BN_cmp(RSA_get0_n(rsa),RSA_get0_n(EVP_PKEY_get0_RSA(evp))) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(EVP_PKEY_get0_RSA(evp))) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer RSA key information");
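Review bot: The condition on the second added line calls `EVP_PKEY_get0_RSA(evp)` twice and packs both `BN_cmp` comparisons onto one long line, which makes the key-match check harder to read and audit than it needs to be. Naming the certificate's RSA key once keeps the same evaluation order: `const RSA* certRsa = (evp && EVP_PKEY_id(evp) == EVP_PKEY_RSA) ? EVP_PKEY_get0_RSA(evp) : nullptr;` followed by `if (rsa && certRsa && BN_cmp(RSA_get0_n(rsa), RSA_get0_n(certRsa)) == 0 && BN_cmp(RSA_get0_e(rsa), RSA_get0_e(certRsa)) == 0) {`. The null checks must stay ahead of the `RSA_get0_*` calls, as they do here, because the pre-1.1 wrappers dereference their argument unconditionally. The same shape applies to the DSA branch in the next hunk; `validate` starts and ends outside this hunk.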
@@ -279,7 +279,7 @@ bool ExplicitKeyTrustEngine::validate(
                 {
                     DSA* dsa = static_cast<OpenSSLCryptoKeyDSA*>(key)->getOpenSSLDSA();
                     EVP_PKEY* evp = X509_PUBKEY_get(X509_get_X509_PUBKEY(certEE));
-                    if (dsa && evp && evp->type == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(evp->pkey.dsa)) == 0) {
+                    if (dsa && evp && EVP_PKEY_id(evp) == EVP_PKEY_DSA && BN_cmp(DSA_get0_pubkey(dsa),DSA_get0_pubkey(EVP_PKEY_get0_DSA(evp))) == 0) {
                         if (evp)
                             EVP_PKEY_free(evp);
                         log.debug("end-entity certificate matches peer DSA key information");
diff --git a/xmltooling/security/impl/OpenSSLSupport.cpp b/xmltooling/security/impl/OpenSSLSupport.cpp
index d2e2a92..a936173 100644
--- a/xmltooling/security/impl/OpenSSLSupport.cpp
+++ b/xmltooling/security/impl/OpenSSLSupport.cpp
@@ -90,3 +90,36 @@ BIGNUM *DSA_get0_privkey(const DSA *dsa)
     return result;
 #endif
 }
+
+BIGNUM *RSA_get0_n(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->n;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, &result, NULL, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *RSA_get0_e(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->e;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, NULL, &result, NULL);
+    return result;
+#endif
+}
+
+BIGNUM *RSA_get0_d(const RSA *rsa)
+{
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+    return rsa->d;
+#else
+    BIGNUM *result;
+    RSA_get0_key(rsa, NULL, NULL, &result);
+    return result;
+#endif
+}
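Review bot: The three new wrappers pass `&result` of type `BIGNUM **` to `RSA_get0_key`, whose OpenSSL 1.1 signature takes `const BIGNUM **` out-parameters, and C++ does not implicitly convert between those pointer types, so the `#else` branches look unlikely to compile against 1.1 as written. Declaring `const BIGNUM *result;` and returning `const BIGNUM *` from `RSA_get0_n`, `RSA_get0_e` and `RSA_get0_d` (mirrored in the declarations added in the OpenSSLSupport.h hunk) resolves it, and every call site in this patch only feeds the result to `BN_cmp`, which takes `const BIGNUM *`. The existing `DSA_get0_*` wrappers above appear to follow the same pattern and would need the same treatment if so. A short header comment such as `// Accessors for RSA components; on 1.1+ the struct is opaque and RSA_get0_key() is the only way in.` would also help readers of this file.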
diff --git a/xmltooling/security/impl/OpenSSLSupport.h b/xmltooling/security/impl/OpenSSLSupport.h
index 74bd710..7519091 100644
--- a/xmltooling/security/impl/OpenSSLSupport.h
+++ b/xmltooling/security/impl/OpenSSLSupport.h
@@ -29,8 +29,15 @@
 // X509_STORE_CTX becomes opaque
 
 #if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-#   define X509_STORE_CTX_get0_cert(ctx) (ctx->cert)
-#   define X509_STORE_CTX_get0_untrusted(ctx) (ctx->untrusted)
+#   define X509_STORE_CTX_get0_cert(_ctx_) ((_ctx_)->cert)
+#   define X509_STORE_CTX_get0_untrusted(_ctx_) ((_ctx_)->untrusted)
+
+#   define EVP_PKEY_get0_DSA(_pkey_) ((_pkey_)->pkey.dsa)
+#   define EVP_PKEY_get0_RSA(_pkey_) ((_pkey_)->pkey.rsa)
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x10000000L)
+#   define EVP_PKEY_id(_evp_) ((_evp_)->type)
 #endif
 
 namespace xmltooling {
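Review bot: The comment `// X509_STORE_CTX becomes opaque` heading this block now also covers the new `EVP_PKEY_get0_DSA`/`EVP_PKEY_get0_RSA` fallbacks and the separate `EVP_PKEY_id` fallback, so it no longer describes what follows; consider widening it to `// X509_STORE_CTX and EVP_PKEY become opaque in 1.1; EVP_PKEY_id() exists from 1.0`. The two `EVP_PKEY_get0_*` macros also deserve a note that the pre-1.1 fallback reads the union member unconditionally, whereas the real 1.1 functions return NULL on a key-type mismatch, so callers must check `EVP_PKEY_id()` first, as the call sites in this patch do. The enclosing header continues outside the hunk.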
@@ -57,4 +64,8 @@ namespace xmltooling {
     BIGNUM *DSA_get0_pubkey(const DSA *dsa);
     BIGNUM *DSA_get0_privkey(const DSA *dsa);
 
+    BIGNUM *RSA_get0_n(const RSA *rsa);
+    BIGNUM *RSA_get0_d(const RSA *rsa);
+    BIGNUM *RSA_get0_e(const RSA *rsa);
+
 }
diff --git a/xmltooling/security/impl/SecurityHelper.cpp b/xmltooling/security/impl/SecurityHelper.cpp
index bb2f016..e53ed8d 100644
--- a/xmltooling/security/impl/SecurityHelper.cpp
+++ b/xmltooling/security/impl/SecurityHelper.cpp
@@ -206,7 +206,7 @@ XSECCryptoKey* SecurityHelper::loadKeyFromFile(const char* pathname, const char*
     // Now map it to an XSEC wrapper.
     if (pkey) {
         XSECCryptoKey* ret=nullptr;
-        switch (pkey->type) {
+        switch (EVP_PKEY_id(pkey)) {
             case EVP_PKEY_RSA:
                 ret=new OpenSSLCryptoKeyRSA(pkey);
                 break;
@@ -487,7 +487,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
         const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->e,rsa2->e) == 0);
+        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_e(rsa1),RSA_get0_e(rsa2)) == 0);
     }
 
     // For a private key, compare the private half.
@@ -496,7 +496,7 @@ bool SecurityHelper::matches(const XSECCryptoKey& key1, const XSECCryptoKey& key
             return false;
         const RSA* rsa1 = static_cast<const OpenSSLCryptoKeyRSA&>(key1).getOpenSSLRSA();
         const RSA* rsa2 = static_cast<const OpenSSLCryptoKeyRSA&>(key2).getOpenSSLRSA();
-        return (rsa1 && rsa2 && BN_cmp(rsa1->n,rsa2->n) == 0 && BN_cmp(rsa1->d,rsa2->d) == 0);
+        return (rsa1 && rsa2 && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);
     }
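Review bot: The private-half comparison on the added line relies on `BN_cmp`, which reports two NULL operands as equal, so if `RSA_get0_d()` yields NULL for both keys (an RSA object carrying only public components) the function would report a private-key match; the old `rsa1->d` access had the same property, and the guard just above the hunk presumably already excludes public keys, so this is defensive hardening rather than a regression. Making it explicit costs one line: `return (rsa1 && rsa2 && RSA_get0_d(rsa1) && RSA_get0_d(rsa2) && BN_cmp(RSA_get0_n(rsa1),RSA_get0_n(rsa2)) == 0 && BN_cmp(RSA_get0_d(rsa1),RSA_get0_d(rsa2)) == 0);`, keeping the `rsa1 && rsa2` checks ahead of the wrapper calls because the pre-1.1 wrappers dereference their argument. `matches` starts and ends outside this hunk.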
 
     // If one key is public or both, just compare the public key half.
@@ -790,7 +790,7 @@ XSECCryptoKey* SecurityHelper::fromDEREncoding(const char* buf, unsigned long bu
         // Now map it to an XSEC wrapper.
         XSECCryptoKey* ret = nullptr;
         try {
-            switch (pkey->type) {
+            switch (EVP_PKEY_id(pkey)) {
                 case EVP_PKEY_RSA:
                     ret = new OpenSSLCryptoKeyRSA(pkey);
                     break;
-- 
2.13.6
