File knot-openssl-1.1+.patch of Package knot
Index: knot-1.6.8/src/libknot/tsig-op.c
===================================================================
--- knot-1.6.8.orig/src/libknot/tsig-op.c
+++ knot-1.6.8/src/libknot/tsig-op.c
@@ -111,43 +111,81 @@ static int knot_tsig_compute_digest(cons
dbg_tsig_detail("Wire for signing is %zu bytes long.\n", wire_len);
/* Compute digest. */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX *ctx;
+ ctx = HMAC_CTX_new();
+#else
HMAC_CTX ctx;
+#endif
switch (tsig_alg) {
case KNOT_TSIG_ALG_HMAC_MD5:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_md5(), NULL);
+#else
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_md5());
+#endif
break;
case KNOT_TSIG_ALG_HMAC_SHA1:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha1(), NULL);
+#else
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha1());
+#endif
break;
case KNOT_TSIG_ALG_HMAC_SHA224:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha224(), NULL);
+#else
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha224());
+#endif
break;
case KNOT_TSIG_ALG_HMAC_SHA256:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha256(), NULL);
+#else
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha256());
+#endif
break;
case KNOT_TSIG_ALG_HMAC_SHA384:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha384(), NULL);
+#else
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha384());
+#endif
break;
case KNOT_TSIG_ALG_HMAC_SHA512:
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Init_ex(ctx, key->secret.data, key->secret.size, EVP_sha512(), NULL);
+#else
HMAC_Init(&ctx, key->secret.data,
key->secret.size, EVP_sha512());
+#endif
break;
default:
return KNOT_ENOTSUP;
} /* switch */
unsigned tmp_dig_len = *digest_len;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_Update(ctx, (const unsigned char *)wire, wire_len);
+ HMAC_Final(ctx, digest, &tmp_dig_len);
+#else
HMAC_Update(&ctx, (const unsigned char *)wire, wire_len);
HMAC_Final(&ctx, digest, &tmp_dig_len);
+#endif
*digest_len = tmp_dig_len;
- HMAC_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ HMAC_CTX_free(ctx);
+#else
+ HMAC_CTX_cleanup(&ctx);
+#endif
return KNOT_EOK;
}
Index: knot-1.6.8/src/libknot/dnssec/sign.c
===================================================================
--- knot-1.6.8.orig/src/libknot/dnssec/sign.c
+++ knot-1.6.8/src/libknot/dnssec/sign.c
@@ -307,6 +307,19 @@ static int rsa_create_pkey(const knot_ke
return KNOT_ENOMEM;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *rsa_n = binary_to_bn(¶ms->modulus);
+ BIGNUM *rsa_e = binary_to_bn(¶ms->public_exponent);
+ BIGNUM *rsa_d = binary_to_bn(¶ms->private_exponent);
+ BIGNUM *rsa_p = binary_to_bn(¶ms->prime_one);
+ BIGNUM *rsa_q = binary_to_bn(¶ms->prime_two);
+ BIGNUM *rsa_dmp1 = binary_to_bn(¶ms->exponent_one);
+ BIGNUM *rsa_dmq1 = binary_to_bn(¶ms->exponent_two);
+ BIGNUM *rsa_iqmp = binary_to_bn(¶ms->coefficient);
+ RSA_set0_key(rsa, rsa_n, rsa_e, rsa_d);
+ RSA_set0_factors(rsa, rsa_p, rsa_q);
+ RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp);
+#else
rsa->n = binary_to_bn(¶ms->modulus);
rsa->e = binary_to_bn(¶ms->public_exponent);
rsa->d = binary_to_bn(¶ms->private_exponent);
@@ -315,6 +328,7 @@ static int rsa_create_pkey(const knot_ke
rsa->dmp1 = binary_to_bn(¶ms->exponent_one);
rsa->dmq1 = binary_to_bn(¶ms->exponent_two);
rsa->iqmp = binary_to_bn(¶ms->coefficient);
+#endif
if (RSA_check_key(rsa) != 1) {
RSA_free(rsa);
@@ -345,11 +359,21 @@ static int dsa_create_pkey(const knot_ke
return KNOT_ENOMEM;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM *dsa_p = binary_to_bn(¶ms->prime);
+ BIGNUM *dsa_q = binary_to_bn(¶ms->subprime);
+ BIGNUM *dsa_g = binary_to_bn(¶ms->base);
+ BIGNUM *dsa_priv_key = binary_to_bn(¶ms->private_value);
+ BIGNUM *dsa_pub_key = binary_to_bn(¶ms->public_value);
+ DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g);
+ DSA_set0_key(dsa, dsa_pub_key, dsa_priv_key);
+#else
dsa->p = binary_to_bn(¶ms->prime);
dsa->q = binary_to_bn(¶ms->subprime);
dsa->g = binary_to_bn(¶ms->base);
dsa->priv_key = binary_to_bn(¶ms->private_value);
dsa->pub_key = binary_to_bn(¶ms->public_value);
+#endif
if (!EVP_PKEY_assign_DSA(key, dsa)) {
DSA_free(dsa);
@@ -402,6 +426,12 @@ static int dsa_sign_write(const knot_dns
return KNOT_ENOMEM;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const BIGNUM **decoded_r;
+ const BIGNUM **decoded_s;
+ DSA_SIG_get0(decoded, decoded_r, decoded_s);
+#endif
+
const uint8_t *decode_scan = raw_signature;
if (!d2i_DSA_SIG(&decoded, &decode_scan, (long)raw_size)) {
DSA_SIG_free(decoded);
@@ -415,13 +445,23 @@ static int dsa_sign_write(const knot_dns
// T (1 byte), R (20 bytes), S (20 bytes)
uint8_t *signature_t = signature;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ uint8_t *signature_r = signature + 21 - BN_num_bytes(*decoded_r);
+ uint8_t *signature_s = signature + 41 - BN_num_bytes(*decoded_s);
+#else
uint8_t *signature_r = signature + 21 - BN_num_bytes(decoded->r);
uint8_t *signature_s = signature + 41 - BN_num_bytes(decoded->s);
+#endif
memset(signature, '\0', output_size);
*signature_t = 0x00; //! \todo Take from public key. Only recommended.
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BN_bn2bin(*decoded_r, signature_r);
+ BN_bn2bin(*decoded_s, signature_s);
+#else
BN_bn2bin(decoded->r, signature_r);
BN_bn2bin(decoded->s, signature_s);
+#endif
DSA_SIG_free(decoded);
@@ -453,8 +493,15 @@ static int dsa_sign_verify(const knot_dn
return KNOT_ENOMEM;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM **decoded_r;
+ BIGNUM **decoded_s;
+ DSA_SIG_get0(decoded, (const BIGNUM **)decoded_r, (const BIGNUM **)decoded_s);
+ DSA_SIG_set0(decoded, BN_bin2bn(signature_r, 20, *decoded_r), BN_bin2bn(signature_s, 20, *decoded_s));
+#else
decoded->r = BN_bin2bn(signature_r, 20, decoded->r);
decoded->s = BN_bin2bn(signature_s, 20, decoded->s);
+#endif
size_t max_size = EVP_PKEY_size(context->key->data->private_key);
uint8_t *raw_signature = malloc(max_size);
@@ -631,6 +678,12 @@ static int ecdsa_sign_write(const knot_d
return KNOT_ENOMEM;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ const BIGNUM **decoded_r;
+ const BIGNUM **decoded_s;
+ ECDSA_SIG_get0(decoded, decoded_r, decoded_s);
+#endif
+
const uint8_t *decode_scan = raw_signature;
if (!d2i_ECDSA_SIG(&decoded, &decode_scan, (long)raw_size)) {
ECDSA_SIG_free(decoded);
@@ -640,6 +693,7 @@ static int ecdsa_sign_write(const knot_d
free(raw_signature);
+
// convert to format defined by RFC 6605 (EC DSA for DNSSEC)
// R and S parameters are encoded in halves of the output signature
@@ -648,12 +702,18 @@ static int ecdsa_sign_write(const knot_d
size_t param_size = output_size / 2;
memset(signature, '\0', output_size);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ signature_r = signature + param_size - BN_num_bytes(*decoded_r);
+ signature_s = signature + param_size - BN_num_bytes(*decoded_s);
+ BN_bn2bin(*decoded_r, signature_r);
+ BN_bn2bin(*decoded_s, signature_s);
+#else
signature_r = signature + param_size - BN_num_bytes(decoded->r);
signature_s = signature + 2 * param_size - BN_num_bytes(decoded->s);
BN_bn2bin(decoded->r, signature_r);
BN_bn2bin(decoded->s, signature_s);
-
+#endif
ECDSA_SIG_free(decoded);
return KNOT_EOK;
@@ -684,8 +744,15 @@ static int ecdsa_sign_verify(const knot_
return KNOT_ENOMEM;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ BIGNUM **decoded_r;
+ BIGNUM **decoded_s;
+ ECDSA_SIG_get0(decoded, (const BIGNUM **)decoded_r, (const BIGNUM **)decoded_s);
+ ECDSA_SIG_set0(decoded, BN_bin2bn(signature_r, parameter_size, *decoded_r), BN_bin2bn(signature_s, parameter_size, *decoded_s));
+#else
decoded->r = BN_bin2bn(signature_r, parameter_size, decoded->r);
decoded->s = BN_bin2bn(signature_s, parameter_size, decoded->s);
+#endif
size_t max_size = EVP_PKEY_size(context->key->data->private_key);
uint8_t *raw_signature = malloc(max_size);
Index: knot-1.6.8/src/libknot/dnssec/crypto.c
===================================================================
--- knot-1.6.8.orig/src/libknot/dnssec/crypto.c
+++ knot-1.6.8/src/libknot/dnssec/crypto.c
@@ -123,10 +123,14 @@ static unsigned long openssl_threadid_cb
/*- pluggable engines -------------------------------------------------------*/
#if KNOT_ENABLE_GOST && !defined(LIBRESSL_VERSION_NUMBER)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#define KNOT_LOAD_GOST 1
#else
#undef KNOT_LOAD_GOST
#endif
+#else
+ #undef KNOT_LOAD_GOST
+#endif
#if KNOT_LOAD_GOST
Index: knot-1.6.8/src/libknot/rrtype/nsec3.c
===================================================================
--- knot-1.6.8.orig/src/libknot/rrtype/nsec3.c
+++ knot-1.6.8/src/libknot/rrtype/nsec3.c
@@ -47,20 +47,33 @@ static int nsec3_sha1(const uint8_t *sal
return KNOT_EINVAL;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *mdctx;
+ mdctx = EVP_MD_CTX_new();
+#else
EVP_MD_CTX mdctx;
EVP_MD_CTX_init(&mdctx);
+#endif
unsigned int result_size = 0;
uint8_t *result = (uint8_t *)malloc(EVP_MD_size(EVP_sha1()));
if (result == NULL) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX_free(mdctx);
+#else
EVP_MD_CTX_cleanup(&mdctx);
+#endif
return KNOT_ENOMEM;
}
uint8_t *data_low = knot_strtolower(data, data_size);
if (data_low == NULL) {
free(result);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX_free(mdctx);
+#else
EVP_MD_CTX_cleanup(&mdctx);
+#endif
return KNOT_ENOMEM;
}
@@ -68,15 +81,27 @@ static int nsec3_sha1(const uint8_t *sal
unsigned int in_size = data_size;
for (int i = 0; i <= iterations; i++) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_DigestInit_ex(mdctx, EVP_sha1(), NULL);
+#else
EVP_DigestInit_ex(&mdctx, EVP_sha1(), NULL);
-
+#endif
int success_ops =
- EVP_DigestUpdate(&mdctx, in, in_size) +
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_DigestUpdate(mdctx, in, in_size) +
+ EVP_DigestUpdate(mdctx, salt, salt_length) +
+ EVP_DigestFinal_ex(mdctx, result, &result_size);
+#else
+ EVP_DigestUpdate(&mdctx, in, in_size) +
EVP_DigestUpdate(&mdctx, salt, salt_length) +
EVP_DigestFinal_ex(&mdctx, result, &result_size);
-
+#endif
if (success_ops != 3) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX_free(mdctx);
+#else
EVP_MD_CTX_cleanup(&mdctx);
+#endif
free(result);
free(data_low);
return KNOT_NSEC3_ECOMPUTE_HASH;
@@ -85,8 +110,11 @@ static int nsec3_sha1(const uint8_t *sal
in = result;
in_size = result_size;
}
-
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX_free(mdctx);
+#else
EVP_MD_CTX_cleanup(&mdctx);
+#endif
free(data_low);
*digest = result;
