author | Slávek Banko <[email protected]> | 2017-01-01 19:35:39 +0100 |
---|---|---|
committer | Slávek Banko <[email protected]> | 2017-01-01 19:41:30 +0100 |
commit | b8802de2c09b31fce7717a500cd5ffe8bada1b27 (patch) | |
tree | 09883851645f923083be5b862eacde360446f727 /tdeio/kssl/ksslcertificate.cc | |
parent | 855198315f7a52466fa51368fbd703815cbab429 (diff) | |
download | tdelibs-b8802de2c09b31fce7717a500cd5ffe8bada1b27.tar.gz tdelibs-b8802de2c09b31fce7717a500cd5ffe8bada1b27.zip |
Added support for OpenSSL 1.1
Some KOpenSSLProxy methods have been renamed to be consistent
with OpenSSL 1.1 API names and to prevent hidden API changes.
To ensure API / ABI compatibility, the original methods are
still included but have been marked as deprecated.
+ SSLv23_client_method => TLS_client_method
+ X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted
+ sk_dup => OPENSSL_sk_dup
+ sk_free => OPENSSL_sk_free
+ sk_new => OPENSSL_sk_new
+ sk_num => OPENSSL_sk_num
+ sk_pop => OPENSSL_sk_pop
+ sk_push => OPENSSL_sk_push
+ sk_value => OPENSSL_sk_value
Additional methods have been added to KOpenSSLProxy to support
the new OpenSSL 1.1 API functions that provide access to the
(now) opaque SSL structures. Compatibility with OpenSSL < 1.1
is handled internally in KOpenSSLProxy.
+ BIO_get_data
+ DSA_get0_key
+ DSA_get0_pqg
+ EVP_PKEY_base_id
+ EVP_PKEY_get0_DSA
+ EVP_PKEY_get0_RSA
+ RSA_get0_key
+ X509_CRL_get0_lastUpdate
+ X509_CRL_get0_nextUpdate
+ X509_OBJECT_get0_X509
+ X509_OBJECT_get_type
+ X509_STORE_CTX_get_current_cert
+ X509_STORE_CTX_get_error
+ X509_STORE_CTX_get_error_depth
+ X509_STORE_CTX_set_error
+ X509_STORE_get0_objects
+ X509_STORE_set_verify_cb
+ X509_get0_signature
+ X509_getm_notAfter
+ X509_getm_notBefore
+ X509_subject_name_cmp
+ _SSL_session_reused
+ _SSL_set_options
Method "KSSL::setSession" has been renamed to "KSSL::takeSession"
and its functionality has changed: the session is now transferred
from the argument object to the invoked object. Since it is only
used internally in TDE and the functionality is different, the
method with the previous name has not been preserved.
Signed-off-by: Slávek Banko <[email protected]>
Signed-off-by: Michele Calgaro <[email protected]>
(cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453)
Diffstat (limited to 'tdeio/kssl/ksslcertificate.cc')
-rw-r--r-- | tdeio/kssl/ksslcertificate.cc | 104 |
1 files changed, 64 insertions, 40 deletions
diff --git a/tdeio/kssl/ksslcertificate.cc b/tdeio/kssl/ksslcertificate.cc
index 2b7bed2bb..2df78fef7 100644
--- a/tdeio/kssl/ksslcertificate.cc
+++ b/tdeio/kssl/ksslcertificate.cc
@@ -198,7 +198,7 @@ TQString rc = "";
 if (!t) return rc;
 rc = t;
- d->kossl->OPENSSL_free(t);
+ d->kossl->CRYPTO_free(t);
 #endif
 return rc;
 }
@@ -225,14 +225,17 @@ TQString rc = "";
 char *s;
 int n, i;
- i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm);
+ const ASN1_BIT_STRING *signature = 0L;
+ const X509_ALGOR *sig_alg = 0L;
+ d->kossl->X509_get0_signature(&signature, &sig_alg, d->m_cert);
+ i = d->kossl->OBJ_obj2nid(sig_alg->algorithm);
 rc = i18n("Signature Algorithm: ");
 rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i));
 rc += "\n";
 rc += i18n("Signature Contents:");
- n = d->m_cert->signature->length;
- s = (char *)d->m_cert->signature->data;
+ n = signature->length;
+ s = (char *)signature->data;
 for (i = 0; i < n; i++) {
 if (i%20 != 0) rc += ":";
 else rc += "\n";
@@ -254,8 +257,8 @@ void KSSLCertificate::getEmails(TQStringList &to) const {
 STACK *s = d->kossl->X509_get1_email(d->m_cert);
 if (s) {
- for(int n=0; n < s->num; n++) {
- to.append(d->kossl->sk_value(s,n));
+ for(int n=0; n < d->kossl->OPENSSL_sk_num(s); n++) {
+ to.append(d->kossl->OPENSSL_sk_value(s,n));
 }
 d->kossl->X509_email_free(s);
 }
@@ -336,12 +339,12 @@ TQString rc = "";
 EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
 if (pkey) {
 #ifndef NO_RSA
- if (pkey->type == EVP_PKEY_RSA)
+ if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
 rc = "RSA";
 else
 #endif
 #ifndef NO_DSA
- if (pkey->type == EVP_PKEY_DSA)
+ if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA)
 rc = "DSA";
 else
 #endif
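Review bot: In the @@ -225 hunk `sig_alg->algorithm` and `signature->length` are dereferenced immediately after `X509_get0_signature` with no check that the accessor filled the out-parameters; both are initialised to `0L`, so a proxy that cannot resolve the 1.1 accessor (or a certificate with no signature) turns into a null dereference instead of an "Unknown" algorithm line. Add `if (!signature || !sig_alg) return rc;` between the `X509_get0_signature` call and the `OBJ_obj2nid` line. The enclosing function starts and ends outside the hunk.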
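Review bot: In the @@ -254 hunk the loop condition calls `d->kossl->OPENSSL_sk_num(s)` through the proxy on every iteration, which is a style difference from the subjAltNames hunk in this same commit that captures the count once. Hoisting it as `int cnt = d->kossl->OPENSSL_sk_num(s);` and looping `for(int n=0; n < cnt; n++) {` keeps the two call sites consistent and makes the bound visibly fixed for the duration of the loop.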
@@ -364,10 +367,14 @@ char *x = NULL;
 if (pkey) {
 rc = i18n("Unknown", "Unknown key algorithm");
 #ifndef NO_RSA
- if (pkey->type == EVP_PKEY_RSA) {
+ if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
 rc = i18n("Key type: RSA (%1 bit)") + "\n";
- x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n);
+ RSA *pkey_rsa = d->kossl->EVP_PKEY_get0_RSA(pkey);
+ const BIGNUM *bn_n = 0L;
+ const BIGNUM *bn_e = 0L;
+ d->kossl->RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL);
+ x = d->kossl->BN_bn2hex(bn_n);
 rc += i18n("Modulus: ");
 rc = rc.arg(strlen(x)*4);
 for (unsigned int i = 0; i < strlen(x); i++) {
@@ -378,18 +385,26 @@ char *x = NULL;
 rc += x[i];
 }
 rc += "\n";
- d->kossl->OPENSSL_free(x);
+ d->kossl->CRYPTO_free(x);
- x = d->kossl->BN_bn2hex(pkey->pkey.rsa->e);
+ x = d->kossl->BN_bn2hex(bn_e);
 rc += i18n("Exponent: 0x") + x + "\n";
- d->kossl->OPENSSL_free(x);
+ d->kossl->CRYPTO_free(x);
 }
 #endif
 #ifndef NO_DSA
- if (pkey->type == EVP_PKEY_DSA) {
+ if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) {
 rc = i18n("Key type: DSA (%1 bit)") + "\n";
- x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p);
+ DSA *pkey_dsa = d->kossl->EVP_PKEY_get0_DSA(pkey);
+ const BIGNUM *bn_p = 0L;
+ const BIGNUM *bn_q = 0L;
+ const BIGNUM *bn_g = 0L;
+ const BIGNUM *bn_pub_key = 0L;
+ d->kossl->DSA_get0_pqg(pkey_dsa, &bn_p, &bn_q, &bn_g);
+ d->kossl->DSA_get0_key(pkey_dsa, &bn_pub_key, NULL);
+
+ x = d->kossl->BN_bn2hex(bn_p);
 rc += i18n("Prime: ");
 // hack - this may not be always accurate
 rc = rc.arg(strlen(x)*4) ;
@@ -401,9 +416,9 @@ char *x = NULL;
 rc += x[i];
 }
 rc += "\n";
- d->kossl->OPENSSL_free(x);
+ d->kossl->CRYPTO_free(x);
- x = d->kossl->BN_bn2hex(pkey->pkey.dsa->q);
+ x = d->kossl->BN_bn2hex(bn_q);
 rc += i18n("160 bit prime factor: ");
 for (unsigned int i = 0; i < strlen(x); i++) {
 if (i%40 != 0 && i%2 == 0)
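Review bot: In the @@ -364 hunk `bn_n` and `bn_e` are passed to `BN_bn2hex` straight after `RSA_get0_key` with no check that they were set; they start as `0L`, and `EVP_PKEY_get0_RSA` can itself return null, so a failed accessor becomes a null dereference inside the BIGNUM code rather than a missing line of key detail. The same shape repeats for `bn_p`, `bn_q`, `bn_g` and `bn_pub_key` in the @@ -378 hunk and the hunks that continue it. Guard the accessor results before the first `BN_bn2hex` of each branch, e.g. `if (!pkey_rsa || !bn_n || !bn_e) { /* leave rc at the "Unknown key algorithm" text */ }` around the dump, so that an absent component is reported rather than crashing; the pre-existing `strlen(x)` on an unchecked `BN_bn2hex` result would benefit from the same treatment. The enclosing function starts and ends outside these hunks.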
@@ -413,9 +428,9 @@ char *x = NULL;
 rc += x[i];
 }
 rc += "\n";
- d->kossl->OPENSSL_free(x);
+ d->kossl->CRYPTO_free(x);
- x = d->kossl->BN_bn2hex(pkey->pkey.dsa->g);
+ x = d->kossl->BN_bn2hex(bn_g);
 rc += TQString("g: ");
 for (unsigned int i = 0; i < strlen(x); i++) {
 if (i%40 != 0 && i%2 == 0)
@@ -425,9 +440,9 @@ char *x = NULL;
 rc += x[i];
 }
 rc += "\n";
- d->kossl->OPENSSL_free(x);
+ d->kossl->CRYPTO_free(x);
- x = d->kossl->BN_bn2hex(pkey->pkey.dsa->pub_key);
+ x = d->kossl->BN_bn2hex(bn_pub_key);
 rc += i18n("Public key: ");
 for (unsigned int i = 0; i < strlen(x); i++) {
 if (i%40 != 0 && i%2 == 0)
@@ -437,7 +452,7 @@ char *x = NULL;
 rc += x[i];
 }
 rc += "\n";
- d->kossl->OPENSSL_free(x);
+ d->kossl->CRYPTO_free(x);
 }
 #endif
 d->kossl->EVP_PKEY_free(pkey);
@@ -459,7 +474,7 @@ TQString rc = "";
 return rc;
 rc = t;
- d->kossl->OPENSSL_free(t);
+ d->kossl->CRYPTO_free(t);
 #endif
 return rc;
@@ -696,7 +711,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 return errors;
 }
- X509_STORE_set_verify_cb_func(certStore, X509Callback);
+ d->kossl->X509_STORE_set_verify_cb(certStore, X509Callback);
 certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file());
 if (!certLookup) {
@@ -727,7 +742,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL);
 if (d->_chain.isValid()) {
- d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
+ d->kossl->X509_STORE_CTX_set0_untrusted(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
 }
 //kdDebug(7029) << "KSSL setting CRL.............." << endl;
@@ -738,9 +753,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0;
 KSSL_X509CallBack_ca_found = false;
- certStoreCTX->error = X509_V_OK;
+ d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
 d->kossl->X509_verify_cert(certStoreCTX);
- int errcode = certStoreCTX->error;
+ int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
 if (ca && !KSSL_X509CallBack_ca_found) {
 ksslv = KSSLCertificate::Irrelevant;
 } else {
@@ -753,9 +768,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
 d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, X509_PURPOSE_NS_SSL_SERVER);
- certStoreCTX->error = X509_V_OK;
+ d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
 d->kossl->X509_verify_cert(certStoreCTX);
- errcode = certStoreCTX->error;
+ errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
 ksslv = processError(errcode);
 }
 d->kossl->X509_STORE_CTX_free(certStoreCTX);
@@ -888,7 +903,7 @@ return rc;
 TQString KSSLCertificate::getNotBefore() const {
 #ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
+return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
 #else
 return TQString::null;
 #endif
@@ -897,7 +912,7 @@ return TQString::null;
 TQString KSSLCertificate::getNotAfter() const {
 #ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
+return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
 #else
 return TQString::null;
 #endif
@@ -906,7 +921,7 @@ return TQString::null;
 TQDateTime KSSLCertificate::getQDTNotBefore() const {
 #ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
+return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
 #else
 return TQDateTime::currentDateTime();
 #endif
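Review bot: In the @@ -738 hunk the error code is reset to `X509_V_OK` with `X509_STORE_CTX_set_error`, `X509_verify_cert` is called with its return value discarded, and the verdict is read back with `X509_STORE_CTX_get_error`; any failure path that returns 0 or -1 without updating the context error (which paths do so depends on the OpenSSL version behind the proxy) is therefore reported as a valid certificate. The same pattern is in the @@ -753 hunk. Keep the return value and fold it in: `int ok = d->kossl->X509_verify_cert(certStoreCTX);` / `int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);` / `if (ok != 1 && errcode == X509_V_OK) errcode = X509_V_ERR_UNSPECIFIED;` (that constant comes with the 1.1 headers; an older build needs another non-OK value). validateVerbose starts and ends outside these hunks.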
@@ -915,7 +930,7 @@ return TQDateTime::currentDateTime();
 TQDateTime KSSLCertificate::getQDTNotAfter() const {
 #ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
+return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
 #else
 return TQDateTime::currentDateTime();
 #endif
@@ -924,7 +939,7 @@ return TQDateTime::currentDateTime();
 TQDateTime KSSLCertificate::getQDTLastUpdate() const {
 #ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
+return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl), NULL);
 #else
 return TQDateTime::currentDateTime();
 #endif
@@ -933,7 +948,7 @@ return TQDateTime::currentDateTime();
 TQDateTime KSSLCertificate::getQDTNextUpdate() const {
 #ifdef KSSL_HAVE_SSL
-return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
+return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_nextUpdate(d->m_cert_crl), NULL);
 #else
 return TQDateTime::currentDateTime();
 #endif
@@ -1053,6 +1068,15 @@ return qba;
 #define NETSCAPE_CERT_HDR "certificate"
+#ifdef KSSL_HAVE_SSL
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+typedef struct NETSCAPE_X509_st
+{
+ ASN1_OCTET_STRING *header;
+ X509 *cert;
+} NETSCAPE_X509;
+#endif
+#endif
 // what a piece of crap this is
 TQByteArray KSSLCertificate::toNetscape() {
@@ -1062,8 +1086,8 @@ TQByteArray qba;
 NETSCAPE_X509 nx;
 ASN1_OCTET_STRING hdr;
 #else
- ASN1_HEADER ah;
- ASN1_OCTET_STRING os;
+ ASN1_HEADER ah;
+ ASN1_OCTET_STRING os;
 #endif
 KTempFile ktf;
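Review bot: In the @@ -924 hunk the C-style `(ASN1_UTCTIME*)` cast exists only to strip the `const` that `X509_CRL_get0_lastUpdate` returns, and the @@ -933 hunk does the same for `X509_CRL_get0_nextUpdate`; a reader cannot tell from the call site whether the callee mutates the time. If `ASN1_UTCTIME_QDateTime` (defined outside these hunks) only reads its argument, changing its first parameter to `const ASN1_UTCTIME *` removes both casts and lets the non-const `X509_getm_*` results in the neighbouring hunks convert implicitly. A CRL's nextUpdate field is optional, so a null from `X509_CRL_get0_nextUpdate` reaching that helper is a pre-existing case worth covering in the same change.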
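Review bot: The @@ -1053 hunk re-declares `struct NETSCAPE_X509_st` locally for OpenSSL >= 1.1, i.e. it fixes in this file the field layout of a type the library made opaque, and nothing in the hunk records that this is a layout contract with the library rather than an ordinary typedef. Add a comment above the `typedef struct` such as `// OpenSSL 1.1 no longer exposes this struct; the two fields must match the library's private definition exactly, since objects built here are handed back to OpenSSL.` so that a later OpenSSL change is recognised as a risk to this block instead of a silent mismatch. The `nx` declared in the @@ -1062 hunk is presumably what the struct is used for; its use is outside the visible hunks.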
@@ -1159,10 +1183,10 @@ TQStringList KSSLCertificate::subjAltNames() const {
 return rc;
 }
- int cnt = d->kossl->sk_GENERAL_NAME_num(names);
+ int cnt = d->kossl->OPENSSL_sk_num(names);
 for (int i = 0; i < cnt; i++) {
- const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->sk_value(names, i);
+ const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->OPENSSL_sk_value(names, i);
 if (val->type != GEN_DNS) {
 continue;
 }
@@ -1174,7 +1198,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
 rc += s;
 }
 }
- d->kossl->sk_free(names);
+ d->kossl->OPENSSL_sk_free(names);
 #endif
 return rc;
 }
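Review bot: In the @@ -1174 hunk `OPENSSL_sk_free(names)` releases only the stack, not the `GENERAL_NAME` elements it holds; if `names` is obtained from an extension decoder such as `X509_get_ext_d2i` (its allocation is outside the visible hunks), every element leaks on each subjAltNames call, exactly as the replaced `sk_free` did. Unless the elements are owned elsewhere, `GENERAL_NAMES_free(names)` (or a pop_free with `GENERAL_NAME_free` via the proxy) is the matching release; the enclosing function begins outside the @@ -1159 hunk.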