From b8802de2c09b31fce7717a500cd5ffe8bada1b27 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= Date: Sun, 1 Jan 2017 19:35:39 +0100 Subject: Added support for OpenSSL 1.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some KOpenSSLProxy methods have been renamed to be consistent with OpenSSL 1.1 API names and to prevent hidden API changes. To ensure API / ABI compatibility, the original methods are still included but have been marked as deprecated. + SSLv23_client_method => TLS_client_method + X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted + sk_dup => OPENSSL_sk_dup + sk_free => OPENSSL_sk_free + sk_new => OPENSSL_sk_new + sk_num => OPENSSL_sk_num + sk_pop => OPENSSL_sk_pop + sk_push => OPENSSL_sk_push + sk_value => OPENSSL_sk_value Additional methods have been added to KOpenSSLProxy to support the new OpenSSL 1.1 API functions that provide access to the (now) opaque SSL structures. Compatibility with OpenSSL < 1.1 is handled internally in KOpenSSLProxy. + BIO_get_data + DSA_get0_key + DSA_get0_pqg + EVP_PKEY_base_id + EVP_PKEY_get0_DSA + EVP_PKEY_get0_RSA + RSA_get0_key + X509_CRL_get0_lastUpdate + X509_CRL_get0_nextUpdate + X509_OBJECT_get0_X509 + X509_OBJECT_get_type + X509_STORE_CTX_get_current_cert + X509_STORE_CTX_get_error + X509_STORE_CTX_get_error_depth + X509_STORE_CTX_set_error + X509_STORE_get0_objects + X509_STORE_set_verify_cb + X509_get0_signature + X509_getm_notAfter + X509_getm_notBefore + X509_subject_name_cmp + _SSL_session_reused + _SSL_set_options Method "KSSL::setSession" has been renamed to "KSSL::takeSession" and its functionality has changed: the session is now transferred from the argument object to the invoked object. Since it is only used internally in TDE and the functionality is different, the method with the previous name has not been preserved. Signed-off-by: Slávek Banko 
Signed-off-by: Michele Calgaro (cherry picked from commit e1861cb6811f7bac405ece204407ca46c000a453) --- tdeio/kssl/ksslcertificate.cc | 104 ++++++++++++++++++++++++++---------------- 1 file changed, 64 insertions(+), 40 deletions(-) (limited to 'tdeio/kssl/ksslcertificate.cc') diff --git a/tdeio/kssl/ksslcertificate.cc b/tdeio/kssl/ksslcertificate.cc index 2b7bed2bb..2df78fef7 100644 --- a/tdeio/kssl/ksslcertificate.cc +++ b/tdeio/kssl/ksslcertificate.cc @@ -198,7 +198,7 @@ TQString rc = ""; if (!t) return rc; rc = t; - d->kossl->OPENSSL_free(t); + d->kossl->CRYPTO_free(t); #endif return rc; } @@ -225,14 +225,17 @@ TQString rc = ""; char *s; int n, i; - i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm); + const ASN1_BIT_STRING *signature = 0L; + const X509_ALGOR *sig_alg = 0L; + d->kossl->X509_get0_signature(&signature, &sig_alg, d->m_cert); + i = d->kossl->OBJ_obj2nid(sig_alg->algorithm); rc = i18n("Signature Algorithm: "); rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i)); rc += "\n"; rc += i18n("Signature Contents:"); - n = d->m_cert->signature->length; - s = (char *)d->m_cert->signature->data; + n = signature->length; + s = (char *)signature->data; for (i = 0; i < n; i++) { if (i%20 != 0) rc += ":"; else rc += "\n"; @@ -254,8 +257,8 @@ void KSSLCertificate::getEmails(TQStringList &to) const { STACK *s = d->kossl->X509_get1_email(d->m_cert); if (s) { - for(int n=0; n < s->num; n++) { - to.append(d->kossl->sk_value(s,n)); + for(int n=0; n < d->kossl->OPENSSL_sk_num(s); n++) { + to.append(d->kossl->OPENSSL_sk_value(s,n)); } d->kossl->X509_email_free(s); } @@ -336,12 +339,12 @@ TQString rc = ""; EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert); if (pkey) { #ifndef NO_RSA - if (pkey->type == EVP_PKEY_RSA) + if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) rc = "RSA"; else #endif #ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) + if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) rc = "DSA"; else #endif 
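Review bot: `sig_alg` and `signature` are dereferenced immediately after `X509_get0_signature(&signature, &sig_alg, d->m_cert)` with no NULL check, so if the proxy call leaves them at their `0L` initializers (for instance because the wrapped 1.1 symbol could not be bound) the code crashes on `sig_alg->algorithm`. A guard matching the surrounding style, `if (!sig_alg || !signature) return rc;` placed before the `OBJ_obj2nid` call, turns that into an empty result instead of a crash in certificate-display code. The old field accesses could not fail this way, so the check is new work the rename introduces rather than a pre-existing gap. The enclosing function starts before the hunk; its return is only inferred from `TQString rc = "";` in the hunk header.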
@@ -364,10 +367,14 @@ char *x = NULL; if (pkey) { rc = i18n("Unknown", "Unknown key algorithm"); #ifndef NO_RSA - if (pkey->type == EVP_PKEY_RSA) { + if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) { rc = i18n("Key type: RSA (%1 bit)") + "\n"; - x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n); + RSA *pkey_rsa = d->kossl->EVP_PKEY_get0_RSA(pkey); + const BIGNUM *bn_n = 0L; + const BIGNUM *bn_e = 0L; + d->kossl->RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL); + x = d->kossl->BN_bn2hex(bn_n); rc += i18n("Modulus: "); rc = rc.arg(strlen(x)*4); for (unsigned int i = 0; i < strlen(x); i++) { @@ -378,18 +385,26 @@ char *x = NULL; rc += x[i]; } rc += "\n"; - d->kossl->OPENSSL_free(x); + d->kossl->CRYPTO_free(x); - x = d->kossl->BN_bn2hex(pkey->pkey.rsa->e); + x = d->kossl->BN_bn2hex(bn_e); rc += i18n("Exponent: 0x") + x + "\n"; - d->kossl->OPENSSL_free(x); + d->kossl->CRYPTO_free(x); } #endif #ifndef NO_DSA - if (pkey->type == EVP_PKEY_DSA) { + if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) { rc = i18n("Key type: DSA (%1 bit)") + "\n"; - x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p); + DSA *pkey_dsa = d->kossl->EVP_PKEY_get0_DSA(pkey); + const BIGNUM *bn_p = 0L; + const BIGNUM *bn_q = 0L; + const BIGNUM *bn_g = 0L; + const BIGNUM *bn_pub_key = 0L; + d->kossl->DSA_get0_pqg(pkey_dsa, &bn_p, &bn_q, &bn_g); + d->kossl->DSA_get0_key(pkey_dsa, &bn_pub_key, NULL); + + x = d->kossl->BN_bn2hex(bn_p); rc += i18n("Prime: "); // hack - this may not be always accurate rc = rc.arg(strlen(x)*4) ; @@ -401,9 +416,9 @@ char *x = NULL; rc += x[i]; } rc += "\n"; - d->kossl->OPENSSL_free(x); + d->kossl->CRYPTO_free(x); - x = d->kossl->BN_bn2hex(pkey->pkey.dsa->q); + x = d->kossl->BN_bn2hex(bn_q); rc += i18n("160 bit prime factor: "); for (unsigned int i = 0; i < strlen(x); i++) { if (i%40 != 0 && i%2 == 0) 
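Review bot: `pkey_rsa` from `EVP_PKEY_get0_RSA(pkey)` is passed straight into `RSA_get0_key`, and `bn_n` straight into `BN_bn2hex`, with no NULL check; a NULL accessor result (possible if the proxy could not bind the 1.1 symbol) leaves `bn_n`/`bn_e` at `0L` and dereferences NULL, where the old `pkey->pkey.rsa->n` access had no such failure mode. `BN_bn2hex` may itself return NULL on allocation failure, after which `strlen(x)` reads through NULL; that was already true before the change but the lines are rewritten here. I would add `if (!pkey_rsa) return rc;` after the `get0_RSA` call (freeing `pkey` first, since `EVP_PKEY_free(pkey)` only runs at the end of the function in a later hunk) and guard each `x` before `strlen(x)`. Passing `NULL` for the private exponent in `RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL)` is the right choice for display code. The enclosing function starts before this hunk and continues after it.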
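Review bot: The DSA branch has the same gap as the RSA one: `pkey_dsa` is used unchecked in `DSA_get0_pqg` and `DSA_get0_key`, and `bn_p`, `bn_q`, `bn_g` and `bn_pub_key` stay `0L` if either accessor does not run, after which `BN_bn2hex(bn_p)` dereferences NULL. An `if (!pkey_dsa) ...` guard right after `EVP_PKEY_get0_DSA(pkey)`, with the same `pkey` cleanup as the RSA path, closes it. Passing `NULL` as the private-key out-parameter to `DSA_get0_key` is correct here, since only the public half should ever be rendered. The `rc.arg(strlen(x)*4)` bit count is unchanged and, as far as I can tell, rounds up to a multiple of 8 because `BN_bn2hex` emits whole bytes; the existing `// hack` comment already flags that. The function starts before the hunk and continues after it.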
@@ -413,9 +428,9 @@ char *x = NULL; rc += x[i]; } rc += "\n"; - d->kossl->OPENSSL_free(x); + d->kossl->CRYPTO_free(x); - x = d->kossl->BN_bn2hex(pkey->pkey.dsa->g); + x = d->kossl->BN_bn2hex(bn_g); rc += TQString("g: "); for (unsigned int i = 0; i < strlen(x); i++) { if (i%40 != 0 && i%2 == 0) @@ -425,9 +440,9 @@ char *x = NULL; rc += x[i]; } rc += "\n"; - d->kossl->OPENSSL_free(x); + d->kossl->CRYPTO_free(x); - x = d->kossl->BN_bn2hex(pkey->pkey.dsa->pub_key); + x = d->kossl->BN_bn2hex(bn_pub_key); rc += i18n("Public key: "); for (unsigned int i = 0; i < strlen(x); i++) { if (i%40 != 0 && i%2 == 0) @@ -437,7 +452,7 @@ char *x = NULL; rc += x[i]; } rc += "\n"; - d->kossl->OPENSSL_free(x); + d->kossl->CRYPTO_free(x); } #endif d->kossl->EVP_PKEY_free(pkey); @@ -459,7 +474,7 @@ TQString rc = ""; return rc; rc = t; - d->kossl->OPENSSL_free(t); + d->kossl->CRYPTO_free(t); #endif return rc; @@ -696,7 +711,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi return errors; } - X509_STORE_set_verify_cb_func(certStore, X509Callback); + d->kossl->X509_STORE_set_verify_cb(certStore, X509Callback); certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file()); if (!certLookup) { @@ -727,7 +742,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL); if (d->_chain.isValid()) { - d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain()); + d->kossl->X509_STORE_CTX_set0_untrusted(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain()); } //kdDebug(7029) << "KSSL setting CRL.............." << endl; 
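Review bot: `X509_STORE_CTX_set0_untrusted` only stores the pointer: the ctx neither copies nor takes ownership of the stack, so `d->_chain.rawChain()` has to stay valid until `X509_STORE_CTX_free(certStoreCTX)` in a later hunk, and nothing at the call site records that contract. I would add `// set0: the ctx borrows the stack, d->_chain must outlive certStoreCTX` above the call. The rename also makes explicit that these certificates go in as untrusted intermediates rather than trust anchors, which is the correct posture for a peer-supplied chain. The C-style `(STACK_OF(X509)*)` cast hides whatever `rawChain()` actually returns and is worth revisiting if that accessor ever changes type. validateVerbose starts before this hunk and continues after it.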
@@ -738,9 +753,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0; KSSL_X509CallBack_ca_found = false; - certStoreCTX->error = X509_V_OK; + d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK); d->kossl->X509_verify_cert(certStoreCTX); - int errcode = certStoreCTX->error; + int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX); if (ca && !KSSL_X509CallBack_ca_found) { ksslv = KSSLCertificate::Irrelevant; } else { @@ -753,9 +768,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX, X509_PURPOSE_NS_SSL_SERVER); - certStoreCTX->error = X509_V_OK; + d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK); d->kossl->X509_verify_cert(certStoreCTX); - errcode = certStoreCTX->error; + errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX); ksslv = processError(errcode); } d->kossl->X509_STORE_CTX_free(certStoreCTX); @@ -888,7 +903,7 @@ return rc; TQString KSSLCertificate::getNotBefore() const { #ifdef KSSL_HAVE_SSL -return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert)); +return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert)); #else return TQString::null; #endif @@ -897,7 +912,7 @@ return TQString::null; TQString KSSLCertificate::getNotAfter() const { #ifdef KSSL_HAVE_SSL -return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert)); +return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert)); #else return TQString::null; #endif @@ -906,7 +921,7 @@ return TQString::null; TQDateTime KSSLCertificate::getQDTNotBefore() const { #ifdef KSSL_HAVE_SSL -return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL); +return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL); #else return TQDateTime::currentDateTime(); #endif 
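Review bot: The return value of `d->kossl->X509_verify_cert(certStoreCTX)` is still discarded and the outcome is read only through `X509_STORE_CTX_get_error`, immediately after the error was reset to `X509_V_OK`; any verify call that fails without setting the ctx error (OpenSSL does not guarantee it on internal errors) therefore reads as a valid certificate, which is fail-open in the validation path. I would capture it: `int vrc = d->kossl->X509_verify_cert(certStoreCTX);` / `int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);` / `if (vrc <= 0 && errcode == X509_V_OK) errcode = X509_V_ERR_APPLICATION_VERIFICATION;` so an unexplained failure is reported as an error rather than as success. `X509_V_ERR_APPLICATION_VERIFICATION` exists in every OpenSSL release this file supports, so the fallback needs no new proxy symbol. validateVerbose starts before this hunk and continues after it.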
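Review bot: This is a second `X509_verify_cert` on the same `certStoreCTX` that the previous hunk already verified, with only `X509_STORE_CTX_set_purpose` and `set_error(X509_V_OK)` in between as far as the visible lines show. If I read `X509_verify_cert` right, OpenSSL refuses to re-run verification on a ctx that still holds a built chain and returns -1; 1.1 sets `X509_V_ERR_INVALID_CALL` while older releases leave the ctx error untouched, so with the error just reset to `X509_V_OK` and the return value ignored, older builds would report the server-purpose check as passed and 1.1 builds would report every certificate as bad. Unless the elided lines between the two hunks call `X509_STORE_CTX_cleanup`/`X509_STORE_CTX_init` again, the purpose check should run on a re-initialised or fresh `X509_STORE_CTX_new()` context, and its return value should be checked. validateVerbose continues after this hunk.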
@@ -915,7 +930,7 @@ return TQDateTime::currentDateTime(); TQDateTime KSSLCertificate::getQDTNotAfter() const { #ifdef KSSL_HAVE_SSL -return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL); +return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL); #else return TQDateTime::currentDateTime(); #endif @@ -924,7 +939,7 @@ return TQDateTime::currentDateTime(); TQDateTime KSSLCertificate::getQDTLastUpdate() const { #ifdef KSSL_HAVE_SSL -return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL); +return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl), NULL); #else return TQDateTime::currentDateTime(); #endif @@ -933,7 +948,7 @@ return TQDateTime::currentDateTime(); TQDateTime KSSLCertificate::getQDTNextUpdate() const { #ifdef KSSL_HAVE_SSL -return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL); +return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_nextUpdate(d->m_cert_crl), NULL); #else return TQDateTime::currentDateTime(); #endif @@ -1053,6 +1068,15 @@ return qba; #define NETSCAPE_CERT_HDR "certificate" +#ifdef KSSL_HAVE_SSL +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +typedef struct NETSCAPE_X509_st +{ + ASN1_OCTET_STRING *header; + X509 *cert; +} NETSCAPE_X509; +#endif +#endif // what a piece of crap this is TQByteArray KSSLCertificate::toNetscape() { @@ -1062,8 +1086,8 @@ TQByteArray qba; NETSCAPE_X509 nx; ASN1_OCTET_STRING hdr; #else - ASN1_HEADER ah; - ASN1_OCTET_STRING os; + ASN1_HEADER ah; + ASN1_OCTET_STRING os; #endif KTempFile ktf; 
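Review bot: The `(ASN1_UTCTIME*)` cast in getQDTLastUpdate both strips the `const` that `X509_CRL_get0_lastUpdate` now returns and relabels an `ASN1_TIME` as a UTCTime; a CRL whose lastUpdate is encoded as GeneralizedTime (RFC 5280 requires it for dates from 2050) would be handed to a UTCTime parser, depending on what `ASN1_UTCTIME_QDateTime` (not visible here) does with the `type` field. If that helper only understands `V_ASN1_UTCTIME`, something like `const ASN1_TIME *t = d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl);` / `if (!t || t->type != V_ASN1_UTCTIME) return TQDateTime::currentDateTime();` before the conversion avoids silently misreading the date; the nextUpdate hunk below has the same shape. `d->m_cert_crl` is also dereferenced without a NULL check, as it was before the change. The function's closing brace lies outside the hunk.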
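Review bot: The new `NETSCAPE_X509` typedef for OpenSSL >= 1.1 hard-codes a two-pointer layout for a structure the library presumably no longer exports, and nothing at the declaration says so. If the library's internal definition ever gains or reorders a field, the local `NETSCAPE_X509 nx;` in toNetscape would be a smaller or differently laid out object than whatever it is later passed to, which is silent memory corruption rather than a compile error. I would put that contract next to the typedef: `// OpenSSL >= 1.1 no longer exports struct NETSCAPE_X509_st; this mirror must match the library's layout (header, cert) exactly or the NETSCAPE_X509 i2d/d2i routines will read the wrong fields.` The remaining lines of the hunk are a whitespace change on the pre-1.1 declarations. toNetscape starts in this hunk and continues after it.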
@@ -1159,10 +1183,10 @@ TQStringList KSSLCertificate::subjAltNames() const { return rc; } - int cnt = d->kossl->sk_GENERAL_NAME_num(names); + int cnt = d->kossl->OPENSSL_sk_num(names); for (int i = 0; i < cnt; i++) { - const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->sk_value(names, i); + const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->OPENSSL_sk_value(names, i); if (val->type != GEN_DNS) { continue; } @@ -1174,7 +1198,7 @@ TQStringList KSSLCertificate::subjAltNames() const { rc += s; } } - d->kossl->sk_free(names); + d->kossl->OPENSSL_sk_free(names); #endif return rc; } -- cgit v1.2.1
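Review bot: `OPENSSL_sk_free(names)` releases only the stack container, not the `GENERAL_NAME` elements, so if `names` is an owned copy (e.g. from `X509_get_ext_d2i`, which is outside the hunk) every call to subjAltNames leaks the names; this was already true of the old `sk_free`, but the line is rewritten here. The 1.1-era equivalent of `sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free)` is `OPENSSL_sk_pop_free(names, (OPENSSL_sk_freefunc)GENERAL_NAME_free)`, which would need an `OPENSSL_sk_pop_free` wrapper in KOpenSSLProxy since the commit's list adds only `OPENSSL_sk_free`. If `names` is instead a borrowed pointer, the current free is a double-free risk rather than a leak, so the ownership should be stated in a comment at the free either way. subjAltNames starts before this hunk.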