On 12-06-17 15:43, log...@free.fr wrote: > From: Emmanuel Deloget <log...@free.fr> > > OpenSSL 1.1 does not allow us to directly access the internal of > any data type, including EVP_PKEY. We have to use the defined > functions to do so. > > Compatibility with OpenSSL 1.0 is kept by defining the corresponding > functions when they are not found in the library. > > Signed-off-by: Emmanuel Deloget <log...@free.fr> > --- > configure.ac | 3 +++ > src/openvpn/openssl_compat.h | 42 ++++++++++++++++++++++++++++++++++++++++++ > src/openvpn/ssl_openssl.c | 6 +++--- > 3 files changed, 48 insertions(+), 3 deletions(-) > > diff --git a/configure.ac b/configure.ac > index 9d5e340b..a92e8142 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -926,6 +926,9 @@ if test "${enable_crypto}" = "yes" -a > "${with_crypto_library}" = "openssl"; then > X509_STORE_get0_objects \ > X509_OBJECT_free \ > X509_OBJECT_get_type \ > + EVP_PKEY_id \ > + EVP_PKEY_get0_RSA \ > + EVP_PKEY_get0_DSA \ > RSA_meth_new \ > RSA_meth_free \ > RSA_meth_set_pub_enc \ > diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h > index 29a7588c..0d82cf25 100644 > --- a/src/openvpn/openssl_compat.h > +++ b/src/openvpn/openssl_compat.h 
> @@ -134,6 +134,48 @@ X509_OBJECT_get_type(const X509_OBJECT *obj) > } > #endif > > +#if !defined(HAVE_EVP_PKEY_GET0_RSA) > +/** > + * Get the RSA object of a public key > + * > + * @param pkey Public key object > + * @return The underlying RSA object > + */ > +static inline RSA * > +EVP_PKEY_get0_RSA(EVP_PKEY *pkey) > +{ > + return pkey ? pkey->pkey.rsa : NULL; > +} > +#endif > + > +#if !defined(HAVE_EVP_PKEY_ID) > +/** > + * Get the PKEY type > + * > + * @param pkey Public key object > + * @return The key type > + */ > +static inline int > +EVP_PKEY_id(const EVP_PKEY *pkey) > +{ > + return pkey ? pkey->type : EVP_PKEY_NONE; > +} > +#endif > + > +#if !defined(HAVE_EVP_PKEY_GET0_DSA) > +/** > + * Get the DSA object of a public key > + * > + * @param pkey Public key object > + * @return The underlying DSA object > + */ > +static inline DSA * > +EVP_PKEY_get0_DSA(EVP_PKEY *pkey) > +{ > + return pkey ? pkey->pkey.dsa : NULL; > +} > +#endif > + > #if !defined(HAVE_RSA_METH_NEW) > /** > * Allocate a new RSA method object > diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c > index a082c3cd..1c73641c 100644 > --- a/src/openvpn/ssl_openssl.c > +++ b/src/openvpn/ssl_openssl.c > @@ -1072,7 +1072,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx > *ctx, > /* get the public key */ > EVP_PKEY *pkey = X509_get0_pubkey(cert); > ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */ > - pub_rsa = cert->cert_info->key->pkey->pkey.rsa; > + pub_rsa = EVP_PKEY_get0_RSA(pkey); > > /* initialize RSA object */ > rsa->n = BN_dup(pub_rsa->n); 
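Review bot: The EVP_PKEY_get0_RSA and EVP_PKEY_get0_DSA shims return the union member without looking at pkey->type, whereas the OpenSSL 1.1 functions they stand in for return NULL when the key is of a different type; on OpenSSL 1.0 a caller that does not do its own EVP_PKEY_id() check first would read pkey.dsa back as an RSA *. Making the shims type-check keeps the two builds behaving the same: `return (pkey && pkey->type == EVP_PKEY_RSA) ? pkey->pkey.rsa : NULL;` and, in the DSA shim, `return (pkey && pkey->type == EVP_PKEY_DSA) ? pkey->pkey.dsa : NULL;`. The two `@return` lines should then say "or NULL if pkey is NULL or not an RSA/DSA key" so callers know a NULL check is expected.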
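Review bot: `pub_rsa = EVP_PKEY_get0_RSA(pkey);` is followed two lines later by `rsa->n = BN_dup(pub_rsa->n);` with no check on pub_rsa; with the OpenSSL 1.1 accessor, and with any compat shim that validates the key type, a certificate whose public key is not RSA yields NULL here and the BN_dup call dereferences it. The existing `ASSERT(pkey)` only covers the EVP_PKEY itself. At minimum add `ASSERT(pub_rsa); /* certificate public key must be RSA */` after the assignment, or fail the way the function's other error paths presumably do (they are outside the hunk). tls_ctx_use_external_private_key starts and ends outside this hunk.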
> @@ -1677,13 +1677,13 @@ print_details(struct key_state_ssl *ks_ssl, const > char *prefix) > EVP_PKEY *pkey = X509_get_pubkey(cert); > if (pkey != NULL) > { > - if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL > + if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) > != NULL > && pkey->pkey.rsa->n != NULL) > { > openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA", > BN_num_bits(pkey->pkey.rsa->n)); > } > - else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL > + else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && > EVP_PKEY_get0_DSA(pkey) != NULL > && pkey->pkey.dsa->p != NULL) > { > openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA", >
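Review bot: The rewritten conditions still read `pkey->pkey.rsa->n` and `pkey->pkey.dsa->p` on the context lines immediately after the changed ones, so this block still touches EVP_PKEY internals and will not build against OpenSSL 1.1's opaque struct unless a later patch in the series replaces those reads; the accessor results are also discarded and the struct re-read, so the check and the use are not the same object. Keeping the accessor result and reading the modulus/prime through the OpenSSL 1.1 getters (RSA_get0_key, DSA_get0_pqg, which would need their own compat definitions for 1.0 in the same style as this header) removes the last direct field access; calling the getter only inside the matching type branch also avoids the error OpenSSL 1.1's EVP_PKEY_get0_* pushes on a type mismatch. print_details starts and ends outside this hunk, so the tail of the if/else chain is not visible.
```c
EVP_PKEY *pkey = X509_get_pubkey(cert);
if (pkey != NULL)
{
    if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
    {
        const BIGNUM *n = NULL;
        RSA *rsa = EVP_PKEY_get0_RSA(pkey);
        if (rsa != NULL)
        {
            RSA_get0_key(rsa, &n, NULL, NULL);
        }
        if (n != NULL)
        {
            openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
                             BN_num_bits(n));
        }
    }
    else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
    {
        const BIGNUM *p = NULL;
        DSA *dsa = EVP_PKEY_get0_DSA(pkey);
        if (dsa != NULL)
        {
            DSA_get0_pqg(dsa, &p, NULL, NULL);
        }
        if (p != NULL)
        {
            openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
                             BN_num_bits(p));
        }
    }
    /* … unchanged: remainder of print_details, outside the hunk … */
```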
Patch content is the same as in the ACK'ed version from v7 - so ACK to this one too. -Steffan