Hello, I spend some time to compile unbound-1.5.9 and ldns-1.6.17 with openssl-1.1.0b. The current results you find attached.
WARNING: unbound and ldns compile - unbound with warnings. treat the patches as if it will break major things - no guarantee! don't use them as they are. please comment and review! Andreas
Description: experimental support for openssl-1.1.x Author: A. Schulze --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: unbound-1.5.9/validator/val_secalgo.c =================================================================== --- unbound-1.5.9.orig/validator/val_secalgo.c +++ unbound-1.5.9/validator/val_secalgo.c @@ -601,7 +601,11 @@ verify_canonrrset(sldns_buffer* buf, int log_err("EVP_MD_CTX_new: malloc failure"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + else if(docrypto_free) OPENSSL_free(sigblock); +#else else if(docrypto_free) CRYPTO_free(sigblock); +#endif return sec_status_unchecked; } if(EVP_VerifyInit(ctx, digest_type) == 0) { @@ -609,7 +613,11 @@ verify_canonrrset(sldns_buffer* buf, int EVP_MD_CTX_destroy(ctx); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + else if(docrypto_free) OPENSSL_free(sigblock); +#else else if(docrypto_free) CRYPTO_free(sigblock); +#endif return sec_status_unchecked; } if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), @@ -618,7 +626,11 @@ verify_canonrrset(sldns_buffer* buf, int EVP_MD_CTX_destroy(ctx); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + else if(docrypto_free) OPENSSL_free(sigblock); +#else else if(docrypto_free) CRYPTO_free(sigblock); +#endif return sec_status_unchecked; } @@ -632,7 +644,11 @@ verify_canonrrset(sldns_buffer* buf, int EVP_PKEY_free(evp_key); if(dofree) free(sigblock); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + else if(docrypto_free) OPENSSL_free(sigblock); +#else else if(docrypto_free) CRYPTO_free(sigblock); +#endif if(res == 1) { return sec_status_secure; Index: unbound-1.5.9/daemon/remote.c =================================================================== --- unbound-1.5.9.orig/daemon/remote.c +++ unbound-1.5.9/daemon/remote.c @@ -144,6 +144,57 @@ timeval_divide(struct timeval* avg, cons * (some openssl versions reject DH that is 'too small', eg. 512). */ #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +DH *get_dh2048() +{ + static unsigned char dhp_2048[] = { + 0xFF, 0x47, 0x1F, 0x71, 0x99, 0xD8, 0x6F, 0x18, 0xE5, 0x29, + 0x60, 0x48, 0xA4, 0x96, 0x93, 0x08, 0x5E, 0x39, 0x5A, 0xB8, + 0x39, 0xAF, 0x86, 0x1E, 0xA9, 0x4C, 0x4E, 0xFE, 0x9D, 0x58, + 0xF2, 0x84, 0x25, 0x69, 0x46, 0x87, 0xB9, 0xD9, 0x91, 0x1C, + 0x85, 0x47, 0xF3, 0xF9, 0x93, 0x1F, 0xC7, 0x22, 0x8A, 0x52, + 0x3F, 0xF4, 0x97, 0xC7, 0x3A, 0xAE, 0x1F, 0x32, 0x8C, 0xEA, + 0xA1, 0x60, 0xD0, 0xD9, 0x61, 0xA4, 0xE9, 0xA5, 0x85, 0xAF, + 0x95, 0xBB, 0xAE, 0x5C, 0xB2, 0x08, 0x49, 0x5B, 0xFA, 0x17, + 0xB9, 0x0D, 0x7B, 0x79, 0x4F, 0x0B, 0xF5, 0x2B, 0xC0, 0x4B, + 0xD1, 0x8C, 0xAC, 0x2F, 0x14, 0xDC, 0x5D, 0xAC, 0x65, 0x6C, + 0x56, 0xF5, 0x67, 0x16, 0x75, 0x78, 0xAC, 0x96, 0x3D, 0x4D, + 0xB5, 0x0E, 0x3D, 0xFB, 0x11, 0x72, 0x60, 0x5D, 0xE8, 0x66, + 0x98, 0x21, 0xBC, 0x8B, 0xC2, 0x35, 0xB5, 0xB1, 0x3A, 0x11, + 0x98, 0xED, 0xF8, 0x06, 0x8C, 0x03, 0xE4, 0xBF, 0xCA, 0x6C, + 0xC7, 0x4A, 0xCE, 0x51, 0x64, 0x2C, 0x2D, 0x40, 0x8E, 0xC4, + 0x9F, 0x86, 0xBA, 0x89, 0x94, 0xE0, 0x8F, 0xBA, 0x59, 0x1A, + 0xE3, 0x22, 0x52, 0xEF, 0xFE, 0x1E, 0x16, 0x40, 0x42, 0xD8, + 0x36, 0x4B, 0xFC, 0x53, 0x01, 0xE3, 0x44, 0x7F, 0x93, 0x69, + 0x6A, 0x4F, 0x57, 0x24, 0x30, 0x47, 0xE7, 0xF5, 0x12, 0xBE, + 0x61, 0x92, 0xE7, 0x63, 0xE9, 0x0F, 0x5F, 0x0B, 0x64, 0x6C, + 0xF1, 0xA7, 0xE0, 0xB3, 0x49, 0xBB, 0x20, 0xB0, 0xA1, 0x26, + 0x4D, 0xD7, 0xAC, 0x2E, 0x7C, 0x15, 0x34, 0x9C, 0xE9, 0x18, + 0x5C, 0xB2, 0x1A, 0x92, 0x3C, 0xC8, 0x92, 0x76, 0x90, 0x44, + 0x17, 0x2B, 0x34, 0x2B, 0x8F, 0x44, 0xC1, 0x6F, 0x1E, 0x56, + 0xBD, 0x25, 0x71, 0xBE, 0xC0, 0x60, 0x5E, 0x28, 0x3D, 0x37, + 0x5C, 0xAC, 0xC2, 0x13, 0xCC, 0xEB + }; + static unsigned char dhg_2048[] = { + 0x02 + }; + DH *dh = DH_new(); + BIGNUM *dhp_bn, *dhg_bn; + + if (dh == NULL) + return NULL; + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); + if (dhp_bn == NULL || dhg_bn == NULL + || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { + DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); + return NULL; + } + return dh; +} +#else DH *get_dh2048() { static unsigned char dh2048_p[]={ @@ -182,6 +233,7 @@ DH *get_dh2048() { DH_free(dh); return(NULL); } return(dh); } +#endif #endif /* SPLINT */ struct daemon_remote* Index: unbound-1.5.9/sldns/keyraw.c =================================================================== --- unbound-1.5.9.orig/sldns/keyraw.c +++ unbound-1.5.9/sldns/keyraw.c @@ -216,10 +216,15 @@ sldns_key_buf2dsa_raw(unsigned char* key return NULL; } #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_set0_pqg(dsa, P, Q, G); + DSA_set0_key(dsa, Y, NULL); +#else dsa->p = P; dsa->q = Q; dsa->g = G; dsa->pub_key = Y; +#endif #endif /* splint */ return dsa; @@ -274,8 +279,12 @@ sldns_key_buf2rsa_raw(unsigned char* key return NULL; } #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + RSA_set0_key(rsa, modulus, exponent, NULL); +#else rsa->n = modulus; rsa->e = exponent; +#endif #endif /* splint */ return rsa; Index: unbound-1.5.9/util/net_help.c =================================================================== --- unbound-1.5.9.orig/util/net_help.c +++ unbound-1.5.9/util/net_help.c @@ -784,6 +784,23 @@ void* outgoing_ssl_fd(void* sslctx, int } #if defined(HAVE_SSL) && defined(OPENSSL_THREADS) && !defined(THREADS_DISABLED) && defined(CRYPTO_LOCK) +/* + * build log "unused function ub_crypto_id_cb and ub_crypto_lock_cb" + * maybe related: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=657 + * which mention a documentation update + * + * from openssl-1.1.0b/CHANGES: + * + * OpenSSL now uses a new threading API. It is no longer necessary to + * set locking callbacks to use OpenSSL in a multi-threaded environment. There + * are two supported threading models: pthreads and windows threads. It is + * also possible to configure OpenSSL at compile time for "no-threads". The + * old threading API should no longer be used. The functions have been + * replaced with "no-op" compatibility macros. + * + * XXX: the folling code should be treat as broken until reviewed by experts + * TODO: review + */ /** global lock list for openssl locks */ static lock_basic_t *ub_openssl_locks = NULL;
Description: experimental support openssl-1.1.x Author: A. Schulze --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: ldns-1.6.17/configure =================================================================== --- ldns-1.6.17.orig/configure +++ ldns-1.6.17/configure @@ -14501,10 +14501,10 @@ $as_echo "found in $ssldir" >&6; } fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_init in -lcrypto" >&5 -$as_echo_n "checking for HMAC_CTX_init in -lcrypto... " >&6; } - LIBS="$LIBS -lcrypto" - LIBSSL_LIBS="$LIBSSL_LIBS -lcrypto" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for HMAC_CTX_reset in -lcrypto" >&5 +$as_echo_n "checking for HMAC_CTX_reset in -lcrypto... " >&6; } + LIBS="$LIBS `pkg-config --libs libcrypto`" + LIBSSL_LIBS="$LIBSSL_LIBS `pkg-config --libs libcrypto`" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ @@ -14512,8 +14512,8 @@ int main () { - int HMAC_CTX_init(void); - (void)HMAC_CTX_init(); + int HMAC_CTX_reset(void); + (void)HMAC_CTX_reset(); ; return 0; @@ -14545,8 +14545,8 @@ int main () { - int HMAC_CTX_init(void); - (void)HMAC_CTX_init(); + int HMAC_CTX_reset(void); + (void)HMAC_CTX_reset(); ; return 0; @@ -14577,8 +14577,8 @@ int main () { - int HMAC_CTX_init(void); - (void)HMAC_CTX_init(); + int HMAC_CTX_reset(void); + (void)HMAC_CTX_reset(); ; return 0; @@ -14985,7 +14985,7 @@ esac if test "x$HAVE_SSL" = "xyes"; then -LIBSSL_SSL_LIBS="-lssl $LIBSSL_LIBS" +LIBSSL_SSL_LIBS="`pkg-config --libs libssl` $LIBSSL_LIBS" fi CPPFLAGS=$tmp_CPPFLAGS Index: ldns-1.6.17/dane.c =================================================================== --- ldns-1.6.17.orig/dane.c +++ ldns-1.6.17/dane.c @@ -312,6 +312,7 @@ ldns_dane_pkix_get_last_self_signed(X509 ldns_status s; X509_STORE* empty_store = NULL; X509_STORE_CTX* vrfy_ctx; + int err; assert(out_cert != NULL); @@ -327,8 +328,9 @@ ldns_dane_pkix_get_last_self_signed(X509 } (void) X509_verify_cert(vrfy_ctx); - if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || - vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){ + err = X509_STORE_CTX_get_error(vrfy_ctx); + if (err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || + err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){ *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx); s = LDNS_STATUS_OK; Index: ldns-1.6.17/dnssec.c =================================================================== --- ldns-1.6.17.orig/dnssec.c +++ ldns-1.6.17/dnssec.c @@ -376,10 +376,15 @@ ldns_key_buf2dsa_raw(unsigned char* key, return NULL; } #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER < 0x10100000L dsa->p = P; dsa->q = Q; dsa->g = G; dsa->pub_key = Y; +#else + DSA_set0_pqg(dsa, P, Q, G); + DSA_set0_key(dsa, Y, NULL); +#endif #endif /* splint */ return dsa; @@ -444,8 +449,12 @@ ldns_key_buf2rsa_raw(unsigned char* key, return NULL; } #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER < 0x10100000L rsa->n = modulus; rsa->e = exponent; +#else + RSA_set0_key(rsa, modulus, exponent, NULL); +#endif #endif /* splint */ return rsa; @@ -1711,6 +1720,10 @@ ldns_convert_dsa_rrsig_asn12rdf(const ld DSA_SIG *dsasig; unsigned char *dsasig_data = (unsigned char*)ldns_buffer_begin(sig); size_t byte_offset; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *dsasig_r; + const BIGNUM *dsasig_s; +#endif dsasig = d2i_DSA_SIG(NULL, (const unsigned char **)&dsasig_data, @@ -1726,22 +1739,38 @@ ldns_convert_dsa_rrsig_asn12rdf(const ld return NULL; } dsasig_data[0] = 0; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_SIG_get0(dsasig, &dsasig_r, NULL); + byte_offset = (size_t) (20 - BN_num_bytes(dsasig_r)); +#else byte_offset = (size_t) (20 - BN_num_bytes(dsasig->r)); +#endif if (byte_offset > 20) { DSA_SIG_free(dsasig); LDNS_FREE(dsasig_data); return NULL; } memset(&dsasig_data[1], 0, byte_offset); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_SIG_get0(dsasig, &dsasig_r, &dsasig_s); + BN_bn2bin(dsasig_r, &dsasig_data[1 + byte_offset]); + byte_offset = (size_t) (20 - BN_num_bytes(dsasig_s)); +#else BN_bn2bin(dsasig->r, &dsasig_data[1 + byte_offset]); byte_offset = (size_t) (20 - BN_num_bytes(dsasig->s)); +#endif if (byte_offset > 20) { DSA_SIG_free(dsasig); LDNS_FREE(dsasig_data); return NULL; } memset(&dsasig_data[21], 0, byte_offset); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_SIG_get0(dsasig, NULL, &dsasig_s); + BN_bn2bin(dsasig_s, &dsasig_data[21 + byte_offset]); +#else BN_bn2bin(dsasig->s, &dsasig_data[21 + byte_offset]); +#endif sigdata_rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, 41, dsasig_data); if(!sigdata_rdf) { @@ -1784,8 +1813,12 @@ ldns_convert_dsa_rrsig_rdf2asn1(ldns_buf return LDNS_STATUS_MEM_ERR; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_SIG_set0(dsasig, R, S); +#else dsasig->r = R; dsasig->s = S; +#endif raw_sig_len = i2d_DSA_SIG(dsasig, &raw_sig); if (raw_sig_len < 0) { @@ -1809,22 +1842,40 @@ ldns_rdf * ldns_convert_ecdsa_rrsig_asn12rdf(const ldns_buffer *sig, const long sig_len) { ECDSA_SIG* ecdsa_sig; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *ecdsa_sig_r; + const BIGNUM *ecdsa_sig_s; +#endif unsigned char *data = (unsigned char*)ldns_buffer_begin(sig); ldns_rdf* rdf; ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len); if(!ecdsa_sig) return NULL; /* "r | s". */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ECDSA_SIG_get0(ecdsa_sig, &ecdsa_sig_r, &ecdsa_sig_s); + data = LDNS_XMALLOC(unsigned char, + BN_num_bytes(ecdsa_sig_r) + BN_num_bytes(ecdsa_sig_s)); +#else data = LDNS_XMALLOC(unsigned char, BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)); +#endif if(!data) { ECDSA_SIG_free(ecdsa_sig); return NULL; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ECDSA_SIG_get0(ecdsa_sig, &ecdsa_sig_r, &ecdsa_sig_s); + BN_bn2bin(ecdsa_sig_r, data); + BN_bn2bin(ecdsa_sig_s, data+BN_num_bytes(ecdsa_sig_r)); + rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)( + BN_num_bytes(ecdsa_sig_r) + BN_num_bytes(ecdsa_sig_s)), data); +#else BN_bn2bin(ecdsa_sig->r, data); BN_bn2bin(ecdsa_sig->s, data+BN_num_bytes(ecdsa_sig->r)); rdf = ldns_rdf_new(LDNS_RDF_TYPE_B64, (size_t)( BN_num_bytes(ecdsa_sig->r) + BN_num_bytes(ecdsa_sig->s)), data); +#endif ECDSA_SIG_free(ecdsa_sig); return rdf; } @@ -1834,6 +1885,10 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_b const ldns_rdf *sig_rdf) { ECDSA_SIG* sig; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *sig_r; + BIGNUM *sig_s; +#endif int raw_sig_len; long bnsize = (long)ldns_rdf_size(sig_rdf) / 2; /* if too short, or not even length, do not bother */ @@ -1843,6 +1898,17 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_b /* use the raw data to parse two evenly long BIGNUMs, "r | s". */ sig = ECDSA_SIG_new(); if(!sig) return LDNS_STATUS_MEM_ERR; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + sig_r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf), + bnsize, NULL); + sig_s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize, + bnsize, NULL); + if(!sig_r || !sig_s) { + ECDSA_SIG_free(sig); + return LDNS_STATUS_MEM_ERR; + } + ECDSA_SIG_set0(sig, sig_r, sig_s); +#else sig->r = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf), bnsize, sig->r); sig->s = BN_bin2bn((const unsigned char*)ldns_rdf_data(sig_rdf)+bnsize, @@ -1851,6 +1917,7 @@ ldns_convert_ecdsa_rrsig_rdf2asn1(ldns_b ECDSA_SIG_free(sig); return LDNS_STATUS_MEM_ERR; } +#endif raw_sig_len = i2d_ECDSA_SIG(sig, NULL); if (ldns_buffer_reserve(target_buffer, (size_t) raw_sig_len)) { Index: ldns-1.6.17/dnssec_sign.c =================================================================== --- ldns-1.6.17.orig/dnssec_sign.c +++ ldns-1.6.17/dnssec_sign.c @@ -127,7 +127,13 @@ ldns_sign_public_buffer(ldns_buffer *sig b64rdf = ldns_sign_public_evp( sign_buf, ldns_key_evp_key(current_key), +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_dss1()); +#else + EVP_sha1()); + /* man 3 EVP_dss1, last sentence + and https://lists.debian.org/debian-devel/2016/06/msg00505.html */ +#endif break; case LDNS_SIGN_RSASHA1: case LDNS_SIGN_RSASHA1_NSEC3: @@ -316,6 +322,10 @@ ldns_sign_public_dsa(ldns_buffer *to_sig uint8_t *data; size_t pad; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *sig_r; + const BIGNUM *sig_s; +#endif b64sig = ldns_buffer_new(LDNS_MAX_PACKETLEN); if (!b64sig) { return NULL; @@ -342,17 +352,35 @@ ldns_sign_public_dsa(ldns_buffer *to_sig } data[0] = 1; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_SIG_get0(sig, &sig_r, NULL); + pad = 20 - (size_t) BN_num_bytes(sig_r); +#else pad = 20 - (size_t) BN_num_bytes(sig->r); +#endif if (pad > 0) { memset(data + 1, 0, pad); } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_bn2bin(sig_r, (unsigned char *) (data + 1) + pad); +#else BN_bn2bin(sig->r, (unsigned char *) (data + 1) + pad); +#endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DSA_SIG_get0(sig, NULL, &sig_s); + pad = 20 - (size_t) BN_num_bytes(sig_s); +#else pad = 20 - (size_t) BN_num_bytes(sig->s); +#endif if (pad > 0) { memset(data + 1 + SHA_DIGEST_LENGTH, 0, pad); } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_bn2bin(sig_s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); +#else BN_bn2bin(sig->s, (unsigned char *) (data + 1 + SHA_DIGEST_LENGTH + pad)); +#endif sigdata_rdf = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, 1 + 2 * SHA_DIGEST_LENGTH, @@ -372,7 +400,11 @@ ldns_pkey_is_ecdsa(EVP_PKEY* pkey) { EC_KEY* ec; const EC_GROUP* g; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if(EVP_PKEY_type(EVP_PKEY_id(pkey)) != EVP_PKEY_EC) +#else if(EVP_PKEY_type(pkey->type) != EVP_PKEY_EC) +#endif return 0; ec = EVP_PKEY_get1_EC_KEY(pkey); g = EC_KEY_get0_group(ec); @@ -401,7 +433,11 @@ ldns_sign_public_evp(ldns_buffer *to_sig unsigned int siglen; ldns_rdf *sigdata_rdf; ldns_buffer *b64sig; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *ctx; +#else EVP_MD_CTX ctx; +#endif const EVP_MD *md_type; int r; @@ -419,19 +455,37 @@ ldns_sign_public_evp(ldns_buffer *to_sig return NULL; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + /* see https://www.openssl.org/news/cl110.txt */ + ctx = EVP_MD_CTX_new(); + if (!ctx) { + return NULL; + } + r = EVP_SignInit(ctx, md_type); + if(r == 1) { + r = EVP_SignUpdate(ctx, (unsigned char*) + ldns_buffer_begin(to_sign), + ldns_buffer_position(to_sign)); +#else EVP_MD_CTX_init(&ctx); r = EVP_SignInit(&ctx, md_type); if(r == 1) { r = EVP_SignUpdate(&ctx, (unsigned char*) ldns_buffer_begin(to_sign), ldns_buffer_position(to_sign)); +#endif } else { ldns_buffer_free(b64sig); return NULL; } if(r == 1) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + r = EVP_SignFinal(ctx, (unsigned char*) + ldns_buffer_begin(b64sig), &siglen, key); +#else r = EVP_SignFinal(&ctx, (unsigned char*) ldns_buffer_begin(b64sig), &siglen, key); +#endif } else { ldns_buffer_free(b64sig); return NULL; @@ -443,10 +497,18 @@ ldns_sign_public_evp(ldns_buffer *to_sig /* unfortunately, OpenSSL output is differenct from DNS DSA format */ #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (EVP_PKEY_type(EVP_PKEY_id(key)) == EVP_PKEY_DSA) { +#else if (EVP_PKEY_type(key->type) == EVP_PKEY_DSA) { +#endif sigdata_rdf = ldns_convert_dsa_rrsig_asn12rdf(b64sig, siglen); #ifdef USE_ECDSA +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + } else if(EVP_PKEY_type(EVP_PKEY_id(key)) == EVP_PKEY_EC && +#else } else if(EVP_PKEY_type(key->type) == EVP_PKEY_EC && +#endif ldns_pkey_is_ecdsa(key)) { sigdata_rdf = ldns_convert_ecdsa_rrsig_asn12rdf(b64sig, siglen); #endif @@ -457,7 +519,12 @@ ldns_sign_public_evp(ldns_buffer *to_sig } #endif /* splint */ ldns_buffer_free(b64sig); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX_free(ctx); + /* see https://www.openssl.org/news/cl110.txt */ +#else EVP_MD_CTX_cleanup(&ctx); +#endif return sigdata_rdf; } Index: ldns-1.6.17/dnssec_verify.c =================================================================== --- ldns-1.6.17.orig/dnssec_verify.c +++ ldns-1.6.17/dnssec_verify.c @@ -2485,9 +2485,31 @@ ldns_status ldns_verify_rrsig_evp_raw(unsigned char *sig, size_t siglen, ldns_buffer *rrset, EVP_PKEY *key, const EVP_MD *digest_type) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *ctx; +#else EVP_MD_CTX ctx; +#endif int res; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + /* see https://www.openssl.org/news/cl110.txt */ + ctx = EVP_MD_CTX_new(); + if (!ctx) { + /* TODO how to communicate internal SSL error? + let caller use ssl's get_error() */ + return LDNS_STATUS_SSL_ERR; + } + EVP_VerifyInit(ctx, digest_type); + EVP_VerifyUpdate(ctx, + ldns_buffer_begin(rrset), + ldns_buffer_position(rrset)); + + res = EVP_VerifyFinal(ctx, sig, (unsigned int) siglen, key); + + /* see https://www.openssl.org/news/cl110.txt */ + EVP_MD_CTX_free(ctx); +#else EVP_MD_CTX_init(&ctx); EVP_VerifyInit(&ctx, digest_type); @@ -2497,6 +2519,7 @@ ldns_verify_rrsig_evp_raw(unsigned char res = EVP_VerifyFinal(&ctx, sig, (unsigned int) siglen, key); EVP_MD_CTX_cleanup(&ctx); +#endif if (res == 1) { return LDNS_STATUS_OK; @@ -2554,7 +2577,13 @@ ldns_verify_rrsig_dsa_raw(unsigned char* siglen, rrset, evp_key, +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_dss1()); +#else + /* man 3 EVP_dss1, last sentence + and https://lists.debian.org/debian-devel/2016/06/msg00505.html */ + EVP_sha1()); +#endif } else { result = LDNS_STATUS_SSL_ERR; } Index: ldns-1.6.17/host2str.c =================================================================== --- ldns-1.6.17.orig/host2str.c +++ ldns-1.6.17/host2str.c @@ -2011,7 +2011,22 @@ ldns_key2buffer_str(ldns_buffer *output, * print to buf */ ldns_buffer_printf(output, "Modulus: "); #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *rsa_n; + const BIGNUM *rsa_e; + const BIGNUM *rsa_d; + const BIGNUM *rsa_p; + const BIGNUM *rsa_q; + const BIGNUM *rsa_dmp1; + const BIGNUM *rsa_dmq1; + const BIGNUM *rsa_iqmp; + RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); + RSA_get0_factors(rsa, &rsa_p, &rsa_q); + RSA_get0_crt_params(rsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp); + i = (uint16_t)BN_bn2bin(rsa_n, bignum); +#else i = (uint16_t)BN_bn2bin(rsa->n, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2023,7 +2038,11 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_rdf_deep_free(b64_bignum); ldns_buffer_printf(output, "\n"); ldns_buffer_printf(output, "PublicExponent: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + i = (uint16_t)BN_bn2bin(rsa_e, bignum); +#else i = (uint16_t)BN_bn2bin(rsa->e, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2036,8 +2055,13 @@ ldns_key2buffer_str(ldns_buffer *output, ldns_buffer_printf(output, "\n"); ldns_buffer_printf(output, "PrivateExponent: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (rsa_d) { + i = (uint16_t)BN_bn2bin(rsa_d, bignum); +#else if (rsa->d) { i = (uint16_t)BN_bn2bin(rsa->d, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2053,8 +2077,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Prime1: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (rsa_p) { + i = (uint16_t)BN_bn2bin(rsa_p, bignum); +#else if (rsa->p) { i = (uint16_t)BN_bn2bin(rsa->p, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2070,8 +2099,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Prime2: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (rsa_q) { + i = (uint16_t)BN_bn2bin(rsa_q, bignum); +#else if (rsa->q) { i = (uint16_t)BN_bn2bin(rsa->q, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2087,8 +2121,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Exponent1: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (rsa_dmp1) { + i = (uint16_t)BN_bn2bin(rsa_dmp1, bignum); +#else if (rsa->dmp1) { i = (uint16_t)BN_bn2bin(rsa->dmp1, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2104,8 +2143,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Exponent2: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (rsa_dmq1) { + i = (uint16_t)BN_bn2bin(rsa_dmq1, bignum); +#else if (rsa->dmq1) { i = (uint16_t)BN_bn2bin(rsa->dmq1, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2121,8 +2165,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Coefficient: "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (rsa_iqmp) { + i = (uint16_t)BN_bn2bin(rsa_iqmp, bignum); +#else if (rsa->iqmp) { i = (uint16_t)BN_bn2bin(rsa->iqmp, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2155,8 +2204,20 @@ ldns_key2buffer_str(ldns_buffer *output, * print to buf */ ldns_buffer_printf(output, "Prime(p): "); #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *dsa_p; + const BIGNUM *dsa_q; + const BIGNUM *dsa_g; + const BIGNUM *dsa_pub_key; + const BIGNUM *dsa_priv_key; + DSA_get0_pqg(dsa, &dsa_p, &dsa_q, &dsa_g); + DSA_get0_key(dsa, &dsa_pub_key, &dsa_priv_key); + if (dsa_p) { + i = (uint16_t)BN_bn2bin(dsa_p, bignum); +#else if (dsa->p) { i = (uint16_t)BN_bn2bin(dsa->p, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2172,8 +2233,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Subprime(q): "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (dsa_q) { + i = (uint16_t)BN_bn2bin(dsa_q, bignum); +#else if (dsa->q) { i = (uint16_t)BN_bn2bin(dsa->q, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2189,8 +2255,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Base(g): "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (dsa_g) { + i = (uint16_t)BN_bn2bin(dsa_g, bignum); +#else if (dsa->g) { i = (uint16_t)BN_bn2bin(dsa->g, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2206,8 +2277,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Private_value(x): "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (dsa_priv_key) { + i = (uint16_t)BN_bn2bin(dsa_priv_key, bignum); +#else if (dsa->priv_key) { i = (uint16_t)BN_bn2bin(dsa->priv_key, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } @@ -2223,8 +2299,13 @@ ldns_key2buffer_str(ldns_buffer *output, } ldns_buffer_printf(output, "Public_value(y): "); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (dsa_pub_key) { + i = (uint16_t)BN_bn2bin(dsa_pub_key, bignum); +#else if (dsa->pub_key) { i = (uint16_t)BN_bn2bin(dsa->pub_key, bignum); +#endif if (i > LDNS_MAX_KEYLEN) { goto error; } Index: ldns-1.6.17/keys.c =================================================================== --- ldns-1.6.17.orig/keys.c +++ ldns-1.6.17/keys.c @@ -556,6 +556,16 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * RSA *rsa; uint8_t *buf; int i; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *rsa_n = NULL; + BIGNUM *rsa_e = NULL; + BIGNUM *rsa_d = NULL; + BIGNUM *rsa_p = NULL; + BIGNUM *rsa_q = NULL; + BIGNUM *rsa_dmp1 = NULL; + BIGNUM *rsa_dmq1 = NULL; + BIGNUM *rsa_iqmp = NULL; +#endif d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); @@ -574,8 +584,13 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_n = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_n) { +#else rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->n) { +#endif goto error; } @@ -584,8 +599,13 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_e = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_e) { +#else rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->e) { +#endif goto error; } @@ -594,18 +614,33 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_d = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_d) { +#else rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->d) { +#endif + goto error; + } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!RSA_set0_key(rsa, rsa_n, rsa_e, rsa_d)) { goto error; } +#endif /* Prime1, rsa->p */ if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_p = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_p) { +#else rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->p) { +#endif goto error; } @@ -614,18 +649,33 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_q = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_q) { +#else rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->q) { +#endif + goto error; + } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!RSA_set0_factors(rsa, rsa_p, rsa_q)) { goto error; } +#endif /* Exponent1, rsa->dmp1 */ if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_dmp1) { +#else rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->dmp1) { +#endif goto error; } @@ -634,8 +684,13 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_dmq1) { +#else rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->dmq1) { +#endif goto error; } @@ -644,10 +699,20 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + rsa_iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!rsa_iqmp) { +#else rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!rsa->iqmp) { +#endif + goto error; + } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!(RSA_set0_crt_params(rsa, rsa_dmp1, rsa_dmq1, rsa_iqmp))) { goto error; } +#endif #endif /* splint */ LDNS_FREE(buf); @@ -655,6 +720,16 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int * return rsa; error: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_free(rsa_n); + BN_free(rsa_e); + BN_free(rsa_d); + BN_free(rsa_p); + BN_free(rsa_q); + BN_free(rsa_dmp1); + BN_free(rsa_dmq1); + BN_free(rsa_iqmp); +#endif RSA_free(rsa); LDNS_FREE(d); LDNS_FREE(buf); @@ -675,6 +750,14 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_ DSA *dsa; uint8_t *buf; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *dsa_p = NULL; + BIGNUM *dsa_q = NULL; + BIGNUM *dsa_g = NULL; + BIGNUM *dsa_priv_key = NULL; + BIGNUM *dsa_pub_key = NULL; +#endif + d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); dsa = DSA_new(); @@ -690,8 +773,13 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_ } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + dsa_p = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa_p) { +#else dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!dsa->p) { +#endif goto error; } @@ -700,8 +788,13 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_ goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + dsa_q = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa_q) { +#else dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!dsa->q) { +#endif goto error; } @@ -710,18 +803,33 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_ goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + dsa_g = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa_g) { +#else dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!dsa->g) { +#endif + goto error; + } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!(DSA_set0_pqg(dsa, dsa_p, dsa_q, dsa_g))) { goto error; } +#endif /* Private key, dsa->priv_key */ if (ldns_fget_keyword_data_l(f, "Private_valuex", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + dsa_priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa_priv_key) { +#else dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!dsa->priv_key) { +#endif goto error; } @@ -730,10 +838,20 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_ goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + dsa_pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dsa_pub_key) { +#else dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); if (!dsa->pub_key) { +#endif + goto error; + } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if (!(DSA_set0_key(dsa, dsa_pub_key, dsa_priv_key))) { goto error; } +#endif #endif /* splint */ LDNS_FREE(buf); @@ -742,6 +860,13 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_ return dsa; error: +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_free(dsa_p); + BN_free(dsa_q); + BN_free(dsa_g); + BN_free(dsa_priv_key); + BN_free(dsa_pub_key); +#endif LDNS_FREE(d); LDNS_FREE(buf); DSA_free(dsa); @@ -825,6 +950,9 @@ ldns_key_new_frm_algorithm(ldns_signing_ # ifdef USE_ECDSA EC_KEY *ec = NULL; # endif +# if OPENSSL_VERSION_NUMBER >= 0x10100000L + BIGNUM *e = BN_new(); +# endif #else int i; uint16_t offset = 0; @@ -842,8 +970,15 @@ ldns_key_new_frm_algorithm(ldns_signing_ case LDNS_SIGN_RSASHA256: case LDNS_SIGN_RSASHA512: #ifdef HAVE_SSL +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_set_word(e, RSA_F4); + r = RSA_new(); /* TODO: RSA_new() may fail */ + if (!BN_set_word(e, RSA_F4) || !RSA_generate_key_ex(r, (int)size, e, NULL)) { + BN_free(e); +#else r = RSA_generate_key((int)size, RSA_F4, NULL, NULL); if(!r) { +#endif ldns_key_free(k); return NULL; } @@ -858,8 +993,13 @@ ldns_key_new_frm_algorithm(ldns_signing_ case LDNS_SIGN_DSA: case LDNS_SIGN_DSA_NSEC3: #ifdef HAVE_SSL +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + d = DSA_new(); /* TODO: DSA_new() may fail */ + if (!DSA_generate_parameters_ex(d, (int)size, NULL, 0, NULL, NULL, NULL)) { +#else d = DSA_generate_parameters((int)size, NULL, 0, NULL, NULL, NULL, NULL); if (!d) { +#endif ldns_key_free(k); return NULL; } @@ -1289,6 +1429,18 @@ ldns_key_rsa2bin(unsigned char *data, RS return false; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *k_n; + const BIGNUM *k_e; + RSA_get0_key(k, &k_n, &k_e, NULL); + if (BN_num_bytes(k_e) <= 256) { + /* normally only this path is executed (small factors are + * more common + */ + data[0] = (unsigned char) BN_num_bytes(k_e); + i = BN_bn2bin(k_e, data + 1); + j = BN_bn2bin(k_n, data + i + 1); +#else if (BN_num_bytes(k->e) <= 256) { /* normally only this path is executed (small factors are * more common @@ -1296,15 +1448,28 @@ ldns_key_rsa2bin(unsigned char *data, RS data[0] = (unsigned char) BN_num_bytes(k->e); i = BN_bn2bin(k->e, data + 1); j = BN_bn2bin(k->n, data + i + 1); +#endif *size = (uint16_t) i + j; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + } else if (BN_num_bytes(k_e) <= 65536) { +#else } else if (BN_num_bytes(k->e) <= 65536) { +#endif data[0] = 0; /* BN_bn2bin does bigendian, _uint16 also */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k_e)); + + BN_bn2bin(k_e, data + 3); + BN_bn2bin(k_n, data + 4 + BN_num_bytes(k_e)); + *size = (uint16_t) BN_num_bytes(k_n) + 6; +#else ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e)); BN_bn2bin(k->e, data + 3); BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e)); *size = (uint16_t) BN_num_bytes(k->n) + 6; +#endif } else { return false; } @@ -1322,7 +1487,17 @@ ldns_key_dsa2bin(unsigned char *data, DS } /* See RFC2536 */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + const BIGNUM *k_p; + const BIGNUM *k_q; + const BIGNUM *k_g; + const BIGNUM *k_pub_key; + DSA_get0_pqg(k, &k_p, &k_q, &k_g); + DSA_get0_key(k, &k_pub_key, NULL); + *size = (uint16_t)BN_num_bytes(k_p); +#else *size = (uint16_t)BN_num_bytes(k->p); +#endif T = (*size - 64) / 8; memcpy(data, &T, 1); @@ -1336,10 +1511,17 @@ ldns_key_dsa2bin(unsigned char *data, DS /* size = 64 + (T * 8); */ data[0] = (unsigned char)T; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + BN_bn2bin(k_q, data + 1 ); /* 20 octects */ + BN_bn2bin(k_p, data + 21 ); /* offset octects */ + BN_bn2bin(k_g, data + 21 + *size); /* offset octets */ + BN_bn2bin(k_pub_key, data + 21 + *size + *size); /* offset octets */ +#else BN_bn2bin(k->q, data + 1 ); /* 20 octects */ BN_bn2bin(k->p, data + 21 ); /* offset octects */ BN_bn2bin(k->g, data + 21 + *size); /* offset octets */ BN_bn2bin(k->pub_key, data + 21 + *size + *size); /* offset octets */ +#endif *size = 21 + (*size * 3); return true; } Index: ldns-1.6.17/examples/ldns-dane.c =================================================================== --- ldns-1.6.17.orig/examples/ldns-dane.c +++ ldns-1.6.17/examples/ldns-dane.c @@ -1637,8 +1637,12 @@ main(int argc, char* const* argv) ssl_err("could not SSL_get_certificate"); } #ifndef S_SPLINT_S +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + extra_certs = X509_STORE_CTX_get1_chain(ctx); +#else extra_certs = ctx->extra_certs; #endif +#endif switch (mode) { case CREATE: dane_create(tlsas, tlsa_owner, certificate_usage, Index: ldns-1.6.17/drill/drill.c =================================================================== --- ldns-1.6.17.orig/drill/drill.c +++ ldns-1.6.17/drill/drill.c @@ -974,7 +974,11 @@ main(int argc, char *argv[]) xfree(tsig_algorithm); #ifdef HAVE_SSL +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ERR_remove_thread_state(NULL); +#else ERR_remove_state(0); +#endif CRYPTO_cleanup_all_ex_data(); ERR_free_strings(); EVP_cleanup(); Index: ldns-1.6.17/examples/ldns-signzone.c =================================================================== --- ldns-1.6.17.orig/examples/ldns-signzone.c +++ ldns-1.6.17/examples/ldns-signzone.c @@ -376,7 +376,12 @@ main(int argc, char *argv[]) keys = ldns_key_list_new(); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN, NULL); + /* TODO: is OPENSSL_INIT_ENGINE_ALL_BUILTIN a good selection? */ +#else OPENSSL_config(NULL); +#endif while ((c = getopt(argc, argv, "a:bde:f:i:k:no:ps:t:vAE:K:")) != -1) { switch (c) {
