From: Felix Dörre Date: Fri, 2 Dec 2016 11:31:19 +0000 (+0000) Subject: upd: port src to openssl 1.1 X-Git-Url: http://www.controwiki.de/?a=commitdiff_plain;h=3a45e813dfbb75ac7f9069b9799d2c5ac9e47140;p=cassiopeia.git upd: port src to openssl 1.1 --- diff --git a/src/apps/client.cpp b/src/apps/client.cpp index 9a7add6..ad4e6b5 100644 --- a/src/apps/client.cpp +++ b/src/apps/client.cpp @@ -16,6 +16,7 @@ #include "io/bios.h" #include "io/slipBio.h" #include "config.h" +#include #ifdef NO_DAEMON #define DAEMON false @@ -81,7 +82,8 @@ int main( int argc, const char* argv[] ) { } std::shared_ptr jp = std::make_shared( sqlHost, sqlUser, sqlPass, sqlDB ); std::shared_ptr b = openSerial( serialPath ); - std::shared_ptr slip1( BIO_new( toBio() ), BIO_free ); + std::shared_ptr m( toBio(), BIO_meth_free); + std::shared_ptr slip1( BIO_new( m.get() ), BIO_free ); static_cast( slip1->ptr )->setTarget( std::make_shared( b ), false ); auto sign = std::make_shared( slip1, generateSSLContext( false ) ); // std::shared_ptr sign( new SimpleOpensslSigner() ); diff --git a/src/crypto/CRL.cpp b/src/crypto/CRL.cpp index 41fbe8b..f7aa6a5 100644 --- a/src/crypto/CRL.cpp +++ b/src/crypto/CRL.cpp @@ -42,11 +42,9 @@ std::string CRL::revoke( std::string serial, std::string time ) { X509_REVOKED_set_serialNumber( rev, ser.get() ); if( time != "" ) { - const unsigned char* data = ( unsigned char* )( time.data() ); - d2i_ASN1_TIME( &rev->revocationDate, &data, time.size() ); - } else { - X509_REVOKED_set_revocationDate( rev, tmptm.get() ); + ASN1_TIME_set_string( tmptm.get(), time.data() ); } + X509_REVOKED_set_revocationDate( rev, tmptm.get() ); X509_CRL_add0_revoked( crl.get(), rev ); @@ -107,17 +105,21 @@ std::string CRL::toString() { } std::string CRL::getSignature() { - int len = i2d_X509_ALGOR( crl->sig_alg, NULL ); - len += i2d_ASN1_BIT_STRING( crl->signature, NULL ); - len += i2d_ASN1_TIME( crl->crl->lastUpdate, NULL ); - len += i2d_ASN1_TIME( crl->crl->nextUpdate, NULL ); + const X509_ALGOR *palg; + const ASN1_BIT_STRING *psig; + + X509_CRL_get0_signature(crl.get(), &psig, &palg); + int len = i2d_X509_ALGOR( const_cast(palg), NULL ); + len += i2d_ASN1_BIT_STRING( const_cast(psig), NULL ); + len += i2d_ASN1_TIME( const_cast(X509_CRL_get0_lastUpdate(crl.get())), NULL ); + len += i2d_ASN1_TIME( const_cast(X509_CRL_get0_nextUpdate(crl.get())), NULL ); unsigned char* buffer = ( unsigned char* ) OPENSSL_malloc( len ); unsigned char* pos = buffer; - i2d_X509_ALGOR( crl->sig_alg, &pos ); - i2d_ASN1_BIT_STRING( crl->signature, &pos ); - i2d_ASN1_TIME( crl->crl->lastUpdate, &pos ); - i2d_ASN1_TIME( crl->crl->nextUpdate, &pos ); + i2d_X509_ALGOR( const_cast(palg), &pos ); + i2d_ASN1_BIT_STRING( const_cast(psig), &pos ); + i2d_ASN1_TIME( const_cast(X509_CRL_get0_lastUpdate(crl.get())), &pos ); + i2d_ASN1_TIME( const_cast(X509_CRL_get0_nextUpdate(crl.get())), &pos ); std::string res = std::string( ( char* ) buffer, len ); OPENSSL_free( buffer ); @@ -126,19 +128,33 @@ std::string CRL::getSignature() { void CRL::setSignature( std::string signature ) { X509_CRL_sort( crl.get() ); + X509_ALGOR *palg; + ASN1_BIT_STRING *psig; + // this is not intended use of the OPENSSL-API but API-limitations leave us with no other options. + X509_CRL_get0_signature(crl.get(), const_cast(&psig), const_cast(&palg)); + const unsigned char* data = ( unsigned char* )( signature.data() ); const unsigned char* buffer = data; - d2i_X509_ALGOR( &crl->sig_alg, &buffer, signature.size() ); - d2i_ASN1_BIT_STRING( &crl->signature, &buffer, signature.size() + data - buffer ); - d2i_ASN1_TIME( &crl->crl->lastUpdate, &buffer, signature.size() + data - buffer ); - d2i_ASN1_TIME( &crl->crl->nextUpdate, &buffer, signature.size() + data - buffer ); + X509_ALGOR *alg = d2i_X509_ALGOR( NULL, &buffer, signature.size() ); + ASN1_BIT_STRING *sig = d2i_ASN1_BIT_STRING( NULL, &buffer, signature.size() + data - buffer ); + ASN1_TIME *a1 = d2i_ASN1_TIME( NULL, &buffer, signature.size() + data - buffer ); + ASN1_TIME *a2 = d2i_ASN1_TIME( NULL, &buffer, signature.size() + data - buffer ); + *palg = *alg; + *psig = *sig; + X509_CRL_set1_lastUpdate( crl.get(), a1); + X509_CRL_set1_nextUpdate( crl.get(), a2); + + //X509_ALGOR_free(alg); + //ASN1_BIT_STRING_free(sig); + ASN1_TIME_free(a1); + ASN1_TIME_free(a2); } bool CRL::needsResign() { time_t current; time( ¤t ); current += 60 * 60;// 1 hour - auto time = X509_CRL_get_nextUpdate( crl.get() ); + auto time = X509_CRL_get0_nextUpdate( crl.get() ); if( !time ) { return true; diff --git a/src/crypto/X509.cpp b/src/crypto/X509.cpp index 1c78a51..37bb900 100644 --- a/src/crypto/X509.cpp +++ b/src/crypto/X509.cpp @@ -133,7 +133,9 @@ void X509Cert::setPubkeyFrom( std::shared_ptr req ) { } void X509Cert::setSerialNumber( BIGNUM* num ) { - BN_to_ASN1_INTEGER( num , target->cert_info->serialNumber ); + ASN1_INTEGER *i = BN_to_ASN1_INTEGER( num, NULL); + X509_set_serialNumber(target.get(), i); + ASN1_INTEGER_free(i); } void X509Cert::setTimes( uint32_t before, uint32_t after ) { @@ -154,7 +156,7 @@ static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc goto merr; } - if( !( ext_oct = M_ASN1_OCTET_STRING_new() ) ) { + if( !( ext_oct = ASN1_OCTET_STRING_new() ) ) { goto merr; } @@ -167,7 +169,7 @@ static X509_EXTENSION* do_ext_i2d( int ext_nid, int crit, ASN1_VALUE* ext_struc goto merr; } - M_ASN1_OCTET_STRING_free( ext_oct ); + ASN1_OCTET_STRING_free( ext_oct ); return ext; merr: @@ -206,7 +208,7 @@ void X509Cert::setExtensions( std::shared_ptr caCert, std::vectortype = name->type == "DNS" ? GEN_DNS : name->type == "email" ? GEN_EMAIL : 0; // GEN_EMAIL; if( !gen->type - || !( gen->d.ia5 = M_ASN1_IA5STRING_new() ) + || !( gen->d.ia5 = ASN1_IA5STRING_new() ) || !ASN1_STRING_set( gen->d.ia5, name->content.data(), name->content.size() ) ) { GENERAL_NAME_free( gen ); throw std::runtime_error("initing iasting5 failed"); @@ -260,7 +262,7 @@ std::shared_ptr X509Cert::sign( std::shared_ptr caK auto res = std::make_shared(); res->certificate = std::string( buf->data, buf->data + buf->length ); - std::shared_ptr ser( ASN1_INTEGER_to_BN( target->cert_info->serialNumber, NULL ), BN_free ); + std::shared_ptr ser( ASN1_INTEGER_to_BN( X509_get_serialNumber(target.get()), NULL ), BN_free ); if( !ser ) { throw std::runtime_error("Failed to retrieve certificate serial of signed certificate."); diff --git a/src/crypto/remoteSigner.cpp b/src/crypto/remoteSigner.cpp index 1c32ba0..a953458 100644 --- a/src/crypto/remoteSigner.cpp +++ b/src/crypto/remoteSigner.cpp @@ -114,13 +114,13 @@ std::shared_ptr RemoteSigner::sign( std::shared_ptr pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ) ); + std::shared_ptr pem( PEM_read_bio_X509( bios.get(), NULL, 0, NULL ), X509_free ); if( !pem ) { throw std::runtime_error("Pem was not readable"); } - std::shared_ptr ser( ASN1_INTEGER_to_BN( pem->cert_info->serialNumber, NULL ), BN_free ); + std::shared_ptr ser( ASN1_INTEGER_to_BN( X509_get_serialNumber(pem.get()), NULL), BN_free ); std::shared_ptr serStr( BN_bn2hex( ser.get() ), []( char* p ) { diff --git a/src/crypto/sslUtil.cpp b/src/crypto/sslUtil.cpp index 39df1ff..3b63769 100644 --- a/src/crypto/sslUtil.cpp +++ b/src/crypto/sslUtil.cpp @@ -91,7 +91,7 @@ static std::shared_ptr dh_param; std::shared_ptr generateSSLContext( bool server ) { std::shared_ptr ctx = std::shared_ptr( - SSL_CTX_new( TLSv1_2_method() ), + SSL_CTX_new( TLS_method() ), []( SSL_CTX* p ) { SSL_CTX_free( p ); } ); @@ -125,14 +125,13 @@ std::shared_ptr generateSSLContext( bool server ) { } else { dh_param = std::shared_ptr( DH_new(), DH_free ); logger::note( "Generating DH params" ); - BN_GENCB cb; - cb.ver = 2; - cb.arg = 0; - cb.cb.cb_2 = gencb; + BN_GENCB *cb = BN_GENCB_new(); + BN_GENCB_set(cb, gencb, NULL); - if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, &cb ) ) { + if( !DH_generate_parameters_ex( dh_param.get(), 2048, 5, cb ) ) { throw std::runtime_error("DH generation failed"); } + BN_GENCB_free(cb); std::cout << std::endl; paramfile = std::shared_ptr( fopen( "dh_param.pem", "w" ), fclose ); @@ -194,7 +193,7 @@ extern std::string crtPrefix; CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name ) { ca = loadX509FromFile( path + "/ca.crt" ); caKey = loadPkeyFromFile( path + "/ca.key" ); - ASN1_TIME* tm = X509_get_notBefore( ca ); + ASN1_TIME* tm = X509_get_notBefore( ca.get() ); notBefore = std::shared_ptr( tm, ASN1_TIME_free ); std::size_t pos = name.find("_"); if (pos == std::string::npos) { @@ -210,7 +209,7 @@ CAConfig::CAConfig( const std::string& name ) : path( "ca/" + name ), name( name std::string timeToString( std::shared_ptr time ) { std::shared_ptr gtime( ASN1_TIME_to_generalizedtime( time.get(), 0 ) ); - std::string strdate( ( char* ) ASN1_STRING_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) ); + std::string strdate( ( char* ) ASN1_STRING_get0_data( gtime.get() ), ASN1_STRING_length( gtime.get() ) ); logger::notef("openssl formatted me a date: %s", strdate); if( strdate[strdate.size() - 1] != 'Z' ) { diff --git a/src/crypto/sslUtil.h b/src/crypto/sslUtil.h index 0799899..569c200 100644 --- a/src/crypto/sslUtil.h +++ b/src/crypto/sslUtil.h @@ -2,6 +2,7 @@ #include #include +#include #include #include #include diff --git a/src/io/bios.h b/src/io/bios.h index e1f26b4..b1acf18 100644 --- a/src/io/bios.h +++ b/src/io/bios.h @@ -2,6 +2,27 @@ #include +struct bio_st { + const BIO_METHOD *method; + /* bio, mode, argp, argi, argl, ret */ + long (*callback) (struct bio_st *, int, const char *, int, long, long); + char *cb_arg; /* first argument for the callback */ + int init; + int shutdown; + int flags; /* extra storage */ + int retry_reason; + int num; + void *ptr; + struct bio_st *next_bio; /* used by filter BIOs */ + struct bio_st *prev_bio; /* used by filter BIOs */ + int references; + uint64_t num_read; + uint64_t num_write; + CRYPTO_EX_DATA ex_data; + CRYPTO_RWLOCK *lock; +}; + + #define BIO_TYPE_CUSTOM 0xff class OpensslBIO { @@ -47,18 +68,14 @@ BIO_METHOD* toBio() { template BIO_METHOD* toBio( int ( *newfunc )( BIO* ) ) { - static BIO_METHOD new_method = { - T::typeID, - T::getName(), - BIOWrapper::write, - BIOWrapper::read, - BIOWrapper::puts, - BIOWrapper::gets, - BIOWrapper::ctrl, - newfunc, - BIOWrapper::free, - NULL, - }; - - return &new_method; + BIO_METHOD *meth = BIO_meth_new(T::typeID, T::getName()); + BIO_meth_set_write(meth, BIOWrapper::write); + BIO_meth_set_read(meth, BIOWrapper::read); + BIO_meth_set_puts(meth, BIOWrapper::puts); + BIO_meth_set_gets(meth, BIOWrapper::gets); + BIO_meth_set_ctrl(meth, BIOWrapper::ctrl); + BIO_meth_set_destroy(meth, BIOWrapper::free); + BIO_meth_set_create(meth, newfunc); + + return meth; }