From 54264f4ccd9b8080cb33af5e15374c583a3262d2 Mon Sep 17 00:00:00 2001 From: Sumant Gupta Date: Thu, 4 Jul 2019 14:17:06 +0530 Subject: [PATCH 1/2] OpenSSL-1-1-1 support This patch provides support for compiling libEST for OpenSSL-1.1.1 OpenSSL version is: OpenSSL 1.1.1 11 Sep 2018 --- example/client/estclient.c | 19 ++++++++- example/proxy/estproxy.c | 13 +++++- example/server/estserver.c | 26 ++++++++++++ example/server/ossl_srv.c | 61 +++++++++++++++++++++++++--- example/util/utils.c | 4 ++ src/est/est.c | 8 ++++ src/est/est.h | 20 ++++++++- src/est/est_client.c | 83 +++++++++++++++++++++++++++++++++++++- src/est/est_locl.h | 6 +++ src/est/est_ossl_util.c | 6 +++ src/est/est_server.c | 20 ++++++++- 11 files changed, 253 insertions(+), 13 deletions(-) diff --git a/example/client/estclient.c b/example/client/estclient.c index ea3336a..bcdc1c7 100644 --- a/example/client/estclient.c +++ b/example/client/estclient.c @@ -368,7 +368,14 @@ static int client_manual_cert_verify(X509 *cur_cert, int openssl_cert_error) * This fingerprint can be checked against the anticipated value to determine * whether or not the server's cert should be approved. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L X509_signature_print(bio_err, cur_cert->sig_alg, cur_cert->signature); +#else + const ASN1_BIT_STRING *asn1_sig = NULL; + const X509_ALGOR *sig_type = NULL; + X509_get0_signature(&asn1_sig, &sig_type, cur_cert); + X509_signature_print(bio_err, sig_type, asn1_sig); +#endif BIO_free(bio_err); @@ -398,7 +405,11 @@ static X509_REQ *read_csr (char *csr_file) /* * Read in the csr */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L csrin = BIO_new(BIO_s_file_internal()); +#else + csrin = BIO_new(BIO_s_file()); +#endif if (BIO_read_filename(csrin, csr_file) <= 0) { printf("\nUnable to read CSR file %s\n", csr_file); return (NULL); 
@@ -758,7 +769,6 @@ static void worker_thread (void *ptr) exit(1); } - if (srp) { rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd); if (rv != EST_ERR_NONE) { @@ -766,7 +776,6 @@ static void worker_thread (void *ptr) exit(1); } } - if (token_auth_mode) { rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb); if (rv != EST_ERR_NONE) { @@ -935,7 +944,9 @@ static void worker_thread (void *ptr) if (verbose) printf("\nEnding thread %d", tctx->thread_id); free(tctx); ERR_clear_error(); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ERR_remove_thread_state(NULL); +#endif } @@ -1275,7 +1286,11 @@ int main (int argc, char **argv) * Read in the current client certificate */ if (client_cert_file[0]) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L certin = BIO_new(BIO_s_file_internal()); +#else + certin = BIO_new(BIO_s_file()); +#endif if (BIO_read_filename(certin, client_cert_file) <= 0) { printf("\nUnable to read client certificate file %s\n", client_cert_file); exit(1); diff --git a/example/proxy/estproxy.c b/example/proxy/estproxy.c index 74890dd..0c10546 100644 --- a/example/proxy/estproxy.c +++ b/example/proxy/estproxy.c @@ -269,8 +269,11 @@ static int process_ssl_srp_auth (SSL *s, int *ad, void *arg) if (!login) return (-1); - +#if OPENSSL_VERSION_NUMBER < 0x10100000L user = SRP_VBASE_get_by_user(srp_db, login); +#else + user = SRP_VBASE_get1_by_user(srp_db, login); +#endif if (user == NULL) { printf("User doesn't exist in SRP database\n"); @@ -494,7 +497,11 @@ int main (int argc, char **argv) /* * Read in the local server certificate */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L certin = BIO_new(BIO_s_file_internal()); +#else + certin = BIO_new(BIO_s_file()); +#endif if (BIO_read_filename(certin, certfile) <= 0) { printf("\nUnable to read server certificate file %s\n", certfile); exit(1); 
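Review bot: On the OpenSSL ≥ 1.1 branch of process_ssl_srp_auth, `SRP_VBASE_get1_by_user()` returns a newly allocated copy that the caller must release with `SRP_user_pwd_free()`, whereas the `SRP_VBASE_get_by_user()` it replaces returned a pointer owned by the verifier database; nothing in the hunk frees `user`, so unless the rest of the function (outside the hunk) does, every SRP login leaks one entry on that build. Add `SRP_user_pwd_free(user);` on the ≥ 1.1 path once the parameters have been handed to the SSL object, on both the success and the failure exits. The same substitution is made in example/server/estserver.c (hunk @@ -859) and needs the same release.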
@@ -514,7 +521,11 @@ int main (int argc, char **argv) /* * Read in the server's private key */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L keyin = BIO_new(BIO_s_file_internal()); +#else + keyin = BIO_new(BIO_s_file()); +#endif if (BIO_read_filename(keyin, keyfile) <= 0) { printf("\nUnable to read server private key file %s\n", keyfile); exit(1); diff --git a/example/server/estserver.c b/example/server/estserver.c index a5dcf5c..14b6297 100644 --- a/example/server/estserver.c +++ b/example/server/estserver.c @@ -144,6 +144,7 @@ static DH *get_dh1024dsa () if ((dh = DH_new()) == NULL) { return (NULL); } +#if OPENSSL_VERSION_NUMBER < 0x10100000L dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); if ((dh->p == NULL) || (dh->g == NULL)) { @@ -151,6 +152,18 @@ static DH *get_dh1024dsa () return (NULL); } dh->length = 160; +#else + BIGNUM * const dh_p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL); + BIGNUM * const dh_g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL); + if ((dh_p == NULL) || (dh_g == NULL) || !DH_set0_pqg(dh, dh_p, NULL, dh_g)) { + DH_free(dh); + return (NULL); + } + long bits =160; + if (DH_get_length(dh) > 0) { + DH_set_length(dh, bits); + } +#endif return (dh); } @@ -276,7 +289,11 @@ int lookup_pkcs10_request (unsigned char *pkcs10, int p10_len) * would do this lookup. But this should be good enough for * testing the retry-after logic. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L pkey = X509_PUBKEY_get(req->req_info->pubkey); +#else + pkey = X509_PUBKEY_get(X509_REQ_get_X509_PUBKEY(req)); +#endif if (!pkey) { rv = 1; goto DONE; @@ -859,7 +876,11 @@ static int process_ssl_srp_auth (SSL *s, int *ad, void *arg) if (!login) return (-1); +#if OPENSSL_VERSION_NUMBER < 0x10100000L user = SRP_VBASE_get_by_user(srp_db, login); +#else + user = SRP_VBASE_get1_by_user(srp_db, login); +#endif if (user == NULL) { printf("User doesn't exist in SRP database\n"); 
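Review bot: In get_dh1024dsa the OpenSSL ≥ 1.1 branch never applies the subgroup length: `DH_get_length()` on the freshly created `dh` is 0, so the `if (DH_get_length(dh) > 0)` guard skips `DH_set_length()`, while the older branch sets `dh->length = 160` unconditionally. Replace the guarded block with a plain `DH_set_length(dh, 160);` (checking its return like the neighbouring calls). On the same branch, when `DH_set0_pqg()` fails the two BIGNUMs are still owned by this function, so `BN_free(dh_p); BN_free(dh_g);` belong before the `DH_free(dh)` on that error path.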
@@ -1138,7 +1159,12 @@ int main (int argc, char **argv) /* * Read in the local server certificate */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L certin = BIO_new(BIO_s_file_internal()); +#else + certin = BIO_new(BIO_s_file()); +#endif + if (BIO_read_filename(certin, certfile) <= 0) { printf("\nUnable to read server certificate file %s\n", certfile); exit(1); diff --git a/example/server/ossl_srv.c b/example/server/ossl_srv.c index 0b9abd0..f32773b 100644 --- a/example/server/ossl_srv.c +++ b/example/server/ossl_srv.c @@ -265,6 +265,8 @@ X509 *load_cert(BIO *err, const char *file, int format, const char *pass, if (format == FORMAT_ASN1) x = d2i_X509_bio(cert, NULL); + //Could not find any equivalent +#if OPENSSL_VERSION_NUMBER < 0x10100000L else if (format == FORMAT_NETSCAPE) { NETSCAPE_X509 *nx; nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509), cert, NULL); @@ -280,7 +282,9 @@ X509 *load_cert(BIO *err, const char *file, int format, const char *pass, x = nx->cert; nx->cert = NULL; NETSCAPE_X509_free(nx); - } else if (format == FORMAT_PEM) + } +#endif + else if (format == FORMAT_PEM) x = PEM_read_bio_X509_AUX(cert, NULL, (pem_password_cb *) password_callback, NULL); else if (format == FORMAT_PKCS12) { @@ -1389,12 +1393,21 @@ static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey, static int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md, STACK_OF(OPENSSL_STRING) *sigopts) { int rv; +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_MD_CTX mctx; EVP_MD_CTX_init(&mctx); rv = do_sign_init(err, &mctx, pkey, md, sigopts); if (rv > 0) rv = X509_sign_ctx(x, &mctx); EVP_MD_CTX_cleanup(&mctx); +#else + EVP_MD_CTX *mctx; + mctx = EVP_MD_CTX_new(); + rv = do_sign_init(err, mctx, pkey, md, sigopts); + if (rv > 0) + rv = X509_sign_ctx(x, mctx); + EVP_MD_CTX_free(mctx); +#endif return rv > 0 ? 1 : 0; } 
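Review bot: The comment `//Could not find any equivalent` above the disabled FORMAT_NETSCAPE branch in load_cert leaves the reader guessing; the branch reaches into `nx->cert`, which the opaque structures of OpenSSL 1.1.0 no longer allow, and with this change a FORMAT_NETSCAPE request on that build falls through the remaining `else if` chain instead of being handled. Replace it with something like `/* NETSCAPE_X509 internals are not accessible in OpenSSL >= 1.1.0; FORMAT_NETSCAPE is unsupported on that build */`. The tail of the chain is outside the hunk, so whether an unmatched format yields a clear error or just a NULL `x` should be checked.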
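Review bot: `EVP_MD_CTX_new()` in do_X509_sign can return NULL on allocation failure, and on the OpenSSL ≥ 1.1 branch that result goes straight into do_sign_init and `X509_sign_ctx`; add `if (mctx == NULL) return 0;` right after the allocation. The older branch used a stack-allocated context with no such failure mode, so the two branches are not equivalent without the check.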
@@ -1410,7 +1423,9 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, ASN1_STRING *str, *str2; ASN1_OBJECT *obj; X509 *ret = NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000L X509_CINF *ci; +#endif X509_NAME_ENTRY *ne; X509_NAME_ENTRY *tne, *push; EVP_PKEY *pktmp; @@ -1439,7 +1454,10 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, goto err; } X509_REQ_set_subject_name(req, n); +//could not find any equivalent +#if OPENSSL_VERSION_NUMBER < 0x10100000L req->req_info->enc.modified = 1; +#endif X509_NAME_free(n); } @@ -1454,8 +1472,11 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, if (msie_hack) { /* assume all type should be strings */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L nid = OBJ_obj2nid(ne->object); - +#else + nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(ne)); +#endif if (str->type == V_ASN1_UNIVERSALSTRING) ASN1_UNIVERSALSTRING_to_string(str); @@ -1505,7 +1526,11 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, if (selfsign) CAname = X509_NAME_dup(name); else +#if OPENSSL_VERSION_NUMBER < 0x10100000L CAname = X509_NAME_dup(x509->cert_info->subject); +#else + CAname = X509_NAME_dup(X509_get_subject_name(x509)); +#endif if (CAname == NULL) goto err; str = str2 = NULL; @@ -1708,13 +1733,17 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, if ((ret = X509_new()) == NULL) goto err; +#if OPENSSL_VERSION_NUMBER < 0x10100000L ci = ret->cert_info; - +#endif /* Make it an X509 v3 certificate. */ if (!X509_set_version(ret, 2)) goto err; - +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL) +#else + if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL) +#endif goto err; if (selfsign) { if (!X509_set_issuer_name(ret, subject)) 
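Review bot: On the OpenSSL ≥ 1.1 branch the `req->req_info->enc.modified = 1` that followed `X509_REQ_set_subject_name()` is dropped with only `//could not find any equivalent` in its place, and the comment the patch keeps in src/est/est_client.c explains why it existed: an X509_REQ decoded from DER carries a cached copy of its encoding that OpenSSL reuses on the next i2d unless this flag is set. The structure is opaque in 1.1.x and I could not confirm that its `X509_REQ_set_*`/`X509_REQ_sign_ctx` functions invalidate the cache themselves, so a request that was parsed and then modified may be re-encoded or signed from the stale bytes. Please cover this with a test on the 1.1 build that decodes a CSR, changes it, re-encodes it and checks the change is present; if it is not, constructing a fresh X509_REQ from the parsed fields is the safer route than silently removing the line. The same removal occurs in src/est/est_client.c at hunk @@ -118 (commented out inside est_client_X509_REQ_sign) and hunk @@ -1706 (directly before `i2d_X509_REQ_bio`), and in all three places the comment should state what is relied on instead.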
@@ -1746,6 +1775,7 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, /* Lets add the extensions, if there are any */ if (ext_sect) { X509V3_CTX ctx; +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (ci->version == NULL) if ((ci->version = ASN1_INTEGER_new()) == NULL) goto err; @@ -1757,6 +1787,16 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db, sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free); ci->extensions = NULL; +#else + X509_set_version(ret, 2); + /* Free the current entries if any, there should not + * be any I believe */ + STACK_OF(X509_EXTENSION) *exts = (STACK_OF(X509_EXTENSION) *)X509_get0_extensions(ret); + if (exts) + sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free); + + exts = NULL; +#endif /* Initialize the context structure */ if (selfsign) @@ -2495,8 +2535,13 @@ BIO * ossl_simple_enroll(const char *p10buf, int p10len) { email_dn = 0; } if (verbose) +#if OPENSSL_VERSION_NUMBER < 0x10100000L BIO_printf(bio_err, "message digest is %s\n", OBJ_nid2ln(dgst->type)); +#else + BIO_printf(bio_err, "message digest is %s\n", + OBJ_nid2ln(EVP_MD_type(dgst))); +#endif if ((policy == NULL) && ((policy = NCONF_get_string(conf, section, ENV_POLICY)) == NULL)) { @@ -2635,9 +2680,15 @@ BIO * ossl_simple_enroll(const char *p10buf, int p10len) { char *n; x = sk_X509_value(cert_sk, i); - +#if OPENSSL_VERSION_NUMBER < 0x10100000L j = x->cert_info->serialNumber->length; p = (const char *) x->cert_info->serialNumber->data; +#else + ASN1_INTEGER *serialNumber = X509_get_serialNumber(x); + j = ASN1_STRING_length(serialNumber); + p = (const char *)ASN1_STRING_get0_data(serialNumber); + +#endif BUF_strlcat(buf[2], "/", sizeof(buf[2])); diff --git a/example/util/utils.c b/example/util/utils.c index 688aa75..5825f12 100644 --- a/example/util/utils.c +++ b/example/util/utils.c 
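Review bot: The OpenSSL ≥ 1.1 branch in the extension block frees a stack it does not own: `X509_get0_extensions(ret)` returns the pointer held inside `ret`, so `sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free)` followed by `exts = NULL` destroys the certificate's extension stack while `ret` still references it, and a later X509_add_ext or X509_free would touch freed memory. On a certificate that `X509_new()` just produced the stack is NULL and the call is a no-op, which is what `there should not be any I believe` is saying; the safe form is to drop the pop_free and keep only a comment such as `/* ret was just created by X509_new() and carries no extensions yet */`. The unchecked `X509_set_version(ret, 2);` also repeats the checked call made earlier in the same function (hunk @@ -1708), so it can go as well.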
@@ -266,7 +266,11 @@ EVP_PKEY *read_private_key(const char *key_file, pem_password_cb *cb) /* * Read in the private key */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L keyin = BIO_new(BIO_s_file_internal()); +#else + keyin = BIO_new(BIO_s_file()); +#endif if (BIO_read_filename(keyin, key_file) <= 0) { EST_LOG_ERR("Unable to read private key file %s", key_file); return(NULL); diff --git a/src/est/est.c b/src/est/est.c index c4afc8a..5ab08f6 100644 --- a/src/est/est.c +++ b/src/est/est.c @@ -1128,7 +1128,11 @@ EST_ERROR est_asn1_sanity_test (const unsigned char *string, long out_len, switch (tag) { case V_ASN1_OBJECT: +#if OPENSSL_VERSION_NUMBER < 0x10100000L a_object = c2i_ASN1_OBJECT(NULL, &string, len); +#else + a_object = d2i_ASN1_OBJECT(NULL, &string, len); +#endif if (a_object != NULL) { nid = OBJ_obj2nid(a_object); EST_LOG_INFO("NID=%d", nid); @@ -1485,7 +1489,11 @@ EST_ERROR est_get_attributes_helper (unsigned char **der_ptr, int *der_len, int switch (tag) { case V_ASN1_OBJECT: +#if OPENSSL_VERSION_NUMBER < 0x10100000L a_object = c2i_ASN1_OBJECT(NULL, &string, len); +#else + a_object = d2i_ASN1_OBJECT(NULL, &string, len); +#endif if (a_object != NULL) { nid = OBJ_obj2nid(a_object); EST_LOG_INFO("NID=%d", nid); diff --git a/src/est/est.h b/src/est/est.h index 67cac82..d0eb200 100644 --- a/src/est/est.h +++ b/src/est/est.h 
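Review bot: `d2i_ASN1_OBJECT()` is not a drop-in for `c2i_ASN1_OBJECT()` in est_asn1_sanity_test: c2i consumes only the content octets of an element whose tag and length the caller has already parsed (the surrounding `switch (tag)` and the `len` argument suggest that is the case here, though the parse itself is outside the hunk), whereas d2i expects the complete tag-length-value encoding and fails on a buffer that starts at the content. On an OpenSSL ≥ 1.1 build this branch would therefore reject every OID attribute the older build accepted. The usual fix is to remember the element's start before the header is parsed and call `d2i_ASN1_OBJECT(NULL, &elem_start, hdr_len + len)` with it (names constructed), where hdr_len is how far the header parse advanced. The same substitution appears in est_get_attributes_helper (hunk @@ -1485) and in src/est/est_server.c est_server_all_csrattrs_present (hunk @@ -970).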
@@ -511,12 +511,21 @@ LIBEST_API int est_convert_p7b64_to_pem(unsigned char *certs_p7, int certs_len, @return void. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define est_apps_startup() \ do { CRYPTO_malloc_init(); \ ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ ENGINE_load_builtin_engines(); \ SSL_library_init(); \ SSL_load_error_strings(); } while (0) +#else +#define est_apps_startup() \ + do { OPENSSL_malloc_init(); \ + ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \ + ENGINE_load_builtin_engines(); \ + SSL_library_init(); \ + SSL_load_error_strings(); } while (0) +#endif /*! @brief est_apps_shutdown() is used by an application to de-initialize the OpenSSL library. This should be called to prevent memory @@ -524,15 +533,22 @@ LIBEST_API int est_convert_p7b64_to_pem(unsigned char *certs_p7, int certs_len, CONF_modules_unload(), OBJ_cleanup(), EVP_cleanup(), ENGINE_cleanup(), CRYPTO_cleanup_all_ex_data(), ERR_remove_thread_state(), and ERR_free_strings(). - + ERR_remove_thread_state is deprecated in versions greater than 0x10100000L @return void. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define est_apps_shutdown() \ do { CONF_modules_unload(1); \ OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \ CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \ ERR_free_strings(); } while (0) - +#else +#define est_apps_shutdown() \ + do { CONF_modules_unload(1); \ + OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \ + CRYPTO_cleanup_all_ex_data(); \ + ERR_free_strings(); } while (0) +#endif #ifdef __cplusplus } #endif diff --git a/src/est/est_client.c b/src/est/est_client.c index 06e2d22..a5b3260 100644 --- a/src/est/est_client.c +++ b/src/est/est_client.c @@ -98,6 +98,8 @@ static int est_client_X509_REQ_sign (X509_REQ *x, EVP_PKEY *pkey, const EVP_MD * { int rv; EVP_PKEY_CTX *pkctx = NULL; + +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_MD_CTX mctx; EVP_MD_CTX_init(&mctx); 
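Review bot: The OpenSSL ≥ 1.1 bodies of est_apps_startup()/est_apps_shutdown() keep calling `SSL_library_init()`, `ERR_load_crypto_strings()`, `OpenSSL_add_all_algorithms()` and `SSL_load_error_strings()`, which OpenSSL 1.1 reduces to compatibility macros forwarding to OPENSSL_init_ssl()/OPENSSL_init_crypto(), while `OBJ_cleanup()`, `EVP_cleanup()`, `ENGINE_cleanup()`, `CRYPTO_cleanup_all_ex_data()` and `ERR_free_strings()` become empty macros and `OPENSSL_malloc_init()` is one too. Since these macros are public API documented as initialising and de-initialising the library, the `#else` bodies would read more honestly as the 1.1 entry point, e.g. `do { OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); ENGINE_load_builtin_engines(); } while (0)`, with the shutdown doc comment (hunk @@ -524) noting that 1.1 builds clean up automatically at exit instead of listing calls that do nothing.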
@@ -118,7 +120,31 @@ static int est_client_X509_REQ_sign (X509_REQ *x, EVP_PKEY *pkey, const EVP_MD * rv = X509_REQ_sign_ctx(x, &mctx); EVP_MD_CTX_cleanup(&mctx); +#else + EVP_MD_CTX *mctx; + + mctx = EVP_MD_CTX_new(); + + if (!EVP_DigestSignInit(mctx, &pkctx, md, NULL, pkey)) { + return 0; + } + + /* + * Encode using DER (ASN.1) + * + * We have to set the modified flag on the X509_REQ because + * OpenSSL keeps a cached copy of the DER encoded data in some + * cases. Setting this flag tells OpenSSL to run the ASN + * encoding again rather than using the cached copy. + */ + //Commenting the below as i am unable to find the equivalent right now + //x->req_info->enc.modified = 1; + + rv = X509_REQ_sign_ctx(x, mctx); + + EVP_MD_CTX_free(mctx); +#endif return (rv); } /* @@ -586,7 +612,11 @@ static EST_ERROR verify_cacert_resp (EST_CTX *ctx, unsigned char *cacerts, */ rv = X509_check_issued(current_cert, current_cert); if (rv == X509_V_OK) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L EST_LOG_INFO("Adding cert to trusted store (%s)", current_cert->name); +#else + EST_LOG_INFO("Adding cert to trusted store (%s)", X509_get_issuer_name(current_cert)); +#endif X509_STORE_add_cert(trusted_cacerts_store, current_cert); } } @@ -620,7 +650,11 @@ static EST_ERROR verify_cacert_resp (EST_CTX *ctx, unsigned char *cacerts, return ( EST_ERR_MALLOC); } current_cert = sk_X509_value(stack, i); +#if OPENSSL_VERSION_NUMBER < 0x10100000L EST_LOG_INFO("Adding cert to store (%s)", current_cert->name); +#else + EST_LOG_INFO("Adding cert to store (%s)", X509_get_issuer_name(current_cert)); +#endif X509_STORE_CTX_set_cert(store_ctx, current_cert); rv = X509_verify_cert(store_ctx); 
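Review bot: In est_client_X509_REQ_sign the OpenSSL ≥ 1.1 branch neither checks the result of `EVP_MD_CTX_new()` (a NULL goes straight into `EVP_DigestSignInit`) nor frees the context on the early `return 0;`, so every failed init leaks an EVP_MD_CTX. Add `if (mctx == NULL) return 0;` after the allocation and make the failure path `EVP_MD_CTX_free(mctx); return 0;`. The remark `//Commenting the below as i am unable to find the equivalent right now` should be replaced by a statement of what the code relies on instead; the function's signature and the older branch start before this hunk.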
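Review bot: `EST_LOG_INFO("Adding cert to trusted store (%s)", X509_get_issuer_name(current_cert))` passes an `X509_NAME *` to a `%s` conversion, which is undefined behaviour and in practice prints garbage or crashes; the `current_cert->name` it replaces was the one-line textual subject, not the issuer. Render the subject into a buffer first, e.g. `char subj[256]; X509_NAME_oneline(X509_get_subject_name(current_cert), subj, sizeof subj);` and log `subj` (X509_NAME_oneline truncates and NUL-terminates within the given size). The same mismatch is in the next two hunks of verify_cacert_resp (@@ -620 and @@ -628) and, with an allocated string instead of a buffer, in src/est/est_ossl_util.c (hunk @@ -179).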
@@ -628,7 +662,11 @@ static EST_ERROR verify_cacert_resp (EST_CTX *ctx, unsigned char *cacerts, /* * this cert failed verification. Log this and continue on */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L EST_LOG_WARN("Certificate failed verification (%s)", current_cert->name); +#else + EST_LOG_WARN("Certificate failed verification (%s)", X509_get_issuer_name(current_cert)); +#endif failed = 1; } } @@ -1607,10 +1645,19 @@ int est_client_send_enroll_request (EST_CTX *ctx, SSL *ssl, BUF_MEM *bptr, */ static EST_ERROR est_client_check_x509 (X509 *cert) { +#if OPENSSL_VERSION_NUMBER > 0x10100000L + const ASN1_BIT_STRING *asn1_sig = NULL; + const X509_ALGOR *sig_type = NULL; +#endif /* * Make sure the cert is signed */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L if(!cert->signature) { +#else + X509_get0_signature(&asn1_sig, &sig_type, cert); + if(asn1_sig == NULL) { +#endif EST_LOG_ERR("The certificate provided does not contain a signature."); return (EST_ERR_BAD_X509); } @@ -1618,7 +1665,11 @@ static EST_ERROR est_client_check_x509 (X509 *cert) /* * Make sure the signature length is not invalid */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (cert->signature->length <= 0) { +#else + if (asn1_sig->length <= 0) { +#endif EST_LOG_ERR("The certificate provided contains an invalid signature length."); return (EST_ERR_BAD_X509); } @@ -1706,6 +1757,7 @@ static EST_ERROR est_client_enroll_req (EST_CTX *ctx, SSL *ssl, X509_REQ *req, } p10out = BIO_push(b64, p10out); +#if OPENSSL_VERSION_NUMBER < 0x10100000L /* * Encode using DER (ASN.1) * @@ -1715,6 +1767,7 @@ static EST_ERROR est_client_enroll_req (EST_CTX *ctx, SSL *ssl, X509_REQ *req, * encoding again rather than using the cached copy. * */ req->req_info->enc.modified = 1; +#endif i2d_X509_REQ_bio(p10out, req); (void)BIO_flush(p10out); BIO_get_mem_ptr(p10out, &bptr); 
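Review bot: The declaration guard in est_client_check_x509 uses `#if OPENSSL_VERSION_NUMBER > 0x10100000L` while every use of `asn1_sig`/`sig_type` sits under `#if OPENSSL_VERSION_NUMBER < 0x10100000L ... #else`, so a build whose version number is exactly 0x10100000L would reference undeclared variables; make the declaration guard `>=` (or move the declarations into the same `#else`). As far as I can tell, on OpenSSL 1.1 `X509_get0_signature()` hands back a pointer to the signature field embedded in the X509 object, so `asn1_sig == NULL` does not reproduce the old `!cert->signature` check and the length test in the following hunk (@@ -1618) is what actually catches a missing signature; writing that test as `if (ASN1_STRING_length(asn1_sig) <= 0)` avoids reaching into the struct.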
@@ -2197,7 +2250,11 @@ static EST_ERROR est_client_verifyhost (char *hostname, X509 *server_cert) check = sk_GENERAL_NAME_value(altnames, i); /* get data and length */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L altptr = (char*)ASN1_STRING_data(check->d.ia5); +#else + altptr = (char*)ASN1_STRING_get0_data(check->d.ia5); +#endif altlen = (size_t)ASN1_STRING_length(check->d.ia5); switch (check->type) { @@ -2303,7 +2360,11 @@ static EST_ERROR est_client_verifyhost (char *hostname, X509 *server_cert) if (j >= 0) { peer_CN = malloc(j + 1); if (peer_CN) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L safec_rc = memcpy_s(peer_CN, j, ASN1_STRING_data(tmp), j); +#else + safec_rc = memcpy_s(peer_CN, j, ASN1_STRING_get0_data(tmp), j); +#endif if (safec_rc != EOK) { EST_LOG_INFO("memcpy_s error 0x%xO with ASN1 string\n", safec_rc); } @@ -3235,8 +3296,15 @@ EST_ERROR est_client_reenroll (EST_CTX *ctx, X509 *cert, int *pkcs7_len, EVP_PKE * in the config file to copyall to retain the * extensions in the CSR when issuing a new cert. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (cert->cert_info && cert->cert_info->extensions) { ossl_rv = X509_REQ_add_extensions(req, cert->cert_info->extensions); +#else + STACK_OF(X509_EXTENSION) *extensions; + extensions = (STACK_OF(X509_EXTENSION) *)X509_get0_extensions(cert); + if (extensions) { + ossl_rv = X509_REQ_add_extensions(req, extensions); +#endif if (!ossl_rv) { EST_LOG_WARN("Failed to copy X509 extensions to the CSR. Your new certificate may not contain the extensions present in the old certificate."); } @@ -3593,7 +3661,6 @@ EST_ERROR est_client_get_csrattrs (EST_CTX *ctx, unsigned char **csr_data, int * return (rv); } - /*! @brief est_client_enable_srp() is used by an application to enable TLS-SRP as the transport, which is used in place of traditional TLS. TLS-SRP allows for secure transport when an X.509 certificate 
@@ -3660,6 +3727,8 @@ EST_ERROR est_client_enable_srp (EST_CTX *ctx, int strength, char *uid, char *pw * enable the DSS and RSA auth cipher suites if we do. */ store = SSL_CTX_get_cert_store(ctx->ssl_ctx); + +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (store && store->objs && sk_X509_OBJECT_num(store->objs) > 0) { EST_LOG_INFO("Enable SSL SRP cipher suites with RSA/DSS\n"); rv = SSL_CTX_set_cipher_list(ctx->ssl_ctx, EST_CIPHER_LIST_SRP_AUTH); @@ -3667,6 +3736,17 @@ EST_ERROR est_client_enable_srp (EST_CTX *ctx, int strength, char *uid, char *pw EST_LOG_INFO("Enable SSL SRP cipher suites w/o RSA/DSS\n"); rv = SSL_CTX_set_cipher_list(ctx->ssl_ctx, EST_CIPHER_LIST_SRP_ONLY); } +#else + STACK_OF(X509_OBJECT) * pobjs = X509_STORE_get0_objects(store); + + if (store && pobjs && sk_X509_OBJECT_num(pobjs) > 0) { + EST_LOG_INFO("Enable SSL SRP cipher suites with RSA/DSS\n"); + rv = SSL_CTX_set_cipher_list(ctx->ssl_ctx, EST_CIPHER_LIST_SRP_AUTH); + } else { + EST_LOG_INFO("Enable SSL SRP cipher suites w/o RSA/DSS\n"); + rv = SSL_CTX_set_cipher_list(ctx->ssl_ctx, EST_CIPHER_LIST_SRP_ONLY); + } +#endif if (!rv) { EST_LOG_ERR("Failed to set SSL SRP cipher suites\n"); ossl_dump_ssl_errors(); @@ -3693,7 +3773,6 @@ EST_ERROR est_client_enable_srp (EST_CTX *ctx, int strength, char *uid, char *pw return (EST_ERR_NONE); } - /*! @brief est_client_set_auth() is used by an application to set up the authentication parameters to be used. diff --git a/src/est/est_locl.h b/src/est/est_locl.h index 63cca4f..5ea0b0e 100644 --- a/src/est/est_locl.h +++ b/src/est/est_locl.h 
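Review bot: In est_client_enable_srp the OpenSSL ≥ 1.1 branch calls `X509_STORE_get0_objects(store)` before the `store &&` test that the next line still performs, so a NULL `store` (which the older branch guarded against) is dereferenced inside OpenSSL before the check can run. Initialise it conditionally: `STACK_OF(X509_OBJECT) *pobjs = store ? X509_STORE_get0_objects(store) : NULL;`.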
@@ -43,7 +43,13 @@ #define EST_URI_MAX_LEN (EST_URI_PATH_PREFIX_MAX_LEN+EST_MAX_PATH_SEGMENT_LEN+EST_MAX_PATH_SEGMENT_LEN) #define EST_BODY_MAX_LEN 16384 #define EST_CA_MAX 2000000 +/*Value which comes after the read in BIO_get_mem_ptr is +64 in openssl 1.1.1 as compared to 16 in older versions*/ +#if OPENSSL_VERSION_NUMBER < 0x10100000L #define EST_TLS_UID_LEN 17 +#else +#define EST_TLS_UID_LEN 65 +#endif #define EST_RAW_CSR_LEN_MAX 8192 #define EST_MAX_CONTENT_LEN 8192 diff --git a/src/est/est_ossl_util.c b/src/est/est_ossl_util.c index 0b92e02..cbcfa68 100644 --- a/src/est/est_ossl_util.c +++ b/src/est/est_ossl_util.c @@ -179,7 +179,13 @@ static int ossl_init_cert_store_from_raw (X509_STORE *store, while (sk_X509_INFO_num(sk)) { xi = sk_X509_INFO_shift(sk); if (xi->x509 != NULL) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L EST_LOG_INFO("Adding cert to store (%s)", xi->x509->name); +#else + char *issuer = X509_NAME_oneline(X509_get_issuer_name(xi->x509), NULL, 0); + EST_LOG_INFO("Adding cert to store (%s)",issuer); + +#endif X509_STORE_add_cert(store, xi->x509); cert_cnt++; } diff --git a/src/est/est_server.c b/src/est/est_server.c index da0b309..1d8a18d 100644 --- a/src/est/est_server.c +++ b/src/est/est_server.c @@ -531,9 +531,11 @@ int est_tls_uid_auth (EST_CTX *ctx, SSL *ssl, X509_REQ *req) X509_ATTRIBUTE *attr; int i, j; +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_TYPE *at; - ASN1_BIT_STRING *bs = NULL; ASN1_TYPE *t; +#endif + ASN1_BIT_STRING *bs = NULL; int rv = EST_ERR_NONE; char *tls_uid; int diff; @@ -566,6 +568,7 @@ int est_tls_uid_auth (EST_CTX *ctx, SSL *ssl, X509_REQ *req) * If we found the attribute, get the actual value of the challengePassword */ if (attr) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L if (attr->single) { t = attr->value.single; bs = t->value.bit_string; 
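Review bot: Tying `EST_TLS_UID_LEN` to the OpenSSL version is fragile: the comment attributes the 16-versus-64 difference to the library, but a tls-unique value is derived from the TLS Finished message, whose size depends on the negotiated protocol version and cipher suite rather than on the library build, so a 1.1.1 client that negotiates TLS 1.2 would presumably still produce the shorter value. If the constant is used as an exact expected length anywhere, that case would fail; if it only sizes a buffer, 65 works as an upper bound but the comment should say so. I'd keep a single value sized as a maximum and compare against the length actually returned, with a comment such as `/* upper bound: base64 of the TLS Finished message; its size varies with TLS version and cipher suite */`. The uses of the constant are outside this diff, so I could not confirm which applies.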
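Review bot: `X509_NAME_oneline(X509_get_issuer_name(xi->x509), NULL, 0)` in ossl_init_cert_store_from_raw allocates the string, and the loop never releases it, so each loaded certificate leaks one allocation on the OpenSSL ≥ 1.1 build; the `xi->x509->name` it replaces was also the subject, not the issuer. Either free it after the log call with `OPENSSL_free(issuer);`, or use a stack buffer: `char subj[256]; X509_NAME_oneline(X509_get_subject_name(xi->x509), subj, sizeof subj);` and log `subj`.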
@@ -573,7 +576,18 @@ int est_tls_uid_auth (EST_CTX *ctx, SSL *ssl, X509_REQ *req) j = 0; at = sk_ASN1_TYPE_value(attr->value.set, j); bs = at->value.asn1_string; +#else + ASN1_TYPE *value; + value = X509_ATTRIBUTE_get0_type(attr, 0); + + if ((value != NULL) && (value->type == V_ASN1_BIT_STRING )) { + bs = value ->value.bit_string; + } + + if ((value != NULL) && (value->type == V_ASN1_GENERALSTRING )) { + bs = value ->value.asn1_string; } +#endif } else { EST_LOG_WARN("PoP challengePassword attribute not found in client cert request"); return (EST_ERR_AUTH_FAIL_TLSUID); @@ -970,7 +984,11 @@ static EST_ERROR est_server_all_csrattrs_present(EST_CTX *ctx, char *body, int b } switch (tag) { case V_ASN1_OBJECT: +#if OPENSSL_VERSION_NUMBER < 0x10100000L a_object = c2i_ASN1_OBJECT(NULL, (const unsigned char**)&der_ptr, len); +#else + a_object = d2i_ASN1_OBJECT(NULL, (const unsigned char**)&der_ptr, len); +#endif if (!a_object) { EST_LOG_ERR("a_object is null"); est_server_free_csr_oid_list(csr_attr_oids); From 0673b3811a4e15bd7c25a15cfdeb5f9675e38740 Mon Sep 17 00:00:00 2001 From: Sumant Gupta Date: Thu, 4 Jul 2019 15:27:43 +0530 Subject: [PATCH 2/2] Update est_server.c Corrected the code in case we are compiling against: OPENSSL_VERSION_NUMBER < 0x10100000L --- src/est/est_server.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/est/est_server.c b/src/est/est_server.c index 1d8a18d..35156e4 100644 --- a/src/est/est_server.c +++ b/src/est/est_server.c @@ -576,6 +576,7 @@ int est_tls_uid_auth (EST_CTX *ctx, SSL *ssl, X509_REQ *req) j = 0; at = sk_ASN1_TYPE_value(attr->value.set, j); bs = at->value.asn1_string; + } #else ASN1_TYPE *value; value = X509_ATTRIBUTE_get0_type(attr, 0);
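Review bot: The OpenSSL ≥ 1.1 branch of est_tls_uid_auth only picks up the challengePassword when the attribute's first value is a BIT STRING or a GeneralString; a PrintableString or UTF8String value (the DirectoryString forms the PKCS#9 attribute is normally encoded with) leaves `bs` NULL, whereas the older branch took `at->value.asn1_string` whatever its type, so the two builds would accept different requests. Unless the client is known to emit GeneralString, extend the second test to the string types actually expected, e.g. `if (value != NULL && (value->type == V_ASN1_GENERALSTRING || value->type == V_ASN1_PRINTABLESTRING || value->type == V_ASN1_UTF8STRING))`, and document the accepted encodings in a comment above it. What `bs` is later compared against is outside the hunk, so I could not check whether a NULL `bs` is handled there. The stray spaces in `value ->value.bit_string` should also go.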