cisco · sumantgupta1984 · Jul 4, 2019 · Jul 4, 2019
diff --git a/example/client/estclient.c b/example/client/estclient.c
@@ -368,7 +368,14 @@ static int client_manual_cert_verify(X509 *cur_cert, int openssl_cert_error)
      * This fingerprint can be checked against the anticipated value to determine
      * whether or not the server's cert should be approved.
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     X509_signature_print(bio_err, cur_cert->sig_alg, cur_cert->signature);
+#else
+    const ASN1_BIT_STRING *asn1_sig = NULL;
+    const X509_ALGOR      *sig_type = NULL;
+    X509_get0_signature(&asn1_sig, &sig_type, cur_cert);
+    X509_signature_print(bio_err, sig_type, asn1_sig);
+#endif
 
     BIO_free(bio_err);
 
@@ -398,7 +405,11 @@ static X509_REQ *read_csr (char *csr_file)
     /*
      * Read in the csr
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     csrin = BIO_new(BIO_s_file_internal());
+#else
+    csrin = BIO_new(BIO_s_file());
+#endif
     if (BIO_read_filename(csrin, csr_file) <= 0) {
         printf("\nUnable to read CSR file %s\n", csr_file);
         return (NULL);
@@ -758,15 +769,13 @@ static void worker_thread (void *ptr)
 	    exit(1);
 	}
 
-
 	if (srp) {
 	    rv = est_client_enable_srp(ectx, 1024, est_srp_uid, est_srp_pwd);
 	    if (rv != EST_ERR_NONE) {
 		printf("\nUnable to enable SRP.  Aborting!!!\n");
 	        exit(1);
 	    }
 	}
-
         if (token_auth_mode) {
             rv = est_client_set_auth_cred_cb(ectx, auth_credentials_token_cb);
 	    if (rv != EST_ERR_NONE) {
@@ -935,7 +944,9 @@ static void worker_thread (void *ptr)
     if (verbose) printf("\nEnding thread %d", tctx->thread_id);
     free(tctx);
     ERR_clear_error();
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     ERR_remove_thread_state(NULL);
+#endif
 }
 
 
@@ -1275,7 +1286,11 @@ int main (int argc, char **argv)
      * Read in the current client certificate
      */
     if (client_cert_file[0]) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         certin = BIO_new(BIO_s_file_internal());
+#else
+        certin = BIO_new(BIO_s_file());
+#endif
         if (BIO_read_filename(certin, client_cert_file) <= 0) {
             printf("\nUnable to read client certificate file %s\n", client_cert_file);
             exit(1);

diff --git a/example/proxy/estproxy.c b/example/proxy/estproxy.c
@@ -269,8 +269,11 @@ static int process_ssl_srp_auth (SSL *s, int *ad, void *arg)
 
     if (!login)
         return (-1);
-
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     user = SRP_VBASE_get_by_user(srp_db, login);
+#else
+    user = SRP_VBASE_get1_by_user(srp_db, login);
+#endif
 
     if (user == NULL) {
         printf("User doesn't exist in SRP database\n");
@@ -494,7 +497,11 @@ int main (int argc, char **argv)
     /*
      * Read in the local server certificate 
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     certin = BIO_new(BIO_s_file_internal());
+#else
+    certin = BIO_new(BIO_s_file());
+#endif
     if (BIO_read_filename(certin, certfile) <= 0) {
         printf("\nUnable to read server certificate file %s\n", certfile);
         exit(1);
@@ -514,7 +521,11 @@ int main (int argc, char **argv)
     /* 
      * Read in the server's private key
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     keyin = BIO_new(BIO_s_file_internal());
+#else
+    keyin = BIO_new(BIO_s_file());
+#endif
     if (BIO_read_filename(keyin, keyfile) <= 0) {
         printf("\nUnable to read server private key file %s\n", keyfile);
         exit(1);

diff --git a/example/server/estserver.c b/example/server/estserver.c
@@ -144,13 +144,26 @@ static DH *get_dh1024dsa ()
     if ((dh = DH_new()) == NULL) {
         return (NULL);
     }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
     dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
     if ((dh->p == NULL) || (dh->g == NULL)) {
         DH_free(dh);
         return (NULL);
     }
     dh->length = 160;
+#else
+    BIGNUM * const dh_p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+    BIGNUM * const dh_g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+    if ((dh_p == NULL) || (dh_g == NULL) || !DH_set0_pqg(dh, dh_p, NULL, dh_g)) {
+	    DH_free(dh);
+	    return (NULL);
+    }
+    long bits =160;
+    if (DH_get_length(dh) > 0) {
+	    DH_set_length(dh, bits);
+    }
+#endif
     return (dh);
 }
 
@@ -276,7 +289,11 @@ int lookup_pkcs10_request (unsigned char *pkcs10, int p10_len)
      * would do this lookup.  But this should be good enough for
      * testing the retry-after logic.
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     pkey = X509_PUBKEY_get(req->req_info->pubkey);
+#else
+    pkey = X509_PUBKEY_get(X509_REQ_get_X509_PUBKEY(req));
+#endif
     if (!pkey) {
         rv = 1;
         goto DONE;
@@ -859,7 +876,11 @@ static int process_ssl_srp_auth (SSL *s, int *ad, void *arg)
     if (!login)
         return (-1);
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     user = SRP_VBASE_get_by_user(srp_db, login);
+#else
+    user = SRP_VBASE_get1_by_user(srp_db, login);
+#endif
 
     if (user == NULL) {
         printf("User doesn't exist in SRP database\n");
@@ -1138,7 +1159,12 @@ int main (int argc, char **argv)
     /*
      * Read in the local server certificate
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     certin = BIO_new(BIO_s_file_internal());
+#else
+   certin = BIO_new(BIO_s_file());
+#endif
+
     if (BIO_read_filename(certin, certfile) <= 0) {
         printf("\nUnable to read server certificate file %s\n", certfile);
         exit(1);

diff --git a/example/server/ossl_srv.c b/example/server/ossl_srv.c
@@ -265,6 +265,8 @@ X509 *load_cert(BIO *err, const char *file, int format, const char *pass,
 
     if (format == FORMAT_ASN1)
         x = d2i_X509_bio(cert, NULL);
+    //Could not find any equivalent
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     else if (format == FORMAT_NETSCAPE) {
         NETSCAPE_X509 *nx;
         nx = ASN1_item_d2i_bio(ASN1_ITEM_rptr(NETSCAPE_X509), cert, NULL);
@@ -280,7 +282,9 @@ X509 *load_cert(BIO *err, const char *file, int format, const char *pass,
         x = nx->cert;
         nx->cert = NULL;
         NETSCAPE_X509_free(nx);
-    } else if (format == FORMAT_PEM)
+    } 
+#endif
+    else if (format == FORMAT_PEM)
         x = PEM_read_bio_X509_AUX(cert, NULL,
                 (pem_password_cb *) password_callback, NULL);
     else if (format == FORMAT_PKCS12) {
@@ -1389,12 +1393,21 @@ static int do_sign_init(BIO *err, EVP_MD_CTX *ctx, EVP_PKEY *pkey,
 static int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
 STACK_OF(OPENSSL_STRING) *sigopts) {
     int rv;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     EVP_MD_CTX mctx;
     EVP_MD_CTX_init(&mctx);
     rv = do_sign_init(err, &mctx, pkey, md, sigopts);
     if (rv > 0)
         rv = X509_sign_ctx(x, &mctx);
     EVP_MD_CTX_cleanup(&mctx);
+#else
+    EVP_MD_CTX *mctx;
+    mctx = EVP_MD_CTX_new();
+    rv = do_sign_init(err, mctx, pkey, md, sigopts);
+    if (rv > 0)
+        rv = X509_sign_ctx(x, mctx);
+    EVP_MD_CTX_free(mctx);
+#endif
     return rv > 0 ? 1 : 0;
 }
 
@@ -1410,7 +1423,9 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
     ASN1_STRING *str, *str2;
     ASN1_OBJECT *obj;
     X509 *ret = NULL;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     X509_CINF *ci;
+#endif
     X509_NAME_ENTRY *ne;
     X509_NAME_ENTRY *tne, *push;
     EVP_PKEY *pktmp;
@@ -1439,7 +1454,10 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
             goto err;
         }
         X509_REQ_set_subject_name(req, n);
+//could not find any equivalent
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         req->req_info->enc.modified = 1;
+#endif
         X509_NAME_free(n);
     }
 
@@ -1454,8 +1472,11 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
 
         if (msie_hack) {
             /* assume all type should be strings */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
             nid = OBJ_obj2nid(ne->object);
-
+#else
+            nid = OBJ_obj2nid(X509_NAME_ENTRY_get_object(ne));
+#endif
             if (str->type == V_ASN1_UNIVERSALSTRING)
                 ASN1_UNIVERSALSTRING_to_string(str);
 
@@ -1505,7 +1526,11 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
     if (selfsign)
         CAname = X509_NAME_dup(name);
     else
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         CAname = X509_NAME_dup(x509->cert_info->subject);
+#else
+        CAname = X509_NAME_dup(X509_get_subject_name(x509));
+#endif
     if (CAname == NULL)
         goto err;
     str = str2 = NULL;
@@ -1708,13 +1733,17 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
 
     if ((ret = X509_new()) == NULL)
         goto err;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     ci = ret->cert_info;
-
+#endif
     /* Make it an X509 v3 certificate. */
     if (!X509_set_version(ret, 2))
         goto err;
-
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     if (BN_to_ASN1_INTEGER(serial, ci->serialNumber) == NULL)
+#else
+    if (BN_to_ASN1_INTEGER(serial, X509_get_serialNumber(ret)) == NULL)
+#endif
         goto err;
     if (selfsign) {
         if (!X509_set_issuer_name(ret, subject))
@@ -1746,6 +1775,7 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
     /* Lets add the extensions, if there are any */
     if (ext_sect) {
         X509V3_CTX ctx;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
         if (ci->version == NULL)
             if ((ci->version = ASN1_INTEGER_new()) == NULL)
                 goto err;
@@ -1757,6 +1787,16 @@ STACK_OF(OPENSSL_STRING) *sigopts, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
             sk_X509_EXTENSION_pop_free(ci->extensions, X509_EXTENSION_free);
 
         ci->extensions = NULL;
+#else
+        X509_set_version(ret, 2);
+        /* Free the current entries if any, there should not
+         * be any I believe */
+        STACK_OF(X509_EXTENSION) *exts = (STACK_OF(X509_EXTENSION) *)X509_get0_extensions(ret);
+        if (exts)
+            sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
+        exts = NULL;
+#endif
 
         /* Initialize the context structure */
         if (selfsign)
@@ -2495,8 +2535,13 @@ BIO * ossl_simple_enroll(const char *p10buf, int p10len) {
                 email_dn = 0;
         }
         if (verbose)
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
             BIO_printf(bio_err, "message digest is %s\n",
                     OBJ_nid2ln(dgst->type));
+#else
+            BIO_printf(bio_err, "message digest is %s\n",
+                    OBJ_nid2ln(EVP_MD_type(dgst)));
+#endif
         if ((policy == NULL)
                 && ((policy = NCONF_get_string(conf, section, ENV_POLICY))
                         == NULL)) {
@@ -2635,9 +2680,15 @@ BIO * ossl_simple_enroll(const char *p10buf, int p10len) {
             char *n;
 
             x = sk_X509_value(cert_sk, i);
-
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
             j = x->cert_info->serialNumber->length;
             p = (const char *) x->cert_info->serialNumber->data;
+#else
+       ASN1_INTEGER *serialNumber = X509_get_serialNumber(x);
+	    j = ASN1_STRING_length(serialNumber);
+	    p = (const char *)ASN1_STRING_get0_data(serialNumber);
+
+#endif
 
             BUF_strlcat(buf[2], "/", sizeof(buf[2]));
 

diff --git a/example/util/utils.c b/example/util/utils.c
@@ -266,7 +266,11 @@ EVP_PKEY *read_private_key(const char *key_file, pem_password_cb *cb)
     /*
      * Read in the private key
      */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
     keyin = BIO_new(BIO_s_file_internal());
+#else
+    keyin = BIO_new(BIO_s_file());
+#endif
     if (BIO_read_filename(keyin, key_file) <= 0) {
     EST_LOG_ERR("Unable to read private key file %s", key_file);
     return(NULL);

diff --git a/src/est/est.c b/src/est/est.c
@@ -1128,7 +1128,11 @@ EST_ERROR est_asn1_sanity_test (const unsigned char *string, long out_len,
 	switch (tag)
 	{
 	case V_ASN1_OBJECT:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
             a_object = c2i_ASN1_OBJECT(NULL, &string, len);
+#else
+            a_object = d2i_ASN1_OBJECT(NULL, &string, len);
+#endif
 	    if (a_object != NULL) {
 	        nid = OBJ_obj2nid(a_object);
 		EST_LOG_INFO("NID=%d", nid);
@@ -1485,7 +1489,11 @@ EST_ERROR est_get_attributes_helper (unsigned char **der_ptr, int *der_len, int
 	switch (tag) {
 
 	case V_ASN1_OBJECT:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
             a_object = c2i_ASN1_OBJECT(NULL, &string, len);
+#else
+            a_object = d2i_ASN1_OBJECT(NULL, &string, len);
+#endif
 	    if (a_object != NULL) {
 	        nid = OBJ_obj2nid(a_object);
 		EST_LOG_INFO("NID=%d", nid);