From 5c95b880956b575af37e868d91ebb7c2e827fe6e Mon Sep 17 00:00:00 2001 From: csoler Date: Sun, 19 Feb 2017 22:38:02 +0100 Subject: [PATCH] compilation fix for openssl-1.1.0 (pqissl+authssl part) --- libretroshare/src/crypto/chacha20.cpp | 3 + libretroshare/src/pqi/authssl.cc | 149 ++++++++++++++++++------ libretroshare/src/pqi/pqissl.cc | 9 ++ libretroshare/src/pqi/pqissllistener.cc | 9 ++ libretroshare/src/pqi/pqistreamer.cc | 1 + libretroshare/src/pqi/sslfns.cc | 18 ++- libretroshare/src/util/rsaes.cc | 34 +++--- libretroshare/src/util/rsrecogn.cc | 16 +++ retroshare.pri | 3 + 9 files changed, 190 insertions(+), 52 deletions(-) diff --git a/libretroshare/src/crypto/chacha20.cpp b/libretroshare/src/crypto/chacha20.cpp index 5219983a4..2653a7046 100644 --- a/libretroshare/src/crypto/chacha20.cpp +++ b/libretroshare/src/crypto/chacha20.cpp @@ -583,6 +583,9 @@ bool AEAD_chacha20_sha256(uint8_t key[32], uint8_t nonce[12],uint8_t *data,uint3 HMAC_Update(hmac_ctx,aad,aad_size) ; HMAC_Update(hmac_ctx,data,data_size) ; HMAC_Final(hmac_ctx,computed_tag,&md_size) ; + + HMAC_CTX_free(hmac_ctx) ; + hmac_ctx=NULL; #endif // decrypt diff --git a/libretroshare/src/pqi/authssl.cc b/libretroshare/src/pqi/authssl.cc index 07c12b942..bbe99b2a6 100644 --- a/libretroshare/src/pqi/authssl.cc +++ b/libretroshare/src/pqi/authssl.cc 
@@ -245,12 +245,18 @@ sslcert::sslcert(X509 *x509, const RsPeerId& pid) { certificate = x509; id = pid; +#if OPENSSL_VERSION_NUMBER < 0x10100000L name = getX509CNString(x509->cert_info->subject); org = getX509OrgString(x509->cert_info->subject); location = getX509LocString(x509->cert_info->subject); - email = ""; - issuer = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer))); +#else + name = getX509CNString(X509_get_subject_name(x509)); + org = getX509OrgString(X509_get_subject_name(x509)); + location = getX509LocString(X509_get_subject_name(x509)); + issuer = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509)))); +#endif + email = ""; authed = false; } @@ -371,8 +377,17 @@ static int initLib = 0; if (dh) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L BN_hex2bn(&dh->p,dh_prime_4096_hex.c_str()) ; BN_hex2bn(&dh->g,"5") ; +#else + BIGNUM *pp=NULL,*gg=NULL ; + + BN_hex2bn(&pp,dh_prime_4096_hex.c_str()) ; + BN_hex2bn(&gg,"5"); + + DH_set0_pqg(dh,pp,NULL,gg) ; +#endif std::cout.flush() ; 
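Review bot: In sslcert::sslcert the `issuer` assignment appears to be removed from the pre-1.1.0 branch and re-added only under `#else` (the hunk's 12/18 line counts fit two removed lines), so a build against OpenSSL < 1.1.0 would leave `issuer` default-constructed for every certificate. `X509_get_subject_name()` and `X509_get_issuer_name()` are available before 1.1.0 as well, so the version check is not needed here: a single `issuer = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509))));` serves both builds. The same accessor-only `#if`/`#else` pairs recur in AuthX509WithGPG, verify_x509_callback, VerifyX509Callback, pqissl.cc, pqissllistener.cc and LoadCheckX509, and could be collapsed the same way.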
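Review bot: The new 1.1.0 branch ignores the results of both `BN_hex2bn` calls and of `DH_set0_pqg`, so a failed conversion leaves `dh` without usable parameters and leaks whichever BIGNUM was already allocated. `DH_set0_pqg` takes ownership of `pp` and `gg` only when it succeeds, so the failure path has to release them, e.g. `if(!DH_set0_pqg(dh,pp,NULL,gg)) { BN_free(pp); BN_free(gg); }` followed by whatever error return the function uses. The enclosing function starts and ends outside the hunk, so how an initialisation failure is reported there needs to be confirmed.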
@@ -776,47 +791,74 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/) std::cerr << "X509 Cert, prepared for signing" << std::endl; /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/ + // + // The code has been copied in order to use the PGP signing instead of supplying the + // private EVP_KEY to ASN1_sign(), which would be another alternative. + int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; +#if OPENSSL_VERSION_NUMBER < 0x10100000L X509_ALGOR *algor1 = x509->cert_info->signature; X509_ALGOR *algor2 = x509->sig_alg; ASN1_BIT_STRING *signature = x509->signature; X509_CINF *data = x509->cert_info; +#else + const X509_ALGOR *algor1 = X509_get0_tbs_sigalg(x509) ; + const X509_ALGOR *algor2 = NULL ; + + const ASN1_BIT_STRING *tmp_signature = NULL ; + + X509_get0_signature(&tmp_signature,&algor2,x509); + + ASN1_BIT_STRING *signature = const_cast(tmp_signature); +#endif //EVP_PKEY *pkey = NULL; const EVP_MD *type = EVP_sha1(); - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); unsigned char *p,*buf_in=NULL; unsigned char *buf_hashout=NULL,*buf_sigout=NULL; int inl=0,hashoutl=0; int sigoutl=0; X509_ALGOR *a; - EVP_MD_CTX_init(&ctx); + EVP_MD_CTX_init(ctx); /* FIX ALGORITHMS */ - a = algor1; + a = const_cast(algor1); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_TYPE_free(a->parameter); a->parameter=ASN1_TYPE_new(); a->parameter->type=V_ASN1_NULL; ASN1_OBJECT_free(a->algorithm); a->algorithm=OBJ_nid2obj(type->pkey_type); +#else + X509_ALGOR_set0(a,OBJ_nid2obj(EVP_MD_pkey_type(type)),V_ASN1_NULL,NULL); +#endif - a = algor2; + a = const_cast(algor2); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_TYPE_free(a->parameter); a->parameter=ASN1_TYPE_new(); a->parameter->type=V_ASN1_NULL; ASN1_OBJECT_free(a->algorithm); - a->algorithm=OBJ_nid2obj(type->pkey_type); + a->algorithm=OBJ_nid2obj(type->pkey_type); +#else + X509_ALGOR_set0(a,OBJ_nid2obj(EVP_MD_pkey_type(type)),V_ASN1_NULL,NULL); +#endif std::cerr << "Algorithms Fixed" << 
std::endl; /* input buffer */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L inl=i2d(data,NULL); buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); +#else + inl=i2d_re_X509_tbs(x509,&buf_in) ; // this does the i2d over x509->cert_info +#endif hashoutl=EVP_MD_size(type); buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl); @@ -831,15 +873,17 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/) fprintf(stderr, "AuthSSLimpl::SignX509Req: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE)\n"); goto err; } - p=buf_in; - std::cerr << "Buffers Allocated" << std::endl; +#if OPENSSL_VERSION_NUMBER < 0x10100000L + p=buf_in; i2d(data,&p); +#endif + /* data in buf_in, ready to be hashed */ - EVP_DigestInit_ex(&ctx,type, NULL); - EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl); - if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout, + EVP_DigestInit_ex(ctx,type, NULL); + EVP_DigestUpdate(ctx,(unsigned char *)buf_in,inl); + if (!EVP_DigestFinal(ctx,(unsigned char *)buf_hashout, (unsigned int *)&hashoutl)) { hashoutl=0; @@ -879,6 +923,8 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/) std::cerr << "Certificate Complete" << std::endl; + EVP_MD_CTX_free(ctx) ; + return x509; /* XXX CLEANUP */ @@ -915,7 +961,11 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic) } /* extract CN for peer Id */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L RsPgpId issuer(std::string(getX509CNString(x509->cert_info->issuer))); +#else + RsPgpId issuer(std::string(getX509CNString(X509_get_issuer_name(x509)))); +#endif RsPeerDetails pd; #ifdef AUTHSSL_DEBUG std::cerr << "Checking GPG issuer : " << issuer.toStdString() << std::endl ; 
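Review bot: In SignX509ReqWithGPG the result of `EVP_MD_CTX_new()` is passed to `EVP_MD_CTX_init(ctx)` and the digest calls without a NULL check, and the now heap-allocated context is released only before `return x509` (hunk @@ -879). The `goto err` visible in hunk @@ -831 jumps to cleanup code outside the diff; unless that label also calls `EVP_MD_CTX_free(ctx)`, every failed signing leaks a context. AuthX509WithGPG has the same shape, with the free added only on its success path (hunk @@ -1017). `EVP_MD_CTX_new`/`EVP_MD_CTX_free` are also used outside the version check although they are 1.1.0 names (`EVP_MD_CTX_create`/`EVP_MD_CTX_destroy` before that), so unless a compatibility shim exists elsewhere the older build no longer compiles.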
@@ -930,22 +980,33 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic) /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/ int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF; + +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_BIT_STRING *signature = x509->signature; X509_CINF *data = x509->cert_info; +#else + const ASN1_BIT_STRING *signature = NULL ; + const X509_ALGOR *algor2=NULL; + + X509_get0_signature(&signature,&algor2,x509); +#endif + + const EVP_MD *type = EVP_sha1(); - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); unsigned char *p,*buf_in=NULL; unsigned char *buf_hashout=NULL,*buf_sigout=NULL; int inl=0,hashoutl=0; int sigoutl=0; - //X509_ALGOR *a; - - EVP_MD_CTX_init(&ctx); /* input buffer */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L inl=i2d(data,NULL); buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl); +#else + inl=i2d_re_X509_tbs(x509,&buf_in) ; // this does the i2d over x509->cert_info +#endif hashoutl=EVP_MD_size(type); buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl); @@ -973,11 +1034,13 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic) std::cerr << "Buffers Allocated" << std::endl; #endif +#if OPENSSL_VERSION_NUMBER < 0x10100000L i2d(data,&p); +#endif /* data in buf_in, ready to be hashed */ - EVP_DigestInit_ex(&ctx,type, NULL); - EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl); - if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout, + EVP_DigestInit_ex(ctx,type, NULL); + EVP_DigestUpdate(ctx,(unsigned char *)buf_in,inl); + if (!EVP_DigestFinal(ctx,(unsigned char *)buf_hashout, (unsigned int *)&hashoutl)) { hashoutl=0; @@ -1017,6 +1080,7 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic) #ifdef AUTHSSL_DEBUG std::cerr << "AuthSSLimpl::AuthX509() X509 authenticated" << std::endl; #endif + EVP_MD_CTX_free(ctx) ; OPENSSL_free(buf_in) ; OPENSSL_free(buf_hashout) ; 
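Review bot: On the verification path in AuthX509WithGPG, `i2d_re_X509_tbs(x509,&buf_in)` re-encodes the TBSCertificate, so the digest is computed over OpenSSL's fresh encoding rather than over the bytes the peer sent, and the call modifies the peer's X509 object as a side effect. OpenSSL caches the original encoding precisely so that signatures are checked over what was signed; if re-encoding is intended, a comment on the line should say why, e.g. `// re-encodes the TBS: digest covers the canonical encoding, not the received bytes`. The return value is not checked either: on failure `inl` is negative and later reaches `EVP_DigestUpdate(ctx,...,inl)` as a length unless the buffer check outside this hunk catches it, so the certificate should be rejected as soon as `inl <= 0`. The function body starts and ends outside the hunk.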
@@ -1093,21 +1157,34 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx) if(x509 != NULL) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L RsPgpId gpgid (std::string(getX509CNString(x509->cert_info->issuer))); +#else + RsPgpId gpgid (std::string(getX509CNString(X509_get_issuer_name(x509)))); +#endif + if(gpgid.isNull()) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L std::cerr << "verify_x509_callback(): wrong PGP id \"" << std::string(getX509CNString(x509->cert_info->issuer)) << "\"" << std::endl; +#else + std::cerr << "verify_x509_callback(): wrong PGP id \"" << std::string(getX509CNString(X509_get_issuer_name(x509))) << "\"" << std::endl; +#endif return false ; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L std::string sslcn = getX509CNString(x509->cert_info->subject); +#else + std::string sslcn = getX509CNString(X509_get_subject_name(x509)); +#endif RsPeerId sslid ; getX509id(x509,sslid); if(sslid.isNull()) { - std::cerr << "verify_x509_callback(): wrong SSL id \"" << std::string(getX509CNString(x509->cert_info->subject)) << "\"" << std::endl; + std::cerr << "verify_x509_callback(): wrong PGP id \"" << sslcn << "\"" << std::endl; return false ; } @@ -1185,7 +1262,11 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx) std::cerr << "(WW) Certificate was rejected because authentication failed. Diagnostic = " << auth_diagnostic << std::endl; return false; } - RsPgpId pgpid = RsPgpId(std::string(getX509CNString(X509_STORE_CTX_get_current_cert(ctx)->cert_info->issuer))); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + RsPgpId pgpid(std::string(getX509CNString(X509_STORE_CTX_get_current_cert(ctx)->cert_info->issuer))); +#else + RsPgpId pgpid(std::string(getX509CNString(X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx))))); +#endif if (pgpid != AuthGPG::getAuthGPG()->getGPGOwnId() && !AuthGPG::getAuthGPG()->isGPGAccepted(pgpid)) { 
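Review bot: The rewritten message in the `sslid.isNull()` branch of verify_x509_callback now reads "wrong PGP id" although it reports a bad SSL id (the removed line said "wrong SSL id"), which will mislead anyone reading the log of a rejected connection. It should stay `std::cerr << "verify_x509_callback(): wrong SSL id \"" << sslcn << "\"" << std::endl;`. The function body starts and ends outside the hunk.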
@@ -1258,15 +1339,18 @@ bool AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen, #endif return false; } else { +#if OPENSSL_VERSION_NUMBER < 0x10100000L public_key = mCerts[peerId]->certificate->cert_info->key->pkey; +#else + public_key = X509_get0_pubkey(mCerts[peerId]->certificate) ; +#endif } } - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); int eklen, net_ekl; unsigned char *ek; unsigned char iv[EVP_MAX_IV_LENGTH]; - EVP_CIPHER_CTX_init(&ctx); int out_currOffset = 0; int out_offset = 0; @@ -1283,7 +1367,7 @@ bool AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen, int max_outlen = inlen + cipher_block_size + EVP_MAX_IV_LENGTH + max_evp_key_size + size_net_ekl; // intialize context and send store encrypted cipher in ek - if(!EVP_SealInit(&ctx, EVP_aes_128_cbc(), &ek, &eklen, iv, &public_key, 1)) { + if(!EVP_SealInit(ctx, EVP_aes_128_cbc(), &ek, &eklen, iv, &public_key, 1)) { free(ek); return false; } @@ -1307,7 +1391,7 @@ bool AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen, out_offset += EVP_MAX_IV_LENGTH; // now encrypt actual data - if(!EVP_SealUpdate(&ctx, (unsigned char*) out + out_offset, &out_currOffset, (unsigned char*) in, inlen)) { + if(!EVP_SealUpdate(ctx, (unsigned char*) out + out_offset, &out_currOffset, (unsigned char*) in, inlen)) { free(ek); free(out); out = NULL; @@ -1318,7 +1402,7 @@ bool AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen, out_offset += out_currOffset; // add padding - if(!EVP_SealFinal(&ctx, (unsigned char*) out + out_offset, &out_currOffset)) { + if(!EVP_SealFinal(ctx, (unsigned char*) out + out_offset, &out_currOffset)) { free(ek); free(out) ; out = NULL; @@ -1334,7 +1418,7 @@ bool AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen, // free encrypted key data free(ek); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); outlen = out_offset; 
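Review bot: In AuthSSLimpl::encrypt `ctx` is now heap-allocated by `EVP_CIPHER_CTX_new()` but released only on the success path, so each early `return false` visible in the following hunks (after `EVP_SealInit`, `EVP_SealUpdate` and `EVP_SealFinal`) leaks a cipher context, and the allocation itself is never checked for NULL. AuthSSLimpl::decrypt has the same problem, including the `return false` after the failed `ek` allocation, and its failing paths are presumably reached by malformed input, so the leak there can accumulate on bad data. Either add `EVP_CIPHER_CTX_free(ctx);` before every `return false`, or let a scoped owner do it: `std::unique_ptr<EVP_CIPHER_CTX, decltype(&EVP_CIPHER_CTX_free)> ctx(EVP_CIPHER_CTX_new(), &EVP_CIPHER_CTX_free);` and pass `ctx.get()` to the EVP calls.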
@@ -1358,7 +1442,7 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) // out = malloc(inlen); // memcpy(out, in, inlen); // outlen = inlen; - EVP_CIPHER_CTX ctx; + EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); int eklen = 0, net_ekl = 0; unsigned char *ek = NULL; unsigned char iv[EVP_MAX_IV_LENGTH]; @@ -1370,7 +1454,6 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) std::cerr << "(EE) Cannot allocate memory for " << ek_mkl << " bytes in " << __PRETTY_FUNCTION__ << std::endl; return false ; } - EVP_CIPHER_CTX_init(&ctx); int in_offset = 0, out_currOffset = 0; int size_net_ekl = sizeof(net_ekl); @@ -1402,7 +1485,7 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) const EVP_CIPHER* cipher = EVP_aes_128_cbc(); - if(0 == EVP_OpenInit(&ctx, cipher, ek, eklen, iv, mOwnPrivateKey)) { + if(0 == EVP_OpenInit(ctx, cipher, ek, eklen, iv, mOwnPrivateKey)) { free(ek); return false; } @@ -1414,7 +1497,7 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) free(ek) ; return false ; } - if(!EVP_OpenUpdate(&ctx, (unsigned char*) out, &out_currOffset, (unsigned char*)in + in_offset, inlen - in_offset)) { + if(!EVP_OpenUpdate(ctx, (unsigned char*) out, &out_currOffset, (unsigned char*)in + in_offset, inlen - in_offset)) { free(ek); free(out) ; out = NULL; @@ -1424,7 +1507,7 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) in_offset += out_currOffset; outlen += out_currOffset; - if(!EVP_OpenFinal(&ctx, (unsigned char*)out + out_currOffset, &out_currOffset)) { + if(!EVP_OpenFinal(ctx, (unsigned char*)out + out_currOffset, &out_currOffset)) { free(ek); free(out) ; out = NULL; 
@@ -1436,7 +1519,7 @@ bool AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen) if(ek != NULL) free(ek); - EVP_CIPHER_CTX_cleanup(&ctx); + EVP_CIPHER_CTX_free(ctx); #ifdef AUTHSSL_DEBUG std::cerr << "AuthSSLimpl::decrypt() finished with outlen : " << outlen << std::endl; diff --git a/libretroshare/src/pqi/pqissl.cc b/libretroshare/src/pqi/pqissl.cc index 795691586..b7709bb82 100644 --- a/libretroshare/src/pqi/pqissl.cc +++ b/libretroshare/src/pqi/pqissl.cc @@ -361,7 +361,11 @@ void pqissl::getCryptoParams(RsPeerCryptoParams& params) bool pqissl::actAsServer() { +#if OPENSSL_VERSION_NUMBER < 0x10100000L return (bool)ssl_connection->server; +#else + return (bool)SSL_is_server(ssl_connection); +#endif } /* returns ... @@ -1226,8 +1230,13 @@ int pqissl::Extract_Failed_SSL_Certificate() RsPeerId sslid ; getX509id(peercert, sslid) ; +#if OPENSSL_VERSION_NUMBER < 0x10100000L RsPgpId gpgid(getX509CNString(peercert->cert_info->issuer)); std::string sslcn = getX509CNString(peercert->cert_info->subject); +#else + RsPgpId gpgid(getX509CNString(X509_get_issuer_name(peercert))); + std::string sslcn = getX509CNString(X509_get_subject_name(peercert)); +#endif AuthSSL::getAuthSSL()->FailedCertificate(peercert, gpgid,sslid,sslcn,remote_addr, false); mLinkMgr->notifyDeniedConnection(gpgid, sslid, sslcn, remote_addr, false); diff --git a/libretroshare/src/pqi/pqissllistener.cc b/libretroshare/src/pqi/pqissllistener.cc index 189eb5dce..9c2040247 100644 --- a/libretroshare/src/pqi/pqissllistener.cc +++ b/libretroshare/src/pqi/pqissllistener.cc 
@@ -494,8 +494,13 @@ int pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool #endif if(x509 != NULL) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L incoming_connexion_info.gpgid = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer))); incoming_connexion_info.sslcn = getX509CNString(x509->cert_info->subject); +#else + incoming_connexion_info.gpgid = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509)))); + incoming_connexion_info.sslcn = getX509CNString(X509_get_subject_name(x509)); +#endif getX509id(x509,incoming_connexion_info.sslid); @@ -888,7 +893,11 @@ int pqissllistener::completeConnection(int fd, IncomingSSLInfo& info) AuthSSL::getAuthSSL()->CheckCertificate(newPeerId, peercert); /* now need to get GPG id too */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L RsPgpId pgpid(std::string(getX509CNString(peercert->cert_info->issuer))); +#else + RsPgpId pgpid(std::string(getX509CNString(X509_get_issuer_name(peercert)))); +#endif mPeerMgr->addFriend(newPeerId, pgpid); X509_free(peercert); diff --git a/libretroshare/src/pqi/pqistreamer.cc b/libretroshare/src/pqi/pqistreamer.cc index 76f5b1581..626f1db76 100644 --- a/libretroshare/src/pqi/pqistreamer.cc +++ b/libretroshare/src/pqi/pqistreamer.cc @@ -26,6 +26,7 @@ #include "pqi/pqistreamer.h" +#include // for gettimeofday #include // for free, realloc, exit #include // for memcpy, memset, memcmp #include // for NULL, time, time_t diff --git a/libretroshare/src/pqi/sslfns.cc b/libretroshare/src/pqi/sslfns.cc index 07ec804a2..7cf742956 100644 --- a/libretroshare/src/pqi/sslfns.cc +++ b/libretroshare/src/pqi/sslfns.cc @@ -242,6 +242,7 @@ X509_REQ *GenerateX509Req( #define SERIAL_RAND_BITS 64 +#ifdef UNUSED_CODE X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, long days) { const EVP_MD *digest = EVP_sha1(); 
@@ -369,6 +370,7 @@ X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, l return x509; } +#endif /********************************************************************************/ /********************************************************************************/ @@ -600,7 +602,14 @@ bool getX509id(X509 *x509, RsPeerId& xid) } // get the signature from the cert, and copy to the array. +#if OPENSSL_VERSION_NUMBER < 0x10100000L ASN1_BIT_STRING *signature = x509->signature; +#else + const ASN1_BIT_STRING *signature = NULL ; + const X509_ALGOR *algor ; + + X509_get0_signature(&signature,&algor,x509); +#endif int signlen = ASN1_STRING_length(signature); if (signlen < CERTSIGNLEN) { @@ -612,12 +621,14 @@ bool getX509id(X509 *x509, RsPeerId& xid) } // else copy in the first CERTSIGNLEN. - unsigned char *signdata = ASN1_STRING_data(signature); + unsigned char *signdata = ASN1_STRING_data(const_cast(signature)); /* switched to the other end of the signature. for * more randomness */ +#warning this is cryptographically horrible. We should do a hash of the public key here!!! + xid = RsPeerId(&signdata[signlen - CERTSIGNLEN]) ; //for(int i = signlen - CERTSIGNLEN; i < signlen; i++) @@ -689,8 +700,13 @@ int LoadCheckX509(const char *cert_file, RsPgpId& issuerName, std::string &locat if (valid) { // extract the name. +#if OPENSSL_VERSION_NUMBER < 0x10100000L issuerName = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer))); location = getX509LocString(x509->cert_info->subject); +#else + issuerName = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509)))); + location = getX509LocString(X509_get_subject_name(x509)); +#endif } #ifdef AUTHSSL_DEBUG diff --git a/libretroshare/src/util/rsaes.cc b/libretroshare/src/util/rsaes.cc index 1703c4d77..7be5175f9 100644 --- a/libretroshare/src/util/rsaes.cc +++ b/libretroshare/src/util/rsaes.cc 
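Review bot: In getX509id (hunk @@ -612) the `const_cast` on `signature` exists only to undo the const that `X509_get0_signature` hands back, and `ASN1_STRING_data` is deprecated from OpenSSL 1.1.0 on. For the 1.1.0 build `const unsigned char *signdata = ASN1_STRING_get0_data(signature);` avoids both, provided the `RsPeerId` constructor accepts a const pointer. The added `#warning` records that the peer id is taken from the tail of the certificate signature rather than from a hash of the public key; `#warning` is a compiler extension that fires on every build, so a tracked comment such as `// TODO(security): derive the peer id from a hash of the public key, not from signature bytes` carries the same information without breaking `-Werror` or other compilers.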
@@ -52,9 +52,8 @@ bool RsAES::aes_crypt_8_16(const uint8_t *input_data,uint32_t input_data_length, return false ; } - EVP_CIPHER_CTX e_ctx ; - EVP_CIPHER_CTX_init(&e_ctx); - EVP_EncryptInit_ex(&e_ctx, EVP_aes_256_cbc(), NULL, key, iv); + EVP_CIPHER_CTX *e_ctx = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv); /* max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE -1 bytes */ int c_len = input_data_length + AES_BLOCK_SIZE ; @@ -62,31 +61,31 @@ bool RsAES::aes_crypt_8_16(const uint8_t *input_data,uint32_t input_data_length, if(output_data_length < (uint32_t)c_len) { - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return false ; } /* update ciphertext, c_len is filled with the length of ciphertext generated, *len is the size of plaintext in bytes */ - if(!EVP_EncryptUpdate(&e_ctx, output_data, &c_len, input_data, input_data_length)) + if(!EVP_EncryptUpdate(e_ctx, output_data, &c_len, input_data, input_data_length)) { std::cerr << "RsAES: decryption failed at end. Check padding." << std::endl; - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return false ; } /* update ciphertext with the final remaining bytes */ - if(!EVP_EncryptFinal_ex(&e_ctx, output_data+c_len, &f_len)) + if(!EVP_EncryptFinal_ex(e_ctx, output_data+c_len, &f_len)) { std::cerr << "RsAES: decryption failed at end. Check padding." << std::endl; - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return false ; } output_data_length = c_len + f_len; - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return true; } 
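Review bot: `EVP_CIPHER_CTX_new()` in aes_crypt_8_16 can return NULL, and `e_ctx` is handed to `EVP_EncryptInit_ex` without a check, whose own return value is ignored as well. Suggest `if(e_ctx == NULL) return false;` right after the allocation and `if(!EVP_EncryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv)) { EVP_CIPHER_CTX_free(e_ctx); return false; }`. aes_decrypt_8_16 needs the same two checks around `EVP_DecryptInit_ex`.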
@@ -108,9 +107,8 @@ bool RsAES::aes_decrypt_8_16(const uint8_t *input_data,uint32_t input_data_lengt return false ; } - EVP_CIPHER_CTX e_ctx ; - EVP_CIPHER_CTX_init(&e_ctx); - EVP_DecryptInit_ex(&e_ctx, EVP_aes_256_cbc(), NULL, key, iv); + EVP_CIPHER_CTX *e_ctx = EVP_CIPHER_CTX_new(); + EVP_DecryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv); /* max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE -1 bytes */ int c_len = input_data_length + AES_BLOCK_SIZE ; @@ -118,7 +116,7 @@ bool RsAES::aes_decrypt_8_16(const uint8_t *input_data,uint32_t input_data_lengt if(output_data_length < (uint32_t)c_len) { - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return false ; } @@ -127,24 +125,24 @@ bool RsAES::aes_decrypt_8_16(const uint8_t *input_data,uint32_t input_data_lengt /* update ciphertext, c_len is filled with the length of ciphertext generated, *len is the size of plaintext in bytes */ - if(! EVP_DecryptUpdate(&e_ctx, output_data, &c_len, input_data, input_data_length)) + if(! EVP_DecryptUpdate(e_ctx, output_data, &c_len, input_data, input_data_length)) { std::cerr << "RsAES: decryption failed." << std::endl; - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return false ; } /* update ciphertext with the final remaining bytes */ - if(!EVP_DecryptFinal_ex(&e_ctx, output_data+c_len, &f_len)) + if(!EVP_DecryptFinal_ex(e_ctx, output_data+c_len, &f_len)) { std::cerr << "RsAES: decryption failed at end. Check padding." << std::endl; - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return false ; } output_data_length = c_len + f_len; - EVP_CIPHER_CTX_cleanup(&e_ctx) ; + EVP_CIPHER_CTX_free(e_ctx) ; return true; } diff --git a/libretroshare/src/util/rsrecogn.cc b/libretroshare/src/util/rsrecogn.cc index f7c51b9e9..f42a4dd6f 100644 --- a/libretroshare/src/util/rsrecogn.cc +++ b/libretroshare/src/util/rsrecogn.cc 
@@ -28,6 +28,7 @@ #include "util/rsrecogn.h" #include "util/radix64.h" #include "util/rsstring.h" +#include "util/rsdir.h" #include "gxs/gxssecurity.h" @@ -507,9 +508,23 @@ bool RsRecogn::itemToRadix64(RsItem *item, std::string &radstr) std::string RsRecogn::getRsaKeyId(RSA *pubkey) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L int len = BN_num_bytes(pubkey -> n); unsigned char tmp[len]; BN_bn2bin(pubkey -> n, tmp); +#else + const BIGNUM *nn=NULL ; + RSA_get0_key(pubkey,&nn,NULL,NULL) ; + + int len = BN_num_bytes(nn); + unsigned char tmp[len]; + BN_bn2bin(nn, tmp); +#endif + + return RsDirUtil::sha1sum(tmp,len).toStdString(); + +#ifdef OLD_VERSION_REMOVED + // (cyril) I removed this because this is cryptographically insane, as it allows to easily forge a RSA key with the same ID. // copy first CERTSIGNLEN bytes... if (len > CERTSIGNLEN) @@ -524,6 +539,7 @@ std::string RsRecogn::getRsaKeyId(RSA *pubkey) } return id; +#endif } diff --git a/retroshare.pri b/retroshare.pri index 498131aea..7642acc88 100644 --- a/retroshare.pri +++ b/retroshare.pri @@ -60,6 +60,9 @@ rs_nodeprecatedwarning:CONFIG -= no_rs_nodeprecatedwarning CONFIG *= no_rs_nocppwarning rs_nocppwarning:CONFIG -= no_rs_nocppwarning +INCLUDEPATH += /usr/local/openssl/include +LIBS += -L/usr/local/openssl/lib + unix { isEmpty(PREFIX) { PREFIX = "/usr" } isEmpty(BIN_DIR) { BIN_DIR = "$${PREFIX}/bin" }
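Review bot: In RsRecogn::getRsaKeyId the new `return RsDirUtil::sha1sum(tmp,len).toStdString();` sits outside the version check, so this compilation fix also changes the key id format for every build; ids computed by the old truncation will presumably no longer match, which deserves a line in the commit message and a check of anything that stores or compares these ids. `unsigned char tmp[len]` is a variable-length array, a compiler extension in C++, sized from the key; `std::vector<unsigned char> tmp(len);` with `BN_bn2bin(nn, &tmp[0]);` is safer. `RSA_get0_key` leaves `nn` NULL when the key has no modulus, so a guard such as `if(nn == NULL) return std::string();` before `BN_num_bytes(nn)` is worth adding. The old body kept after the return under `#ifdef OLD_VERSION_REMOVED` is unreachable and can be deleted.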
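Review bot: The two lines added to retroshare.pri hard-code `/usr/local/openssl/include` and `-L/usr/local/openssl/lib` for every platform and every builder, outside the `unix { }` scope and without any option guarding them. On a machine where that directory holds a different OpenSSL, the build can silently pick up its headers or libraries instead of the intended ones; elsewhere the paths are dead configuration. I would make this opt-in, for example with a builder-supplied variable (name here is only a suggestion): `!isEmpty(OPENSSL_PREFIX) { INCLUDEPATH += $$OPENSSL_PREFIX/include` and `LIBS += -L$$OPENSSL_PREFIX/lib }`, or keep the paths in a local, uncommitted configuration file.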