compilation fix for openssl-1.1.0 (pqissl+authssl part)

2025-01-14 08:59:50 -05:00 · 2017-02-19 22:38:02 +01:00 · 2017-02-19 22:38:02 +01:00 · 5c95b88095
commit 5c95b88095
parent 57bbd15893
9 changed files with 190 additions and 52 deletions
--- a/libretroshare/src/crypto/chacha20.cpp
+++ b/libretroshare/src/crypto/chacha20.cpp
@ -583,6 +583,9 @@ bool AEAD_chacha20_sha256(uint8_t key[32], uint8_t nonce[12],uint8_t *data,uint3
       HMAC_Update(hmac_ctx,aad,aad_size) ;
       HMAC_Update(hmac_ctx,data,data_size) ;
       HMAC_Final(hmac_ctx,computed_tag,&md_size) ;
       HMAC_CTX_free(hmac_ctx) ;
       hmac_ctx=NULL;
 #endif
       // decrypt
--- a/libretroshare/src/pqi/authssl.cc
+++ b/libretroshare/src/pqi/authssl.cc
@ -245,12 +245,18 @@ sslcert::sslcert(X509 *x509, const RsPeerId& pid)
 {
 	certificate = x509;
 	id = pid;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	name = getX509CNString(x509->cert_info->subject);
 	org = getX509OrgString(x509->cert_info->subject);
 	location = getX509LocString(x509->cert_info->subject);
 	email = "";
 	issuer = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer)));
 #else
 	name = getX509CNString(X509_get_subject_name(x509));
 	org = getX509OrgString(X509_get_subject_name(x509));
 	location = getX509LocString(X509_get_subject_name(x509));
 	issuer = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509))));
 #endif
 	email = "";
 	authed = false;
 }
@ -371,8 +377,17 @@ static  int initLib = 0;
 	if (dh)
 	{
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 		BN_hex2bn(&dh->p,dh_prime_4096_hex.c_str()) ;
 		BN_hex2bn(&dh->g,"5") ;
 #else
        BIGNUM *pp=NULL,*gg=NULL ;
        BN_hex2bn(&pp,dh_prime_4096_hex.c_str()) ;
        BN_hex2bn(&gg,"5");
        DH_set0_pqg(dh,pp,NULL,gg) ;
 #endif
 		std::cout.flush() ;
@ -776,47 +791,74 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/)
        std::cerr << "X509 Cert, prepared for signing" << std::endl;
        /*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/
        //
        // The code has been copied in order to use the PGP signing instead of supplying the
        // private EVP_KEY to ASN1_sign(), which would be another alternative.
        int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
        X509_ALGOR *algor1 = x509->cert_info->signature;
        X509_ALGOR *algor2 = x509->sig_alg;
        ASN1_BIT_STRING *signature = x509->signature;
        X509_CINF *data = x509->cert_info;
 #else
        const X509_ALGOR *algor1 = X509_get0_tbs_sigalg(x509) ;
        const X509_ALGOR *algor2 = NULL ;
        const ASN1_BIT_STRING *tmp_signature = NULL ;
        X509_get0_signature(&tmp_signature,&algor2,x509);
        ASN1_BIT_STRING *signature = const_cast<ASN1_BIT_STRING*>(tmp_signature);
 #endif
        //EVP_PKEY *pkey = NULL;
        const EVP_MD *type = EVP_sha1();
-        EVP_MD_CTX ctx;
+        EVP_MD_CTX *ctx = EVP_MD_CTX_new();
        unsigned char *p,*buf_in=NULL;
        unsigned char *buf_hashout=NULL,*buf_sigout=NULL;
        int inl=0,hashoutl=0;
        int sigoutl=0;
        X509_ALGOR *a;
-        EVP_MD_CTX_init(&ctx);
+        EVP_MD_CTX_init(ctx);
        /* FIX ALGORITHMS */
-        a = algor1;
+        a = const_cast<X509_ALGOR*>(algor1);
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
        ASN1_TYPE_free(a->parameter);
        a->parameter=ASN1_TYPE_new();
        a->parameter->type=V_ASN1_NULL;
        ASN1_OBJECT_free(a->algorithm);
        a->algorithm=OBJ_nid2obj(type->pkey_type);
 #else
        X509_ALGOR_set0(a,OBJ_nid2obj(EVP_MD_pkey_type(type)),V_ASN1_NULL,NULL);
 #endif
-        a = algor2;
+        a = const_cast<X509_ALGOR*>(algor2);
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
        ASN1_TYPE_free(a->parameter);
        a->parameter=ASN1_TYPE_new();
        a->parameter->type=V_ASN1_NULL;
        ASN1_OBJECT_free(a->algorithm);
-        a->algorithm=OBJ_nid2obj(type->pkey_type);
+		a->algorithm=OBJ_nid2obj(type->pkey_type);
 #else
        X509_ALGOR_set0(a,OBJ_nid2obj(EVP_MD_pkey_type(type)),V_ASN1_NULL,NULL);
 #endif
        std::cerr << "Algorithms Fixed" << std::endl;
        /* input buffer */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
        inl=i2d(data,NULL);
        buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl);
 #else
        inl=i2d_re_X509_tbs(x509,&buf_in) ;	// this does the i2d over x509->cert_info
 #endif
        hashoutl=EVP_MD_size(type);
        buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl);
@ -831,15 +873,17 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/)
                fprintf(stderr, "AuthSSLimpl::SignX509Req: ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE)\n");
                goto err;
                }
        p=buf_in;
        std::cerr << "Buffers Allocated" << std::endl;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
        p=buf_in;
        i2d(data,&p);
 #endif
        /* data in buf_in, ready to be hashed */
-        EVP_DigestInit_ex(&ctx,type, NULL);
+        EVP_DigestInit_ex(ctx,type, NULL);
-        EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl);
+        EVP_DigestUpdate(ctx,(unsigned char *)buf_in,inl);
-        if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout,
+        if (!EVP_DigestFinal(ctx,(unsigned char *)buf_hashout,
                        (unsigned int *)&hashoutl))
                {
                hashoutl=0;
@ -879,6 +923,8 @@ X509 *AuthSSLimpl::SignX509ReqWithGPG(X509_REQ *req, long /*days*/)
        std::cerr << "Certificate Complete" << std::endl;
        EVP_MD_CTX_free(ctx) ;
        return x509;
 	/* XXX CLEANUP */
@ -915,7 +961,11 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic)
 	}
 	/* extract CN for peer Id */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	RsPgpId issuer(std::string(getX509CNString(x509->cert_info->issuer)));
 #else
 	RsPgpId issuer(std::string(getX509CNString(X509_get_issuer_name(x509))));
 #endif
 	RsPeerDetails pd;
 #ifdef AUTHSSL_DEBUG
 	std::cerr << "Checking GPG issuer : " << issuer.toStdString() << std::endl ;
@ -930,22 +980,33 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic)
 	/*** NOW The Manual signing bit (HACKED FROM asn1/a_sign.c) ***/
 	int (*i2d)(X509_CINF*, unsigned char**) = i2d_X509_CINF;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	ASN1_BIT_STRING *signature = x509->signature;
 	X509_CINF *data = x509->cert_info;
 #else
 	const ASN1_BIT_STRING *signature = NULL ;
    const X509_ALGOR *algor2=NULL;
 	X509_get0_signature(&signature,&algor2,x509);
 #endif
 	const EVP_MD *type = EVP_sha1();
-	EVP_MD_CTX ctx;
+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 	unsigned char *p,*buf_in=NULL;
 	unsigned char *buf_hashout=NULL,*buf_sigout=NULL;
 	int inl=0,hashoutl=0;
 	int sigoutl=0;
 	//X509_ALGOR *a;
 	EVP_MD_CTX_init(&ctx);
 	/* input buffer */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	inl=i2d(data,NULL);
 	buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl);
 #else
 	inl=i2d_re_X509_tbs(x509,&buf_in) ;	// this does the i2d over x509->cert_info
 #endif
 	hashoutl=EVP_MD_size(type);
 	buf_hashout=(unsigned char *)OPENSSL_malloc((unsigned int)hashoutl);
@ -973,11 +1034,13 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic)
 	std::cerr << "Buffers Allocated" << std::endl;
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	i2d(data,&p);
 #endif
 	/* data in buf_in, ready to be hashed */
-	EVP_DigestInit_ex(&ctx,type, NULL);
+	EVP_DigestInit_ex(ctx,type, NULL);
-	EVP_DigestUpdate(&ctx,(unsigned char *)buf_in,inl);
+	EVP_DigestUpdate(ctx,(unsigned char *)buf_in,inl);
-	if (!EVP_DigestFinal(&ctx,(unsigned char *)buf_hashout,
+	if (!EVP_DigestFinal(ctx,(unsigned char *)buf_hashout,
 				(unsigned int *)&hashoutl))
 	{
 		hashoutl=0;
@ -1017,6 +1080,7 @@ bool AuthSSLimpl::AuthX509WithGPG(X509 *x509,uint32_t& diagnostic)
 #ifdef AUTHSSL_DEBUG
 	std::cerr << "AuthSSLimpl::AuthX509() X509 authenticated" << std::endl;
 #endif
    EVP_MD_CTX_free(ctx) ;
 	OPENSSL_free(buf_in) ;
 	OPENSSL_free(buf_hashout) ;
@ -1093,21 +1157,34 @@ static int verify_x509_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	if(x509 != NULL)
 	{
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 		RsPgpId gpgid (std::string(getX509CNString(x509->cert_info->issuer)));
 #else
 		RsPgpId gpgid (std::string(getX509CNString(X509_get_issuer_name(x509))));
 #endif
 		if(gpgid.isNull()) 
 		{
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 			std::cerr << "verify_x509_callback(): wrong PGP id \"" << std::string(getX509CNString(x509->cert_info->issuer)) << "\"" << std::endl;
 #else
 			std::cerr << "verify_x509_callback(): wrong PGP id \"" << std::string(getX509CNString(X509_get_issuer_name(x509))) << "\"" << std::endl;
 #endif
 			return false ;
 		}
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 		std::string sslcn = getX509CNString(x509->cert_info->subject);
 #else
 		std::string sslcn = getX509CNString(X509_get_subject_name(x509));
 #endif
 		RsPeerId sslid ;
 		getX509id(x509,sslid);
 		if(sslid.isNull()) 
 		{
-			std::cerr << "verify_x509_callback(): wrong SSL id \"" << std::string(getX509CNString(x509->cert_info->subject)) << "\"" << std::endl;
+			std::cerr << "verify_x509_callback(): wrong PGP id \"" << sslcn << "\"" << std::endl;
 			return false ;
 		}
@ -1185,7 +1262,11 @@ int AuthSSLimpl::VerifyX509Callback(int preverify_ok, X509_STORE_CTX *ctx)
            std::cerr << "(WW) Certificate was rejected because authentication failed. Diagnostic = " << auth_diagnostic << std::endl;
            return false;
        }
-        RsPgpId pgpid = RsPgpId(std::string(getX509CNString(X509_STORE_CTX_get_current_cert(ctx)->cert_info->issuer)));
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
        RsPgpId pgpid(std::string(getX509CNString(X509_STORE_CTX_get_current_cert(ctx)->cert_info->issuer)));
 #else
        RsPgpId pgpid(std::string(getX509CNString(X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)))));
 #endif
        if (pgpid != AuthGPG::getAuthGPG()->getGPGOwnId() && !AuthGPG::getAuthGPG()->isGPGAccepted(pgpid))
        {
@ -1258,15 +1339,18 @@ bool    AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen,
                #endif
                return false;
            } else {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
                public_key = mCerts[peerId]->certificate->cert_info->key->pkey;
 #else
                public_key = X509_get0_pubkey(mCerts[peerId]->certificate) ;
 #endif
            }
        }
-        EVP_CIPHER_CTX ctx;
+        EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
        int eklen, net_ekl;
        unsigned char *ek;
        unsigned char iv[EVP_MAX_IV_LENGTH];
        EVP_CIPHER_CTX_init(&ctx);
        int out_currOffset = 0;
        int out_offset = 0;
@ -1283,7 +1367,7 @@ bool    AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen,
        int max_outlen = inlen + cipher_block_size + EVP_MAX_IV_LENGTH + max_evp_key_size + size_net_ekl;
        // intialize context and send store encrypted cipher in ek
-        if(!EVP_SealInit(&ctx, EVP_aes_128_cbc(), &ek, &eklen, iv, &public_key, 1)) {
+        if(!EVP_SealInit(ctx, EVP_aes_128_cbc(), &ek, &eklen, iv, &public_key, 1)) {
            free(ek);
            return false;
        }
@ -1307,7 +1391,7 @@ bool    AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen,
    	out_offset += EVP_MAX_IV_LENGTH;
    	// now encrypt actual data
-        if(!EVP_SealUpdate(&ctx, (unsigned char*) out + out_offset, &out_currOffset, (unsigned char*) in, inlen)) {
+        if(!EVP_SealUpdate(ctx, (unsigned char*) out + out_offset, &out_currOffset, (unsigned char*) in, inlen)) {
            free(ek);
            free(out);
            out = NULL;
@ -1318,7 +1402,7 @@ bool    AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen,
    	out_offset += out_currOffset;
    	// add padding
-        if(!EVP_SealFinal(&ctx, (unsigned char*) out + out_offset, &out_currOffset)) {
+        if(!EVP_SealFinal(ctx, (unsigned char*) out + out_offset, &out_currOffset)) {
            free(ek);
 				free(out) ;
            out = NULL;
@ -1334,7 +1418,7 @@ bool    AuthSSLimpl::encrypt(void *&out, int &outlen, const void *in, int inlen,
    	// free encrypted key data
    	free(ek);
-        EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
    	outlen = out_offset;
@ -1358,7 +1442,7 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
 //        out = malloc(inlen);
 //        memcpy(out, in, inlen);
 //        outlen = inlen;
-        EVP_CIPHER_CTX ctx;
+        EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
        int eklen = 0, net_ekl = 0;
        unsigned char *ek = NULL;
        unsigned char iv[EVP_MAX_IV_LENGTH];
@ -1370,7 +1454,6 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
            std::cerr << "(EE) Cannot allocate memory for " << ek_mkl << " bytes in " << __PRETTY_FUNCTION__ << std::endl;
            return false ;
        }
        EVP_CIPHER_CTX_init(&ctx);
        int in_offset = 0, out_currOffset = 0;
        int size_net_ekl = sizeof(net_ekl);
@ -1402,7 +1485,7 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
        const EVP_CIPHER* cipher = EVP_aes_128_cbc();
-        if(0 == EVP_OpenInit(&ctx, cipher, ek, eklen, iv, mOwnPrivateKey)) {
+        if(0 == EVP_OpenInit(ctx, cipher, ek, eklen, iv, mOwnPrivateKey)) {
            free(ek);
            return false;
        }
@ -1414,7 +1497,7 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
            free(ek) ;
            return false ;
        }
-        if(!EVP_OpenUpdate(&ctx, (unsigned char*) out, &out_currOffset, (unsigned char*)in + in_offset, inlen - in_offset)) {
+        if(!EVP_OpenUpdate(ctx, (unsigned char*) out, &out_currOffset, (unsigned char*)in + in_offset, inlen - in_offset)) {
            free(ek);
 				free(out) ;
            out = NULL;
@ -1424,7 +1507,7 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
        in_offset += out_currOffset;
        outlen += out_currOffset;
-        if(!EVP_OpenFinal(&ctx, (unsigned char*)out + out_currOffset, &out_currOffset)) {
+        if(!EVP_OpenFinal(ctx, (unsigned char*)out + out_currOffset, &out_currOffset)) {
            free(ek);
 				free(out) ;
            out = NULL;
@ -1436,7 +1519,7 @@ bool    AuthSSLimpl::decrypt(void *&out, int &outlen, const void *in, int inlen)
        if(ek != NULL)
        	free(ek);
-        EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
 #ifdef AUTHSSL_DEBUG
 		  std::cerr << "AuthSSLimpl::decrypt() finished with outlen : " << outlen << std::endl;
--- a/libretroshare/src/pqi/pqissl.cc
+++ b/libretroshare/src/pqi/pqissl.cc
@ -361,7 +361,11 @@ void pqissl::getCryptoParams(RsPeerCryptoParams& params)
 bool pqissl::actAsServer()
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	return (bool)ssl_connection->server;
 #else
 	return (bool)SSL_is_server(ssl_connection);
 #endif
 }
 /* returns ...
@ -1226,8 +1230,13 @@ int 	pqissl::Extract_Failed_SSL_Certificate()
 	RsPeerId sslid ;
 	getX509id(peercert, sslid) ;
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	RsPgpId gpgid(getX509CNString(peercert->cert_info->issuer));
 	std::string sslcn = getX509CNString(peercert->cert_info->subject);
 #else
 	RsPgpId gpgid(getX509CNString(X509_get_issuer_name(peercert)));
 	std::string sslcn = getX509CNString(X509_get_subject_name(peercert));
 #endif
 	AuthSSL::getAuthSSL()->FailedCertificate(peercert, gpgid,sslid,sslcn,remote_addr, false);
 	mLinkMgr->notifyDeniedConnection(gpgid, sslid, sslcn, remote_addr, false);
--- a/libretroshare/src/pqi/pqissllistener.cc
+++ b/libretroshare/src/pqi/pqissllistener.cc
@ -494,8 +494,13 @@ int	pqissllistenbase::continueSSL(IncomingSSLInfo& incoming_connexion_info, bool
 #endif
    if(x509 != NULL)
    {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
        incoming_connexion_info.gpgid = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer)));
        incoming_connexion_info.sslcn = getX509CNString(x509->cert_info->subject);
 #else
        incoming_connexion_info.gpgid = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509))));
        incoming_connexion_info.sslcn = getX509CNString(X509_get_subject_name(x509));
 #endif
        getX509id(x509,incoming_connexion_info.sslid);
@ -888,7 +893,11 @@ int pqissllistener::completeConnection(int fd, IncomingSSLInfo& info)
 		AuthSSL::getAuthSSL()->CheckCertificate(newPeerId, peercert);
 		/* now need to get GPG id too */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 		RsPgpId pgpid(std::string(getX509CNString(peercert->cert_info->issuer)));
 #else
 		RsPgpId pgpid(std::string(getX509CNString(X509_get_issuer_name(peercert))));
 #endif
 		mPeerMgr->addFriend(newPeerId, pgpid);
 		X509_free(peercert);
--- a/libretroshare/src/pqi/pqistreamer.cc
+++ b/libretroshare/src/pqi/pqistreamer.cc
@ -26,6 +26,7 @@
 #include "pqi/pqistreamer.h"
 #include <sys/time.h>             // for gettimeofday
 #include <stdlib.h>               // for free, realloc, exit
 #include <string.h>               // for memcpy, memset, memcmp
 #include <time.h>                 // for NULL, time, time_t
--- a/libretroshare/src/pqi/sslfns.cc
+++ b/libretroshare/src/pqi/sslfns.cc
@ -242,6 +242,7 @@ X509_REQ *GenerateX509Req(
 #define SERIAL_RAND_BITS 	64
 #ifdef UNUSED_CODE
 X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, long days)
 {
 	const EVP_MD *digest = EVP_sha1();
@ -369,6 +370,7 @@ X509 *SignX509Certificate(X509_NAME *issuer, EVP_PKEY *privkey, X509_REQ *req, l
 	return x509;
 }
 #endif
 /********************************************************************************/
 /********************************************************************************/
@ -600,7 +602,14 @@ bool getX509id(X509 *x509, RsPeerId& xid)
 	}
 	// get the signature from the cert, and copy to the array.
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	ASN1_BIT_STRING *signature = x509->signature;
 #else
 	const ASN1_BIT_STRING *signature = NULL ;
    const X509_ALGOR *algor ;
    X509_get0_signature(&signature,&algor,x509);
 #endif
 	int signlen = ASN1_STRING_length(signature);
 	if (signlen < CERTSIGNLEN)
 	{
@ -612,12 +621,14 @@ bool getX509id(X509 *x509, RsPeerId& xid)
 	}
 	// else copy in the first CERTSIGNLEN.
-	unsigned char *signdata = ASN1_STRING_data(signature);
+	unsigned char *signdata = ASN1_STRING_data(const_cast<ASN1_BIT_STRING*>(signature));
 	/* switched to the other end of the signature. for
 	 * more randomness
 	 */
 #warning this is cryptographically horrible. We should do a hash of the public key here!!!
 	xid = RsPeerId(&signdata[signlen - CERTSIGNLEN]) ;
 	//for(int i = signlen - CERTSIGNLEN; i < signlen; i++)
@ -689,8 +700,13 @@ int	LoadCheckX509(const char *cert_file, RsPgpId& issuerName, std::string &locat
 	if (valid)
 	{
 		// extract the name.
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 		issuerName = RsPgpId(std::string(getX509CNString(x509->cert_info->issuer)));
 		location = getX509LocString(x509->cert_info->subject);
 #else
 		issuerName = RsPgpId(std::string(getX509CNString(X509_get_issuer_name(x509))));
 		location = getX509LocString(X509_get_subject_name(x509));
 #endif
 	}
 #ifdef AUTHSSL_DEBUG
--- a/libretroshare/src/util/rsaes.cc
+++ b/libretroshare/src/util/rsaes.cc
@ -52,9 +52,8 @@ bool RsAES::aes_crypt_8_16(const uint8_t *input_data,uint32_t input_data_length,
 		return false ;
 	}
-	EVP_CIPHER_CTX e_ctx ;
+	EVP_CIPHER_CTX *e_ctx = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_init(&e_ctx);
+	EVP_EncryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv);
 	EVP_EncryptInit_ex(&e_ctx, EVP_aes_256_cbc(), NULL, key, iv);
 	/* max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE -1 bytes */
 	int c_len = input_data_length + AES_BLOCK_SIZE ;
@ -62,31 +61,31 @@ bool RsAES::aes_crypt_8_16(const uint8_t *input_data,uint32_t input_data_length,
 	if(output_data_length < (uint32_t)c_len)
    {
-	    EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+	    EVP_CIPHER_CTX_free(e_ctx) ;
 	    return false ;
    }
 	/* update ciphertext, c_len is filled with the length of ciphertext generated,
 	 *len is the size of plaintext in bytes */
-	if(!EVP_EncryptUpdate(&e_ctx, output_data, &c_len, input_data, input_data_length))
+	if(!EVP_EncryptUpdate(e_ctx, output_data, &c_len, input_data, input_data_length))
 	{
 		std::cerr << "RsAES: decryption failed at end. Check padding." << std::endl;
-        	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+        	EVP_CIPHER_CTX_free(e_ctx) ;
 		return false ;
 	}
 	/* update ciphertext with the final remaining bytes */
-	if(!EVP_EncryptFinal_ex(&e_ctx, output_data+c_len, &f_len))
+	if(!EVP_EncryptFinal_ex(e_ctx, output_data+c_len, &f_len))
 	{
 		std::cerr << "RsAES: decryption failed at end. Check padding." << std::endl;
-        	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+        	EVP_CIPHER_CTX_free(e_ctx) ;
 		return false ;
 	}
 	output_data_length = c_len + f_len;
-	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+	EVP_CIPHER_CTX_free(e_ctx) ;
 	return true;
 }
@ -108,9 +107,8 @@ bool RsAES::aes_decrypt_8_16(const uint8_t *input_data,uint32_t input_data_lengt
 		return false ;
 	}
-	EVP_CIPHER_CTX e_ctx ;
+	EVP_CIPHER_CTX *e_ctx = EVP_CIPHER_CTX_new();
-	EVP_CIPHER_CTX_init(&e_ctx);
+	EVP_DecryptInit_ex(e_ctx, EVP_aes_256_cbc(), NULL, key, iv);
 	EVP_DecryptInit_ex(&e_ctx, EVP_aes_256_cbc(), NULL, key, iv);
 	/* max ciphertext len for a n bytes of plaintext is n + AES_BLOCK_SIZE -1 bytes */
 	int c_len = input_data_length + AES_BLOCK_SIZE ;
@ -118,7 +116,7 @@ bool RsAES::aes_decrypt_8_16(const uint8_t *input_data,uint32_t input_data_lengt
 	if(output_data_length < (uint32_t)c_len)
    {
-        	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+        	EVP_CIPHER_CTX_free(e_ctx) ;
 		return false ;
    }
@ -127,24 +125,24 @@ bool RsAES::aes_decrypt_8_16(const uint8_t *input_data,uint32_t input_data_lengt
 	/* update ciphertext, c_len is filled with the length of ciphertext generated,
 	 *len is the size of plaintext in bytes */
-	if(! EVP_DecryptUpdate(&e_ctx, output_data, &c_len, input_data, input_data_length))
+	if(! EVP_DecryptUpdate(e_ctx, output_data, &c_len, input_data, input_data_length))
 	{
 		std::cerr << "RsAES: decryption failed." << std::endl;
-        	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+        	EVP_CIPHER_CTX_free(e_ctx) ;
 		return false ;
 	}
 	/* update ciphertext with the final remaining bytes */
-	if(!EVP_DecryptFinal_ex(&e_ctx, output_data+c_len, &f_len))
+	if(!EVP_DecryptFinal_ex(e_ctx, output_data+c_len, &f_len))
 	{
 		std::cerr << "RsAES: decryption failed at end. Check padding." << std::endl;
-        	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+        	EVP_CIPHER_CTX_free(e_ctx) ;
 		return false ;
 	}
 	output_data_length = c_len + f_len;
-	EVP_CIPHER_CTX_cleanup(&e_ctx) ;
+	EVP_CIPHER_CTX_free(e_ctx) ;
 	return true;
 }
--- a/libretroshare/src/util/rsrecogn.cc
+++ b/libretroshare/src/util/rsrecogn.cc
@ -28,6 +28,7 @@
 #include "util/rsrecogn.h"
 #include "util/radix64.h"
 #include "util/rsstring.h"
 #include "util/rsdir.h"
 #include "gxs/gxssecurity.h"
@ -507,9 +508,23 @@ bool	RsRecogn::itemToRadix64(RsItem *item, std::string &radstr)
 std::string RsRecogn::getRsaKeyId(RSA *pubkey)
 {
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 	int len = BN_num_bytes(pubkey -> n);
 	unsigned char tmp[len];
 	BN_bn2bin(pubkey -> n, tmp);
 #else
    const BIGNUM *nn=NULL ;
    RSA_get0_key(pubkey,&nn,NULL,NULL) ;
 	int len = BN_num_bytes(nn);
 	unsigned char tmp[len];
 	BN_bn2bin(nn, tmp);
 #endif
    return RsDirUtil::sha1sum(tmp,len).toStdString();
 #ifdef OLD_VERSION_REMOVED
    // (cyril) I removed this because this is cryptographically insane, as it allows to easily forge a RSA key with the same ID.
 	// copy first CERTSIGNLEN bytes...
 	if (len > CERTSIGNLEN)
@ -524,6 +539,7 @@ std::string RsRecogn::getRsaKeyId(RSA *pubkey)
 	}
 	return id;
 #endif
 }
--- a/retroshare.pri
+++ b/retroshare.pri
@ -60,6 +60,9 @@ rs_nodeprecatedwarning:CONFIG -= no_rs_nodeprecatedwarning
 CONFIG *= no_rs_nocppwarning
 rs_nocppwarning:CONFIG -= no_rs_nocppwarning
 INCLUDEPATH += /usr/local/openssl/include
 LIBS += -L/usr/local/openssl/lib
 unix {
 	isEmpty(PREFIX)   { PREFIX   = "/usr" }
 	isEmpty(BIN_DIR)  { BIN_DIR  = "$${PREFIX}/bin" }