]> git.ipfire.org Git - ipfire-3.x.git/blame - sssd/patches/0001-crypto-Port-libcrypto-code-to-openssl-1.1.patch
projects / ipfire-3.x.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
git: Update to 2.23.0
[ipfire-3.x.git] / sssd / patches / 0001-crypto-Port-libcrypto-code-to-openssl-1.1.patch
CommitLineData
92ae11e3
SS		 1From 805494c6ffec6831753891c507a773f3e43b30e5 Mon Sep 17 00:00:00 2001
2From: Lukas Slebodnik <lslebodn@redhat.com>
3Date: Mon, 17 Oct 2016 15:44:20 +0200
4Subject: [PATCH 01/39] crypto: Port libcrypto code to openssl-1.1
5
6EVP_MD_CTX and EVP_CIPHER_CTX are opaque in openssl-1.1
7
8Reviewed-by: Tomas Mraz <tmraz@redhat.com>
9(cherry picked from commit 8f1316a0c677f211eaaa1346e21a03446b8c4fb1)
10(cherry picked from commit 81ebd058ab8f6ab08b05a7e35e04881812404d43)
11---
12 Makefile.am | 1 +
13 src/util/cert/libcrypto/cert.c | 23 ++++++--
14 src/util/crypto/libcrypto/crypto_hmac_sha1.c | 33 ++++++-----
15 src/util/crypto/libcrypto/crypto_nite.c | 76 +++++++++++++++----------
16 src/util/crypto/libcrypto/crypto_obfuscate.c | 32 +++++++----
17 src/util/crypto/libcrypto/crypto_sha512crypt.c | 77 +++++++++++++++-----------
18 src/util/crypto/libcrypto/sss_openssl.h | 39 +++++++++++++
19 7 files changed, 190 insertions(+), 91 deletions(-)
20 create mode 100644 src/util/crypto/libcrypto/sss_openssl.h
21
22diff --git a/Makefile.am b/Makefile.am
23index b5f300a37..3d3500918 100644
24--- a/Makefile.am
25+++ b/Makefile.am
26@@ -565,6 +565,7 @@ endif
27 dist_noinst_HEADERS = \
28 src/monitor/monitor.h \
29 src/util/crypto/sss_crypto.h \
30+ src/util/crypto/libcrypto/sss_openssl.h \
31 src/util/cert.h \
32 src/util/dlinklist.h \
33 src/util/debug.h \
34diff --git a/src/util/cert/libcrypto/cert.c b/src/util/cert/libcrypto/cert.c
35index a7752d7c1..aba598d7c 100644
36--- a/src/util/cert/libcrypto/cert.c
37+++ b/src/util/cert/libcrypto/cert.c
38@@ -182,6 +182,8 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
39 size_t c;
40 X509 *cert = NULL;
41 EVP_PKEY *cert_pub_key = NULL;
42+ const BIGNUM *n;
43+ const BIGNUM *e;
44 int modulus_len;
45 unsigned char modulus[OPENSSL_RSA_MAX_MODULUS_BITS/8];
46 int exponent_len;
47@@ -208,16 +210,29 @@ errno_t cert_to_ssh_key(TALLOC_CTX *mem_ctx, const char *ca_db,
48 goto done;
49 }
50
51- if (cert_pub_key->type != EVP_PKEY_RSA) {
52+ if (EVP_PKEY_base_id(cert_pub_key) != EVP_PKEY_RSA) {
53 DEBUG(SSSDBG_CRIT_FAILURE,
54 "Expected RSA public key, found unsupported [%d].\n",
55- cert_pub_key->type);
56+ EVP_PKEY_base_id(cert_pub_key));
57 ret = EINVAL;
58 goto done;
59 }
60
61- modulus_len = BN_bn2bin(cert_pub_key->pkey.rsa->n, modulus);
62- exponent_len = BN_bn2bin(cert_pub_key->pkey.rsa->e, exponent);
63+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
64+ RSA *rsa_pub_key = NULL;
65+ rsa_pub_key = EVP_PKEY_get0_RSA(cert_pub_key);
66+ if (rsa_pub_key == NULL) {
67+ ret = ENOMEM;
68+ goto done;
69+ }
70+
71+ RSA_get0_key(rsa_pub_key, &n, &e, NULL);
72+#else
73+ n = cert_pub_key->pkey.rsa->n;
74+ e = cert_pub_key->pkey.rsa->e;
75+#endif
76+ modulus_len = BN_bn2bin(n, modulus);
77+ exponent_len = BN_bn2bin(e, exponent);
78
79 size = SSH_RSA_HEADER_LEN + 3 * sizeof(uint32_t)
80 + modulus_len
81diff --git a/src/util/crypto/libcrypto/crypto_hmac_sha1.c b/src/util/crypto/libcrypto/crypto_hmac_sha1.c
82index 37d25794e..5a4ce356e 100644
83--- a/src/util/crypto/libcrypto/crypto_hmac_sha1.c
84+++ b/src/util/crypto/libcrypto/crypto_hmac_sha1.c
85@@ -24,6 +24,8 @@
86
87 #include <openssl/evp.h>
88
89+#include "sss_openssl.h"
90+
91 #define HMAC_SHA1_BLOCKSIZE 64
92
93 int sss_hmac_sha1(const unsigned char *key,
94@@ -33,23 +35,26 @@ int sss_hmac_sha1(const unsigned char *key,
95 unsigned char *out)
96 {
97 int ret;
98- EVP_MD_CTX ctx;
99+ EVP_MD_CTX *ctx;
100 unsigned char ikey[HMAC_SHA1_BLOCKSIZE], okey[HMAC_SHA1_BLOCKSIZE];
101 size_t i;
102 unsigned char hash[SSS_SHA1_LENGTH];
103 unsigned int res_len;
104
105- EVP_MD_CTX_init(&ctx);
106+ ctx = EVP_MD_CTX_new();
107+ if (ctx == NULL) {
108+ return ENOMEM;
109+ }
110
111 if (key_len > HMAC_SHA1_BLOCKSIZE) {
112 /* keys longer than blocksize are shortened */
113- if (!EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL)) {
114+ if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) {
115 ret = EIO;
116 goto done;
117 }
118
119- EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len);
120- EVP_DigestFinal_ex(&ctx, ikey, &res_len);
121+ EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len);
122+ EVP_DigestFinal_ex(ctx, ikey, &res_len);
123 memset(ikey + SSS_SHA1_LENGTH, 0, HMAC_SHA1_BLOCKSIZE - SSS_SHA1_LENGTH);
124 } else {
125 /* keys shorter than blocksize are zero-padded */
126@@ -63,25 +68,25 @@ int sss_hmac_sha1(const unsigned char *key,
127 ikey[i] ^= 0x36;
128 }
129
130- if (!EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL)) {
131+ if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) {
132 ret = EIO;
133 goto done;
134 }
135
136- EVP_DigestUpdate(&ctx, (const unsigned char *)ikey, HMAC_SHA1_BLOCKSIZE);
137- EVP_DigestUpdate(&ctx, (const unsigned char *)in, in_len);
138- EVP_DigestFinal_ex(&ctx, hash, &res_len);
139+ EVP_DigestUpdate(ctx, (const unsigned char *)ikey, HMAC_SHA1_BLOCKSIZE);
140+ EVP_DigestUpdate(ctx, (const unsigned char *)in, in_len);
141+ EVP_DigestFinal_ex(ctx, hash, &res_len);
142
143- if (!EVP_DigestInit_ex(&ctx, EVP_sha1(), NULL)) {
144+ if (!EVP_DigestInit_ex(ctx, EVP_sha1(), NULL)) {
145 ret = EIO;
146 goto done;
147 }
148
149- EVP_DigestUpdate(&ctx, (const unsigned char *)okey, HMAC_SHA1_BLOCKSIZE);
150- EVP_DigestUpdate(&ctx, (const unsigned char *)hash, SSS_SHA1_LENGTH);
151- EVP_DigestFinal_ex(&ctx, out, &res_len);
152+ EVP_DigestUpdate(ctx, (const unsigned char *)okey, HMAC_SHA1_BLOCKSIZE);
153+ EVP_DigestUpdate(ctx, (const unsigned char *)hash, SSS_SHA1_LENGTH);
154+ EVP_DigestFinal_ex(ctx, out, &res_len);
155 ret = EOK;
156 done:
157- EVP_MD_CTX_cleanup(&ctx);
158+ EVP_MD_CTX_free(ctx);
159 return ret;
160 }
161diff --git a/src/util/crypto/libcrypto/crypto_nite.c b/src/util/crypto/libcrypto/crypto_nite.c
162index fa267fbcc..de562f2d2 100644
163--- a/src/util/crypto/libcrypto/crypto_nite.c
164+++ b/src/util/crypto/libcrypto/crypto_nite.c
165@@ -33,6 +33,8 @@
166 #include <openssl/rand.h>
167 #include <openssl/crypto.h>
168
169+#include "sss_openssl.h"
170+
171 struct cipher_mech {
172 const EVP_CIPHER * (*cipher)(void);
173 const EVP_MD * (*digest)(void);
174@@ -47,9 +49,9 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
175 {
176 const EVP_CIPHER *cipher;
177 const EVP_MD *digest;
178- EVP_PKEY *hmackey;
179- EVP_CIPHER_CTX ctx;
180- EVP_MD_CTX mdctx;
181+ EVP_PKEY *hmackey = NULL;
182+ EVP_CIPHER_CTX *ctx;
183+ EVP_MD_CTX *mdctx = NULL;
184 uint8_t *out = NULL;
185 int evpkeylen;
186 int evpivlen;
187@@ -86,8 +88,13 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
188 RAND_bytes(out, evpivlen);
189 }
190
191- EVP_CIPHER_CTX_init(&ctx);
192- ret = EVP_EncryptInit_ex(&ctx, cipher, 0, key, evpivlen ? out : NULL);
193+ ctx = EVP_CIPHER_CTX_new();
194+ if (ctx == NULL) {
195+ ret = ENOMEM;
196+ goto done;
197+ }
198+
199+ ret = EVP_EncryptInit_ex(ctx, cipher, 0, key, evpivlen ? out : NULL);
200 if (ret != 1) {
201 ret = EFAULT;
202 goto done;
203@@ -95,7 +102,7 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
204
205 outlen = evpivlen;
206 tmplen = 0;
207- ret = EVP_EncryptUpdate(&ctx, out + outlen, &tmplen, plaintext, plainlen);
208+ ret = EVP_EncryptUpdate(ctx, out + outlen, &tmplen, plaintext, plainlen);
209 if (ret != 1) {
210 ret = EFAULT;
211 goto done;
212@@ -103,7 +110,7 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
213
214 outlen += tmplen;
215
216- ret = EVP_EncryptFinal_ex(&ctx, out + outlen, &tmplen);
217+ ret = EVP_EncryptFinal_ex(ctx, out + outlen, &tmplen);
218 if (ret != 1) {
219 ret = EFAULT;
220 goto done;
221@@ -113,28 +120,32 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
222
223 /* Then HMAC */
224
225- EVP_MD_CTX_init(&mdctx);
226+ mdctx = EVP_MD_CTX_new();
227+ if (mdctx == NULL) {
228+ ret = ENOMEM;
229+ goto done;
230+ }
231
232- ret = EVP_DigestInit_ex(&mdctx, digest, NULL);
233+ ret = EVP_DigestInit_ex(mdctx, digest, NULL);
234 if (ret != 1) {
235 ret = EFAULT;
236 goto done;
237 }
238
239- ret = EVP_DigestSignInit(&mdctx, NULL, digest, NULL, hmackey);
240+ ret = EVP_DigestSignInit(mdctx, NULL, digest, NULL, hmackey);
241 if (ret != 1) {
242 ret = EFAULT;
243 goto done;
244 }
245
246- ret = EVP_DigestSignUpdate(&mdctx, out, outlen);
247+ ret = EVP_DigestSignUpdate(mdctx, out, outlen);
248 if (ret != 1) {
249 ret = EFAULT;
250 goto done;
251 }
252
253 slen = hmaclen;
254- ret = EVP_DigestSignFinal(&mdctx, &out[outlen], &slen);
255+ ret = EVP_DigestSignFinal(mdctx, &out[outlen], &slen);
256 if (ret != 1) {
257 ret = EFAULT;
258 goto done;
259@@ -147,8 +158,8 @@ int sss_encrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
260 ret = EOK;
261
262 done:
263- EVP_MD_CTX_cleanup(&mdctx);
264- EVP_CIPHER_CTX_cleanup(&ctx);
265+ EVP_MD_CTX_free(mdctx);
266+ EVP_CIPHER_CTX_free(ctx);
267 EVP_PKEY_free(hmackey);
268 return ret;
269 }
270@@ -160,9 +171,9 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
271 {
272 const EVP_CIPHER *cipher;
273 const EVP_MD *digest;
274- EVP_PKEY *hmackey;
275- EVP_CIPHER_CTX ctx;
276- EVP_MD_CTX mdctx;
277+ EVP_PKEY *hmackey = NULL;
278+ EVP_CIPHER_CTX *ctx = NULL;
279+ EVP_MD_CTX *mdctx;
280 const uint8_t *iv = NULL;
281 uint8_t *out;
282 int evpkeylen;
283@@ -194,28 +205,32 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
284
285 /* First check HMAC */
286
287- EVP_MD_CTX_init(&mdctx);
288+ mdctx = EVP_MD_CTX_new();
289+ if (mdctx == NULL) {
290+ ret = ENOMEM;
291+ goto done;
292+ }
293
294- ret = EVP_DigestInit_ex(&mdctx, digest, NULL);
295+ ret = EVP_DigestInit_ex(mdctx, digest, NULL);
296 if (ret != 1) {
297 ret = EFAULT;
298 goto done;
299 }
300
301- ret = EVP_DigestSignInit(&mdctx, NULL, digest, NULL, hmackey);
302+ ret = EVP_DigestSignInit(mdctx, NULL, digest, NULL, hmackey);
303 if (ret != 1) {
304 ret = EFAULT;
305 goto done;
306 }
307
308- ret = EVP_DigestSignUpdate(&mdctx, ciphertext, cipherlen - hmaclen);
309+ ret = EVP_DigestSignUpdate(mdctx, ciphertext, cipherlen - hmaclen);
310 if (ret != 1) {
311 ret = EFAULT;
312 goto done;
313 }
314
315 slen = hmaclen;
316- ret = EVP_DigestSignFinal(&mdctx, out, &slen);
317+ ret = EVP_DigestSignFinal(mdctx, out, &slen);
318 if (ret != 1) {
319 ret = EFAULT;
320 goto done;
321@@ -233,14 +248,19 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
322 iv = ciphertext;
323 }
324
325- EVP_CIPHER_CTX_init(&ctx);
326- ret = EVP_DecryptInit_ex(&ctx, cipher, 0, key, iv);
327+ ctx = EVP_CIPHER_CTX_new();
328+ if (ctx == NULL) {
329+ ret = ENOMEM;
330+ goto done;
331+ }
332+
333+ ret = EVP_DecryptInit_ex(ctx, cipher, 0, key, iv);
334 if (ret != 1) {
335 ret = EFAULT;
336 goto done;
337 }
338
339- ret = EVP_DecryptUpdate(&ctx, out, &outlen,
340+ ret = EVP_DecryptUpdate(ctx, out, &outlen,
341 ciphertext + evpivlen,
342 cipherlen - evpivlen - hmaclen);
343 if (ret != 1) {
344@@ -248,7 +268,7 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
345 goto done;
346 }
347
348- ret = EVP_DecryptFinal_ex(&ctx, out + outlen, &tmplen);
349+ ret = EVP_DecryptFinal_ex(ctx, out + outlen, &tmplen);
350 if (ret != 1) {
351 ret = EFAULT;
352 goto done;
353@@ -261,8 +281,8 @@ int sss_decrypt(TALLOC_CTX *mem_ctx, enum encmethod enctype,
354 ret = EOK;
355
356 done:
357- EVP_MD_CTX_cleanup(&mdctx);
358- EVP_CIPHER_CTX_cleanup(&ctx);
359+ EVP_MD_CTX_free(mdctx);
360+ EVP_CIPHER_CTX_free(ctx);
361 EVP_PKEY_free(hmackey);
362 return ret;
363 }
364diff --git a/src/util/crypto/libcrypto/crypto_obfuscate.c b/src/util/crypto/libcrypto/crypto_obfuscate.c
365index 85de333ec..69b622e1d 100644
366--- a/src/util/crypto/libcrypto/crypto_obfuscate.c
367+++ b/src/util/crypto/libcrypto/crypto_obfuscate.c
368@@ -70,7 +70,7 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
369 enum obfmethod meth, char **obfpwd)
370 {
371 int ret;
372- EVP_CIPHER_CTX ctx;
373+ EVP_CIPHER_CTX *ctx;
374 struct crypto_mech_data *mech_props;
375 TALLOC_CTX *tmp_ctx = NULL;
376 unsigned char *keybuf;
377@@ -90,7 +90,11 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
378 return ENOMEM;
379 }
380
381- EVP_CIPHER_CTX_init(&ctx);
382+ ctx = EVP_CIPHER_CTX_new();
383+ if (ctx == NULL) {
384+ ret = ENOMEM;
385+ goto done;
386+ }
387
388 mech_props = get_crypto_mech_data(meth);
389 if (mech_props == NULL) {
390@@ -121,20 +125,20 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
391 goto done;
392 }
393
394- if (!EVP_EncryptInit_ex(&ctx, mech_props->cipher(), 0, keybuf, ivbuf)) {
395+ if (!EVP_EncryptInit_ex(ctx, mech_props->cipher(), 0, keybuf, ivbuf)) {
396 DEBUG(SSSDBG_CRIT_FAILURE, "Failure to initialize cipher contex\n");
397 ret = EIO;
398 goto done;
399 }
400
401 /* sample data we'll encrypt and decrypt */
402- if (!EVP_EncryptUpdate(&ctx, cryptotext, &ctlen, (const unsigned char*)password, plen)) {
403+ if (!EVP_EncryptUpdate(ctx, cryptotext, &ctlen, (const unsigned char *)password, plen)) {
404 DEBUG(SSSDBG_CRIT_FAILURE, "Cannot execute the encryption operation\n");
405 ret = EIO;
406 goto done;
407 }
408
409- if(!EVP_EncryptFinal_ex(&ctx, cryptotext+ctlen, &digestlen)) {
410+ if (!EVP_EncryptFinal_ex(ctx, cryptotext + ctlen, &digestlen)) {
411 DEBUG(SSSDBG_CRIT_FAILURE, "Cannot finialize the encryption operation\n");
412 ret = EIO;
413 goto done;
414@@ -185,7 +189,7 @@ int sss_password_encrypt(TALLOC_CTX *mem_ctx, const char *password, int plen,
415
416 done:
417 talloc_free(tmp_ctx);
418- EVP_CIPHER_CTX_cleanup(&ctx);
419+ EVP_CIPHER_CTX_free(ctx);
420 return ret;
421 }
422
423@@ -193,7 +197,7 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded,
424 char **password)
425 {
426 int ret;
427- EVP_CIPHER_CTX ctx;
428+ EVP_CIPHER_CTX *ctx;
429 TALLOC_CTX *tmp_ctx = NULL;
430 struct crypto_mech_data *mech_props;
431
432@@ -217,7 +221,11 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded,
433 return ENOMEM;
434 }
435
436- EVP_CIPHER_CTX_init(&ctx);
437+ ctx = EVP_CIPHER_CTX_new();
438+ if (ctx == NULL) {
439+ ret = ENOMEM;
440+ goto done;
441+ }
442
443 /* Base64 decode the incoming buffer */
444 obfbuf = sss_base64_decode(tmp_ctx, b64encoded, &obflen);
445@@ -276,18 +284,18 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded,
446 goto done;
447 }
448
449- if (!EVP_DecryptInit_ex(&ctx, mech_props->cipher(), 0, keybuf, ivbuf)) {
450+ if (!EVP_DecryptInit_ex(ctx, mech_props->cipher(), 0, keybuf, ivbuf)) {
451 ret = EIO;
452 goto done;
453 }
454
455 /* sample data we'll encrypt and decrypt */
456- if (!EVP_DecryptUpdate(&ctx, (unsigned char*)pwdbuf, &plainlen, cryptotext, ctsize)) {
457+ if (!EVP_DecryptUpdate(ctx, (unsigned char *)pwdbuf, &plainlen, cryptotext, ctsize)) {
458 ret = EIO;
459 goto done;
460 }
461
462- if(!EVP_DecryptFinal_ex(&ctx, (unsigned char*)pwdbuf+plainlen, &digestlen)) {
463+ if (!EVP_DecryptFinal_ex(ctx, (unsigned char *)pwdbuf + plainlen, &digestlen)) {
464 ret = EIO;
465 goto done;
466 }
467@@ -296,6 +304,6 @@ int sss_password_decrypt(TALLOC_CTX *mem_ctx, char *b64encoded,
468 ret = EOK;
469 done:
470 talloc_free(tmp_ctx);
471- EVP_CIPHER_CTX_cleanup(&ctx);
472+ EVP_CIPHER_CTX_free(ctx);
473 return ret;
474 }
475diff --git a/src/util/crypto/libcrypto/crypto_sha512crypt.c b/src/util/crypto/libcrypto/crypto_sha512crypt.c
476index 34547d08a..102356662 100644
477--- a/src/util/crypto/libcrypto/crypto_sha512crypt.c
478+++ b/src/util/crypto/libcrypto/crypto_sha512crypt.c
479@@ -28,6 +28,9 @@
480 #include <openssl/evp.h>
481 #include <openssl/rand.h>
482
483+#include "sss_openssl.h"
484+
485+
486 /* Define our magic string to mark salt for SHA512 "encryption" replacement. */
487 const char sha512_salt_prefix[] = "$6$";
488 #define SALT_PREF_SIZE (sizeof(sha512_salt_prefix) - 1)
489@@ -75,8 +78,8 @@ static int sha512_crypt_r(const char *key,
490 unsigned char alt_result[64] __attribute__((__aligned__(ALIGN64)));
491 size_t rounds = ROUNDS_DEFAULT;
492 bool rounds_custom = false;
493- EVP_MD_CTX alt_ctx;
494- EVP_MD_CTX ctx;
495+ EVP_MD_CTX *alt_ctx = NULL;
496+ EVP_MD_CTX *ctx;
497 size_t salt_len;
498 size_t key_len;
499 size_t cnt;
500@@ -125,75 +128,83 @@ static int sha512_crypt_r(const char *key,
501 salt = copied_salt = memcpy(tmp + ALIGN64 - PTR_2_INT(tmp) % ALIGN64, salt, salt_len);
502 }
503
504- EVP_MD_CTX_init(&ctx);
505+ ctx = EVP_MD_CTX_new();
506+ if (ctx == NULL) {
507+ ret = ENOMEM;
508+ goto done;
509+ }
510
511- EVP_MD_CTX_init(&alt_ctx);
512+ alt_ctx = EVP_MD_CTX_new();
513+ if (alt_ctx == NULL) {
514+ ret = ENOMEM;
515+ goto done;
516+ }
517
518 /* Prepare for the real work. */
519- if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) {
520+ if (!EVP_DigestInit_ex(ctx, EVP_sha512(), NULL)) {
521 ret = EIO;
522 goto done;
523 }
524
525 /* Add the key string. */
526- EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len);
527+ EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len);
528
529 /* The last part is the salt string. This must be at most 16
530 * characters and it ends at the first `$' character (for
531 * compatibility with existing implementations). */
532- EVP_DigestUpdate(&ctx, (const unsigned char *)salt, salt_len);
533+ EVP_DigestUpdate(ctx, (const unsigned char *)salt, salt_len);
534
535 /* Compute alternate SHA512 sum with input KEY, SALT, and KEY.
536 * The final result will be added to the first context. */
537- if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) {
538+ if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) {
539 ret = EIO;
540 goto done;
541 }
542
543 /* Add key. */
544- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len);
545+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len);
546
547 /* Add salt. */
548- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len);
549+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)salt, salt_len);
550
551 /* Add key again. */
552- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len);
553+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len);
554
555 /* Now get result of this (64 bytes) and add it to the other context. */
556- EVP_DigestFinal_ex(&alt_ctx, alt_result, &part);
557+ EVP_DigestFinal_ex(alt_ctx, alt_result, &part);
558
559 /* Add for any character in the key one byte of the alternate sum. */
560 for (cnt = key_len; cnt > 64; cnt -= 64) {
561- EVP_DigestUpdate(&ctx, alt_result, 64);
562+ EVP_DigestUpdate(ctx, alt_result, 64);
563 }
564- EVP_DigestUpdate(&ctx, alt_result, cnt);
565+ EVP_DigestUpdate(ctx, alt_result, cnt);
566
567 /* Take the binary representation of the length of the key and for every
568 * 1 add the alternate sum, for every 0 the key. */
569 for (cnt = key_len; cnt > 0; cnt >>= 1) {
570 if ((cnt & 1) != 0) {
571- EVP_DigestUpdate(&ctx, alt_result, 64);
572+ EVP_DigestUpdate(ctx, alt_result, 64);
573 } else {
574- EVP_DigestUpdate(&ctx, (const unsigned char *)key, key_len);
575+ EVP_DigestUpdate(ctx, (const unsigned char *)key, key_len);
576 }
577 }
578
579 /* Create intermediate result. */
580- EVP_DigestFinal_ex(&ctx, alt_result, &part);
581+ EVP_DigestFinal_ex(ctx, alt_result, &part);
582
583 /* Start computation of P byte sequence. */
584- if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) {
585+ if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) {
586 ret = EIO;
587 goto done;
588 }
589
590 /* For every character in the password add the entire password. */
591 for (cnt = 0; cnt < key_len; cnt++) {
592- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)key, key_len);
593+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)key, key_len);
594 }
595
596 /* Finish the digest. */
597- EVP_DigestFinal_ex(&alt_ctx, temp_result, &part);
598+ EVP_DigestFinal_ex(alt_ctx, temp_result, &part);
599
600 /* Create byte sequence P. */
601 cp = p_bytes = alloca(key_len);
602@@ -203,18 +214,18 @@ static int sha512_crypt_r(const char *key,
603 memcpy(cp, temp_result, cnt);
604
605 /* Start computation of S byte sequence. */
606- if (!EVP_DigestInit_ex(&alt_ctx, EVP_sha512(), NULL)) {
607+ if (!EVP_DigestInit_ex(alt_ctx, EVP_sha512(), NULL)) {
608 ret = EIO;
609 goto done;
610 }
611
612 /* For every character in the password add the entire salt. */
613 for (cnt = 0; cnt < 16 + alt_result[0]; cnt++) {
614- EVP_DigestUpdate(&alt_ctx, (const unsigned char *)salt, salt_len);
615+ EVP_DigestUpdate(alt_ctx, (const unsigned char *)salt, salt_len);
616 }
617
618 /* Finish the digest. */
619- EVP_DigestFinal_ex(&alt_ctx, temp_result, &part);
620+ EVP_DigestFinal_ex(alt_ctx, temp_result, &part);
621
622 /* Create byte sequence S. */
623 cp = s_bytes = alloca(salt_len);
624@@ -226,37 +237,37 @@ static int sha512_crypt_r(const char *key,
625 /* Repeatedly run the collected hash value through SHA512 to burn CPU cycles. */
626 for (cnt = 0; cnt < rounds; cnt++) {
627
628- if (!EVP_DigestInit_ex(&ctx, EVP_sha512(), NULL)) {
629+ if (!EVP_DigestInit_ex(ctx, EVP_sha512(), NULL)) {
630 ret = EIO;
631 goto done;
632 }
633
634 /* Add key or last result. */
635 if ((cnt & 1) != 0) {
636- EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len);
637+ EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len);
638 } else {
639- EVP_DigestUpdate(&ctx, alt_result, 64);
640+ EVP_DigestUpdate(ctx, alt_result, 64);
641 }
642
643 /* Add salt for numbers not divisible by 3. */
644 if (cnt % 3 != 0) {
645- EVP_DigestUpdate(&ctx, (const unsigned char *)s_bytes, salt_len);
646+ EVP_DigestUpdate(ctx, (const unsigned char *)s_bytes, salt_len);
647 }
648
649 /* Add key for numbers not divisible by 7. */
650 if (cnt % 7 != 0) {
651- EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len);
652+ EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len);
653 }
654
655 /* Add key or last result. */
656 if ((cnt & 1) != 0) {
657- EVP_DigestUpdate(&ctx, alt_result, 64);
658+ EVP_DigestUpdate(ctx, alt_result, 64);
659 } else {
660- EVP_DigestUpdate(&ctx, (const unsigned char *)p_bytes, key_len);
661+ EVP_DigestUpdate(ctx, (const unsigned char *)p_bytes, key_len);
662 }
663
664 /* Create intermediate result. */
665- EVP_DigestFinal_ex(&ctx, alt_result, &part);
666+ EVP_DigestFinal_ex(ctx, alt_result, &part);
667 }
668
669 /* Now we can construct the result string.
670@@ -318,8 +329,8 @@ done:
671 * to processes or reading core dumps cannot get any information. We do it
672 * in this way to clear correct_words[] inside the SHA512 implementation
673 * as well. */
674- EVP_MD_CTX_cleanup(&ctx);
675- EVP_MD_CTX_cleanup(&alt_ctx);
676+ EVP_MD_CTX_free(ctx);
677+ EVP_MD_CTX_free(alt_ctx);
678 if (p_bytes) memset(p_bytes, '\0', key_len);
679 if (s_bytes) memset(s_bytes, '\0', salt_len);
680 if (copied_key) memset(copied_key, '\0', key_len);
681diff --git a/src/util/crypto/libcrypto/sss_openssl.h b/src/util/crypto/libcrypto/sss_openssl.h
682new file mode 100644
683index 000000000..a2e2d8523
684--- /dev/null
685+++ b/src/util/crypto/libcrypto/sss_openssl.h
686@@ -0,0 +1,39 @@
687+/*
688+ Authors:
689+ Lukas Slebodnik <lslebodn@redhat.com>
690+
691+ Copyright (C) 2016 Red Hat
692+
693+ This program is free software; you can redistribute it and/or modify
694+ it under the terms of the GNU General Public License as published by
695+ the Free Software Foundation; either version 3 of the License, or
696+ (at your option) any later version.
697+
698+ This program is distributed in the hope that it will be useful,
699+ but WITHOUT ANY WARRANTY; without even the implied warranty of
700+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
701+ GNU General Public License for more details.
702+
703+ You should have received a copy of the GNU General Public License
704+ along with this program. If not, see <http://www.gnu.org/licenses/>.
705+*/
706+
707+#ifndef _SSS_LIBCRYTPO_SSS_OPENSSL_H_
708+#define _SSS_LIBCRYTPO_SSS_OPENSSL_H_
709+
710+#include <openssl/evp.h>
711+
712+#if OPENSSL_VERSION_NUMBER < 0x10100000L
713+
714+/* EVP_MD_CTX_create and EVP_MD_CTX_destroy are deprecated macros
715+ * in openssl-1.1 but openssl-1.0 does not know anything about
716+ * newly added functions EVP_MD_CTX_new, EVP_MD_CTX_free in 1.1
717+ */
718+
719+# define EVP_MD_CTX_new() EVP_MD_CTX_create()
720+# define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy((ctx))
721+
722+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
723+
724+
725+#endif /* _SSS_LIBCRYTPO_SSS_OPENSSL_H_ */
726--
7272.11.0
728
IPFire 3.x development tree