OpenSSL: don't use direct access to the internal of DSA
authorEmmanuel Deloget <logout@free.fr>
Mon, 12 Jun 2017 13:43:26 +0000 (15:43 +0200)
committerGert Doering <gert@greenie.muc.de>
Sun, 18 Jun 2017 10:16:16 +0000 (12:16 +0200)
OpenSSL 1.1 does not allow us to directly access the internals of
any data type, including DSA. We have to use the defined accessor
functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <logout@free.fr>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <20170612134330.20971-5-logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14791.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit c07c0358b553c519ed9d80e2e0a9ba48ca8850e4)

configure.ac
src/openvpn/openssl_compat.h
src/openvpn/ssl_openssl.c

index 5f7b4f0aa03d8e0855ae7c7efcef10663ff7c759..6af96b8cea00acbb6a923fa84445474fdb064e48 100644 (file)
@@ -912,6 +912,8 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
                        RSA_bits \
                        RSA_get0_key \
                        RSA_set0_key \
+                       DSA_get0_pqg \
+                       DSA_bits \
                        RSA_meth_new \
                        RSA_meth_free \
                        RSA_meth_set_pub_enc \
index e3f20b739e0f3f099ae829dff3940d038ab71ac5..729fab6c56f81a3f59c0b298be75d88cb260dd0a 100644 (file)
@@ -275,6 +275,50 @@ RSA_bits(const RSA *rsa)
 }
 #endif
 
+#if !defined(HAVE_DSA_GET0_PQG)
+/**
+ * Get the DSA parameters
+ *
+ * @param dsa                 The DSA object
+ * @param p                   The @c p parameter
+ * @param q                   The @c q parameter
+ * @param g                   The @c g parameter
+ */
+static inline void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p,
+             const BIGNUM **q, const BIGNUM **g)
+{
+    if (p != NULL)
+    {
+        *p = dsa ? dsa->p : NULL;
+    }
+    if (q != NULL)
+    {
+        *q = dsa ? dsa->q : NULL;
+    }
+    if (g != NULL)
+    {
+        *g = dsa ? dsa->g : NULL;
+    }
+}
+#endif
+
+#if !defined(HAVE_DSA_BITS)
+/**
+ * Number of significant DSA bits
+ *
+ * @param rsa                The DSA object ; shall not be NULL
+ * @return                   The number of DSA bits or 0 on error
+ */
+static inline int
+DSA_bits(const DSA *dsa)
+{
+    const BIGNUM *p = NULL;
+    DSA_get0_pqg(dsa, &p, NULL, NULL);
+    return p ? BN_num_bits(p) : 0;
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
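Review bot: The doc comment on the compat DSA_bits() documents a parameter `rsa` that does not exist — the signature declares `dsa` — so the line should read `@param dsa                 The DSA object ; shall not be NULL`. The "shall not be NULL" caveat is worth keeping even though this shim tolerates NULL (its DSA_get0_pqg returns a NULL `p` and the function then returns 0): when HAVE_DSA_GET0_PQG is set the library-provided accessor is used instead, and it may not be NULL-tolerant, so callers should not rely on the shim's leniency. It would also help to state that the value is `BN_num_bits(p)`, i.e. the size of the prime modulus, since that is what callers print as the key size.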
index 50ae29f971ae16e63f2fdd62f704c676990b7781..e589dcd9fe3037f02bbde29b820eacbed9d1dd22 100644 (file)
@@ -1692,11 +1692,11 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
                 openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
                                  RSA_bits(rsa));
             }
-            else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL
-                     && pkey->pkey.dsa->p != NULL)
+            else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL)
             {
+                DSA *dsa = EVP_PKEY_get0_DSA(pkey);
                 openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
-                                 BN_num_bits(pkey->pkey.dsa->p));
+                                 DSA_bits(dsa));
             }
             EVP_PKEY_free(pkey);
         }
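Review bot: The new DSA branch drops the old `pkey->pkey.dsa->p != NULL` guard without replacing it, so a DSA key whose parameters are absent now reaches DSA_bits(); with the compat shim that prints ", 0 bit DSA" where the old code printed nothing, and with a library DSA_bits() that does not NULL-check `p` it would presumably dereference NULL (a DSA SubjectPublicKeyInfo may legitimately omit its parameters, and this is peer-supplied certificate data). Keeping the parameter check via the accessor preserves the old behaviour on both library versions; EVP_PKEY_get0_DSA() is also called twice where the stored `dsa` could be reused. print_details() begins and ends outside this hunk.

```c
            else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL)
            {
                DSA *dsa = EVP_PKEY_get0_DSA(pkey);
                const BIGNUM *p = NULL;
                /* parameters may be absent (inherited); only report a size when p is present */
                DSA_get0_pqg(dsa, &p, NULL, NULL);
                if (p != NULL)
                {
                    openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
                                     BN_num_bits(p));
                }
            }
            /* … unchanged: EVP_PKEY_free(pkey) … */
```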