From: Mike Brady <4265913+mikebrady@users.noreply.github.com> Date: Sat, 10 Jun 2023 15:25:03 +0000 (+0100) Subject: replace some deprecated OpenSSL calls X-Git-Tag: 4.3~1^2~49 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97dd0b1eacb9e2855fb733a176e39fbef288896e;p=thirdparty%2Fshairport-sync.git replace some deprecated OpenSSL calls --- diff --git a/player.c b/player.c index 9d52c6ec..86837da6 100644 --- a/player.c +++ b/player.c @@ -57,7 +57,13 @@ #endif #ifdef CONFIG_OPENSSL -#include +#include // needed for BIO_new_mem_buf +// #include +#include // needed for older AES stuff +#include // needed for ERR_error_string, ERR_get_error +#include // needed for EVP_PKEY_CTX_new, EVP_PKEY_sign_init, EVP_PKEY_sign +#include // needed for PEM_read_bio_RSAPrivateKey, EVP_PKEY_CTX_set_rsa_padding +#include // needed for EVP_PKEY_CTX_set_rsa_padding #endif #ifdef CONFIG_SOXR @@ -190,6 +196,41 @@ void unencrypted_packet_decode(unsigned char *packet, int length, short *dest, i } } +#ifdef CONFIG_OPENSSL +// Thanks to +// https://stackoverflow.com/questions/27558625/how-do-i-use-aes-cbc-encrypt-128-openssl-properly-in-ubuntu +// for inspiration. Changed to a 128-bit key and no padding. + +int openssl_aes_decrypt_cbc(unsigned char *ciphertext, int ciphertext_len, unsigned char *key, + unsigned char *iv, unsigned char *plaintext) { + EVP_CIPHER_CTX *ctx; + int len; + int plaintext_len = 0; + ctx = EVP_CIPHER_CTX_new(); + if (ctx != NULL) { + if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, key, iv) == 1) { + EVP_CIPHER_CTX_set_padding(ctx, 0); // no padding -- always returns 1 + // no need to allow space for padding in the output, as padding is disabled + if (EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len) == 1) { + plaintext_len = len; + if (EVP_DecryptFinal_ex(ctx, plaintext + len, &len) == 1) { + plaintext_len += len; + } else { + debug(1, "EVP_DecryptFinal_ex error \"%s\".", ERR_error_string(ERR_get_error(), NULL)); + } + } else { + debug(1, "EVP_DecryptUpdate error \"%s\".", ERR_error_string(ERR_get_error(), NULL)); + } + } else { + debug(1, "EVP_DecryptInit_ex error \"%s\".", ERR_error_string(ERR_get_error(), NULL)); + } + EVP_CIPHER_CTX_free(ctx); + } else { + debug(1, "EVP_CIPHER_CTX_new error \"%s\".", ERR_error_string(ERR_get_error(), NULL)); + } + return plaintext_len; +} +#endif int audio_packet_decode(short *dest, int *destlen, uint8_t *buf, int len, rtsp_conn_info *conn) { // parameters: where the decoded stuff goes, its length in samples, // the incoming packet, the length of the incoming packet in bytes @@ -218,7 +259,7 @@ int audio_packet_decode(short *dest, int *destlen, uint8_t *buf, int len, rtsp_c aes_crypt_cbc(&conn->dctx, AES_DECRYPT, aeslen, iv, buf, packet); #endif #ifdef CONFIG_OPENSSL - AES_cbc_encrypt(buf, packet, aeslen, &conn->aes, iv, AES_DECRYPT); + openssl_aes_decrypt_cbc(buf, aeslen, conn->stream.aeskey, iv, packet); #endif memcpy(packet + aeslen, buf + aeslen, len - aeslen); unencrypted_packet_decode(packet, len, dest, &outsize, maximum_possible_outsize, conn); @@ -1923,10 +1964,6 @@ void *player_thread_func(void *arg) { memset(&conn->dctx, 0, sizeof(aes_context)); aes_setkey_dec(&conn->dctx, conn->stream.aeskey, 128); #endif - -#ifdef CONFIG_OPENSSL - AES_set_decrypt_key(conn->stream.aeskey, 128, &conn->aes); -#endif } conn->timestamp_epoch = 0; // indicate that the next timestamp will be the first one. diff --git a/player.h b/player.h index a35b54e6..55f77e2e 100644 --- a/player.h +++ b/player.h @@ -246,10 +246,6 @@ typedef struct { aes_context dctx; #endif -#ifdef CONFIG_OPENSSL - AES_KEY aes; -#endif - int amountStuffed; int32_t framesProcessedInThisEpoch;