From: Emmanuel Deloget
Date: Mon, 12 Jun 2017 13:43:24 +0000 (+0200)
Subject: OpenSSL: don't use direct access to the internal of EVP_PKEY
X-Git-Tag: v2.5_beta1~672
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b8ca5bc3593e539d0735a74b55ed41a792e55033;p=thirdparty%2Fopenvpn.git

OpenSSL: don't use direct access to the internal of EVP_PKEY

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including EVP_PKEY. We have to use the defined functions to do so. Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget
Acked-by: Steffan Karger
Message-Id: <20170612134330.20971-3-logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14795.html
Signed-off-by: Gert Doering
---

diff --git a/configure.ac b/configure.ac
index c30bf3d50..43f332b20 100644
--- a/configure.ac
+++ b/configure.ac
@@ -925,6 +925,9 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 X509_STORE_get0_objects \
 X509_OBJECT_free \
 X509_OBJECT_get_type \
+ EVP_PKEY_id \
+ EVP_PKEY_get0_RSA \
+ EVP_PKEY_get0_DSA \
 RSA_meth_new \
 RSA_meth_free \
 RSA_meth_set_pub_enc \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 612bfa567..604985953 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -133,6 +133,48 @@ X509_OBJECT_get_type(const X509_OBJECT *obj)
 }
 #endif
 
+#if !defined(HAVE_EVP_PKEY_GET0_RSA)
+/**
+ * Get the RSA object of a public key
+ *
+ * @param pkey Public key object
+ * @return The underlying RSA object
+ */
+static inline RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+ return pkey ? pkey->pkey.rsa : NULL;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_ID)
+/**
+ * Get the PKEY type
+ *
+ * @param pkey Public key object
+ * @return The key type
+ */
+static inline int
+EVP_PKEY_id(const EVP_PKEY *pkey)
+{
+ return pkey ? pkey->type : EVP_PKEY_NONE;
+}
+#endif
+
+#if !defined(HAVE_EVP_PKEY_GET0_DSA)
+/**
+ * Get the DSA object of a public key
+ *
+ * @param pkey Public key object
+ * @return The underlying DSA object
+ */
+static inline DSA *
+EVP_PKEY_get0_DSA(EVP_PKEY *pkey)
+{
+ return pkey ? pkey->pkey.dsa : NULL;
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 89c3b0143..c84372d6f 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1072,7 +1072,7 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
 /* get the public key */
 EVP_PKEY *pkey = X509_get0_pubkey(cert);
 ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
- pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
+ pub_rsa = EVP_PKEY_get0_RSA(pkey);
 
 /* initialize RSA object */
 rsa->n = BN_dup(pub_rsa->n);
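Review bot: The `EVP_PKEY_get0_RSA` and `EVP_PKEY_get0_DSA` shims added for pre-1.1 builds return the union member without checking the key type, so on OpenSSL 1.0 a DSA or EC key passed to `EVP_PKEY_get0_RSA()` comes back as its `pkey.dsa`/`pkey.ec` pointer reinterpreted as `RSA *`, whereas, as far as I recall, OpenSSL 1.1's own implementations return NULL when the type does not match. The two builds then behave differently on the same input, and it is the 1.0 path that silently type-confuses. Mirror the library: `return (pkey && pkey->type == EVP_PKEY_RSA) ? pkey->pkey.rsa : NULL;` and `return (pkey && pkey->type == EVP_PKEY_DSA) ? pkey->pkey.dsa : NULL;`. The `@return` lines should also state that the pointer is borrowed (get0, not to be freed) and may be NULL, since callers in this same commit dereference it.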
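Review bot: `pub_rsa = EVP_PKEY_get0_RSA(pkey);` is dereferenced three lines later at `rsa->n = BN_dup(pub_rsa->n);` with no NULL check, and under OpenSSL 1.1 that accessor returns NULL when the certificate's key is not RSA, so a non-RSA certificate combined with an external key now reaches a NULL dereference instead of an error; the ASSERT above only covers `pkey`. Check the type before using the result, e.g. `if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA || !(pub_rsa = EVP_PKEY_get0_RSA(pkey))) { msg(M_WARN, "external key: certificate public key is not RSA"); goto err; }`, substituting whatever failure path tls_ctx_use_external_private_key already uses, since its body begins and ends outside this hunk. Note also that `pub_rsa->n` and `rsa->n` on the unchanged context line still reach into RSA internals; the commit scopes itself to EVP_PKEY, so presumably a follow-up converts them, but until then the function still will not build against 1.1.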
@@ -1677,13 +1677,13 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
 EVP_PKEY *pkey = X509_get_pubkey(cert);
 if (pkey != NULL)
 {
- if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+ if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) != NULL
 && pkey->pkey.rsa->n != NULL)
 {
 openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
 BN_num_bits(pkey->pkey.rsa->n));
 }
- else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL
 && pkey->pkey.dsa->p != NULL)
 {
 openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
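Review bot: The rewritten conditions call `EVP_PKEY_get0_RSA(pkey)` / `EVP_PKEY_get0_DSA(pkey)` and discard the result, while the continuation and body lines (`&& pkey->pkey.rsa->n != NULL`, `BN_num_bits(pkey->pkey.rsa->n)`, `&& pkey->pkey.dsa->p != NULL`) still read `pkey->pkey.*` directly, which by the commit message's own account is exactly what OpenSSL 1.1 forbids, so each expression is only half converted and print_details still will not compile against 1.1. Keep the accessor result in a local and read the modulus / prime through `RSA_get0_key()` and `DSA_get0_pqg()`, adding 1.0 shims for those beside the ones this commit adds to openssl_compat.h. The RSA branch would become the following, with the DSA branch handled the same way; the `X509_get_pubkey()` reference and the rest of the function lie outside the hunk.
```c
            RSA *rsa = EVP_PKEY_get0_RSA(pkey);
            const BIGNUM *rsa_n = NULL;
            if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && rsa != NULL)
            {
                RSA_get0_key(rsa, &rsa_n, NULL, NULL); /* needs a 1.0 shim in openssl_compat.h */
            }
            if (rsa_n != NULL)
            {
                openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA", BN_num_bits(rsa_n));
            }
            /* … unchanged in shape: DSA branch, reading p via DSA_get0_pqg() instead of pkey->pkey.dsa->p … */
```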