From: W.C.A. Wijngaards Date: Mon, 5 Sep 2016 10:59:10 +0000 (+0200) Subject: Fix for openssl 1.1.0 api changes. X-Git-Tag: release-1.7.0-rc1~62 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f7b3a9700e91f8e46477f335c5aaac7c6cdd8acb;p=thirdparty%2Fldns.git Fix for openssl 1.1.0 api changes. ldns-keygen prints error when openssl cannot create that type of key. --- diff --git a/dane.c b/dane.c index c9acb467..07c06df3 100644 --- a/dane.c +++ b/dane.c @@ -327,8 +327,8 @@ ldns_dane_pkix_get_last_self_signed(X509** out_cert, } (void) X509_verify_cert(vrfy_ctx); - if (vrfy_ctx->error == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || - vrfy_ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){ + if (X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN || + X509_STORE_CTX_get_error(vrfy_ctx) == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT){ *out_cert = X509_STORE_CTX_get_current_cert( vrfy_ctx); s = LDNS_STATUS_OK; diff --git a/dnssec.c b/dnssec.c index c8316bc3..a3302ed4 100644 --- a/dnssec.c +++ b/dnssec.c @@ -375,13 +375,31 @@ ldns_key_buf2dsa_raw(const unsigned char* key, size_t len) BN_free(Y); return NULL; } +#if OPENSSL_VERSION_NUMBER < 0x10100000 #ifndef S_SPLINT_S dsa->p = P; dsa->q = Q; dsa->g = G; dsa->pub_key = Y; #endif /* splint */ +#else /* OPENSSL_VERSION_NUMBER */ + if (!DSA_set0_pqg(dsa, P, Q, G)) { + /* QPG not yet attached, need to free */ + BN_free(Q); + BN_free(P); + BN_free(G); + DSA_free(dsa); + BN_free(Y); + return NULL; + } + if (!DSA_set0_key(dsa, Y, NULL)) { + /* QPG attached, cleaned up by DSA_fre() */ + DSA_free(dsa); + BN_free(Y); + return NULL; + } +#endif /* OPENSSL_VERSION_NUMBER */ return dsa; } 
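Review bot: `X509_STORE_CTX_get_error(vrfy_ctx)` is evaluated twice in the new condition; reading it once into a local, `int err = X509_STORE_CTX_get_error(vrfy_ctx);`, and comparing `err` in both arms is clearer and keeps the two lines within the file's usual width. A short comment on why the verify result itself is discarded would help the next reader, e.g. `/* verification result is irrelevant here; only the error code tells us whether we reached a self-signed cert */`, hedged as the rest of the function is not in the hunk. `ldns_dane_pkix_get_last_self_signed` begins and ends outside the hunk.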
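Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000` switch selects the `DSA_set0_pqg`/`DSA_set0_key` path by version number alone, while this same file already gates the ECDSA accessor on a configure-detected `HAVE_ECDSA_SIG_GET0`; a library that reports a larger `OPENSSL_VERSION_NUMBER` without providing the 1.1.0 accessor functions (LibreSSL did so at the time of this commit) would fail to compile the `#else` branch. A feature macro in the style of `HAVE_ECDSA_SIG_GET0` would be more robust; the same version test is repeated in the RSA hunk below, in host2str.c and in keys.c. The comment on the second failure branch has a typo: `/* QPG attached, cleaned up by DSA_fre() */` should read `DSA_free()`. The enclosing `ldns_key_buf2dsa_raw` starts outside the hunk.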
@@ -443,10 +461,19 @@ ldns_key_buf2rsa_raw(const unsigned char* key, size_t len) BN_free(modulus); return NULL; } +#if OPENSSL_VERSION_NUMBER < 0x10100000 #ifndef S_SPLINT_S rsa->n = modulus; rsa->e = exponent; #endif /* splint */ +#else /* OPENSSL_VERSION_NUMBER */ + if (!RSA_set0_key(rsa, modulus, exponent, NULL)) { + BN_free(exponent); + BN_free(modulus); + RSA_free(rsa); + return NULL; + } +#endif /* OPENSSL_VERSION_NUMBER */ return rsa; } @@ -1820,14 +1847,14 @@ ldns_convert_ecdsa_rrsig_asn1len2rdf(const ldns_buffer *sig, const long sig_len, int num_bytes) { ECDSA_SIG* ecdsa_sig; - BIGNUM *r, *s; + const BIGNUM *r, *s; unsigned char *data = (unsigned char*)ldns_buffer_begin(sig); ldns_rdf* rdf; ecdsa_sig = d2i_ECDSA_SIG(NULL, (const unsigned char **)&data, sig_len); if(!ecdsa_sig) return NULL; #ifdef HAVE_ECDSA_SIG_GET0 - ECDSA_SIG_get0(&r, &s, ecdsa_sig); + ECDSA_SIG_get0(ecdsa_sig, &r, &s); #else r = ecdsa_sig->r; s = ecdsa_sig->s; diff --git a/examples/ldns-keygen.c b/examples/ldns-keygen.c index 292fc21e..3b200d03 100644 --- a/examples/ldns-keygen.c +++ b/examples/ldns-keygen.c @@ -189,6 +189,11 @@ main(int argc, char *argv[]) /* generate a new key */ key = ldns_key_new_frm_algorithm(algorithm, bits); + if(!key) { + fprintf(stderr, "cannot generate key of algorithm %s\n", + ldns_pkt_algorithm2str(algorithm)); + exit(EXIT_FAILURE); + } /* set the owner name in the key - this is a /separate/ step */ ldns_key_set_pubkey_owner(key, domain); diff --git a/host2str.c b/host2str.c index 00de4cd2..604b1cbf 100644 --- a/host2str.c +++ b/host2str.c 
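Review bot: The new diagnostic reports only the algorithm name, but `ldns_key_new_frm_algorithm(algorithm, bits)` can also fail because the requested size is unsupported for that algorithm, so the operator cannot tell which input to change; include the size, e.g. `fprintf(stderr, "cannot generate key of algorithm %s (%u bits)\n", ldns_pkt_algorithm2str(algorithm), (unsigned)bits);` (the cast avoids depending on the exact type of `bits`). If `ldns_pkt_algorithm2str` follows the other `*2str` helpers in returning a malloc'd string, that string is never freed; it is harmless right before `exit`, but a one-line comment such as `/* not freed: exiting */` would make that deliberate. `main` begins and ends outside the hunk.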
@@ -1929,19 +1929,42 @@ ldns_gost_key2buffer_str(ldns_buffer *output, EVP_PKEY *p) } #endif +/** print one b64 encoded bignum to a line in the keybuffer */ +static int +ldns_print_bignum_b64_line(ldns_buffer* output, const char* label, const BIGNUM* num) +{ + unsigned char *bignumbuf = LDNS_XMALLOC(unsigned char, LDNS_MAX_KEYLEN); + if(!bignumbuf) return 0; + + ldns_buffer_printf(output, "%s: ", label); + if(num) { + ldns_rdf *b64_bignum = NULL; + int i = BN_bn2bin(num, bignumbuf); + if (i > LDNS_MAX_KEYLEN) { + LDNS_FREE(bignumbuf); + return 0; + } + b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignumbuf); + if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { + ldns_rdf_deep_free(b64_bignum); + LDNS_FREE(bignumbuf); + return 0; + } + ldns_rdf_deep_free(b64_bignum); + ldns_buffer_printf(output, "\n"); + } else { + ldns_buffer_printf(output, "(Not available)\n"); + } + LDNS_FREE(bignumbuf); + return 1; +} + ldns_status ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) { ldns_status status = LDNS_STATUS_OK; unsigned char *bignum; #ifdef HAVE_SSL -# ifndef S_SPLINT_S - uint16_t i; -# endif - /* not used when ssl is not defined */ - /*@unused@*/ - ldns_rdf *b64_bignum = NULL; - RSA *rsa; DSA *dsa; #endif /* HAVE_SSL */ 
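Review bot: In `ldns_print_bignum_b64_line` the `i > LDNS_MAX_KEYLEN` check runs after `BN_bn2bin(num, bignumbuf)` has already written `BN_num_bytes(num)` bytes into a buffer allocated with exactly `LDNS_MAX_KEYLEN` bytes, so an oversized bignum overflows the heap buffer before the check can reject it; the old inline code had the same ordering, but the new helper is the place to fix it once. Check before writing: `if (BN_num_bytes(num) > LDNS_MAX_KEYLEN) { LDNS_FREE(bignumbuf); return 0; }` followed by `int i = BN_bn2bin(num, bignumbuf);`. `ldns_rdf_new_frm_data` may return NULL on allocation failure and `b64_bignum` is handed to `ldns_rdf2buffer_str` unchecked; confirm that callee tolerates NULL or add `if (!b64_bignum) { LDNS_FREE(bignumbuf); return 0; }`. The per-call `LDNS_XMALLOC` also duplicates the `bignum` buffer that `ldns_key2buffer_str` still declares; passing the caller's buffer in would save an allocation per printed field.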
@@ -2011,132 +2034,43 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) /* print to buf, convert to bin, convert to b64, * print to buf */ - ldns_buffer_printf(output, "Modulus: "); -#ifndef S_SPLINT_S - i = (uint16_t)BN_bn2bin(rsa->n, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - ldns_buffer_printf(output, "PublicExponent: "); - i = (uint16_t)BN_bn2bin(rsa->e, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - ldns_buffer_printf(output, "PrivateExponent: "); - if (rsa->d) { - i = (uint16_t)BN_bn2bin(rsa->d, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - ldns_buffer_printf(output, "(Not available)\n"); - } - - ldns_buffer_printf(output, "Prime1: "); - if (rsa->p) { - i = (uint16_t)BN_bn2bin(rsa->p, bignum); - if (i > LDNS_MAX_KEYLEN) { +#ifndef S_SPLINT_S + if(1) { + const BIGNUM *n=NULL, *e=NULL, *d=NULL, + *p=NULL, *q=NULL, *dmp1=NULL, + *dmq1=NULL, *iqmp=NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000 + n = rsa->n; + e = rsa->e; + d = rsa->d; + p = rsa->p; + q = rsa->q; + dmp1 = rsa->dmp1; + dmq1 = rsa->dmq1; + iqmp = rsa->iqmp; +#else + RSA_get0_key(rsa, &n, &e, &d); + RSA_get0_factors(rsa, &p, &q); + RSA_get0_crt_params(rsa, &dmp1, + &dmq1, &iqmp); 
+#endif + if(!ldns_print_bignum_b64_line(output, "Modulus", n)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "PublicExponent", e)) goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - ldns_buffer_printf(output, "(Not available)\n"); - } - - ldns_buffer_printf(output, "Prime2: "); - if (rsa->q) { - i = (uint16_t)BN_bn2bin(rsa->q, bignum); - if (i > LDNS_MAX_KEYLEN) { + if(!ldns_print_bignum_b64_line(output, "PrivateExponent", d)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "Prime1", p)) goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - ldns_buffer_printf(output, "(Not available)\n"); - } - - ldns_buffer_printf(output, "Exponent1: "); - if (rsa->dmp1) { - i = (uint16_t)BN_bn2bin(rsa->dmp1, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - ldns_buffer_printf(output, "(Not available)\n"); - } - - ldns_buffer_printf(output, "Exponent2: "); - if (rsa->dmq1) { - i = (uint16_t)BN_bn2bin(rsa->dmq1, bignum); - if (i > LDNS_MAX_KEYLEN) { + if(!ldns_print_bignum_b64_line(output, "Prime2", q)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "Exponent1", dmp1)) goto error; - } - 
ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - ldns_buffer_printf(output, "(Not available)\n"); - } - - ldns_buffer_printf(output, "Coefficient: "); - if (rsa->iqmp) { - i = (uint16_t)BN_bn2bin(rsa->iqmp, bignum); - if (i > LDNS_MAX_KEYLEN) { + if(!ldns_print_bignum_b64_line(output, "Exponent2", dmq1)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "Coefficient", iqmp)) goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - ldns_buffer_printf(output, "(Not available)\n"); } #endif /* splint */ 
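Review bot: The `if(1) {` that opens the RSA block exists only to give the `const BIGNUM *` declarations their own scope; a bare compound statement `{` does the same without making a reader look for a matching `else`, and the same construct is used in the DSA hunk further down. The `#ifndef S_SPLINT_S` guard here wraps the whole block, whereas in the DSA hunk (-2155) it wraps only the pre-1.1.0 member accesses inside the version `#if`; one placement should be chosen for both so the splint build excludes the same amount of code in each case. With every `BN_bn2bin` call now inside the helper, the `bignum` buffer declared at the top of `ldns_key2buffer_str` appears unused on this path; if nothing outside the hunks still uses it, its allocation and free can go. The enclosing function starts and ends outside the hunk.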
@@ -2155,92 +2089,32 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) /* print to buf, convert to bin, convert to b64, * print to buf */ - ldns_buffer_printf(output, "Prime(p): "); + if(1) { + const BIGNUM *p=NULL, *q=NULL, *g=NULL, + *priv_key=NULL, *pub_key=NULL; +#if OPENSSL_VERSION_NUMBER < 0x10100000 #ifndef S_SPLINT_S - if (dsa->p) { - i = (uint16_t)BN_bn2bin(dsa->p, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - printf("(Not available)\n"); - } - - ldns_buffer_printf(output, "Subprime(q): "); - if (dsa->q) { - i = (uint16_t)BN_bn2bin(dsa->q, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - printf("(Not available)\n"); - } - - ldns_buffer_printf(output, "Base(g): "); - if (dsa->g) { - i = (uint16_t)BN_bn2bin(dsa->g, bignum); - if (i > LDNS_MAX_KEYLEN) { + p = dsa->p; + q = dsa->q; + g = dsa->g; + priv_key = dsa->priv_key; + pub_key = dsa->pub_key; +#endif /* splint */ +#else + DSA_get0_pqg(dsa, &p, &q, &g); + DSA_get0_key(dsa, &pub_key, &priv_key); +#endif + if(!ldns_print_bignum_b64_line(output, "Prime(p)", p)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "Subprime(q)", q)) goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - printf("(Not available)\n"); - } - - 
ldns_buffer_printf(output, "Private_value(x): "); - if (dsa->priv_key) { - i = (uint16_t)BN_bn2bin(dsa->priv_key, bignum); - if (i > LDNS_MAX_KEYLEN) { + if(!ldns_print_bignum_b64_line(output, "Base(g)", g)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "Private_value(x)", priv_key)) goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - printf("(Not available)\n"); - } - - ldns_buffer_printf(output, "Public_value(y): "); - if (dsa->pub_key) { - i = (uint16_t)BN_bn2bin(dsa->pub_key, bignum); - if (i > LDNS_MAX_KEYLEN) { + if(!ldns_print_bignum_b64_line(output, "Public_value(y)", pub_key)) goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); - } else { - printf("(Not available)\n"); } -#endif /* splint */ break; case LDNS_SIGN_ECC_GOST: /* no format defined, use blob */ @@ -2269,18 +2143,8 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) if(k->_key.key) { EC_KEY* ec = EVP_PKEY_get1_EC_KEY(k->_key.key); const BIGNUM* b = EC_KEY_get0_private_key(ec); - ldns_buffer_printf(output, "PrivateKey: "); - i = (uint16_t)BN_bn2bin(b, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); - ldns_buffer_printf(output, "\n"); + if(!ldns_print_bignum_b64_line(output, "PrivateKey", b)) + goto error; /* down reference count in EC_KEY * its still assigned to the PKEY */ EC_KEY_free(ec); 
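Review bot: The new error path `if(!ldns_print_bignum_b64_line(output, "PrivateKey", b)) goto error;` jumps out before `EC_KEY_free(ec)`, so the reference taken by `EVP_PKEY_get1_EC_KEY` leaks on failure; the same pattern appears in the two following hunks (-2296 and -2323). Release it first: `if(!ldns_print_bignum_b64_line(output, "PrivateKey", b)) { EC_KEY_free(ec); goto error; }`. `ec` is also passed straight to `EC_KEY_get0_private_key`, and `EVP_PKEY_get1_EC_KEY` returns NULL when the stored key is not an EC key, so a `if(!ec) goto error;` guard would be prudent unless the caller guarantees the key type, which I cannot see from here. The `error:` label lies outside the hunk.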
@@ -2296,20 +2160,11 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) ldns_buffer_printf(output, "Algorithm: %d (", ldns_key_algorithm(k)); status=ldns_algorithm2buffer_str(output, (ldns_algorithm)ldns_key_algorithm(k)); ldns_buffer_printf(output, ")\n"); - ldns_buffer_printf(output, "PrivateKey: "); if(k->_key.key) { EC_KEY* ec = EVP_PKEY_get1_EC_KEY(k->_key.key); const BIGNUM* b = EC_KEY_get0_private_key(ec); - i = (uint16_t)BN_bn2bin(b, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "PrivateKey", b)) + goto error; /* down reference count in EC_KEY * its still assigned to the PKEY */ EC_KEY_free(ec); @@ -2323,20 +2178,11 @@ ldns_key2buffer_str(ldns_buffer *output, const ldns_key *k) ldns_buffer_printf(output, "Algorithm: %d (", ldns_key_algorithm(k)); status=ldns_algorithm2buffer_str(output, (ldns_algorithm)ldns_key_algorithm(k)); ldns_buffer_printf(output, ")\n"); - ldns_buffer_printf(output, "PrivateKey: "); if(k->_key.key) { EC_KEY* ec = EVP_PKEY_get1_EC_KEY(k->_key.key); const BIGNUM* b = EC_KEY_get0_private_key(ec); - i = (uint16_t)BN_bn2bin(b, bignum); - if (i > LDNS_MAX_KEYLEN) { - goto error; - } - b64_bignum = ldns_rdf_new_frm_data(LDNS_RDF_TYPE_B64, i, bignum); - if (ldns_rdf2buffer_str(output, b64_bignum) != LDNS_STATUS_OK) { - ldns_rdf_deep_free(b64_bignum); - goto error; - } - ldns_rdf_deep_free(b64_bignum); + if(!ldns_print_bignum_b64_line(output, "PrivateKey", b)) + goto error; /* down reference count in EC_KEY * its still assigned to the PKEY */ EC_KEY_free(ec); diff --git a/keys.c b/keys.c index e5237875..cf779f90 100644 --- a/keys.c +++ b/keys.c 
@@ -776,15 +776,17 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) * // ... * */ - char *d; + char *b; RSA *rsa; uint8_t *buf; int i; + BIGNUM *n=NULL, *e=NULL, *d=NULL, *p=NULL, *q=NULL, + *dmp1=NULL, *dmq1=NULL, *iqmp=NULL; - d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); + b = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); rsa = RSA_new(); - if (!d || !rsa || !buf) { + if (!b || !rsa || !buf) { goto error; } 
@@ -793,95 +795,121 @@ ldns_key_new_frm_fp_rsa_l(FILE *f, int *line_nr) */ /* Modules, rsa->n */ - if (ldns_fget_keyword_data_l(f, "Modulus", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "Modulus", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); #ifndef S_SPLINT_S - rsa->n = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->n) { + n = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!n) { goto error; } /* PublicExponent, rsa->e */ - if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "PublicExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->e = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->e) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + e = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!e) { goto error; } /* PrivateExponent, rsa->d */ - if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "PrivateExponent", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->d = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->d) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + d = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!d) { goto error; } /* Prime1, rsa->p */ - if (ldns_fget_keyword_data_l(f, "Prime1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "Prime1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto 
error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->p) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + p = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!p) { goto error; } /* Prime2, rsa->q */ - if (ldns_fget_keyword_data_l(f, "Prime2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "Prime2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->q) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + q = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!q) { goto error; } /* Exponent1, rsa->dmp1 */ - if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "Exponent1", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->dmp1) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + dmp1 = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dmp1) { goto error; } /* Exponent2, rsa->dmq1 */ - if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "Exponent2", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->dmq1) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + dmq1 = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!dmq1) { 
goto error; } /* Coefficient, rsa->iqmp */ - if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", d, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { + if (ldns_fget_keyword_data_l(f, "Coefficient", ": ", b, "\n", LDNS_MAX_LINELEN, line_nr) == -1) { goto error; } - i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - rsa->iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!rsa->iqmp) { + i = ldns_b64_pton((const char*)b, buf, ldns_b64_ntop_calculate_size(strlen(b))); + iqmp = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!iqmp) { goto error; } #endif /* splint */ +#if OPENSSL_VERSION_NUMBER < 0x10100000 + rsa->n = n; + rsa->e = e; + rsa->d = d; + rsa->p = p; + rsa->q = q; + rsa->dmp1 = dmp1; + rsa->dmq1 = dmq1; + rsa->iqmp = iqmp; +#else + if(!RSA_set0_key(rsa, n, e, d)) + goto error; + if(!RSA_set0_factors(rsa, p, q)) + goto error; + if(!RSA_set0_crt_params(rsa, dmp1, dmq1, iqmp)) + goto error; +#endif + LDNS_FREE(buf); - LDNS_FREE(d); + LDNS_FREE(b); return rsa; error: RSA_free(rsa); - LDNS_FREE(d); + LDNS_FREE(b); LDNS_FREE(buf); + BN_free(n); + BN_free(e); + BN_free(d); + BN_free(p); + BN_free(q); + BN_free(dmp1); + BN_free(dmq1); + BN_free(iqmp); return NULL; } @@ -898,6 +926,7 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) char *d; DSA *dsa; uint8_t *buf; + BIGNUM *p=NULL, *q=NULL, *g=NULL, *priv_key=NULL, *pub_key=NULL; d = LDNS_XMALLOC(char, LDNS_MAX_LINELEN); buf = LDNS_XMALLOC(uint8_t, LDNS_MAX_LINELEN); @@ -914,8 +943,8 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); #ifndef S_SPLINT_S - dsa->p = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!dsa->p) { + p = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!p) { goto error; } 
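Review bot: In the `#else` branch, once `RSA_set0_key(rsa, n, e, d)` succeeds the RSA object owns n, e and d, but a later failure of `RSA_set0_factors` or `RSA_set0_crt_params` jumps to `error:` where `RSA_free(rsa)` releases them and the newly added `BN_free(n); BN_free(e); BN_free(d);` then free them a second time. Clear the locals after each successful transfer: `n = e = d = NULL;` after `RSA_set0_key`, `p = q = NULL;` after `RSA_set0_factors`, and `dmp1 = dmq1 = iqmp = NULL;` after `RSA_set0_crt_params`. The DSA counterpart in hunk -954 has the same double free between `DSA_set0_pqg` and `DSA_set0_key` and needs `p = q = g = NULL;` after the first call. Separately, `ldns_b64_pton` reports malformed base64 with a negative return and that value flows into `BN_bin2bn` as the length; an explicit `if (i < 0) goto error;` after each decode would reject a bad key file instead of relying on the library's handling of a negative length.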
@@ -924,8 +953,8 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - dsa->q = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!dsa->q) { + q = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!q) { goto error; } @@ -934,8 +963,8 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - dsa->g = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!dsa->g) { + g = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!g) { goto error; } @@ -944,8 +973,8 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - dsa->priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!dsa->priv_key) { + priv_key = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!priv_key) { goto error; } @@ -954,12 +983,25 @@ ldns_key_new_frm_fp_dsa_l(FILE *f, ATTR_UNUSED(int *line_nr)) goto error; } i = ldns_b64_pton((const char*)d, buf, ldns_b64_ntop_calculate_size(strlen(d))); - dsa->pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); - if (!dsa->pub_key) { + pub_key = BN_bin2bn((const char unsigned*)buf, i, NULL); + if (!pub_key) { goto error; } #endif /* splint */ +#if OPENSSL_VERSION_NUMBER < 0x10100000 + dsa->p = p; + dsa->q = q; + dsa->g = g; + dsa->priv_key = priv_key; + dsa->pub_key = pub_key; +#else + if(!DSA_set0_pqg(dsa, p, q, g)) + goto error; + if(!DSA_set0_key(dsa, pub_key, priv_key)) + goto error; +#endif + LDNS_FREE(buf); LDNS_FREE(d); @@ -969,6 +1011,11 @@ error: LDNS_FREE(d); LDNS_FREE(buf); DSA_free(dsa); + BN_free(p); + BN_free(q); + BN_free(g); + BN_free(priv_key); + BN_free(pub_key); return NULL; } 
@@ -1611,27 +1658,34 @@ static bool ldns_key_rsa2bin(unsigned char *data, RSA *k, uint16_t *size) { int i,j; + const BIGNUM *n=NULL, *e=NULL; if (!k) { return false; } +#if OPENSSL_VERSION_NUMBER < 0x10100000 + n = k->n; + e = k->e; +#else + RSA_get0_key(k, &n, &e, NULL); +#endif - if (BN_num_bytes(k->e) <= 256) { + if (BN_num_bytes(e) <= 256) { /* normally only this path is executed (small factors are * more common */ - data[0] = (unsigned char) BN_num_bytes(k->e); - i = BN_bn2bin(k->e, data + 1); - j = BN_bn2bin(k->n, data + i + 1); + data[0] = (unsigned char) BN_num_bytes(e); + i = BN_bn2bin(e, data + 1); + j = BN_bn2bin(n, data + i + 1); *size = (uint16_t) i + j; - } else if (BN_num_bytes(k->e) <= 65536) { + } else if (BN_num_bytes(e) <= 65536) { data[0] = 0; /* BN_bn2bin does bigendian, _uint16 also */ - ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(k->e)); + ldns_write_uint16(data + 1, (uint16_t) BN_num_bytes(e)); - BN_bn2bin(k->e, data + 3); - BN_bn2bin(k->n, data + 4 + BN_num_bytes(k->e)); - *size = (uint16_t) BN_num_bytes(k->n) + 6; + BN_bn2bin(e, data + 3); + BN_bn2bin(n, data + 4 + BN_num_bytes(e)); + *size = (uint16_t) BN_num_bytes(n) + 6; } else { return false; }