From c07c0358b553c519ed9d80e2e0a9ba48ca8850e4 Mon Sep 17 00:00:00 2001
From: Emmanuel Deloget
Date: Mon, 12 Jun 2017 15:43:26 +0200
Subject: [PATCH] OpenSSL: don't use direct access to the internal of DSA

OpenSSL 1.1 does not allow us to directly access the internal of any data type, including DSA. We have to use the defined functions to do so.

Compatibility with OpenSSL 1.0 is kept by defining the corresponding functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget
Acked-by: Steffan Karger
Message-Id: <20170612134330.20971-5-logout@free.fr>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14791.html
Signed-off-by: Gert Doering
---
 configure.ac | 2 ++
 src/openvpn/openssl_compat.h | 44 ++++++++++++++++++++++++++++++++++++
 src/openvpn/ssl_openssl.c | 6 ++---
 3 files changed, 49 insertions(+), 3 deletions(-)

diff --git a/configure.ac b/configure.ac
index e9ac5a6e5..523487809 100644
--- a/configure.ac
+++ b/configure.ac
@@ -932,6 +932,8 @@ if test "${enable_crypto}" = "yes" -a "${with_crypto_library}" = "openssl"; then
 RSA_bits \
 RSA_get0_key \
 RSA_set0_key \
+ DSA_get0_pqg \
+ DSA_bits \
 RSA_meth_new \
 RSA_meth_free \
 RSA_meth_set_pub_enc \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index e3f20b739..729fab6c5 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -275,6 +275,50 @@ RSA_bits(const RSA *rsa)
 }
 #endif
 
+#if !defined(HAVE_DSA_GET0_PQG)
+/**
+ * Get the DSA parameters
+ *
+ * @param dsa The DSA object
+ * @param p The @c p parameter
+ * @param q The @c q parameter
+ * @param g The @c g parameter
+ */
+static inline void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p,
+ const BIGNUM **q, const BIGNUM **g)
+{
+ if (p != NULL)
+ {
+ *p = dsa ? dsa->p : NULL;
+ }
+ if (q != NULL)
+ {
+ *q = dsa ? dsa->q : NULL;
+ }
+ if (g != NULL)
+ {
+ *g = dsa ? dsa->g : NULL;
+ }
+}
+#endif
+
+#if !defined(HAVE_DSA_BITS)
+/**
+ * Number of significant DSA bits
+ *
+ * @param rsa The DSA object ; shall not be NULL
+ * @return The number of DSA bits or 0 on error
+ */
+static inline int
+DSA_bits(const DSA *dsa)
+{
+ const BIGNUM *p = NULL;
+ DSA_get0_pqg(dsa, &p, NULL, NULL);
+ return p ? BN_num_bits(p) : 0;
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
 * Allocate a new RSA method object
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index da801ed5e..11f4a567b 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1689,11 +1689,11 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
 openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA", RSA_bits(rsa));
 }
- else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL
- && pkey->pkey.dsa->p != NULL)
+ else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL)
 {
+ DSA *dsa = EVP_PKEY_get0_DSA(pkey);
 openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
- BN_num_bits(pkey->pkey.dsa->p));
+ DSA_bits(dsa));
 }
 EVP_PKEY_free(pkey);
 }
-- 
2.47.2
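Review bot: The Doxygen block for the compat DSA_bits documents a parameter `rsa` while the signature declares `dsa`, so the generated docs describe a parameter that does not exist; change the tag to `@param dsa The DSA object`. The same line says the object "shall not be NULL", but the body passes it straight to the compat DSA_get0_pqg, which maps a NULL dsa to a NULL p and so returns 0 rather than failing — either document that as the behaviour or drop the clause, since a caller reading "shall not be NULL" gets no hint that the shim tolerates it. Note that when HAVE_DSA_GET0_PQG is set the library's own DSA_get0_pqg runs instead, and its handling of a NULL dsa is not shown here, so the stricter wording is the safer contract if it is kept.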
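Review bot: The removed `pkey->pkey.dsa->p != NULL` guard has no replacement on the new side when the build uses the library's own DSA_bits rather than the compat shim: only the shim in openssl_compat.h returns 0 for a missing p, so a DSA key whose parameters are absent — the case the old check existed for — would reach the native DSA_bits with p unset, and whether that implementation checks p before BN_num_bits is not visible here. Since DSA_get0_pqg is now always available, fetch p explicitly and keep the guard: `const BIGNUM *p = NULL; DSA_get0_pqg(dsa, &p, NULL, NULL);` and wrap the openvpn_snprintf call in `if (p != NULL)`. print_details starts and ends outside the hunk.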