1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
|
From c8372f27d791aa445e879ded4efe4a267e3ff48e Mon Sep 17 00:00:00 2001
From: quentin <quentin@minster.io>
Date: Mon, 26 Feb 2018 02:43:41 +0100
Subject: [PATCH] Improve compatibility with OpenSSL 1.1.0
* add missing headers
* stop using deprecated APIs
---
tool/util.c | 1 +
tool/yubico-piv-tool.c | 24 +++++++++++++++++++++++-
ykcs11/openssl_types.h | 1 +
ykcs11/openssl_utils.c | 11 +++++++++++
4 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/tool/util.c b/tool/util.c
index de6b071..5b299ca 100644
--- a/tool/util.c
+++ b/tool/util.c
@@ -38,6 +38,7 @@
#endif
#include "openssl-compat.h"
+#include <openssl/bn.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/rsa.h>
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index c40b027..f8b72b1 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -43,10 +43,12 @@
#endif
#include "openssl-compat.h"
+#include <openssl/bn.h>
#include <openssl/des.h>
#include <openssl/pem.h>
#include <openssl/pkcs12.h>
#include <openssl/rand.h>
+#include <openssl/rsa.h>
#include "cmdline.h"
#include "util.h"
@@ -868,11 +870,19 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
fprintf(stderr, "Failed to set certificate serial.\n");
goto selfsign_out;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if(!X509_gmtime_adj(X509_get_notBefore(x509), 0)) {
+#else
+ if(!X509_gmtime_adj(X509_getm_notBefore(x509), 0)) {
+#endif
fprintf(stderr, "Failed to set certificate notBefore.\n");
goto selfsign_out;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if(!X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * validDays)) {
+#else
+ if(!X509_gmtime_adj(X509_getm_notAfter(x509), 60L * 60L * 24L * validDays)) {
+#endif
fprintf(stderr, "Failed to set certificate notAfter.\n");
goto selfsign_out;
}
@@ -1241,7 +1251,7 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
if(*ptr++ == 0x70) {
unsigned int md_len = sizeof(data);
- ASN1_TIME *not_before, *not_after;
+ const ASN1_TIME *not_before, *not_after;
ptr += get_length(ptr, &cert_len);
x509 = X509_new();
@@ -1299,13 +1309,21 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
dump_data(data, md_len, output, false, format_arg_hex);
bio = BIO_new_fp(output, BIO_NOCLOSE | BIO_FP_TEXT);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
not_before = X509_get_notBefore(x509);
+#else
+ not_before = X509_get0_notBefore(x509);
+#endif
if(not_before) {
fprintf(output, "\tNot Before:\t");
ASN1_TIME_print(bio, not_before);
fprintf(output, "\n");
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
not_after = X509_get_notAfter(x509);
+#else
+ not_after = X509_get0_notAfter(x509);
+#endif
if(not_after) {
fprintf(output, "\tNot After:\t");
ASN1_TIME_print(bio, not_after);
@@ -1950,7 +1968,9 @@ int main(int argc, char *argv[]) {
/* openssl setup.. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_algorithms();
+#endif
for(i = 0; i < args_info.action_given; i++) {
@@ -2191,6 +2211,8 @@ int main(int argc, char *argv[]) {
}
ykpiv_done(state);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
+#endif
return ret;
}
diff --git a/ykcs11/openssl_types.h b/ykcs11/openssl_types.h
index 307f746..08170fc 100644
--- a/ykcs11/openssl_types.h
+++ b/ykcs11/openssl_types.h
@@ -31,6 +31,7 @@
#ifndef OPENSSL_TYPES_H
#define OPENSSL_TYPES_H
+#include <openssl/bn.h>
#include <openssl/x509.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c
index 5a7f85d..edfe0ea 100644
--- a/ykcs11/openssl_utils.c
+++ b/ykcs11/openssl_utils.c
@@ -35,6 +35,11 @@
#include "debug.h"
#include <string.h>
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define X509_set_notBefore X509_set1_notBefore
+# define X509_set_notAfter X509_set1_notAfter
+#endif
+
CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) {
const unsigned char *p = data; // Mandatory temp variable required by OpenSSL
@@ -580,7 +585,9 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
unsigned char em[RSA_size(key)];
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
OpenSSL_add_all_digests();
+#endif
DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
@@ -590,14 +597,18 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
// In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD
if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
+#endif
return CKR_FUNCTION_FAILED;
}
memcpy(out, em, sizeof(em));
*out_len = (CK_ULONG) sizeof(em);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_cleanup();
+#endif
return CKR_OK;
}
|
