From 553e44ce7e541a9e1404b1ead92be0753668710a Mon Sep 17 00:00:00 2001 From: Andrew Stormont Date: Fri, 1 Jun 2018 12:10:19 +0100 Subject: [PATCH] 6429 SMB domain join doesn't work with libreSSL 9546 Restore support for building against LibreSSL 9547 Remove KMF dependency on insecure encryption types Reviewed by: Andy Fiddaman Reviewed by: Vitaliy Gusev Reviewed by: Ken Mays Approved by: Dan McDonald --- usr/src/cmd/sendmail/src/tls.c | 5 +- .../plugins/preauth/pkinit/pkinit_crypto_openssl.c | 229 +++++++++------------ .../plugins/preauth/pkinit/pkinit_crypto_openssl.h | 6 +- .../lib/libkmf/plugins/kmf_openssl/common/compat.c | 5 +- .../lib/libkmf/plugins/kmf_openssl/common/compat.h | 5 +- .../plugins/kmf_openssl/common/openssl_spi.c | 55 +++-- 6 files changed, 148 insertions(+), 157 deletions(-) diff --git a/usr/src/cmd/sendmail/src/tls.c b/usr/src/cmd/sendmail/src/tls.c index 605d91635a..ab17456d78 100644 --- a/usr/src/cmd/sendmail/src/tls.c +++ b/usr/src/cmd/sendmail/src/tls.c @@ -3,6 +3,7 @@ * All rights reserved. * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved. * Copyright 2018 OmniOS Community Edition (OmniOSce) Association. + * Copyright 2018 RackTop Systems. * * By using this file, you agree to the terms and conditions set * forth in the LICENSE file which can be found at the top level of @@ -39,7 +40,7 @@ static int tls_verify_log __P((int, X509_STORE_CTX *, char *)); # include # include -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* * This compatibility function is taken from @@ -319,7 +320,7 @@ bool init_tls_library() { /* basic TLS initialization, ignore result for now */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* No longer available (nor necessary) in OpenSSL 1.1 */ SSL_library_init(); SSL_load_error_strings(); diff --git a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 00ad9a3afc..3ae2f2a362 100644 --- a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -32,6 +32,7 @@ * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved. * Copyright 2018 OmniOS Community Edition (OmniOSce) Association. + * Copyright 2018 RackTop Systems. */ #include @@ -370,7 +371,7 @@ unsigned char pkinit_4096_dhprime[4096/8] = { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* * Many things have changed in OpenSSL 1.1. The code in this file has been * updated to use the v1.1 APIs but some are new and require emulation @@ -463,11 +464,7 @@ __DH_get0_key(const DH *dh, const BIGNUM **pub, const BIGNUM **priv) *priv = dh->priv_key; } -#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ - -/* Solaris Kerberos */ -static k5_mutex_t oids_mutex = K5_MUTEX_PARTIAL_INITIALIZER; -static int pkinit_oids_refs = 0; +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER */ krb5_error_code pkinit_init_plg_crypto(pkinit_plg_crypto_context *cryptoctx) { @@ -603,73 +600,43 @@ pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx) static krb5_error_code pkinit_init_pkinit_oids(pkinit_plg_crypto_context ctx) { - krb5_error_code retval = ENOMEM; - int nid = 0; - - /* - * If OpenSSL already knows about the OID, use the - * existing definition. Otherwise, create an OID object. - */ - #define CREATE_OBJ_IF_NEEDED(oid, vn, sn, ln) \ - nid = OBJ_txt2nid(oid); \ - if (nid == NID_undef) { \ - nid = OBJ_create(oid, sn, ln); \ - if (nid == NID_undef) { \ - pkiDebug("Error creating oid object for '%s'\n", oid); \ - goto out; \ - } \ - } \ - ctx->vn = OBJ_nid2obj(nid); - - /* Solaris Kerberos */ - retval = k5_mutex_lock(&oids_mutex); - if (retval != 0) - goto out; - - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.2", id_pkinit_san, - "id-pkinit-san", "KRB5PrincipalName"); - - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.1", id_pkinit_authData, - "id-pkinit-authdata", "PKINIT signedAuthPack"); - - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.2", id_pkinit_DHKeyData, - "id-pkinit-DHKeyData", "PKINIT dhSignedData"); - - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.3", id_pkinit_rkeyData, - "id-pkinit-rkeyData", "PKINIT encKeyPack"); + ctx->id_pkinit_san = OBJ_txt2obj("1.3.6.1.5.2.2", 1); + if (ctx->id_pkinit_san == NULL) + return ENOMEM; - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.4", id_pkinit_KPClientAuth, - "id-pkinit-KPClientAuth", "PKINIT Client EKU"); + ctx->id_pkinit_authData = OBJ_txt2obj("1.3.6.1.5.2.3.1", 1); + if (ctx->id_pkinit_authData == NULL) + return ENOMEM; - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.2.3.5", id_pkinit_KPKdc, - "id-pkinit-KPKdc", "KDC EKU"); + ctx->id_pkinit_DHKeyData = OBJ_txt2obj("1.3.6.1.5.2.3.2", 1); + if (ctx->id_pkinit_DHKeyData == NULL) + return ENOMEM; -#if 0 - CREATE_OBJ_IF_NEEDED("1.2.840.113549.1.7.1", id_pkinit_authData9, - "id-pkcs7-data", "PKCS7 data"); -#else - /* See note in pkinit_pkcs7type2oid() */ - ctx->id_pkinit_authData9 = NULL; -#endif + ctx->id_pkinit_rkeyData = OBJ_txt2obj("1.3.6.1.5.2.3.3", 1); + if (ctx->id_pkinit_rkeyData == NULL) + return ENOMEM; - CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.2", id_ms_kp_sc_logon, - "id-ms-kp-sc-logon EKU", "Microsoft SmartCard Login EKU"); + ctx->id_pkinit_KPClientAuth = OBJ_txt2obj("1.3.6.1.5.2.3.4", 1); + if (ctx->id_pkinit_KPClientAuth == NULL) + return ENOMEM; - CREATE_OBJ_IF_NEEDED("1.3.6.1.4.1.311.20.2.3", id_ms_san_upn, - "id-ms-san-upn", "Microsoft Universal Principal Name"); + ctx->id_pkinit_KPKdc = OBJ_txt2obj("1.3.6.1.5.2.3.5", 1); + if (ctx->id_pkinit_KPKdc == NULL) + return ENOMEM; - CREATE_OBJ_IF_NEEDED("1.3.6.1.5.5.7.3.1", id_kp_serverAuth, - "id-kp-serverAuth EKU", "Server Authentication EKU"); + ctx->id_ms_kp_sc_logon = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.2", 1); + if (ctx->id_ms_kp_sc_logon == NULL) + return ENOMEM; - /* Success */ - retval = 0; + ctx->id_ms_san_upn = OBJ_txt2obj("1.3.6.1.4.1.311.20.2.3", 1); + if (ctx->id_ms_san_upn == NULL) + return ENOMEM; - pkinit_oids_refs++; - /* Solaris Kerberos */ - k5_mutex_unlock(&oids_mutex); + ctx->id_kp_serverAuth = OBJ_txt2obj("1.3.6.1.5.5.7.3.1", 1); + if (ctx->id_kp_serverAuth == NULL) + return ENOMEM; -out: - return retval; + return 0; } static krb5_error_code @@ -748,22 +715,15 @@ pkinit_fini_pkinit_oids(pkinit_plg_crypto_context ctx) { if (ctx == NULL) return; - - /* Only call OBJ_cleanup once! */ - /* Solaris Kerberos: locking */ - k5_mutex_lock(&oids_mutex); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - /* - * In OpenSSL versions prior to 1.1.0, OBJ_cleanup() cleaned up OpenSSL's - * internal object table. This function is deprecated in version 1.1.0. - * No explicit de-initialisation is now required. - */ - if (--pkinit_oids_refs == 0) - OBJ_cleanup(); -#else - pkinit_oids_refs--; -#endif - k5_mutex_unlock(&oids_mutex); + ASN1_OBJECT_free(ctx->id_pkinit_san); + ASN1_OBJECT_free(ctx->id_pkinit_authData); + ASN1_OBJECT_free(ctx->id_pkinit_DHKeyData); + ASN1_OBJECT_free(ctx->id_pkinit_rkeyData); + ASN1_OBJECT_free(ctx->id_pkinit_KPClientAuth); + ASN1_OBJECT_free(ctx->id_pkinit_KPKdc); + ASN1_OBJECT_free(ctx->id_ms_kp_sc_logon); + ASN1_OBJECT_free(ctx->id_ms_san_upn); + ASN1_OBJECT_free(ctx->id_kp_serverAuth); } static DH * @@ -953,6 +913,55 @@ pkinit_identity_set_prompter(pkinit_identity_crypto_context id_cryptoctx, return 0; } +/* Create a CMS ContentInfo of type oid containing the octet string in data. */ +static krb5_error_code +create_contentinfo(krb5_context context, + ASN1_OBJECT *oid, + unsigned char *data, + size_t data_len, + PKCS7 **p7_out) +{ + PKCS7 *p7 = NULL; + ASN1_OCTET_STRING *ostr = NULL; + + *p7_out = NULL; + + ostr = ASN1_OCTET_STRING_new(); + if (ostr == NULL) + goto oom; + if (!ASN1_OCTET_STRING_set(ostr, (unsigned char *)data, data_len)) + goto oom; + + p7 = PKCS7_new(); + if (p7 == NULL) + goto oom; + p7->type = OBJ_dup(oid); + if (p7->type == NULL) + goto oom; + + if (OBJ_obj2nid(oid) == NID_pkcs7_data) { + /* Draft 9 uses id-pkcs7-data for signed data. For this type OpenSSL + * expects an octet string in d.data. */ + p7->d.data = ostr; + } else { + p7->d.other = ASN1_TYPE_new(); + if (p7->d.other == NULL) + goto oom; + p7->d.other->type = V_ASN1_OCTET_STRING; + p7->d.other->value.octet_string = ostr; + } + + *p7_out = p7; + return 0; + +oom: + if (ostr != NULL) + ASN1_OCTET_STRING_free(ostr); + if (p7 != NULL) + PKCS7_free(p7); + return ENOMEM; +} + /* ARGSUSED */ krb5_error_code cms_signeddata_create(krb5_context context, @@ -972,7 +981,6 @@ cms_signeddata_create(krb5_context context, PKCS7_SIGNED *p7s = NULL; PKCS7_SIGNER_INFO *p7si = NULL; unsigned char *p; - ASN1_TYPE *pkinit_data = NULL; STACK_OF(X509) * cert_stack = NULL; ASN1_OCTET_STRING *digest_attr = NULL; EVP_MD_CTX *ctx = NULL, *ctx2 = NULL; @@ -988,7 +996,7 @@ cms_signeddata_create(krb5_context context, unsigned int alg_len = 0, digest_len = 0; unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL; X509 *cert = NULL; - ASN1_OBJECT *oid = NULL; + ASN1_OBJECT *oid = NULL, *oid_copy; /* Solaris Kerberos */ if (signed_data == NULL) @@ -1120,8 +1128,11 @@ cms_signeddata_create(krb5_context context, V_ASN1_OCTET_STRING, (char *) digest_attr); /* create a content-type attr */ + oid_copy = OBJ_dup(oid); + if (oid_copy == NULL) + goto cleanup2; PKCS7_add_signed_attribute(p7si, NID_pkcs9_contentType, - V_ASN1_OBJECT, oid); + V_ASN1_OBJECT, oid_copy); /* create the signature over signed attributes. get DER encoded value */ /* This is the place where smartcard signature needs to be calculated */ @@ -1223,26 +1234,7 @@ cms_signeddata_create(krb5_context context, goto cleanup2; /* start on adding data to the pkcs7 signed */ - if ((inner_p7 = PKCS7_new()) == NULL) - goto cleanup2; - if ((pkinit_data = ASN1_TYPE_new()) == NULL) - goto cleanup2; - pkinit_data->type = V_ASN1_OCTET_STRING; - if ((pkinit_data->value.octet_string = ASN1_OCTET_STRING_new()) == NULL) - goto cleanup2; - if (!ASN1_OCTET_STRING_set(pkinit_data->value.octet_string, data, - (int)data_len)) { - unsigned long err = ERR_peek_error(); - retval = KRB5KDC_ERR_PREAUTH_FAILED; - krb5_set_error_message(context, retval, "%s\n", - ERR_error_string(err, NULL)); - pkiDebug("failed to add pkcs7 data\n"); - goto cleanup2; - } - - if (!PKCS7_set0_type_other(inner_p7, OBJ_obj2nid(oid), pkinit_data)) - goto cleanup2; - + retval = create_contentinfo(context, oid, data, data_len, &inner_p7); if (p7s->contents != NULL) PKCS7_free(p7s->contents); p7s->contents = inner_p7; @@ -1355,7 +1347,6 @@ cms_signeddata_verify(krb5_context context, "/tmp/client_received_pkcs7_signeddata"); #endif - /* Do this early enough to create the shadow OID for pkcs7-data if needed */ oid = pkinit_pkcs7type2oid(plgctx, cms_msg_type); if (oid == NULL) goto cleanup; @@ -2650,7 +2641,7 @@ openssl_init() if (ret == 0) { if (!did_init) { /* initialize openssl routines */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* * As of version 1.1.0, OpenSSL will automatically allocate * resources as-needed. @@ -2712,7 +2703,7 @@ cleanup: return retval; } -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static DH * pkinit_decode_dh_params(DH ** a, unsigned char **pp, unsigned int len) @@ -2828,7 +2819,7 @@ pkinit_decode_dh_params(DH **a, unsigned char **pp, unsigned int len) return dh; } -#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER */ static krb5_error_code pkinit_create_sequence_of_principal_identifiers( @@ -3333,31 +3324,11 @@ openssl_callback_ignore_crls(int ok, X509_STORE_CTX * ctx) static ASN1_OBJECT * pkinit_pkcs7type2oid(pkinit_plg_crypto_context cryptoctx, int pkcs7_type) { - int nid; - switch (pkcs7_type) { case CMS_SIGN_CLIENT: return cryptoctx->id_pkinit_authData; case CMS_SIGN_DRAFT9: - /* - * Delay creating this OID until we know we need it. - * It shadows an existing OpenSSL oid. If it - * is created too early, it breaks things like - * the use of pkcs12 (which uses pkcs7 structures). - * We need this shadow version because our code - * depends on the "other" type to be unknown to the - * OpenSSL code. - */ - if (cryptoctx->id_pkinit_authData9 == NULL) { - pkiDebug("%s: Creating shadow instance of pkcs7-data oid\n", - __FUNCTION__); - nid = OBJ_create("1.2.840.113549.1.7.1", "id-pkcs7-data", - "PKCS7 data"); - if (nid == NID_undef) - return NULL; - cryptoctx->id_pkinit_authData9 = OBJ_nid2obj(nid); - } - return cryptoctx->id_pkinit_authData9; + return OBJ_nid2obj(NID_pkcs7_data); case CMS_SIGN_SERVER: return cryptoctx->id_pkinit_DHKeyData; case CMS_ENVEL_SERVER: @@ -4664,7 +4635,7 @@ pkinit_find_private_key(pkinit_identity_crypto_context id_cryptoctx, attrs[nattrs].ulValueLen = sizeof keytype; nattrs++; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) rsa = priv->pkey.rsa; rsan = rsa->n; n_len = BN_num_bytes(rsan); diff --git a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h index 2f3e0ccae4..22fa5126b3 100644 --- a/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h +++ b/usr/src/lib/krb5/plugins/preauth/pkinit/pkinit_crypto_openssl.h @@ -31,6 +31,7 @@ /* * Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright 2018 OmniOS Community Edition (OmniOSce) Association. + * Copyright 2018 RackTop Systems. */ #ifndef _PKINIT_CRYPTO_OPENSSL_H @@ -50,7 +51,7 @@ #include #include -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #include #else #include @@ -118,7 +119,6 @@ struct _pkinit_plg_crypto_context { DH *dh_2048; DH *dh_4096; ASN1_OBJECT *id_pkinit_authData; - ASN1_OBJECT *id_pkinit_authData9; ASN1_OBJECT *id_pkinit_DHKeyData; ASN1_OBJECT *id_pkinit_rkeyData; ASN1_OBJECT *id_pkinit_san; @@ -285,7 +285,7 @@ wrap_signeddata(unsigned char *data, unsigned int data_len, /* This handy macro borrowed from crypto/x509v3/v3_purp.c */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #define ku_reject(x, usage) \ (((x)->ex_flags & EXFLAG_KUSAGE) && !((x)->ex_kusage & (usage))) #else diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c index b64064cb7b..0a17b32a6a 100644 --- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.c @@ -1,5 +1,6 @@ /* * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 RackTop Systems. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -12,7 +13,7 @@ #include #include "compat.h" -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static void * OPENSSL_zalloc(size_t num) @@ -443,4 +444,4 @@ EVP_PKEY_get0_RSA(EVP_PKEY *pkey) return (pkey->pkey.rsa); } -#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* OPENSSL_VERSION_NUMBER || LIBRESSL_VERSION_NUMBER */ diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h index 6613eb8d6d..9373c88639 100644 --- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/compat.h @@ -1,5 +1,6 @@ /* * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2018 RackTop Systems. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,7 +11,7 @@ #ifndef LIBCRYPTO_COMPAT_H #define LIBCRYPTO_COMPAT_H -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) #include #include @@ -86,6 +87,6 @@ RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); #define X509_getm_notBefore X509_get_notBefore #define X509_getm_notAfter X509_get_notAfter -#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* OPENSSL_VERSION_NUMBER || LIBRESSL_VERSION_NUMBER */ #endif /* LIBCRYPTO_COMPAT_H */ diff --git a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c index 3ca328ff05..1faa4bea34 100644 --- a/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c +++ b/usr/src/lib/libkmf/plugins/kmf_openssl/common/openssl_spi.c @@ -6,6 +6,7 @@ /* * Copyright (c) 2012, OmniTI Computer Consulting, Inc. All rights reserved. * Copyright 2018 OmniOS Community Edition (OmniOSce) Association. + * Copyright 2018 RackTop Systems. */ /* * Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL @@ -138,7 +139,7 @@ static uchar_t G[] = { 0x00, 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, /* * Declare some new macros for managing stacks of EVP_PKEYS. */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) DECLARE_STACK_OF(EVP_PKEY) #define sk_EVP_PKEY_new_null() SKM_sk_new_null(EVP_PKEY) @@ -300,7 +301,7 @@ KMF_PLUGIN_FUNCLIST openssl_plugin_table = NULL /* Finalize */ }; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) static mutex_t *lock_cs; static long *lock_count; @@ -321,12 +322,12 @@ thread_id() { return ((unsigned long)thr_self()); } -#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LIBRESSL_VERSION_NUMBER */ KMF_PLUGIN_FUNCLIST * KMF_Plugin_Initialize() { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) int i; #endif @@ -347,7 +348,7 @@ KMF_Plugin_Initialize() (void) OBJ_create("2.5.29.54", "inhibitAnyPolicy", "X509v3 Inhibit Any-Policy"); -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) /* * Set up for thread-safe operation. * This is not required for OpenSSL 1.1 @@ -1791,20 +1792,36 @@ OpenSSL_SignData(KMF_HANDLE_T handle, KMF_KEY_HANDLE *key, EVP_PKEY *pkey = (EVP_PKEY *)key->keyp; uchar_t *p; int len; - if (AlgId == KMF_ALGID_MD5WithRSA) + switch (AlgId) { +#ifndef OPENSSL_NO_MD5 + case KMF_ALGID_MD5WithRSA: md = EVP_md5(); - else if (AlgId == KMF_ALGID_SHA1WithRSA) + break; +#endif +#ifndef OPENSSL_NO_SHA + case KMF_ALGID_SHA1WithRSA: md = EVP_sha1(); - else if (AlgId == KMF_ALGID_SHA256WithRSA) + break; +#endif +#ifndef OPENSSL_NO_SHA256 + case KMF_ALGID_SHA256WithRSA: md = EVP_sha256(); - else if (AlgId == KMF_ALGID_SHA384WithRSA) + break; +#endif +#ifndef OPENSSL_NO_SHA512 + case KMF_ALGID_SHA384WithRSA: md = EVP_sha384(); - else if (AlgId == KMF_ALGID_SHA512WithRSA) + break; + case KMF_ALGID_SHA512WithRSA: md = EVP_sha512(); - else if (AlgId == KMF_ALGID_RSA) + break; +#endif + case KMF_ALGID_RSA: md = NULL; - else + break; + default: return (KMF_ERR_BAD_ALGORITHM); + } if ((md == NULL) && (AlgId == KMF_ALGID_RSA)) { RSA *rsa = EVP_PKEY_get1_RSA((EVP_PKEY *)pkey); @@ -2123,14 +2140,14 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, case KMF_CERT_SIGNATURE_ALG: case KMF_CERT_PUBKEY_ALG: { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ASN1_OBJECT *alg = NULL; #else const ASN1_OBJECT *alg = NULL; #endif if (flag == KMF_CERT_SIGNATURE_ALG) { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) alg = xcert->sig_alg->algorithm; #else const X509_ALGOR *sig_alg = NULL; @@ -2141,7 +2158,7 @@ OpenSSL_CertGetPrintable(KMF_HANDLE_T handle, const KMF_DATA *pcert, sig_alg); #endif } else { -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) alg = xcert->cert_info->key->algor->algorithm; #else X509_PUBKEY *key = X509_get_X509_PUBKEY(xcert); @@ -2498,7 +2515,7 @@ static X509 *ocsp_find_signer_sk(STACK_OF(X509) *certs, OCSP_BASICRESP *bs) unsigned char tmphash[SHA_DIGEST_LENGTH], *keyhash; const ASN1_OCTET_STRING *pid; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) OCSP_RESPID *id = bs->tbsResponseData->responderId; if (id->type == V_OCSP_RESPID_NAME) @@ -2571,7 +2588,7 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs, STACK_OF(X509) *cert_stack = NULL; X509 *signer = NULL; X509 *issuer = NULL; -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) EVP_PKEY *skey = NULL; #else STACK_OF(X509) *cert_stack2 = NULL; @@ -2631,7 +2648,7 @@ check_response_signature(KMF_HANDLE_T handle, OCSP_BASICRESP *bs, } /* Verify the signature of the response */ -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) skey = X509_get_pubkey(signer); if (skey == NULL) { ret = KMF_ERR_OCSP_BAD_SIGNER; @@ -2672,7 +2689,7 @@ end: X509_free(signer); } -#if OPENSSL_VERSION_NUMBER < 0x10100000L +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) if (skey != NULL) { EVP_PKEY_free(skey); } -- 2.11.4.GIT