openlink · sebastianas · Sep 5, 2016 · Bo98 · Nov 18, 2019 · Bo98
diff --git a/libsrc/Dk/Dkernel.c b/libsrc/Dk/Dkernel.c
@@ -5270,7 +5270,11 @@ ssl_server_init ()
   }
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000
   SSLeay_add_all_algorithms ();
+#else
+  OpenSSL_add_all_algorithms();
+#endif
   PKCS12_PBE_add ();		/* stub */
 
 #ifdef NO_THREAD

diff --git a/libsrc/Wi/bif_crypto.c b/libsrc/Wi/bif_crypto.c
@@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg)
   unsigned char temp[EVP_MAX_MD_SIZE];
   unsigned int size = 0;
   caddr_t res = NULL;
-  HMAC_CTX ctx;
+  HMAC_CTX *ctx;
   const EVP_MD *md = EVP_sha1 ();
 
   if (alg == 1)
     md = EVP_ripemd160 ();
 
-  HMAC_Init (&ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md);
-  box_hmac_1 (box, &ctx);
-  HMAC_Final (&ctx, temp, &size);
+  ctx = HMAC_CTX_new();
+  if (!ctx)
+	  return res;
+
+  HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL);
+  box_hmac_1 (box, ctx);
+  HMAC_Final (ctx, temp, &size);
   if (size)
     {
       res = dk_alloc_box (size + 1, DV_SHORT_STRING);
       memcpy (res, temp, size);
       res[size] = 0;
     }
+  HMAC_CTX_free(ctx);
   return res;
 }
 
@@ -345,16 +350,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 	    }
 	  else if (tag == V_ASN1_BOOLEAN)
 	    {
-	      int ii;
-
-	      opp = op;
-	      ii = d2i_ASN1_BOOLEAN (NULL, (const unsigned char **)&opp, len + hl);
-	      if (ii < 0)
+	      if (len + hl < 1)
 		{
 		  if (BIO_write (bp, "Bad boolean\n", 12))
 		    goto end;
 		}
-	      BIO_printf (bp, "%d", ii);
+	      BIO_printf (bp, "%d", p[0]);
 	    }
 	  else if (tag == V_ASN1_BMPSTRING)
 	    {
@@ -415,7 +416,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		}
 	      if (os != NULL)
 		{
-		  M_ASN1_OCTET_STRING_free (os);
+		  ASN1_STRING_free (os);
 		  os = NULL;
 		}
 	    }
@@ -448,7 +449,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD INTEGER", 11) <= 0)
 		    goto end;
 		}
-	      M_ASN1_INTEGER_free (bs);
+	      ASN1_STRING_free (bs);
 	    }
 	  else if (tag == V_ASN1_ENUMERATED)
 	    {
@@ -479,7 +480,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0)
 		    goto end;
 		}
-	      M_ASN1_ENUMERATED_free (bs);
+	      ASN1_STRING_free (bs);
 	    }
 	  else if (len > 0 && dump)
 	    {
@@ -515,7 +516,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
   if (o != NULL)
     ASN1_OBJECT_free (o);
   if (os != NULL)
-    M_ASN1_OCTET_STRING_free (os);
+    ASN1_STRING_free (os);
   *pp = p;
   return (ret);
 }
@@ -723,7 +724,7 @@ bio_to_strses (BIO * out_bio)
   int len = BIO_get_mem_data (out_bio, &ptr);
   int to_read = len, readed = 0;
 
-  to_free = ((BUF_MEM *) out_bio->ptr)->data;
+  to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data;
   BIO_set_flags (out_bio, BIO_FLAGS_MEM_RDONLY);
   CATCH_WRITE_FAIL (ses)
     {
@@ -735,7 +736,8 @@ bio_to_strses (BIO * out_bio)
       } while (to_read > 0);
     }
   END_WRITE_FAIL (ses);
-  ((BUF_MEM *) out_bio->ptr)->data = to_free;
+  ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free;
+
   BIO_clear_flags (out_bio, BIO_FLAGS_MEM_RDONLY);
   return ses;
 }
@@ -770,7 +772,7 @@ bif_smime_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
   if (DV_TYPE_OF (msg) == DV_STRING_SESSION)
     {
       in_bio = strses_to_bio ((dk_session_t *) msg);
-      to_free = ((BUF_MEM *) in_bio->ptr)->data;
+      to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data;
-      to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data;
+      to_free = ((BUF_MEM *) BIO_get_data(in_bio))->data;
-      to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data;
+      to_free = ((BUF_MEM *) BIO_get_data(in_bio))->data;
       BIO_set_flags (in_bio, BIO_FLAGS_MEM_RDONLY);
     }
   else
@@ -780,7 +782,7 @@ bif_smime_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
       p7 = SMIME_read_PKCS7 (in_bio, &data_bio);
       if (to_free)
 	{
-	  ((BUF_MEM *) in_bio->ptr)->data = to_free;
+	  ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free;
-	  ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free;
+	  ((BUF_MEM *) BIO_get_data(in_bio))->data = to_free;
-	  ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free;
+	  ((BUF_MEM *) BIO_get_data(in_bio))->data = to_free;
 	  BIO_clear_flags (in_bio, BIO_FLAGS_MEM_RDONLY);
 	}
       BIO_free (in_bio);
@@ -924,16 +926,20 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
     }
 
   certs = sk_X509_new_null ();
-  if (store && store->objs)
+
+  if (store && X509_STORE_get0_objects(store))
     {
-      for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
+      STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
+
+      for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
 	{
-	  X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
-	  if (obj->type == X509_LU_X509)
-	    sk_X509_push (certs, X509_dup (obj->data.x509));
+	  X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
+	  if (X509_OBJECT_get_type(obj) == X509_LU_X509)
+	    sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
 	}
 
     }
+
   if (store)
     X509_STORE_free (store);
   in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
@@ -1005,15 +1011,19 @@ bif_smime_encrypt (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
     sqlr_new_error ("42000", "CR006", "No recipient certificates");
 
   certs = sk_X509_new_null ();
-  if (store && store->objs)
+
+  if (store && X509_STORE_get0_objects(store))
     {
-      for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
+      STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
+
+      for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
 	{
-	  X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
-	  if (obj->type == X509_LU_X509)
-	    sk_X509_push (certs, X509_dup (obj->data.x509));
+	  X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
+	  if (X509_OBJECT_get_type(obj) == X509_LU_X509)
+	    sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
 	}
     }
+
   if (store)
     X509_STORE_free (store);
   in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
@@ -1181,7 +1191,7 @@ x509_certificate_verify_cb (int ok, X509_STORE_CTX * ctx)
   char *opts = (char *) X509_STORE_CTX_get_app_data (ctx);
   if (!ok && opts)
     {
-      switch (ctx->error)
+      switch (X509_STORE_CTX_get_error(ctx))
 	{
 	case X509_V_ERR_CERT_HAS_EXPIRED:
 	  if (strstr (opts, "expired"))
@@ -1287,7 +1297,7 @@ bif_x509_certificate_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** a
   if (!i)
     {
       const char *err_str;
-      err_str = X509_verify_cert_error_string (csc->error);
+      err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(csc));
       *err_ret = srv_make_new_error ("22023", "CR015", "X509 error: %s", err_str);
     }
 
@@ -1308,20 +1318,16 @@ bif_x509_certificate_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** a
 #define VIRT_CERT_EXT "2.16.840.1.1113.1"
 
 static caddr_t
-BN_box (BIGNUM * x)
+BN_box (const BIGNUM *x)
 {
   size_t buf_len, n;
   caddr_t buf;
   buf_len = (size_t) BN_num_bytes (x);
-  if (buf_len <= BN_BYTES)
-    buf = box_num ((unsigned long) x->d[0]);
-  else
-    {
-      buf = dk_alloc_box (buf_len, DV_BIN);
-      n = BN_bn2bin (x, (unsigned char *) buf);
-      if (n != buf_len)
-	GPF_T;
-    }
+  /* did not figure out where buf is free()ed */
+  buf = dk_alloc_box (buf_len, DV_BIN);
+  n = BN_bn2bin (x, (unsigned char *) buf);
+  if (n != buf_len)
+	  GPF_T;
   return buf;
 }
 
@@ -1498,7 +1504,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	int i;
 	char tmp[1024];
 	char *ext_oid = (char *) (BOX_ELEMENTS (args) > 4 ? bif_string_arg (qst, args, 4, "get_certificate_info") : VIRT_CERT_EXT);
-	STACK_OF (X509_EXTENSION) * exts = cert->cert_info->extensions;
+	const STACK_OF (X509_EXTENSION) * exts = X509_get0_extensions(cert);
 	for (i = 0; i < sk_X509_EXTENSION_num (exts); i++)
 	  {
 	    X509_EXTENSION *ex = sk_X509_EXTENSION_value (exts, i);
@@ -1510,7 +1516,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 		char *data_ptr;
 		BIO *mem = BIO_new (BIO_s_mem ());
 		if (!X509V3_EXT_print (mem, ex, 0, 0))
-		  M_ASN1_OCTET_STRING_print (mem, ex->value);
+		  ASN1_STRING_print (mem, X509_EXTENSION_get_data(ex));
 		len = BIO_get_mem_data (mem, &data_ptr);
 		if (len > 0 && data_ptr)
 		  {
@@ -1537,18 +1543,23 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	if (k)
 	  {
 #ifdef EVP_PKEY_RSA
-	    if (k->type == EVP_PKEY_RSA)
+	    if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
 	      {
-		RSA *x = k->pkey.rsa;
-		ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (x->e), BN_box (x->n));
+		const BIGNUM *n, *e;
+
+		RSA_get0_key(EVP_PKEY_get0_RSA(k), &n, &e, NULL);
+
+		ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (e), BN_box (n));
 	      }
 	    else
 #endif
 #ifdef EVP_PKEY_DSA
-	    if (k->type == EVP_PKEY_DSA)
+	    if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
 	      {
-		DSA *x = k->pkey.dsa;
-		ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (x->pub_key));
+		const BIGNUM *pub_key;
+
+		DSA_get0_key(EVP_PKEY_get0_DSA(k), &pub_key, NULL);
+		ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (pub_key));
 	      }
 	    else
 #endif
@@ -1567,13 +1578,14 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	int n, i, len;
 	char *s, *data_ptr;
 	BIO *mem = BIO_new (BIO_s_mem ());
-	for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
+
+	for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
 	  {
-	    ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
-	    n = OBJ_obj2nid (ne->object);
+	    ne = X509_NAME_get_entry(subj, i);
+	    n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
 	    if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL))
 	      {
-		i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
+		i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
 		s = buffer;
 	      }
 	    if (!strcmp (s, attr))
@@ -1582,9 +1594,10 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 		break;
 	      }
 	  }
+
 	if (ne_ret)
 	  {
-	    ASN1_STRING_print (mem, ne_ret->value);
+	    ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne_ret));
 	    len = BIO_get_mem_data (mem, &data_ptr);
 	    if (len > 0 && data_ptr)
 	      {
@@ -1605,17 +1618,18 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	dk_set_t set = NULL;
 	caddr_t val;
 	BIO *mem = BIO_new (BIO_s_mem ());
-	for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
+
+	for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
 	  {
 	    val = NULL;
-	    ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
-	    n = OBJ_obj2nid (ne->object);
+	    ne = X509_NAME_get_entry(subj, i);
+	    n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
 	    if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL))
 	      {
-		i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
+		i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
 		s = buffer;
 	      }
-	    ASN1_STRING_print (mem, ne->value);
+	    ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne));
 	    len = BIO_get_mem_data (mem, &data_ptr);
 	    if (len > 0 && data_ptr)
 	      {
@@ -1635,15 +1649,19 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
       {
 	const unsigned char *s;
 	int i, n;
-	const ASN1_STRING *sig = cert->signature;
-	X509_ALGOR *sigalg = cert->sig_alg;
+	const ASN1_STRING *sig;
+	const X509_ALGOR *sigalg;
+	const ASN1_OBJECT *sig_alg_algorithm;
 	char buf[80];
 	caddr_t val;
 
-        i2t_ASN1_OBJECT(buf,sizeof (buf), sigalg->algorithm);
+	X509_get0_signature(&sig, &sigalg, cert);
+	X509_ALGOR_get0(&sig_alg_algorithm, NULL, NULL, sigalg);
+
+        i2t_ASN1_OBJECT(buf,sizeof (buf), sig_alg_algorithm);
 
-	n = sig->length;
-	s = sig->data;
+	n = ASN1_STRING_length(sig);
+	s = ASN1_STRING_get0_data(sig);
 	val = dk_alloc_box ((n * 2) + 1, DV_SHORT_STRING);
 	for (i = 0; i < n; i ++)
 	  {
@@ -1660,11 +1678,11 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	if (k)
 	  {
 #ifdef EVP_PKEY_RSA
-	    if (k->type == EVP_PKEY_RSA)
+	    if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
 	      {
 		char *data_ptr;
 		int len;
-		RSA *x = k->pkey.rsa;
+		RSA *x = EVP_PKEY_get0_RSA(k);
 		b = BIO_new (BIO_s_mem());
 		i2d_RSA_PUBKEY_bio (b, x);
 		len = BIO_get_mem_data (b, &data_ptr);

diff --git a/libsrc/Wi/http.c b/libsrc/Wi/http.c
@@ -8841,7 +8841,7 @@ ssl_server_set_certificate (SSL_CTX* ssl_ctx, char * cert_name, char * key_name,
 		  log_error ("SSL: The stored certificate '%s' can not be used as extra chain certificate", tok);
 		  break;
 		}
-	      CRYPTO_add(&k->xek_x509->references, 1, CRYPTO_LOCK_X509);
+	      X509_up_ref(k->xek_x509);
               tok = strtok_r (NULL, ",", &tok_s);
 	    }
 	  dk_free_box (str);