Fix FTBFS with openssl 1.1

Bug-Debian: https://bugs.debian.org/828594
Forwarded: openlink/virtuoso-opensource#583
Last-Update: Mo 11. Feb 13:50:17 CET 2019 (by Andreas Tille <tille@debian.org>)


Gbp-Pq: Name ssl1.1.patch

configure.ac

@@ -881,17 +881,6 @@ AC_TRY_COMPILE([
     ])
 
 AC_MSG_CHECKING([OpenSSL version])
-AC_TRY_COMPILE([
-#include <openssl/opensslv.h>
-],[
-#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
-#error OpenSSL version too new
-#endif
-    ],[
-      AC_MSG_RESULT([< 1.1.0])
-    ],[
-      AC_MSG_ERROR([OpenSSL version 1.1.0 or greater is currently not supported.])
-    ])
 
 AC_MSG_CHECKING([usability of the OpenSSL header files and library in ${openssl_dir}])
 AC_TRY_RUN([

libsrc/Dk/Dkernel.c

@@ -5280,7 +5280,11 @@ ssl_server_init ()
   }
 #endif
 
-  SSLeay_add_all_algorithms ();
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+  SSLeay_add_all_algorithms();
+#else
+  OpenSSL_add_all_algorithms();
+#endif
   PKCS12_PBE_add ();		/* stub */
 
 #ifdef NO_THREAD

libsrc/Wi/bif_crypto.c

@@ -181,21 +181,26 @@ box_hmac (caddr_t box, caddr_t key, int alg)
   unsigned char temp[EVP_MAX_MD_SIZE];
   unsigned int size = 0;
   caddr_t res = NULL;
-  HMAC_CTX ctx;
+  HMAC_CTX *ctx;
   const EVP_MD *md = EVP_sha1 ();
 
   if (alg == 1)
     md = EVP_ripemd160 ();
 
-  HMAC_Init (&ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md);
-  box_hmac_1 (box, &ctx);
-  HMAC_Final (&ctx, temp, &size);
+  ctx = HMAC_CTX_new();
+  if (!ctx)
+	  return res;
+
+  HMAC_Init_ex (ctx, key, box_length (key) - DV_STRINGP (key) ? 1 : 0, md, NULL);
+  box_hmac_1 (box, ctx);
+  HMAC_Final (ctx, temp, &size);
   if (size)
     {
       res = dk_alloc_box (size + 1, DV_SHORT_STRING);
       memcpy (res, temp, size);
       res[size] = 0;
     }
+  HMAC_CTX_free(ctx);
   return res;
 }
 
@@ -347,14 +352,12 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 	    {
 	      int ii;
 
-	      opp = op;
-	      ii = d2i_ASN1_BOOLEAN (NULL, (const unsigned char **)&opp, len + hl);
-	      if (ii < 0)
+	      if (len + hl < 1)
 		{
 		  if (BIO_write (bp, "Bad boolean\n", 12))
 		    goto end;
 		}
-	      BIO_printf (bp, "%d", ii);
+	      BIO_printf (bp, "%d", p[0]);
 	    }
 	  else if (tag == V_ASN1_BMPSTRING)
 	    {
@@ -415,7 +418,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		}
 	      if (os != NULL)
 		{
-		  M_ASN1_OCTET_STRING_free (os);
+		  ASN1_STRING_free (os);
 		  os = NULL;
 		}
 	    }
@@ -448,7 +451,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD INTEGER", 11) <= 0)
 		    goto end;
 		}
-	      M_ASN1_INTEGER_free (bs);
+	      ASN1_STRING_free (bs);
 	    }
 	  else if (tag == V_ASN1_ENUMERATED)
 	    {
@@ -479,7 +482,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
 		  if (BIO_write (bp, "BAD ENUMERATED", 11) <= 0)
 		    goto end;
 		}
-	      M_ASN1_ENUMERATED_free (bs);
+	      ASN1_STRING_free (bs);
 	    }
 	  else if (len > 0 && dump)
 	    {
@@ -515,7 +518,7 @@ asn1_parse_to_xml (BIO * bp, unsigned char **pp, long length, int offset, int de
   if (o != NULL)
     ASN1_OBJECT_free (o);
   if (os != NULL)
-    M_ASN1_OCTET_STRING_free (os);
+    ASN1_STRING_free (os);
   *pp = p;
   return (ret);
 }
@@ -723,7 +726,7 @@ bio_to_strses (BIO * out_bio)
   int len = BIO_get_mem_data (out_bio, &ptr);
   int to_read = len, readed = 0;
 
-  to_free = ((BUF_MEM *) out_bio->ptr)->data;
+  to_free = ((BUF_MEM *) BIO_get_data(out_bio))->data;
   BIO_set_flags (out_bio, BIO_FLAGS_MEM_RDONLY);
   CATCH_WRITE_FAIL (ses)
     {
@@ -735,7 +738,7 @@ bio_to_strses (BIO * out_bio)
       } while (to_read > 0);
     }
   END_WRITE_FAIL (ses);
-  ((BUF_MEM *) out_bio->ptr)->data = to_free;
+  ((BUF_MEM *) BIO_get_data(out_bio))->data = to_free;
   BIO_clear_flags (out_bio, BIO_FLAGS_MEM_RDONLY);
   return ses;
 }
@@ -770,7 +773,7 @@ bif_smime_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
   if (DV_TYPE_OF (msg) == DV_STRING_SESSION)
     {
       in_bio = strses_to_bio ((dk_session_t *) msg);
-      to_free = ((BUF_MEM *) in_bio->ptr)->data;
+      to_free = ((BUF_MEM *) BIO_get_data(in_bio))->data;
       BIO_set_flags (in_bio, BIO_FLAGS_MEM_RDONLY);
     }
   else
@@ -780,7 +783,7 @@ bif_smime_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
       p7 = SMIME_read_PKCS7 (in_bio, &data_bio);
       if (to_free)
 	{
-	  ((BUF_MEM *) in_bio->ptr)->data = to_free;
+	  ((BUF_MEM *) BIO_get_data(in_bio))->data = to_free;
 	  BIO_clear_flags (in_bio, BIO_FLAGS_MEM_RDONLY);
 	}
       BIO_free (in_bio);
@@ -924,16 +927,20 @@ bif_smime_sign (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
     }
 
   certs = sk_X509_new_null ();
-  if (store && store->objs)
+
+  if (store && X509_STORE_get0_objects(store))
     {
-      for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
+      STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
+
+      for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
 	{
-	  X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
-	  if (obj->type == X509_LU_X509)
-	    sk_X509_push (certs, X509_dup (obj->data.x509));
+	  X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
+	  if (X509_OBJECT_get_type(obj) == X509_LU_X509)
+	    sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
 	}
 
     }
+
   if (store)
     X509_STORE_free (store);
   in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
@@ -1005,15 +1012,19 @@ bif_smime_encrypt (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args)
     sqlr_new_error ("42000", "CR006", "No recipient certificates");
 
   certs = sk_X509_new_null ();
-  if (store && store->objs)
+
+  if (store && X509_STORE_get0_objects(store))
     {
-      for (inx = 0; inx < sk_X509_OBJECT_num (store->objs); inx++)
+      STACK_OF(X509_OBJECT) *store_objs = X509_STORE_get0_objects(store);
+
+      for (inx = 0; inx < sk_X509_OBJECT_num (store_objs); inx++)
 	{
-	  X509_OBJECT *obj = sk_X509_OBJECT_value (store->objs, inx);
-	  if (obj->type == X509_LU_X509)
-	    sk_X509_push (certs, X509_dup (obj->data.x509));
+	  X509_OBJECT *obj = sk_X509_OBJECT_value (store_objs, inx);
+	  if (X509_OBJECT_get_type(obj) == X509_LU_X509)
+	    sk_X509_push (certs, X509_dup (X509_OBJECT_get0_X509(obj)));
 	}
     }
+
   if (store)
     X509_STORE_free (store);
   in_bio = BIO_new_mem_buf (msg, box_length (msg) - 1);
@@ -1181,7 +1192,7 @@ x509_certificate_verify_cb (int ok, X509_STORE_CTX * ctx)
   char *opts = (char *) X509_STORE_CTX_get_app_data (ctx);
   if (!ok && opts)
     {
-      switch (ctx->error)
+      switch (X509_STORE_CTX_get_error(ctx))
 	{
 	case X509_V_ERR_CERT_HAS_EXPIRED:
 	  if (strstr (opts, "expired"))
@@ -1287,7 +1298,7 @@ bif_x509_certificate_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** a
   if (!i)
     {
       const char *err_str;
-      err_str = X509_verify_cert_error_string (csc->error);
+      err_str = X509_verify_cert_error_string (X509_STORE_CTX_get_error(csc));
       *err_ret = srv_make_new_error ("22023", "CR015", "X509 error: %s", err_str);
     }
 
@@ -1308,20 +1319,16 @@ bif_x509_certificate_verify (caddr_t * qst, caddr_t * err_ret, state_slot_t ** a
 #define VIRT_CERT_EXT "2.16.840.1.1113.1"
 
 static caddr_t
-BN_box (BIGNUM * x)
+BN_box (const BIGNUM *x)
 {
   size_t buf_len, n;
   caddr_t buf;
   buf_len = (size_t) BN_num_bytes (x);
-  if (buf_len <= BN_BYTES)
-    buf = box_num ((unsigned long) x->d[0]);
-  else
-    {
-      buf = dk_alloc_box (buf_len, DV_BIN);
-      n = BN_bn2bin (x, (unsigned char *) buf);
-      if (n != buf_len)
-	GPF_T;
-    }
+  /* did not figure out where buf is free()ed */
+  buf = dk_alloc_box (buf_len, DV_BIN);
+  n = BN_bn2bin (x, (unsigned char *) buf);
+  if (n != buf_len)
+	  GPF_T;
   return buf;
 }
 
@@ -1498,7 +1505,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	int i;
 	char tmp[1024];
 	char *ext_oid = (char *) (BOX_ELEMENTS (args) > 4 ? bif_string_arg (qst, args, 4, "get_certificate_info") : VIRT_CERT_EXT);
-	STACK_OF (X509_EXTENSION) * exts = cert->cert_info->extensions;
+	const STACK_OF (X509_EXTENSION) * exts = X509_get0_extensions(cert);
 	for (i = 0; i < sk_X509_EXTENSION_num (exts); i++)
 	  {
 	    X509_EXTENSION *ex = sk_X509_EXTENSION_value (exts, i);
@@ -1510,7 +1517,7 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 		char *data_ptr;
 		BIO *mem = BIO_new (BIO_s_mem ());
 		if (!X509V3_EXT_print (mem, ex, 0, 0))
-		  M_ASN1_OCTET_STRING_print (mem, ex->value);
+		  ASN1_STRING_print (mem, X509_EXTENSION_get_data(ex));
 		len = BIO_get_mem_data (mem, &data_ptr);
 		if (len > 0 && data_ptr)
 		  {
@@ -1537,18 +1544,23 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	if (k)
 	  {
 #ifdef EVP_PKEY_RSA
-	    if (k->type == EVP_PKEY_RSA)
+	    if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
 	      {
-		RSA *x = k->pkey.rsa;
-		ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (x->e), BN_box (x->n));
+		const BIGNUM *n, *e;
+
+		RSA_get0_key(EVP_PKEY_get0_RSA(k), &n, &e, NULL);
+
+		ret = list (3, box_dv_short_string ("RSAPublicKey"), BN_box (e), BN_box (n));
 	      }
 	    else
 #endif
 #ifdef EVP_PKEY_DSA
-	    if (k->type == EVP_PKEY_DSA)
+	    if (EVP_PKEY_id(k) == EVP_PKEY_DSA)
 	      {
-		DSA *x = k->pkey.dsa;
-		ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (x->pub_key));
+		const BIGNUM *pub_key;
+
+		DSA_get0_key(EVP_PKEY_get0_DSA(k), &pub_key, NULL);
+		ret = list (2, box_dv_short_string ("DSAPublicKey"), BN_box (pub_key));
 	      }
 	    else
 #endif
@@ -1567,13 +1579,13 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	int n, i, len;
 	char *s, *data_ptr;
 	BIO *mem = BIO_new (BIO_s_mem ());
-	for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
+	for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
 	  {
-	    ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
-	    n = OBJ_obj2nid (ne->object);
+	    ne = X509_NAME_get_entry(subj, i);
+	    n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
 	    if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL))
 	      {
-		i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
+		i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
 		s = buffer;
 	      }
 	    if (!strcmp (s, attr))
@@ -1582,9 +1594,10 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 		break;
 	      }
 	  }
+
 	if (ne_ret)
 	  {
-	    ASN1_STRING_print (mem, ne_ret->value);
+	    ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne_ret));
 	    len = BIO_get_mem_data (mem, &data_ptr);
 	    if (len > 0 && data_ptr)
 	      {
@@ -1605,17 +1618,17 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	dk_set_t set = NULL;
 	caddr_t val;
 	BIO *mem = BIO_new (BIO_s_mem ());
-	for (i = 0; NULL != subj && i < sk_X509_NAME_ENTRY_num(subj->entries); i++)
+	for (i = 0; NULL != subj && i < X509_NAME_entry_count(subj); i++)
 	  {
 	    val = NULL;
-	    ne = sk_X509_NAME_ENTRY_value(subj->entries,i);
-	    n = OBJ_obj2nid (ne->object);
+	    ne = X509_NAME_get_entry(subj, i);
+	    n = OBJ_obj2nid (X509_NAME_ENTRY_get_object(ne));
 	    if ((n == NID_undef) || ((s = (char *) OBJ_nid2sn (n)) == NULL))
 	      {
-		i2t_ASN1_OBJECT (buffer, sizeof (buffer), ne->object);
+		i2t_ASN1_OBJECT (buffer, sizeof (buffer), X509_NAME_ENTRY_get_object(ne));
 		s = buffer;
 	      }
-	    ASN1_STRING_print (mem, ne->value);
+	    ASN1_STRING_print (mem, X509_NAME_ENTRY_get_data(ne));
 	    len = BIO_get_mem_data (mem, &data_ptr);
 	    if (len > 0 && data_ptr)
 	      {
@@ -1629,18 +1642,22 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	  }
 	BIO_free (mem);
 	ret = list_to_array (dk_set_nreverse (set));
+
 	break;
       }
     case 12:
       {
 	const unsigned char *s;
 	int i, n;
-	const ASN1_STRING *sig = cert->signature;
-	X509_ALGOR *sigalg = cert->sig_alg;
+	const ASN1_STRING *sig;
+	const X509_ALGOR *sigalg;
+	const ASN1_OBJECT *sig_alg_algorithm;
 	char buf[80];
 	caddr_t val;
 
-        i2t_ASN1_OBJECT(buf,sizeof (buf), sigalg->algorithm);
+	X509_get0_signature(&sig, &sigalg, cert);
+	X509_ALGOR_get0(&sig_alg_algorithm, NULL, NULL, sigalg);
+	i2t_ASN1_OBJECT(buf,sizeof (buf), sig_alg_algorithm);
 
 	n = sig->length;
 	s = sig->data;
@@ -1660,11 +1677,11 @@ bif_get_certificate_info (caddr_t * qst, caddr_t * err_ret, state_slot_t ** args
 	if (k)
 	  {
 #ifdef EVP_PKEY_RSA
-	    if (k->type == EVP_PKEY_RSA)
+	    if (EVP_PKEY_id(k) == EVP_PKEY_RSA)
 	      {
 		char *data_ptr;
 		int len;
-		RSA *x = k->pkey.rsa;
+		RSA *x = EVP_PKEY_get0_RSA(k);
 		b = BIO_new (BIO_s_mem());
 		i2d_RSA_PUBKEY_bio (b, x);
 		len = BIO_get_mem_data (b, &data_ptr);