Issue opendnssec#190: Support for OpenSSL 1.1.0

bellgrim · Sep 23, 2016 · ff328a9 · ff328a9
1 parent 7072e98
commit ff328a9
Show file tree

Hide file tree

Showing 38 changed files with 1,421 additions and 445 deletions.
diff --git a/NEWS b/NEWS
@@ -9,6 +9,7 @@ SoftHSM develop
 * Issue #186: Reinitializing a token will now keep the token, but all
   token objects are deleted, the user PIN is removed and the token
   label is updated.
+* Issue #190: Support for OpenSSL 1.1.0.
 * Issue #198: Calling C_GetSlotList with NULL_PTR will make sure that
   there is always a slot with an uninitialized token available.
 * Issue #199: The token serial number will be used when setting the slot

diff --git a/m4/acx_openssl.m4 b/m4/acx_openssl.m4
@@ -23,7 +23,7 @@ AC_DEFUN([ACX_OPENSSL],[
 	LIBS="$LIBS $OPENSSL_LIBS"
 
 	AC_CHECK_HEADERS([openssl/ssl.h],,[AC_MSG_ERROR([Can't find OpenSSL headers])])
-	AC_CHECK_LIB(crypto, BN_init,,[AC_MSG_ERROR([Can't find OpenSSL library])])
+	AC_CHECK_LIB(crypto, BN_new,,[AC_MSG_ERROR([Can't find OpenSSL library])])
 
 	AC_MSG_CHECKING([for OpenSSL version])
 	CHECK_OPENSSL_VERSION=m4_format(0x%02x%02x%02x000L, $1, $2, $3)

diff --git a/m4/acx_openssl_ecc.m4 b/m4/acx_openssl_ecc.m4
@@ -14,19 +14,20 @@ AC_DEFUN([ACX_OPENSSL_ECC],[
 			#include <openssl/objects.h>
 			int main()
 			{
-				EC_KEY *ec256, *ec384;
+				EC_KEY *ec256, *ec384, *ec521;
 
 				ec256 = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
 				ec384 = EC_KEY_new_by_curve_name(NID_secp384r1);
-				if (ec256 == NULL || ec384 == NULL)
+				ec521 = EC_KEY_new_by_curve_name(NID_secp521r1);
+				if (ec256 == NULL || ec384 == NULL || ec521 == NULL)
 					return 1;
 				return 0;
 			}
 		]])
 	],[
-		AC_MSG_RESULT([Found P256 and P384])
+		AC_MSG_RESULT([Found P256, P384, and P521])
 	],[
-		AC_MSG_RESULT([Cannot find P256 or P384])
+		AC_MSG_RESULT([Cannot find P256, P384, or P521])
 		AC_MSG_ERROR([OpenSSL library has no ECC support])
 	],[])
 	AC_LANG_POP([C])

diff --git a/m4/acx_openssl_gost.m4 b/m4/acx_openssl_gost.m4
@@ -10,28 +10,52 @@ AC_DEFUN([ACX_OPENSSL_GOST],[
 	AC_LANG_PUSH([C])
 	AC_RUN_IFELSE([
 		AC_LANG_SOURCE([[
-			#include <openssl/conf.h>
 			#include <openssl/engine.h>
+			#include <openssl/crypto.h>
+			#include <openssl/opensslv.h>
 			int main()
 			{
-				ENGINE *e;
-				EC_KEY *ek;
+				ENGINE* eg;
+				const EVP_MD* EVP_GOST_34_11;
 
-				ek = NULL;
-				OPENSSL_config(NULL);
+				/* Initialise OpenSSL */
+				OpenSSL_add_all_algorithms();
 
-				e = ENGINE_by_id("gost");
-				if (e == NULL)
+				/* Load engines */
+			#if OPENSSL_VERSION_NUMBER < 0x10100000L
+				ENGINE_load_builtin_engines();
+			#else
+				OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN | OPENSSL_INIT_LOAD_CONFIG, NULL);
+			#endif
+
+				/* Initialise the GOST engine */
+				eg = ENGINE_by_id("gost");
+				if (eg == NULL)
+					return 1;
+				if (ENGINE_init(eg) <= 0)
 					return 1;
-				if (ENGINE_init(e) <= 0)
+
+				/* better than digest_gost */
+				EVP_GOST_34_11 = ENGINE_get_digest(eg, NID_id_GostR3411_94);
+				if (EVP_GOST_34_11 == NULL)
 					return 1;
+
+				/* from the openssl.cnf */
+				if (ENGINE_register_pkey_asn1_meths(eg) <= 0)
+					return 1;
+				if (ENGINE_ctrl_cmd_string(eg,
+				    "CRYPT_PARAMS",
+				    "id-Gost28147-89-CryptoPro-A-ParamSet",
+				    0) <= 0)
+					return 1;
+
 				return 0;
 			}
 		]])
 	],[
 		AC_MSG_RESULT([Found GOST engine])
 	],[
-		AC_MSG_RESULT([Cannot GOST engine])
+		AC_MSG_RESULT([Cannot find GOST engine])
 		AC_MSG_ERROR([OpenSSL library has no GOST support])
 	],[])
 	AC_LANG_POP([C])

diff --git a/src/bin/keyconv/Makefile.am b/src/bin/keyconv/Makefile.am
@@ -1,6 +1,7 @@
 MAINTAINERCLEANFILES =	$(srcdir)/Makefile.in
 
-AM_CPPFLAGS =			@CRYPTO_INCLUDES@
+AM_CPPFLAGS =			@CRYPTO_INCLUDES@ \
+				-I$(srcdir)/../../lib/crypto
 
 dist_man_MANS =			softhsm2-keyconv.1
 
@@ -12,7 +13,8 @@ softhsm2_keyconv_LDADD =	@CRYPTO_LIBS@
 
 # Compile with OpenSSL support
 if WITH_OPENSSL
-softhsm2_keyconv_SOURCES +=	softhsm2-keyconv-ossl.cpp
+softhsm2_keyconv_SOURCES +=	softhsm2-keyconv-ossl.cpp \
+				../../lib/crypto/OSSLComp.cpp
 endif
 
 # Compile with Botan support

diff --git a/src/bin/keyconv/softhsm2-keyconv-ossl.cpp b/src/bin/keyconv/softhsm2-keyconv-ossl.cpp
@@ -33,6 +33,7 @@
 #include <config.h>
 #define KEYCONV_OSSL
 #include "softhsm2-keyconv.h"
+#include "OSSLComp.h"
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -95,14 +96,17 @@ int save_rsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey)
 	}
 
 	rsa = RSA_new();
-	rsa->p =    BN_bin2bn((unsigned char*)pkey[TAG_PRIME1].big,  pkey[TAG_PRIME1].size, NULL);
-	rsa->q =    BN_bin2bn((unsigned char*)pkey[TAG_PRIME2].big,  pkey[TAG_PRIME2].size, NULL);
-	rsa->d =    BN_bin2bn((unsigned char*)pkey[TAG_PRIVEXP].big, pkey[TAG_PRIVEXP].size, NULL);
-	rsa->n =    BN_bin2bn((unsigned char*)pkey[TAG_MODULUS].big, pkey[TAG_MODULUS].size, NULL);
-	rsa->e =    BN_bin2bn((unsigned char*)pkey[TAG_PUBEXP].big,  pkey[TAG_PUBEXP].size, NULL);
-	rsa->dmp1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP1].big,    pkey[TAG_EXP1].size, NULL);
-	rsa->dmq1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP2].big,    pkey[TAG_EXP2].size, NULL);
-	rsa->iqmp = BN_bin2bn((unsigned char*)pkey[TAG_COEFF].big,   pkey[TAG_COEFF].size, NULL);
+	BIGNUM* bn_p =    BN_bin2bn((unsigned char*)pkey[TAG_PRIME1].big,  pkey[TAG_PRIME1].size, NULL);
+	BIGNUM* bn_q =    BN_bin2bn((unsigned char*)pkey[TAG_PRIME2].big,  pkey[TAG_PRIME2].size, NULL);
+	BIGNUM* bn_d =    BN_bin2bn((unsigned char*)pkey[TAG_PRIVEXP].big, pkey[TAG_PRIVEXP].size, NULL);
+	BIGNUM* bn_n =    BN_bin2bn((unsigned char*)pkey[TAG_MODULUS].big, pkey[TAG_MODULUS].size, NULL);
+	BIGNUM* bn_e =    BN_bin2bn((unsigned char*)pkey[TAG_PUBEXP].big,  pkey[TAG_PUBEXP].size, NULL);
+	BIGNUM* bn_dmp1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP1].big,    pkey[TAG_EXP1].size, NULL);
+	BIGNUM* bn_dmq1 = BN_bin2bn((unsigned char*)pkey[TAG_EXP2].big,    pkey[TAG_EXP2].size, NULL);
+	BIGNUM* bn_iqmp = BN_bin2bn((unsigned char*)pkey[TAG_COEFF].big,   pkey[TAG_COEFF].size, NULL);
+	RSA_set0_factors(rsa, bn_p, bn_q);
+	RSA_set0_crt_params(rsa, bn_dmp1, bn_dmq1, bn_iqmp);
+	RSA_set0_key(rsa, bn_n, bn_e, bn_d);
 
 	ossl_pkey = EVP_PKEY_new();
 
@@ -188,11 +192,15 @@ int save_dsa_pkcs8(char* out_path, char* file_pin, key_material_t* pkey)
 	}
 
 	dsa = DSA_new();
-	dsa->p =        BN_bin2bn((unsigned char*)pkey[TAG_PRIME].big,    pkey[TAG_PRIME].size, NULL);
-	dsa->q =        BN_bin2bn((unsigned char*)pkey[TAG_SUBPRIME].big, pkey[TAG_SUBPRIME].size, NULL);
-	dsa->g =        BN_bin2bn((unsigned char*)pkey[TAG_BASE].big,     pkey[TAG_BASE].size, NULL);
-	dsa->priv_key = BN_bin2bn((unsigned char*)pkey[TAG_PRIVVAL].big,  pkey[TAG_PRIVVAL].size, NULL);
-	dsa->pub_key =  BN_bin2bn((unsigned char*)pkey[TAG_PUBVAL].big,   pkey[TAG_PUBVAL].size, NULL);
+	BIGNUM* bn_p =        BN_bin2bn((unsigned char*)pkey[TAG_PRIME].big,    pkey[TAG_PRIME].size, NULL);
+	BIGNUM* bn_q =        BN_bin2bn((unsigned char*)pkey[TAG_SUBPRIME].big, pkey[TAG_SUBPRIME].size, NULL);
+	BIGNUM* bn_g =        BN_bin2bn((unsigned char*)pkey[TAG_BASE].big,     pkey[TAG_BASE].size, NULL);
+	BIGNUM* bn_priv_key = BN_bin2bn((unsigned char*)pkey[TAG_PRIVVAL].big,  pkey[TAG_PRIVVAL].size, NULL);
+	BIGNUM* bn_pub_key =  BN_bin2bn((unsigned char*)pkey[TAG_PUBVAL].big,   pkey[TAG_PUBVAL].size, NULL);
+
+	DSA_set0_pqg(dsa, bn_p, bn_q, bn_g);
+	DSA_set0_key(dsa, bn_pub_key, bn_priv_key);
+
 	ossl_pkey = EVP_PKEY_new();
 
 	// Convert DSA to EVP_PKEY

diff --git a/src/bin/util/Makefile.am b/src/bin/util/Makefile.am
@@ -27,7 +27,8 @@ softhsm2_util_LDADD =	@CRYPTO_LIBS@ \
 
 # Compile with support of OpenSSL
 if WITH_OPENSSL
-softhsm2_util_SOURCES +=	softhsm2-util-ossl.cpp
+softhsm2_util_SOURCES +=	softhsm2-util-ossl.cpp \
+				../../lib/crypto/OSSLComp.cpp
 endif
 
 # Compile with support of Botan

diff --git a/src/bin/util/softhsm2-util-ossl.cpp b/src/bin/util/softhsm2-util-ossl.cpp
@@ -34,6 +34,7 @@
 #define UTIL_OSSL
 #include "softhsm2-util.h"
 #include "softhsm2-util-ossl.h"
+#include "OSSLComp.h"
 
 #include <stdio.h>
 #include <stdlib.h>
@@ -94,7 +95,7 @@ int crypto_import_key_pair
 	EC_KEY* ecdsa = NULL;
 #endif
 
-	switch (EVP_PKEY_type(pkey->type))
+	switch (EVP_PKEY_type(EVP_PKEY_id(pkey)))
 	{
 		case EVP_PKEY_RSA:
 			rsa = EVP_PKEY_get1_RSA(pkey);
@@ -193,13 +194,6 @@ EVP_PKEY* crypto_read_file(char* filePath, char* filePIN)
 		}
 	}
 
-	if (p8inf->broken)
-	{
-		fprintf(stderr, "ERROR: Broken key encoding.\n");
-		PKCS8_PRIV_KEY_INFO_free(p8inf);
-		return NULL;
-	}
-
 	// Convert the PKCS#8 to OpenSSL
 	pkey = EVP_PKCS82PKEY(p8inf);
 	PKCS8_PRIV_KEY_INFO_free(p8inf);
@@ -310,14 +304,26 @@ rsa_key_material_t* crypto_malloc_rsa(RSA* rsa)
 		return NULL;
 	}
 
-	keyMat->sizeE = BN_num_bytes(rsa->e);
-	keyMat->sizeN = BN_num_bytes(rsa->n);
-	keyMat->sizeD = BN_num_bytes(rsa->d);
-	keyMat->sizeP = BN_num_bytes(rsa->p);
-	keyMat->sizeQ = BN_num_bytes(rsa->q);
-	keyMat->sizeDMP1 = BN_num_bytes(rsa->dmp1);
-	keyMat->sizeDMQ1 = BN_num_bytes(rsa->dmq1);
-	keyMat->sizeIQMP = BN_num_bytes(rsa->iqmp);
+	const BIGNUM* bn_e = NULL;
+	const BIGNUM* bn_n = NULL;
+	const BIGNUM* bn_d = NULL;
+	const BIGNUM* bn_p = NULL;
+	const BIGNUM* bn_q = NULL;
+	const BIGNUM* bn_dmp1 = NULL;
+	const BIGNUM* bn_dmq1 = NULL;
+	const BIGNUM* bn_iqmp = NULL;
+	RSA_get0_factors(rsa, &bn_p, &bn_q);
+	RSA_get0_crt_params(rsa, &bn_dmp1, &bn_dmq1, &bn_iqmp);
+	RSA_get0_key(rsa, &bn_n, &bn_e, &bn_d);
+
+	keyMat->sizeE = BN_num_bytes(bn_e);
+	keyMat->sizeN = BN_num_bytes(bn_n);
+	keyMat->sizeD = BN_num_bytes(bn_d);
+	keyMat->sizeP = BN_num_bytes(bn_p);
+	keyMat->sizeQ = BN_num_bytes(bn_q);
+	keyMat->sizeDMP1 = BN_num_bytes(bn_dmp1);
+	keyMat->sizeDMQ1 = BN_num_bytes(bn_dmq1);
+	keyMat->sizeIQMP = BN_num_bytes(bn_iqmp);
 
 	keyMat->bigE = (CK_VOID_PTR)malloc(keyMat->sizeE);
 	keyMat->bigN = (CK_VOID_PTR)malloc(keyMat->sizeN);
@@ -344,14 +350,14 @@ rsa_key_material_t* crypto_malloc_rsa(RSA* rsa)
 		return NULL;
 	}
 
-	BN_bn2bin(rsa->e, (unsigned char*)keyMat->bigE);
-	BN_bn2bin(rsa->n, (unsigned char*)keyMat->bigN);
-	BN_bn2bin(rsa->d, (unsigned char*)keyMat->bigD);
-	BN_bn2bin(rsa->p, (unsigned char*)keyMat->bigP);
-	BN_bn2bin(rsa->q, (unsigned char*)keyMat->bigQ);
-	BN_bn2bin(rsa->dmp1, (unsigned char*)keyMat->bigDMP1);
-	BN_bn2bin(rsa->dmq1, (unsigned char*)keyMat->bigDMQ1);
-	BN_bn2bin(rsa->iqmp, (unsigned char*)keyMat->bigIQMP);
+	BN_bn2bin(bn_e, (unsigned char*)keyMat->bigE);
+	BN_bn2bin(bn_n, (unsigned char*)keyMat->bigN);
+	BN_bn2bin(bn_d, (unsigned char*)keyMat->bigD);
+	BN_bn2bin(bn_p, (unsigned char*)keyMat->bigP);
+	BN_bn2bin(bn_q, (unsigned char*)keyMat->bigQ);
+	BN_bn2bin(bn_dmp1, (unsigned char*)keyMat->bigDMP1);
+	BN_bn2bin(bn_dmq1, (unsigned char*)keyMat->bigDMQ1);
+	BN_bn2bin(bn_iqmp, (unsigned char*)keyMat->bigIQMP);
 
 	return keyMat;
 }
@@ -467,11 +473,19 @@ dsa_key_material_t* crypto_malloc_dsa(DSA* dsa)
 		return NULL;
 	}
 
-	keyMat->sizeP = BN_num_bytes(dsa->p);
-	keyMat->sizeQ = BN_num_bytes(dsa->q);
-	keyMat->sizeG = BN_num_bytes(dsa->g);
-	keyMat->sizeX = BN_num_bytes(dsa->priv_key);
-	keyMat->sizeY = BN_num_bytes(dsa->pub_key);
+	const BIGNUM* bn_p = NULL;
+	const BIGNUM* bn_q = NULL;
+	const BIGNUM* bn_g = NULL;
+	const BIGNUM* bn_priv_key = NULL;
+	const BIGNUM* bn_pub_key = NULL;
+	DSA_get0_pqg(dsa, &bn_p, &bn_q, &bn_g);
+	DSA_get0_key(dsa, &bn_pub_key, &bn_priv_key);
+
+	keyMat->sizeP = BN_num_bytes(bn_p);
+	keyMat->sizeQ = BN_num_bytes(bn_q);
+	keyMat->sizeG = BN_num_bytes(bn_g);
+	keyMat->sizeX = BN_num_bytes(bn_priv_key);
+	keyMat->sizeY = BN_num_bytes(bn_pub_key);
 
 	keyMat->bigP = (CK_VOID_PTR)malloc(keyMat->sizeP);
 	keyMat->bigQ = (CK_VOID_PTR)malloc(keyMat->sizeQ);
@@ -485,11 +499,11 @@ dsa_key_material_t* crypto_malloc_dsa(DSA* dsa)
 		return NULL;
 	}
 
-	BN_bn2bin(dsa->p, (unsigned char*)keyMat->bigP);
-	BN_bn2bin(dsa->q, (unsigned char*)keyMat->bigQ);
-	BN_bn2bin(dsa->g, (unsigned char*)keyMat->bigG);
-	BN_bn2bin(dsa->priv_key, (unsigned char*)keyMat->bigX);
-	BN_bn2bin(dsa->pub_key, (unsigned char*)keyMat->bigY);
+	BN_bn2bin(bn_p, (unsigned char*)keyMat->bigP);
+	BN_bn2bin(bn_q, (unsigned char*)keyMat->bigQ);
+	BN_bn2bin(bn_g, (unsigned char*)keyMat->bigG);
+	BN_bn2bin(bn_priv_key, (unsigned char*)keyMat->bigX);
+	BN_bn2bin(bn_pub_key, (unsigned char*)keyMat->bigY);
 
 	return keyMat;
 }

diff --git a/src/lib/crypto/Makefile.am b/src/lib/crypto/Makefile.am
@@ -39,6 +39,7 @@ EXTRA_DIST =			$(srcdir)/*.h $(srcdir)/*.cpp
 # Compile with support of OpenSSL
 if WITH_OPENSSL
 libsofthsm_crypto_la_SOURCES +=	OSSLAES.cpp \
+				OSSLComp.cpp \
 				OSSLCryptoFactory.cpp \
 				OSSLDES.cpp \
 				OSSLDH.cpp \

diff --git a/src/lib/crypto/OSSLAES.cpp b/src/lib/crypto/OSSLAES.cpp
@@ -156,13 +156,12 @@ bool OSSLAES::wrapUnwrapKey(const SymmetricKey* key, const SymWrap::Type mode, c
 	}
 
 	// Allocate the EVP context
-	EVP_CIPHER_CTX* pWrapCTX = (EVP_CIPHER_CTX*) salloc(sizeof(EVP_CIPHER_CTX));
+	EVP_CIPHER_CTX* pWrapCTX = EVP_CIPHER_CTX_new();
 	if (pWrapCTX == NULL)
 	{
 		ERROR_MSG("Failed to allocate space for EVP_CIPHER_CTX");
 		return false;
 	}
-	EVP_CIPHER_CTX_init(pWrapCTX);
 	EVP_CIPHER_CTX_set_flags(pWrapCTX, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
 
 	int rv = EVP_CipherInit_ex(pWrapCTX, cipher, NULL, (unsigned char*) key->getKeyBits().const_byte_str(), NULL, wrap);
@@ -173,8 +172,7 @@ bool OSSLAES::wrapUnwrapKey(const SymmetricKey* key, const SymWrap::Type mode, c
 	{
 		ERROR_MSG("Failed to initialise EVP cipher %swrap operation", prefix);
 
-		EVP_CIPHER_CTX_cleanup(pWrapCTX);
-		sfree(pWrapCTX);
+		EVP_CIPHER_CTX_free(pWrapCTX);
 		return false;
 	}
 
@@ -191,10 +189,10 @@ bool OSSLAES::wrapUnwrapKey(const SymmetricKey* key, const SymWrap::Type mode, c
 	{
 		ERROR_MSG("Failed EVP %swrap operation", prefix);
 
-		EVP_CIPHER_CTX_cleanup(pWrapCTX);
-		sfree(pWrapCTX);
+		EVP_CIPHER_CTX_free(pWrapCTX);
 		return false;
 	}
+	EVP_CIPHER_CTX_free(pWrapCTX);
 	outLen += curBlockLen;
 	out.resize(outLen);
 	return true;