Merge pull request #436 from M Ellert adding OpenSSL 1.1 support

cmake/FindOpenSSL.cmake

@@ -46,6 +46,9 @@ endif()
 
 set ( CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES} )
 
+check_function_exists(TLS_method HAVE_TLS)
+compiler_define_if_found(HAVE_TLS HAVE_TLS)
+
 check_function_exists(TLSv1_2_method HAVE_TLS12)
 compiler_define_if_found(HAVE_TLS12 HAVE_TLS12)
 

src/XrdCrypto/XrdCryptoFactory.cc

@@ -358,7 +358,7 @@ XrdCryptoX509SignProxyReq_t XrdCryptoFactory::X509SignProxyReq()
 //______________________________________________________________________________
 XrdCryptoX509CheckProxy3_t XrdCryptoFactory::X509CheckProxy3()
 {
-   // Sign a proxy request
+   // Check consistency of a GSI 3 compliant proxy
 
    ABSTRACTMETHOD("XrdCryptoFactory::X509CheckProxy3");
    return 0;

src/XrdCrypto/XrdCryptoFactory.hh

@@ -84,7 +84,8 @@ typedef int (*XrdCryptoX509ParseBucket_t)(XrdSutBucket *,
                                           XrdCryptoX509Chain *);
 // Proxies
 // The OID of the extension
-#define gsiProxyCertInfo_OID "1.3.6.1.4.1.3536.1.222"
+#define gsiProxyCertInfo_OLD_OID "1.3.6.1.4.1.3536.1.222"
+#define gsiProxyCertInfo_OID     "1.3.6.1.5.5.7.1.14"
 // check presence of proxyCertInfo extension (RFC 3820)
 typedef bool (*XrdCryptoProxyCertInfo_t)(const void *, int &, bool *);
 // set path length constraint
@@ -105,7 +106,7 @@ typedef int (*XrdCryptoX509CreateProxyReq_t)(XrdCryptoX509 *,
 // sign a proxy certificate request
 typedef int (*XrdCryptoX509SignProxyReq_t)(XrdCryptoX509 *, XrdCryptoRSA *,
                                            XrdCryptoX509Req *, XrdCryptoX509 **);
-// sign a proxy certificate request
+// check consistency of a GSI 3 compliant proxy
 typedef int (*XrdCryptoX509CheckProxy3_t)(XrdCryptoX509 *, XrdOucString &);
 
 // get VOMS attributes

src/XrdCrypto/XrdCryptogsiX509Chain.cc

@@ -170,6 +170,7 @@ bool XrdCryptogsiX509Chain::Verify(EX509ChainErr &errcode, x509ChainVerifyOpt_t
       int pxplen = -1; bool b;
       if (opt & kOptsRfc3820) {
          const void *extdata = xcer->GetExtension(gsiProxyCertInfo_OID);
+         if (!extdata) extdata = xcer->GetExtension(gsiProxyCertInfo_OLD_OID);
          if (!extdata || !cfact || !(cfact && (*(cfact->ProxyCertInfo()))(extdata, pxplen, &b))) {
             errcode = kMissingExtension;
             lastError = "rfc3820: ";
@@ -238,7 +239,7 @@ bool XrdCryptogsiX509Chain::SubjectOK(EX509ChainErr &errcode, XrdCryptoX509 *xce
       if (pcn) {
          char *pcnn = 0;
          while ((pcnn = (char *) strstr(pcn+1,"/CN=")))
-	    pcn = pcnn;
+            pcn = pcnn;
          ilen = (int)(pcn - xcer->Issuer());
       }
       if (strncmp(xcer->Subject() + ilen,"/CN=",4)) {

src/XrdCrypto/XrdCryptosslAux.cc

@@ -48,6 +48,16 @@
 static int gErrVerifyChain = 0;
 XrdOucTrace *sslTrace = 0;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+    if (pkey->type != EVP_PKEY_RSA) {
+        return NULL;
+    }
+    return pkey->pkey.rsa;
+}
+#endif
+
 //____________________________________________________________________________
 int XrdCryptosslX509VerifyCB(int ok, X509_STORE_CTX *ctx)
 {
@@ -444,15 +454,12 @@ int XrdCryptosslX509ParseFile(const char *fname,
                   // Get the public key
                   EVP_PKEY *evpp = X509_get_pubkey((X509 *)(cert->Opaque()));
                   if (evpp) {
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
-                     // evpp gets reset by the other call on >=1.0.0; to be investigated
-                     if (PEM_read_bio_RSAPrivateKey(bkey,&(evpp->pkey.rsa),0,0)) {
-#else
-                     if (PEM_read_bio_PrivateKey(bkey,&evpp,0,0)) {
-#endif
+                     RSA *rsa = 0;
+                     if (PEM_read_bio_RSAPrivateKey(bkey,&rsa,0,0)) {
+                        EVP_PKEY_assign_RSA(evpp, rsa);
                         DEBUG("RSA key completed for '"<<cert->Subject()<<"'");
                         // Test consistency
-                        int rc = RSA_check_key(evpp->pkey.rsa);
+                        int rc = RSA_check_key(EVP_PKEY_get0_RSA(evpp));
                         if (rc != 0) {
                            // Update PKI in certificate
                            cert->SetPKI((XrdCryptoX509data)evpp);
@@ -567,10 +574,12 @@ int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *chain)
                   // Get the public key
                   EVP_PKEY *evpp = X509_get_pubkey((X509 *)(cert->Opaque()));
                   if (evpp) {
-                     if (PEM_read_bio_PrivateKey(bkey,&evpp,0,0)) {
+                     RSA *rsa = 0;
+                     if (PEM_read_bio_RSAPrivateKey(bkey,&rsa,0,0)) {
+                        EVP_PKEY_assign_RSA(evpp, rsa);
                         DEBUG("RSA key completed ");
                         // Test consistency
-                        int rc = RSA_check_key(evpp->pkey.rsa);
+                        int rc = RSA_check_key(EVP_PKEY_get0_RSA(evpp));
                         if (rc != 0) {
                            // Update PKI in certificate
                            cert->SetPKI((XrdCryptoX509data)evpp);
@@ -598,7 +607,7 @@ int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *chain)
 }
 
 //____________________________________________________________________________
-int XrdCryptosslASN1toUTC(ASN1_TIME *tsn1)
+int XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1)
 {
    // Function to convert from ASN1 time format into UTC
    // since Epoch (Jan 1, 1970) 

src/XrdCrypto/XrdCryptosslAux.hh

@@ -62,7 +62,7 @@ int XrdCryptosslX509ParseFile(const char *fname, XrdCryptoX509Chain *c);
 int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *c);
 //
 // Function to convert from ASN1 time format into UTC since Epoch (Jan 1, 1970) 
-int XrdCryptosslASN1toUTC(ASN1_TIME *tsn1);
+int XrdCryptosslASN1toUTC(const ASN1_TIME *tsn1);
 
 // Function to convert X509_NAME into a one-line human readable string
 void XrdCryptosslNameOneLine(X509_NAME *nm, XrdOucString &s);