xrootd · simonmichal · Sep 30, 2021 · Sep 26, 2021
diff --git a/src/XrdCrypto/XrdCryptoLite_bf32.cc b/src/XrdCrypto/XrdCryptoLite_bf32.cc
@@ -40,7 +40,7 @@
 #include <netinet/in.h>
 #include <cinttypes>
 
-#include <openssl/blowfish.h>
+#include <openssl/evp.h>
 
 #include "XrdOuc/XrdOucCRC.hh"
 #include "XrdSys/XrdSysHeaders.hh"
@@ -82,23 +82,23 @@ int XrdCryptoLite_bf32::Decrypt(const char *key,
                                 char       *dst,
                                 int         dstLen)
 {
-   BF_KEY decKey;
    unsigned char ivec[8] = {0,0,0,0,0,0,0,0};
    unsigned int crc32;
-   int ivnum = 0, dLen = srcLen-sizeof(crc32);
+   int wLen;
+   int dLen = srcLen - sizeof(crc32);
 
 // Make sure we have data
 //
    if (dstLen <= (int)sizeof(crc32) || dstLen < srcLen) return -EINVAL;
 
-// Set the key
-//
-   BF_set_key(&decKey, keyLen, (const unsigned char *)key);
-
 // Decrypt
 //
-   BF_cfb64_encrypt((const unsigned char *)src, (unsigned char *)dst, srcLen,
-                    &decKey, ivec, &ivnum, BF_DECRYPT);
+   EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+   EVP_DecryptInit_ex(ctx, EVP_bf_cfb64(), 0, (unsigned char *)key, ivec);
+   EVP_DecryptUpdate(ctx, (unsigned char *)dst, &wLen,
+                          (unsigned char *)src, srcLen);
+   EVP_DecryptFinal_ex(ctx, (unsigned char *)dst, &wLen);
+   EVP_CIPHER_CTX_free(ctx);
 
 // Perform the CRC check to verify we have valid data here
 //
@@ -123,10 +123,10 @@ int XrdCryptoLite_bf32::Encrypt(const char *key,
                                 char       *dst,
                                 int         dstLen)
 {
-   BF_KEY encKey;
    unsigned char buff[4096], *bP, *mP = 0, ivec[8] = {0,0,0,0,0,0,0,0};
    unsigned int crc32;
-   int ivnum = 0, dLen = srcLen+sizeof(crc32);
+   int wLen;
+   int dLen = srcLen + sizeof(crc32);
 
 // Make sure that the destination if at least 4 bytes larger and we have data
 //
@@ -146,14 +146,13 @@ int XrdCryptoLite_bf32::Encrypt(const char *key,
    crc32 = htonl(crc32);
    memcpy((bP+srcLen), &crc32, sizeof(crc32));
 
-// Set the key
-//
-   BF_set_key(&encKey, keyLen, (const unsigned char *)key);
-
 // Encrypt
 //
-   BF_cfb64_encrypt(bP, (unsigned char *)dst, dLen,
-                    &encKey, ivec, &ivnum, BF_ENCRYPT);
+   EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+   EVP_EncryptInit_ex(ctx, EVP_bf_cfb64(), 0, (unsigned char *)key, ivec);
+   EVP_EncryptUpdate(ctx, (unsigned char *)dst, &wLen, bP, dLen);
+   EVP_EncryptFinal_ex(ctx, (unsigned char *)dst, &wLen);
+   EVP_CIPHER_CTX_free(ctx);
 
 // Free temp buffer and return success
 //

diff --git a/src/XrdCrypto/XrdCryptoX509Chain.cc b/src/XrdCrypto/XrdCryptoX509Chain.cc
@@ -44,7 +44,7 @@
 
 // Description of errors
 static const char *X509ChainErrStr[] = {
-   "no error condition occurred",         // 0
+   "no error condition occurred",        // 0
    "chain is inconsistent",              // 1
    "size exceeds max allowed depth",     // 2
    "invalid or missing CA",              // 3

diff --git a/src/XrdCrypto/XrdCryptosslAux.cc b/src/XrdCrypto/XrdCryptosslAux.cc
@@ -59,6 +59,22 @@ static RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
 }
 #endif
 
+static int XrdCheckRSA (EVP_PKEY *pkey) {
+   int rc;
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+   RSA *rsa = EVP_PKEY_get0_RSA(pkey);
+   if (rsa)
+      rc = RSA_check_key(rsa);
+   else
+      rc = -2;
+#else
+   EVP_PKEY_CTX *ckctx = EVP_PKEY_CTX_new(pkey, 0);
+   rc = EVP_PKEY_check(ckctx);
+   EVP_PKEY_CTX_free(ckctx);
+#endif
+   return rc;
+}
+
 //____________________________________________________________________________
 int XrdCryptosslX509VerifyCB(int ok, X509_STORE_CTX *ctx)
 {
@@ -151,7 +167,7 @@ bool XrdCryptosslX509VerifyChain(XrdCryptoX509Chain *chain, int &errcode)
       return 0;
 
    // Set the verify callback function
-   X509_STORE_set_verify_cb_func(store,0);
+   X509_STORE_set_verify_cb_func(store, 0);
 
    // Add the first (the CA) certificate
    XrdCryptoX509 *cert = chain->Begin();
@@ -515,58 +531,40 @@ int XrdCryptosslX509ParseFile(FILE *fcer,
    // rewind and look for it
    if (nci) {
       rewind(fcer);
-      RSA  *rsap = 0;
-      if (!PEM_read_RSAPrivateKey(fcer, &rsap, 0, 0)) {
+      EVP_PKEY *rsa = 0;
+      if (!PEM_read_PrivateKey(fcer, &rsa, 0, 0)) {
          DEBUG("no RSA private key found in file " << fname);
       } else {
          DEBUG("found a RSA private key in file " << fname);
-         // We need to complete the key: we save it temporarily
-         // to a bio and check all the private keys of the
-         // loaded certificates 
-         bool ok = 1;
-         BIO *bkey = BIO_new(BIO_s_mem());
-         if (!bkey) {
-            DEBUG("unable to create BIO for key completion");
-            ok = 0;
-         }
-         if (ok) {
-            // Write the private key
-            if (!PEM_write_bio_RSAPrivateKey(bkey,rsap,0,0,0,0,0)) {
-               DEBUG("unable to write RSA private key to bio");
-               ok = 0;
-            }
-         }
-         RSA_free(rsap);
-         if (ok) {
+         // We need to complete the key:
+         // check all the private keys of the loaded certificates
+         {
             // Loop over the chain certificates
             XrdCryptoX509 *cert = chain->Begin();
             while (cert->Opaque()) {
                if (cert->type != XrdCryptoX509::kCA) {
                   // Get the public key
                   EVP_PKEY *evpp = X509_get_pubkey((X509 *)(cert->Opaque()));
                   if (evpp) {
-                     RSA *rsa = 0;
-                     if (PEM_read_bio_RSAPrivateKey(bkey,&rsa,0,0)) {
-                        EVP_PKEY_assign_RSA(evpp, rsa);
+                        EVP_PKEY_copy_parameters(evpp, rsa);
                         DEBUG("RSA key completed for '"<<cert->Subject()<<"'");
                         // Test consistency
-                        int rc = RSA_check_key(EVP_PKEY_get0_RSA(evpp));
-                        if (rc != 0) {
+                        if (XrdCheckRSA(evpp) == 1) {
                            // Update PKI in certificate
                            cert->SetPKI((XrdCryptoX509data)evpp);
                            // Update status
                            cert->PKI()->status = XrdCryptoRSA::kComplete;
                            break;
                         }
-                     }
+                        EVP_PKEY_free(evpp);
                   }
                }
                // Get next
                cert = chain->Next();
             }
          }
          // Cleanup
-         BIO_free(bkey);
+         EVP_PKEY_free(rsa);
       }
    }
 
@@ -610,7 +608,7 @@ int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *chain)
 
    // Get certificates from BIO
    X509 *xcer = 0;
-   while (PEM_read_bio_X509(bmem,&xcer,0,0)) {
+   while (PEM_read_bio_X509(bmem, &xcer, 0, 0)) {
       //
       // Create container and add to the list
       XrdCryptoX509 *c = new XrdCryptosslX509(xcer);
@@ -632,58 +630,40 @@ int XrdCryptosslX509ParseBucket(XrdSutBucket *b, XrdCryptoX509Chain *chain)
    // as read operations modify the BIO contents; a read-only BIO
    // may be more efficient)
    if (nci && BIO_write(bmem,(const void *)(b->buffer),b->size) == b->size) {
-      RSA  *rsap = 0;
-      if (!PEM_read_bio_RSAPrivateKey(bmem, &rsap, 0, 0)) {
-         DEBUG("no RSA private key found in bucket ");
+      EVP_PKEY *rsa = 0;
+      if (!PEM_read_bio_PrivateKey(bmem, &rsa, 0, 0)) {
+         DEBUG("no RSA private key found in bucket");
       } else {
-         DEBUG("found a RSA private key in bucket ");
-         // We need to complete the key: we save it temporarily
-         // to a bio and check all the private keys of the
-         // loaded certificates 
-         bool ok = 1;
-         BIO *bkey = BIO_new(BIO_s_mem());
-         if (!bkey) {
-            DEBUG("unable to create BIO for key completion");
-            ok = 0;
-         }
-         if (ok) {
-            // Write the private key
-            if (!PEM_write_bio_RSAPrivateKey(bkey,rsap,0,0,0,0,0)) {
-               DEBUG("unable to write RSA private key to bio");
-               ok = 0;
-            }
-         }
-         RSA_free(rsap);
-         if (ok) {
+         DEBUG("found a RSA private key in bucket");
+         // We need to complete the key
+         // check all the private keys of the loaded certificates
+         {
             // Loop over the chain certificates
             XrdCryptoX509 *cert = chain->Begin();
             while (cert->Opaque()) {
                if (cert->type != XrdCryptoX509::kCA) {
                   // Get the public key
                   EVP_PKEY *evpp = X509_get_pubkey((X509 *)(cert->Opaque()));
                   if (evpp) {
-                     RSA *rsa = 0;
-                     if (PEM_read_bio_RSAPrivateKey(bkey,&rsa,0,0)) {
-                        EVP_PKEY_assign_RSA(evpp, rsa);
-                        DEBUG("RSA key completed ");
+                        EVP_PKEY_copy_parameters(evpp, rsa);
+                        DEBUG("RSA key completed");
                         // Test consistency
-                        int rc = RSA_check_key(EVP_PKEY_get0_RSA(evpp));
-                        if (rc != 0) {
+                        if (XrdCheckRSA(evpp) == 1) {
                            // Update PKI in certificate
                            cert->SetPKI((XrdCryptoX509data)evpp);
                            // Update status
                            cert->PKI()->status = XrdCryptoRSA::kComplete;
                            break;
                         }
-                     }
+                        EVP_PKEY_free(evpp);
                   }
                }
                // Get next
                cert = chain->Next();
             }
          }
          // Cleanup
-         BIO_free(bkey);
+         EVP_PKEY_free(rsa);
       }
    }