From 27c963e6da56b704f8be6d893e5d32887f79d95c Mon Sep 17 00:00:00 2001
From: Gerardo Ganis
Date: Sun, 16 Dec 2018 15:56:47 +0100
Subject: [PATCH 1/5] FindOpenSSL: add check for DH_compute_key_padded
---
 cmake/FindOpenSSL.cmake | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/cmake/FindOpenSSL.cmake b/cmake/FindOpenSSL.cmake
index 5d02bbe0b35..007a9d9f68c 100644
--- a/cmake/FindOpenSSL.cmake
+++ b/cmake/FindOpenSSL.cmake
@@ -81,3 +81,12 @@ check_symbol_exists(
 if( HAVE_TLS1_FUNC AND HAVE_TLS1_SYMB )
 add_definitions( -DHAVE_TLS1 )
 endif()
+
+check_function_exists(DH_compute_key_padded HAVE_DH_PADDED_FUNC)
+check_symbol_exists(
+ DH_compute_key_padded
+ ${OPENSSL_INCLUDE_DIR}/openssl/dh.h
+ HAVE_DH_PADDED_SYMB)
+if( HAVE_DH_PADDED_FUNC AND HAVE_DH_PADDED_SYMB )
+ add_definitions( -DHAVE_DH_PADDED )
+endif()
From 14e6ec4a1a6ec1cf40e0a2d4deea384fad8d5c8f Mon Sep 17 00:00:00 2001
From: Gerardo Ganis
Date: Sun, 16 Dec 2018 15:57:32 +0100
Subject: [PATCH 2/5] sslCipher: remove local definition of DH_compute_key_padded
---
 src/XrdCrypto/XrdCryptosslCipher.cc | 16 ----------------
 1 file changed, 16 deletions(-)
diff --git a/src/XrdCrypto/XrdCryptosslCipher.cc b/src/XrdCrypto/XrdCryptosslCipher.cc
index 858b6fd1a3a..367de60c056 100644
--- a/src/XrdCrypto/XrdCryptosslCipher.cc
+++ b/src/XrdCrypto/XrdCryptosslCipher.cc
@@ -133,22 +133,6 @@ static int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
 }
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
-static int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
-{
- int rv, pad;
- rv = dh->meth->compute_key(key, pub_key, dh);
- if (rv <= 0)
- return rv;
- pad = BN_num_bytes(dh->p) - rv;
- if (pad > 0) {
- memmove(key + pad, key, rv);
- memset(key, 0, pad);
- }
- return rv + pad;
-}
-#endif
-
 //_____________________________________________________________________________
 bool XrdCryptosslCipher::IsSupported(const char *cip)
 {
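Review bot: `check_function_exists(DH_compute_key_padded HAVE_DH_PADDED_FUNC)` links its probe only against whatever `CMAKE_REQUIRED_LIBRARIES` holds at that point, and the PATCH 1/5 hunk does not show it being set to the OpenSSL libraries found by this module. It may be set earlier in the file for the TLS1 check, which is outside the hunk; if it is not, the probe fails even when libcrypto exports the function and the build silently ends up without `HAVE_DH_PADDED`. A comment above the new block, for example `# needs CMAKE_REQUIRED_LIBRARIES to point at the OpenSSL libs; FUNC = exported by the library, SYMB = declared in openssl/dh.h`, would make the dependency and the reason for two separate checks explicit. The reworked block in PATCH 5/5 relies on the same probe.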
From 5f5fc8ac093e866253bcbff6b2ace007d3ca4ee6 Mon Sep 17 00:00:00 2001
From: Gerardo Ganis
Date: Sun, 16 Dec 2018 15:58:46 +0100
Subject: [PATCH 3/5] sslFactory: consolidate HasPaddingSupport using the result of FindOpenSSL
---
 src/XrdCrypto/XrdCryptosslFactory.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/XrdCrypto/XrdCryptosslFactory.cc b/src/XrdCrypto/XrdCryptosslFactory.cc
index 923cecbdf4e..2ecf6bbfbe5 100644
--- a/src/XrdCrypto/XrdCryptosslFactory.cc
+++ b/src/XrdCrypto/XrdCryptosslFactory.cc
@@ -188,10 +188,10 @@ bool XrdCryptosslFactory::SupportedCipher(const char *t)
 bool XrdCryptosslFactory::HasPaddingSupport()
 {
 // Returns true if cipher padding is supported
-#if OPENSSL_VERSION_NUMBER < 0x10002000L
- return false;
-#else
+#if defined(HAVE_DH_PADDED)
 return true;
+#else
+ return false;
 #endif
 }
From a2fa9d73341870c672c0e93e6528effac3a98616 Mon Sep 17 00:00:00 2001
From: Gerardo Ganis
Date: Sun, 16 Dec 2018 16:20:27 +0100
Subject: [PATCH 4/5] sslCipher: remove unnecessary unorthodox constructor
---
 src/XrdCrypto/XrdCryptosslCipher.hh | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/XrdCrypto/XrdCryptosslCipher.hh b/src/XrdCrypto/XrdCryptosslCipher.hh
index 4c03ef8a19f..d87264959fd 100644
--- a/src/XrdCrypto/XrdCryptosslCipher.hh
+++ b/src/XrdCrypto/XrdCryptosslCipher.hh
@@ -68,8 +68,6 @@ public:
 int liv, const char *iv);
 XrdCryptosslCipher(XrdSutBucket *b);
 XrdCryptosslCipher(bool padded, int len, char *pub, int lpub, const char *t);
- XrdCryptosslCipher(int len, char *pub, int lpub, const char *t)
- : XrdCryptosslCipher(false,len,pub,lpub,t) { }
 XrdCryptosslCipher(const XrdCryptosslCipher &c);
 virtual ~XrdCryptosslCipher();
From 7f10d67bff12d9c67681a38f650a3e51b6f11616 Mon Sep 17 00:00:00 2001
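Review bot: The comment kept in `HasPaddingSupport()` (PATCH 3/5) still says "cipher padding", but after this change the result depends only on `HAVE_DH_PADDED`, that is, on whether the configure step found `DH_compute_key_padded`. Reworded as `// Returns true if padded DH key computation (DH_compute_key_padded) is available`, it would tell a reader which padding is meant and where the answer comes from. It is also worth one line saying that the macro is defined only through cmake/FindOpenSSL.cmake, so a translation unit compiled without those definitions reports no support. The same comment is carried unchanged through the PATCH 5/5 hunk on this function.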
From: Gerardo Ganis
Date: Mon, 17 Dec 2018 11:37:18 +0100
Subject: [PATCH 5/5] xrdcrypto: improve padding support for incomplete openssl versions Default openssl on SLC6 provides the function but not the signature
---
 cmake/FindOpenSSL.cmake | 8 ++++++--
 src/XrdCrypto/XrdCryptosslCipher.cc | 20 ++++++++++++++++++++
 src/XrdCrypto/XrdCryptosslFactory.cc | 2 +-
 3 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/cmake/FindOpenSSL.cmake b/cmake/FindOpenSSL.cmake
index 007a9d9f68c..7ea43b1eb81 100644
--- a/cmake/FindOpenSSL.cmake
+++ b/cmake/FindOpenSSL.cmake
@@ -87,6 +87,10 @@ check_symbol_exists(
 DH_compute_key_padded
 ${OPENSSL_INCLUDE_DIR}/openssl/dh.h
 HAVE_DH_PADDED_SYMB)
-if( HAVE_DH_PADDED_FUNC AND HAVE_DH_PADDED_SYMB )
- add_definitions( -DHAVE_DH_PADDED )
+if( HAVE_DH_PADDED_FUNC)
+ if( HAVE_DH_PADDED_SYMB )
+ add_definitions( -DHAVE_DH_PADDED )
+ else()
+ add_definitions( -DHAVE_DH_PADDED_FUNC )
+ endif()
 endif()
diff --git a/src/XrdCrypto/XrdCryptosslCipher.cc b/src/XrdCrypto/XrdCryptosslCipher.cc
index 367de60c056..f265d4260a5 100644
--- a/src/XrdCrypto/XrdCryptosslCipher.cc
+++ b/src/XrdCrypto/XrdCryptosslCipher.cc
@@ -133,6 +133,26 @@ static int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
 }
 #endif
+#if !defined(HAVE_DH_PADDED)
+#if defined(HAVE_DH_PADDED_FUNC)
+int DH_compute_key_padded(unsigned char *, const BIGNUM *, DH *);
+#else
+static int DH_compute_key_padded(unsigned char *key, const BIGNUM *pub_key, DH *dh)
+{
+ int rv, pad;
+ rv = dh->meth->compute_key(key, pub_key, dh);
+ if (rv <= 0)
+ return rv;
+ pad = BN_num_bytes(dh->p) - rv;
+ if (pad > 0) {
+ memmove(key + pad, key, rv);
+ memset(key, 0, pad);
+ }
+ return rv + pad;
+}
+#endif
+#endif
+
 //_____________________________________________________________________________
 bool XrdCryptosslCipher::IsSupported(const char *cip)
 {
diff --git a/src/XrdCrypto/XrdCryptosslFactory.cc b/src/XrdCrypto/XrdCryptosslFactory.cc
index 2ecf6bbfbe5..cc2337389a8 100644
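Review bot: The prototype added under `HAVE_DH_PADDED_FUNC` in XrdCryptosslCipher.cc sits in a C++ source file with no `extern "C"` visible in the hunk, so unless a linkage block or an earlier C declaration exists outside the hunk it names a C++-mangled function and will not resolve against the C symbol exported by libcrypto. Declaring it as `extern "C" int DH_compute_key_padded(unsigned char *, const BIGNUM *, DH *);` removes the doubt. The static fallback below it ends up writing `BN_num_bytes(dh->p)` bytes into `key` after the `memmove`, so it deserves a comment such as `// key must hold at least BN_num_bytes(dh->p) bytes`. It also reads `dh->meth` and `dh->p` directly, which presumably restricts that branch to OpenSSL releases where `DH` is not opaque; a false negative from the function probe on a newer release would then surface as a compile error here.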
--- a/src/XrdCrypto/XrdCryptosslFactory.cc
+++ b/src/XrdCrypto/XrdCryptosslFactory.cc
@@ -188,7 +188,7 @@ bool XrdCryptosslFactory::SupportedCipher(const char *t)
 bool XrdCryptosslFactory::HasPaddingSupport()
 {
 // Returns true if cipher padding is supported
-#if defined(HAVE_DH_PADDED)
+#if defined(HAVE_DH_PADDED) || defined(HAVE_DH_PADDED_FUNC)
 return true;
 #else
 return false;
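Review bot: With this condition `HasPaddingSupport()` returns false exactly when neither macro is defined, which is the configuration in which XrdCryptosslCipher.cc (same patch) compiles its own static `DH_compute_key_padded` that also left-pads the result with zeros. If leaving the in-tree fallback out is intended, the reason should be stated next to the `#if`, e.g. `// the local fallback in XrdCryptosslCipher.cc is deliberately not reported as padding support`. Whether callers use this result to agree on padded key exchange with a peer is not visible here, but if they do, both ends have to reach the same answer for the same capability. The function's closing `#endif` and brace lie outside the hunk.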