Control: tags -1 + upstream patch

Hello!

Please see the attached patch, which has only been compile-tested against
OpenSSL 1.1.0: no runtime testing, and no compile-testing against older
versions. No guarantees — please review carefully.

Regards,
Andreas Henriksson
diff -urip libapache2-mod-auth-openidc-1.8.10.1/src/jose/apr_jwe.c libapache2-mod-auth-openidc-1.8.10.1.openssl110/src/jose/apr_jwe.c
--- libapache2-mod-auth-openidc-1.8.10.1/src/jose/apr_jwe.c	2016-04-03 18:34:49.000000000 +0000
+++ libapache2-mod-auth-openidc-1.8.10.1.openssl110/src/jose/apr_jwe.c	2016-11-01 18:26:39.773097593 +0000
@@ -175,10 +175,14 @@ static RSA* apr_jwe_jwk_to_openssl_rsa_k
 				jwk->key.rsa->private_exponent_len, private_exp);
 	}
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	RSA_set0_key(key, modulus, exponent, private_exp);
+#else
 	key->n = modulus;
 	key->e = exponent;
 	/* private_exp is NULL for public keys */
 	key->d = private_exp;
+#endif
 
 	return key;
 }
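Review bot: The return value of `RSA_set0_key` on the new line is discarded; under OpenSSL 1.1.0 it fails (returns 0) when `n` or `e` is NULL — e.g. after a failed `BN_new()` earlier in this function, which starts outside the hunk — and ownership of the three BIGNUMs only transfers on success, so a failure here returns an RSA with no modulus/exponent and leaks the BIGNUMs. A check such as `if (!RSA_set0_key(key, modulus, exponent, private_exp)) { BN_free(modulus); BN_free(exponent); BN_free(private_exp); RSA_free(key); return NULL; }` closes that, assuming callers already handle a NULL return from this function (not visible here).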
@@ -489,10 +493,15 @@ apr_byte_t apr_jwe_decrypt_content_aescb
 	unsigned char *plaintext = apr_palloc(pool, p_len + AES_BLOCK_SIZE);
 
 	/* initialize decryption context */
-	EVP_CIPHER_CTX decrypt_ctx;
-	EVP_CIPHER_CTX_init(&decrypt_ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_CIPHER_CTX *decrypt_ctx = EVP_CIPHER_CTX_new();
+#else
+	EVP_CIPHER_CTX my_decrypt_ctx;
+	EVP_CIPHER_CTX *decrypt_ctx = &my_decrypt_ctx;
+	EVP_CIPHER_CTX_init(decrypt_ctx);
+#endif
 	/* pass the extracted encryption key and Initialization Vector */
-	if (!EVP_DecryptInit_ex(&decrypt_ctx,
+	if (!EVP_DecryptInit_ex(decrypt_ctx,
 			apr_jwe_enc_to_openssl_cipher(header->enc), NULL, enc_key,
 			(const unsigned char *) iv->value)) {
 		apr_jwt_error_openssl(err, "EVP_DecryptInit_ex");
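Review bot: `EVP_CIPHER_CTX_new()` at the top of this hunk can return NULL, and the result is handed straight to `EVP_DecryptInit_ex` — on 1.1.0 that is a NULL dereference where the old stack-allocated context could not fail to exist. Add `if (decrypt_ctx == NULL) { apr_jwt_error_openssl(err, "EVP_CIPHER_CTX_new"); return FALSE; }` directly after the `#endif`; nothing else needs releasing at that point since `plaintext` is pool-allocated. The function continues in the following two hunks.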
@@ -500,14 +509,14 @@ apr_byte_t apr_jwe_decrypt_content_aescb
 	}
 
 	/* decrypt the ciphertext in to the plaintext */
-	if (!EVP_DecryptUpdate(&decrypt_ctx, plaintext, &p_len,
+	if (!EVP_DecryptUpdate(decrypt_ctx, plaintext, &p_len,
 			(const unsigned char *) cipher_text->value, cipher_text->len)) {
 		apr_jwt_error_openssl(err, "EVP_DecryptUpdate");
 		return FALSE;
 	}
 
 	/* decrypt the remaining bits/padding */
-	if (!EVP_DecryptFinal_ex(&decrypt_ctx, plaintext + p_len, &f_len)) {
+	if (!EVP_DecryptFinal_ex(decrypt_ctx, plaintext + p_len, &f_len)) {
 		apr_jwt_error_openssl(err, "EVP_DecryptFinal_ex");
 		return FALSE;
 	}
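Review bot: Both `return FALSE;` paths in this hunk (and the one following `EVP_DecryptInit_ex` in the previous hunk) now leak a heap-allocated `EVP_CIPHER_CTX` on OpenSSL 1.1.0, because `EVP_CIPHER_CTX_free` is only reached on the success path at the end of the function. `EVP_DecryptFinal_ex` is the call that fails on bad padding, so if `cipher_text` is taken from a client-supplied JWE, as the function name suggests, a malformed token leaks one context per attempt. The pre-patch code already skipped `EVP_CIPHER_CTX_cleanup` on these paths, so the context's internal cipher data leaked before too; the patch just widens it to the whole structure. Routing the error paths through a cleanup label, as `apr_jws_calculate_rsa` in this same patch does with `goto end`, fixes both.
```c
	apr_byte_t rc = FALSE;
	/* … unchanged: context allocation, EVP_DecryptInit_ex … */
	if (!EVP_DecryptUpdate(decrypt_ctx, plaintext, &p_len,
			(const unsigned char *) cipher_text->value, cipher_text->len)) {
		apr_jwt_error_openssl(err, "EVP_DecryptUpdate");
		goto end;	/* was: return FALSE; */
	}
	/* … same change for the EVP_DecryptInit_ex and EVP_DecryptFinal_ex failures … */
	/* … unchanged: length bookkeeping and *decrypted assignment … */
	rc = TRUE;
end:
	/* … unchanged: EVP_CIPHER_CTX_free / EVP_CIPHER_CTX_cleanup under #if … */
	return rc;
```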
@@ -516,7 +525,11 @@ apr_byte_t apr_jwe_decrypt_content_aescb
 	*decrypted = (char *) plaintext;
 
 	/* cleanup */
-	EVP_CIPHER_CTX_cleanup(&decrypt_ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_CIPHER_CTX_free(decrypt_ctx);
+#else
+	EVP_CIPHER_CTX_cleanup(decrypt_ctx);
+#endif
 
 	/* if we got here, all must be fine */
 	return TRUE;
diff -urip libapache2-mod-auth-openidc-1.8.10.1/src/jose/apr_jwk.c libapache2-mod-auth-openidc-1.8.10.1.openssl110/src/jose/apr_jwk.c
--- libapache2-mod-auth-openidc-1.8.10.1/src/jose/apr_jwk.c	2016-01-08 20:50:19.000000000 +0000
+++ libapache2-mod-auth-openidc-1.8.10.1.openssl110/src/jose/apr_jwk.c	2016-11-01 18:07:47.809111822 +0000
@@ -122,6 +122,7 @@ static apr_byte_t apr_jwk_rsa_bio_to_key
 	X509 *x509 = NULL;
 	EVP_PKEY *pkey = NULL;
 	apr_byte_t rv = FALSE;
+	const BIGNUM *n, *e, *d;
 
 	if (is_private_key) {
 		/* get the private key struct from the BIO */
@@ -153,21 +154,29 @@ static apr_byte_t apr_jwk_rsa_bio_to_key
 		goto end;
 	}
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	RSA_get0_key(rsa, &n, &e, &d);
+#else
+	n = rsa->n;
+	e = rsa->e;
+	d = rsa->d;
+#endif
+
 	/* convert the modulus bignum in to a key/len */
-	key->modulus_len = BN_num_bytes(rsa->n);
+	key->modulus_len = BN_num_bytes(n);
 	key->modulus = apr_pcalloc(pool, key->modulus_len);
-	BN_bn2bin(rsa->n, key->modulus);
+	BN_bn2bin(n, key->modulus);
 
 	/* convert the exponent bignum in to a key/len */
-	key->exponent_len = BN_num_bytes(rsa->e);
+	key->exponent_len = BN_num_bytes(e);
 	key->exponent = apr_pcalloc(pool, key->exponent_len);
-	BN_bn2bin(rsa->e, key->exponent);
+	BN_bn2bin(e, key->exponent);
 
 	/* convert the private exponent bignum in to a key/len */
-	if (rsa->d != NULL) {
-		key->private_exponent_len = BN_num_bytes(rsa->d);
+	if (d != NULL) {
+		key->private_exponent_len = BN_num_bytes(d);
 		key->private_exponent = apr_pcalloc(pool, key->private_exponent_len);
-		BN_bn2bin(rsa->d, key->private_exponent);
+		BN_bn2bin(d, key->private_exponent);
 	}
 
 	RSA_free(rsa);
diff -urip libapache2-mod-auth-openidc-1.8.10.1/src/jose/apr_jws.c libapache2-mod-auth-openidc-1.8.10.1.openssl110/src/jose/apr_jws.c
--- libapache2-mod-auth-openidc-1.8.10.1/src/jose/apr_jws.c	2016-07-11 13:18:18.000000000 +0000
+++ libapache2-mod-auth-openidc-1.8.10.1.openssl110/src/jose/apr_jws.c	2016-11-01 18:23:44.993099790 +0000
@@ -219,8 +219,14 @@ apr_byte_t apr_jws_hash_bytes(apr_pool_t
 		unsigned char **output, unsigned int *output_len, apr_jwt_error_t *err) {
 	unsigned char md_value[EVP_MAX_MD_SIZE];
 
-	EVP_MD_CTX ctx;
-	EVP_MD_CTX_init(&ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_MD_CTX *ctx;
+	ctx = EVP_MD_CTX_new();
+#else
+	EVP_MD_CTX my_ctx;
+	EVP_MD_CTX *ctx = &my_ctx;
+	EVP_MD_CTX_init(ctx);
+#endif
 
 	const EVP_MD *evp_digest = NULL;
 	if ((evp_digest = EVP_get_digestbyname(s_digest)) == NULL) {
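Review bot: `EVP_MD_CTX_new()` in this hunk is not checked for NULL, and its result is leaked when the digest lookup on the last line fails and the function returns FALSE. Moving the whole `#if`/`#else` allocation block below the `EVP_get_digestbyname` check and testing it, `if ((ctx = EVP_MD_CTX_new()) == NULL) { apr_jwt_error_openssl(err, "EVP_MD_CTX_new"); return FALSE; }`, closes both. As a point of style, this hunk splits the declaration and the assignment over two lines whereas the equivalent hunks in `apr_jws_calculate_rsa` and `apr_jws_verify_rsa` write `EVP_MD_CTX *ctx = EVP_MD_CTX_new();`; one form throughout would be easier to audit. The function's body continues in the next hunk.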
@@ -230,20 +236,24 @@ apr_byte_t apr_jws_hash_bytes(apr_pool_t
 		return FALSE;
 	}
 
-	if (!EVP_DigestInit_ex(&ctx, evp_digest, NULL)) {
+	if (!EVP_DigestInit_ex(ctx, evp_digest, NULL)) {
 		apr_jwt_error_openssl(err, "EVP_DigestInit_ex");
 		return FALSE;
 	}
-	if (!EVP_DigestUpdate(&ctx, input, input_len)) {
+	if (!EVP_DigestUpdate(ctx, input, input_len)) {
 		apr_jwt_error_openssl(err, "EVP_DigestUpdate");
 		return FALSE;
 	}
-	if (!EVP_DigestFinal_ex(&ctx, md_value, output_len)) {
+	if (!EVP_DigestFinal_ex(ctx, md_value, output_len)) {
 		apr_jwt_error_openssl(err, "EVP_DigestFinal_ex");
 		return FALSE;
 	}
 
-	EVP_MD_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_MD_CTX_free(ctx);
+#else
+	EVP_MD_CTX_cleanup(ctx);
+#endif
 
 	*output = apr_pcalloc(pool, *output_len);
 	memcpy(*output, md_value, *output_len);
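Review bot: The three `return FALSE;` paths in this hunk bypass `EVP_MD_CTX_free`, so on OpenSSL 1.1.0 every failed `EVP_DigestInit_ex`/`EVP_DigestUpdate`/`EVP_DigestFinal_ex` leaks the heap-allocated context (before the patch the same paths skipped `EVP_MD_CTX_cleanup`, leaking only the context's internal digest state). `apr_jws_calculate_rsa` in this same file already reaches its cleanup via `goto end`; the same shape here keeps the three functions consistent.
```c
	apr_byte_t rc = FALSE;
	/* … unchanged: context allocation and digest lookup … */
	if (!EVP_DigestInit_ex(ctx, evp_digest, NULL)) {
		apr_jwt_error_openssl(err, "EVP_DigestInit_ex");
		goto end;	/* was: return FALSE; */
	}
	/* … same change for EVP_DigestUpdate and EVP_DigestFinal_ex … */
	/* … unchanged: pool copy of md_value into *output … */
	rc = TRUE;
end:
	/* … unchanged: EVP_MD_CTX_free / EVP_MD_CTX_cleanup under #if … */
	return rc;
```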
@@ -303,8 +313,13 @@ apr_byte_t apr_jws_calculate_rsa(apr_poo
 	if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)
 		return FALSE;
 
-	EVP_MD_CTX ctx;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+#else
+	EVP_MD_CTX my_ctx;
+	EVP_MD_CTX *ctx = &my_ctx;
 	EVP_MD_CTX_init(&ctx);
+#endif
 
 	RSA * privkey = RSA_new();
 
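Review bot: `EVP_MD_CTX_init(&ctx);` — the unchanged context line between the new `#else` and `#endif` — is now inside the pre-1.1.0 branch where `ctx` has become an `EVP_MD_CTX *`, so it passes an `EVP_MD_CTX **`; with OpenSSL 1.0.x that is an incompatible-pointer-type diagnostic and, if it builds, a memset of `sizeof(EVP_MD_CTX)` bytes over a pointer-sized stack slot in the signing path. The equivalent hunks in `apr_jws_hash_bytes` and `apr_jws_verify_rsa` correctly call `EVP_MD_CTX_init(ctx);`, and this one should too. The cover letter says the patch was only compile-tested against 1.1.0, which is consistent with this slipping through; the 1.1.0 branch here also leaves `EVP_MD_CTX_new()` unchecked before the `EVP_DigestInit`/`EVP_SignInit_ex` calls in later hunks. `RSA_new()` on the last line is likewise unchecked, but that predates this patch.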
@@ -317,9 +332,13 @@ apr_byte_t apr_jws_calculate_rsa(apr_poo
 	BN_bin2bn(jwk->key.rsa->private_exponent,
 			jwk->key.rsa->private_exponent_len, private_exponent);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	RSA_set0_key(privkey, modulus, exponent, private_exponent);
+#else
 	privkey->n = modulus;
 	privkey->e = exponent;
 	privkey->d = private_exponent;
+#endif
 
 	EVP_PKEY* pRsaKey = EVP_PKEY_new();
 	if (!EVP_PKEY_assign_RSA(pRsaKey, privkey)) {
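Review bot: The new `RSA_set0_key` call ignores its return value; this function already has `err` and a `goto end` cleanup that frees `privkey`, so `if (!RSA_set0_key(privkey, modulus, exponent, private_exponent)) { apr_jwt_error_openssl(err, "RSA_set0_key"); goto end; }` costs little. Note that on failure the BIGNUMs are not owned by `privkey`, so they would still need freeing on that path — the same caveat applies to the sibling call in `apr_jwe_jwk_to_openssl_rsa_key`. The function continues in the following hunks.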
@@ -333,15 +352,15 @@ apr_byte_t apr_jws_calculate_rsa(apr_poo
 		unsigned char *pDigest = apr_pcalloc(pool, RSA_size(privkey));
 		unsigned int uDigestLen = RSA_size(privkey);
 
-		if (!EVP_DigestInit(&ctx, digest)) {
+		if (!EVP_DigestInit(ctx, digest)) {
 			apr_jwt_error_openssl(err, "EVP_DigestInit");
 			goto end;
 		}
-		if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+		if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {
 			apr_jwt_error_openssl(err, "EVP_DigestUpdate");
 			goto end;
 		}
-		if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {
+		if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {
 			apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");
 			goto end;
 		}
@@ -371,17 +390,17 @@ apr_byte_t apr_jws_calculate_rsa(apr_poo
 
 	} else {
 
-		if (!EVP_SignInit_ex(&ctx, digest, NULL)) {
+		if (!EVP_SignInit_ex(ctx, digest, NULL)) {
 			apr_jwt_error_openssl(err, "EVP_SignInit_ex");
 			goto end;
 		}
 
-		if (!EVP_SignUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+		if (!EVP_SignUpdate(ctx, jwt->message, strlen(jwt->message))) {
 			apr_jwt_error_openssl(err, "EVP_SignUpdate");
 			goto end;
 		}
 
-		if (!EVP_SignFinal(&ctx, (unsigned char *) jwt->signature.bytes,
+		if (!EVP_SignFinal(ctx, (unsigned char *) jwt->signature.bytes,
 				(unsigned int *) &jwt->signature.length, pRsaKey)) {
 			apr_jwt_error_openssl(err, "wrong key? EVP_SignFinal");
 			goto end;
@@ -398,7 +417,11 @@ apr_byte_t apr_jws_calculate_rsa(apr_poo
 	} else if (privkey) {
 		RSA_free(privkey);
 	}
-	EVP_MD_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_MD_CTX_free(ctx);
+#else
+	EVP_MD_CTX_cleanup(ctx);
+#endif
 
 	return rc;
 }
@@ -416,8 +439,13 @@ static apr_byte_t apr_jws_verify_rsa(apr
 	if ((digest = apr_jws_crypto_alg_to_evp(pool, jwt->header.alg, err)) == NULL)
 		return FALSE;
 
-	EVP_MD_CTX ctx;
-	EVP_MD_CTX_init(&ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_MD_CTX *ctx = EVP_MD_CTX_new();
+#else
+	EVP_MD_CTX my_ctx;
+	EVP_MD_CTX *ctx = &my_ctx;
+	EVP_MD_CTX_init(ctx);
+#endif
 
 	RSA * pubkey = RSA_new();
 
@@ -427,8 +455,12 @@ static apr_byte_t apr_jws_verify_rsa(apr
 	BN_bin2bn(jwk->key.rsa->modulus, jwk->key.rsa->modulus_len, modulus);
 	BN_bin2bn(jwk->key.rsa->exponent, jwk->key.rsa->exponent_len, exponent);
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	RSA_set0_key(pubkey, modulus, exponent, NULL);
+#else
 	pubkey->n = modulus;
 	pubkey->e = exponent;
+#endif
 
 	EVP_PKEY* pRsaKey = EVP_PKEY_new();
 	if (!EVP_PKEY_assign_RSA(pRsaKey, pubkey)) {
@@ -451,15 +483,15 @@ static apr_byte_t apr_jws_verify_rsa(apr
 		unsigned char *pDigest = apr_pcalloc(pool, RSA_size(pubkey));
 		unsigned int uDigestLen = RSA_size(pubkey);
 
-		if (!EVP_DigestInit(&ctx, digest)) {
+		if (!EVP_DigestInit(ctx, digest)) {
 			apr_jwt_error_openssl(err, "EVP_DigestInit");
 			goto end;
 		}
-		if (!EVP_DigestUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+		if (!EVP_DigestUpdate(ctx, jwt->message, strlen(jwt->message))) {
 			apr_jwt_error_openssl(err, "EVP_DigestUpdate");
 			goto end;
 		}
-		if (!EVP_DigestFinal(&ctx, pDigest, &uDigestLen)) {
+		if (!EVP_DigestFinal(ctx, pDigest, &uDigestLen)) {
 			apr_jwt_error_openssl(err, "wrong key? EVP_DigestFinal");
 			goto end;
 		}
@@ -477,16 +509,16 @@ static apr_byte_t apr_jws_verify_rsa(apr
 	} else if (apr_jws_signature_starts_with(pool, jwt->header.alg,
 			"RS") == TRUE) {
 
-		if (!EVP_VerifyInit_ex(&ctx, digest, NULL)) {
+		if (!EVP_VerifyInit_ex(ctx, digest, NULL)) {
 			apr_jwt_error_openssl(err, "EVP_VerifyInit_ex");
 			goto end;
 		}
-		if (!EVP_VerifyUpdate(&ctx, jwt->message, strlen(jwt->message))) {
+		if (!EVP_VerifyUpdate(ctx, jwt->message, strlen(jwt->message))) {
 			apr_jwt_error_openssl(err, "EVP_VerifyUpdate");
 			goto end;
 		}
 		
-		int rv = EVP_VerifyFinal(&ctx, (const unsigned char *) jwt->signature.bytes,
+		int rv = EVP_VerifyFinal(ctx, (const unsigned char *) jwt->signature.bytes,
 				jwt->signature.length, pRsaKey);
 
 		if (rv < 0) {
@@ -508,7 +540,11 @@ end:
 	} else if (pubkey) {
 		RSA_free(pubkey);
 	}
-	EVP_MD_CTX_cleanup(&ctx);
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+	EVP_MD_CTX_free(ctx);
+#else
+	EVP_MD_CTX_cleanup(ctx);
+#endif
 
 	return rc;
 }
