Browse Source

Added support for OpenSSL 1.1

Some KOpenSSLProxy methods have been renamed to be consistent
with OpenSSL 1.1 API names and to prevent hidden API changes.
To ensure API / ABI compatibility, the original methods are
still included but have been marked as deprecated.

+ SSLv23_client_method => TLS_client_method
+ X509_STORE_CTX_set_chain => X509_STORE_CTX_set0_untrusted
+ sk_dup => OPENSSL_sk_dup
+ sk_free => OPENSSL_sk_free
+ sk_new => OPENSSL_sk_new
+ sk_num => OPENSSL_sk_num
+ sk_pop => OPENSSL_sk_pop
+ sk_push => OPENSSL_sk_push
+ sk_value => OPENSSL_sk_value

Additional methods have been added to KOpenSSLProxy to support
the new OpenSSL 1.1 API functions that provide access to the
(now) opaque SSL structures. Compatibility with OpenSSL < 1.1
is handled internally in KOpenSSLProxy.

+ BIO_get_data
+ DSA_get0_key
+ DSA_get0_pqg
+ EVP_PKEY_base_id
+ EVP_PKEY_get0_DSA
+ EVP_PKEY_get0_RSA
+ RSA_get0_key
+ X509_CRL_get0_lastUpdate
+ X509_CRL_get0_nextUpdate
+ X509_OBJECT_get0_X509
+ X509_OBJECT_get_type
+ X509_STORE_CTX_get_current_cert
+ X509_STORE_CTX_get_error
+ X509_STORE_CTX_get_error_depth
+ X509_STORE_CTX_set_error
+ X509_STORE_get0_objects
+ X509_STORE_set_verify_cb
+ X509_get0_signature
+ X509_getm_notAfter
+ X509_getm_notBefore
+ X509_subject_name_cmp
+ _SSL_session_reused
+ _SSL_set_options

Method "KSSL::setSession" has been renamed to "KSSL::takeSession"
and its functionality has changed: the session is now transferred
from the argument object to the invoked object. Since it is only
used internally in TDE and the functionality is different, the
method with the previous name has not been preserved.

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>
pull/1/head
Slávek Banko 2 years ago
parent
commit
e1861cb681

+ 3
- 10
tdecert/tdecertpart.cc View File

@@ -557,9 +557,6 @@ if (whatType == "application/x-pkcs12") {
557 557
 		return false;
558 558
 	}
559 559
 
560
-#define sk_free KOSSL::self()->sk_free
561
-#define sk_num KOSSL::self()->sk_num
562
-#define sk_value KOSSL::self()->sk_value
563 560
 	STACK_OF(X509_INFO) *sx5i = KOSSL::self()->PEM_X509_INFO_read(fp, NULL, KSSLPemCallback, NULL);
564 561
 
565 562
 	if (!sx5i) {
@@ -569,8 +566,8 @@ if (whatType == "application/x-pkcs12") {
569 566
 	}
570 567
 
571 568
 	_ca_filenameLabel->setText(m_file);
572
-	for (int i = 0; i < sk_X509_INFO_num(sx5i); i++) {
573
-		X509_INFO* x5i = sk_X509_INFO_value(sx5i, i);
569
+	for (int i = 0; i < KOSSL::self()->OPENSSL_sk_num(sx5i); i++) {
570
+		X509_INFO* x5i = reinterpret_cast<X509_INFO*>(KOSSL::self()->OPENSSL_sk_value(sx5i, i));
574 571
 		if (x5i->x_pkey && x5i->x509) {   // a personal cert (like PKCS12)
575 572
 			KSSLCertificate *xc = KSSLCertificate::fromX509(x5i->x509);
576 573
 			new KX509Item(_sideList, xc);
@@ -584,11 +581,7 @@ if (whatType == "application/x-pkcs12") {
584 581
 		}
585 582
 	}
586 583
 
587
-	sk_X509_INFO_free(sx5i);
588
-
589
-#undef sk_free
590
-#undef sk_num
591
-#undef sk_value
584
+	KOSSL::self()->OPENSSL_sk_free(sx5i);
592 585
 
593 586
 	fclose(fp);
594 587
 	return true;

+ 612
- 112
tdeio/kssl/kopenssl.cc
File diff suppressed because it is too large
View File


+ 191
- 31
tdeio/kssl/kopenssl.h View File

@@ -48,13 +48,22 @@ class KOpenSSLProxyPrivate;
48 48
 #include <openssl/stack.h>
49 49
 #include <openssl/bn.h>
50 50
 #undef crypt
51
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
52
+#define STACK OPENSSL_STACK
53
+#else
51 54
 #if OPENSSL_VERSION_NUMBER >= 0x10000000L
52 55
 #define STACK _STACK
53 56
 #endif
54 57
 #endif
58
+#endif
55 59
 
56 60
 #include <kstaticdeleter.h>
57 61
 
62
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
63
+typedef int (*X509_STORE_CTX_verify_cb)(int, X509_STORE_CTX *);
64
+typedef int X509_LOOKUP_TYPE;
65
+#endif
66
+
58 67
 /**
59 68
  * Dynamically load and wrap OpenSSL.
60 69
  *
@@ -178,17 +187,14 @@ public:
178 187
     */
179 188
    SSL_CIPHER *SSL_get_current_cipher(SSL *ssl);
180 189
 
181
-   /*
182
-    *   SSL_set_options - manipulate SSL engine options
183
-    *   Note: These are all mapped to SSL_ctrl so call them as the comment
184
-    *         specifies but know that they use SSL_ctrl.  They are #define
185
-    *         so they will map to the one in this class if called as a
186
-    *         member function of this class.
187
-    */
188
-   /* long SSL_set_options(SSL *ssl, long options); */
189
-   /*   Returns 0 if not reused, 1 if session id is reused */
190
-   /*   int SSL_session_reused(SSL *ssl); */
191
-   long    SSL_ctrl(SSL *ssl,int cmd, long larg, char *parg);
190
+   /* SSL_set_options - manipulate SSL engine options */
191
+   long _SSL_set_options(SSL *ssl, long options);
192
+
193
+   /* Returns 0 if not reused, 1 if session id is reused */
194
+   int _SSL_session_reused(SSL *ssl);
195
+
196
+   /* SSL control */
197
+   long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg);
192 198
 
193 199
    /*
194 200
     *   RAND_egd - set the path to the EGD
@@ -233,9 +239,9 @@ public:
233 239
 
234 240
 
235 241
    /*
236
-    *   SSLv23_client_method - return a SSLv23 client method object
242
+    *   TLS_client_method - return client method object
237 243
     */
238
-   SSL_METHOD *SSLv23_client_method();
244
+   SSL_METHOD *TLS_client_method();
239 245
 
240 246
 
241 247
    /*
@@ -310,12 +316,38 @@ public:
310 316
 
311 317
 
312 318
    /*
319
+    *   X509_subject_name_cmp - compare subject name of two X509 objects
320
+    */
321
+   int X509_subject_name_cmp(const X509 *a, const X509 *b);
322
+
323
+
324
+   /*
313 325
     *   X509_dup - duplicate an X509 object
314 326
     */
315 327
    X509 *X509_dup(X509 *x509);
316 328
 
317 329
 
318 330
    /*
331
+    *   X509_get0_signature - get signature and algorithm
332
+    */
333
+   void X509_get0_signature(const ASN1_BIT_STRING **psig,
334
+                            const X509_ALGOR **palg, const X509 *x);
335
+
336
+
337
+
338
+   /*
339
+    *
340
+    */
341
+   ASN1_TIME *X509_getm_notAfter(const X509 *x);
342
+
343
+
344
+   /*
345
+    *
346
+    */
347
+   ASN1_TIME *X509_getm_notBefore(const X509 *x);
348
+
349
+
350
+   /*
319 351
     *   X509_STORE_CTX_new - create an X509 store context
320 352
     */
321 353
    X509_STORE_CTX *X509_STORE_CTX_new(void);
@@ -328,15 +360,66 @@ public:
328 360
 
329 361
 
330 362
    /*
331
-    *   X509_STORE_CTX_set_chain - set the certificate chain
363
+    *   X509_STORE_CTX_set0_untrusted - set the certificate chain
332 364
     */
333
-   void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x);
365
+   void X509_STORE_CTX_set0_untrusted(X509_STORE_CTX *v, STACK_OF(X509)* x);
366
+
334 367
 
335 368
    /*
336 369
     *   X509_STORE_CTX_set_purpose - set the purpose of the certificate 
337 370
     */
338 371
    void X509_STORE_CTX_set_purpose(X509_STORE_CTX *v, int purpose);
339 372
 
373
+
374
+   /*
375
+    *
376
+    */
377
+   X509 *X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
378
+
379
+
380
+   /*
381
+    *
382
+    */
383
+   int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
384
+
385
+
386
+   /*
387
+    *
388
+    */
389
+   int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
390
+
391
+
392
+   /*
393
+    *
394
+    */
395
+   void X509_STORE_CTX_set_error(X509_STORE_CTX *ctx, int s);
396
+
397
+
398
+   /*
399
+    *
400
+    */
401
+   void X509_STORE_set_verify_cb(X509_STORE *ctx,
402
+                                 X509_STORE_CTX_verify_cb verify_cb);
403
+
404
+
405
+   /*
406
+    *
407
+    */
408
+   STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *v);
409
+
410
+
411
+   /*
412
+    *
413
+    */
414
+   X509_LOOKUP_TYPE X509_OBJECT_get_type(const X509_OBJECT *a);
415
+
416
+
417
+   /*
418
+    *
419
+    */
420
+   X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a);
421
+
422
+
340 423
    /*
341 424
     *   X509_verify_cert - verify the certificate
342 425
     */
@@ -367,6 +450,18 @@ public:
367 450
 
368 451
 
369 452
    /*
453
+    *
454
+    */
455
+   const ASN1_TIME *X509_CRL_get0_lastUpdate(const X509_CRL *crl);
456
+
457
+
458
+   /*
459
+    *
460
+    */
461
+   const ASN1_TIME *X509_CRL_get0_nextUpdate(const X509_CRL *crl);
462
+
463
+
464
+   /*
370 465
     *   X509_NAME_oneline - return the X509 data in a string
371 466
     */
372 467
    char *X509_NAME_oneline(X509_NAME *a, char *buf, int size);
@@ -455,6 +550,11 @@ public:
455 550
    int BIO_write(BIO *b, const void *data, int len);
456 551
 
457 552
    /*
553
+    *   BIO_get_data - retrieve (custom) data from BIO
554
+    */
555
+   void *BIO_get_data(BIO *a);
556
+
557
+   /*
458 558
     *   PEM_write_bio_X509 - write a PEM encoded cert to a BIO*
459 559
     */
460 560
    int PEM_write_bio_X509(BIO *bp, X509 *x);
@@ -536,53 +636,51 @@ public:
536 636
    /* 
537 637
     *   Pop off the stack
538 638
     */
539
-   char *sk_pop(STACK *s);
639
+   char *OPENSSL_sk_pop(STACK *s);
640
+
641
+   char *OPENSSL_sk_pop(void *s) { return OPENSSL_sk_pop(reinterpret_cast<STACK*>(s)); }
540 642
 
541 643
 
542 644
    /* 
543 645
     *   Free the stack
544 646
     */
545
-   void sk_free(STACK *s);
647
+   void OPENSSL_sk_free(STACK *s);
546 648
 
547
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
548
-   void sk_free(void *s) { return sk_free(reinterpret_cast<STACK*>(s)); }
549
-#endif
649
+   void OPENSSL_sk_free(void *s) { OPENSSL_sk_free(reinterpret_cast<STACK*>(s)); }
550 650
 
551 651
    /* 
552 652
     *  Number of elements in the stack
553 653
     */
554
-   int sk_num(STACK *s);
654
+   int OPENSSL_sk_num(STACK *s);
555 655
 
656
+   int OPENSSL_sk_num(void *s) { return OPENSSL_sk_num(reinterpret_cast<STACK*>(s)); }
556 657
 
557 658
    /* 
558 659
     *  Value of element n in the stack
559 660
     */
560
-   char *sk_value(STACK *s, int n);
661
+   char *OPENSSL_sk_value(STACK *s, int n);
561 662
 
562
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
563
-   char *sk_value(void *s, int n) { return sk_value(reinterpret_cast<STACK*>(s), n); }
564
-#endif
663
+   char *OPENSSL_sk_value(void *s, int n) { return OPENSSL_sk_value(reinterpret_cast<STACK*>(s), n); }
565 664
 
566 665
    /* 
567 666
     *  Create a new stack
568 667
     */
569
-   STACK *sk_new(int (*cmp)());
668
+   STACK *OPENSSL_sk_new(int (*cmp)());
570 669
 
571 670
 
572 671
    /* 
573 672
     *  Add an element to the stack
574 673
     */
575
-   int sk_push(STACK *s, char *d);
674
+   int OPENSSL_sk_push(STACK *s, char *d);
576 675
 
577
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
578
-   int sk_push(void *s, void *d) { return sk_push(reinterpret_cast<STACK*>(s), reinterpret_cast<char*>(d)); }
579
-#endif
676
+   int OPENSSL_sk_push(void *s, void *d) { return OPENSSL_sk_push(reinterpret_cast<STACK*>(s), reinterpret_cast<char*>(d)); }
580 677
 
581 678
    /* 
582 679
     *  Duplicate the stack
583 680
     */
584
-   STACK *sk_dup(STACK *s);
681
+   STACK *OPENSSL_sk_dup(const STACK *s);
585 682
 
683
+   STACK *OPENSSL_sk_dup(const void *s) { return OPENSSL_sk_dup(reinterpret_cast<const STACK*>(s)); }
586 684
 
587 685
    /*
588 686
     *  Convert an ASN1_INTEGER to it's text form
@@ -824,12 +922,37 @@ public:
824 922
 
825 923
 
826 924
    /*
925
+    * Get EVP private key type
926
+    */
927
+   int EVP_PKEY_base_id(const EVP_PKEY *pkey);
928
+
929
+
930
+   /*
827 931
     * Assign a private key
828 932
     */
829 933
    int EVP_PKEY_assign(EVP_PKEY *pkey, int type, char *key);
830 934
 
831 935
 
832 936
    /*
937
+    * Get RSA key
938
+    */
939
+   RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
940
+
941
+
942
+   /*
943
+    * Get DSA key
944
+    */
945
+   DSA *EVP_PKEY_get0_DSA(EVP_PKEY *pkey);
946
+
947
+
948
+   /*
949
+    *  RSA_get0_key - retreive key parameters
950
+    */
951
+   void RSA_get0_key(const RSA *r,
952
+                     const BIGNUM **n, const BIGNUM **e, const BIGNUM **d);
953
+
954
+
955
+   /*
833 956
     * Generate a RSA key
834 957
     */
835 958
    RSA *RSA_generate_key(int bits, unsigned long e, void
@@ -837,6 +960,20 @@ public:
837 960
 
838 961
 
839 962
    /*
963
+    *  DSA_get0_pqg - retreive key parameters
964
+    */
965
+   void DSA_get0_pqg(const DSA *d,
966
+                     const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
967
+
968
+
969
+   /*
970
+    *  DSA_get0_key - retreive key
971
+    */
972
+   void DSA_get0_key(const DSA *d,
973
+                     const BIGNUM **pub_key, const BIGNUM **priv_key);
974
+
975
+
976
+   /*
840 977
     * Create/destroy a certificate request
841 978
     */
842 979
    X509_REQ *X509_REQ_new();
@@ -912,6 +1049,29 @@ public:
912 1049
    /* get list of available SSL_CIPHER's sorted by preference */
913 1050
    STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL* ssl);
914 1051
 
1052
+
1053
+   /* cover KOpenSSLProxy API compatibility */
1054
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_API_COMPAT < 0x10100000L
1055
+#  undef sk_dup
1056
+#  undef sk_free
1057
+#  undef sk_new
1058
+#  undef sk_num
1059
+#  undef sk_pop
1060
+#  undef sk_push
1061
+#  undef sk_value
1062
+#  undef X509_STORE_CTX_set_chain
1063
+#  undef SSLv23_client_method
1064
+#endif
1065
+   STACK *sk_dup(const STACK *s) KDE_DEPRECATED;
1066
+   void sk_free(STACK *s) KDE_DEPRECATED;
1067
+   STACK *sk_new(int (*cmp)()) KDE_DEPRECATED;
1068
+   int sk_num(STACK *s) KDE_DEPRECATED;
1069
+   char *sk_pop(STACK *s) KDE_DEPRECATED;
1070
+   int sk_push(STACK *s, char *d) KDE_DEPRECATED;
1071
+   char *sk_value(STACK *s, int n) KDE_DEPRECATED;
1072
+   void X509_STORE_CTX_set_chain(X509_STORE_CTX *v, STACK_OF(X509)* x) KDE_DEPRECATED;
1073
+   SSL_METHOD *SSLv23_client_method() KDE_DEPRECATED;
1074
+
915 1075
 #endif
916 1076
 
917 1077
 private:

+ 11
- 18
tdeio/kssl/ksmimecrypto.cc View File

@@ -38,15 +38,6 @@
38 38
 #endif
39 39
 
40 40
 
41
-// forward included macros to KOpenSSLProxy
42
-#define sk_new kossl->sk_new
43
-#define sk_free kossl->sk_free
44
-#define sk_push kossl->sk_push
45
-#define sk_value kossl->sk_value
46
-#define sk_num kossl->sk_num
47
-#define BIO_ctrl kossl->BIO_ctrl
48
-
49
-
50 41
 #ifdef KSSL_HAVE_SSL
51 42
 static const char eot = 0;
52 43
 
@@ -87,10 +78,10 @@ KSMIMECryptoPrivate::KSMIMECryptoPrivate(KOpenSSLProxy *kossl): kossl(kossl) {
87 78
 
88 79
 
89 80
 STACK_OF(X509) *KSMIMECryptoPrivate::certsToX509(TQPtrList<KSSLCertificate> &certs) {
90
-    STACK_OF(X509) *x509 = reinterpret_cast<STACK_OF(X509)*>(sk_new(NULL));
81
+    STACK_OF(X509) *x509 = reinterpret_cast<STACK_OF(X509)*>(kossl->OPENSSL_sk_new(NULL));
91 82
     KSSLCertificate *cert = certs.first();
92 83
     while(cert) {
93
-	sk_X509_push(x509, cert->getCert());
84
+	kossl->OPENSSL_sk_push(x509, cert->getCert());
94 85
 	cert = certs.next();
95 86
     }
96 87
     return x509;
@@ -111,7 +102,7 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::signMessage(BIO *clearText,
111 102
     PKCS7 *p7 = kossl->PKCS7_sign(privKey.getCertificate()->getCert(), privKey.getPrivateKey(),
112 103
 				  other, clearText, flags);
113 104
 
114
-    if (other) sk_X509_free(other);
105
+    if (other) kossl->OPENSSL_sk_free(other);
115 106
 
116 107
     if (!p7) return sslErrToRc();
117 108
 
@@ -154,7 +145,7 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::encryptMessage(BIO *clearText,
154 145
 
155 146
     PKCS7 *p7 = kossl->PKCS7_encrypt(certs, clearText, cipher, 0);
156 147
 
157
-    sk_X509_free(certs);
148
+    kossl->OPENSSL_sk_free(certs);
158 149
 
159 150
     if (!p7) return sslErrToRc();
160 151
 
@@ -192,14 +183,14 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::checkSignature(BIO *clearText,
192 183
     X509_STORE *dummystore = kossl->X509_STORE_new();
193 184
     if (kossl->PKCS7_verify(p7, NULL, dummystore, in, out, PKCS7_NOVERIFY)) {
194 185
 	STACK_OF(X509) *signers = kossl->PKCS7_get0_signers(p7, 0, PKCS7_NOVERIFY);
195
-	int num = sk_X509_num(signers);
186
+	int num = kossl->OPENSSL_sk_num(signers);
196 187
 
197 188
 	for(int n=0; n<num; n++) {
198
-	    KSSLCertificate *signer = KSSLCertificate::fromX509(sk_X509_value(signers, n));
189
+	    KSSLCertificate *signer = KSSLCertificate::fromX509(reinterpret_cast<X509*>(kossl->OPENSSL_sk_value(signers, n)));
199 190
 	    recip.append(signer);
200 191
 	}
201 192
 
202
-	sk_X509_free(signers);
193
+	kossl->OPENSSL_sk_free(signers);
203 194
 	rc = KSMIMECrypto::KSC_R_OK;
204 195
     } else {
205 196
 	rc = sslErrToRc();
@@ -236,13 +227,14 @@ KSMIMECrypto::rc KSMIMECryptoPrivate::decryptMessage(BIO *cipherText,
236 227
 
237 228
 void KSMIMECryptoPrivate::MemBIOToQByteArray(BIO *src, TQByteArray &dest) {
238 229
     char *buf;
239
-    long len = BIO_get_mem_data(src, &buf);
230
+    long len = kossl->BIO_get_mem_data(src, &buf);
240 231
     dest.assign(buf, len);
241 232
     /* Now this goes quite a bit into openssl internals.
242 233
        We assume that openssl uses malloc() (it does in
243 234
        default config) and rip out the buffer.
244 235
     */
245
-    reinterpret_cast<BUF_MEM *>(src->ptr)->data = NULL;
236
+    void *ptr = kossl->BIO_get_data(src);
237
+    reinterpret_cast<BUF_MEM *>(ptr)->data = NULL;
246 238
 }
247 239
 
248 240
     
@@ -422,3 +414,4 @@ KSMIMECrypto::rc KSMIMECrypto::decryptMessage(const TQByteArray &cipherText,
422 414
     return KSC_R_NO_SSL;
423 415
 #endif
424 416
 }
417
+

+ 20
- 17
tdeio/kssl/kssl.cc View File

@@ -51,7 +51,6 @@
51 51
 #include <tdelocale.h>
52 52
 #include <ksocks.h>
53 53
 
54
-#define sk_dup d->kossl->sk_dup
55 54
 
56 55
 class KSSLPrivate {
57 56
 public:
@@ -180,7 +179,7 @@ bool KSSL::initialize() {
180 179
 		d->m_meth = d->kossl->TLSv1_client_method();
181 180
 	else if (!m_cfg->tlsv1() && m_cfg->sslv3() && !m_cfg->sslv2())
182 181
 		d->m_meth = d->kossl->SSLv3_client_method();
183
-	else d->m_meth = d->kossl->SSLv23_client_method();
182
+	else d->m_meth = d->kossl->TLS_client_method();
184 183
 
185 184
 /*
186 185
 if (m_cfg->sslv2() && m_cfg->sslv3()) kdDebug(7029) << "Double method" << endl;
@@ -207,7 +206,7 @@ return false;
207 206
 }
208 207
 
209 208
 
210
-bool KSSL::setSession(const KSSLSession *session) {
209
+bool KSSL::takeSession(KSSLSession *session) {
211 210
 #ifdef KSSL_HAVE_SSL
212 211
 	if (!session) {
213 212
 		delete d->session;
@@ -215,11 +214,10 @@ bool KSSL::setSession(const KSSLSession *session) {
215 214
 		return true;
216 215
 	}
217 216
 
218
-	// Obtain a reference by incrementing the reference count.  Yuck.
219
-	static_cast<SSL_SESSION*>(session->_session)->references++;
220
-
217
+	// Take session reference
221 218
 	d->session = new KSSLSession;
222 219
 	d->session->_session = session->_session;
220
+	session->_session = 0L;
223 221
 
224 222
 	return true;
225 223
 #else
@@ -284,12 +282,16 @@ int rc;
284 282
 		return -1;
285 283
 
286 284
 	if (d->session) {
285
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
287 286
 		if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0)
288 287
 		{
289 288
 			kdDebug(7029) << "Can't reuse session, no certificate." << endl;
290 289
 			delete d->session;
291 290
 			d->session = 0;
292
-		} else if (1 == d->kossl->SSL_set_session(d->m_ssl,
291
+		}
292
+		else
293
+#endif
294
+		if (1 == d->kossl->SSL_set_session(d->m_ssl,
293 295
 			static_cast<SSL_SESSION*>(d->session->_session))) {
294 296
 			kdDebug(7029) << "Session ID is being reused." << endl;
295 297
 		} else {
@@ -316,7 +318,7 @@ int rc;
316 318
 	if (!m_cfg->sslv2())
317 319
 		off |= SSL_OP_NO_SSLv2;
318 320
 
319
-	d->kossl->SSL_set_options(d->m_ssl, off);
321
+	d->kossl->_SSL_set_options(d->m_ssl, off);
320 322
 
321 323
 	rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
322 324
 	if (rc == 0) {
@@ -341,7 +343,7 @@ int rc;
341 343
 		return -1;
342 344
 	}
343 345
 
344
-	if (!d->kossl->SSL_session_reused(d->m_ssl)) {
346
+	if (!d->kossl->_SSL_session_reused(d->m_ssl)) {
345 347
 		if (d->session) {
346 348
 			kdDebug(7029) << "Session reuse failed.  New session used instead." << endl;
347 349
 			delete d->session;
@@ -375,12 +377,16 @@ int rc;
375 377
 		return -1;
376 378
 
377 379
 	if (d->session) {
380
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
378 381
 		if (static_cast<SSL_SESSION*>(d->session->_session)->sess_cert == 0)
379 382
 		{
380 383
 			kdDebug(7029) << "Can't reuse session, no certificate." << endl;
381 384
 			delete d->session;
382 385
 			d->session = 0;
383
-		} else if (1 == d->kossl->SSL_set_session(d->m_ssl,
386
+		}
387
+		else
388
+#endif
389
+		if (1 == d->kossl->SSL_set_session(d->m_ssl,
384 390
 			static_cast<SSL_SESSION*>(d->session->_session))) {
385 391
 			kdDebug(7029) << "Session ID is being reused." << endl;
386 392
 		} else {
@@ -407,7 +413,7 @@ int rc;
407 413
 	if (!m_cfg->sslv2())
408 414
 		off |= SSL_OP_NO_SSLv2;
409 415
 
410
-	d->kossl->SSL_set_options(d->m_ssl, off);
416
+	d->kossl->_SSL_set_options(d->m_ssl, off);
411 417
 
412 418
 	rc = d->kossl->SSL_set_fd(d->m_ssl, sock);
413 419
 	if (rc == 0) {
@@ -441,7 +447,7 @@ connect_again:
441 447
 		}
442 448
 	}
443 449
 
444
-	if (!d->kossl->SSL_session_reused(d->m_ssl)) {
450
+	if (!d->kossl->_SSL_session_reused(d->m_ssl)) {
445 451
 		if (d->session) {
446 452
 			kdDebug(7029) << "Session reuse failed.  New session used instead." << endl;
447 453
 			delete d->session;
@@ -613,7 +619,7 @@ void KSSL::setPeerInfo() {
613 619
 	m_pi.m_cert.setCert(d->kossl->SSL_get_peer_certificate(d->m_ssl));
614 620
 	STACK_OF(X509) *xs = d->kossl->SSL_get_peer_cert_chain(d->m_ssl);
615 621
 	if (xs)
616
-		xs = sk_X509_dup(xs);   // Leak? 
622
+		xs = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_dup(xs));   // Leak?
617 623
 	m_pi.m_cert.setChain((void *)xs);
618 624
 #endif
619 625
 }
@@ -671,18 +677,15 @@ EVP_PKEY *k = pkcs->getPrivateKey();
671 677
 #endif
672 678
 }
673 679
 
674
-#undef sk_dup
675
-
676 680
 const KSSLSession* KSSL::session() const {
677 681
 	return d->session;
678 682
 }
679 683
 
680 684
 bool KSSL::reusingSession() const {
681 685
 #ifdef KSSL_HAVE_SSL
682
-	return (d->m_ssl && d->kossl->SSL_session_reused(d->m_ssl));
686
+	return (d->m_ssl && d->kossl->_SSL_session_reused(d->m_ssl));
683 687
 #else
684 688
 	return false;
685 689
 #endif
686 690
 }
687 691
 
688
-

+ 3
- 4
tdeio/kssl/kssl.h View File

@@ -82,16 +82,15 @@ public:
82 82
 	bool TLSInit();
83 83
 
84 84
 	/**
85
-	 *  Set an SSL session to use.  This deep copies the session so it
86
-	 *  doesn't have to remain valid.  You need to call it after calling
87
-	 *  initialize or reInitialize.  The ID is cleared in close().
85
+	 *  Set an SSL session to use.  This takes the session from the original
86
+	 *  KSSL object, so it is in fact a session move operation.
88 87
 	 *
89 88
 	 *  @param session A valid session to reuse.  If 0L, it will clear the
90 89
 	 *                 session ID in memory.
91 90
 	 *
92 91
 	 *  @return true on success
93 92
 	 */
94
-	bool setSession(const KSSLSession *session);
93
+	bool takeSession(KSSLSession *session);
95 94
 
96 95
 	/**
97 96
 	 *  Close the SSL session.

+ 11
- 4
tdeio/kssl/ksslcallback.c View File

@@ -27,8 +27,9 @@ bool KSSL_X509CallBack_ca_found;
27 27
 
28 28
 extern "C" {
29 29
 static int X509Callback(int ok, X509_STORE_CTX *ctx) {
30
- 
31
-  kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << ctx->error << " depth = " << ctx->error_depth << endl;
30
+
31
+  kdDebug(7029) << "X509Callback: ok = " << ok << " error = " << KOSSL::self()->X509_STORE_CTX_get_error(ctx) << " depth = "
32
+  							<< KOSSL::self()->X509_STORE_CTX_get_error_depth(ctx) << endl;
32 33
   // Here is how this works.  We put "ok = 1;" in any case that we
33 34
   // don't consider to be an error.  In that case, it will return OK
34 35
   // for the certificate check as long as there are no other critical
@@ -39,14 +40,20 @@ static int X509Callback(int ok, X509_STORE_CTX *ctx) {
39 40
 
40 41
   if (KSSL_X509CallBack_ca)
41 42
   {
42
-     if (KOSSL::self()->X509_cmp(ctx->current_cert, KSSL_X509CallBack_ca) != 0)
43
+     if (KOSSL::self()->X509_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0 &&
44
+         /*
45
+          * With OpenSSL >= 1.1 certificate in chain can be replaced by a certificate from the local certificate store.
46
+          * It is therefore necessary to compare the subject name, rather than the entire certificate.
47
+          */
48
+         KOSSL::self()->X509_subject_name_cmp(KOSSL::self()->X509_STORE_CTX_get_current_cert(ctx), KSSL_X509CallBack_ca) != 0) {
43 49
         return 1; // Ignore errors for this certificate
50
+     }
44 51
 
45 52
      KSSL_X509CallBack_ca_found = true;
46 53
   }
47 54
  
48 55
   if (!ok) {
49
-    switch (ctx->error) {
56
+    switch (KOSSL::self()->X509_STORE_CTX_get_error(ctx)) {
50 57
       case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
51 58
       case X509_V_ERR_UNABLE_TO_GET_CRL:
52 59
       case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:

+ 26
- 48
tdeio/kssl/ksslcertchain.cc View File

@@ -44,17 +44,6 @@
44 44
 #include <tqstringlist.h>
45 45
 
46 46
 
47
-
48
-#ifdef KSSL_HAVE_SSL
49
-#define sk_new d->kossl->sk_new
50
-#define sk_push d->kossl->sk_push
51
-#define sk_free d->kossl->sk_free
52
-#define sk_value d->kossl->sk_value
53
-#define sk_num d->kossl->sk_num
54
-#define sk_dup d->kossl->sk_dup
55
-#define sk_pop d->kossl->sk_pop
56
-#endif
57
-
58 47
 class KSSLCertChainPrivate {
59 48
 public:
60 49
   KSSLCertChainPrivate() {
@@ -79,11 +68,11 @@ KSSLCertChain::~KSSLCertChain() {
79 68
     STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
80 69
 
81 70
     for (;;) {
82
-      X509* x5 = sk_X509_pop(x);
71
+      X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
83 72
       if (!x5) break;
84 73
       d->kossl->X509_free(x5);
85 74
     }
86
-    sk_X509_free(x);
75
+    d->kossl->OPENSSL_sk_free(x);
87 76
   }
88 77
 #endif
89 78
   delete d;
@@ -107,7 +96,7 @@ return x;
107 96
 
108 97
 int KSSLCertChain::depth() {
109 98
 #ifdef KSSL_HAVE_SSL
110
-  return sk_X509_num((STACK_OF(X509)*)_chain);
99
+  return d->kossl->OPENSSL_sk_num((STACK_OF(X509)*)_chain);
111 100
 #endif
112 101
 return 0;
113 102
 }
@@ -119,8 +108,8 @@ if (!_chain) return cl;
119 108
 #ifdef KSSL_HAVE_SSL
120 109
 STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
121 110
 
122
-   for (int i = 0; i < sk_X509_num(x); i++) {
123
-     X509* x5 = sk_X509_value(x, i);
111
+   for (int i = 0; i < d->kossl->OPENSSL_sk_num(x); i++) {
112
+     X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_value(x, i));
124 113
      if (!x5) continue;
125 114
      KSSLCertificate *nc = new KSSLCertificate;
126 115
      nc->setCert(d->kossl->X509_dup(x5));
@@ -138,18 +127,18 @@ if (_chain) {
138 127
     STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
139 128
 
140 129
     for (;;) {
141
-      X509* x5 = sk_X509_pop(x);
130
+      X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
142 131
       if (!x5) break;
143 132
       d->kossl->X509_free(x5);
144 133
     }
145
-    sk_X509_free(x);
134
+    d->kossl->OPENSSL_sk_free(x);
146 135
     _chain = NULL;
147 136
 }
148 137
 
149 138
   if (chain.count() == 0) return;
150
-  _chain = (void *)sk_new(NULL);
139
+  _chain = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_new(NULL));
151 140
   for (KSSLCertificate *x = chain.first(); x != 0; x = chain.next()) {
152
-    sk_X509_push((STACK_OF(X509)*)_chain, d->kossl->X509_dup(x->getCert()));
141
+    d->kossl->OPENSSL_sk_push((STACK_OF(X509) *)_chain, d->kossl->X509_dup(x->getCert()));
153 142
   }
154 143
 
155 144
 #endif
@@ -158,31 +147,31 @@ if (_chain) {
158 147
  
159 148
 void KSSLCertChain::setChain(void *stack_of_x509) {
160 149
 #ifdef KSSL_HAVE_SSL
161
-if (_chain) {
162
-    STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
163
-
164
-    for (;;) {
165
-      X509* x5 = sk_X509_pop(x);
166
-      if (!x5) break;
167
-      d->kossl->X509_free(x5);
150
+    if (_chain) {
151
+        STACK_OF(X509) *x = (STACK_OF(X509) *)_chain;
152
+
153
+        for (;;) {
154
+          X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_pop(x));
155
+          if (!x5) break;
156
+          d->kossl->X509_free(x5);
157
+        }
158
+        d->kossl->OPENSSL_sk_free(x);
159
+        _chain = NULL;
168 160
     }
169
-    sk_X509_free(x);
170
-    _chain = NULL;
171
-}
172 161
 
173
-if (!stack_of_x509) return;
162
+    if (!stack_of_x509) return;
174 163
 
175
-_chain = (void *)sk_new(NULL);
176
-STACK_OF(X509) *x = (STACK_OF(X509) *)stack_of_x509;
164
+    _chain = reinterpret_cast<STACK_OF(X509)*>(d->kossl->OPENSSL_sk_new(NULL));
165
+    STACK_OF(X509) *x = (STACK_OF(X509) *)stack_of_x509;
177 166
 
178
-   for (int i = 0; i < sk_X509_num(x); i++) {
179
-     X509* x5 = sk_X509_value(x, i);
167
+   for (int i = 0; i < d->kossl->OPENSSL_sk_num(x); i++) {
168
+     X509* x5 = reinterpret_cast<X509*>(d->kossl->OPENSSL_sk_value(x, i));
180 169
      if (!x5) continue;
181
-     sk_X509_push((STACK_OF(X509)*)_chain,d->kossl->X509_dup(x5));
170
+     d->kossl->OPENSSL_sk_push((STACK_OF(X509)*)_chain,d->kossl->X509_dup(x5));
182 171
    }
183 172
 
184 173
 #else
185
-_chain = NULL;
174
+    _chain = NULL;
186 175
 #endif
187 176
 }
188 177
 
@@ -203,14 +192,3 @@ void KSSLCertChain::setCertChain(const TQStringList& chain) {
203 192
     setChain(cl);
204 193
 }
205 194
 
206
-
207
-#ifdef KSSL_HAVE_SSL
208
-#undef sk_new
209
-#undef sk_push
210
-#undef sk_free
211
-#undef sk_value
212
-#undef sk_num
213
-#undef sk_dup
214
-#undef sk_pop
215
-#endif
216
-

+ 64
- 40
tdeio/kssl/ksslcertificate.cc View File

@@ -198,7 +198,7 @@ TQString rc = "";
198 198
 	if (!t)
199 199
 		return rc;
200 200
 	rc = t;
201
-	d->kossl->OPENSSL_free(t);
201
+	d->kossl->CRYPTO_free(t);
202 202
 #endif
203 203
 return rc;
204 204
 }
@@ -225,14 +225,17 @@ TQString rc = "";
225 225
 char *s;
226 226
 int n, i;
227 227
 
228
-	i = d->kossl->OBJ_obj2nid(d->m_cert->sig_alg->algorithm);
228
+	const ASN1_BIT_STRING *signature = 0L;
229
+	const X509_ALGOR *sig_alg = 0L;
230
+	d->kossl->X509_get0_signature(&signature, &sig_alg, d->m_cert);
231
+	i = d->kossl->OBJ_obj2nid(sig_alg->algorithm);
229 232
 	rc = i18n("Signature Algorithm: ");
230 233
 	rc += (i == NID_undef)?i18n("Unknown"):TQString(d->kossl->OBJ_nid2ln(i));
231 234
 
232 235
 	rc += "\n";
233 236
 	rc += i18n("Signature Contents:");
234
-	n = d->m_cert->signature->length;
235
-	s = (char *)d->m_cert->signature->data;
237
+	n = signature->length;
238
+	s = (char *)signature->data;
236 239
 	for (i = 0; i < n; i++) {
237 240
 		if (i%20 != 0) rc += ":";
238 241
 		else rc += "\n";
@@ -254,8 +257,8 @@ void KSSLCertificate::getEmails(TQStringList &to) const {
254 257
 	
255 258
 	STACK *s = d->kossl->X509_get1_email(d->m_cert);
256 259
 	if (s) {
257
-		for(int n=0; n < s->num; n++) {
258
-			to.append(d->kossl->sk_value(s,n));
260
+		for(int n=0; n < d->kossl->OPENSSL_sk_num(s); n++) {
261
+			to.append(d->kossl->OPENSSL_sk_value(s,n));
259 262
 		}
260 263
 		d->kossl->X509_email_free(s);
261 264
 	}
@@ -336,12 +339,12 @@ TQString rc = "";
336 339
 	EVP_PKEY *pkey = d->kossl->X509_get_pubkey(d->m_cert);
337 340
 	if (pkey) {
338 341
 		#ifndef NO_RSA
339
-			if (pkey->type == EVP_PKEY_RSA)
342
+			if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA)
340 343
 				rc = "RSA";
341 344
 			else
342 345
 		#endif
343 346
 		#ifndef NO_DSA
344
-			if (pkey->type == EVP_PKEY_DSA)
347
+			if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA)
345 348
 				rc = "DSA";
346 349
 			else
347 350
 		#endif
@@ -364,10 +367,14 @@ char *x = NULL;
364 367
 	if (pkey) {
365 368
 		rc = i18n("Unknown", "Unknown key algorithm");
366 369
 		#ifndef NO_RSA
367
-			if (pkey->type == EVP_PKEY_RSA) {
370
+			if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_RSA) {
368 371
 				rc = i18n("Key type: RSA (%1 bit)") + "\n";
369 372
 
370
-				x = d->kossl->BN_bn2hex(pkey->pkey.rsa->n);
373
+				RSA *pkey_rsa = d->kossl->EVP_PKEY_get0_RSA(pkey);
374
+				const BIGNUM *bn_n = 0L;
375
+				const BIGNUM *bn_e = 0L;
376
+				d->kossl->RSA_get0_key(pkey_rsa, &bn_n, &bn_e, NULL);
377
+				x = d->kossl->BN_bn2hex(bn_n);
371 378
 				rc += i18n("Modulus: ");
372 379
 				rc = rc.arg(strlen(x)*4);
373 380
 				for (unsigned int i = 0; i < strlen(x); i++) {
@@ -378,18 +385,26 @@ char *x = NULL;
378 385
 					rc += x[i];
379 386
 				}
380 387
 				rc += "\n";
381
-				d->kossl->OPENSSL_free(x);
388
+				d->kossl->CRYPTO_free(x);
382 389
 
383
-				x = d->kossl->BN_bn2hex(pkey->pkey.rsa->e);
390
+				x = d->kossl->BN_bn2hex(bn_e);
384 391
 				rc += i18n("Exponent: 0x") + x + "\n";
385
-				d->kossl->OPENSSL_free(x);
392
+				d->kossl->CRYPTO_free(x);
386 393
 			}
387 394
 		#endif
388 395
 		#ifndef NO_DSA
389
-			if (pkey->type == EVP_PKEY_DSA) {
396
+			if (d->kossl->EVP_PKEY_base_id(pkey) == EVP_PKEY_DSA) {
390 397
 				rc = i18n("Key type: DSA (%1 bit)") + "\n";
391 398
 
392
-				x = d->kossl->BN_bn2hex(pkey->pkey.dsa->p);
399
+				DSA *pkey_dsa = d->kossl->EVP_PKEY_get0_DSA(pkey);
400
+				const BIGNUM *bn_p = 0L;
401
+				const BIGNUM *bn_q = 0L;
402
+				const BIGNUM *bn_g = 0L;
403
+				const BIGNUM *bn_pub_key = 0L;
404
+				d->kossl->DSA_get0_pqg(pkey_dsa, &bn_p, &bn_q, &bn_g);
405
+				d->kossl->DSA_get0_key(pkey_dsa, &bn_pub_key, NULL);
406
+
407
+				x = d->kossl->BN_bn2hex(bn_p);
393 408
 				rc += i18n("Prime: ");
394 409
 				// hack - this may not be always accurate
395 410
 				rc = rc.arg(strlen(x)*4) ;
@@ -401,9 +416,9 @@ char *x = NULL;
401 416
 					rc += x[i];
402 417
 				}
403 418
 				rc += "\n";
404
-				d->kossl->OPENSSL_free(x);
419
+				d->kossl->CRYPTO_free(x);
405 420
 
406
-				x = d->kossl->BN_bn2hex(pkey->pkey.dsa->q);
421
+				x = d->kossl->BN_bn2hex(bn_q);
407 422
 				rc += i18n("160 bit prime factor: ");
408 423
 				for (unsigned int i = 0; i < strlen(x); i++) {
409 424
 					if (i%40 != 0 && i%2 == 0)
@@ -413,9 +428,9 @@ char *x = NULL;
413 428
 					rc += x[i];
414 429
 				}
415 430
 				rc += "\n";
416
-				d->kossl->OPENSSL_free(x);
431
+				d->kossl->CRYPTO_free(x);
417 432
 	
418
-				x = d->kossl->BN_bn2hex(pkey->pkey.dsa->g);
433
+				x = d->kossl->BN_bn2hex(bn_g);
419 434
 				rc += TQString("g: ");
420 435
 				for (unsigned int i = 0; i < strlen(x); i++) {
421 436
 					if (i%40 != 0 && i%2 == 0)
@@ -425,9 +440,9 @@ char *x = NULL;
425 440
 					rc += x[i];
426 441
 				}
427 442
 				rc += "\n";
428
-				d->kossl->OPENSSL_free(x);
443
+				d->kossl->CRYPTO_free(x);
429 444
 	
430
-				x = d->kossl->BN_bn2hex(pkey->pkey.dsa->pub_key);
445
+				x = d->kossl->BN_bn2hex(bn_pub_key);
431 446
 				rc += i18n("Public key: ");
432 447
 				for (unsigned int i = 0; i < strlen(x); i++) {
433 448
 					if (i%40 != 0 && i%2 == 0)
@@ -437,7 +452,7 @@ char *x = NULL;
437 452
 					rc += x[i];
438 453
 				}
439 454
 				rc += "\n";
440
-				d->kossl->OPENSSL_free(x);
455
+				d->kossl->CRYPTO_free(x);
441 456
 			}
442 457
 		#endif
443 458
 		d->kossl->EVP_PKEY_free(pkey);
@@ -459,7 +474,7 @@ TQString rc = "";
459 474
 		return rc;
460 475
 
461 476
 	rc = t;
462
-	d->kossl->OPENSSL_free(t);
477
+	d->kossl->CRYPTO_free(t);
463 478
 #endif
464 479
 
465 480
 return rc;
@@ -696,7 +711,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
696 711
 			return errors;
697 712
 		}
698 713
 
699
-		X509_STORE_set_verify_cb_func(certStore, X509Callback);
714
+		d->kossl->X509_STORE_set_verify_cb(certStore, X509Callback);
700 715
 
701 716
 		certLookup = d->kossl->X509_STORE_add_lookup(certStore, d->kossl->X509_LOOKUP_file());
702 717
 		if (!certLookup) {
@@ -727,7 +742,7 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
727 742
 
728 743
 		d->kossl->X509_STORE_CTX_init(certStoreCTX, certStore, d->m_cert, NULL);
729 744
 		if (d->_chain.isValid()) {
730
-			d->kossl->X509_STORE_CTX_set_chain(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
745
+			d->kossl->X509_STORE_CTX_set0_untrusted(certStoreCTX, (STACK_OF(X509)*)d->_chain.rawChain());
731 746
 		}
732 747
 
733 748
 		//kdDebug(7029) << "KSSL setting CRL.............." << endl;
@@ -738,9 +753,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
738 753
 		KSSL_X509CallBack_ca = ca ? ca->d->m_cert : 0;
739 754
 		KSSL_X509CallBack_ca_found = false;
740 755
 
741
-		certStoreCTX->error = X509_V_OK;
756
+		d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
742 757
 		d->kossl->X509_verify_cert(certStoreCTX);
743
-		int errcode = certStoreCTX->error;
758
+		int errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
744 759
 		if (ca && !KSSL_X509CallBack_ca_found) {
745 760
 			ksslv = KSSLCertificate::Irrelevant;
746 761
 		} else {
@@ -753,9 +768,9 @@ KSSLCertificate::KSSLValidationList KSSLCertificate::validateVerbose(KSSLCertifi
753 768
 			d->kossl->X509_STORE_CTX_set_purpose(certStoreCTX,
754 769
 						X509_PURPOSE_NS_SSL_SERVER);
755 770
 
756
-			certStoreCTX->error = X509_V_OK;
771
+			d->kossl->X509_STORE_CTX_set_error(certStoreCTX, X509_V_OK);
757 772
 			d->kossl->X509_verify_cert(certStoreCTX);
758
-			errcode = certStoreCTX->error;
773
+			errcode = d->kossl->X509_STORE_CTX_get_error(certStoreCTX);
759 774
 			ksslv = processError(errcode);
760 775
 		}
761 776
 		d->kossl->X509_STORE_CTX_free(certStoreCTX);
@@ -888,7 +903,7 @@ return rc;
888 903
 
889 904
 TQString KSSLCertificate::getNotBefore() const {
890 905
 #ifdef KSSL_HAVE_SSL
891
-return ASN1_UTCTIME_QString(X509_get_notBefore(d->m_cert));
906
+return ASN1_UTCTIME_QString(d->kossl->X509_getm_notBefore(d->m_cert));
892 907
 #else
893 908
 return TQString::null;
894 909
 #endif
@@ -897,7 +912,7 @@ return TQString::null;
897 912
 
898 913
 TQString KSSLCertificate::getNotAfter() const {
899 914
 #ifdef KSSL_HAVE_SSL
900
-return ASN1_UTCTIME_QString(X509_get_notAfter(d->m_cert));
915
+return ASN1_UTCTIME_QString(d->kossl->X509_getm_notAfter(d->m_cert));
901 916
 #else
902 917
 return TQString::null;
903 918
 #endif
@@ -906,7 +921,7 @@ return TQString::null;
906 921
 
907 922
 TQDateTime KSSLCertificate::getQDTNotBefore() const {
908 923
 #ifdef KSSL_HAVE_SSL
909
-return ASN1_UTCTIME_QDateTime(X509_get_notBefore(d->m_cert), NULL);
924
+return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notBefore(d->m_cert), NULL);
910 925
 #else
911 926
 return TQDateTime::currentDateTime();
912 927
 #endif
@@ -915,7 +930,7 @@ return TQDateTime::currentDateTime();
915 930
 
916 931
 TQDateTime KSSLCertificate::getQDTNotAfter() const {
917 932
 #ifdef KSSL_HAVE_SSL
918
-return ASN1_UTCTIME_QDateTime(X509_get_notAfter(d->m_cert), NULL);
933
+return ASN1_UTCTIME_QDateTime(d->kossl->X509_getm_notAfter(d->m_cert), NULL);
919 934
 #else
920 935
 return TQDateTime::currentDateTime();
921 936
 #endif
@@ -924,7 +939,7 @@ return TQDateTime::currentDateTime();
924 939
 
925 940
 TQDateTime KSSLCertificate::getQDTLastUpdate() const {
926 941
 #ifdef KSSL_HAVE_SSL
927
-return ASN1_UTCTIME_QDateTime(X509_CRL_get_lastUpdate(d->m_cert_crl), NULL);
942
+return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_lastUpdate(d->m_cert_crl), NULL);
928 943
 #else
929 944
 return TQDateTime::currentDateTime();
930 945
 #endif
@@ -933,7 +948,7 @@ return TQDateTime::currentDateTime();
933 948
 
934 949
 TQDateTime KSSLCertificate::getQDTNextUpdate() const {
935 950
 #ifdef KSSL_HAVE_SSL
936
-return ASN1_UTCTIME_QDateTime(X509_CRL_get_nextUpdate(d->m_cert_crl), NULL);
951
+return ASN1_UTCTIME_QDateTime((ASN1_UTCTIME*)d->kossl->X509_CRL_get0_nextUpdate(d->m_cert_crl), NULL);
937 952
 #else
938 953
 return TQDateTime::currentDateTime();
939 954
 #endif
@@ -1053,6 +1068,15 @@ return qba;
1053 1068
 
1054 1069
 
1055 1070
 #define NETSCAPE_CERT_HDR     "certificate"
1071
+#ifdef KSSL_HAVE_SSL
1072
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
1073
+typedef struct NETSCAPE_X509_st
1074
+{
1075
+	ASN1_OCTET_STRING *header;
1076
+	X509 *cert;
1077
+} NETSCAPE_X509;
1078
+#endif
1079
+#endif
1056 1080
 
1057 1081
 // what a piece of crap this is
1058 1082
 TQByteArray KSSLCertificate::toNetscape() {
@@ -1062,8 +1086,8 @@ TQByteArray qba;
1062 1086
 	NETSCAPE_X509 nx;
1063 1087
 	ASN1_OCTET_STRING hdr;
1064 1088
 #else
1065
-   ASN1_HEADER ah;
1066
-   ASN1_OCTET_STRING os;
1089
+  ASN1_HEADER ah;
1090
+  ASN1_OCTET_STRING os;
1067 1091
 #endif
1068 1092
 	KTempFile ktf;
1069 1093
 
@@ -1159,10 +1183,10 @@ TQStringList KSSLCertificate::subjAltNames() const {
1159 1183
 		return rc;
1160 1184
 	}
1161 1185
 
1162
-	int cnt = d->kossl->sk_GENERAL_NAME_num(names);
1186
+	int cnt = d->kossl->OPENSSL_sk_num(names);
1163 1187
 
1164 1188
 	for (int i = 0; i < cnt; i++) {
1165
-		const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->sk_value(names, i);
1189
+		const GENERAL_NAME *val = (const GENERAL_NAME *)d->kossl->OPENSSL_sk_value(names, i);
1166 1190
 		if (val->type != GEN_DNS) {
1167 1191
 			continue;
1168 1192
 		}
@@ -1174,7 +1198,7 @@ TQStringList KSSLCertificate::subjAltNames() const {
1174 1198
 			rc += s;
1175 1199
 		}
1176 1200
 	}
1177
-	d->kossl->sk_free(names);
1201
+	d->kossl->OPENSSL_sk_free(names);
1178 1202
 #endif
1179 1203
 	return rc;
1180 1204
 }

+ 4
- 25
tdeio/kssl/ksslpkcs12.cc View File

@@ -34,16 +34,6 @@
34 34
 
35 35
 #include <assert.h>
36 36
 
37
-#ifdef KSSL_HAVE_SSL
38
-#define sk_new kossl->sk_new
39
-#define sk_push kossl->sk_push
40
-#define sk_free kossl->sk_free
41
-#define sk_value kossl->sk_value
42
-#define sk_num kossl->sk_num
43
-#define sk_dup kossl->sk_dup
44
-#define sk_pop kossl->sk_pop
45
-#endif
46
-
47 37
 
48 38
 KSSLPKCS12::KSSLPKCS12() {
49 39
    _pkcs = NULL;
@@ -60,11 +50,11 @@ KSSLPKCS12::~KSSLPKCS12() {
60 50
    if (_pkey) kossl->EVP_PKEY_free(_pkey);
61 51
    if (_caStack) {
62 52
       for (;;) {
63
-         X509* x5 = sk_X509_pop(_caStack);
53
+         X509* x5 = reinterpret_cast<X509*>(kossl->OPENSSL_sk_pop(_caStack));
64 54
          if (!x5) break;
65 55
          kossl->X509_free(x5);
66 56
       }
67
-      sk_X509_free(_caStack);
57
+      kossl->OPENSSL_sk_free(_caStack);
68 58
    }
69 59
    if (_pkcs) kossl->PKCS12_free(_pkcs);
70 60
 #endif
@@ -151,11 +141,11 @@ X509 *x = NULL;
151 141
    if (_pkey) kossl->EVP_PKEY_free(_pkey);
152 142
    if (_caStack) {
153 143
       for (;;) {
154
-         X509* x5 = sk_X509_pop(_caStack);
144
+         X509* x5 = reinterpret_cast<X509*>(kossl->OPENSSL_sk_pop(_caStack));
155 145
          if (!x5) break;
156 146
          kossl->X509_free(x5);
157 147
       }
158
-      sk_X509_free(_caStack);
148
+      kossl->OPENSSL_sk_free(_caStack);
159 149
    }
160 150
    _pkey = NULL;
161 151
    _caStack = NULL;
@@ -282,14 +272,3 @@ TQString KSSLPKCS12::name() {
282 272
    return _cert->getSubject();
283 273
 }
284 274
 
285
- 
286
-#ifdef KSSL_HAVE_SSL
287
-#undef sk_new
288
-#undef sk_push
289
-#undef sk_free
290
-#undef sk_value
291
-#undef sk_num
292
-#undef sk_pop
293
-#undef sk_dup
294
-#endif
295
-

+ 0
- 19
tdeio/kssl/ksslpkcs7.cc View File

@@ -34,15 +34,6 @@
34 34
 
35 35
 #include <assert.h>
36 36
 
37
-#ifdef KSSL_HAVE_SSL
38
-#define sk_new kossl->sk_new
39
-#define sk_push kossl->sk_push
40
-#define sk_free kossl->sk_free
41
-#define sk_value kossl->sk_value
42
-#define sk_num kossl->sk_num
43
-#define sk_dup kossl->sk_dup
44
-#endif
45
-
46 37
 
47 38
 KSSLPKCS7::KSSLPKCS7() {
48 39
    _pkcs = NULL;
@@ -196,13 +187,3 @@ TQString KSSLPKCS7::name() {
196 187
    return TQString();
197 188
 }
198 189
 
199
- 
200
-#ifdef KSSL_HAVE_SSL
201
-#undef sk_new
202
-#undef sk_push
203
-#undef sk_free
204
-#undef sk_value
205
-#undef sk_num
206
-#undef sk_dup
207
-#endif
208
-

+ 29
- 40
tdeio/kssl/ksslsettings.cc View File

@@ -46,29 +46,20 @@
46 46
 #endif
47 47
 #include <kopenssl.h>
48 48
 
49
-#ifdef KSSL_HAVE_SSL
50
-#define sk_new d->kossl->sk_new
51
-#define sk_push d->kossl->sk_push
52
-#define sk_free d->kossl->sk_free
53
-#define sk_value d->kossl->sk_value
54
-#define sk_num d->kossl->sk_num
55
-#define sk_dup d->kossl->sk_dup
56
-#define sk_pop d->kossl->sk_pop
57
-#endif
58 49
 
59
-      class CipherNode {
60
-      public:
61
-        CipherNode(const char *_name, int _keylen) : 
62
-                      name(_name), keylen(_keylen) {}
63
-        TQString name;
64
-        int keylen;
65
-        inline int operator==(CipherNode &x) 
66
-                     { return ((x.keylen == keylen) && (x.name == name)); }
67
-        inline int operator< (CipherNode &x) { return keylen < x.keylen;  }
68
-        inline int operator<=(CipherNode &x) { return keylen <= x.keylen; }
69
-        inline int operator> (CipherNode &x) { return keylen > x.keylen;  }
70
-        inline int operator>=(CipherNode &x) { return keylen >= x.keylen; }
71
-      };
50
+class CipherNode {
51
+public:
52
+	CipherNode(const char *_name, int _keylen) :
53
+								name(_name), keylen(_keylen) {}
54
+	TQString name;
55
+	int keylen;
56
+	inline int operator==(CipherNode &x)
57
+								{ return ((x.keylen == keylen) && (x.name == name)); }
58
+	inline int operator< (CipherNode &x) { return keylen < x.keylen;  }
59
+	inline int operator<=(CipherNode &x) { return keylen <= x.keylen; }
60
+	inline int operator> (CipherNode &x) { return keylen > x.keylen;  }
61
+	inline int operator>=(CipherNode &x) { return keylen >= x.keylen; }
62
+};
72 63
 
73 64
 
74 65
 class KSSLSettingsPrivate {
@@ -145,7 +136,7 @@ TQString KSSLSettings::getCipherList() {
145 136
 		d->kossl = KOSSL::self();
146 137
 
147 138
 	if (m_bUseSSLv3 && m_bUseSSLv2)
148
-		meth = d->kossl->SSLv23_client_method();
139
+		meth = d->kossl->TLS_client_method();
149 140
 	else if(m_bUseSSLv3)
150 141
 		meth = d->kossl->SSLv3_client_method();
151 142
 	else if (m_bUseSSLv2)
@@ -154,9 +145,9 @@ TQString KSSLSettings::getCipherList() {
154 145
 	SSL_CTX *ctx = d->kossl->SSL_CTX_new(meth);
155 146
 	SSL* ssl = d->kossl->SSL_new(ctx);
156 147
 	STACK_OF(SSL_CIPHER)* sk = d->kossl->SSL_get_ciphers(ssl);
157
-	int cnt = sk_SSL_CIPHER_num(sk);
148
+	int cnt = d->kossl->OPENSSL_sk_num(sk);
158 149
 	for (int i=0; i< cnt; i++) {
159
-		SSL_CIPHER *sc = sk_SSL_CIPHER_value(sk,i);
150
+		SSL_CIPHER *sc = reinterpret_cast<SSL_CIPHER*>(d->kossl->OPENSSL_sk_value(sk,i));
160 151
 		if (!sc)
161 152
 			break;
162 153
 
@@ -165,10 +156,10 @@ TQString KSSLSettings::getCipherList() {
165 156
 		else
166 157
 			m_cfg->setGroup("SSLv3");
167 158
 
168
-		tcipher.sprintf("cipher_%s", sc->name);
159
+		tcipher.sprintf("cipher_%s", d->kossl->SSL_CIPHER_get_name(sc));
169 160
 		int bits = d->kossl->SSL_CIPHER_get_bits(sc, NULL);
170 161
 		if (m_cfg->readBoolEntry(tcipher, bits >= 56)) {
171
-			CipherNode *xx = new CipherNode(sc->name,bits);
162
+			CipherNode *xx = new CipherNode(d->kossl->SSL_CIPHER_get_name(sc),bits);
172 163
 			if (!cipherList.contains(xx))
173 164
 				cipherList.prepend(xx);
174 165
 			else
@@ -212,13 +203,21 @@ void KSSLSettings::load() {
212 203
 
213 204
   m_cfg->setGroup("TLS");
214 205
   m_bUseTLSv1 = m_cfg->readBoolEntry("Enabled", true);
215
- 
206
+
207
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(OPENSSL_NO_SSL2)
208
+  m_bUseSSLv2 = false;
209
+#else
216 210
   m_cfg->setGroup("SSLv2");
217 211
   m_bUseSSLv2 = m_cfg->readBoolEntry("Enabled", false);
218
- 
212
+#endif
213
+
214
+#if defined(OPENSSL_NO_SSL3)
215
+  m_bUseSSLv3 = false;
216
+#else
219 217
   m_cfg->setGroup("SSLv3");
220 218
   m_bUseSSLv3 = m_cfg->readBoolEntry("Enabled", true);
221
- 
219
+#endif
220
+
222 221
   m_cfg->setGroup("Warnings");
223 222
   m_bWarnOnEnter = m_cfg->readBoolEntry("OnEnter", false);
224 223
   m_bWarnOnLeave = m_cfg->readBoolEntry("OnLeave", true);
@@ -344,13 +343,3 @@ void KSSLSettings::setSSLv3(bool enabled) { m_bUseSSLv3 = enabled; }
344 343
 
345 344
 TQString& KSSLSettings::getEGDPath()       { return d->m_EGDPath; }
346 345
 
347
-#ifdef KSSL_HAVE_SSL
348
-#undef sk_new
349
-#undef sk_push
350
-#undef sk_free
351
-#undef sk_value
352
-#undef sk_num
353
-#undef sk_pop
354
-#undef sk_dup
355
-#endif
356
-

+ 4
- 4
tdeio/kssl/ksslutils.cc View File

@@ -92,10 +92,10 @@ TQString ASN1_UTCTIME_QString(ASN1_UTCTIME *tm) {
92 92
 
93 93
 
94 94
 TQString ASN1_INTEGER_QString(ASN1_INTEGER *aint) {
95
-char *rep = KOSSL::self()->i2s_ASN1_INTEGER(NULL, aint);
96
-TQString yy = rep;
97
-KOSSL::self()->OPENSSL_free(rep);
98
-return yy;
95
+	char *rep = KOSSL::self()->i2s_ASN1_INTEGER(NULL, aint);
96
+	TQString yy = rep;
97
+	KOSSL::self()->CRYPTO_free(rep);
98
+	return yy;
99 99
 }
100 100
 
101 101
 

+ 3
- 3
tdeio/tdeio/tcpslavebase.cpp View File

@@ -471,7 +471,7 @@ int TCPSlaveBase::startTLS()
471 471
     if (hasMetaData("ssl_session_id")) {
472 472
         KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id"));
473 473
         if (s) {
474
-            d->kssl->setSession(s);
474
+            d->kssl->takeSession(s);
475 475
             delete s;
476 476
         }
477 477
     }
@@ -1301,9 +1301,9 @@ bool TCPSlaveBase::doSSLHandShake( bool sendError )
1301 1301
     if (hasMetaData("ssl_session_id")) {
1302 1302
         KSSLSession *s = KSSLSession::fromString(metaData("ssl_session_id"));
1303 1303
         if (s) {
1304
-            d->kssl->setSession(s);
1304
+            d->kssl->takeSession(s);
1305 1305
             delete s;
1306
-	}    
1306
+        }
1307 1307
     }
1308 1308
     certificatePrompt();
1309 1309
 

Loading…
Cancel
Save