diff options
Diffstat (limited to 'src/openssl')
| -rw-r--r-- | src/openssl/Makefile.am | 1 | ||||
| -rw-r--r-- | src/openssl/Makefile.in | 294 | ||||
| -rw-r--r-- | src/openssl/README | 8 | ||||
| -rw-r--r-- | src/openssl/app.c | 19 | ||||
| -rw-r--r-- | src/openssl/bn.c | 2 | ||||
| -rw-r--r-- | src/openssl/ciphers.c | 409 | ||||
| -rw-r--r-- | src/openssl/crypto.c | 21 | ||||
| -rw-r--r-- | src/openssl/digests.c | 180 | ||||
| -rw-r--r-- | src/openssl/evp.c | 391 | ||||
| -rw-r--r-- | src/openssl/evp_signatures.c | 1034 | ||||
| -rw-r--r-- | src/openssl/globals.h | 2 | ||||
| -rw-r--r-- | src/openssl/hmac.c | 69 | ||||
| -rw-r--r-- | src/openssl/kt_rsa.c | 32 | ||||
| -rw-r--r-- | src/openssl/kw_aes.c | 5 | ||||
| -rw-r--r-- | src/openssl/kw_des.c | 33 | ||||
| -rw-r--r-- | src/openssl/signatures.c | 1905 | ||||
| -rw-r--r-- | src/openssl/symkeys.c | 7 | ||||
| -rw-r--r-- | src/openssl/x509.c | 18 | ||||
| -rw-r--r-- | src/openssl/x509vfy.c | 196 |
19 files changed, 2953 insertions, 1673 deletions
diff --git a/src/openssl/Makefile.am b/src/openssl/Makefile.am index 23c225a1..309a44b2 100644 --- a/src/openssl/Makefile.am +++ b/src/openssl/Makefile.am @@ -25,6 +25,7 @@ libxmlsec1_openssl_la_SOURCES =\ crypto.c \ digests.c \ evp.c \ + evp_signatures.c \ hmac.c \ kw_aes.c \ kw_des.c \ diff --git a/src/openssl/Makefile.in b/src/openssl/Makefile.in index fd16efd0..c6cd744b 100644 --- a/src/openssl/Makefile.in +++ b/src/openssl/Makefile.in @@ -1,9 +1,8 @@ -# Makefile.in generated by automake 1.11.3 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software -# Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. + # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -16,6 +15,61 @@ @SET_MAKE@ VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ @@ -36,14 +90,14 @@ build_triplet = @build@ host_triplet = @host@ @SHAREDLIB_HACK_TRUE@am__append_1 = ../strings.c subdir = src/openssl -DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = @@ -79,14 +133,18 @@ am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) am__DEPENDENCIES_1 = am__libxmlsec1_openssl_la_SOURCES_DIST = app.c bn.c ciphers.c crypto.c \ - digests.c evp.c hmac.c kw_aes.c kw_des.c kt_rsa.c signatures.c \ - symkeys.c x509.c x509vfy.c globals.h ../strings.c + digests.c evp.c evp_signatures.c hmac.c kw_aes.c kw_des.c \ + kt_rsa.c signatures.c symkeys.c x509.c x509vfy.c globals.h \ + ../strings.c am__objects_1 = -@SHAREDLIB_HACK_TRUE@am__objects_2 = libxmlsec1_openssl_la-strings.lo +am__dirstamp = $(am__leading_dot)dirstamp +@SHAREDLIB_HACK_TRUE@am__objects_2 = \ +@SHAREDLIB_HACK_TRUE@ ../libxmlsec1_openssl_la-strings.lo am_libxmlsec1_openssl_la_OBJECTS = libxmlsec1_openssl_la-app.lo \ libxmlsec1_openssl_la-bn.lo libxmlsec1_openssl_la-ciphers.lo \ libxmlsec1_openssl_la-crypto.lo \ libxmlsec1_openssl_la-digests.lo libxmlsec1_openssl_la-evp.lo \ + libxmlsec1_openssl_la-evp_signatures.lo \ libxmlsec1_openssl_la-hmac.lo libxmlsec1_openssl_la-kw_aes.lo \ libxmlsec1_openssl_la-kw_des.lo \ libxmlsec1_openssl_la-kt_rsa.lo \ @@ -98,10 +156,23 @@ libxmlsec1_openssl_la_OBJECTS = $(am_libxmlsec1_openssl_la_OBJECTS) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent +am__v_lt_1 = libxmlsec1_openssl_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(libxmlsec1_openssl_la_LDFLAGS) \ $(LDFLAGS) -o $@ +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -114,24 +185,43 @@ LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(AM_CFLAGS) $(CFLAGS) AM_V_CC = $(am__v_CC_@AM_V@) am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) -am__v_CC_0 = @echo " CC " $@; -AM_V_at = $(am__v_at_@AM_V@) -am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) -am__v_at_0 = @ +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = CCLD = $(CC) LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(AM_LDFLAGS) $(LDFLAGS) -o $@ AM_V_CCLD = $(am__v_CCLD_@AM_V@) am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) -am__v_CCLD_0 = @echo " CCLD " $@; -AM_V_GEN = $(am__v_GEN_@AM_V@) -am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) -am__v_GEN_0 = @echo " GEN " $@; +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = SOURCES = $(libxmlsec1_openssl_la_SOURCES) DIST_SOURCES = $(am__libxmlsec1_openssl_la_SOURCES_DIST) +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp README DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -168,6 +258,10 @@ GNUTLS_CRYPTO_LIB = @GNUTLS_CRYPTO_LIB@ GNUTLS_LIBS = @GNUTLS_LIBS@ GNUTLS_MIN_VERSION = @GNUTLS_MIN_VERSION@ GREP = @GREP@ +GTKDOC_MKDB = @GTKDOC_MKDB@ +GTKDOC_MKHTML = @GTKDOC_MKHTML@ +GTKDOC_MKTMPL = @GTKDOC_MKTMPL@ +GTKDOC_SCAN = @GTKDOC_SCAN@ HELP2MAN = @HELP2MAN@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ @@ -187,6 +281,7 @@ LIBXSLT_CFLAGS = @LIBXSLT_CFLAGS@ LIBXSLT_CONFIG = @LIBXSLT_CONFIG@ LIBXSLT_LIBS = @LIBXSLT_LIBS@ LIBXSLT_MIN_VERSION = @LIBXSLT_MIN_VERSION@ +LIBXSLT_PC_FILE_COND = @LIBXSLT_PC_FILE_COND@ LIPO = @LIPO@ LN_S = @LN_S@ LTLIBOBJS = @LTLIBOBJS@ @@ -225,6 +320,7 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ PKGCONFIG_PRESENT = @PKGCONFIG_PRESENT@ PKG_CONFIG = @PKG_CONFIG@ PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ @@ -241,7 +337,6 @@ XMLSEC_APP_DEFINES = @XMLSEC_APP_DEFINES@ XMLSEC_CFLAGS = @XMLSEC_CFLAGS@ XMLSEC_CORE_CFLAGS = @XMLSEC_CORE_CFLAGS@ XMLSEC_CORE_LIBS = @XMLSEC_CORE_LIBS@ -XMLSEC_CRYPTO = @XMLSEC_CRYPTO@ XMLSEC_CRYPTO_CFLAGS = @XMLSEC_CRYPTO_CFLAGS@ XMLSEC_CRYPTO_DISABLED_LIST = @XMLSEC_CRYPTO_DISABLED_LIST@ XMLSEC_CRYPTO_EXTRA_LDFLAGS = @XMLSEC_CRYPTO_EXTRA_LDFLAGS@ @@ -249,6 +344,7 @@ XMLSEC_CRYPTO_LIB = @XMLSEC_CRYPTO_LIB@ XMLSEC_CRYPTO_LIBS = @XMLSEC_CRYPTO_LIBS@ XMLSEC_CRYPTO_LIST = @XMLSEC_CRYPTO_LIST@ XMLSEC_CRYPTO_PC_FILES_LIST = @XMLSEC_CRYPTO_PC_FILES_LIST@ +XMLSEC_DEFAULT_CRYPTO = @XMLSEC_DEFAULT_CRYPTO@ XMLSEC_DEFINES = @XMLSEC_DEFINES@ XMLSEC_DL_INCLUDES = @XMLSEC_DL_INCLUDES@ XMLSEC_DL_LIBS = @XMLSEC_DL_LIBS@ @@ -268,6 +364,7 @@ XMLSEC_NO_DSA = @XMLSEC_NO_DSA@ XMLSEC_NO_GCRYPT = @XMLSEC_NO_GCRYPT@ XMLSEC_NO_GNUTLS = @XMLSEC_NO_GNUTLS@ XMLSEC_NO_GOST = @XMLSEC_NO_GOST@ +XMLSEC_NO_GOST2012 = @XMLSEC_NO_GOST2012@ XMLSEC_NO_HMAC = @XMLSEC_NO_HMAC@ XMLSEC_NO_LIBXSLT = @XMLSEC_NO_LIBXSLT@ XMLSEC_NO_MD5 = @XMLSEC_NO_MD5@ @@ -282,7 +379,6 @@ XMLSEC_NO_SHA256 = @XMLSEC_NO_SHA256@ XMLSEC_NO_SHA384 = @XMLSEC_NO_SHA384@ XMLSEC_NO_SHA512 = @XMLSEC_NO_SHA512@ XMLSEC_NO_X509 = @XMLSEC_NO_X509@ -XMLSEC_NO_XKMS = @XMLSEC_NO_XKMS@ XMLSEC_NO_XMLDSIG = @XMLSEC_NO_XMLDSIG@ XMLSEC_NO_XMLENC = @XMLSEC_NO_XMLENC@ XMLSEC_NSS_CFLAGS = @XMLSEC_NSS_CFLAGS@ @@ -297,6 +393,7 @@ XMLSEC_VERSION_MAJOR = @XMLSEC_VERSION_MAJOR@ XMLSEC_VERSION_MINOR = @XMLSEC_VERSION_MINOR@ XMLSEC_VERSION_SAFE = @XMLSEC_VERSION_SAFE@ XMLSEC_VERSION_SUBMINOR = @XMLSEC_VERSION_SUBMINOR@ +XSLTPROC = @XSLTPROC@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ @@ -369,8 +466,9 @@ libxmlsec1_openssl_la_CPPFLAGS = \ $(NULL) libxmlsec1_openssl_la_SOURCES = app.c bn.c ciphers.c crypto.c \ - digests.c evp.c hmac.c kw_aes.c kw_des.c kt_rsa.c signatures.c \ - symkeys.c x509.c x509vfy.c globals.h $(NULL) $(am__append_1) + digests.c evp.c evp_signatures.c hmac.c kw_aes.c kw_des.c \ + kt_rsa.c signatures.c symkeys.c x509.c x509vfy.c globals.h \ + $(NULL) $(am__append_1) libxmlsec1_openssl_la_LIBADD = \ $(OPENSSL_LIBS) \ $(LIBXSLT_LIBS) \ @@ -402,7 +500,6 @@ $(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(am__confi echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/openssl/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu src/openssl/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -420,9 +517,9 @@ $(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) $(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): + install-libLTLIBRARIES: $(lib_LTLIBRARIES) @$(NORMAL_INSTALL) - test -z "$(libdir)" || $(MKDIR_P) "$(DESTDIR)$(libdir)" @list='$(lib_LTLIBRARIES)'; test -n "$(libdir)" || list=; \ list2=; for p in $$list; do \ if test -f $$p; then \ @@ -430,6 +527,8 @@ install-libLTLIBRARIES: $(lib_LTLIBRARIES) else :; fi; \ done; \ test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(libdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(libdir)" || exit 1; \ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(libdir)'"; \ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(libdir)"; \ } @@ -445,54 +544,71 @@ uninstall-libLTLIBRARIES: clean-libLTLIBRARIES: -test -z "$(lib_LTLIBRARIES)" || rm -f $(lib_LTLIBRARIES) - @list='$(lib_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done + @list='$(lib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } +../$(am__dirstamp): + @$(MKDIR_P) .. + @: > ../$(am__dirstamp) +../$(DEPDIR)/$(am__dirstamp): + @$(MKDIR_P) ../$(DEPDIR) + @: > ../$(DEPDIR)/$(am__dirstamp) +../libxmlsec1_openssl_la-strings.lo: ../$(am__dirstamp) \ + ../$(DEPDIR)/$(am__dirstamp) + libxmlsec1-openssl.la: $(libxmlsec1_openssl_la_OBJECTS) $(libxmlsec1_openssl_la_DEPENDENCIES) $(EXTRA_libxmlsec1_openssl_la_DEPENDENCIES) $(AM_V_CCLD)$(libxmlsec1_openssl_la_LINK) -rpath $(libdir) $(libxmlsec1_openssl_la_OBJECTS) $(libxmlsec1_openssl_la_LIBADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) + -rm -f ../*.$(OBJEXT) + -rm -f ../*.lo distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@../$(DEPDIR)/libxmlsec1_openssl_la-strings.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-app.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-bn.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-ciphers.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-crypto.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-digests.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-evp.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-evp_signatures.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-hmac.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-kt_rsa.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-kw_aes.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-kw_des.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-signatures.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-strings.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-symkeys.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-x509.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libxmlsec1_openssl_la-x509vfy.Plo@am__quote@ .c.o: -@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.o$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: -@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.obj$$||'`;\ +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ `$(CYGPATH_W) '$<'` &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@am__fastdepCC_TRUE@ $(AM_V_CC)depbase=`echo $@ | sed 's|[^/]*$$|$(DEPDIR)/&|;s|\.lo$$||'`;\ +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $$depbase.Tpo -c -o $@ $< &&\ +@am__fastdepCC_TRUE@ $(am__mv) $$depbase.Tpo $$depbase.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< @@ -539,6 +655,13 @@ libxmlsec1_openssl_la-evp.lo: evp.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_openssl_la-evp.lo `test -f 'evp.c' || echo '$(srcdir)/'`evp.c +libxmlsec1_openssl_la-evp_signatures.lo: evp_signatures.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_openssl_la-evp_signatures.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_openssl_la-evp_signatures.Tpo -c -o libxmlsec1_openssl_la-evp_signatures.lo `test -f 'evp_signatures.c' || echo '$(srcdir)/'`evp_signatures.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libxmlsec1_openssl_la-evp_signatures.Tpo $(DEPDIR)/libxmlsec1_openssl_la-evp_signatures.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='evp_signatures.c' object='libxmlsec1_openssl_la-evp_signatures.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_openssl_la-evp_signatures.lo `test -f 'evp_signatures.c' || echo '$(srcdir)/'`evp_signatures.c + libxmlsec1_openssl_la-hmac.lo: hmac.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_openssl_la-hmac.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_openssl_la-hmac.Tpo -c -o libxmlsec1_openssl_la-hmac.lo `test -f 'hmac.c' || echo '$(srcdir)/'`hmac.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libxmlsec1_openssl_la-hmac.Tpo $(DEPDIR)/libxmlsec1_openssl_la-hmac.Plo @@ -595,39 +718,29 @@ libxmlsec1_openssl_la-x509vfy.lo: x509vfy.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_openssl_la-x509vfy.lo `test -f 'x509vfy.c' || echo '$(srcdir)/'`x509vfy.c -libxmlsec1_openssl_la-strings.lo: ../strings.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libxmlsec1_openssl_la-strings.lo -MD -MP -MF $(DEPDIR)/libxmlsec1_openssl_la-strings.Tpo -c -o libxmlsec1_openssl_la-strings.lo `test -f '../strings.c' || echo '$(srcdir)/'`../strings.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libxmlsec1_openssl_la-strings.Tpo $(DEPDIR)/libxmlsec1_openssl_la-strings.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../strings.c' object='libxmlsec1_openssl_la-strings.lo' libtool=yes @AMDEPBACKSLASH@ +../libxmlsec1_openssl_la-strings.lo: ../strings.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ../libxmlsec1_openssl_la-strings.lo -MD -MP -MF ../$(DEPDIR)/libxmlsec1_openssl_la-strings.Tpo -c -o ../libxmlsec1_openssl_la-strings.lo `test -f '../strings.c' || echo '$(srcdir)/'`../strings.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) ../$(DEPDIR)/libxmlsec1_openssl_la-strings.Tpo ../$(DEPDIR)/libxmlsec1_openssl_la-strings.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='../strings.c' object='../libxmlsec1_openssl_la-strings.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libxmlsec1_openssl_la-strings.lo `test -f '../strings.c' || echo '$(srcdir)/'`../strings.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libxmlsec1_openssl_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ../libxmlsec1_openssl_la-strings.lo `test -f '../strings.c' || echo '$(srcdir)/'`../strings.c mostlyclean-libtool: -rm -f *.lo clean-libtool: -rm -rf .libs _libs + -rm -rf ../.libs ../_libs + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) set x; \ here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ + $(am__define_uniq_tagged_files); \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ @@ -639,15 +752,11 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $$unique; \ fi; \ fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique @@ -656,6 +765,21 @@ GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags @@ -723,6 +847,8 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + -rm -f ../$(DEPDIR)/$(am__dirstamp) + -rm -f ../$(am__dirstamp) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -733,7 +859,7 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -rf ../$(DEPDIR) ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -779,7 +905,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -rf ../$(DEPDIR) ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -800,19 +926,21 @@ uninstall-am: uninstall-libLTLIBRARIES .MAKE: install-am install-strip -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libLTLIBRARIES clean-libtool ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am \ - install-libLTLIBRARIES install-man install-pdf install-pdf-am \ - install-ps install-ps-am install-strip installcheck \ - installcheck-am installdirs maintainer-clean \ +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libLTLIBRARIES clean-libtool cscopelist-am ctags \ + ctags-am distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-libLTLIBRARIES install-man install-pdf \ + install-pdf-am install-ps install-ps-am install-strip \ + installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-libLTLIBRARIES + tags tags-am uninstall uninstall-am uninstall-libLTLIBRARIES + +.PRECIOUS: Makefile # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/openssl/README b/src/openssl/README index 0f1c625d..e33b0b0a 100644 --- a/src/openssl/README +++ b/src/openssl/README @@ -1,6 +1,6 @@ WHAT VERSION OF OPENSSL? ------------------------------------------------------------------------ -OpenSSL 0.9.6 is supported but some functionality requires 0.9.7 or greater. +OpenSSL 0.9.8 or later is required KEYS MANAGER ------------------------------------------------------------------------ @@ -9,9 +9,3 @@ OpenSSL does not have a keys or certificates storage implementation. The default xmlsec-openssl key manager uses a simple keys store from xmlsec core library based on plain keys list. Trusted/untrusted certificates are stored in STACK_OF(X509) structures. - -KNOWN ISSUES. ------------------------------------------------------------------------- -1) One day we might decide to drop OpenSSL 0.9.6 supprot and remove all -these ifdef's to simplify the code. - diff --git a/src/openssl/app.c b/src/openssl/app.c index 4f8f79e6..373e03a8 100644 --- a/src/openssl/app.c +++ b/src/openssl/app.c @@ -4,7 +4,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -19,6 +19,7 @@ #include <openssl/pem.h> #include <openssl/pkcs12.h> #include <openssl/conf.h> +#include <openssl/engine.h> #include <xmlsec/xmlsec.h> #include <xmlsec/keys.h> @@ -96,6 +97,7 @@ xmlSecOpenSSLAppInit(const char* config) { int xmlSecOpenSSLAppShutdown(void) { xmlSecOpenSSLAppSaveRANDFile(NULL); + RAND_cleanup(); EVP_cleanup(); @@ -103,14 +105,21 @@ xmlSecOpenSSLAppShutdown(void) { X509_TRUST_cleanup(); #endif /* XMLSEC_NO_X509 */ -#ifndef XMLSEC_OPENSSL_096 + ENGINE_cleanup(); + CONF_modules_unload(1); + CRYPTO_cleanup_all_ex_data(); -#endif /* XMLSEC_OPENSSL_096 */ /* finally cleanup errors */ +#if defined(XMLSEC_OPENSSL_100) || defined(XMLSEC_OPENSSL_110) + ERR_remove_thread_state(NULL); +#else ERR_remove_state(0); +#endif /* defined(XMLSEC_OPENSSL_100) || defined(XMLSEC_OPENSSL_110) */ + ERR_free_strings(); + /* done */ return(0); } @@ -255,7 +264,7 @@ xmlSecOpenSSLAppKeyLoadBIO(BIO* bio, xmlSecKeyDataFormat format, } if(pKey == NULL) { /* go to start of the file and try to read public key */ - BIO_reset(bio); + (void)BIO_reset(bio); pKey = PEM_read_bio_PUBKEY(bio, NULL, XMLSEC_PTR_TO_FUNC(pem_password_cb, pwdCallback), pwdCallbackCtx); @@ -274,7 +283,7 @@ xmlSecOpenSSLAppKeyLoadBIO(BIO* bio, xmlSecKeyDataFormat format, pKey = d2i_PrivateKey_bio(bio, NULL); if(pKey == NULL) { /* go to start of the file and try to read public key */ - BIO_reset(bio); + (void)BIO_reset(bio); pKey = d2i_PUBKEY_bio(bio, NULL); if(pKey == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, diff --git a/src/openssl/bn.c b/src/openssl/bn.c index dfeae6ea..db186d11 100644 --- a/src/openssl/bn.c +++ b/src/openssl/bn.c @@ -6,7 +6,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" diff --git a/src/openssl/ciphers.c b/src/openssl/ciphers.c index 1b600625..c93f06b9 100644 --- a/src/openssl/ciphers.c +++ b/src/openssl/ciphers.c @@ -4,7 +4,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -21,10 +21,11 @@ #include <xmlsec/openssl/crypto.h> #include <xmlsec/openssl/evp.h> -/* this is not defined in OpenSSL 0.9.6 */ -#ifndef EVP_MAX_BLOCK_LENGTH -#define EVP_MAX_BLOCK_LENGTH 32 -#endif /* EVP_MAX_BLOCK_LENGTH */ +/* new API from OpenSSL 1.1.0 */ +#if !defined(XMLSEC_OPENSSL_110) +#define EVP_CIPHER_CTX_encrypting(x) ((x)->encrypt) +#endif /* !defined(XMLSEC_OPENSSL_110) */ + /************************************************************************** * @@ -36,25 +37,33 @@ typedef struct _xmlSecOpenSSLEvpBlockCipherCtx xmlSecOpenSSLEvpBlockCip struct _xmlSecOpenSSLEvpBlockCipherCtx { const EVP_CIPHER* cipher; xmlSecKeyDataId keyId; - EVP_CIPHER_CTX cipherCtx; + EVP_CIPHER_CTX* cipherCtx; int keyInitialized; int ctxInitialized; xmlSecByte key[EVP_MAX_KEY_LENGTH]; xmlSecByte iv[EVP_MAX_IV_LENGTH]; - xmlSecByte pad[EVP_MAX_BLOCK_LENGTH]; + xmlSecByte pad[2*EVP_MAX_BLOCK_LENGTH]; }; + static int xmlSecOpenSSLEvpBlockCipherCtxInit (xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, xmlSecBufferPtr in, xmlSecBufferPtr out, int encrypt, const xmlChar* cipherName, xmlSecTransformCtxPtr transformCtx); +static int xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, + const xmlSecByte * in, + int inSize, + xmlSecBufferPtr out, + const xmlChar* cipherName, + int final); static int xmlSecOpenSSLEvpBlockCipherCtxUpdate (xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, xmlSecBufferPtr in, xmlSecBufferPtr out, const xmlChar* cipherName, xmlSecTransformCtxPtr transformCtx); static int xmlSecOpenSSLEvpBlockCipherCtxFinal (xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, + xmlSecBufferPtr in, xmlSecBufferPtr out, const xmlChar* cipherName, xmlSecTransformCtxPtr transformCtx); @@ -69,6 +78,7 @@ xmlSecOpenSSLEvpBlockCipherCtxInit(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->cipher != NULL, -1); + xmlSecAssert2(ctx->cipherCtx != NULL, -1); xmlSecAssert2(ctx->keyInitialized != 0, -1); xmlSecAssert2(ctx->ctxInitialized == 0, -1); xmlSecAssert2(in != NULL, -1); @@ -126,7 +136,7 @@ xmlSecOpenSSLEvpBlockCipherCtxInit(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, } /* set iv */ - ret = EVP_CipherInit(&(ctx->cipherCtx), ctx->cipher, ctx->key, ctx->iv, encrypt); + ret = EVP_CipherInit(ctx->cipherCtx, ctx->cipher, ctx->key, ctx->iv, encrypt); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), @@ -140,84 +150,59 @@ xmlSecOpenSSLEvpBlockCipherCtxInit(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, /* * The padding used in XML Enc does not follow RFC 1423 - * and is not supported by OpenSSL. In the case of OpenSSL 0.9.7 - * it is possible to disable padding and do it by yourself - * For OpenSSL 0.9.6 you have interop problems + * and is not supported by OpenSSL. However, it is possible + * to disable padding and do it by yourself + * + * https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Alg-Block */ -#ifndef XMLSEC_OPENSSL_096 - EVP_CIPHER_CTX_set_padding(&(ctx->cipherCtx), 0); -#endif /* XMLSEC_OPENSSL_096 */ + EVP_CIPHER_CTX_set_padding(ctx->cipherCtx, 0); + return(0); } static int -xmlSecOpenSSLEvpBlockCipherCtxUpdate(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, - xmlSecBufferPtr in, xmlSecBufferPtr out, - const xmlChar* cipherName, - xmlSecTransformCtxPtr transformCtx) { - int blockLen, fixLength = 0, outLen = 0; - xmlSecSize inSize, outSize; +xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, + const xmlSecByte * in, + int inSize, + xmlSecBufferPtr out, + const xmlChar* cipherName, + int final) { xmlSecByte* outBuf; + xmlSecSize outSize; + int blockLen, outLen = 0; int ret; xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->cipher != NULL, -1); + xmlSecAssert2(ctx->cipherCtx != NULL, -1); xmlSecAssert2(ctx->keyInitialized != 0, -1); xmlSecAssert2(ctx->ctxInitialized != 0, -1); xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(inSize > 0, -1); xmlSecAssert2(out != NULL, -1); - xmlSecAssert2(transformCtx != NULL, -1); + /* OpenSSL docs: If the pad parameter is zero then no padding is performed, the total amount of + * data encrypted or decrypted must then be a multiple of the block size or an error will occur. + */ blockLen = EVP_CIPHER_block_size(ctx->cipher); xmlSecAssert2(blockLen > 0, -1); + xmlSecAssert2((inSize % blockLen) == 0, -1); - inSize = xmlSecBufferGetSize(in); + /* prepare: ensure we have enough space (+blockLen for final) */ outSize = xmlSecBufferGetSize(out); - - if(inSize == 0) { - /* wait for more data */ - return(0); - } - - /* OpenSSL docs: The amount of data written depends on the block - * alignment of the encrypted data: as a result the amount of data - * written may be anything from zero bytes to (inl + cipher_block_size - 1). - */ ret = xmlSecBufferSetMaxSize(out, outSize + inSize + blockLen); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), "xmlSecBufferSetMaxSize", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%d", outSize + inSize + blockLen); + "size=%d", (int)(outSize + inSize + blockLen)); return(-1); } - outBuf = xmlSecBufferGetData(out) + outSize; - - /* - * The padding used in XML Enc does not follow RFC 1423 - * and is not supported by OpenSSL. In the case of OpenSSL 0.9.7 - * it is possible to disable padding and do it by yourself - * For OpenSSL 0.9.6 you have interop problems. - * - * The logic below is copied from EVP_DecryptUpdate() function. - * This is a hack but it's the only way I can provide binary - * compatibility with previous versions of xmlsec. - * This needs to be fixed in the next XMLSEC API refresh. - */ -#ifndef XMLSEC_OPENSSL_096 - if(!ctx->cipherCtx.encrypt) { - if(ctx->cipherCtx.final_used) { - memcpy(outBuf, ctx->cipherCtx.final, blockLen); - outBuf += blockLen; - fixLength = 1; - } else { - fixLength = 0; - } - } -#endif /* XMLSEC_OPENSSL_096 */ + outBuf = xmlSecBufferGetData(out) + outSize; /* encrypt/decrypt */ - ret = EVP_CipherUpdate(&(ctx->cipherCtx), outBuf, &outLen, xmlSecBufferGetData(in), inSize); + ret = EVP_CipherUpdate(ctx->cipherCtx, outBuf, &outLen, in, inSize); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), @@ -226,27 +211,24 @@ xmlSecOpenSSLEvpBlockCipherCtxUpdate(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, XMLSEC_ERRORS_NO_MESSAGE); return(-1); } + xmlSecAssert2(outLen == inSize, -1); -#ifndef XMLSEC_OPENSSL_096 - if(!ctx->cipherCtx.encrypt) { - /* - * The logic below is copied from EVP_DecryptUpdate() function. - * This is a hack but it's the only way I can provide binary - * compatibility with previous versions of xmlsec. - * This needs to be fixed in the next XMLSEC API refresh. - */ - if (blockLen > 1 && !ctx->cipherCtx.buf_len) { - outLen -= blockLen; - ctx->cipherCtx.final_used = 1; - memcpy(ctx->cipherCtx.final, &outBuf[outLen], blockLen); - } else { - ctx->cipherCtx.final_used = 0; - } - if (fixLength) { - outLen += blockLen; + /* finalize transform if needed */ + if(final != 0) { + int outLen2 = 0; + + ret = EVP_CipherFinal(ctx->cipherCtx, outBuf + outLen, &outLen2); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "EVP_CipherFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } + + outLen += outLen2; } -#endif /* XMLSEC_OPENSSL_096 */ /* set correct output buffer size */ ret = xmlSecBufferSetSize(out, outSize + outLen); @@ -255,166 +237,226 @@ xmlSecOpenSSLEvpBlockCipherCtxUpdate(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, xmlSecErrorsSafeString(cipherName), "xmlSecBufferSetSize", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%d", outSize + outLen); + "size=%d", (int)(outSize + outLen)); + return(-1); + } + + /* done */ + return (0); +} + +static int +xmlSecOpenSSLEvpBlockCipherCtxUpdate(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, + xmlSecBufferPtr in, xmlSecBufferPtr out, + const xmlChar* cipherName, + xmlSecTransformCtxPtr transformCtx) { + xmlSecSize inSize, blockLen, inBlocksLen; + xmlSecByte* inBuf; + int ret; + + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->cipherCtx != NULL, -1); + xmlSecAssert2(ctx->keyInitialized != 0, -1); + xmlSecAssert2(ctx->ctxInitialized != 0, -1); + xmlSecAssert2(in != NULL, -1); + xmlSecAssert2(out != NULL, -1); + xmlSecAssert2(transformCtx != NULL, -1); + + blockLen = EVP_CIPHER_block_size(ctx->cipher); + xmlSecAssert2(blockLen > 0, -1); + + inSize = xmlSecBufferGetSize(in); + if(inSize <= blockLen) { + /* wait for more data: we want to make sure we keep the last chunk in tmp buffer for + * padding check/removal on decryption + */ + return(0); + } + + /* OpenSSL docs: If the pad parameter is zero then no padding is performed, the total amount of + * data encrypted or decrypted must then be a multiple of the block size or an error will occur. + * + * We process all complete blocks from the input + */ + inBlocksLen = blockLen * (inSize / blockLen); + if(inBlocksLen == inSize) { + inBlocksLen -= blockLen; /* ensure we keep the last block around for Final() call to add/check/remove padding */ + } + xmlSecAssert2(inBlocksLen > 0, -1); + + inBuf = xmlSecBufferGetData(in); + ret = xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock(ctx, inBuf, inBlocksLen, out, cipherName, 0); /* not final */ + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + NULL); return(-1); } /* remove the processed block from input */ - ret = xmlSecBufferRemoveHead(in, inSize); + ret = xmlSecBufferRemoveHead(in, inBlocksLen); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), "xmlSecBufferRemoveHead", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%d", inSize); + "size=%d", (int)inSize); return(-1); } + + /* just a double check */ + inSize = xmlSecBufferGetSize(in); + xmlSecAssert2(inSize > 0, -1); + xmlSecAssert2(inSize <= blockLen, -1); + + /* done */ return(0); } static int xmlSecOpenSSLEvpBlockCipherCtxFinal(xmlSecOpenSSLEvpBlockCipherCtxPtr ctx, + xmlSecBufferPtr in, xmlSecBufferPtr out, const xmlChar* cipherName, xmlSecTransformCtxPtr transformCtx) { - int blockLen, outLen = 0, outLen2 = 0; - xmlSecSize outSize; + xmlSecSize inSize, outSize, blockLen; + xmlSecByte* inBuf; xmlSecByte* outBuf; int ret; xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->cipher != NULL, -1); + xmlSecAssert2(ctx->cipherCtx != NULL, -1); xmlSecAssert2(ctx->keyInitialized != 0, -1); xmlSecAssert2(ctx->ctxInitialized != 0, -1); + xmlSecAssert2(in != NULL, -1); xmlSecAssert2(out != NULL, -1); xmlSecAssert2(transformCtx != NULL, -1); blockLen = EVP_CIPHER_block_size(ctx->cipher); xmlSecAssert2(blockLen > 0, -1); + xmlSecAssert2(blockLen <= EVP_MAX_BLOCK_LENGTH, -1); - outSize = xmlSecBufferGetSize(out); - - /* OpenSSL docs: The encrypted final data is written to out which should - * have sufficient space for one cipher block. We might have to write - * one more block with padding - */ - ret = xmlSecBufferSetMaxSize(out, outSize + 2 * blockLen); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(cipherName), - "xmlSecBufferSetMaxSize", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%d", outSize + 2 * blockLen); - return(-1); - } - outBuf = xmlSecBufferGetData(out) + outSize; + /* not more than one block left */ + inSize = xmlSecBufferGetSize(in); + inBuf = xmlSecBufferGetData(in); + xmlSecAssert2(inSize <= blockLen, -1); /* * The padding used in XML Enc does not follow RFC 1423 - * and is not supported by OpenSSL. In the case of OpenSSL 0.9.7 - * it is possible to disable padding and do it by yourself - * For OpenSSL 0.9.6 you have interop problems. + * and is not supported by OpenSSL. However, it is possible + * to disable padding and do it by yourself * - * The logic below is copied from EVP_DecryptFinal() function. - * This is a hack but it's the only way I can provide binary - * compatibility with previous versions of xmlsec. - * This needs to be fixed in the next XMLSEC API refresh. + * https://www.w3.org/TR/2002/REC-xmlenc-core-20021210/Overview.html#sec-Alg-Block */ -#ifndef XMLSEC_OPENSSL_096 - if(ctx->cipherCtx.encrypt) { - int padLen; - - xmlSecAssert2(blockLen <= EVP_MAX_BLOCK_LENGTH, -1); + if(EVP_CIPHER_CTX_encrypting(ctx->cipherCtx)) { + xmlSecSize padLen; - padLen = blockLen - ctx->cipherCtx.buf_len; + /* figure out pad length, if it is 0 (i.e. inSize == blockLen) then set it to blockLen */ + padLen = blockLen - inSize; + if(padLen == 0) { + padLen = blockLen; + } xmlSecAssert2(padLen > 0, -1); + xmlSecAssert2(inSize + padLen <= sizeof(ctx->pad), -1); + + /* we can have inSize == 0 if there were no data at all, otherwise -- copy the data */ + if(inSize > 0) { + memcpy(ctx->pad, inBuf, inSize); + } /* generate random padding */ if(padLen > 1) { - ret = RAND_bytes(ctx->pad, padLen - 1); + ret = RAND_bytes(ctx->pad + inSize, padLen - 1); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), "RAND_bytes", XMLSEC_ERRORS_R_CRYPTO_FAILED, - "size=%d", padLen - 1); + "size=%d", (int)(padLen - 1)); return(-1); } } - ctx->pad[padLen - 1] = padLen; - /* write padding */ - ret = EVP_CipherUpdate(&(ctx->cipherCtx), outBuf, &outLen, ctx->pad, padLen); - if(ret != 1) { + /* set the last byte to the pad length */ + ctx->pad[inSize + padLen - 1] = padLen; + + /* update the last 1 or 2 blocks with padding */ + ret = xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock(ctx, ctx->pad, inSize + padLen, out, cipherName, 1); /* final */ + if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), - "EVP_CipherUpdate", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); + "xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + NULL); return(-1); } - outBuf += outLen; - } -#endif /* XMLSEC_OPENSSL_096 */ + } else { + xmlSecSize padLen; - /* finalize transform */ - ret = EVP_CipherFinal(&(ctx->cipherCtx), outBuf, &outLen2); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, + /* update the last one block with padding */ + ret = xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock(ctx, inBuf, inSize, out, cipherName, 1); /* final */ + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecOpenSSLEvpBlockCipherCtxUpdateBlock", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + NULL); + return(-1); + } + + /* we expect at least one block in the output -- the one we just decrypted */ + outBuf = xmlSecBufferGetData(out); + outSize = xmlSecBufferGetSize(out); + if(outSize < blockLen) { + xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), - "EVP_CipherFinal", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "outSize=%d;blockLen=%d", + (int)outSize, (int)blockLen); + return(-1); + } - /* - * The padding used in XML Enc does not follow RFC 1423 - * and is not supported by OpenSSL. In the case of OpenSSL 0.9.7 - * it is possible to disable padding and do it by yourself - * For OpenSSL 0.9.6 you have interop problems. - * - * The logic below is copied from EVP_DecryptFinal() function. - * This is a hack but it's the only way I can provide binary - * compatibility with previous versions of xmlsec. - * This needs to be fixed in the next XMLSEC API refresh. - */ -#ifndef XMLSEC_OPENSSL_096 - if(!ctx->cipherCtx.encrypt) { - /* we instructed openssl to do not use padding so there - * should be no final block - */ - xmlSecAssert2(outLen2 == 0, -1); - xmlSecAssert2(ctx->cipherCtx.buf_len == 0, -1); - xmlSecAssert2(ctx->cipherCtx.final_used, -1); - - if(blockLen > 1) { - outLen2 = blockLen - ctx->cipherCtx.final[blockLen - 1]; - if(outLen2 > 0) { - memcpy(outBuf, ctx->cipherCtx.final, outLen2); - } else if(outLen2 < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(cipherName), - NULL, - XMLSEC_ERRORS_R_INVALID_DATA, - "padding=%d;buffer=%d", - ctx->cipherCtx.final[blockLen - 1], blockLen); - return(-1); - } + /* get the pad length from the last byte */ + padLen = (xmlSecSize)(outBuf[outSize - 1]); + if(padLen > blockLen) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + NULL, + XMLSEC_ERRORS_R_INVALID_DATA, + "padLen=%d;blockLen=%d", + (int)padLen, (int)blockLen); + return(-1); + } + xmlSecAssert2(padLen <= outSize, -1); + + /* remove the padding */ + ret = xmlSecBufferRemoveTail(out, padLen); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(cipherName), + "xmlSecBufferRemoveTail", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "size=%d", (int)padLen); + return(-1); } } -#endif /* XMLSEC_OPENSSL_096 */ - /* set correct output buffer size */ - ret = xmlSecBufferSetSize(out, outSize + outLen + outLen2); + /* remove the processed block from input */ + ret = xmlSecBufferRemoveHead(in, inSize); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(cipherName), - "xmlSecBufferSetSize", + "xmlSecBufferRemoveHead", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%d", outSize + outLen + outLen2); + "size=%d", (int)inSize); return(-1); } + /* done */ return(0); } @@ -505,7 +547,18 @@ xmlSecOpenSSLEvpBlockCipherInitialize(xmlSecTransformPtr transform) { return(-1); } - EVP_CIPHER_CTX_init(&(ctx->cipherCtx)); + /* create cipher ctx */ + ctx->cipherCtx = EVP_CIPHER_CTX_new(); + if(ctx->cipherCtx == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_CIPHER_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* done */ return(0); } @@ -519,7 +572,10 @@ xmlSecOpenSSLEvpBlockCipherFinalize(xmlSecTransformPtr transform) { ctx = xmlSecOpenSSLEvpBlockCipherGetCtx(transform); xmlSecAssert(ctx != NULL); - EVP_CIPHER_CTX_cleanup(&(ctx->cipherCtx)); + if(ctx->cipherCtx != NULL) { + EVP_CIPHER_CTX_free(ctx->cipherCtx); + } + memset(ctx, 0, sizeof(xmlSecOpenSSLEvpBlockCipherCtx)); } @@ -584,7 +640,7 @@ xmlSecOpenSSLEvpBlockCipherSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key NULL, XMLSEC_ERRORS_R_INVALID_KEY_DATA_SIZE, "keySize=%d;expected=%d", - xmlSecBufferGetSize(buffer), cipherKeyLen); + (int)xmlSecBufferGetSize(buffer), (int)cipherKeyLen); return(-1); } @@ -654,9 +710,7 @@ xmlSecOpenSSLEvpBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSe } if(last != 0) { - /* by now there should be no input */ - xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1); - ret = xmlSecOpenSSLEvpBlockCipherCtxFinal(ctx, out, + ret = xmlSecOpenSSLEvpBlockCipherCtxFinal(ctx, in, out, xmlSecTransformGetName(transform), transformCtx); if(ret < 0) { @@ -668,6 +722,9 @@ xmlSecOpenSSLEvpBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSe return(-1); } transform->status = xmlSecTransformStatusFinished; + + /* by now there should be no input */ + xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1); } } else if(transform->status == xmlSecTransformStatusFinished) { /* the only way we can get here is if there is no input */ @@ -680,7 +737,7 @@ xmlSecOpenSSLEvpBlockCipherExecute(xmlSecTransformPtr transform, int last, xmlSe xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), NULL, XMLSEC_ERRORS_R_INVALID_STATUS, - "status=%d", transform->status); + "status=%d", (int)(transform->status)); return(-1); } diff --git a/src/openssl/crypto.c b/src/openssl/crypto.c index eba1a323..b70eb731 100644 --- a/src/openssl/crypto.c +++ b/src/openssl/crypto.c @@ -4,7 +4,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -80,7 +80,12 @@ xmlSecCryptoGetFunctions_openssl(void) { #ifndef XMLSEC_NO_GOST gXmlSecOpenSSLFunctions->keyDataGost2001GetKlass = xmlSecOpenSSLKeyDataGost2001GetKlass; -#endif /* XMLSEC_NO_GOST*/ +#endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + gXmlSecOpenSSLFunctions->keyDataGostR3410_2012_256GetKlass = xmlSecOpenSSLKeyDataGostR3410_2012_256GetKlass; + gXmlSecOpenSSLFunctions->keyDataGostR3410_2012_512GetKlass = xmlSecOpenSSLKeyDataGostR3410_2012_512GetKlass; +#endif /* XMLSEC_NO_GOST2012 */ #ifndef XMLSEC_NO_HMAC gXmlSecOpenSSLFunctions->keyDataHmacGetKlass = xmlSecOpenSSLKeyDataHmacGetKlass; @@ -166,13 +171,17 @@ xmlSecCryptoGetFunctions_openssl(void) { /******************************* GOST ********************************/ #ifndef XMLSEC_NO_GOST - gXmlSecOpenSSLFunctions->transformGost2001GostR3411_94GetKlass = xmlSecOpenSSLTransformGost2001GostR3411_94GetKlass; -#endif /* XMLSEC_NO_GOST */ - -#ifndef XMLSEC_NO_GOST + gXmlSecOpenSSLFunctions->transformGost2001GostR3411_94GetKlass = xmlSecOpenSSLTransformGost2001GostR3411_94GetKlass; gXmlSecOpenSSLFunctions->transformGostR3411_94GetKlass = xmlSecOpenSSLTransformGostR3411_94GetKlass; #endif /* XMLSEC_NO_GOST */ +#ifndef XMLSEC_NO_GOST2012 + gXmlSecOpenSSLFunctions->transformGostR3410_2012GostR3411_2012_256GetKlass = xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_256GetKlass; + gXmlSecOpenSSLFunctions->transformGostR3410_2012GostR3411_2012_512GetKlass = xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_512GetKlass; + gXmlSecOpenSSLFunctions->transformGostR3411_2012_256GetKlass = xmlSecOpenSSLTransformGostR3411_2012_256GetKlass; + gXmlSecOpenSSLFunctions->transformGostR3411_2012_512GetKlass = xmlSecOpenSSLTransformGostR3411_2012_512GetKlass; +#endif /* XMLSEC_NO_GOST2012 */ + /******************************* HMAC ********************************/ #ifndef XMLSEC_NO_HMAC diff --git a/src/openssl/digests.c b/src/openssl/digests.c index fa26fa65..1d00a1b7 100644 --- a/src/openssl/digests.c +++ b/src/openssl/digests.c @@ -4,7 +4,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -20,6 +20,16 @@ #include <xmlsec/openssl/crypto.h> #include <xmlsec/openssl/evp.h> +/* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html): + * + * EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed to EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1. + */ +#if !defined(XMLSEC_OPENSSL_110) +#define EVP_MD_CTX_new() EVP_MD_CTX_create() +#define EVP_MD_CTX_free(x) EVP_MD_CTX_destroy((x)) +#endif /* !defined(XMLSEC_OPENSSL_110) */ + + /************************************************************************** * * Internal OpenSSL Digest CTX @@ -28,7 +38,7 @@ typedef struct _xmlSecOpenSSLDigestCtx xmlSecOpenSSLDigestCtx, *xmlSecOpenSSLDigestCtxPtr; struct _xmlSecOpenSSLDigestCtx { const EVP_MD* digest; - EVP_MD_CTX digestCtx; + EVP_MD_CTX* digestCtx; xmlSecByte dgst[EVP_MAX_MD_SIZE]; xmlSecSize dgstSize; /* dgst size in bytes */ }; @@ -108,6 +118,15 @@ xmlSecOpenSSLEvpDigestCheckId(xmlSecTransformPtr transform) { } else #endif /* XMLSEC_NO_GOST*/ +#ifndef XMLSEC_NO_GOST2012 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3411_2012_256Id)) { + return(1); + } else + + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3411_2012_512Id)) { + return(1); + } else +#endif /* XMLSEC_NO_GOST2012 */ { return(0); @@ -174,6 +193,20 @@ xmlSecOpenSSLEvpDigestInitialize(xmlSecTransformPtr transform) { #ifndef XMLSEC_NO_GOST if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3411_94Id)) { ctx->digest = EVP_get_digestbyname("md_gost94"); + if (!ctx->digest) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_TRANSFORM, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else +#endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3411_2012_256Id)) { + ctx->digest = EVP_get_digestbyname("md_gost12_256"); if (!ctx->digest) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -184,7 +217,20 @@ xmlSecOpenSSLEvpDigestInitialize(xmlSecTransformPtr transform) { return(-1); } } else -#endif /* XMLSEC_NO_GOST*/ + + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3411_2012_512Id)) { + ctx->digest = EVP_get_digestbyname("md_gost12_512"); + if (!ctx->digest) + { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_TRANSFORM, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else +#endif /* XMLSEC_NO_GOST2012 */ { xmlSecError(XMLSEC_ERRORS_HERE, @@ -195,10 +241,18 @@ xmlSecOpenSSLEvpDigestInitialize(xmlSecTransformPtr transform) { return(-1); } -#ifndef XMLSEC_OPENSSL_096 - EVP_MD_CTX_init(&(ctx->digestCtx)); -#endif /* XMLSEC_OPENSSL_096 */ + /* create digest CTX */ + ctx->digestCtx = EVP_MD_CTX_new(); + if(ctx->digestCtx == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_MD_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + /* done */ return(0); } @@ -212,9 +266,10 @@ xmlSecOpenSSLEvpDigestFinalize(xmlSecTransformPtr transform) { ctx = xmlSecOpenSSLEvpDigestGetCtx(transform); xmlSecAssert(ctx != NULL); -#ifndef XMLSEC_OPENSSL_096 - EVP_MD_CTX_cleanup(&(ctx->digestCtx)); -#endif /* XMLSEC_OPENSSL_096 */ + if(ctx->digestCtx != NULL) { + EVP_MD_CTX_free(ctx->digestCtx); + } + memset(ctx, 0, sizeof(xmlSecOpenSSLDigestCtx)); } @@ -280,10 +335,10 @@ xmlSecOpenSSLEvpDigestExecute(xmlSecTransformPtr transform, int last, xmlSecTran ctx = xmlSecOpenSSLEvpDigestGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->digest != NULL, -1); + xmlSecAssert2(ctx->digestCtx != NULL, -1); if(transform->status == xmlSecTransformStatusNone) { -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_DigestInit(&(ctx->digestCtx), ctx->digest); + ret = EVP_DigestInit(ctx->digestCtx, ctx->digest); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -292,9 +347,6 @@ xmlSecOpenSSLEvpDigestExecute(xmlSecTransformPtr transform, int last, xmlSecTran XMLSEC_ERRORS_NO_MESSAGE); return(-1); } -#else /* XMLSEC_OPENSSL_096 */ - EVP_DigestInit(&(ctx->digestCtx), ctx->digest); -#endif /* XMLSEC_OPENSSL_096 */ transform->status = xmlSecTransformStatusWorking; } @@ -303,8 +355,7 @@ xmlSecOpenSSLEvpDigestExecute(xmlSecTransformPtr transform, int last, xmlSecTran inSize = xmlSecBufferGetSize(in); if(inSize > 0) { -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_DigestUpdate(&(ctx->digestCtx), xmlSecBufferGetData(in), inSize); + ret = EVP_DigestUpdate(ctx->digestCtx, xmlSecBufferGetData(in), inSize); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -313,9 +364,6 @@ xmlSecOpenSSLEvpDigestExecute(xmlSecTransformPtr transform, int last, xmlSecTran "size=%d", inSize); return(-1); } -#else /* XMLSEC_OPENSSL_096 */ - EVP_DigestUpdate(&(ctx->digestCtx), xmlSecBufferGetData(in), inSize); -#endif /* XMLSEC_OPENSSL_096 */ ret = xmlSecBufferRemoveHead(in, inSize); if(ret < 0) { @@ -332,8 +380,7 @@ xmlSecOpenSSLEvpDigestExecute(xmlSecTransformPtr transform, int last, xmlSecTran xmlSecAssert2((xmlSecSize)EVP_MD_size(ctx->digest) <= sizeof(ctx->dgst), -1); -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_DigestFinal(&(ctx->digestCtx), ctx->dgst, &dgstSize); + ret = EVP_DigestFinal(ctx->digestCtx, ctx->dgst, &dgstSize); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), @@ -342,9 +389,6 @@ xmlSecOpenSSLEvpDigestExecute(xmlSecTransformPtr transform, int last, xmlSecTran XMLSEC_ERRORS_NO_MESSAGE); return(-1); } -#else /* XMLSEC_OPENSSL_096 */ - EVP_DigestFinal(&(ctx->digestCtx), ctx->dgst, &dgstSize); -#endif /* XMLSEC_OPENSSL_096 */ xmlSecAssert2(dgstSize > 0, -1); ctx->dgstSize = XMLSEC_SIZE_BAD_CAST(dgstSize); @@ -745,3 +789,91 @@ xmlSecOpenSSLTransformGostR3411_94GetKlass(void) { } #endif /* XMLSEC_NO_GOST*/ +#ifndef XMLSEC_NO_GOST2012 + +/****************************************************************************** + * + * GOST R 34.11-2012 256 bit + * + *****************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLGostR3411_2012_256Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* size_t klassSize */ + xmlSecOpenSSLEvpDigestSize, /* size_t objSize */ + + xmlSecNameGostR3411_2012_256, /* const xmlChar* name; */ + xmlSecHrefGostR3411_2012_256, /* const xmlChar* href; */ + xmlSecTransformUsageDigestMethod, /* xmlSecTransformUsage usage; */ + xmlSecOpenSSLEvpDigestInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpDigestFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + NULL, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + NULL, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpDigestVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpDigestExecute, /* xmlSecTransformExecuteMethod execute; */ + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformGostR3411_2012_256GetKlass: + * + * GOST R 34.11-2012 256 bit digest transform klass. + * + * Returns: pointer to GOST R 34.11-2012 256 bit digest transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformGostR3411_2012_256GetKlass(void) { + return(&xmlSecOpenSSLGostR3411_2012_256Klass); +} + +/****************************************************************************** + * + * GOST R 34.11-2012 512 bit + * + *****************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLGostR3411_2012_512Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* size_t klassSize */ + xmlSecOpenSSLEvpDigestSize, /* size_t objSize */ + + xmlSecNameGostR3411_2012_512, /* const xmlChar* name; */ + xmlSecHrefGostR3411_2012_512, /* const xmlChar* href; */ + xmlSecTransformUsageDigestMethod, /* xmlSecTransformUsage usage; */ + xmlSecOpenSSLEvpDigestInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpDigestFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + NULL, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + NULL, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpDigestVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpDigestExecute, /* xmlSecTransformExecuteMethod execute; */ + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformGostR3411_2012_512GetKlass: + * + * GOST R 34.11-2012 512 bit digest transform klass. + * + * Returns: pointer to GOST R 34.11-2012 512 bit digest transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformGostR3411_2012_512GetKlass(void) { + return(&xmlSecOpenSSLGostR3411_2012_512Klass); +} + +#endif /* XMLSEC_NO_GOST2012 */ + diff --git a/src/openssl/evp.c b/src/openssl/evp.c index 9cb52dc2..328602bc 100644 --- a/src/openssl/evp.c +++ b/src/openssl/evp.c @@ -4,7 +4,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -250,6 +250,7 @@ xmlSecOpenSSLEvpKeyAdopt(EVP_PKEY *pKey) { } break; #endif /* XMLSEC_NO_ECDSA */ + #ifndef XMLSEC_NO_GOST case NID_id_GostR3410_2001: data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataGost2001Id); @@ -263,6 +264,33 @@ xmlSecOpenSSLEvpKeyAdopt(EVP_PKEY *pKey) { } break; #endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + case NID_id_GostR3410_2012_256: + data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataGostR3410_2012_256Id); + if(data == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecKeyDataCreate", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "xmlSecOpenSSLKeyDataGostR3410_2012_256Id"); + return(NULL); + } + break; + + case NID_id_GostR3410_2012_512: + data = xmlSecKeyDataCreate(xmlSecOpenSSLKeyDataGostR3410_2012_512Id); + if(data == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecKeyDataCreate", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "xmlSecOpenSSLKeyDataGostR3410_2012_512Id"); + return(NULL); + } + break; +#endif /* XMLSEC_NO_GOST2012 */ + default: xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -914,16 +942,27 @@ xmlSecOpenSSLKeyDataDsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlS xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataDsaId), -1); xmlSecAssert2(sizeBits > 0, -1); - dsa = DSA_generate_parameters(sizeBits, NULL, 0, &counter_ret, &h_ret, NULL, NULL); + dsa = DSA_new(); if(dsa == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), - "DSA_generate_parameters", + "DSA_new", XMLSEC_ERRORS_R_CRYPTO_FAILED, "size=%d", sizeBits); return(-1); } + ret = DSA_generate_parameters_ex(dsa, sizeBits, NULL, 0, &counter_ret, &h_ret, NULL); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "DSA_generate_parameters_ex", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "size=%d", sizeBits); + DSA_free(dsa); + return(-1); + } + ret = DSA_generate_key(dsa); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -1060,8 +1099,8 @@ static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataEcdsaKlass = { NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */ /* read/write */ - NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */ - NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */ + NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */ + NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */ NULL, /* xmlSecKeyDataBinReadMethod binRead; */ NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */ @@ -1225,7 +1264,8 @@ static xmlSecSize xmlSecOpenSSLKeyDataEcdsaGetSize(xmlSecKeyDataPtr data) { const EC_GROUP *group; const EC_KEY *ecdsa; - BIGNUM order; + BIGNUM * order; + xmlSecSize res; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataEcdsaId), 0); @@ -1244,16 +1284,30 @@ xmlSecOpenSSLKeyDataEcdsaGetSize(xmlSecKeyDataPtr data) { return(0); } - if(EC_GROUP_get_order(group, &order, NULL) != 1) { + order = BN_new(); + if(order == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "BN_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(0); + } + + if(EC_GROUP_get_order(group, order, NULL) != 1) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "EC_GROUP_get_order", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); + BN_free(order); return(0); } - return(BN_num_bytes(&order)); + res = BN_num_bytes(order); + BN_free(order); + + return(res); } static void @@ -1758,19 +1812,55 @@ xmlSecOpenSSLKeyDataRsaXmlWrite(xmlSecKeyDataId id, xmlSecKeyPtr key, static int xmlSecOpenSSLKeyDataRsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlSecKeyDataType type ATTRIBUTE_UNUSED) { + BIGNUM* e; RSA* rsa; int ret; xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataRsaId), -1); xmlSecAssert2(sizeBits > 0, -1); - rsa = RSA_generate_key(sizeBits, 3, NULL, NULL); + /* create exponent */ + e = BN_new(); + if(e == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "BN_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "sizeBits=%d", sizeBits); + return(-1); + } + + ret = BN_set_word(e, RSA_F4); + if(ret != 1){ + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "BN_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "sizeBits=%d", sizeBits); + BN_free(e); + return(-1); + } + + rsa = RSA_new(); if(rsa == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), + "RSA_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + "sizeBits=%d", sizeBits); + BN_free(e); + return(-1); + } + + ret = RSA_generate_key_ex(rsa, sizeBits, e, NULL); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataGetName(data)), "RSA_generate_key", XMLSEC_ERRORS_R_CRYPTO_FAILED, "sizeBits=%d", sizeBits); + RSA_free(rsa); + BN_free(e); return(-1); } @@ -1782,9 +1872,14 @@ xmlSecOpenSSLKeyDataRsaGenerate(xmlSecKeyDataPtr data, xmlSecSize sizeBits, xmlS XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); RSA_free(rsa); + BN_free(e); return(-1); } + /* cleanup (don't release rsa since xmlSecKeyDataPtr data owns it now */ + BN_free(e); + + /* done */ return(0); } @@ -1798,7 +1893,7 @@ xmlSecOpenSSLKeyDataRsaGetType(xmlSecKeyDataPtr data) { if((rsa != NULL) && (rsa->n != NULL) && (rsa->e != NULL)) { if(rsa->d != NULL) { return(xmlSecKeyDataTypePrivate | xmlSecKeyDataTypePublic); - } else if(rsa->engine != NULL) { + } else if((rsa->flags & RSA_FLAG_EXT_PKEY) != 0) { /* * !!! HACK !!! Also see DSA key * We assume here that engine *always* has private key. @@ -1844,14 +1939,12 @@ xmlSecOpenSSLKeyDataRsaDebugXmlDump(xmlSecKeyDataPtr data, FILE* output) { fprintf(output, "<RSAKeyValue size=\"%d\" />\n", xmlSecOpenSSLKeyDataRsaGetSize(data)); } - #endif /* XMLSEC_NO_RSA */ - #ifndef XMLSEC_NO_GOST /************************************************************************** * - * GOST2001 xml key representation processing. Contain errors. + * GOST2001 xml key representation processing * *************************************************************************/ static int xmlSecOpenSSLKeyDataGost2001Initialize(xmlSecKeyDataPtr data); @@ -1887,17 +1980,17 @@ static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataGost2001Klass = { /* get info */ xmlSecOpenSSLKeyDataGost2001GetType, /* xmlSecKeyDataGetTypeMethod getType; */ xmlSecOpenSSLKeyDataGost2001GetSize, /* xmlSecKeyDataGetSizeMethod getSize; */ - NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */ + NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */ /* read/write */ - NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */ - NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */ - NULL, /* xmlSecKeyDataBinReadMethod binRead; */ - NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */ + NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */ + NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */ + NULL, /* xmlSecKeyDataBinReadMethod binRead; */ + NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */ /* debug */ xmlSecOpenSSLKeyDataGost2001DebugDump, /* xmlSecKeyDataDebugDumpMethod debugDump; */ - xmlSecOpenSSLKeyDataGost2001DebugXmlDump,/* xmlSecKeyDataDebugDumpMethod debugXmlDump; */ + xmlSecOpenSSLKeyDataGost2001DebugXmlDump, /* xmlSecKeyDataDebugDumpMethod debugXmlDump; */ /* reserved for the future */ NULL, /* void* reserved0; */ @@ -1941,9 +2034,9 @@ xmlSecOpenSSLKeyDataGost2001Finalize(xmlSecKeyDataPtr data) { static xmlSecKeyDataType xmlSecOpenSSLKeyDataGost2001GetType(xmlSecKeyDataPtr data) { - /* Now I don't know how to find whether we have both private and public key - or the public only*/ - return(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate); + /* Now I don't know how to find whether we have both private and public key + or the public only*/ + return(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate); } static xmlSecSize @@ -1970,6 +2063,258 @@ xmlSecOpenSSLKeyDataGost2001DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) { fprintf(output, "<GOST2001KeyValue size=\"%d\" />\n", xmlSecOpenSSLKeyDataGost2001GetSize(data)); } +#endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + +/************************************************************************** + * + * GOST R 34.10-2012 256 bit xml key representation processing + * + *************************************************************************/ +static int xmlSecOpenSSLKeyDataGostR3410_2012_256Initialize(xmlSecKeyDataPtr data); +static int xmlSecOpenSSLKeyDataGostR3410_2012_256Duplicate(xmlSecKeyDataPtr dst, + xmlSecKeyDataPtr src); +static void xmlSecOpenSSLKeyDataGostR3410_2012_256Finalize(xmlSecKeyDataPtr data); + +static xmlSecKeyDataType xmlSecOpenSSLKeyDataGostR3410_2012_256GetType(xmlSecKeyDataPtr data); +static xmlSecSize xmlSecOpenSSLKeyDataGostR3410_2012_256GetSize(xmlSecKeyDataPtr data); +static void xmlSecOpenSSLKeyDataGostR3410_2012_256DebugDump(xmlSecKeyDataPtr data, + FILE* output); +static void xmlSecOpenSSLKeyDataGostR3410_2012_256DebugXmlDump(xmlSecKeyDataPtr data, + FILE* output); + +static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataGostR3410_2012_256Klass = { + sizeof(xmlSecKeyDataKlass), + xmlSecOpenSSLEvpKeyDataSize, + + /* data */ + xmlSecNameGostR3410_2012_256KeyValue, + xmlSecKeyDataUsageKeyValueNode | xmlSecKeyDataUsageRetrievalMethodNodeXml, + /* xmlSecKeyDataUsage usage; */ + xmlSecHrefGostR3410_2012_256KeyValue, /* const xmlChar* href; */ + xmlSecNodeGostR3410_2012_256KeyValue, /* const xmlChar* dataNodeName; */ + xmlSecDSigNs, /* const xmlChar* dataNodeNs; */ + + /* constructors/destructor */ + xmlSecOpenSSLKeyDataGostR3410_2012_256Initialize, /* xmlSecKeyDataInitializeMethod initialize; */ + xmlSecOpenSSLKeyDataGostR3410_2012_256Duplicate, /* xmlSecKeyDataDuplicateMethod duplicate; */ + xmlSecOpenSSLKeyDataGostR3410_2012_256Finalize, /* xmlSecKeyDataFinalizeMethod finalize; */ + NULL, /* xmlSecOpenSSLKeyDataGostR3410_2012_256Generate,*/ /* xmlSecKeyDataGenerateMethod generate; */ + + /* get info */ + xmlSecOpenSSLKeyDataGostR3410_2012_256GetType, /* xmlSecKeyDataGetTypeMethod getType; */ + xmlSecOpenSSLKeyDataGostR3410_2012_256GetSize, /* xmlSecKeyDataGetSizeMethod getSize; */ + NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */ + + /* read/write */ + NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */ + NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */ + NULL, /* xmlSecKeyDataBinReadMethod binRead; */ + NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */ + + /* debug */ + xmlSecOpenSSLKeyDataGostR3410_2012_256DebugDump, /* xmlSecKeyDataDebugDumpMethod debugDump; */ + xmlSecOpenSSLKeyDataGostR3410_2012_256DebugXmlDump,/* xmlSecKeyDataDebugDumpMethod debugXmlDump; */ + + /* reserved for the future */ + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLKeyDataGostR3410_2012_256GetKlass: + * + * The GOST R 34.10-2012 256 bit key data klass. + * + * Returns: pointer to GOST R 34.10-2012 256 bit key data klass. + */ +xmlSecKeyDataId +xmlSecOpenSSLKeyDataGostR3410_2012_256GetKlass(void) { + return(&xmlSecOpenSSLKeyDataGostR3410_2012_256Klass); +} + + +static int +xmlSecOpenSSLKeyDataGostR3410_2012_256Initialize(xmlSecKeyDataPtr data) { + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_256Id), -1); + + return(xmlSecOpenSSLEvpKeyDataInitialize(data)); +} + +static int +xmlSecOpenSSLKeyDataGostR3410_2012_256Duplicate(xmlSecKeyDataPtr dst, +xmlSecKeyDataPtr src) { + xmlSecAssert2(xmlSecKeyDataCheckId(dst, xmlSecOpenSSLKeyDataGostR3410_2012_256Id), -1); + xmlSecAssert2(xmlSecKeyDataCheckId(src, xmlSecOpenSSLKeyDataGostR3410_2012_256Id), -1); + + return(xmlSecOpenSSLEvpKeyDataDuplicate(dst, src)); +} + +static void +xmlSecOpenSSLKeyDataGostR3410_2012_256Finalize(xmlSecKeyDataPtr data) { + xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_256Id)); + + xmlSecOpenSSLEvpKeyDataFinalize(data); +} + +static xmlSecKeyDataType +xmlSecOpenSSLKeyDataGostR3410_2012_256GetType(xmlSecKeyDataPtr data) { + /* Now I don't know how to find whether we have both private and public key + or the public only*/ + return(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate); +} + +static xmlSecSize +xmlSecOpenSSLKeyDataGostR3410_2012_256GetSize(xmlSecKeyDataPtr data) { + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_256Id), 0); + + return 512; +} + +static void +xmlSecOpenSSLKeyDataGostR3410_2012_256DebugDump(xmlSecKeyDataPtr data, FILE* output) { + xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_256Id)); + xmlSecAssert(output != NULL); + + fprintf(output, "=== gost key: size = %d\n", + xmlSecOpenSSLKeyDataGostR3410_2012_256GetSize(data)); +} + +static void +xmlSecOpenSSLKeyDataGostR3410_2012_256DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) { + xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_256Id)); + xmlSecAssert(output != NULL); + + fprintf(output, "<GOST2012_256KeyValue size=\"%d\" />\n", + xmlSecOpenSSLKeyDataGostR3410_2012_256GetSize(data)); +} + + + + +/************************************************************************** + * + * GOST R 34.10-2012 512 bit xml key representation processing + * + *************************************************************************/ +static int xmlSecOpenSSLKeyDataGostR3410_2012_512Initialize(xmlSecKeyDataPtr data); +static int xmlSecOpenSSLKeyDataGostR3410_2012_512Duplicate(xmlSecKeyDataPtr dst, + xmlSecKeyDataPtr src); +static void xmlSecOpenSSLKeyDataGostR3410_2012_512Finalize(xmlSecKeyDataPtr data); + +static xmlSecKeyDataType xmlSecOpenSSLKeyDataGostR3410_2012_512GetType(xmlSecKeyDataPtr data); +static xmlSecSize xmlSecOpenSSLKeyDataGostR3410_2012_512GetSize(xmlSecKeyDataPtr data); +static void xmlSecOpenSSLKeyDataGostR3410_2012_512DebugDump(xmlSecKeyDataPtr data, + FILE* output); +static void xmlSecOpenSSLKeyDataGostR3410_2012_512DebugXmlDump(xmlSecKeyDataPtr data, + FILE* output); + +static xmlSecKeyDataKlass xmlSecOpenSSLKeyDataGostR3410_2012_512Klass = { + sizeof(xmlSecKeyDataKlass), + xmlSecOpenSSLEvpKeyDataSize, + + /* data */ + xmlSecNameGostR3410_2012_512KeyValue, + xmlSecKeyDataUsageKeyValueNode | xmlSecKeyDataUsageRetrievalMethodNodeXml, + /* xmlSecKeyDataUsage usage; */ + xmlSecHrefGostR3410_2012_512KeyValue, /* const xmlChar* href; */ + xmlSecNodeGostR3410_2012_512KeyValue, /* const xmlChar* dataNodeName; */ + xmlSecDSigNs, /* const xmlChar* dataNodeNs; */ + + /* constructors/destructor */ + xmlSecOpenSSLKeyDataGostR3410_2012_512Initialize, /* xmlSecKeyDataInitializeMethod initialize; */ + xmlSecOpenSSLKeyDataGostR3410_2012_512Duplicate, /* xmlSecKeyDataDuplicateMethod duplicate; */ + xmlSecOpenSSLKeyDataGostR3410_2012_512Finalize, /* xmlSecKeyDataFinalizeMethod finalize; */ + NULL, /* xmlSecOpenSSLKeyDataGostR3410_2012_512Generate,*/ /* xmlSecKeyDataGenerateMethod generate; */ + + /* get info */ + xmlSecOpenSSLKeyDataGostR3410_2012_512GetType, /* xmlSecKeyDataGetTypeMethod getType; */ + xmlSecOpenSSLKeyDataGostR3410_2012_512GetSize, /* xmlSecKeyDataGetSizeMethod getSize; */ + NULL, /* xmlSecKeyDataGetIdentifier getIdentifier; */ + + /* read/write */ + NULL, /* xmlSecKeyDataXmlReadMethod xmlRead; */ + NULL, /* xmlSecKeyDataXmlWriteMethod xmlWrite; */ + NULL, /* xmlSecKeyDataBinReadMethod binRead; */ + NULL, /* xmlSecKeyDataBinWriteMethod binWrite; */ + + /* debug */ + xmlSecOpenSSLKeyDataGostR3410_2012_512DebugDump, /* xmlSecKeyDataDebugDumpMethod debugDump; */ + xmlSecOpenSSLKeyDataGostR3410_2012_512DebugXmlDump,/* xmlSecKeyDataDebugDumpMethod debugXmlDump; */ + + /* reserved for the future */ + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLKeyDataGostR3410_2012_512GetKlass: + * + * The GOST R 34.10-2012 512 bit key data klass. + * + * Returns: pointer to GOST R 34.10-2012 512 bit key data klass. + */ +xmlSecKeyDataId +xmlSecOpenSSLKeyDataGostR3410_2012_512GetKlass(void) { + return(&xmlSecOpenSSLKeyDataGostR3410_2012_512Klass); +} + + +static int +xmlSecOpenSSLKeyDataGostR3410_2012_512Initialize(xmlSecKeyDataPtr data) { + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_512Id), -1); + + return(xmlSecOpenSSLEvpKeyDataInitialize(data)); +} + +static int +xmlSecOpenSSLKeyDataGostR3410_2012_512Duplicate(xmlSecKeyDataPtr dst, +xmlSecKeyDataPtr src) { + xmlSecAssert2(xmlSecKeyDataCheckId(dst, xmlSecOpenSSLKeyDataGostR3410_2012_512Id), -1); + xmlSecAssert2(xmlSecKeyDataCheckId(src, xmlSecOpenSSLKeyDataGostR3410_2012_512Id), -1); + + return(xmlSecOpenSSLEvpKeyDataDuplicate(dst, src)); +} + +static void +xmlSecOpenSSLKeyDataGostR3410_2012_512Finalize(xmlSecKeyDataPtr data) { + xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_512Id)); + + xmlSecOpenSSLEvpKeyDataFinalize(data); +} + +static xmlSecKeyDataType +xmlSecOpenSSLKeyDataGostR3410_2012_512GetType(xmlSecKeyDataPtr data) { + /* Now I don't know how to find whether we have both private and public key + or the public only*/ + return(xmlSecKeyDataTypePublic | xmlSecKeyDataTypePrivate); +} + +static xmlSecSize +xmlSecOpenSSLKeyDataGostR3410_2012_512GetSize(xmlSecKeyDataPtr data) { + xmlSecAssert2(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_512Id), 0); + + return 1024; +} + +static void +xmlSecOpenSSLKeyDataGostR3410_2012_512DebugDump(xmlSecKeyDataPtr data, FILE* output) { + xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_512Id)); + xmlSecAssert(output != NULL); + + fprintf(output, "=== gost key: size = %d\n", + xmlSecOpenSSLKeyDataGostR3410_2012_512GetSize(data)); +} + +static void +xmlSecOpenSSLKeyDataGostR3410_2012_512DebugXmlDump(xmlSecKeyDataPtr data, FILE* output) { + xmlSecAssert(xmlSecKeyDataCheckId(data, xmlSecOpenSSLKeyDataGostR3410_2012_512Id)); + xmlSecAssert(output != NULL); + + fprintf(output, "<GOST2012_512KeyValue size=\"%d\" />\n", + xmlSecOpenSSLKeyDataGostR3410_2012_512GetSize(data)); +} -#endif /* XMLSEC_NO_GOST*/ +#endif /* XMLSEC_NO_GOST2012 */ diff --git a/src/openssl/evp_signatures.c b/src/openssl/evp_signatures.c new file mode 100644 index 00000000..4dc493ca --- /dev/null +++ b/src/openssl/evp_signatures.c @@ -0,0 +1,1034 @@ +/** + * XMLSec library + * + * This is free software; see Copyright file in the source + * distribution for preciese wording. + * + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. + */ +#include "globals.h" + +#include <string.h> + +#include <openssl/evp.h> +#include <openssl/rand.h> +#include <openssl/sha.h> + +#include <xmlsec/xmlsec.h> +#include <xmlsec/keys.h> +#include <xmlsec/transforms.h> +#include <xmlsec/errors.h> + +#include <xmlsec/openssl/crypto.h> +#include <xmlsec/openssl/evp.h> + +/* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html): + * + * EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed to EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1. + */ +#if !defined(XMLSEC_OPENSSL_110) +#define EVP_MD_CTX_new() EVP_MD_CTX_create() +#define EVP_MD_CTX_free(x) EVP_MD_CTX_destroy((x)) +#define EVP_MD_CTX_md_data(x) ((x)->md_data) +#endif /* !defined(XMLSEC_OPENSSL_110) */ + + +/************************************************************************** + * + * Internal OpenSSL evp signatures ctx + * + *****************************************************************************/ +typedef struct _xmlSecOpenSSLEvpSignatureCtx xmlSecOpenSSLEvpSignatureCtx, + *xmlSecOpenSSLEvpSignatureCtxPtr; +struct _xmlSecOpenSSLEvpSignatureCtx { + const EVP_MD* digest; + EVP_MD_CTX* digestCtx; + xmlSecKeyDataId keyId; + EVP_PKEY* pKey; +}; + +/****************************************************************************** + * + * EVP Signature transforms + * + * xmlSecOpenSSLEvpSignatureCtx is located after xmlSecTransform + * + *****************************************************************************/ +#define xmlSecOpenSSLEvpSignatureSize \ + (sizeof(xmlSecTransform) + sizeof(xmlSecOpenSSLEvpSignatureCtx)) +#define xmlSecOpenSSLEvpSignatureGetCtx(transform) \ + ((xmlSecOpenSSLEvpSignatureCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform))) + +static int xmlSecOpenSSLEvpSignatureCheckId (xmlSecTransformPtr transform); +static int xmlSecOpenSSLEvpSignatureInitialize (xmlSecTransformPtr transform); +static void xmlSecOpenSSLEvpSignatureFinalize (xmlSecTransformPtr transform); +static int xmlSecOpenSSLEvpSignatureSetKeyReq (xmlSecTransformPtr transform, + xmlSecKeyReqPtr keyReq); +static int xmlSecOpenSSLEvpSignatureSetKey (xmlSecTransformPtr transform, + xmlSecKeyPtr key); +static int xmlSecOpenSSLEvpSignatureVerify (xmlSecTransformPtr transform, + const xmlSecByte* data, + xmlSecSize dataSize, + xmlSecTransformCtxPtr transformCtx); +static int xmlSecOpenSSLEvpSignatureExecute (xmlSecTransformPtr transform, + int last, + xmlSecTransformCtxPtr transformCtx); + +static int +xmlSecOpenSSLEvpSignatureCheckId(xmlSecTransformPtr transform) { + +#ifndef XMLSEC_NO_RSA + +#ifndef XMLSEC_NO_MD5 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaMd5Id)) { + return(1); + } else +#endif /* XMLSEC_NO_MD5 */ + +#ifndef XMLSEC_NO_RIPEMD160 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaRipemd160Id)) { + return(1); + } else +#endif /* XMLSEC_NO_RIPEMD160 */ + +#ifndef XMLSEC_NO_SHA1 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha1Id)) { + return(1); + } else +#endif /* XMLSEC_NO_SHA1 */ + +#ifndef XMLSEC_NO_SHA224 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha224Id)) { + return(1); + } else +#endif /* XMLSEC_NO_SHA224 */ + +#ifndef XMLSEC_NO_SHA256 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha256Id)) { + return(1); + } else +#endif /* XMLSEC_NO_SHA256 */ + +#ifndef XMLSEC_NO_SHA384 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha384Id)) { + return(1); + } else +#endif /* XMLSEC_NO_SHA384 */ + +#ifndef XMLSEC_NO_SHA512 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha512Id)) { + return(1); + } else +#endif /* XMLSEC_NO_SHA512 */ + +#endif /* XMLSEC_NO_RSA */ + +#ifndef XMLSEC_NO_GOST + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGost2001GostR3411_94Id)) { + return(1); + } else +#endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_256Id)) { + return(1); + } else + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_512Id)) { + return(1); + } else +#endif /* XMLSEC_NO_GOST2012 */ + + { + return(0); + } + + return(0); +} + +static int +xmlSecOpenSSLEvpSignatureInitialize(xmlSecTransformPtr transform) { + xmlSecOpenSSLEvpSignatureCtxPtr ctx; + + xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert2(ctx != NULL, -1); + + memset(ctx, 0, sizeof(xmlSecOpenSSLEvpSignatureCtx)); + +#ifndef XMLSEC_NO_RSA + +#ifndef XMLSEC_NO_MD5 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaMd5Id)) { + ctx->digest = EVP_md5(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_MD5 */ + +#ifndef XMLSEC_NO_RIPEMD160 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaRipemd160Id)) { + ctx->digest = EVP_ripemd160(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_RIPEMD160 */ + +#ifndef XMLSEC_NO_SHA1 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha1Id)) { + ctx->digest = EVP_sha1(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_SHA1 */ + +#ifndef XMLSEC_NO_SHA224 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha224Id)) { + ctx->digest = EVP_sha224(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_SHA224 */ + +#ifndef XMLSEC_NO_SHA256 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha256Id)) { + ctx->digest = EVP_sha256(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_SHA256 */ + +#ifndef XMLSEC_NO_SHA384 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha384Id)) { + ctx->digest = EVP_sha384(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_SHA384 */ + +#ifndef XMLSEC_NO_SHA512 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha512Id)) { + ctx->digest = EVP_sha512(); + ctx->keyId = xmlSecOpenSSLKeyDataRsaId; + } else +#endif /* XMLSEC_NO_SHA512 */ + +#endif /* XMLSEC_NO_RSA */ + +#ifndef XMLSEC_NO_GOST + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGost2001GostR3411_94Id)) { + ctx->keyId = xmlSecOpenSSLKeyDataGost2001Id; + ctx->digest = EVP_get_digestbyname("md_gost94"); + if (!ctx->digest) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_TRANSFORM, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else +#endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_256Id)) { + ctx->keyId = xmlSecOpenSSLKeyDataGostR3410_2012_256Id; + ctx->digest = EVP_get_digestbyname("md_gost12_256"); + if (!ctx->digest) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_TRANSFORM, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else + + if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_512Id)) { + ctx->keyId = xmlSecOpenSSLKeyDataGostR3410_2012_512Id; + ctx->digest = EVP_get_digestbyname("md_gost12_512"); + if (!ctx->digest) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_TRANSFORM, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else +#endif /* XMLSEC_NO_GOST2012 */ + + if(1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_TRANSFORM, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* create digest CTX */ + ctx->digestCtx = EVP_MD_CTX_new(); + if(ctx->digestCtx == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_MD_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* done */ + return(0); +} + +static void +xmlSecOpenSSLEvpSignatureFinalize(xmlSecTransformPtr transform) { + xmlSecOpenSSLEvpSignatureCtxPtr ctx; + + xmlSecAssert(xmlSecOpenSSLEvpSignatureCheckId(transform)); + xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize)); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert(ctx != NULL); + + if(ctx->pKey != NULL) { + EVP_PKEY_free(ctx->pKey); + } + + if(ctx->digestCtx != NULL) { + EVP_MD_CTX_free(ctx->digestCtx); + } + + memset(ctx, 0, sizeof(xmlSecOpenSSLEvpSignatureCtx)); +} + +static int +xmlSecOpenSSLEvpSignatureSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { + xmlSecOpenSSLEvpSignatureCtxPtr ctx; + xmlSecKeyDataPtr value; + EVP_PKEY* pKey; + + xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(key != NULL, -1); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->digest != NULL, -1); + xmlSecAssert2(ctx->keyId != NULL, -1); + xmlSecAssert2(xmlSecKeyCheckId(key, ctx->keyId), -1); + + value = xmlSecKeyGetValue(key); + xmlSecAssert2(value != NULL, -1); + + pKey = xmlSecOpenSSLEvpKeyDataGetEvp(value); + if(pKey == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecOpenSSLEvpKeyDataGetEvp", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + if(ctx->pKey != NULL) { + EVP_PKEY_free(ctx->pKey); + } + + ctx->pKey = xmlSecOpenSSLEvpKeyDup(pKey); + if(ctx->pKey == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecOpenSSLEvpKeyDup", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + return(0); +} + +static int +xmlSecOpenSSLEvpSignatureSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { + xmlSecOpenSSLEvpSignatureCtxPtr ctx; + + xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(keyReq != NULL, -1); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->keyId != NULL, -1); + + keyReq->keyId = ctx->keyId; + if(transform->operation == xmlSecTransformOperationSign) { + keyReq->keyType = xmlSecKeyDataTypePrivate; + keyReq->keyUsage = xmlSecKeyUsageSign; + } else { + keyReq->keyType = xmlSecKeyDataTypePublic; + keyReq->keyUsage = xmlSecKeyUsageVerify; + } + return(0); +} + + +static int +xmlSecOpenSSLEvpSignatureVerify(xmlSecTransformPtr transform, + const xmlSecByte* data, xmlSecSize dataSize, + xmlSecTransformCtxPtr transformCtx) { + xmlSecOpenSSLEvpSignatureCtxPtr ctx; + int ret; + + xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2(transform->operation == xmlSecTransformOperationVerify, -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(transform->status == xmlSecTransformStatusFinished, -1); + xmlSecAssert2(data != NULL, -1); + xmlSecAssert2(transformCtx != NULL, -1); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->digestCtx != NULL, -1); + + ret = EVP_VerifyFinal(ctx->digestCtx, (xmlSecByte*)data, dataSize, ctx->pKey); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_VerifyFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } else if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_VerifyFinal", + XMLSEC_ERRORS_R_DATA_NOT_MATCH, + "signature do not match"); + transform->status = xmlSecTransformStatusFail; + return(0); + } + + transform->status = xmlSecTransformStatusOk; + return(0); +} + +static int +xmlSecOpenSSLEvpSignatureExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { + xmlSecOpenSSLEvpSignatureCtxPtr ctx; + xmlSecBufferPtr in, out; + xmlSecSize inSize; + xmlSecSize outSize; + int ret; + + xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(transformCtx != NULL, -1); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert2(ctx != NULL, -1); + + in = &(transform->inBuf); + out = &(transform->outBuf); + inSize = xmlSecBufferGetSize(in); + outSize = xmlSecBufferGetSize(out); + + ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->digest != NULL, -1); + xmlSecAssert2(ctx->digestCtx != NULL, -1); + xmlSecAssert2(ctx->pKey != NULL, -1); + + if(transform->status == xmlSecTransformStatusNone) { + xmlSecAssert2(outSize == 0, -1); + + if(transform->operation == xmlSecTransformOperationSign) { + ret = EVP_SignInit(ctx->digestCtx, ctx->digest); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_SignInit", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else { + ret = EVP_VerifyInit(ctx->digestCtx, ctx->digest); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_VerifyInit", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + transform->status = xmlSecTransformStatusWorking; + } + + if((transform->status == xmlSecTransformStatusWorking) && (inSize > 0)) { + xmlSecAssert2(outSize == 0, -1); + + if(transform->operation == xmlSecTransformOperationSign) { + ret = EVP_SignUpdate(ctx->digestCtx, xmlSecBufferGetData(in), inSize); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_SignUpdate", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } else { + ret = EVP_VerifyUpdate(ctx->digestCtx, xmlSecBufferGetData(in), inSize); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_VerifyUpdate", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + + ret = xmlSecBufferRemoveHead(in, inSize); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecBufferRemoveHead", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + } + + if((transform->status == xmlSecTransformStatusWorking) && (last != 0)) { + xmlSecAssert2(outSize == 0, -1); + if(transform->operation == xmlSecTransformOperationSign) { + unsigned int signSize; + + /* for rsa signatures we get size from EVP_PKEY_size() */ + signSize = EVP_PKEY_size(ctx->pKey); + ret = xmlSecBufferSetMaxSize(out, signSize); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecBufferSetMaxSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "size=%u", signSize); + return(-1); + } + + ret = EVP_SignFinal(ctx->digestCtx, xmlSecBufferGetData(out), &signSize, ctx->pKey); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_SignFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + ret = xmlSecBufferSetSize(out, signSize); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "size=%u", signSize); + return(-1); + } + } + transform->status = xmlSecTransformStatusFinished; + } + + if((transform->status == xmlSecTransformStatusWorking) || (transform->status == xmlSecTransformStatusFinished)) { + /* the only way we can get here is if there is no input */ + xmlSecAssert2(xmlSecBufferGetSize(&(transform->inBuf)) == 0, -1); + } else { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + NULL, + XMLSEC_ERRORS_R_INVALID_STATUS, + "status=%d", transform->status); + return(-1); + } + + return(0); +} + + +#ifndef XMLSEC_NO_RSA + +#ifndef XMLSEC_NO_MD5 +/**************************************************************************** + * + * RSA-MD5 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaMd5Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaMd5, /* const xmlChar* name; */ + xmlSecHrefRsaMd5, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaMd5GetKlass: + * + * The RSA-MD5 signature transform klass. + * + * Returns: RSA-MD5 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaMd5GetKlass(void) { + return(&xmlSecOpenSSLRsaMd5Klass); +} + +#endif /* XMLSEC_NO_MD5 */ + +#ifndef XMLSEC_NO_RIPEMD160 +/**************************************************************************** + * + * RSA-RIPEMD160 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaRipemd160Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaRipemd160, /* const xmlChar* name; */ + xmlSecHrefRsaRipemd160, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaRipemd160GetKlass: + * + * The RSA-RIPEMD160 signature transform klass. + * + * Returns: RSA-RIPEMD160 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaRipemd160GetKlass(void) { + return(&xmlSecOpenSSLRsaRipemd160Klass); +} + +#endif /* XMLSEC_NO_RIPEMD160 */ + +#ifndef XMLSEC_NO_SHA1 +/**************************************************************************** + * + * RSA-SHA1 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaSha1Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaSha1, /* const xmlChar* name; */ + xmlSecHrefRsaSha1, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaSha1GetKlass: + * + * The RSA-SHA1 signature transform klass. + * + * Returns: RSA-SHA1 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaSha1GetKlass(void) { + return(&xmlSecOpenSSLRsaSha1Klass); +} + +#endif /* XMLSEC_NO_SHA1 */ + +#ifndef XMLSEC_NO_SHA224 +/**************************************************************************** + * + * RSA-SHA224 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaSha224Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaSha224, /* const xmlChar* name; */ + xmlSecHrefRsaSha224, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaSha224GetKlass: + * + * The RSA-SHA224 signature transform klass. + * + * Returns: RSA-SHA224 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaSha224GetKlass(void) { + return(&xmlSecOpenSSLRsaSha224Klass); +} + +#endif /* XMLSEC_NO_SHA224 */ + +#ifndef XMLSEC_NO_SHA256 +/**************************************************************************** + * + * RSA-SHA256 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaSha256Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaSha256, /* const xmlChar* name; */ + xmlSecHrefRsaSha256, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaSha256GetKlass: + * + * The RSA-SHA256 signature transform klass. + * + * Returns: RSA-SHA256 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaSha256GetKlass(void) { + return(&xmlSecOpenSSLRsaSha256Klass); +} + +#endif /* XMLSEC_NO_SHA256 */ + +#ifndef XMLSEC_NO_SHA384 +/**************************************************************************** + * + * RSA-SHA384 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaSha384Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaSha384, /* const xmlChar* name; */ + xmlSecHrefRsaSha384, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaSha384GetKlass: + * + * The RSA-SHA384 signature transform klass. + * + * Returns: RSA-SHA384 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaSha384GetKlass(void) { + return(&xmlSecOpenSSLRsaSha384Klass); +} + +#endif /* XMLSEC_NO_SHA384 */ + +#ifndef XMLSEC_NO_SHA512 +/**************************************************************************** + * + * RSA-SHA512 signature transform + * + ***************************************************************************/ +static xmlSecTransformKlass xmlSecOpenSSLRsaSha512Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameRsaSha512, /* const xmlChar* name; */ + xmlSecHrefRsaSha512, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformRsaSha512GetKlass: + * + * The RSA-SHA512 signature transform klass. + * + * Returns: RSA-SHA512 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformRsaSha512GetKlass(void) { + return(&xmlSecOpenSSLRsaSha512Klass); +} + +#endif /* XMLSEC_NO_SHA512 */ + +#endif /* XMLSEC_NO_RSA */ + +#ifndef XMLSEC_NO_GOST +/**************************************************************************** + * + * GOST2001-GOSTR3411_94 signature transform + * + ***************************************************************************/ + +static xmlSecTransformKlass xmlSecOpenSSLGost2001GostR3411_94Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameGost2001GostR3411_94, /* const xmlChar* name; */ + xmlSecHrefGost2001GostR3411_94, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformGost2001GostR3411_94GetKlass: + * + * The GOST2001-GOSTR3411_94 signature transform klass. + * + * Returns: GOST2001-GOSTR3411_94 signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformGost2001GostR3411_94GetKlass(void) { + return(&xmlSecOpenSSLGost2001GostR3411_94Klass); +} +#endif /* XMLSEC_NO_GOST */ + +#ifndef XMLSEC_NO_GOST2012 + +/**************************************************************************** + * + * GOST R 34.10-2012 - GOST R 34.11-2012 256 bit signature transform + * + ***************************************************************************/ + +static xmlSecTransformKlass xmlSecOpenSSLGostR3410_2012GostR3411_2012_256Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameGostR3410_2012GostR3411_2012_256, /* const xmlChar* name; */ + xmlSecHrefGostR3410_2012GostR3411_2012_256, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformGost3410_2012GostR3411_2012_256GetKlass: + * + * The GOST R 34.10-2012 - GOST R 34.11-2012 256 bit signature transform klass. + * + * Returns: GOST R 34.10-2012 - GOST R 34.11-2012 256 bit signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_256GetKlass(void) { + return(&xmlSecOpenSSLGostR3410_2012GostR3411_2012_256Klass); +} + + +/**************************************************************************** + * + * GOST R 34.10-2012 - GOST R 34.11-2012 512 bit signature transform + * + ***************************************************************************/ + +static xmlSecTransformKlass xmlSecOpenSSLGostR3410_2012GostR3411_2012_512Klass = { + /* klass/object sizes */ + sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ + xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + + xmlSecNameGostR3410_2012GostR3411_2012_512, /* const xmlChar* name; */ + xmlSecHrefGostR3410_2012GostR3411_2012_512, /* const xmlChar* href; */ + xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ + + xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + NULL, /* xmlSecTransformNodeReadMethod readNode; */ + NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ + xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ + xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ + xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ + NULL, /* xmlSecTransformPushXmlMethod pushXml; */ + NULL, /* xmlSecTransformPopXmlMethod popXml; */ + xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + + NULL, /* void* reserved0; */ + NULL, /* void* reserved1; */ +}; + +/** + * xmlSecOpenSSLTransformGost3410_2012GostR3411_2012_512GetKlass: + * + * The GOST R 34.10-2012 - GOST R 34.11-2012 512 bit signature transform klass. + * + * Returns: GOST R 34.10-2012 - GOST R 34.11-2012 512 bit signature transform klass. + */ +xmlSecTransformId +xmlSecOpenSSLTransformGostR3410_2012GostR3411_2012_512GetKlass(void) { + return(&xmlSecOpenSSLGostR3410_2012GostR3411_2012_512Klass); +} + +#endif /* XMLSEC_NO_GOST2012 */ + + diff --git a/src/openssl/globals.h b/src/openssl/globals.h index 770b6dba..065c3e8f 100644 --- a/src/openssl/globals.h +++ b/src/openssl/globals.h @@ -6,7 +6,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #ifndef __XMLSEC_GLOBALS_H__ #define __XMLSEC_GLOBALS_H__ diff --git a/src/openssl/hmac.c b/src/openssl/hmac.c index bad1ac03..edfc3af4 100644 --- a/src/openssl/hmac.c +++ b/src/openssl/hmac.c @@ -13,7 +13,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #ifndef XMLSEC_NO_HMAC #include "globals.h" @@ -33,6 +33,16 @@ #include <xmlsec/openssl/crypto.h> +/* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/hmac.html): + * + * HMAC_CTX_new() and HMAC_CTX_free() are new in OpenSSL version 1.1. + */ +#if !defined(XMLSEC_OPENSSL_110) +#define HMAC_CTX_new() ((HMAC_CTX*)calloc(1, sizeof(HMAC_CTX))) +#define HMAC_CTX_free(x) { HMAC_CTX_cleanup((x)); free((x)); } +#endif /* !defined(XMLSEC_OPENSSL_110) */ + + /* sizes in bits */ #define XMLSEC_OPENSSL_MIN_HMAC_SIZE 80 #define XMLSEC_OPENSSL_MAX_HMAC_SIZE (EVP_MAX_MD_SIZE * 8) @@ -75,7 +85,7 @@ void xmlSecOpenSSLHmacSetMinOutputLength(int min_length) typedef struct _xmlSecOpenSSLHmacCtx xmlSecOpenSSLHmacCtx, *xmlSecOpenSSLHmacCtxPtr; struct _xmlSecOpenSSLHmacCtx { const EVP_MD* hmacDgst; - HMAC_CTX hmacCtx; + HMAC_CTX* hmacCtx; int ctxInitialized; xmlSecByte dgst[XMLSEC_OPENSSL_MAX_HMAC_SIZE]; xmlSecSize dgstSize; /* dgst size in bits */ @@ -232,9 +242,18 @@ xmlSecOpenSSLHmacInitialize(xmlSecTransformPtr transform) { return(-1); } -#ifndef XMLSEC_OPENSSL_096 - HMAC_CTX_init(&(ctx->hmacCtx)); -#endif /* XMLSEC_OPENSSL_096 */ + /* create hmac CTX */ + ctx->hmacCtx = HMAC_CTX_new(); + if(ctx->hmacCtx == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "HMAC_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + /* done */ return(0); } @@ -248,9 +267,10 @@ xmlSecOpenSSLHmacFinalize(xmlSecTransformPtr transform) { ctx = xmlSecOpenSSLHmacGetCtx(transform); xmlSecAssert(ctx != NULL); -#ifndef XMLSEC_OPENSSL_096 - HMAC_CTX_cleanup(&(ctx->hmacCtx)); -#endif /* XMLSEC_OPENSSL_096 */ + if(ctx->hmacCtx != NULL) { + HMAC_CTX_free(ctx->hmacCtx); + } + memset(ctx, 0, sizeof(xmlSecOpenSSLHmacCtx)); } @@ -327,6 +347,7 @@ xmlSecOpenSSLHmacSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { xmlSecOpenSSLHmacCtxPtr ctx; xmlSecKeyDataPtr value; xmlSecBufferPtr buffer; + int ret; xmlSecAssert2(xmlSecOpenSSLHmacCheckId(transform), -1); xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); @@ -335,6 +356,7 @@ xmlSecOpenSSLHmacSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { ctx = xmlSecOpenSSLHmacGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->hmacCtx != NULL, -1); xmlSecAssert2(ctx->hmacDgst != NULL, -1); xmlSecAssert2(ctx->ctxInitialized == 0, -1); @@ -354,10 +376,32 @@ xmlSecOpenSSLHmacSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { } xmlSecAssert2(xmlSecBufferGetData(buffer) != NULL, -1); - HMAC_Init(&(ctx->hmacCtx), + +#if (defined(XMLSEC_OPENSSL_098)) + /* no return value in 0.9.8 */ + HMAC_Init_ex(ctx->hmacCtx, + xmlSecBufferGetData(buffer), + xmlSecBufferGetSize(buffer), + ctx->hmacDgst, + NULL); + ret = 1; +#else /* (defined(XMLSEC_OPENSSL_098)) */ + ret = HMAC_Init_ex(ctx->hmacCtx, xmlSecBufferGetData(buffer), xmlSecBufferGetSize(buffer), - ctx->hmacDgst); + ctx->hmacDgst, + NULL); +#endif /* (defined(XMLSEC_OPENSSL_098)) */ + + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "HMAC_Init_ex", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + NULL); + return(-1); + } + ctx->ctxInitialized = 1; return(0); } @@ -448,6 +492,7 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform ctx = xmlSecOpenSSLHmacGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->ctxInitialized != 0, -1); + xmlSecAssert2(ctx->hmacCtx != NULL, -1); if(transform->status == xmlSecTransformStatusNone) { /* we should be already initialized when we set key */ @@ -459,7 +504,7 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform inSize = xmlSecBufferGetSize(in); if(inSize > 0) { - HMAC_Update(&(ctx->hmacCtx), xmlSecBufferGetData(in), inSize); + HMAC_Update(ctx->hmacCtx, xmlSecBufferGetData(in), inSize); ret = xmlSecBufferRemoveHead(in, inSize); if(ret < 0) { @@ -475,7 +520,7 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform if(last) { unsigned int dgstSize; - HMAC_Final(&(ctx->hmacCtx), ctx->dgst, &dgstSize); + HMAC_Final(ctx->hmacCtx, ctx->dgst, &dgstSize); xmlSecAssert2(dgstSize > 0, -1); /* check/set the result digest size */ diff --git a/src/openssl/kt_rsa.c b/src/openssl/kt_rsa.c index 1cf1aba1..8d47e427 100644 --- a/src/openssl/kt_rsa.c +++ b/src/openssl/kt_rsa.c @@ -7,7 +7,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -785,8 +785,17 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr } outSize = ret; } else if((transform->operation == xmlSecTransformOperationDecrypt) && (paramsSize != 0)) { - BIGNUM bn; + BIGNUM * bn; + bn = BN_new(); + if(bn == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "BN_new()", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } ret = RSA_private_decrypt(inSize, xmlSecBufferGetData(in), xmlSecBufferGetData(out), ctx->pKey->pkey.rsa, RSA_NO_PADDING); @@ -796,6 +805,7 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr "RSA_private_decrypt(RSA_NO_PADDING)", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); + BN_free(bn); return(-1); } outSize = ret; @@ -806,28 +816,27 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr * beggining so I have to do decode it back to BIGNUM and dump * buffer again */ - BN_init(&bn); - if(BN_bin2bn(xmlSecBufferGetData(out), outSize, &bn) == NULL) { + if(BN_bin2bn(xmlSecBufferGetData(out), outSize, bn) == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), "BN_bin2bn", XMLSEC_ERRORS_R_CRYPTO_FAILED, "size=%d", outSize); - BN_clear_free(&bn); + BN_free(bn); return(-1); } - ret = BN_bn2bin(&bn, xmlSecBufferGetData(out)); + ret = BN_bn2bin(bn, xmlSecBufferGetData(out)); if(ret <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), "BN_bn2bin", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - BN_clear_free(&bn); + BN_free(bn); return(-1); } - BN_clear_free(&bn); + BN_free(bn); outSize = ret; ret = RSA_padding_check_PKCS1_OAEP(xmlSecBufferGetData(out), outSize, @@ -845,7 +854,12 @@ xmlSecOpenSSLRsaOaepProcess(xmlSecTransformPtr transform, xmlSecTransformCtxPtr } outSize = ret; } else { - xmlSecAssert2("we could not be here" == NULL, -1); + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "Unexpected trasnform operation: %d; paramsSize: %d", + (int)transform->operation, (int)paramsSize); return(-1); } diff --git a/src/openssl/kw_aes.c b/src/openssl/kw_aes.c index 573fb985..8e71148e 100644 --- a/src/openssl/kw_aes.c +++ b/src/openssl/kw_aes.c @@ -7,10 +7,9 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #ifndef XMLSEC_NO_AES -#ifndef XMLSEC_OPENSSL_096 #include "globals.h" #include <stdlib.h> @@ -508,6 +507,4 @@ xmlSecOpenSSLKWAesBlockDecrypt(const xmlSecByte * in, xmlSecSize inSize, return(AES_BLOCK_SIZE); } - -#endif /* XMLSEC_OPENSSL_096 */ #endif /* XMLSEC_NO_AES */ diff --git a/src/openssl/kw_des.c b/src/openssl/kw_des.c index 9d55e107..c9642579 100644 --- a/src/openssl/kw_des.c +++ b/src/openssl/kw_des.c @@ -7,7 +7,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2010 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #ifndef XMLSEC_NO_DES #include "globals.h" @@ -505,7 +505,7 @@ xmlSecOpenSSLKWDes3Encrypt(const xmlSecByte *key, xmlSecSize keySize, const xmlSecByte *in, xmlSecSize inSize, xmlSecByte *out, xmlSecSize outSize, int enc) { - EVP_CIPHER_CTX cipherCtx; + EVP_CIPHER_CTX * cipherCtx; int updateLen; int finalLen; int ret; @@ -519,42 +519,55 @@ xmlSecOpenSSLKWDes3Encrypt(const xmlSecByte *key, xmlSecSize keySize, xmlSecAssert2(out != NULL, -1); xmlSecAssert2(outSize >= inSize, -1); - EVP_CIPHER_CTX_init(&cipherCtx); - ret = EVP_CipherInit(&cipherCtx, EVP_des_ede3_cbc(), key, iv, enc); + cipherCtx = EVP_CIPHER_CTX_new(); + if(cipherCtx == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "EVP_CIPHER_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + ret = EVP_CipherInit(cipherCtx, EVP_des_ede3_cbc(), key, iv, enc); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "EVP_CipherInit", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); + EVP_CIPHER_CTX_free(cipherCtx); return(-1); } -#ifndef XMLSEC_OPENSSL_096 - EVP_CIPHER_CTX_set_padding(&cipherCtx, 0); -#endif /* XMLSEC_OPENSSL_096 */ + EVP_CIPHER_CTX_set_padding(cipherCtx, 0); - ret = EVP_CipherUpdate(&cipherCtx, out, &updateLen, in, inSize); + ret = EVP_CipherUpdate(cipherCtx, out, &updateLen, in, inSize); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "EVP_CipherUpdate", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); + EVP_CIPHER_CTX_free(cipherCtx); return(-1); } - ret = EVP_CipherFinal(&cipherCtx, out + updateLen, &finalLen); + ret = EVP_CipherFinal(cipherCtx, out + updateLen, &finalLen); if(ret != 1) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "EVP_CipherFinal", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); + EVP_CIPHER_CTX_free(cipherCtx); return(-1); } - EVP_CIPHER_CTX_cleanup(&cipherCtx); + /* cleanup */ + EVP_CIPHER_CTX_free(cipherCtx); + + /* done */ return(updateLen + finalLen); } diff --git a/src/openssl/signatures.c b/src/openssl/signatures.c index 7e3dbc7d..5cb6f7b8 100644 --- a/src/openssl/signatures.c +++ b/src/openssl/signatures.c @@ -4,7 +4,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -22,92 +22,145 @@ #include <xmlsec/openssl/crypto.h> #include <xmlsec/openssl/evp.h> +/* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/EVP_DigestInit.html): + * + * EVP_MD_CTX_create() and EVP_MD_CTX_destroy() were renamed to EVP_MD_CTX_new() and EVP_MD_CTX_free() in OpenSSL 1.1. + */ +#if !defined(XMLSEC_OPENSSL_110) +#define EVP_MD_CTX_new() EVP_MD_CTX_create() +#define EVP_MD_CTX_free(x) EVP_MD_CTX_destroy((x)) +#define EVP_MD_CTX_md_data(x) ((x)->md_data) + #ifndef XMLSEC_NO_DSA +/* we expect the r/s to be NOT NULL */ +static void ECDSA_SIG_get0(BIGNUM **pr, BIGNUM **ps, ECDSA_SIG *sig) { + if (pr != NULL) { + if(sig->r == NULL) { + sig->r = BN_new(); + } + *pr = sig->r; + } + if (ps != NULL) { + if(sig->s == NULL) { + sig->s = BN_new(); + } + *ps = sig->s; + } +} +#endif /* XMLSEC_NO_ECDSA */ -#define XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE (20 * 2) +#endif /* !defined(XMLSEC_OPENSSL_110) */ -#ifndef XMLSEC_NO_SHA1 -static const EVP_MD *xmlSecOpenSSLDsaSha1Evp (void); -#endif /* XMLSEC_NO_SHA1 */ +/* Preparation for OpenSSL 1.1.0 compatibility: we expect the r/s to be NOT NULL */ +#ifndef XMLSEC_NO_DSA +static void DSA_SIG_get0(BIGNUM **pr, BIGNUM **ps, DSA_SIG *sig) { + if (pr != NULL) { + if(sig->r == NULL) { + sig->r = BN_new(); + } + *pr = sig->r; + } + if (ps != NULL) { + if(sig->s == NULL) { + sig->s = BN_new(); + } + *ps = sig->s; + } +} +#endif /* XMLSEC_NO_DSA */ -#ifndef XMLSEC_NO_SHA256 -#ifdef XMLSEC_OPENSSL_100 -static const EVP_MD *xmlSecOpenSSLDsaSha256Evp (void); -#endif /* XMLSEC_OPENSSL_100 */ -#endif /* XMLSEC_NO_SHA256 */ -#endif /* XMLSEC_NO_DSA */ -#ifndef XMLSEC_NO_ECDSA -#define XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE ((512 / 8) * 2) +/************************************************************************** + * + * Internal OpenSSL signatures ctx: forward declarations + * + *****************************************************************************/ +typedef struct _xmlSecOpenSSLSignatureCtx xmlSecOpenSSLSignatureCtx, + *xmlSecOpenSSLSignatureCtxPtr; -#ifndef XMLSEC_NO_SHA1 -static const EVP_MD *xmlSecOpenSSLEcdsaSha1Evp (void); -#endif /* XMLSEC_NO_SHA1 */ +#ifndef XMLSEC_NO_DSA -#ifndef XMLSEC_NO_SHA224 -static const EVP_MD *xmlSecOpenSSLEcdsaSha224Evp (void); -#endif /* XMLSEC_NO_SHA224 */ +static int xmlSecOpenSSLSignatureDsaSign (xmlSecOpenSSLSignatureCtxPtr ctx, + xmlSecBufferPtr out); +static int xmlSecOpenSSLSignatureDsaVerify (xmlSecOpenSSLSignatureCtxPtr ctx, + const xmlSecByte* signData, + xmlSecSize signSize); +#endif /* XMLSEC_NO_DSA */ -#ifndef XMLSEC_NO_SHA256 -static const EVP_MD *xmlSecOpenSSLEcdsaSha256Evp (void); -#endif /* XMLSEC_NO_SHA256 */ +#ifndef XMLSEC_NO_ECDSA -#ifndef XMLSEC_NO_SHA384 -static const EVP_MD *xmlSecOpenSSLEcdsaSha384Evp (void); -#endif /* XMLSEC_NO_SHA384 */ +static int xmlSecOpenSSLSignatureEcdsaSign (xmlSecOpenSSLSignatureCtxPtr ctx, + xmlSecBufferPtr out); +static int xmlSecOpenSSLSignatureEcdsaVerify (xmlSecOpenSSLSignatureCtxPtr ctx, + const xmlSecByte* signData, + xmlSecSize signSize); -#ifndef XMLSEC_NO_SHA512 -static const EVP_MD *xmlSecOpenSSLEcdsaSha512Evp (void); -#endif /* XMLSEC_NO_SHA512 */ #endif /* XMLSEC_NO_ECDSA */ + + +/************************************************************************** + * + * Sign/verify callbacks + * + *****************************************************************************/ +typedef int (*xmlSecOpenSSLSignatureSignCallback) (xmlSecOpenSSLSignatureCtxPtr ctx, + xmlSecBufferPtr out); +typedef int (*xmlSecOpenSSLSignatureVerifyCallback) (xmlSecOpenSSLSignatureCtxPtr ctx, + const xmlSecByte* signData, + xmlSecSize signSize); + /************************************************************************** * - * Internal OpenSSL evp signatures ctx + * Internal OpenSSL signatures ctx * *****************************************************************************/ -typedef struct _xmlSecOpenSSLEvpSignatureCtx xmlSecOpenSSLEvpSignatureCtx, - *xmlSecOpenSSLEvpSignatureCtxPtr; -struct _xmlSecOpenSSLEvpSignatureCtx { - const EVP_MD* digest; - EVP_MD_CTX digestCtx; - xmlSecKeyDataId keyId; - EVP_PKEY* pKey; +struct _xmlSecOpenSSLSignatureCtx { + const EVP_MD* digest; + EVP_MD_CTX* digestCtx; + xmlSecKeyDataId keyId; + xmlSecOpenSSLSignatureSignCallback signCallback; + xmlSecOpenSSLSignatureVerifyCallback verifyCallback; + EVP_PKEY* pKey; + unsigned char dgst[EVP_MAX_MD_SIZE]; + unsigned int dgstSize; }; + + /****************************************************************************** * - * EVP Signature transforms + * Signature transforms * - * xmlSecOpenSSLEvpSignatureCtx is located after xmlSecTransform + * xmlSecOpenSSLSignatureCtx is located after xmlSecTransform * *****************************************************************************/ -#define xmlSecOpenSSLEvpSignatureSize \ - (sizeof(xmlSecTransform) + sizeof(xmlSecOpenSSLEvpSignatureCtx)) -#define xmlSecOpenSSLEvpSignatureGetCtx(transform) \ - ((xmlSecOpenSSLEvpSignatureCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform))) - -static int xmlSecOpenSSLEvpSignatureCheckId (xmlSecTransformPtr transform); -static int xmlSecOpenSSLEvpSignatureInitialize (xmlSecTransformPtr transform); -static void xmlSecOpenSSLEvpSignatureFinalize (xmlSecTransformPtr transform); -static int xmlSecOpenSSLEvpSignatureSetKeyReq (xmlSecTransformPtr transform, +#define xmlSecOpenSSLSignatureSize \ + (sizeof(xmlSecTransform) + sizeof(xmlSecOpenSSLSignatureCtx)) +#define xmlSecOpenSSLSignatureGetCtx(transform) \ + ((xmlSecOpenSSLSignatureCtxPtr)(((xmlSecByte*)(transform)) + sizeof(xmlSecTransform))) + +static int xmlSecOpenSSLSignatureCheckId (xmlSecTransformPtr transform); +static int xmlSecOpenSSLSignatureInitialize (xmlSecTransformPtr transform); +static void xmlSecOpenSSLSignatureFinalize (xmlSecTransformPtr transform); +static int xmlSecOpenSSLSignatureSetKeyReq (xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq); -static int xmlSecOpenSSLEvpSignatureSetKey (xmlSecTransformPtr transform, +static int xmlSecOpenSSLSignatureSetKey (xmlSecTransformPtr transform, xmlSecKeyPtr key); -static int xmlSecOpenSSLEvpSignatureVerify (xmlSecTransformPtr transform, +static int xmlSecOpenSSLSignatureVerify (xmlSecTransformPtr transform, const xmlSecByte* data, xmlSecSize dataSize, xmlSecTransformCtxPtr transformCtx); -static int xmlSecOpenSSLEvpSignatureExecute (xmlSecTransformPtr transform, +static int xmlSecOpenSSLSignatureExecute (xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx); static int -xmlSecOpenSSLEvpSignatureCheckId(xmlSecTransformPtr transform) { +xmlSecOpenSSLSignatureCheckId(xmlSecTransformPtr transform) { #ifndef XMLSEC_NO_DSA #ifndef XMLSEC_NO_SHA1 @@ -158,58 +211,6 @@ xmlSecOpenSSLEvpSignatureCheckId(xmlSecTransformPtr transform) { #endif /* XMLSEC_NO_ECDSA */ -#ifndef XMLSEC_NO_RSA - -#ifndef XMLSEC_NO_MD5 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaMd5Id)) { - return(1); - } else -#endif /* XMLSEC_NO_MD5 */ - -#ifndef XMLSEC_NO_RIPEMD160 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaRipemd160Id)) { - return(1); - } else -#endif /* XMLSEC_NO_RIPEMD160 */ - -#ifndef XMLSEC_NO_SHA1 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha1Id)) { - return(1); - } else -#endif /* XMLSEC_NO_SHA1 */ - -#ifndef XMLSEC_NO_SHA224 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha224Id)) { - return(1); - } else -#endif /* XMLSEC_NO_SHA224 */ - -#ifndef XMLSEC_NO_SHA256 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha256Id)) { - return(1); - } else -#endif /* XMLSEC_NO_SHA256 */ - -#ifndef XMLSEC_NO_SHA384 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha384Id)) { - return(1); - } else -#endif /* XMLSEC_NO_SHA384 */ - -#ifndef XMLSEC_NO_SHA512 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha512Id)) { - return(1); - } else -#endif /* XMLSEC_NO_SHA512 */ - -#endif /* XMLSEC_NO_RSA */ - -#ifndef XMLSEC_NO_GOST - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGost2001GostR3411_94Id)) { - return(1); - } else -#endif /* XMLSEC_NO_GOST*/ - { return(0); } @@ -218,33 +219,36 @@ xmlSecOpenSSLEvpSignatureCheckId(xmlSecTransformPtr transform) { } static int -xmlSecOpenSSLEvpSignatureInitialize(xmlSecTransformPtr transform) { - xmlSecOpenSSLEvpSignatureCtxPtr ctx; +xmlSecOpenSSLSignatureInitialize(xmlSecTransformPtr transform) { + xmlSecOpenSSLSignatureCtxPtr ctx; + int ret; - xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); - xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(xmlSecOpenSSLSignatureCheckId(transform), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLSignatureSize), -1); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); - memset(ctx, 0, sizeof(xmlSecOpenSSLEvpSignatureCtx)); + memset(ctx, 0, sizeof(xmlSecOpenSSLSignatureCtx)); #ifndef XMLSEC_NO_DSA #ifndef XMLSEC_NO_SHA1 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformDsaSha1Id)) { - ctx->digest = xmlSecOpenSSLDsaSha1Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataDsaId; + ctx->digest = EVP_sha1(); + ctx->keyId = xmlSecOpenSSLKeyDataDsaId; + ctx->signCallback = xmlSecOpenSSLSignatureDsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureDsaVerify; } else #endif /* XMLSEC_NO_SHA1 */ #ifndef XMLSEC_NO_SHA256 -#ifdef XMLSEC_OPENSSL_100 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformDsaSha256Id)) { - ctx->digest = xmlSecOpenSSLDsaSha256Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataDsaId; + ctx->digest = EVP_sha256(); + ctx->keyId = xmlSecOpenSSLKeyDataDsaId; + ctx->signCallback = xmlSecOpenSSLSignatureDsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureDsaVerify; } else -#endif /* XMLSEC_OPENSSL_100 */ #endif /* XMLSEC_NO_SHA256 */ #endif /* XMLSEC_NO_DSA */ @@ -253,157 +257,118 @@ xmlSecOpenSSLEvpSignatureInitialize(xmlSecTransformPtr transform) { #ifndef XMLSEC_NO_SHA1 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformEcdsaSha1Id)) { - ctx->digest = xmlSecOpenSSLEcdsaSha1Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->digest = EVP_sha1(); + ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->signCallback = xmlSecOpenSSLSignatureEcdsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureEcdsaVerify; } else #endif /* XMLSEC_NO_SHA1 */ #ifndef XMLSEC_NO_SHA224 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformEcdsaSha224Id)) { - ctx->digest = xmlSecOpenSSLEcdsaSha224Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->digest = EVP_sha224(); + ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->signCallback = xmlSecOpenSSLSignatureEcdsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureEcdsaVerify; } else #endif /* XMLSEC_NO_SHA224 */ #ifndef XMLSEC_NO_SHA256 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformEcdsaSha256Id)) { - ctx->digest = xmlSecOpenSSLEcdsaSha256Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->digest = EVP_sha256(); + ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->signCallback = xmlSecOpenSSLSignatureEcdsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureEcdsaVerify; } else #endif /* XMLSEC_NO_SHA256 */ #ifndef XMLSEC_NO_SHA384 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformEcdsaSha384Id)) { - ctx->digest = xmlSecOpenSSLEcdsaSha384Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->digest = EVP_sha384(); + ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->signCallback = xmlSecOpenSSLSignatureEcdsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureEcdsaVerify; } else #endif /* XMLSEC_NO_SHA384 */ #ifndef XMLSEC_NO_SHA512 if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformEcdsaSha512Id)) { - ctx->digest = xmlSecOpenSSLEcdsaSha512Evp(); - ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->digest = EVP_sha512(); + ctx->keyId = xmlSecOpenSSLKeyDataEcdsaId; + ctx->signCallback = xmlSecOpenSSLSignatureEcdsaSign; + ctx->verifyCallback = xmlSecOpenSSLSignatureEcdsaVerify; } else #endif /* XMLSEC_NO_SHA512 */ #endif /* XMLSEC_NO_ECDSA */ -#ifndef XMLSEC_NO_RSA - -#ifndef XMLSEC_NO_MD5 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaMd5Id)) { - ctx->digest = EVP_md5(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_MD5 */ - -#ifndef XMLSEC_NO_RIPEMD160 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaRipemd160Id)) { - ctx->digest = EVP_ripemd160(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_RIPEMD160 */ - -#ifndef XMLSEC_NO_SHA1 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha1Id)) { - ctx->digest = EVP_sha1(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_SHA1 */ - -#ifndef XMLSEC_NO_SHA224 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha224Id)) { - ctx->digest = EVP_sha224(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_SHA224 */ - -#ifndef XMLSEC_NO_SHA256 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha256Id)) { - ctx->digest = EVP_sha256(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_SHA256 */ - -#ifndef XMLSEC_NO_SHA384 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha384Id)) { - ctx->digest = EVP_sha384(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_SHA384 */ - -#ifndef XMLSEC_NO_SHA512 - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformRsaSha512Id)) { - ctx->digest = EVP_sha512(); - ctx->keyId = xmlSecOpenSSLKeyDataRsaId; - } else -#endif /* XMLSEC_NO_SHA512 */ - -#endif /* XMLSEC_NO_RSA */ - -#ifndef XMLSEC_NO_GOST - if(xmlSecTransformCheckId(transform, xmlSecOpenSSLTransformGost2001GostR3411_94Id)) { - ctx->keyId = xmlSecOpenSSLKeyDataGost2001Id; - ctx->digest = EVP_get_digestbyname("md_gost94"); - if (!ctx->digest) - { + if(1) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), NULL, XMLSEC_ERRORS_R_INVALID_TRANSFORM, XMLSEC_ERRORS_NO_MESSAGE); return(-1); - } - } else -#endif /* XMLSEC_NO_GOST*/ + } - if(1) { + /* create/init digest CTX */ + ctx->digestCtx = EVP_MD_CTX_new(); + if(ctx->digestCtx == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - NULL, - XMLSEC_ERRORS_R_INVALID_TRANSFORM, + "EVP_MD_CTX_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + + ret = EVP_DigestInit(ctx->digestCtx, ctx->digest); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_DigestInit", + XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); return(-1); } -#ifndef XMLSEC_OPENSSL_096 - EVP_MD_CTX_init(&(ctx->digestCtx)); -#endif /* XMLSEC_OPENSSL_096 */ + /* done */ return(0); } static void -xmlSecOpenSSLEvpSignatureFinalize(xmlSecTransformPtr transform) { - xmlSecOpenSSLEvpSignatureCtxPtr ctx; +xmlSecOpenSSLSignatureFinalize(xmlSecTransformPtr transform) { + xmlSecOpenSSLSignatureCtxPtr ctx; - xmlSecAssert(xmlSecOpenSSLEvpSignatureCheckId(transform)); - xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize)); + xmlSecAssert(xmlSecOpenSSLSignatureCheckId(transform)); + xmlSecAssert(xmlSecTransformCheckSize(transform, xmlSecOpenSSLSignatureSize)); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert(ctx != NULL); if(ctx->pKey != NULL) { EVP_PKEY_free(ctx->pKey); } -#ifndef XMLSEC_OPENSSL_096 - EVP_MD_CTX_cleanup(&(ctx->digestCtx)); -#endif /* XMLSEC_OPENSSL_096 */ - memset(ctx, 0, sizeof(xmlSecOpenSSLEvpSignatureCtx)); + if(ctx->digestCtx != NULL) { + EVP_MD_CTX_free(ctx->digestCtx); + } + + memset(ctx, 0, sizeof(xmlSecOpenSSLSignatureCtx)); } static int -xmlSecOpenSSLEvpSignatureSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { - xmlSecOpenSSLEvpSignatureCtxPtr ctx; +xmlSecOpenSSLSignatureSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) { + xmlSecOpenSSLSignatureCtxPtr ctx; xmlSecKeyDataPtr value; EVP_PKEY* pKey; - xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2(xmlSecOpenSSLSignatureCheckId(transform), -1); xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); - xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLSignatureSize), -1); xmlSecAssert2(key != NULL, -1); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->digest != NULL, -1); xmlSecAssert2(ctx->keyId != NULL, -1); @@ -440,15 +405,15 @@ xmlSecOpenSSLEvpSignatureSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) } static int -xmlSecOpenSSLEvpSignatureSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { - xmlSecOpenSSLEvpSignatureCtxPtr ctx; +xmlSecOpenSSLSignatureSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) { + xmlSecOpenSSLSignatureCtxPtr ctx; - xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2(xmlSecOpenSSLSignatureCheckId(transform), -1); xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); - xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLSignatureSize), -1); xmlSecAssert2(keyReq != NULL, -1); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->keyId != NULL, -1); @@ -465,136 +430,95 @@ xmlSecOpenSSLEvpSignatureSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPt static int -xmlSecOpenSSLEvpSignatureVerify(xmlSecTransformPtr transform, +xmlSecOpenSSLSignatureVerify(xmlSecTransformPtr transform, const xmlSecByte* data, xmlSecSize dataSize, xmlSecTransformCtxPtr transformCtx) { - xmlSecOpenSSLEvpSignatureCtxPtr ctx; + xmlSecOpenSSLSignatureCtxPtr ctx; int ret; - xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2(xmlSecOpenSSLSignatureCheckId(transform), -1); xmlSecAssert2(transform->operation == xmlSecTransformOperationVerify, -1); - xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLSignatureSize), -1); xmlSecAssert2(transform->status == xmlSecTransformStatusFinished, -1); xmlSecAssert2(data != NULL, -1); xmlSecAssert2(transformCtx != NULL, -1); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->verifyCallback != NULL, -1); + xmlSecAssert2(ctx->dgstSize > 0, -1); - ret = EVP_VerifyFinal(&(ctx->digestCtx), (xmlSecByte*)data, dataSize, ctx->pKey); + ret = (ctx->verifyCallback)(ctx, data, dataSize); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_VerifyFinal", - XMLSEC_ERRORS_R_CRYPTO_FAILED, + "verifyCallback", + XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); return(-1); - } else if(ret != 1) { + } + + /* check signature results */ + if(ret == 1) { + transform->status = xmlSecTransformStatusOk; + } else { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_VerifyFinal", + "verifyCallback", XMLSEC_ERRORS_R_DATA_NOT_MATCH, "signature do not match"); transform->status = xmlSecTransformStatusFail; - return(0); } - transform->status = xmlSecTransformStatusOk; + /* done */ return(0); } static int -xmlSecOpenSSLEvpSignatureExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { - xmlSecOpenSSLEvpSignatureCtxPtr ctx; +xmlSecOpenSSLSignatureExecute(xmlSecTransformPtr transform, int last, xmlSecTransformCtxPtr transformCtx) { + xmlSecOpenSSLSignatureCtxPtr ctx; xmlSecBufferPtr in, out; xmlSecSize inSize; xmlSecSize outSize; int ret; - xmlSecAssert2(xmlSecOpenSSLEvpSignatureCheckId(transform), -1); + xmlSecAssert2(xmlSecOpenSSLSignatureCheckId(transform), -1); xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1); - xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLEvpSignatureSize), -1); + xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLSignatureSize), -1); xmlSecAssert2(transformCtx != NULL, -1); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->signCallback != NULL, -1); + xmlSecAssert2(ctx->verifyCallback != NULL, -1); in = &(transform->inBuf); out = &(transform->outBuf); inSize = xmlSecBufferGetSize(in); outSize = xmlSecBufferGetSize(out); - ctx = xmlSecOpenSSLEvpSignatureGetCtx(transform); + ctx = xmlSecOpenSSLSignatureGetCtx(transform); xmlSecAssert2(ctx != NULL, -1); xmlSecAssert2(ctx->digest != NULL, -1); + xmlSecAssert2(ctx->digestCtx != NULL, -1); xmlSecAssert2(ctx->pKey != NULL, -1); if(transform->status == xmlSecTransformStatusNone) { xmlSecAssert2(outSize == 0, -1); - - if(transform->operation == xmlSecTransformOperationSign) { -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_SignInit(&(ctx->digestCtx), ctx->digest); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_SignInit", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } -#else /* XMLSEC_OPENSSL_096 */ - EVP_SignInit(&(ctx->digestCtx), ctx->digest); -#endif /* XMLSEC_OPENSSL_096 */ - } else { -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_VerifyInit(&(ctx->digestCtx), ctx->digest); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_VerifyInit", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } -#else /* XMLSEC_OPENSSL_096 */ - EVP_VerifyInit(&(ctx->digestCtx), ctx->digest); -#endif /* XMLSEC_OPENSSL_096 */ - } transform->status = xmlSecTransformStatusWorking; } if((transform->status == xmlSecTransformStatusWorking) && (inSize > 0)) { xmlSecAssert2(outSize == 0, -1); - if(transform->operation == xmlSecTransformOperationSign) { -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_SignUpdate(&(ctx->digestCtx), xmlSecBufferGetData(in), inSize); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_SignUpdate", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } -#else /* XMLSEC_OPENSSL_096 */ - EVP_SignUpdate(&(ctx->digestCtx), xmlSecBufferGetData(in), inSize); -#endif /* XMLSEC_OPENSSL_096 */ - } else { -#ifndef XMLSEC_OPENSSL_096 - ret = EVP_VerifyUpdate(&(ctx->digestCtx), xmlSecBufferGetData(in), inSize); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_VerifyUpdate", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - return(-1); - } -#else /* XMLSEC_OPENSSL_096 */ - EVP_VerifyUpdate(&(ctx->digestCtx), xmlSecBufferGetData(in), inSize); -#endif /* XMLSEC_OPENSSL_096 */ + ret = EVP_DigestUpdate(ctx->digestCtx, xmlSecBufferGetData(in), inSize); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_DigestUpdate", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); } ret = xmlSecBufferRemoveHead(in, inSize); @@ -610,54 +534,32 @@ xmlSecOpenSSLEvpSignatureExecute(xmlSecTransformPtr transform, int last, xmlSecT if((transform->status == xmlSecTransformStatusWorking) && (last != 0)) { xmlSecAssert2(outSize == 0, -1); - if(transform->operation == xmlSecTransformOperationSign) { - unsigned int signSize; - /* this is a hack: for rsa signatures - * we get size from EVP_PKEY_size(), - * for dsa signature we use a fixed constant */ - signSize = EVP_PKEY_size(ctx->pKey); -#ifndef XMLSEC_NO_DSA - if(signSize < XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE) { - signSize = XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE; - } -#endif /* XMLSEC_NO_DSA */ -#ifndef XMLSEC_NO_ECDSA - if(signSize < XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE) { - signSize = XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE; - } -#endif /* XMLSEC_NO_ECDSA */ + ret = EVP_DigestFinal(ctx->digestCtx, ctx->dgst, &ctx->dgstSize); + if(ret != 1) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), + "EVP_DigestFinal", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(-1); + } + xmlSecAssert2(ctx->dgstSize > 0, -1); - ret = xmlSecBufferSetMaxSize(out, signSize); + /* sign right away, verify will wait till separate call */ + if(transform->operation == xmlSecTransformOperationSign) { + ret = (ctx->signCallback)(ctx, out); if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "xmlSecBufferSetMaxSize", + "signCallback", XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%u", signSize); - return(-1); - } - - ret = EVP_SignFinal(&(ctx->digestCtx), xmlSecBufferGetData(out), &signSize, ctx->pKey); - if(ret != 1) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "EVP_SignFinal", - XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); return(-1); } - - ret = xmlSecBufferSetSize(out, signSize); - if(ret < 0) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecTransformGetName(transform)), - "xmlSecBufferSetSize", - XMLSEC_ERRORS_R_XMLSEC_FAILED, - "size=%u", signSize); - return(-1); - } } + + /* done! */ transform->status = xmlSecTransformStatusFinished; } @@ -677,6 +579,7 @@ xmlSecOpenSSLEvpSignatureExecute(xmlSecTransformPtr transform, int last, xmlSecT } #ifndef XMLSEC_NO_DSA + /**************************************************************************** * * DSA EVP @@ -704,81 +607,257 @@ xmlSecOpenSSLEvpSignatureExecute(xmlSecTransformPtr transform, int last, xmlSecT * ***************************************************************************/ static int -xmlSecOpenSSLDsaEvpSign(int type ATTRIBUTE_UNUSED, - const unsigned char *dgst, unsigned int dlen, - unsigned char *sig, unsigned int *siglen, void *dsa) { - DSA_SIG *s; - int rSize, sSize; - - s = DSA_do_sign(dgst, dlen, dsa); - if(s == NULL) { - *siglen=0; - return(0); +xmlSecOpenSSLSignatureDsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr out) { + DSA * dsaKey = NULL; + DSA_SIG *sig = NULL; + BIGNUM *rr = NULL, *ss = NULL; + xmlSecByte *outData; + xmlSecSize dsaSignSize, signHalfSize, rSize, sSize; + int res = -1; + int ret; + + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->pKey != NULL, -1); + xmlSecAssert2(ctx->dgstSize > 0, -1); + xmlSecAssert2(ctx->dgstSize <= sizeof(ctx->dgst), -1); + xmlSecAssert2(out != NULL, -1); + + /* get key */ + dsaKey = EVP_PKEY_get1_DSA(ctx->pKey); + if(dsaKey == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "EVP_PKEY_get1_DSA", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; } - rSize = BN_num_bytes(s->r); - sSize = BN_num_bytes(s->s); - if((rSize > (XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2)) || - (sSize > (XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2))) { + /* signature size = r + s + 8 bytes, we just need r+s */ + dsaSignSize = DSA_size(dsaKey); + if(dsaSignSize < 8) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, + "DSA_size", + XMLSEC_ERRORS_R_INVALID_SIZE, + "dsaSignSize=%d", (int)dsaSignSize); + goto done; + } + + signHalfSize = (dsaSignSize - 8) / 2; + if(signHalfSize < 4) { + xmlSecError(XMLSEC_ERRORS_HERE, NULL, + "signHalfSize", XMLSEC_ERRORS_R_INVALID_SIZE, - "size(r)=%d or size(s)=%d > %d", - rSize, sSize, XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2); - DSA_SIG_free(s); - return(0); + "signHalfSize=%d", (int)signHalfSize); + goto done; } - memset(sig, 0, XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE); - BN_bn2bin(s->r, sig + (XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2) - rSize); - BN_bn2bin(s->s, sig + XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE - sSize); - *siglen = XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE; + /* calculate signature */ + sig = DSA_do_sign(ctx->dgst, ctx->dgstSize, dsaKey); + if(sig == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_do_sign", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } - DSA_SIG_free(s); - return(1); + /* get signature components */ + DSA_SIG_get0(&rr, &ss, sig); + if((rr == NULL) || (ss == NULL)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_SIG_get0", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + rSize = BN_num_bytes(rr); + if(rSize > signHalfSize) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_SIZE, + "rSize=%d > %d", + rSize, signHalfSize); + goto done; + } + sSize = BN_num_bytes(ss); + if(sSize > signHalfSize) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + NULL, + XMLSEC_ERRORS_R_INVALID_SIZE, + "sSize=%d > %d", + sSize, signHalfSize); + goto done; + } + + /* allocate buffer */ + ret = xmlSecBufferSetSize(out, 2 * signHalfSize); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "size=%d", (int)(2 * signHalfSize)); + goto done; + } + outData = xmlSecBufferGetData(out); + xmlSecAssert2(outData != NULL, -1); + + /* write components */ + xmlSecAssert2((rSize + sSize) <= 2 * signHalfSize, -1); + memset(outData, 0, 2 * signHalfSize); + BN_bn2bin(rr, outData + signHalfSize - rSize); + BN_bn2bin(ss, outData + 2 * signHalfSize - sSize); + + /* success */ + res = 0; + +done: + /* cleanup */ + if(sig != NULL) { + DSA_SIG_free(sig); + } + if(dsaKey != NULL) { + DSA_free(dsaKey); + } + + /* done */ + return(res); } static int -xmlSecOpenSSLDsaEvpVerify(int type ATTRIBUTE_UNUSED, - const unsigned char *dgst, unsigned int dgst_len, - const unsigned char *sigbuf, unsigned int siglen, - void *dsa) { - DSA_SIG *s; - int ret = -1; +xmlSecOpenSSLSignatureDsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecByte* signData, xmlSecSize signSize) { + DSA * dsaKey = NULL; + DSA_SIG *sig = NULL; + BIGNUM *rr = NULL, *ss = NULL; + xmlSecSize dsaSignSize, signHalfSize; + int res = -1; + int ret; - s = DSA_SIG_new(); - if (s == NULL) { - return(ret); + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->pKey != NULL, -1); + xmlSecAssert2(ctx->dgstSize > 0, -1); + xmlSecAssert2(signData != NULL, -1); + + /* get key */ + dsaKey = EVP_PKEY_get1_DSA(ctx->pKey); + if(dsaKey == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "EVP_PKEY_get1_DSA", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* signature size = r + s + 8 bytes, we just need r+s */ + dsaSignSize = DSA_size(dsaKey); + if(dsaSignSize < 8) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_size", + XMLSEC_ERRORS_R_INVALID_SIZE, + "dsaSignSize=%d", (int)dsaSignSize); + goto done; + } + + signHalfSize = (dsaSignSize - 8) / 2; + if(signHalfSize < 4) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "signHalfSize", + XMLSEC_ERRORS_R_INVALID_SIZE, + "signHalfSize=%d", (int)signHalfSize); + goto done; } - if(siglen != XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE) { + /* check size */ + if(signSize != 2 * signHalfSize) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_R_INVALID_SIZE, "invalid length %d (%d expected)", - siglen, XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE); + (int)signSize, (int)(2 * signHalfSize)); goto done; } - s->r = BN_bin2bn(sigbuf, XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2, NULL); - s->s = BN_bin2bn(sigbuf + (XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2), - XMLSEC_OPENSSL_DSA_SIGNATURE_SIZE / 2, NULL); - if((s->r == NULL) || (s->s == NULL)) { + /* create/read signature */ + sig = DSA_SIG_new(); + if (sig == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "BN_bin2bn", + "DSA_SIG_new", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); goto done; } - ret = DSA_do_verify(dgst, dgst_len, s, dsa); + /* get signature components */ + DSA_SIG_get0(&rr, &ss, sig); + if((rr == NULL) || (ss == NULL)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_SIG_get0", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + rr = BN_bin2bn(signData, signHalfSize, rr); + if(rr == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "BN_bin2bn(sig->r)", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + ss = BN_bin2bn(signData + signHalfSize, signHalfSize, ss); + if(ss == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "BN_bin2bn(sig->s)", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* verify signature */ + ret = DSA_do_verify(ctx->dgst, ctx->dgstSize, sig, dsaKey); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_do_verify", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* return 1 for good signatures and 0 for bad */ + if(ret > 0) { + res = 1; + } else if(ret == 0) { + res = 0; + } done: - DSA_SIG_free(s); - return(ret); + /* cleanup */ + if(sig != NULL) { + DSA_SIG_free(sig); + } + if(dsaKey != NULL) { + DSA_free(dsaKey); + } + + /* done */ + return(res); } #ifndef XMLSEC_NO_SHA1 @@ -791,25 +870,25 @@ done: static xmlSecTransformKlass xmlSecOpenSSLDsaSha1Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameDsaSha1, /* const xmlChar* name; */ xmlSecHrefDsaSha1, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -827,57 +906,6 @@ xmlSecOpenSSLTransformDsaSha1GetKlass(void) { return(&xmlSecOpenSSLDsaSha1Klass); } -#ifndef XMLSEC_OPENSSL_096 -static int -xmlSecOpenSSLDsaSha1EvpInit(EVP_MD_CTX *ctx) -{ - return SHA1_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLDsaSha1EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA1_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLDsaSha1EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA1_Final(md,ctx->md_data); -} -#endif /* XMLSEC_OPENSSL_096 */ - -static const EVP_MD xmlSecOpenSSLDsaSha1MdEvp = { - NID_dsaWithSHA, - NID_dsaWithSHA, - SHA_DIGEST_LENGTH, -#ifndef XMLSEC_OPENSSL_096 - 0, - xmlSecOpenSSLDsaSha1EvpInit, - xmlSecOpenSSLDsaSha1EvpUpdate, - xmlSecOpenSSLDsaSha1EvpFinal, - NULL, - NULL, -#else /* XMLSEC_OPENSSL_096 */ - SHA1_Init, - SHA1_Update, - SHA1_Final, -#endif /* XMLSEC_OPENSSL_096 */ - xmlSecOpenSSLDsaEvpSign, - xmlSecOpenSSLDsaEvpVerify, - {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3,EVP_PKEY_DSA4,0}, - SHA_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA_CTX) -#ifdef XMLSEC_OPENSSL_100 - , NULL -#endif /* XMLSEC_OPENSSL_100 */ -}; - -static const EVP_MD *xmlSecOpenSSLDsaSha1Evp(void) -{ - return(&xmlSecOpenSSLDsaSha1MdEvp); -} - #endif /* XMLSEC_NO_SHA1 */ #ifndef XMLSEC_NO_SHA256 @@ -890,25 +918,25 @@ static const EVP_MD *xmlSecOpenSSLDsaSha1Evp(void) static xmlSecTransformKlass xmlSecOpenSSLDsaSha256Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameDsaSha256, /* const xmlChar* name; */ xmlSecHrefDsaSha256, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -926,50 +954,6 @@ xmlSecOpenSSLTransformDsaSha256GetKlass(void) { return(&xmlSecOpenSSLDsaSha256Klass); } -#ifdef XMLSEC_OPENSSL_100 -static int -xmlSecOpenSSLDsaSha256EvpInit(EVP_MD_CTX *ctx) -{ - return SHA256_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLDsaSha256EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA256_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLDsaSha256EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA256_Final(md,ctx->md_data); -} - -static const EVP_MD xmlSecOpenSSLDsaSha256MdEvp = { - NID_dsa_with_SHA256, - NID_dsa_with_SHA256, - SHA256_DIGEST_LENGTH, - 0, - xmlSecOpenSSLDsaSha256EvpInit, - xmlSecOpenSSLDsaSha256EvpUpdate, - xmlSecOpenSSLDsaSha256EvpFinal, - NULL, - NULL, - xmlSecOpenSSLDsaEvpSign, - xmlSecOpenSSLDsaEvpVerify, - /* XXX-MAK: This worries me, not sure that the keys are right. */ - {EVP_PKEY_DSA,EVP_PKEY_DSA2,EVP_PKEY_DSA3,EVP_PKEY_DSA4,0}, - SHA256_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA256_CTX), - NULL -}; - -static const EVP_MD *xmlSecOpenSSLDsaSha256Evp(void) -{ - return(&xmlSecOpenSSLDsaSha256MdEvp); -} -#endif /* XMLSEC_OPENSSL_100 */ - #endif /* XMLSEC_NO_SHA256 */ #endif /* XMLSEC_NO_DSA */ @@ -991,26 +975,18 @@ static const EVP_MD *xmlSecOpenSSLDsaSha256Evp(void) * octet-stream conversion MUST be done according to the I2OSP operation * defined in Section 4.1 of RFC 3447 [PKCS1] with the xLen parameter equal * to the size of the base point order of the curve in bytes (32 for the - * P-256 curve). + * P-256 curve and 66 for the P-521 curve). * ***************************************************************************/ -static int -xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED, - const unsigned char *dgst, unsigned int dlen, - unsigned char *sig, unsigned int *siglen, void *ecdsa) { - int rSize, sSize, xLen; +static xmlSecSize +xmlSecOpenSSLSignatureEcdsaSignatureHalfSize(EC_KEY * ecKey) { const EC_GROUP *group; BIGNUM *order = NULL; - ECDSA_SIG *s; - int ret = 0; + xmlSecSize signHalfSize = 0; - s = ECDSA_do_sign(dgst, dlen, ecdsa); - if(s == NULL) { - *siglen = 0; - return(ret); - } + xmlSecAssert2(ecKey != NULL, 0); - group = EC_KEY_get0_group(ecdsa); + group = EC_KEY_get0_group(ecKey); if(group == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -1039,129 +1015,256 @@ xmlSecOpenSSLEcdsaEvpSign(int type ATTRIBUTE_UNUSED, goto done; } - xLen = BN_num_bytes(order); - if(xLen > (XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2)) { + /* result */ + signHalfSize = BN_num_bytes(order); + +done: + /* cleanup */ + if(order != NULL) { + BN_clear_free(order); + } + + /* done */ + return(signHalfSize); +} + + +static int +xmlSecOpenSSLSignatureEcdsaSign(xmlSecOpenSSLSignatureCtxPtr ctx, xmlSecBufferPtr out) { + EC_KEY * ecKey = NULL; + ECDSA_SIG *sig = NULL; + BIGNUM *rr = NULL, *ss = NULL; + xmlSecByte *outData; + xmlSecSize signHalfSize, rSize, sSize; + int res = -1; + int ret; + + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->pKey != NULL, -1); + xmlSecAssert2(ctx->dgstSize > 0, -1); + xmlSecAssert2(ctx->dgstSize <= sizeof(ctx->dgst), -1); + xmlSecAssert2(out != NULL, -1); + + /* get key */ + ecKey = EVP_PKEY_get1_EC_KEY(ctx->pKey); + if(ecKey == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "EVP_PKEY_get1_DSA", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* calculate signature size */ + signHalfSize = xmlSecOpenSSLSignatureEcdsaSignatureHalfSize(ecKey); + if(signHalfSize <= 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecOpenSSLSignatureEcdsaSignatureHalfSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* sign */ + sig = ECDSA_do_sign(ctx->dgst, ctx->dgstSize, ecKey); + if(sig == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "ECDSA_do_sign", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* get signature components */ + ECDSA_SIG_get0(&rr, &ss, sig); + if((rr == NULL) || (ss == NULL)) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "ECDSA_SIG_get0", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + + /* check sizes */ + rSize = BN_num_bytes(rr); + if(rSize > signHalfSize) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_R_INVALID_SIZE, - "xLen=%d > %d", - xLen, XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2); + "rSize=%d > %d", + (int)rSize, (int)signHalfSize); goto done; } - rSize = BN_num_bytes(s->r); - sSize = BN_num_bytes(s->s); - if((rSize > xLen) || (sSize > xLen)) { + sSize = BN_num_bytes(ss); + if(sSize > signHalfSize) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, XMLSEC_ERRORS_R_INVALID_SIZE, - "size(r)=%d or size(s)=%d > %d", - rSize, sSize, xLen); + "sSize=%d > %d", + (int)sSize, (int)signHalfSize); + goto done; + } + + /* allocate buffer */ + ret = xmlSecBufferSetSize(out, 2 * signHalfSize); + if(ret < 0) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "xmlSecBufferSetSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, + "size=%d", (int)(2 * signHalfSize)); goto done; } + outData = xmlSecBufferGetData(out); + xmlSecAssert2(outData != NULL, -1); - memset(sig, 0, xLen * 2); - BN_bn2bin(s->r, sig + xLen - rSize); - BN_bn2bin(s->s, sig + (xLen * 2) - sSize); - *siglen = xLen * 2; + /* write components */ + xmlSecAssert2((rSize + sSize) <= 2 * signHalfSize, -1); + memset(outData, 0, 2 * signHalfSize); + BN_bn2bin(rr, outData + signHalfSize - rSize); + BN_bn2bin(ss, outData + 2 * signHalfSize - sSize); - ret = 1; + /* success */ + res = 0; done: - if(order != NULL) { - BN_clear_free(order); + /* cleanup */ + if(sig != NULL) { + ECDSA_SIG_free(sig); + } + if(ecKey != NULL) { + EC_KEY_free(ecKey); } - ECDSA_SIG_free(s); - return(ret); + + /* done */ + return(res); } static int -xmlSecOpenSSLEcdsaEvpVerify(int type ATTRIBUTE_UNUSED, - const unsigned char *dgst, unsigned int dgst_len, - const unsigned char *sigbuf, unsigned int siglen, - void *ecdsa) { - const EC_GROUP *group; - unsigned int xLen; - BIGNUM *order = NULL; - ECDSA_SIG *s; - int ret = -1; +xmlSecOpenSSLSignatureEcdsaVerify(xmlSecOpenSSLSignatureCtxPtr ctx, const xmlSecByte* signData, xmlSecSize signSize) { + EC_KEY * ecKey = NULL; + ECDSA_SIG *sig = NULL; + BIGNUM *rr = NULL, *ss = NULL; + xmlSecSize signHalfSize; + int res = -1; + int ret; - s = ECDSA_SIG_new(); - if (s == NULL) { - return(ret); - } + xmlSecAssert2(ctx != NULL, -1); + xmlSecAssert2(ctx->pKey != NULL, -1); + xmlSecAssert2(ctx->dgstSize > 0, -1); + xmlSecAssert2(ctx->dgstSize <= sizeof(ctx->dgst), -1); + xmlSecAssert2(signData != NULL, -1); - group = EC_KEY_get0_group(ecdsa); - if(group == NULL) { + /* get key */ + ecKey = EVP_PKEY_get1_EC_KEY(ctx->pKey); + if(ecKey == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "EC_KEY_get0_group", + "EVP_PKEY_get1_DSA", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); goto done; } - order = BN_new(); - if(order == NULL) { + /* calculate signature size */ + signHalfSize = xmlSecOpenSSLSignatureEcdsaSignatureHalfSize(ecKey); + if(signHalfSize <= 0) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "BN_new", - XMLSEC_ERRORS_R_CRYPTO_FAILED, + "xmlSecOpenSSLSignatureEcdsaSignatureHalfSize", + XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); goto done; } - if(EC_GROUP_get_order(group, order, NULL) != 1) { + /* check size */ + if(signSize != 2 * signHalfSize) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "EC_GROUP_get_order", + NULL, + XMLSEC_ERRORS_R_INVALID_SIZE, + "invalid length %d (%d expected)", + (int)signSize, (int)(2 * signHalfSize)); + goto done; + } + + /* create/read signature */ + sig = ECDSA_SIG_new(); + if (sig == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "DSA_SIG_new", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); goto done; } - xLen = BN_num_bytes(order); - if(xLen > (XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2)) { + /* get signature components */ + ECDSA_SIG_get0(&rr, &ss, sig); + if((rr == NULL) || (ss == NULL)) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - NULL, - XMLSEC_ERRORS_R_INVALID_SIZE, - "xLen=%d > %d", - xLen, XMLSEC_OPENSSL_ECDSA_SIGNATURE_SIZE / 2); + "ECDSA_SIG_get0", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); goto done; } - if(siglen != xLen * 2) { + rr = BN_bin2bn(signData, signHalfSize, rr); + if(rr == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, + "BN_bin2bn(sig->r)", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + ss = BN_bin2bn(signData + signHalfSize, signHalfSize, ss); + if(ss == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, NULL, - XMLSEC_ERRORS_R_INVALID_SIZE, - "invalid length %d (%d expected)", - siglen, xLen * 2); + "BN_bin2bn(sig->s)", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); goto done; } - s->r = BN_bin2bn(sigbuf, xLen, NULL); - s->s = BN_bin2bn(sigbuf + xLen, xLen, NULL); - if((s->r == NULL) || (s->s == NULL)) { + /* verify signature */ + ret = ECDSA_do_verify(ctx->dgst, ctx->dgstSize, sig, ecKey); + if(ret < 0) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "BN_bin2bn", + "ECDSA_do_verify", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); goto done; } - ret = ECDSA_do_verify(dgst, dgst_len, s, ecdsa); + /* return 1 for good signatures and 0 for bad */ + if(ret > 0) { + res = 1; + } else if(ret == 0) { + res = 0; + } done: - if(order != NULL) { - BN_clear_free(order); + /* cleanup */ + if(sig != NULL) { + ECDSA_SIG_free(sig); + } + if(ecKey != NULL) { + EC_KEY_free(ecKey); } - ECDSA_SIG_free(s); - return(ret); + + /* done */ + return(res); } #ifndef XMLSEC_NO_SHA1 @@ -1174,25 +1277,25 @@ done: static xmlSecTransformKlass xmlSecOpenSSLEcdsaSha1Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameEcdsaSha1, /* const xmlChar* name; */ xmlSecHrefEcdsaSha1, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -1210,56 +1313,6 @@ xmlSecOpenSSLTransformEcdsaSha1GetKlass(void) { return(&xmlSecOpenSSLEcdsaSha1Klass); } -#ifndef XMLSEC_OPENSSL_096 -static int -xmlSecOpenSSLEcdsaSha1EvpInit(EVP_MD_CTX *ctx) -{ - return SHA1_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLEcdsaSha1EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA1_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLEcdsaSha1EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA1_Final(md,ctx->md_data); -} -#endif /* XMLSEC_OPENSSL_096 */ - -static const EVP_MD xmlSecOpenSSLEcdsaSha1MdEvp = { - NID_ecdsa_with_SHA1, - NID_ecdsa_with_SHA1, - SHA_DIGEST_LENGTH, -#ifndef XMLSEC_OPENSSL_096 - 0, - xmlSecOpenSSLEcdsaSha1EvpInit, - xmlSecOpenSSLEcdsaSha1EvpUpdate, - xmlSecOpenSSLEcdsaSha1EvpFinal, - NULL, - NULL, -#else /* XMLSEC_OPENSSL_096 */ - SHA1_Init, - SHA1_Update, - SHA1_Final, -#endif /* XMLSEC_OPENSSL_096 */ - xmlSecOpenSSLEcdsaEvpSign, - xmlSecOpenSSLEcdsaEvpVerify, - /* XXX-MAK: This worries me, not sure that the keys are right. */ - {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA1,0,0,0}, - SHA_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA_CTX), - NULL -}; - -static const EVP_MD *xmlSecOpenSSLEcdsaSha1Evp(void) -{ - return(&xmlSecOpenSSLEcdsaSha1MdEvp); -} - #endif /* XMLSEC_NO_SHA1 */ #ifndef XMLSEC_NO_SHA224 @@ -1272,25 +1325,25 @@ static const EVP_MD *xmlSecOpenSSLEcdsaSha1Evp(void) static xmlSecTransformKlass xmlSecOpenSSLEcdsaSha224Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameEcdsaSha224, /* const xmlChar* name; */ xmlSecHrefEcdsaSha224, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -1308,56 +1361,6 @@ xmlSecOpenSSLTransformEcdsaSha224GetKlass(void) { return(&xmlSecOpenSSLEcdsaSha224Klass); } -#ifndef XMLSEC_OPENSSL_096 -static int -xmlSecOpenSSLEcdsaSha224EvpInit(EVP_MD_CTX *ctx) -{ - return SHA224_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLEcdsaSha224EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA224_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLEcdsaSha224EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA224_Final(md,ctx->md_data); -} -#endif /* XMLSEC_OPENSSL_096 */ - -static const EVP_MD xmlSecOpenSSLEcdsaSha224MdEvp = { - NID_ecdsa_with_SHA224, - NID_ecdsa_with_SHA224, - SHA224_DIGEST_LENGTH, -#ifndef XMLSEC_OPENSSL_096 - 0, - xmlSecOpenSSLEcdsaSha224EvpInit, - xmlSecOpenSSLEcdsaSha224EvpUpdate, - xmlSecOpenSSLEcdsaSha224EvpFinal, - NULL, - NULL, -#else /* XMLSEC_OPENSSL_096 */ - SHA224_Init, - SHA224_Update, - SHA224_Final, -#endif /* XMLSEC_OPENSSL_096 */ - xmlSecOpenSSLEcdsaEvpSign, - xmlSecOpenSSLEcdsaEvpVerify, - /* XXX-MAK: This worries me, not sure that the keys are right. */ - {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA224,0,0,0}, - SHA256_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA256_CTX), - NULL -}; - -static const EVP_MD *xmlSecOpenSSLEcdsaSha224Evp(void) -{ - return(&xmlSecOpenSSLEcdsaSha224MdEvp); -} - #endif /* XMLSEC_NO_SHA224 */ #ifndef XMLSEC_NO_SHA256 @@ -1370,25 +1373,25 @@ static const EVP_MD *xmlSecOpenSSLEcdsaSha224Evp(void) static xmlSecTransformKlass xmlSecOpenSSLEcdsaSha256Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameEcdsaSha256, /* const xmlChar* name; */ xmlSecHrefEcdsaSha256, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -1406,56 +1409,6 @@ xmlSecOpenSSLTransformEcdsaSha256GetKlass(void) { return(&xmlSecOpenSSLEcdsaSha256Klass); } -#ifndef XMLSEC_OPENSSL_096 -static int -xmlSecOpenSSLEcdsaSha256EvpInit(EVP_MD_CTX *ctx) -{ - return SHA256_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLEcdsaSha256EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA256_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLEcdsaSha256EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA256_Final(md,ctx->md_data); -} -#endif /* XMLSEC_OPENSSL_096 */ - -static const EVP_MD xmlSecOpenSSLEcdsaSha256MdEvp = { - NID_ecdsa_with_SHA256, - NID_ecdsa_with_SHA256, - SHA256_DIGEST_LENGTH, -#ifndef XMLSEC_OPENSSL_096 - 0, - xmlSecOpenSSLEcdsaSha256EvpInit, - xmlSecOpenSSLEcdsaSha256EvpUpdate, - xmlSecOpenSSLEcdsaSha256EvpFinal, - NULL, - NULL, -#else /* XMLSEC_OPENSSL_096 */ - SHA256_Init, - SHA256_Update, - SHA256_Final, -#endif /* XMLSEC_OPENSSL_096 */ - xmlSecOpenSSLEcdsaEvpSign, - xmlSecOpenSSLEcdsaEvpVerify, - /* XXX-MAK: This worries me, not sure that the keys are right. */ - {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA256,0,0,0}, - SHA256_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA256_CTX), - NULL -}; - -static const EVP_MD *xmlSecOpenSSLEcdsaSha256Evp(void) -{ - return(&xmlSecOpenSSLEcdsaSha256MdEvp); -} - #endif /* XMLSEC_NO_SHA256 */ #ifndef XMLSEC_NO_SHA384 @@ -1468,25 +1421,25 @@ static const EVP_MD *xmlSecOpenSSLEcdsaSha256Evp(void) static xmlSecTransformKlass xmlSecOpenSSLEcdsaSha384Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameEcdsaSha384, /* const xmlChar* name; */ xmlSecHrefEcdsaSha384, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -1504,56 +1457,6 @@ xmlSecOpenSSLTransformEcdsaSha384GetKlass(void) { return(&xmlSecOpenSSLEcdsaSha384Klass); } -#ifndef XMLSEC_OPENSSL_096 -static int -xmlSecOpenSSLEcdsaSha384EvpInit(EVP_MD_CTX *ctx) -{ - return SHA384_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLEcdsaSha384EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA384_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLEcdsaSha384EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA384_Final(md,ctx->md_data); -} -#endif /* XMLSEC_OPENSSL_096 */ - -static const EVP_MD xmlSecOpenSSLEcdsaSha384MdEvp = { - NID_ecdsa_with_SHA384, - NID_ecdsa_with_SHA384, - SHA384_DIGEST_LENGTH, -#ifndef XMLSEC_OPENSSL_096 - 0, - xmlSecOpenSSLEcdsaSha384EvpInit, - xmlSecOpenSSLEcdsaSha384EvpUpdate, - xmlSecOpenSSLEcdsaSha384EvpFinal, - NULL, - NULL, -#else /* XMLSEC_OPENSSL_096 */ - SHA384_Init, - SHA384_Update, - SHA384_Final, -#endif /* XMLSEC_OPENSSL_096 */ - xmlSecOpenSSLEcdsaEvpSign, - xmlSecOpenSSLEcdsaEvpVerify, - /* XXX-MAK: This worries me, not sure that the keys are right. */ - {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA384,0,0,0}, - SHA512_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA512_CTX), - NULL -}; - -static const EVP_MD *xmlSecOpenSSLEcdsaSha384Evp(void) -{ - return(&xmlSecOpenSSLEcdsaSha384MdEvp); -} - #endif /* XMLSEC_NO_SHA384 */ #ifndef XMLSEC_NO_SHA512 @@ -1566,25 +1469,25 @@ static const EVP_MD *xmlSecOpenSSLEcdsaSha384Evp(void) static xmlSecTransformKlass xmlSecOpenSSLEcdsaSha512Klass = { /* klass/object sizes */ sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ + xmlSecOpenSSLSignatureSize, /* xmlSecSize objSize */ xmlSecNameEcdsaSha512, /* const xmlChar* name; */ xmlSecHrefEcdsaSha512, /* const xmlChar* href; */ xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ + xmlSecOpenSSLSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ + xmlSecOpenSSLSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ NULL, /* xmlSecTransformNodeReadMethod readNode; */ NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ + xmlSecOpenSSLSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ + xmlSecOpenSSLSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ + xmlSecOpenSSLSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ NULL, /* xmlSecTransformPushXmlMethod pushXml; */ NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ + xmlSecOpenSSLSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ NULL, /* void* reserved0; */ NULL, /* void* reserved1; */ @@ -1602,440 +1505,10 @@ xmlSecOpenSSLTransformEcdsaSha512GetKlass(void) { return(&xmlSecOpenSSLEcdsaSha512Klass); } -#ifndef XMLSEC_OPENSSL_096 -static int -xmlSecOpenSSLEcdsaSha512EvpInit(EVP_MD_CTX *ctx) -{ - return SHA512_Init(ctx->md_data); -} - -static int -xmlSecOpenSSLEcdsaSha512EvpUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - return SHA512_Update(ctx->md_data,data,count); -} - -static int -xmlSecOpenSSLEcdsaSha512EvpFinal(EVP_MD_CTX *ctx, unsigned char *md) -{ - return SHA512_Final(md,ctx->md_data); -} -#endif /* XMLSEC_OPENSSL_096 */ - -static const EVP_MD xmlSecOpenSSLEcdsaSha512MdEvp = { - NID_ecdsa_with_SHA512, - NID_ecdsa_with_SHA512, - SHA512_DIGEST_LENGTH, -#ifndef XMLSEC_OPENSSL_096 - 0, - xmlSecOpenSSLEcdsaSha512EvpInit, - xmlSecOpenSSLEcdsaSha512EvpUpdate, - xmlSecOpenSSLEcdsaSha512EvpFinal, - NULL, - NULL, -#else /* XMLSEC_OPENSSL_096 */ - SHA512_Init, - SHA512_Update, - SHA512_Final, -#endif /* XMLSEC_OPENSSL_096 */ - xmlSecOpenSSLEcdsaEvpSign, - xmlSecOpenSSLEcdsaEvpVerify, - /* XXX-MAK: This worries me, not sure that the keys are right. */ - {NID_X9_62_id_ecPublicKey,NID_ecdsa_with_SHA512,0,0,0}, - SHA512_CBLOCK, - sizeof(EVP_MD *)+sizeof(SHA512_CTX), - NULL -}; - -static const EVP_MD *xmlSecOpenSSLEcdsaSha512Evp(void) -{ - return(&xmlSecOpenSSLEcdsaSha512MdEvp); -} - #endif /* XMLSEC_NO_SHA512 */ #endif /* XMLSEC_NO_ECDSA */ -#ifndef XMLSEC_NO_RSA - -#ifndef XMLSEC_NO_MD5 -/**************************************************************************** - * - * RSA-MD5 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaMd5Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaMd5, /* const xmlChar* name; */ - xmlSecHrefRsaMd5, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaMd5GetKlass: - * - * The RSA-MD5 signature transform klass. - * - * Returns: RSA-MD5 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaMd5GetKlass(void) { - return(&xmlSecOpenSSLRsaMd5Klass); -} - -#endif /* XMLSEC_NO_MD5 */ - -#ifndef XMLSEC_NO_RIPEMD160 -/**************************************************************************** - * - * RSA-RIPEMD160 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaRipemd160Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaRipemd160, /* const xmlChar* name; */ - xmlSecHrefRsaRipemd160, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaRipemd160GetKlass: - * - * The RSA-RIPEMD160 signature transform klass. - * - * Returns: RSA-RIPEMD160 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaRipemd160GetKlass(void) { - return(&xmlSecOpenSSLRsaRipemd160Klass); -} - -#endif /* XMLSEC_NO_RIPEMD160 */ - -#ifndef XMLSEC_NO_SHA1 -/**************************************************************************** - * - * RSA-SHA1 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaSha1Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaSha1, /* const xmlChar* name; */ - xmlSecHrefRsaSha1, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaSha1GetKlass: - * - * The RSA-SHA1 signature transform klass. - * - * Returns: RSA-SHA1 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaSha1GetKlass(void) { - return(&xmlSecOpenSSLRsaSha1Klass); -} - -#endif /* XMLSEC_NO_SHA1 */ - -#ifndef XMLSEC_NO_SHA224 -/**************************************************************************** - * - * RSA-SHA224 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaSha224Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaSha224, /* const xmlChar* name; */ - xmlSecHrefRsaSha224, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaSha224GetKlass: - * - * The RSA-SHA224 signature transform klass. - * - * Returns: RSA-SHA224 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaSha224GetKlass(void) { - return(&xmlSecOpenSSLRsaSha224Klass); -} - -#endif /* XMLSEC_NO_SHA224 */ - -#ifndef XMLSEC_NO_SHA256 -/**************************************************************************** - * - * RSA-SHA256 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaSha256Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaSha256, /* const xmlChar* name; */ - xmlSecHrefRsaSha256, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaSha256GetKlass: - * - * The RSA-SHA256 signature transform klass. - * - * Returns: RSA-SHA256 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaSha256GetKlass(void) { - return(&xmlSecOpenSSLRsaSha256Klass); -} - -#endif /* XMLSEC_NO_SHA256 */ - -#ifndef XMLSEC_NO_SHA384 -/**************************************************************************** - * - * RSA-SHA384 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaSha384Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaSha384, /* const xmlChar* name; */ - xmlSecHrefRsaSha384, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaSha384GetKlass: - * - * The RSA-SHA384 signature transform klass. - * - * Returns: RSA-SHA384 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaSha384GetKlass(void) { - return(&xmlSecOpenSSLRsaSha384Klass); -} - -#endif /* XMLSEC_NO_SHA384 */ - -#ifndef XMLSEC_NO_SHA512 -/**************************************************************************** - * - * RSA-SHA512 signature transform - * - ***************************************************************************/ -static xmlSecTransformKlass xmlSecOpenSSLRsaSha512Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameRsaSha512, /* const xmlChar* name; */ - xmlSecHrefRsaSha512, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformRsaSha512GetKlass: - * - * The RSA-SHA512 signature transform klass. - * - * Returns: RSA-SHA512 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformRsaSha512GetKlass(void) { - return(&xmlSecOpenSSLRsaSha512Klass); -} - -#endif /* XMLSEC_NO_SHA512 */ - -#endif /* XMLSEC_NO_RSA */ - - -#ifndef XMLSEC_NO_GOST -/**************************************************************************** - * - * GOST2001-GOSTR3411_94 signature transform - * - ***************************************************************************/ - -static xmlSecTransformKlass xmlSecOpenSSLGost2001GostR3411_94Klass = { - /* klass/object sizes */ - sizeof(xmlSecTransformKlass), /* xmlSecSize klassSize */ - xmlSecOpenSSLEvpSignatureSize, /* xmlSecSize objSize */ - - xmlSecNameGost2001GostR3411_94, /* const xmlChar* name; */ - xmlSecHrefGost2001GostR3411_94, /* const xmlChar* href; */ - xmlSecTransformUsageSignatureMethod, /* xmlSecTransformUsage usage; */ - - xmlSecOpenSSLEvpSignatureInitialize, /* xmlSecTransformInitializeMethod initialize; */ - xmlSecOpenSSLEvpSignatureFinalize, /* xmlSecTransformFinalizeMethod finalize; */ - NULL, /* xmlSecTransformNodeReadMethod readNode; */ - NULL, /* xmlSecTransformNodeWriteMethod writeNode; */ - xmlSecOpenSSLEvpSignatureSetKeyReq, /* xmlSecTransformSetKeyReqMethod setKeyReq; */ - xmlSecOpenSSLEvpSignatureSetKey, /* xmlSecTransformSetKeyMethod setKey; */ - xmlSecOpenSSLEvpSignatureVerify, /* xmlSecTransformVerifyMethod verify; */ - xmlSecTransformDefaultGetDataType, /* xmlSecTransformGetDataTypeMethod getDataType; */ - xmlSecTransformDefaultPushBin, /* xmlSecTransformPushBinMethod pushBin; */ - xmlSecTransformDefaultPopBin, /* xmlSecTransformPopBinMethod popBin; */ - NULL, /* xmlSecTransformPushXmlMethod pushXml; */ - NULL, /* xmlSecTransformPopXmlMethod popXml; */ - xmlSecOpenSSLEvpSignatureExecute, /* xmlSecTransformExecuteMethod execute; */ - - NULL, /* void* reserved0; */ - NULL, /* void* reserved1; */ -}; - -/** - * xmlSecOpenSSLTransformGost2001GostR3411_94GetKlass: - * - * The GOST2001-GOSTR3411_94 signature transform klass. - * - * Returns: GOST2001-GOSTR3411_94 signature transform klass. - */ -xmlSecTransformId -xmlSecOpenSSLTransformGost2001GostR3411_94GetKlass(void) { - return(&xmlSecOpenSSLGost2001GostR3411_94Klass); -} -#endif /* XMLSEC_NO_GOST*/ diff --git a/src/openssl/symkeys.c b/src/openssl/symkeys.c index 6195ed6d..78d29e29 100644 --- a/src/openssl/symkeys.c +++ b/src/openssl/symkeys.c @@ -7,7 +7,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -181,11 +181,9 @@ xmlSecOpenSSLSymKeyDataKlassCheck(xmlSecKeyDataKlass* klass) { #endif /* XMLSEC_NO_DES */ #ifndef XMLSEC_NO_AES -#ifndef XMLSEC_OPENSSL_096 if(klass == xmlSecOpenSSLKeyDataAesId) { return(1); } -#endif /* XMLSEC_OPENSSL_096 */ #endif /* XMLSEC_NO_AES */ #ifndef XMLSEC_NO_HMAC @@ -198,7 +196,6 @@ xmlSecOpenSSLSymKeyDataKlassCheck(xmlSecKeyDataKlass* klass) { } #ifndef XMLSEC_NO_AES -#ifndef XMLSEC_OPENSSL_096 /************************************************************************** * * <xmlsec:AESKeyValue> processing @@ -277,8 +274,6 @@ xmlSecOpenSSLKeyDataAesSet(xmlSecKeyDataPtr data, const xmlSecByte* buf, xmlSecS return(xmlSecBufferSetData(buffer, buf, bufSize)); } - -#endif /* XMLSEC_OPENSSL_096 */ #endif /* XMLSEC_NO_AES */ #ifndef XMLSEC_NO_DES diff --git a/src/openssl/x509.c b/src/openssl/x509.c index 459a312d..891db6b6 100644 --- a/src/openssl/x509.c +++ b/src/openssl/x509.c @@ -7,7 +7,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -1751,7 +1751,6 @@ xmlSecOpenSSLX509CertGetTime(ASN1_TIME* t, time_t* res) { xmlSecAssert2(res != NULL, -1); (*res) = 0; -#ifndef XMLSEC_OPENSSL_096 if(!ASN1_TIME_check(t)) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, @@ -1760,7 +1759,6 @@ xmlSecOpenSSLX509CertGetTime(ASN1_TIME* t, time_t* res) { XMLSEC_ERRORS_NO_MESSAGE); return(-1); } -#endif /* XMLSEC_OPENSSL_096 */ memset(&tm, 0, sizeof(tm)); @@ -1941,7 +1939,7 @@ xmlSecOpenSSLX509CertBase64DerWrite(X509* cert, int base64LineWrap) { /* todo: add error checks */ i2d_X509_bio(mem, cert); - BIO_flush(mem); + (void)BIO_flush(mem); size = BIO_get_mem_data(mem, &p); if((size <= 0) || (p == NULL)){ @@ -2055,7 +2053,7 @@ xmlSecOpenSSLX509CrlBase64DerWrite(X509_CRL* crl, int base64LineWrap) { /* todo: add error checks */ i2d_X509_CRL_bio(mem, crl); - BIO_flush(mem); + (void)BIO_flush(mem); size = BIO_get_mem_data(mem, &p); if((size <= 0) || (p == NULL)){ @@ -2111,7 +2109,7 @@ xmlSecOpenSSLX509NameWrite(X509_NAME* nm) { return(NULL); } - BIO_flush(mem); /* should call flush ? */ + (void)BIO_flush(mem); /* should call flush ? */ size = BIO_pending(mem); res = xmlMalloc(size + 1); @@ -2218,21 +2216,21 @@ xmlSecOpenSSLX509SKIWrite(X509* cert) { "X509V3_EXT_d2i", XMLSEC_ERRORS_R_CRYPTO_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - M_ASN1_OCTET_STRING_free(keyId); + ASN1_OCTET_STRING_free(keyId); return(NULL); } - res = xmlSecBase64Encode(M_ASN1_STRING_data(keyId), M_ASN1_STRING_length(keyId), 0); + res = xmlSecBase64Encode(ASN1_STRING_data(keyId), ASN1_STRING_length(keyId), 0); if(res == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, "xmlSecBase64Encode", XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); - M_ASN1_OCTET_STRING_free(keyId); + ASN1_OCTET_STRING_free(keyId); return(NULL); } - M_ASN1_OCTET_STRING_free(keyId); + ASN1_OCTET_STRING_free(keyId); return(res); } diff --git a/src/openssl/x509vfy.c b/src/openssl/x509vfy.c index fe51da4e..5560526b 100644 --- a/src/openssl/x509vfy.c +++ b/src/openssl/x509vfy.c @@ -7,7 +7,7 @@ * This is free software; see Copyright file in the source * distribution for preciese wording. * - * Copyright (C) 2002-2003 Aleksey Sanin <aleksey@aleksey.com> + * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved. */ #include "globals.h" @@ -37,6 +37,11 @@ #include <xmlsec/openssl/evp.h> #include <xmlsec/openssl/x509.h> +/* new API from OpenSSL 1.1.0 */ +#if !defined(XMLSEC_OPENSSL_110) +#define X509_REVOKED_get0_serialNumber(x) ((x)->serialNumber) +#endif /* !defined(XMLSEC_OPENSSL_110) */ + /************************************************************************** * * Internal OpenSSL X509 store CTX @@ -48,10 +53,7 @@ struct _xmlSecOpenSSLX509StoreCtx { X509_STORE* xst; STACK_OF(X509)* untrusted; STACK_OF(X509_CRL)* crls; - -#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) X509_VERIFY_PARAM * vpm; -#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ }; /**************************************************************************** @@ -107,11 +109,13 @@ static int xmlSecOpenSSLX509NameStringRead (xmlSecB int ingoreTrailingSpaces); static int xmlSecOpenSSLX509NamesCompare (X509_NAME *a, X509_NAME *b); -static int xmlSecOpenSSLX509_NAME_cmp (const X509_NAME * a, - const X509_NAME * b); +static STACK_OF(X509_NAME_ENTRY)* xmlSecOpenSSLX509_NAME_ENTRIES_copy (X509_NAME *a); +static int xmlSecOpenSSLX509_NAME_ENTRIES_cmp (STACK_OF(X509_NAME_ENTRY) * a, + STACK_OF(X509_NAME_ENTRY) * b); static int xmlSecOpenSSLX509_NAME_ENTRY_cmp (const X509_NAME_ENTRY * const *a, const X509_NAME_ENTRY * const *b); + /** * xmlSecOpenSSLX509StoreGetKlass: * @@ -178,7 +182,7 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* X509 * cert; X509 * err_cert = NULL; char buf[256]; - int err = 0, depth; + int err = 0; int i; int ret; @@ -287,49 +291,41 @@ xmlSecOpenSSLX509StoreVerify(xmlSecKeyDataStorePtr store, XMLSEC_STACK_OF_X509* if(xmlSecOpenSSLX509FindNextChainCert(certs2, cert) == NULL) { X509_STORE_CTX xsc; -#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - X509_VERIFY_PARAM * vpm = NULL; - unsigned long vpm_flags = 0; - - vpm = X509_VERIFY_PARAM_new(); - if(vpm == NULL) { - xmlSecError(XMLSEC_ERRORS_HERE, - xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), - "X509_VERIFY_PARAM_new", - XMLSEC_ERRORS_R_CRYPTO_FAILED, - XMLSEC_ERRORS_NO_MESSAGE); - goto done; + X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2); + if(keyInfoCtx->certsVerificationTime > 0) { + X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime); } - vpm_flags = vpm->flags; -/* - vpm_flags &= (~X509_V_FLAG_X509_STRICT); -*/ - vpm_flags &= (~X509_V_FLAG_CRL_CHECK); - X509_VERIFY_PARAM_set_depth(vpm, 9); - X509_VERIFY_PARAM_set_flags(vpm, vpm_flags); -#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ + { + X509_VERIFY_PARAM * vpm = NULL; + unsigned long vpm_flags = 0; + vpm = X509_VERIFY_PARAM_new(); + if(vpm == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + xmlSecErrorsSafeString(xmlSecKeyDataStoreGetName(store)), + "X509_VERIFY_PARAM_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + goto done; + } + vpm_flags = X509_VERIFY_PARAM_get_flags(vpm); + vpm_flags &= (~X509_V_FLAG_CRL_CHECK); - X509_STORE_CTX_init (&xsc, ctx->xst, cert, certs2); + if(keyInfoCtx->certsVerificationTime > 0) { + vpm_flags |= X509_V_FLAG_USE_CHECK_TIME; + X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime); + } - if(keyInfoCtx->certsVerificationTime > 0) { -#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - vpm_flags |= X509_V_FLAG_USE_CHECK_TIME; - X509_VERIFY_PARAM_set_time(vpm, keyInfoCtx->certsVerificationTime); -#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - X509_STORE_CTX_set_time(&xsc, 0, keyInfoCtx->certsVerificationTime); + X509_VERIFY_PARAM_set_depth(vpm, 9); + X509_VERIFY_PARAM_set_flags(vpm, vpm_flags); + X509_STORE_CTX_set0_param(&xsc, vpm); } -#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) - X509_STORE_CTX_set0_param(&xsc, vpm); -#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - ret = X509_verify_cert(&xsc); err_cert = X509_STORE_CTX_get_current_cert(&xsc); err = X509_STORE_CTX_get_error(&xsc); - depth = X509_STORE_CTX_get_error_depth(&xsc); X509_STORE_CTX_cleanup (&xsc); @@ -684,7 +680,6 @@ xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) { return(-1); } -#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) ctx->vpm = X509_VERIFY_PARAM_new(); if(ctx->vpm == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, @@ -697,9 +692,6 @@ xmlSecOpenSSLX509StoreInitialize(xmlSecKeyDataStorePtr store) { X509_VERIFY_PARAM_set_depth(ctx->vpm, 9); /* the default cert verification path in openssl */ X509_STORE_set1_param(ctx->xst, ctx->vpm); -#else /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ - ctx->xst->depth = 9; /* the default cert verification path in openssl */ -#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ return(0); } @@ -722,11 +714,9 @@ xmlSecOpenSSLX509StoreFinalize(xmlSecKeyDataStorePtr store) { if(ctx->crls != NULL) { sk_X509_CRL_pop_free(ctx->crls, X509_CRL_free); } -#if !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) if(ctx->vpm != NULL) { X509_VERIFY_PARAM_free(ctx->vpm); } -#endif /* !defined(XMLSEC_OPENSSL_096) && !defined(XMLSEC_OPENSSL_097) */ memset(ctx, 0, sizeof(xmlSecOpenSSLX509StoreCtx)); } @@ -906,10 +896,10 @@ xmlSecOpenSSLX509FindCert(STACK_OF(X509) *certs, xmlChar *subjectName, keyId = X509V3_EXT_d2i(ext); if((keyId != NULL) && (keyId->length == len) && (memcmp(keyId->data, ski, len) == 0)) { - M_ASN1_OCTET_STRING_free(keyId); + ASN1_OCTET_STRING_free(keyId); return(cert); } - M_ASN1_OCTET_STRING_free(keyId); + ASN1_OCTET_STRING_free(keyId); } } } @@ -951,6 +941,7 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) { * Try to retrieve a CRL corresponding to the issuer of * the current certificate */ + issuer = X509_get_issuer_name(cert); n = sk_X509_CRL_num(crls); for(i = 0; i < n; i++) { crl = sk_X509_CRL_value(crls, i); @@ -958,7 +949,6 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) { continue; } - issuer = X509_CRL_get_issuer(crl); if(xmlSecOpenSSLX509NamesCompare(X509_CRL_get_issuer(crl), issuer) == 0) { break; } @@ -983,7 +973,7 @@ xmlSecOpenSSLX509VerifyCertAgainstCrls(STACK_OF(X509_CRL) *crls, X509* cert) { n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); for (i = 0; i < n; i++) { revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); - if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(cert)) == 0) { + if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), X509_get_serialNumber(cert)) == 0) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, NULL, @@ -1171,21 +1161,47 @@ xmlSecOpenSSLX509NameStringRead(xmlSecByte **str, int *strLen, return((ingoreTrailingSpaces) ? nonSpace - res + 1 : q - res); } +/** + * This function DOES NOT create duplicates for X509_NAME_ENTRY objects! + */ +static STACK_OF(X509_NAME_ENTRY)* +xmlSecOpenSSLX509_NAME_ENTRIES_copy(X509_NAME * a) { + STACK_OF(X509_NAME_ENTRY) * res = NULL; + int ii; + + res = sk_X509_NAME_ENTRY_new(xmlSecOpenSSLX509_NAME_ENTRY_cmp); + if(res == NULL) { + xmlSecError(XMLSEC_ERRORS_HERE, + NULL, + "sk_X509_NAME_ENTRY_new", + XMLSEC_ERRORS_R_CRYPTO_FAILED, + XMLSEC_ERRORS_NO_MESSAGE); + return(NULL); + } + + for (ii = X509_NAME_entry_count(a) - 1; ii >= 0; --ii) { + sk_X509_NAME_ENTRY_push(res, X509_NAME_get_entry(a, ii)); + } + + return (res); +} + static -int xmlSecOpenSSLX509_NAME_cmp(const X509_NAME * a, const X509_NAME * b) { - int i,ret; - const X509_NAME_ENTRY *na,*nb; +int xmlSecOpenSSLX509_NAME_ENTRIES_cmp(STACK_OF(X509_NAME_ENTRY)* a, STACK_OF(X509_NAME_ENTRY)* b) { + const X509_NAME_ENTRY *na; + const X509_NAME_ENTRY *nb; + int ii, ret; xmlSecAssert2(a != NULL, -1); xmlSecAssert2(b != NULL, 1); - if (sk_X509_NAME_ENTRY_num(a->entries) != sk_X509_NAME_ENTRY_num(b->entries)) { - return sk_X509_NAME_ENTRY_num(a->entries) - sk_X509_NAME_ENTRY_num(b->entries); + if (sk_X509_NAME_ENTRY_num(a) != sk_X509_NAME_ENTRY_num(b)) { + return sk_X509_NAME_ENTRY_num(a) - sk_X509_NAME_ENTRY_num(b); } - for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) { - na=sk_X509_NAME_ENTRY_value(a->entries,i); - nb=sk_X509_NAME_ENTRY_value(b->entries,i); + for (ii = sk_X509_NAME_ENTRY_num(a) - 1; ii >= 0; --ii) { + na = sk_X509_NAME_ENTRY_value(a, ii); + nb = sk_X509_NAME_ENTRY_value(b, ii); ret = xmlSecOpenSSLX509_NAME_ENTRY_cmp(&na, &nb); if(ret != 0) { @@ -1205,49 +1221,52 @@ int xmlSecOpenSSLX509_NAME_cmp(const X509_NAME * a, const X509_NAME * b) { */ static int xmlSecOpenSSLX509NamesCompare(X509_NAME *a, X509_NAME *b) { - X509_NAME *a1 = NULL; - X509_NAME *b1 = NULL; + STACK_OF(X509_NAME_ENTRY) *a1 = NULL; + STACK_OF(X509_NAME_ENTRY) *b1 = NULL; int ret; xmlSecAssert2(a != NULL, -1); xmlSecAssert2(b != NULL, 1); - a1 = X509_NAME_dup(a); + a1 = xmlSecOpenSSLX509_NAME_ENTRIES_copy(a); if(a1 == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "X509_NAME_dup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, + "xmlSecOpenSSLX509_NAME_ENTRIES_copy", + XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); return(-1); } - b1 = X509_NAME_dup(b); + b1 = xmlSecOpenSSLX509_NAME_ENTRIES_copy(b); if(b1 == NULL) { xmlSecError(XMLSEC_ERRORS_HERE, NULL, - "X509_NAME_dup", - XMLSEC_ERRORS_R_CRYPTO_FAILED, + "xmlSecOpenSSLX509_NAME_ENTRIES_copy", + XMLSEC_ERRORS_R_XMLSEC_FAILED, XMLSEC_ERRORS_NO_MESSAGE); + sk_X509_NAME_ENTRY_free(a1); return(1); } /* sort both */ - (void)sk_X509_NAME_ENTRY_set_cmp_func(a1->entries, xmlSecOpenSSLX509_NAME_ENTRY_cmp); - sk_X509_NAME_ENTRY_sort(a1->entries); - (void)sk_X509_NAME_ENTRY_set_cmp_func(b1->entries, xmlSecOpenSSLX509_NAME_ENTRY_cmp); - sk_X509_NAME_ENTRY_sort(b1->entries); + (void)sk_X509_NAME_ENTRY_set_cmp_func(a1, xmlSecOpenSSLX509_NAME_ENTRY_cmp); + sk_X509_NAME_ENTRY_sort(a1); + (void)sk_X509_NAME_ENTRY_set_cmp_func(b1, xmlSecOpenSSLX509_NAME_ENTRY_cmp); + sk_X509_NAME_ENTRY_sort(b1); /* actually compare */ - ret = xmlSecOpenSSLX509_NAME_cmp(a1, b1); + ret = xmlSecOpenSSLX509_NAME_ENTRIES_cmp(a1, b1); /* cleanup */ - X509_NAME_free(a1); - X509_NAME_free(b1); + sk_X509_NAME_ENTRY_free(a1); + sk_X509_NAME_ENTRY_free(b1); return(ret); } static int xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY * const *a, const X509_NAME_ENTRY * const *b) { + ASN1_STRING *a_value, *b_value; + ASN1_OBJECT *a_name, *b_name; int ret; xmlSecAssert2(a != NULL, -1); @@ -1255,27 +1274,44 @@ xmlSecOpenSSLX509_NAME_ENTRY_cmp(const X509_NAME_ENTRY * const *a, const X509_NA xmlSecAssert2((*a) != NULL, -1); xmlSecAssert2((*b) != NULL, 1); + /* first compare values */ - if(((*a)->value == NULL) && ((*b)->value != NULL)) { + a_value = X509_NAME_ENTRY_get_data((X509_NAME_ENTRY*)(*a)); + b_value = X509_NAME_ENTRY_get_data((X509_NAME_ENTRY*)(*b)); + + if((a_value == NULL) && (b_value != NULL)) { return(-1); - } else if(((*a)->value != NULL) && ((*b)->value == NULL)) { + } else if((a_value != NULL) && (b_value == NULL)) { return(1); - } else if(((*a)->value == NULL) && ((*b)->value == NULL)) { + } else if((a_value == NULL) && (b_value == NULL)) { return(0); } - ret = (*a)->value->length - (*b)->value->length; + ret = ASN1_STRING_length(a_value) - ASN1_STRING_length(b_value); if(ret != 0) { return(ret); } - ret = memcmp((*a)->value->data, (*b)->value->data, (*a)->value->length); - if(ret != 0) { - return(ret); + if(ASN1_STRING_length(a_value) > 0) { + ret = memcmp(ASN1_STRING_data(a_value), ASN1_STRING_data(b_value), ASN1_STRING_length(a_value)); + if(ret != 0) { + return(ret); + } } /* next compare names */ - return(OBJ_cmp((*a)->object, (*b)->object)); + a_name = X509_NAME_ENTRY_get_object((X509_NAME_ENTRY*)(*a)); + b_name = X509_NAME_ENTRY_get_object((X509_NAME_ENTRY*)(*b)); + + if((a_name == NULL) && (b_name != NULL)) { + return(-1); + } else if((a_name != NULL) && (b_name == NULL)) { + return(1); + } else if((a_name == NULL) && (b_name == NULL)) { + return(0); + } + + return(OBJ_cmp(a_name, b_name)); } |