Skip to content
This repository was archived by the owner on Aug 31, 2021. It is now read-only.

Commit d982b05

Browse files
livecodefraserlivecodefraser
committed
Update our use of OpenSSL to be 1.1.0-compatible
The biggest change is that most objects are now opaque and accessor methods now need to be used instead of direct access.
1 parent 1b82252 commit d982b05

3 files changed

Lines changed: 51 additions & 47 deletions

File tree

engine/src/deploy_sign.cpp

Lines changed: 36 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,8 @@ along with LiveCode. If not see <http://www.gnu.org/licenses/>. */
4040
#include <openssl/x509.h>
4141
#include <openssl/pkcs7.h>
4242
#include <openssl/asn1t.h>
43+
#include <openssl/bn.h>
44+
#include <openssl/rsa.h>
4345

4446
////////////////////////////////////////////////////////////////////////////////
4547

@@ -1488,27 +1490,27 @@ bool MCDeploySignLoadPVK(MCStringRef p_filename, MCStringRef p_passphrase, EVP_P
14881490
// Compute the passkey. This is done by taking the first 16 bytes
14891491
// of SHA1(salt & passphrase).
14901492
uint8_t t_passkey[EVP_MAX_KEY_LENGTH];
1491-
EVP_MD_CTX t_md;
1492-
if (t_success && EVP_DigestInit(&t_md, EVP_sha1()))
1493+
MCAutoCustomPointer<EVP_MD_CTX, EVP_MD_CTX_free> t_md = EVP_MD_CTX_new();
1494+
if (t_success && EVP_DigestInit(*t_md, EVP_sha1()))
14931495
{
14941496
MCAutoStringRefAsCString t_passphrase;
14951497
t_success = t_passphrase . Lock(p_passphrase);
14961498

1497-
EVP_DigestUpdate(&t_md, t_salt, t_header . salt_length);
1498-
EVP_DigestUpdate(&t_md, *t_passphrase, strlen(*t_passphrase));
1499-
EVP_DigestFinal(&t_md, t_passkey, NULL);
1499+
EVP_DigestUpdate(*t_md, t_salt, t_header . salt_length);
1500+
EVP_DigestUpdate(*t_md, *t_passphrase, strlen(*t_passphrase));
1501+
EVP_DigestFinal(*t_md, t_passkey, NULL);
15001502
}
15011503

15021504
// Now, first we see if the PVK can be decrypted using the strong form
15031505
// of password generation - that is the first 16 bytes of the hash we
15041506
// just made.
1505-
EVP_CIPHER_CTX t_cipher;
1507+
MCAutoCustomPointer<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> t_cipher = EVP_CIPHER_CTX_new();
15061508
int t_cipher_output;
15071509
t_cipher_output = 0;
1508-
if (t_success && EVP_DecryptInit(&t_cipher, EVP_rc4(), t_passkey, nil))
1510+
if (t_success && EVP_DecryptInit(*t_cipher, EVP_rc4(), t_passkey, nil))
15091511
{
1510-
EVP_DecryptUpdate(&t_cipher, t_new_key_data, &t_cipher_output, t_key_data, t_header . key_length);
1511-
EVP_DecryptFinal(&t_cipher, t_new_key_data + t_cipher_output, &t_cipher_output);
1512+
EVP_DecryptUpdate(*t_cipher, t_new_key_data, &t_cipher_output, t_key_data, t_header . key_length);
1513+
EVP_DecryptFinal(*t_cipher, t_new_key_data + t_cipher_output, &t_cipher_output);
15121514
}
15131515

15141516
// Check to see if 'RSA2' is the first four bytes of the output, and if
@@ -1518,10 +1520,10 @@ bool MCDeploySignLoadPVK(MCStringRef p_filename, MCStringRef p_passphrase, EVP_P
15181520
{
15191521
t_cipher_output = 0;
15201522
MCMemoryClear(t_passkey + 5, 11);
1521-
if (EVP_DecryptInit(&t_cipher, EVP_rc4(), t_passkey, nil))
1523+
if (EVP_DecryptInit(*t_cipher, EVP_rc4(), t_passkey, nil))
15221524
{
1523-
EVP_DecryptUpdate(&t_cipher, t_new_key_data, &t_cipher_output, t_key_data, t_header . key_length);
1524-
EVP_DecryptFinal(&t_cipher, t_new_key_data + t_cipher_output, &t_cipher_output);
1525+
EVP_DecryptUpdate(*t_cipher, t_new_key_data, &t_cipher_output, t_key_data, t_header . key_length);
1526+
EVP_DecryptFinal(*t_cipher, t_new_key_data + t_cipher_output, &t_cipher_output);
15251527
}
15261528
}
15271529

@@ -1575,24 +1577,36 @@ bool MCDeploySignLoadPVK(MCStringRef p_filename, MCStringRef p_passphrase, EVP_P
15751577
// byte sequences in little-endian order.
15761578

15771579
// The exponent is first - this is just a 32-bit number, so we deal with it explicitly.
1580+
typedef MCAutoCustomPointer<BIGNUM, BN_free> MCAutoBignum;
1581+
MCAutoBignum t_rsa_e;
15781582
if (t_success)
15791583
{
1580-
t_rsa -> e = BN_new();
1581-
if (t_rsa -> e == nil ||
1582-
!BN_set_word(t_rsa -> e, t_rsa_header . exponent))
1584+
t_rsa_e = BN_new();
1585+
if (!t_rsa_e || !BN_set_word(&t_rsa_e, t_rsa_header.exponent))
15831586
t_success = MCDeployThrowOpenSSL(kMCDeployErrorNoMemory);
15841587
}
15851588

15861589
// The rest of the numbers for the RSA2 key need special processing.
1590+
MCAutoBignum t_rsa_n;
1591+
MCAutoBignum t_rsa_p;
1592+
MCAutoBignum t_rsa_q;
1593+
MCAutoBignum t_rsa_dmp1;
1594+
MCAutoBignum t_rsa_dmq1;
1595+
MCAutoBignum t_rsa_iqmp;
1596+
MCAutoBignum t_rsa_d;
15871597
if (t_success)
1588-
if (!read_le_bignum(t_rsa_data, t_key_byte_length, t_rsa -> n) ||
1589-
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, t_rsa -> p) ||
1590-
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, t_rsa -> q) ||
1591-
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, t_rsa -> dmp1) ||
1592-
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, t_rsa -> dmq1) ||
1593-
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, t_rsa -> iqmp) ||
1594-
!read_le_bignum(t_rsa_data, t_key_byte_length, t_rsa -> d))
1598+
if (!read_le_bignum(t_rsa_data, t_key_byte_length, &t_rsa_n) ||
1599+
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, &t_rsa_p) ||
1600+
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, &t_rsa_q) ||
1601+
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, &t_rsa_dmp1) ||
1602+
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, &t_rsa_dmq1) ||
1603+
!read_le_bignum(t_rsa_data, t_key_byte_length / 2, &t_rsa_iqmp) ||
1604+
!read_le_bignum(t_rsa_data, t_key_byte_length, &t_rsa_d))
15951605
t_success = MCDeployThrowOpenSSL(kMCDeployErrorNoMemory);
1606+
1607+
RSA_set0_key(t_rsa, t_rsa_n.Release(), t_rsa_e.Release(), t_rsa_d.Release());
1608+
RSA_set0_factors(t_rsa, t_rsa_p.Release(), t_rsa_q.Release());
1609+
RSA_set0_crt_params(t_rsa, t_rsa_dmp1.Release(), t_rsa_dmq1.Release(), t_rsa_iqmp.Release());
15961610

15971611
// We now have the RSA key, so wrap it in an EVP_PKEY and return.
15981612
EVP_PKEY *t_pkey;

engine/src/mcssl.cpp

Lines changed: 13 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,7 @@ along with LiveCode. If not see <http://www.gnu.org/licenses/>. */
3838
#include <openssl/evp.h>
3939
#include <openssl/err.h>
4040
#include <openssl/rand.h>
41+
#include <openssl/rsa.h>
4142
#include <openssl/ssl.h>
4243
#include <openssl/x509v3.h>
4344
#endif
@@ -103,8 +104,8 @@ Boolean InitSSLCrypt()
103104
return False;
104105

105106
#ifdef MCSSL
106-
ERR_load_crypto_strings();
107-
OpenSSL_add_all_ciphers();
107+
OPENSSL_init_ssl(0, NULL);
108+
108109
RAND_seed(&MCrandomseed,I4L);
109110
cryptinited = True;
110111

@@ -454,17 +455,17 @@ char *SSL_encode(Boolean isdecrypt, const char *ciphername,
454455
int4 res = 0;
455456

456457
//set up cipher context
457-
EVP_CIPHER_CTX ctx;
458-
EVP_CIPHER_CTX_init(&ctx);
458+
MCAutoCustomPointer<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> ctx = EVP_CIPHER_CTX_new();
459+
EVP_CIPHER_CTX_reset(*ctx);
459460
//init context with cipher and specify operation
460-
if (EVP_CipherInit(&ctx, cipher,NULL, NULL, operation) == 0)
461+
if (EVP_CipherInit(*ctx, cipher,NULL, NULL, operation) == 0)
461462
return NULL;
462463

463464
//try setting keylength if specified. This will fail for some ciphers.
464-
if (keylen && EVP_CIPHER_CTX_set_key_length(&ctx, keylen/8) == 0)
465+
if (keylen && EVP_CIPHER_CTX_set_key_length(*ctx, keylen/8) == 0)
465466
return NULL;
466467
//get new keylength in bytes
467-
int4 curkeylength = EVP_CIPHER_CTX_key_length(&ctx);
468+
int4 curkeylength = EVP_CIPHER_CTX_key_length(*ctx);
468469
//zero key and iv
469470
memset(key,0,EVP_MAX_KEY_LENGTH);
470471
memset(iv,0,EVP_MAX_IV_LENGTH);
@@ -516,14 +517,14 @@ char *SSL_encode(Boolean isdecrypt, const char *ciphername,
516517
memcpy(iv,ivstr,MCU_min(ivlen,EVP_MAX_IV_LENGTH));
517518
}
518519

519-
if (EVP_CipherInit(&ctx, NULL, key, iv, operation) == 0)
520+
if (EVP_CipherInit(*ctx, NULL, key, iv, operation) == 0)
520521
return NULL;
521522
int4 tmp, ol;
522523
ol = 0;
523524

524525
//allocate memory to hold encrypted/decrypted data + an extra block + null terminator for block ciphers.
525526
unsigned char *outdata = nil;
526-
if (!MCMemoryAllocate(inlen + EVP_CIPHER_CTX_block_size(&ctx) + 1 + sizeof(magic) + sizeof(saltbuf), outdata))
527+
if (!MCMemoryAllocate(inlen + EVP_CIPHER_CTX_block_size(*ctx) + 1 + sizeof(magic) + sizeof(saltbuf), outdata))
527528
{
528529
outlen = 791;
529530
return NULL;
@@ -543,7 +544,7 @@ char *SSL_encode(Boolean isdecrypt, const char *ciphername,
543544
// MW-2007-02-13: [[Bug 4258]] - SSL now fails an assertion if datalen == 0
544545
if (tend - data > 0)
545546
{
546-
if (EVP_CipherUpdate(&ctx,&outdata[ol],&tmp,(unsigned char *)data,tend-data) == 0)
547+
if (EVP_CipherUpdate(*ctx, &outdata[ol], &tmp, (unsigned char *)data, tend-data) == 0)
547548
{
548549
MCMemoryDeallocate(outdata);
549550
return NULL;
@@ -552,15 +553,15 @@ char *SSL_encode(Boolean isdecrypt, const char *ciphername,
552553
}
553554

554555
//for padding
555-
if (EVP_CipherFinal(&ctx,&outdata[ol],&tmp) == 0)
556+
if (EVP_CipherFinal(*ctx, &outdata[ol], &tmp) == 0)
556557
{
557558
MCMemoryDeallocate(outdata);
558559
return NULL;
559560
}
560561
outlen = ol + tmp;
561562

562563
//cleam up context and return data
563-
EVP_CIPHER_CTX_cleanup(&ctx);
564+
EVP_CIPHER_CTX_reset(*ctx);
564565
outdata[outlen] = 0; //null terminate data
565566

566567
return (char *)outdata;
@@ -653,9 +654,6 @@ void ShutdownSSL()
653654
#ifdef MCSSL
654655
if (cryptinited)
655656
{
656-
657-
EVP_cleanup();
658-
ERR_free_strings();
659657
#if !defined(_SERVER)
660658
finalise_weak_link_crypto();
661659
finalise_weak_link_ssl();
@@ -910,7 +908,6 @@ bool ssl_set_default_certificates(SSL_CTX *p_ssl_ctx)
910908
#ifdef TARGET_PLATFORM_MACOS_X
911909
bool export_system_root_cert_stack(STACK_OF(X509) *&r_x509_stack)
912910
{
913-
#if MAC_OS_X_VERSION_MAX_ALLOWED > MAC_OS_X_VERSION_10_6
914911
bool t_success = true;
915912

916913
CFArrayRef t_anchors = NULL;
@@ -951,9 +948,6 @@ bool export_system_root_cert_stack(STACK_OF(X509) *&r_x509_stack)
951948
free_x509_stack(t_stack);
952949

953950
return t_success;
954-
#else
955-
return false;
956-
#endif
957951
}
958952

959953
bool export_system_crl_stack(STACK_OF(X509_CRL) *&r_crls)

engine/src/opensslsocket.cpp

Lines changed: 2 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2031,11 +2031,7 @@ Boolean MCSocket::sslinit()
20312031

20322032
if (!InitSSLCrypt())
20332033
return False;
2034-
SSL_library_init();
2035-
SSL_load_error_strings();
20362034

2037-
//consider using SSL_load_error_strings() for SSL error strings;
2038-
// ENGINE_load_builtin_engines();
20392035
sslinited = True;
20402036
}
20412037
return sslinited;
@@ -2050,7 +2046,7 @@ Boolean MCSocket::initsslcontext()
20502046

20512047
bool t_success = true;
20522048

2053-
t_success = NULL != (_ssl_context = SSL_CTX_new(SSLv23_method()));
2049+
t_success = NULL != (_ssl_context = SSL_CTX_new(TLS_method()));
20542050

20552051
if (t_success)
20562052
t_success = MCSSLContextLoadCertificates(_ssl_context, &sslerror);
@@ -2244,7 +2240,7 @@ static long post_connection_check(SSL *ssl, char *host)
22442240
for (int32_t i = 0; i < sk_GENERAL_NAME_num(t_alt_names); i++)
22452241
{
22462242
GENERAL_NAME *t_name = sk_GENERAL_NAME_value(t_alt_names, i);
2247-
if (t_name->type == GEN_DNS && ssl_match_identity((char*)ASN1_STRING_data(t_name->d.ia5), host))
2243+
if (t_name->type == GEN_DNS && ssl_match_identity((char*)ASN1_STRING_get0_data(t_name->d.ia5), host))
22482244
{
22492245
ok = 1;
22502246
break;

0 commit comments

Comments
 (0)