[Openvpn-devel] [PATCH 4/7] OpenSSL: don't use direct access to the internal of DSA

Emmanuel Deloget Fri, 19 May 2017 03:40:33 -0700

OpenSSL 1.1 does not allow us to directly access the internal of
any data type, including DSA. We have to use the defined
functions to do so.


Compatibility with OpenSSL 1.0 is kept by defining the corresponding
functions when they are not found in the library.

Signed-off-by: Emmanuel Deloget <log...@free.fr>
---
 configure.ac                 |  1 +
 src/openvpn/openssl_compat.h | 28 ++++++++++++++++++++++++++++
 src/openvpn/ssl_openssl.c    | 13 +++++++++----
 3 files changed, 38 insertions(+), 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index e4c053c8..d2dc1ffd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -932,6 +932,7 @@ if test "${enable_crypto}" = "yes" -a 
"${with_crypto_library}" = "openssl"; then
                        RSA_set_flags \
                        RSA_get0_key \
                        RSA_set0_key \
+                       DSA_get0_pqg \
                        RSA_meth_new \
                        RSA_meth_free \
                        RSA_meth_set_pub_enc \
diff --git a/src/openvpn/openssl_compat.h b/src/openvpn/openssl_compat.h
index 29cd13a4..fdfc4a27 100644
--- a/src/openvpn/openssl_compat.h
+++ b/src/openvpn/openssl_compat.h
@@ -260,6 +260,34 @@ RSA_set0_key(RSA *rsa, BIGNUM *n, BIGNUM *e, BIGNUM *d)
 }
 #endif
 
+#if !defined(HAVE_DSA_GET0_PQG)
+/**
+ * Get the DSA parameters
+ *
+ * @param dsa                 The DSA object
+ * @param p                   The @c p parameter
+ * @param q                   The @c q parameter
+ * @param g                   The @c g parameter
+ */
+static inline void
+DSA_get0_pqg(const DSA *dsa, const BIGNUM **p,
+             const BIGNUM **q, const BIGNUM **g)
+{
+    if (p != NULL)
+    {
+        *p = dsa ? dsa->p : NULL;
+    }
+    if (q != NULL)
+    {
+        *q = dsa ? dsa->q : NULL;
+    }
+    if (g != NULL)
+    {
+        *g = dsa ? dsa->g : NULL;
+    }
+}
+#endif
+
 #if !defined(HAVE_RSA_METH_NEW)
 /**
  * Allocate a new RSA method object
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 48479c0d..242ab397 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -1691,11 +1691,16 @@ print_details(struct key_state_ssl *ks_ssl, const char 
*prefix)
                                      BN_num_bits(n));
                 }
             }
-            else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && 
EVP_PKEY_get0_DSA(pkey) != NULL
-                     && pkey->pkey.dsa->p != NULL)
+            else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && 
EVP_PKEY_get0_DSA(pkey) != NULL)
             {
-                openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
-                                 BN_num_bits(pkey->pkey.dsa->p));
+                DSA *dsa = EVP_PKEY_get0_DSA(pkey);
+                const BIGNUM *p = NULL;
+                DSA_get0_pqg(dsa, &p, NULL, NULL);
+                if (p != NULL)
+                {
+                    openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
+                                     BN_num_bits(p));
+                }
             }
             EVP_PKEY_free(pkey);
         }
-- 
2.11.0


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel

[Openvpn-devel] [PATCH 4/7] OpenSSL: don't use direct access to the internal of DSA

Reply via email to