diff options
author | Marc-André Lureau <marcandre.lureau@redhat.com> | 2022-07-19 14:23:47 +0400 |
---|---|---|
committer | Frediano Ziglio <freddy77@gmail.com> | 2022-08-03 19:03:08 +0100 |
commit | dc40a18092808e2ce0ce6e352a446bccf21b49ca (patch) | |
tree | 53720f6d3b59af9075a2111b6c05d2f1c049a7cb | |
parent | 36f501ef7567c390b9c25cc6c3e59ab37e051942 (diff) |
Fix OpenSSL 3.0 API deprecations
Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
-rw-r--r-- | server/reds-private.h | 4 | ||||
-rw-r--r-- | server/reds.cpp | 100 |
2 files changed, 91 insertions, 13 deletions
diff --git a/server/reds-private.h b/server/reds-private.h index fc867fa3..4e52828d 100644 --- a/server/reds-private.h +++ b/server/reds-private.h @@ -38,7 +38,11 @@ struct TicketAuthentication { }; struct TicketInfo { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *rsa; +#else RSA *rsa; +#endif int rsa_size; BIGNUM *bn; SpiceLinkEncryptedTicket encrypted_ticket; diff --git a/server/reds.cpp b/server/reds.cpp index 49113316..a2561c8d 100644 --- a/server/reds.cpp +++ b/server/reds.cpp @@ -272,7 +272,11 @@ static void reds_link_free(RedLinkInfo *link) link->tiTicketing.bn = nullptr; if (link->tiTicketing.rsa) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY_free(link->tiTicketing.rsa); +#else RSA_free(link->tiTicketing.rsa); +#endif link->tiTicketing.rsa = nullptr; } @@ -1548,14 +1552,29 @@ static bool reds_send_link_ack(RedsState *reds, RedLinkInfo *link) msg.ack.caps_offset = GUINT32_TO_LE(sizeof(SpiceLinkReply)); if (!reds->config->sasl_enabled || !red_link_info_test_capability(link, SPICE_COMMON_CAP_AUTH_SASL)) { - if (!(link->tiTicketing.rsa = RSA_new())) { - spice_warning("RSA new failed"); + if (!(bio = BIO_new(BIO_s_mem()))) { + spice_warning("BIO new failed"); red_dump_openssl_errors(); return FALSE; } - if (!(bio = BIO_new(BIO_s_mem()))) { - spice_warning("BIO new failed"); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + link->tiTicketing.rsa = EVP_RSA_gen(SPICE_TICKET_KEY_PAIR_LENGTH); + if (!link->tiTicketing.rsa) { + spice_warning("Failed to generate %d bits RSA key", + SPICE_TICKET_KEY_PAIR_LENGTH); + red_dump_openssl_errors(); + goto end; + } + link->tiTicketing.rsa_size = SPICE_TICKET_KEY_PAIR_LENGTH / 8; + if (i2d_PUBKEY_bio(bio, link->tiTicketing.rsa) <= 0) { + spice_warning("Failed to get public key"); + red_dump_openssl_errors(); + goto end; + } +#else + if (!(link->tiTicketing.rsa = RSA_new())) { + spice_warning("RSA new failed"); red_dump_openssl_errors(); return FALSE; } @@ -1570,8 +1589,8 @@ static bool reds_send_link_ack(RedsState *reds, RedLinkInfo *link) goto end; } link->tiTicketing.rsa_size = RSA_size(link->tiTicketing.rsa); - i2d_RSA_PUBKEY_bio(bio, link->tiTicketing.rsa); +#endif BIO_get_mem_ptr(bio, &bmBuf); memcpy(msg.ack.pub_key, bmBuf->data, sizeof(msg.ack.pub_key)); } else { @@ -2022,19 +2041,51 @@ static void reds_handle_ticket(void *opaque) RedsState *reds = link->reds; char *password; int password_size; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY_CTX *ctx = nullptr; +#endif - if (RSA_size(link->tiTicketing.rsa) < SPICE_MAX_PASSWORD_LENGTH) { + if (link->tiTicketing.rsa_size < SPICE_MAX_PASSWORD_LENGTH) { spice_warning("RSA modulus size is smaller than SPICE_MAX_PASSWORD_LENGTH (%d < %d), " "SPICE ticket sent from client may be truncated", - RSA_size(link->tiTicketing.rsa), SPICE_MAX_PASSWORD_LENGTH); + link->tiTicketing.rsa_size, SPICE_MAX_PASSWORD_LENGTH); } - password = static_cast<char *>(alloca(RSA_size(link->tiTicketing.rsa) + 1)); + password = static_cast<char *>(alloca(link->tiTicketing.rsa_size + 1)); + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + size_t len = 0; + + ctx = EVP_PKEY_CTX_new_from_pkey(nullptr, link->tiTicketing.rsa, nullptr); + + if (EVP_PKEY_decrypt_init(ctx) <= 0) { + spice_warning("failed to initialize decrypt"); + red_dump_openssl_errors(); + goto error; + } + if (EVP_PKEY_CTX_set_rsa_padding(ctx, RSA_PKCS1_OAEP_PADDING) <= 0) { + spice_warning("failed to set OAEP padding"); + red_dump_openssl_errors(); + goto error; + } + + len = link->tiTicketing.rsa_size; + if (EVP_PKEY_decrypt(ctx, reinterpret_cast<unsigned char *>(password), &len, + link->tiTicketing.encrypted_ticket.encrypted_data, link->tiTicketing.rsa_size) <= 0) { + spice_warning("failed to decrypt RSA encrypted password"); + red_dump_openssl_errors(); + goto error; + } + EVP_PKEY_CTX_free(ctx); + + password_size = len; +#else password_size = RSA_private_decrypt(link->tiTicketing.rsa_size, link->tiTicketing.encrypted_ticket.encrypted_data, reinterpret_cast<unsigned char *>(password), link->tiTicketing.rsa, RSA_PKCS1_OAEP_PADDING); +#endif if (password_size == -1) { spice_warning("failed to decrypt RSA encrypted password"); red_dump_openssl_errors(); @@ -2070,6 +2121,11 @@ static void reds_handle_ticket(void *opaque) return; error: +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + if (ctx != nullptr) { + EVP_PKEY_CTX_free(ctx); + } +#endif reds_send_link_result(link, SPICE_LINK_ERR_PERMISSION_DENIED); reds_link_free(link); } @@ -2635,8 +2691,13 @@ static int reds_init_net(RedsState *reds) static int load_dh_params(SSL_CTX *ctx, char *file) { - DH *ret = nullptr; +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY *dh = nullptr; +#else + DH *dh = nullptr; +#endif BIO *bio; + int ret; if ((bio = BIO_new_file(file, "r")) == nullptr) { spice_warning("Could not open DH file"); @@ -2644,16 +2705,29 @@ static int load_dh_params(SSL_CTX *ctx, char *file) return -1; } - ret = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr); +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + dh = PEM_read_bio_Parameters(bio, &dh); +#else + dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr); +#endif + BIO_free(bio); - if (ret == nullptr) { + if (dh == nullptr) { spice_warning("Could not read DH params"); red_dump_openssl_errors(); return -1; } - - if (SSL_CTX_set_tmp_dh(ctx, ret) < 0) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + ret = SSL_CTX_set0_tmp_dh_pkey(ctx, dh); +#else + ret = SSL_CTX_set_tmp_dh(ctx, dh); + DH_free(dh); +#endif + if (ret < 0) { +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + EVP_PKEY_free(dh); +#endif spice_warning("Could not set DH params"); red_dump_openssl_errors(); return -1; |