159 lines
5.4 KiB
Diff
159 lines
5.4 KiB
Diff
--- tool/openssl-compat.c
|
|
+++ tool/openssl-compat.c
|
|
@@ -71,6 +71,10 @@
|
|
*iqmp = r->iqmp;
|
|
}
|
|
|
|
+#endif /* OPENSSL_VERSION_NUMBER */
|
|
+
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
+
|
|
void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
|
|
ASN1_OCTET_STRING **pdigest)
|
|
{
|
|
@@ -80,4 +84,4 @@
|
|
*pdigest = sig->digest;
|
|
}
|
|
|
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
+#endif /* OPENSSL_VERSION_NUMBER || defined(LIBRESSL_VERSION_NUMBER) */
|
|
|
|
--- tool/openssl-compat.h
|
|
+++ tool/openssl-compat.h
|
|
@@ -20,7 +20,6 @@
|
|
#include <openssl/ecdsa.h>
|
|
#include <openssl/dh.h>
|
|
#include <openssl/evp.h>
|
|
-#include <openssl/x509.h>
|
|
|
|
int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
|
|
void RSA_get0_key(const RSA *r,
|
|
@@ -29,9 +28,15 @@
|
|
void RSA_get0_crt_params(const RSA *r,
|
|
const BIGNUM **dmp1, const BIGNUM **dmq1,
|
|
const BIGNUM **iqmp);
|
|
+#endif /* OPENSSL_VERSION_NUMBER */
|
|
+
|
|
+#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
|
|
+
|
|
+#include <openssl/x509.h>
|
|
+
|
|
void X509_SIG_getm(X509_SIG *sig, X509_ALGOR **palg,
|
|
ASN1_OCTET_STRING **pdigest);
|
|
|
|
+#endif /* OPENSSL_VERSION_NUMBER || defined(LIBRESSL_VERSION_NUMBER) */
|
|
#endif /* _WINDOWS */
|
|
-#endif /* OPENSSL_VERSION_NUMBER */
|
|
#endif /* LIBCRYPTO_COMPAT_H */
|
|
|
|
--- tool/yubico-piv-tool.c
|
|
+++ tool/yubico-piv-tool.c
|
|
@@ -124,7 +124,7 @@
|
|
return false;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
+#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
|
static int ec_key_ex_data_idx = -1;
|
|
|
|
struct internal_key {
|
|
@@ -688,7 +688,7 @@
|
|
goto request_out;
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
memcpy(digest, oid, oid_len);
|
|
/* XXX: this should probably use X509_REQ_digest() but that's buggy */
|
|
if(!ASN1_item_digest(ASN1_ITEM_rptr(X509_REQ_INFO), md, req->req_info,
|
|
@@ -721,7 +721,7 @@
|
|
fprintf(stderr, "Failed signing request.\n");
|
|
goto request_out;
|
|
}
|
|
- M_ASN1_BIT_STRING_set(req->signature, signature, sig_len);
|
|
+ ASN1_BIT_STRING_set(req->signature, signature, sig_len);
|
|
/* mark that all bits should be used. */
|
|
req->signature->flags = ASN1_STRING_FLAG_BITS_LEFT;
|
|
}
|
|
@@ -751,7 +751,7 @@
|
|
EVP_PKEY_free(public_key);
|
|
}
|
|
if(req) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
if(req->sig_alg->parameter) {
|
|
req->sig_alg->parameter = NULL;
|
|
}
|
|
@@ -884,7 +884,7 @@
|
|
if(nid == 0) {
|
|
goto selfsign_out;
|
|
}
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
if(YKPIV_IS_RSA(algorithm)) {
|
|
signinput = digest;
|
|
len = oid_len + md_len;
|
|
@@ -912,7 +912,7 @@
|
|
fprintf(stderr, "Failed signing certificate.\n");
|
|
goto selfsign_out;
|
|
}
|
|
- M_ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
|
|
+ ASN1_BIT_STRING_set(x509->signature, signature, sig_len);
|
|
/* setting flags to ASN1_STRING_FLAG_BITS_LEFT here marks that no bits
|
|
* should be subtracted from the bit string, thus making sure that the
|
|
* certificate can be validated. */
|
|
@@ -941,7 +941,7 @@
|
|
fclose(output_file);
|
|
}
|
|
if(x509) {
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
if(x509->sig_alg->parameter) {
|
|
x509->sig_alg->parameter = NULL;
|
|
x509->cert_info->signature->parameter = NULL;
|
|
|
|
diff --git ykcs11/openssl_utils.c ykcs11/openssl_utils.c
|
|
index 68fb29a..5a7f85d 100644
|
|
--- ykcs11/openssl_utils.c
|
|
+++ ykcs11/openssl_utils.c
|
|
@@ -165,7 +165,7 @@ CK_RV do_create_empty_cert(CK_BYTE_PTR in, CK_ULONG in_len, CK_BBOOL is_rsa,
|
|
X509_set_notBefore(cert, tm);
|
|
X509_set_notAfter(cert, tm);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
// Manually set the signature algorithms.
|
|
// OpenSSL 1.0.1i complains about empty DER fields
|
|
// 8 => md5WithRsaEncryption
|
|
diff --git ykcs11/tests/ykcs11_tests.c ykcs11/tests/ykcs11_tests.c
|
|
index 9fb51da..257c938 100644
|
|
--- ykcs11/tests/ykcs11_tests.c
|
|
+++ ykcs11/tests/ykcs11_tests.c
|
|
@@ -274,7 +274,7 @@ static void test_login() {
|
|
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
+#if !((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
|
|
static int bogus_sign(int dtype, const unsigned char *m, unsigned int m_length,
|
|
unsigned char *sigret, unsigned int *siglen, const RSA *rsa) {
|
|
sigret = malloc(1);
|
|
@@ -385,7 +385,7 @@ static void test_import_and_sign_all_10() {
|
|
X509_set_notBefore(cert, tm);
|
|
X509_set_notAfter(cert, tm);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
cert->sig_alg->algorithm = OBJ_nid2obj(8);
|
|
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
|
|
|
|
@@ -583,7 +583,7 @@ static void test_import_and_sign_all_10_RSA() {
|
|
X509_set_notBefore(cert, tm);
|
|
X509_set_notAfter(cert, tm);
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
|
|
/* putting bogus data to signature to make some checks happy */
|
|
cert->sig_alg->algorithm = OBJ_nid2obj(8);
|
|
cert->cert_info->signature->algorithm = OBJ_nid2obj(8);
|