diff --git a/tool/util.c b/tool/util.c
index de6b071..5b299ca 100644
--- a/tool/util.c
+++ b/tool/util.c
@@ -38,6 +38,7 @@
 #endif
 #include "openssl-compat.h"
+#include
 #include
 #include
 #include
diff --git a/tool/yubico-piv-tool.c b/tool/yubico-piv-tool.c
index 89daa79..9d6c7e1 100644
--- a/tool/yubico-piv-tool.c
+++ b/tool/yubico-piv-tool.c
@@ -43,10 +43,12 @@
 #endif
 #include "openssl-compat.h"
+#include
 #include
 #include
 #include
 #include
+#include
 #include "cmdline.h"
 #include "util.h"
@@ -859,11 +861,19 @@ static bool selfsign_certificate(ykpiv_state *state, enum enum_key_format key_fo
 fprintf(stderr, "Failed to set certificate serial.\n");
 goto selfsign_out;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if(!X509_gmtime_adj(X509_get_notBefore(x509), 0)) {
+#else
+if(!X509_gmtime_adj(X509_getm_notBefore(x509), 0)) {
+#endif
 fprintf(stderr, "Failed to set certificate notBefore.\n");
 goto selfsign_out;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 if(!X509_gmtime_adj(X509_get_notAfter(x509), 60L * 60L * 24L * validDays)) {
+#else
+if(!X509_gmtime_adj(X509_getm_notAfter(x509), 60L * 60L * 24L * validDays)) {
+#endif
 fprintf(stderr, "Failed to set certificate notAfter.\n");
 goto selfsign_out;
 }
@@ -1232,7 +1242,7 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
 if(*ptr++ == 0x70) {
 unsigned int md_len = sizeof(data);
- ASN1_TIME *not_before, *not_after;
+ const ASN1_TIME *not_before, *not_after;
 ptr += get_length(ptr, &cert_len);
 x509 = X509_new();
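Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000L` switches added around the two `X509_gmtime_adj` calls in selfsign_certificate pick the 1.1.0 accessor by version number alone, and LibreSSL reports `OPENSSL_VERSION_NUMBER` as 0x20000000L while its releases before it adopted the 1.1 accessor API did not provide `X509_getm_notBefore`/`X509_getm_notAfter`, so such a build takes the `#else` branch and fails to compile. If LibreSSL is a supported target, the conditions should read `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. Separately, duplicating the entire `if(...)` line in both branches is fragile — a later edit to the validity arithmetic in one branch is easily missed in the other — and a single alias in the already-included openssl-compat.h (`#define X509_getm_notBefore X509_get_notBefore` and the notAfter twin for the old-API case) would keep one call site per check. selfsign_certificate starts and ends outside the hunk.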
@@ -1290,13 +1300,21 @@ static void print_cert_info(ykpiv_state *state, enum enum_slot slot, const EVP_M
 dump_data(data, md_len, output, false, format_arg_hex);
 bio = BIO_new_fp(output, BIO_NOCLOSE | BIO_FP_TEXT);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 not_before = X509_get_notBefore(x509);
+#else
+not_before = X509_get0_notBefore(x509);
+#endif
 if(not_before) {
 fprintf(output, "\tNot Before:\t");
 ASN1_TIME_print(bio, not_before);
 fprintf(output, "\n");
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 not_after = X509_get_notAfter(x509);
+#else
+not_after = X509_get0_notAfter(x509);
+#endif
 if(not_after) {
 fprintf(output, "\tNot After:\t");
 ASN1_TIME_print(bio, not_after);
@@ -1941,7 +1959,9 @@ int main(int argc, char *argv[]) {
 /* openssl setup.. */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 OpenSSL_add_all_algorithms();
+#endif
 for(i = 0; i < args_info.action_given; i++) {
@@ -2182,6 +2202,8 @@ int main(int argc, char *argv[]) {
 }
 ykpiv_done(state);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 EVP_cleanup();
+#endif
 return ret;
 }
diff --git a/ykcs11/openssl_types.h b/ykcs11/openssl_types.h
index 307f746..08170fc 100644
--- a/ykcs11/openssl_types.h
+++ b/ykcs11/openssl_types.h
@@ -31,6 +31,7 @@
 #ifndef OPENSSL_TYPES_H
 #define OPENSSL_TYPES_H
+#include
 #include
 #include
 #include
diff --git a/ykcs11/openssl_utils.c b/ykcs11/openssl_utils.c
index 68fb29a..172cd79 100644
--- a/ykcs11/openssl_utils.c
+++ b/ykcs11/openssl_utils.c
@@ -35,6 +35,11 @@
 #include "debug.h"
 #include
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define X509_set_notBefore X509_set1_notBefore
+# define X509_set_notAfter X509_set1_notAfter
+#endif
 CK_RV do_store_cert(CK_BYTE_PTR data, CK_ULONG len, X509 **cert) {
 const unsigned char *p = data; // Mandatory temp variable required by OpenSSL
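Review bot: The `X509_set_notBefore`/`X509_set_notAfter` aliases defined at the top of ykcs11/openssl_utils.c belong in the shared compatibility header rather than in one translation unit, since the tool side of this same commit solves the same 1.1.0 renames with inline `#if`/`#else` blocks and the two halves of the repository now diverge in how they handle it. Note also that OpenSSL 1.1.0's own x509.h already provides these exact aliases unless the build sets `OPENSSL_API_COMPAT` (or `OPENSSL_NO_DEPRECATED`) to hide them — the redefinition is token-identical so the compiler should accept it silently, but a one-line comment such as `/* 1.1.0 removed X509_set_notBefore when OPENSSL_API_COMPAT >= 0x10100000L; alias to the set1_ form */` would explain why the define is conditional on the newer version rather than the older one, which reads backwards at first glance. The same `< 0x10100000L`-only condition used throughout this diff will also send LibreSSL (`OPENSSL_VERSION_NUMBER` 0x20000000L) down the new-API path; if that is a supported target, add `|| defined(LIBRESSL_VERSION_NUMBER)` where its older releases lack the 1.1 names.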
@@ -580,7 +585,9 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
 int nid, CK_BYTE_PTR out, CK_ULONG_PTR out_len) {
 unsigned char em[RSA_size(key)];
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 OpenSSL_add_all_digests();
+#endif
 DBG("Apply PSS padding to %lu bytes and get %d", in_len, RSA_size(key));
@@ -590,14 +597,18 @@ CK_RV do_pkcs_pss(ykcs11_rsa_key_t *key, CK_BYTE_PTR in, CK_ULONG in_len,
 // In case of raw PSS (no hash) this function will fail because OpenSSL requires an MD
 if (RSA_padding_add_PKCS1_PSS(key, em, out, EVP_get_digestbynid(nid), -2) == 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 EVP_cleanup();
+#endif
 return CKR_FUNCTION_FAILED;
 }
 memcpy(out, em, sizeof(em));
 *out_len = (CK_ULONG) sizeof(em);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 EVP_cleanup();
+#endif
 return CKR_OK;
 }
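Review bot: On the pre-1.1.0 branch this hunk preserves, do_pkcs_pss still calls `EVP_cleanup()` on both return paths, and ykcs11 is a PKCS#11 module loaded into a host process — `EVP_cleanup()` tears down the process-wide digest and cipher tables, so after the first PSS signature any other OpenSSL user in the same process (the host application, another engine or module) can find `EVP_get_digestbyname`/`EVP_get_digestbynid` returning NULL. A library should never call `EVP_cleanup()`; the guard merely hides the problem on 1.1.0 (where it is a no-op) instead of fixing it, so the better change is to delete both `EVP_cleanup()` calls with their guards and keep only the guarded `OpenSSL_add_all_digests()` from the first hunk, which is redundant but harmless if the host already initialised OpenSSL. Independently of the version switch, `memcpy(out, em, sizeof(em))` writes `RSA_size(key)` bytes into `out` without comparing against the caller-supplied `*out_len` first; if callers pass the buffer size in on entry (the usual PKCS#11 in/out convention) that check is missing here and should be verified at the call sites. The function's signature begins on the line before the first hunk, outside the diff.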