Update: support OpenSSL 1.1.x (#26)

In collaboration with @zandbelt
cisco · Aug 2, 2016 · 9bc8a80 · 9bc8a80
1 parent ee7ec81
commit 9bc8a80
Show file tree

Hide file tree

Showing 11 changed files with 448 additions and 104 deletions.
diff --git a/include/cjose/util.h b/include/cjose/util.h
@@ -16,32 +16,57 @@
 
 #include <stddef.h>
 #include <stdint.h>
+#include <stdbool.h>
+
+#include <openssl/rsa.h>
 
 #ifdef __cplusplus
 extern "C"
 {
 #endif
 
+#define CJOSE_OPENSSL_11X  OPENSSL_VERSION_NUMBER >= 0x10100005L
 
 /**
- * Typedef for memory allocator function.
+ * Macro to explicitly mark a parameter unused, and usable across multiple
+ * compiler/platform environments.
+ */
+#define CJOSE_UNUSED_PARAM(x) (void)(x)
+
+/**
+ * Typedef for the basic memory allocator function.
  */
 typedef void *(* cjose_alloc_fn_t)(size_t);
+/**
+ * Typedef for the enhanced memory allocator function.
+ */
+typedef void *(* cjose_alloc3_fn_t)(size_t, const char *, int);
 
 /**
- * Typedef for memory reallocator function.
+ * Typedef for the basic memory reallocator function.
  */
 typedef void *(* cjose_realloc_fn_t)(void *, size_t);
+/**
+ * Typedef for the enhanced memory reallocator function.
+ */
+typedef void *(* cjose_realloc3_fn_t)(void *, size_t, const char *, int);
 
 /**
- * Typedef for memory deallocator function.
+ * Typedef for the basic memory deallocator function.
  */
 typedef void (* cjose_dealloc_fn_t)(void *);
+/**
+ * Typedef for the enhanced memory deallocator function.
+ */
+typedef void (* cjose_dealloc3_fn_t)(void *, const char *, int);
 
 /**
  * Sets the allocator and deallocator functions.
  *
- * If <tt>alloc</tt> is NULL, any previously set allocator function is clared
+ * **NOTE:** This function is mutually exclusive from
+ * <tt>cjose_set_alloc_ex_funcs()</tt>. Both SHOULD NOT be called.
+ *
+ * If <tt>alloc</tt> is NULL, any previously set allocator function is cleared
  * and the the default allocator <tt>malloc()</tt>
  * is used.
  *
@@ -57,6 +82,31 @@ void cjose_set_alloc_funcs(cjose_alloc_fn_t alloc,
                            cjose_dealloc_fn_t dealloc);
 
 
+/**
+ * Sets the enhanced allocator and deallocator functions. This function provides
+ * improved support for OpenSSL >= 1.1.x.
+ *
+ * **NOTE:** This function is mutually exclusive from
+ * <tt>cjose_set_alloc_funcs()</tt>. Both SHOULD NOT be called.
+ *
+ * If <tt>alloc3</tt> is NULL, any previously set allocator function is cleared
+ * and the the default allocator <tt>malloc()</tt>
+ * is used.
+ *
+ * If <tt>dealloc3</tt> is NULL, the default dallocator <tt>free()</tt>
+ * is used.
+ *
+ * \param alloc3 [in] The custom allocator function to use for
+ *        OpenSSL >= 1.1.0, called with extra file/line params.
+ * \param realloc3 [in] The custom reallocator function to use for
+ *        OpenSSL >= 1.1.0, called with extra file/line params.
+ * \param dealloc3 [in] The custom deallocator function to use for
+ *        OpenSSL >= 1.1.0, called with extra file/line params.
+ */
+void cjose_set_alloc_ex_funcs(cjose_alloc3_fn_t alloc3,
+                              cjose_realloc3_fn_t realloc3,
+                              cjose_dealloc3_fn_t dealloc3);
+
 /**
  * Retrieves the configured allocator function.  If an allocator function is
  * not set, this function returns a pointer to <tt>malloc()</tt>.
@@ -65,6 +115,16 @@ void cjose_set_alloc_funcs(cjose_alloc_fn_t alloc,
  */
 cjose_alloc_fn_t cjose_get_alloc();
 
+/**
+ * Retrieves the configured enhanced allocator function.  If an enhanced
+ * allocator function is not set, this function returns a pointer to an
+ * internally defined variant that wraps the basic allocator returned by
+ * <tt>cjose_get_alloc()</tt>.
+ *
+ * \returns The configured enhanced allocator function
+ */
+cjose_alloc3_fn_t cjose_get_alloc3();
+
 /**
  * Retrieve the configured reallocator function. If a reallocator function is
  * not set, this function retursn a pointer to <tt>realloc</tt>.
@@ -73,6 +133,16 @@ cjose_alloc_fn_t cjose_get_alloc();
  */
 cjose_realloc_fn_t cjose_get_realloc();
 
+/**
+ * Retrieves the configured enhanced reallocator function.  If an enhanced
+ * reallocator function is not set, this function returns a pointer to an
+ * internally defined variant that wraps the basic allocator returned by
+ * <tt>cjose_get_realloc()</tt>.
+ *
+ * \returns The configured enhanced allocator function
+ */
+cjose_realloc3_fn_t cjose_get_realloc3();
+
 /**
  * Retrieves the configured deallocator function.  If a deallocator function is
  * not set, this function returns a pointer to <tt>free()</tt>.
@@ -81,9 +151,22 @@ cjose_realloc_fn_t cjose_get_realloc();
  */
 cjose_dealloc_fn_t cjose_get_dealloc();
 
+/**
+ * Retrieves the configured enhanced deallocator function.  If an enhanced
+ * deallocator function is not set, this function returns a pointer to an
+ * internally defined variant that wraps the basic allocator returned by
+ * <tt>cjose_get_dealloc()</tt>.
+ *
+ * \returns The configured enhanced allocator function
+ */
+cjose_dealloc3_fn_t cjose_get_dealloc3();
+
 /**
  * Compares the first n bytes of the memory areas s1 and s2 in constant time.
  *
+ * \param a [in] The first octet string to compare
+ * \param b [in] The second octet string to compare
+ * \param size [in] The length to compare
  * \returns an  integer  less  than,  equal  to,  or
  *        greater than zero if the first n bytes of s1 is found, respectively, to
  *        be less than, to match, or be greater than the first n bytes of s2

diff --git a/src/include/jwk_int.h b/src/include/jwk_int.h
@@ -69,4 +69,6 @@ bool cjose_jwk_hkdf(
         unsigned int okm_len,
         cjose_err *err);
 
+void _cjose_jwk_rsa_get(RSA *rsa, BIGNUM **n, BIGNUM **e, BIGNUM **d);
+
 #endif // SRC_JWK_INT_H
diff --git a/src/include/util_int.h b/src/include/util_int.h
@@ -16,4 +16,12 @@
 char *_cjose_strndup(const char *str, ssize_t len, cjose_err *err);
 json_t *_cjose_json_stringn(const char *value, size_t len, cjose_err *err);
 
+void *cjose_alloc3_default(size_t n, const char *file, int line);
+void *cjose_realloc3_default(void *p, size_t n, const char *file, int line);
+void cjose_dealloc3_default(void *p, const char *file, int line);
+
+void *cjose_alloc_wrapped(size_t n);
+void *cjose_realloc_wrapped(void *p, size_t n);
+void cjose_dealloc_wrapped(void *p);
+
 #endif // SRC_UTIL_INT_H
diff --git a/src/jwe.c b/src/jwe.c
@@ -458,11 +458,17 @@ static bool _cjose_jwe_encrypt_ek_rsa_padding(
         int padding,
         cjose_err *err)
 {
-    // jwk must be RSA and have the necessary public parts set
-    if (jwk->kty != CJOSE_JWK_KTY_RSA ||
-        NULL == jwk->keydata ||
-        NULL == ((RSA *)jwk->keydata)->e || 
-        NULL == ((RSA *)jwk->keydata)->n)
+    // jwk must be RSA
+    if (jwk->kty != CJOSE_JWK_KTY_RSA || NULL == jwk->keydata)
+    {
+        CJOSE_ERROR(err, CJOSE_ERR_INVALID_ARG);
+        return false;
+    }
+
+    // jwk must have the necessary public parts set
+    BIGNUM *rsa_n = NULL, *rsa_e = NULL, *rsa_d = NULL;
+    _cjose_jwk_rsa_get((RSA *)jwk->keydata, &rsa_n, &rsa_e, &rsa_d);
+    if (NULL == rsa_e || NULL == rsa_n)
     {
         CJOSE_ERROR(err, CJOSE_ERR_INVALID_ARG);
         return false;
@@ -642,6 +648,14 @@ static bool _cjose_jwe_set_iv_aes_cbc(
 }
 
 
+#if (CJOSE_OPENSSL_11X)
+    #define CJOSE_EVP_CTRL_GCM_GET_TAG EVP_CTRL_AEAD_GET_TAG
+    #define CJOSE_EVP_CTRL_GCM_SET_TAG EVP_CTRL_AEAD_SET_TAG
+#else
+    #define CJOSE_EVP_CTRL_GCM_GET_TAG EVP_CTRL_GCM_GET_TAG
+    #define CJOSE_EVP_CTRL_GCM_SET_TAG EVP_CTRL_GCM_SET_TAG
+#endif
+
 ////////////////////////////////////////////////////////////////////////////////
 static bool _cjose_jwe_encrypt_dat_a256gcm(
         cjose_jwe_t *jwe, 
@@ -735,8 +749,7 @@ static bool _cjose_jwe_encrypt_dat_a256gcm(
     }
 
     // get the GCM-mode authentication tag
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 
-            jwe->part[4].raw_len, jwe->part[4].raw) != 1)
+    if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_GET_TAG, jwe->part[4].raw_len, jwe->part[4].raw) != 1)
     {
         CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
         goto _cjose_jwe_encrypt_dat_fail;
@@ -890,7 +903,7 @@ static bool _cjose_jwe_encrypt_dat_aes_cbc(
 
     // allocate buffer for the ciphertext (plaintext + block size)
     cjose_get_dealloc()(jwe->part[3].raw);
-    jwe->part[3].raw_len = plaintext_len + cipher->block_size;
+    jwe->part[3].raw_len = plaintext_len + EVP_CIPHER_block_size(cipher);
     if (!_cjose_jwe_malloc(jwe->part[3].raw_len, false, &jwe->part[3].raw, err))
     {
         goto _cjose_jwe_encrypt_dat_aes_cbc_fail;
@@ -976,8 +989,7 @@ static bool _cjose_jwe_decrypt_dat_a256gcm(
     }
 
     // set the expected GCM-mode authentication tag
-    if (EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 
-            jwe->part[4].raw_len, jwe->part[4].raw) != 1)
+    if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->part[4].raw_len, jwe->part[4].raw) != 1)
     {
         CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
         goto _cjose_jwe_decrypt_dat_a256gcm_fail;