/*
Bacula® - The Network Backup Solution
- Copyright (C) 2005-2007 Free Software Foundation Europe e.V.
+ Copyright (C) 2005-2010 Free Software Foundation Europe e.V.
The main author of Bacula is Kern Sibbald, with contributions from
many others, a complete list can be found in the file AUTHORS.
This program is Free Software; you can redistribute it and/or
- modify it under the terms of version two of the GNU General Public
+ modify it under the terms of version three of the GNU Affero General Public
License as published by the Free Software Foundation and included
in the file LICENSE.
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
- You should have received a copy of the GNU General Public License
+ You should have received a copy of the GNU Affero General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
- Bacula® is a registered trademark of John Walker.
+ Bacula® is a registered trademark of Kern Sibbald.
The licensor of Bacula is the Free Software Foundation Europe
(FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
Switzerland, email:ftf@fsfeurope.org.
*
* Author: Landon Fuller <landonf@opendarwin.org>
*
- * Version $Id$
- *
* This file was contributed to the Bacula project by Landon Fuller.
*
* Landon Fuller has been granted a perpetual, worldwide, non-exclusive,
#include "jcr.h"
#include <assert.h>
+/**
+ * For OpenSSL version 1.x, EVP_PKEY_encrypt no longer
+ * exists. It was not an official API.
+ */
+#ifdef HAVE_OPENSSLv1
+#define EVP_PKEY_encrypt EVP_PKEY_encrypt_old
+#define EVP_PKEY_decrypt EVP_PKEY_decrypt_old
+#endif
+
/*
* Bacula ASN.1 Syntax
*
*/
static ASN1_OCTET_STRING *openssl_cert_keyid(X509 *cert) {
X509_EXTENSION *ext;
- X509V3_EXT_METHOD *method;
+ const X509V3_EXT_METHOD *method;
ASN1_OCTET_STRING *keyid;
int i;
#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL)
/* Extract the subjectKeyIdentifier extension field */
if ((keypair->keyid = openssl_cert_keyid(cert)) == NULL) {
- Jmsg0(get_jcr_from_tid(), M_ERROR, 0,
+ Jmsg0(NULL, M_ERROR, 0,
_("Provided certificate does not include the required subjectKeyIdentifier extension."));
goto err;
}
/* Validate the public key type (only RSA is supported) */
if (EVP_PKEY_type(keypair->pubkey->type) != EVP_PKEY_RSA) {
- Jmsg1(get_jcr_from_tid(), M_ERROR, 0,
+ Jmsg1(NULL, M_ERROR, 0,
_("Unsupported key type provided: %d\n"), EVP_PKEY_type(keypair->pubkey->type));
goto err;
}
digest = (DIGEST *)malloc(sizeof(DIGEST));
digest->type = type;
digest->jcr = jcr;
- Dmsg1(50, "crypto_digest_new jcr=%p\n", jcr);
+ Dmsg1(150, "crypto_digest_new jcr=%p\n", jcr);
/* Initialize the OpenSSL message digest context */
EVP_MD_CTX_init(&digest->ctx);
err:
/* This should not happen, but never say never ... */
- Dmsg0(50, "Digest init failed.\n");
+ Dmsg0(150, "Digest init failed.\n");
openssl_post_errors(jcr, M_ERROR, _("OpenSSL digest initialization failed"));
crypto_digest_free(digest);
return NULL;
bool crypto_digest_update(DIGEST *digest, const uint8_t *data, uint32_t length)
{
if (EVP_DigestUpdate(&digest->ctx, data, length) == 0) {
- Dmsg0(50, "digest update failed\n");
+ Dmsg0(150, "digest update failed\n");
openssl_post_errors(digest->jcr, M_ERROR, _("OpenSSL digest update failed"));
return false;
} else {
bool crypto_digest_finalize(DIGEST *digest, uint8_t *dest, uint32_t *length)
{
if (!EVP_DigestFinal(&digest->ctx, dest, (unsigned int *)length)) {
- Dmsg0(50, "digest finalize failed\n");
+ Dmsg0(150, "digest finalize failed\n");
openssl_post_errors(digest->jcr, M_ERROR, _("OpenSSL digest finalize failed"));
return false;
} else {
sig->sigData = SignatureData_new();
sig->jcr = jcr;
- Dmsg1(50, "crypto_sign_new jcr=%p\n", jcr);
+ Dmsg1(150, "crypto_sign_new jcr=%p\n", jcr);
if (!sig->sigData) {
/* Allocation failed in OpenSSL */
/*
* For a given public key, find the associated SignatureInfo record
- * and create a digest context for signature validation
+ * and create a digest context for signature validation
+ *
* Returns: CRYPTO_ERROR_NONE on success, with the newly allocated DIGEST in digest.
* A crypto_error_t value on failure.
*/
-crypto_error_t crypto_sign_get_digest(SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST **digest)
+crypto_error_t crypto_sign_get_digest(SIGNATURE *sig, X509_KEYPAIR *keypair,
+ crypto_digest_t &type, DIGEST **digest)
{
STACK_OF(SignerInfo) *signers;
SignerInfo *si;
si = sk_SignerInfo_value(signers, i);
if (M_ASN1_OCTET_STRING_cmp(keypair->keyid, si->subjectKeyIdentifier) == 0) {
/* Get the digest algorithm and allocate a digest context */
- Dmsg1(50, "crypto_sign_get_digest jcr=%p\n", sig->jcr);
+ Dmsg1(150, "crypto_sign_get_digest jcr=%p\n", sig->jcr);
switch (OBJ_obj2nid(si->digestAlgorithm)) {
case NID_md5:
+ Dmsg0(100, "sign digest algorithm is MD5\n");
+ type = CRYPTO_DIGEST_MD5;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_MD5);
break;
case NID_sha1:
+ Dmsg0(100, "sign digest algorithm is SHA1\n");
+ type = CRYPTO_DIGEST_SHA1;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA1);
break;
#ifdef HAVE_SHA2
case NID_sha256:
+ Dmsg0(100, "sign digest algorithm is SHA256\n");
+ type = CRYPTO_DIGEST_SHA256;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA256);
break;
case NID_sha512:
+ Dmsg0(100, "sign digest algorithm is SHA512\n");
+ type = CRYPTO_DIGEST_SHA512;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA512);
break;
#endif
default:
+ type = CRYPTO_DIGEST_NONE;
*digest = NULL;
return CRYPTO_ERROR_INVALID_DIGEST;
}
ec = EVP_bf_cbc();
break;
default:
- Jmsg0(get_jcr_from_tid(), M_ERROR, 0, _("Unsupported cipher type specified\n"));
+ Jmsg0(NULL, M_ERROR, 0, _("Unsupported cipher type specified\n"));
crypto_session_free(cs);
return NULL;
}
* Acquire a cipher instance for the given ASN.1 cipher NID
*/
if ((ec = EVP_get_cipherbyobj(cs->cryptoData->contentEncryptionAlgorithm)) == NULL) {
- Jmsg1(get_jcr_from_tid(), M_ERROR, 0,
+ Jmsg1(NULL, M_ERROR, 0,
_("Unsupported contentEncryptionAlgorithm: %d\n"), OBJ_obj2nid(cs->cryptoData->contentEncryptionAlgorithm));
free(cipher_ctx);
return NULL;
if ((stat = openssl_init_threads()) != 0) {
berrno be;
- Jmsg1(get_jcr_from_tid(), M_ABORT, 0,
+ Jmsg1(NULL, M_ABORT, 0,
_("Unable to init OpenSSL threading: ERR=%s\n"), be.bstrerror(stat));
}
OpenSSL_add_all_algorithms();
if (!openssl_seed_prng()) {
- Jmsg0(get_jcr_from_tid(), M_ERROR_TERM, 0, _("Failed to seed OpenSSL PRNG\n"));
+ Jmsg0(NULL, M_ERROR_TERM, 0, _("Failed to seed OpenSSL PRNG\n"));
}
crypto_initialized = true;
}
if (!openssl_save_prng()) {
- Jmsg0(get_jcr_from_tid(), M_ERROR, 0, _("Failed to save OpenSSL PRNG\n"));
+ Jmsg0(NULL, M_ERROR, 0, _("Failed to save OpenSSL PRNG\n"));
}
openssl_cleanup_threads();
if ((ret = SHA1Update(&digest->sha1, (const u_int8_t *) data, length)) == shaSuccess) {
return true;
} else {
- Jmsg1(get_jcr_from_tid(), M_ERROR, 0, _("SHA1Update() returned an error: %d\n"), ret);
+ Jmsg1(NULL, M_ERROR, 0, _("SHA1Update() returned an error: %d\n"), ret);
return false;
}
break;
SIGNATURE *crypto_sign_new(JCR *jcr) { return NULL; }
-crypto_error_t crypto_sign_get_digest (SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST **digest) { return CRYPTO_ERROR_INTERNAL; }
+crypto_error_t crypto_sign_get_digest (SIGNATURE *sig, X509_KEYPAIR *keypair,
+ crypto_digest_t &type, DIGEST **digest)
+ { return CRYPTO_ERROR_INTERNAL; }
+
crypto_error_t crypto_sign_verify (SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST *digest) { return CRYPTO_ERROR_INTERNAL; }
int crypto_sign_add_signer (SIGNATURE *sig, DIGEST *digest, X509_KEYPAIR *keypair) { return false; }
projects / bacula / bacula / blobdiff