/*
Bacula® - The Network Backup Solution
- Copyright (C) 2005-2007 Free Software Foundation Europe e.V.
+ Copyright (C) 2005-2011 Free Software Foundation Europe e.V.
The main author of Bacula is Kern Sibbald, with contributions from
many others, a complete list can be found in the file AUTHORS.
This program is Free Software; you can redistribute it and/or
- modify it under the terms of version two of the GNU General Public
- License as published by the Free Software Foundation plus additions
- that are listed in the file LICENSE.
+ modify it under the terms of version three of the GNU Affero General Public
+ License as published by the Free Software Foundation and included
+ in the file LICENSE.
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.
- You should have received a copy of the GNU General Public License
+ You should have received a copy of the GNU Affero General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
02110-1301, USA.
- Bacula® is a registered trademark of John Walker.
+ Bacula® is a registered trademark of Kern Sibbald.
The licensor of Bacula is the Free Software Foundation Europe
(FSFE), Fiduciary Program, Sumatrastrasse 25, 8006 Zürich,
Switzerland, email:ftf@fsfeurope.org.
*
* Author: Landon Fuller <landonf@opendarwin.org>
*
- * Version $Id$
- *
* This file was contributed to the Bacula project by Landon Fuller.
*
* Landon Fuller has been granted a perpetual, worldwide, non-exclusive,
#include "jcr.h"
#include <assert.h>
+/**
+ * For OpenSSL version 1.x, EVP_PKEY_encrypt no longer
+ * exists. It was not an official API.
+ */
+#ifdef HAVE_OPENSSLv1
+#define EVP_PKEY_encrypt EVP_PKEY_encrypt_old
+#define EVP_PKEY_decrypt EVP_PKEY_decrypt_old
+#endif
+
/*
* Bacula ASN.1 Syntax
*
*/
static ASN1_OCTET_STRING *openssl_cert_keyid(X509 *cert) {
X509_EXTENSION *ext;
- X509V3_EXT_METHOD *method;
+ const X509V3_EXT_METHOD *method;
ASN1_OCTET_STRING *keyid;
int i;
#if (OPENSSL_VERSION_NUMBER >= 0x0090800FL)
/* Extract the subjectKeyIdentifier extension field */
if ((keypair->keyid = openssl_cert_keyid(cert)) == NULL) {
- Jmsg0(get_jcr_from_tid(), M_ERROR, 0,
+ Jmsg0(NULL, M_ERROR, 0,
_("Provided certificate does not include the required subjectKeyIdentifier extension."));
goto err;
}
/* Validate the public key type (only RSA is supported) */
if (EVP_PKEY_type(keypair->pubkey->type) != EVP_PKEY_RSA) {
- Jmsg1(get_jcr_from_tid(), M_ERROR, 0,
+ Jmsg1(NULL, M_ERROR, 0,
_("Unsupported key type provided: %d\n"), EVP_PKEY_type(keypair->pubkey->type));
goto err;
}
digest = (DIGEST *)malloc(sizeof(DIGEST));
digest->type = type;
digest->jcr = jcr;
- Dmsg1(50, "crypto_digest_new jcr=%p\n", jcr);
+ Dmsg1(150, "crypto_digest_new jcr=%p\n", jcr);
/* Initialize the OpenSSL message digest context */
EVP_MD_CTX_init(&digest->ctx);
err:
/* This should not happen, but never say never ... */
- Dmsg0(50, "Digest init failed.\n");
+ Dmsg0(150, "Digest init failed.\n");
openssl_post_errors(jcr, M_ERROR, _("OpenSSL digest initialization failed"));
crypto_digest_free(digest);
return NULL;
bool crypto_digest_update(DIGEST *digest, const uint8_t *data, uint32_t length)
{
if (EVP_DigestUpdate(&digest->ctx, data, length) == 0) {
- Dmsg0(50, "digest update failed\n");
+ Dmsg0(150, "digest update failed\n");
openssl_post_errors(digest->jcr, M_ERROR, _("OpenSSL digest update failed"));
return false;
} else {
bool crypto_digest_finalize(DIGEST *digest, uint8_t *dest, uint32_t *length)
{
if (!EVP_DigestFinal(&digest->ctx, dest, (unsigned int *)length)) {
- Dmsg0(50, "digest finalize failed\n");
+ Dmsg0(150, "digest finalize failed\n");
openssl_post_errors(digest->jcr, M_ERROR, _("OpenSSL digest finalize failed"));
return false;
} else {
sig->sigData = SignatureData_new();
sig->jcr = jcr;
- Dmsg1(50, "crypto_sign_new jcr=%p\n", jcr);
+ Dmsg1(150, "crypto_sign_new jcr=%p\n", jcr);
if (!sig->sigData) {
/* Allocation failed in OpenSSL */
/*
* For a given public key, find the associated SignatureInfo record
- * and create a digest context for signature validation
+ * and create a digest context for signature validation
+ *
* Returns: CRYPTO_ERROR_NONE on success, with the newly allocated DIGEST in digest.
* A crypto_error_t value on failure.
*/
-crypto_error_t crypto_sign_get_digest(SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST **digest)
+crypto_error_t crypto_sign_get_digest(SIGNATURE *sig, X509_KEYPAIR *keypair,
+ crypto_digest_t &type, DIGEST **digest)
{
STACK_OF(SignerInfo) *signers;
SignerInfo *si;
si = sk_SignerInfo_value(signers, i);
if (M_ASN1_OCTET_STRING_cmp(keypair->keyid, si->subjectKeyIdentifier) == 0) {
/* Get the digest algorithm and allocate a digest context */
- Dmsg1(50, "crypto_sign_get_digest jcr=%p\n", sig->jcr);
+ Dmsg1(150, "crypto_sign_get_digest jcr=%p\n", sig->jcr);
switch (OBJ_obj2nid(si->digestAlgorithm)) {
case NID_md5:
+ Dmsg0(100, "sign digest algorithm is MD5\n");
+ type = CRYPTO_DIGEST_MD5;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_MD5);
break;
case NID_sha1:
+ Dmsg0(100, "sign digest algorithm is SHA1\n");
+ type = CRYPTO_DIGEST_SHA1;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA1);
break;
#ifdef HAVE_SHA2
case NID_sha256:
+ Dmsg0(100, "sign digest algorithm is SHA256\n");
+ type = CRYPTO_DIGEST_SHA256;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA256);
break;
case NID_sha512:
+ Dmsg0(100, "sign digest algorithm is SHA512\n");
+ type = CRYPTO_DIGEST_SHA512;
*digest = crypto_digest_new(sig->jcr, CRYPTO_DIGEST_SHA512);
break;
#endif
default:
+ type = CRYPTO_DIGEST_NONE;
*digest = NULL;
return CRYPTO_ERROR_INVALID_DIGEST;
}
ec = EVP_bf_cbc();
break;
default:
- Jmsg0(get_jcr_from_tid(), M_ERROR, 0, _("Unsupported cipher type specified\n"));
+ Jmsg0(NULL, M_ERROR, 0, _("Unsupported cipher type specified\n"));
crypto_session_free(cs);
return NULL;
}
* Acquire a cipher instance for the given ASN.1 cipher NID
*/
if ((ec = EVP_get_cipherbyobj(cs->cryptoData->contentEncryptionAlgorithm)) == NULL) {
- Jmsg1(get_jcr_from_tid(), M_ERROR, 0,
+ Jmsg1(NULL, M_ERROR, 0,
_("Unsupported contentEncryptionAlgorithm: %d\n"), OBJ_obj2nid(cs->cryptoData->contentEncryptionAlgorithm));
free(cipher_ctx);
return NULL;
if ((stat = openssl_init_threads()) != 0) {
berrno be;
- Jmsg1(get_jcr_from_tid(), M_ABORT, 0,
+ Jmsg1(NULL, M_ABORT, 0,
_("Unable to init OpenSSL threading: ERR=%s\n"), be.bstrerror(stat));
}
OpenSSL_add_all_algorithms();
if (!openssl_seed_prng()) {
- Jmsg0(get_jcr_from_tid(), M_ERROR_TERM, 0, _("Failed to seed OpenSSL PRNG\n"));
+ Jmsg0(NULL, M_ERROR_TERM, 0, _("Failed to seed OpenSSL PRNG\n"));
}
crypto_initialized = true;
}
if (!openssl_save_prng()) {
- Jmsg0(get_jcr_from_tid(), M_ERROR, 0, _("Failed to save OpenSSL PRNG\n"));
+ Jmsg0(NULL, M_ERROR, 0, _("Failed to save OpenSSL PRNG\n"));
}
openssl_cleanup_threads();
if ((ret = SHA1Update(&digest->sha1, (const u_int8_t *) data, length)) == shaSuccess) {
return true;
} else {
- Jmsg1(get_jcr_from_tid(), M_ERROR, 0, _("SHA1Update() returned an error: %d\n"), ret);
+ Jmsg1(NULL, M_ERROR, 0, _("SHA1Update() returned an error: %d\n"), ret);
return false;
}
break;
SIGNATURE *crypto_sign_new(JCR *jcr) { return NULL; }
-crypto_error_t crypto_sign_get_digest (SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST **digest) { return CRYPTO_ERROR_INTERNAL; }
+crypto_error_t crypto_sign_get_digest (SIGNATURE *sig, X509_KEYPAIR *keypair,
+ crypto_digest_t &type, DIGEST **digest)
+ { return CRYPTO_ERROR_INTERNAL; }
+
crypto_error_t crypto_sign_verify (SIGNATURE *sig, X509_KEYPAIR *keypair, DIGEST *digest) { return CRYPTO_ERROR_INTERNAL; }
int crypto_sign_add_signer (SIGNATURE *sig, DIGEST *digest, X509_KEYPAIR *keypair) { return false; }