Add support for OpenSSL 1.1 and replace deprecated function calls (WIP)

See #16 for details. Thanks to Chris West @FauxFaux for the initial patch!
boxbackup · Jun 6, 2017 · b003e00 · b003e00
1 parent edd3687
commit b003e00
Show file tree

Hide file tree

Showing 6 changed files with 46 additions and 34 deletions.
diff --git a/appveyor.yml b/appveyor.yml
@@ -19,8 +19,6 @@ configuration:
 environment:
   VisualStudioVersion: 10.0
   Generator: Visual Studio 10
-  OPENSSL_VERSION: 1.1.0f
-  PCRE_VERSION: 8.38
   CMAKE_UNIBUILD_DIR: '%APPVEYOR_BUILD_FOLDER%\..\cmake'
 
 init:

diff --git a/infrastructure/cmake/windows/CMakeLists.txt b/infrastructure/cmake/windows/CMakeLists.txt
@@ -15,9 +15,9 @@ set(ZLIB_VERSION    1.2.11)
 set(ZLIB_HASH SHA256=c3e5e9fdd5004dcb542feda5ee4f0ff0744628baf8ed2dd5d66f8ca1197cb1a1)
 
 # Version of OpenSSL to download, build, and compile Box Backup against:
-set(OPENSSL_VERSION 1.0.2j)
+set(OPENSSL_VERSION 1.1.0f)
 # Hash of openssl-${OPENSSL_VERSION}.tar.gz, to be verified after download:
-set(OPENSSL_HASH SHA256=e7aff292be21c259c6af26469c7a9b3ba26e9abaaffd325e3dccc9785256c431)
+set(OPENSSL_HASH SHA256=12f746f3f2493b2f39da7ecf63d7ee19c6ac9ec6a4fcd8c229da8a522cb12765)
 
 # Version of PCRE to download, build, and compile Box Backup against:
 set(PCRE_VERSION    8.39)

diff --git a/lib/crypto/CipherBlowfish.cpp b/lib/crypto/CipherBlowfish.cpp
@@ -206,7 +206,7 @@ void CipherBlowfish::SetupParameters(EVP_CIPHER_CTX *pCipherContext) const
 	}
 	// Set key
 #ifndef HAVE_OLD_SSL
-	if(EVP_CipherInit_ex(pCipherContext, NULL, NULL, (unsigned char*)mpKey, (unsigned char*)mpInitialisationVector, -1) != 1)
+	if(EVP_CipherInit_ex(pCipherContext, GetCipher(), NULL, (unsigned char*)mpKey, (unsigned char*)mpInitialisationVector, -1) != 1)
 #else
 	if(EVP_CipherInit(pCipherContext, NULL, (unsigned char*)mKey.c_str(), (unsigned char*)mInitialisationVector, -1) != 1)
 #endif

diff --git a/lib/crypto/CipherContext.cpp b/lib/crypto/CipherContext.cpp
@@ -2,7 +2,7 @@
 //
 // File
 //		Name:    CipherContext.cpp
-//		Purpose: Context for symmetric encryption / descryption
+//		Purpose: Context for symmetric encryption / decryption
 //		Created: 1/12/03
 //
 // --------------------------------------------------------------------------
@@ -116,34 +116,36 @@ void CipherContext::Init(CipherContext::CipherFunction Function, const CipherDes
 #else
 	BOX_OPENSSL_INIT_CTX(ctx);
 
-	if(EVP_CipherInit_ex(BOX_OPENSSL_CTX(ctx), rDescription.GetCipher(), NULL, NULL, NULL,
+	if(EVP_CipherInit_ex(BOX_OPENSSL_CTX(ctx), rDescription.GetCipher(), NULL, NULL,
+		(const unsigned char *)(mIV.size() > 0 ? mIV.c_str() : NULL),
 		(mFunction == Encrypt) ? 1 : 0) != 1)
 #endif
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPInitFailure,
 			"Failed to initialise " << rDescription.GetFullName()
-			<< "cipher: " << LogError("initialising cipher"));
+			<< ": " << LogError("initialising cipher"));
 	}
+	UsePadding(mPaddingOn);
 
 	try
 	{
 		mCipherName = rDescription.GetFullName();
 #ifndef HAVE_OLD_SSL
 		// Let the description set up everything else
-		rDescription.SetupParameters(BOX_OPENSSL_CTX(ctx));
+		mpDescription = &rDescription;
 #else
 		// With the old version, a copy needs to be taken first.
 		mpDescription = rDescription.Clone();
 		// Mark it as not a leak, otherwise static cipher contexts
 		// cause spurious memory leaks to be reported
 		MEMLEAKFINDER_NOT_A_LEAK(mpDescription);
-		mpDescription->SetupParameters(&ctx);
 #endif
+		mpDescription->SetupParameters(BOX_OPENSSL_CTX(ctx));
 	}
 	catch(...)
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPInitFailure,
-			"Failed to configure " << mCipherName << " cipher: " <<
+			"Failed to configure " << mCipherName << ": " <<
 			LogError("configuring cipher"));
 		BOX_OPENSSL_CLEANUP_CTX(ctx);
 		throw;
@@ -177,6 +179,7 @@ void CipherContext::Reset()
 	}
 #endif
 	mWithinTransform = false;
+	mIV.clear();
 }
 
 
@@ -203,13 +206,16 @@ void CipherContext::Begin()
 	}
 
 	// Initialise the cipher context again
-	if(EVP_CipherInit(BOX_OPENSSL_CTX(ctx), NULL, NULL, NULL, -1) != 1)
+	if(EVP_CipherInit_ex(BOX_OPENSSL_CTX(ctx), mpDescription->GetCipher(), NULL, NULL,
+		(const unsigned char *)(mIV.size() > 0 ? mIV.c_str() : NULL),
+		-1) != 1)
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPInitFailure,
-			"Failed to reset " << mCipherName << " cipher: " <<
-			LogError("resetting cipher"));
+			"Failed to reset " << mCipherName << ": " << LogError("resetting cipher"));
 	}
-
+	mpDescription->SetupParameters(BOX_OPENSSL_CTX(ctx));
+	UsePadding(mPaddingOn);
+
 	// Mark as being within a transform
 	mWithinTransform = true;
 }
@@ -262,8 +268,7 @@ int CipherContext::Transform(void *pOutBuffer, int OutLength, const void *pInBuf
 		(unsigned char*)pInBuffer, InLength) != 1)
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPUpdateFailure,
-			"Failed to " << GetFunction() << " (update) " <<
-			mCipherName << " cipher: " << LogError(GetFunction()));
+			"Failed to update " << mCipherName << ": " << LogError(GetFunction()));
 	}
 
 	return outLength;
@@ -313,8 +318,7 @@ int CipherContext::Final(void *pOutBuffer, int OutLength)
 	{
 		mWithinTransform = false;
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPFinalFailure,
-			"Failed to " << GetFunction() << " (final) " <<
-			mCipherName << " cipher: " << LogError(GetFunction()));
+			"Failed to finalise " << mCipherName << ": " << LogError(GetFunction()));
 	}
 #else
 	OldOpenSSLFinal((unsigned char*)pOutBuffer, outLength);
@@ -392,12 +396,14 @@ void CipherContext::OldOpenSSLFinal(unsigned char *Buffer, int &rOutLengthOut)
 		}
 	}
 	// Reinitialise the cipher for the next time around
-	if(EVP_CipherInit(&ctx, mpDescription->GetCipher(), NULL, NULL,
+	if(EVP_CipherInit_ex(&ctx, mpDescription->GetCipher(), NULL, NULL,
+		(const unsigned char *)(mIV.size() > 0 ? mIV.c_str() : NULL),
 		(mFunction == Encrypt) ? 1 : 0) != 1)
 	{
 		THROW_EXCEPTION(CipherException, EVPInitFailure)
 	}
 	mpDescription->SetupParameters(&ctx);
+	UsePadding(mPaddingOn);
 
 	// Update length for caller
 	rOutLengthOut = outLength;
@@ -484,10 +490,15 @@ int CipherContext::TransformBlock(void *pOutBuffer, int OutLength, const void *p
 	}
 
 	// Initialise the cipher context again
-	if(EVP_CipherInit(BOX_OPENSSL_CTX(ctx), NULL, NULL, NULL, -1) != 1)
+	if(EVP_CipherInit_ex(BOX_OPENSSL_CTX(ctx), mpDescription->GetCipher(), NULL, NULL,
+		(const unsigned char *)(mIV.size() > 0 ? mIV.c_str() : NULL),
+		-1) != 1)
 	{
-		THROW_EXCEPTION(CipherException, EVPInitFailure)
+		THROW_EXCEPTION_MESSAGE(CipherException, EVPInitFailure,
+			"Failed to init " << mCipherName << ": " << LogError(GetFunction()));
 	}
+	mpDescription->SetupParameters(BOX_OPENSSL_CTX(ctx));
+	UsePadding(mPaddingOn);
 
 	// Do the entire block
 	int outLength = 0;
@@ -498,8 +509,7 @@ int CipherContext::TransformBlock(void *pOutBuffer, int OutLength, const void *p
 		(unsigned char*)pInBuffer, InLength) != 1)
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPUpdateFailure,
-			"Failed to " << GetFunction() << " (update) " <<
-			mCipherName << " cipher: " << LogError(GetFunction()));
+			"Failed to update " << mCipherName << ": " << LogError(GetFunction()));
 	}
 
 	// Finalise
@@ -511,8 +521,7 @@ int CipherContext::TransformBlock(void *pOutBuffer, int OutLength, const void *p
 		&outLength2) != 1)
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPFinalFailure,
-			"Failed to " << GetFunction() << " (final) " <<
-			mCipherName << " cipher: " << LogError(GetFunction()));
+			"Failed to finalise " << mCipherName << ": " << LogError(GetFunction()));
 	}
 #endif
 	outLength += outLength2;
@@ -562,13 +571,17 @@ void CipherContext::SetIV(const void *pIV)
 			"flagged as within a transform");
 	}
 
+	mIV = std::string((const char *)pIV, GetIVLength());
+
 	// Set IV
-	if(EVP_CipherInit(BOX_OPENSSL_CTX(ctx), NULL, NULL, (unsigned char *)pIV, -1) != 1)
+	if(EVP_CipherInit_ex(BOX_OPENSSL_CTX(ctx), mpDescription->GetCipher(), NULL, NULL,
+		(const unsigned char *)mIV.c_str(), -1) != 1)
 	{
 		THROW_EXCEPTION_MESSAGE(CipherException, EVPInitFailure,
-			"Failed to " << GetFunction() << " (set IV) " <<
-			mCipherName << " cipher: " << LogError(GetFunction()));
+			"Failed to set IV for " << mCipherName << ": " << LogError(GetFunction()));
 	}
+	mpDescription->SetupParameters(BOX_OPENSSL_CTX(ctx));
+	UsePadding(mPaddingOn);
 
 #ifdef HAVE_OLD_SSL
 	// Update description
@@ -633,7 +646,9 @@ void CipherContext::UsePadding(bool Padding)
 #ifndef HAVE_OLD_SSL
 	if(EVP_CIPHER_CTX_set_padding(BOX_OPENSSL_CTX(ctx), Padding) != 1)
 	{
-		THROW_EXCEPTION(CipherException, EVPSetPaddingFailure)
+		THROW_EXCEPTION_MESSAGE(CipherException, EVPSetPaddingFailure,
+			"Failed to set padding for " << mCipherName << ": " <<
+			LogError(GetFunction()));
 	}
 #endif
 	mPaddingOn = Padding;

diff --git a/lib/crypto/CipherContext.h b/lib/crypto/CipherContext.h
@@ -97,9 +97,8 @@ class CipherContext
 	uint8_t mGeneratedIV[CIPHERCONTEXT_MAX_GENERATED_IV_LENGTH];
 	CipherFunction mFunction;
 	std::string mCipherName;
-#ifdef HAVE_OLD_SSL
-	CipherDescription *mpDescription;
-#endif
+	const CipherDescription *mpDescription;
+	std::string mIV;
 };
 
 

diff --git a/test/crypto/testcrypto.cpp b/test/crypto/testcrypto.cpp
@@ -266,7 +266,7 @@ int test(int argc, const char *argv[])
 	// Check rolling checksums
 	uint8_t *checkdata_blk = (uint8_t *)malloc(CHECKSUM_DATA_SIZE);
 	uint8_t *checkdata = checkdata_blk;
-	RAND_pseudo_bytes(checkdata, CHECKSUM_DATA_SIZE);
+	RAND_bytes(checkdata, CHECKSUM_DATA_SIZE);
 	for(int size = CHECKSUM_BLOCK_SIZE_BASE; size <= CHECKSUM_BLOCK_SIZE_LAST; ++size)
 	{
 		// Test skip-roll code