2 files changed, 24 insertions, 5 deletions

diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index bc7884c99..24fe623eb 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
@@ -28,6 +28,10 @@
 #include <openssl/ecdsa.h>
 #include <openssl/x509.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+OPENSSL_KEY_FALLBACK(ECDSA_SIG, r, s)
+#endif
+
 typedef struct private_openssl_ec_private_key_t private_openssl_ec_private_key_t;
 
 /**
@@ -59,15 +63,17 @@ bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp);
 static bool build_signature(private_openssl_ec_private_key_t *this,
 							chunk_t hash, chunk_t *signature)
 {
-	bool built = FALSE;
+	const BIGNUM *r, *s;
 	ECDSA_SIG *sig;
+	bool built = FALSE;
 
 	sig = ECDSA_do_sign(hash.ptr, hash.len, this->ec);
 	if (sig)
 	{
+		ECDSA_SIG_get0(sig, &r, &s);
 		/* concatenate BNs r/s to a signature chunk */
 		built = openssl_bn_cat(EC_FIELD_ELEMENT_LEN(EC_KEY_get0_group(this->ec)),
-							   sig->r, sig->s, signature);
+							   r, s, signature);
 		ECDSA_SIG_free(sig);
 	}
 	return built;
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
index 21dcb0120..a1e56fc5e 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c
@@ -27,6 +27,10 @@
 #include <openssl/ecdsa.h>
 #include <openssl/x509.h>
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+OPENSSL_KEY_FALLBACK(ECDSA_SIG, r, s)
+#endif
+
 typedef struct private_openssl_ec_public_key_t private_openssl_ec_public_key_t;
 
 /**
@@ -55,14 +59,23 @@ struct private_openssl_ec_public_key_t {
 static bool verify_signature(private_openssl_ec_public_key_t *this,
 							 chunk_t hash, chunk_t signature)
 {
-	bool valid = FALSE;
+	BIGNUM *r, *s;
 	ECDSA_SIG *sig;
+	bool valid = FALSE;
 
 	sig = ECDSA_SIG_new();
 	if (sig)
 	{
-		/* split the signature chunk in r and s */
-		if (openssl_bn_split(signature, sig->r, sig->s))
+		r = BN_new();
+		s = BN_new();
+		if (!openssl_bn_split(signature, r, s))
+		{
+			BN_free(r);
+			BN_free(s);
+			ECDSA_SIG_free(sig);
+			return FALSE;
+		}
+		if (ECDSA_SIG_set0(sig, r, s))
 		{
 			valid = (ECDSA_do_verify(hash.ptr, hash.len, sig, this->ec) == 1);
 		}