1From 0c35749891bf834c1f3c1c4c330266bd2f4733cc Mon Sep 17 00:00:00 2001 2From: Khem Raj <raj.khem@gmail.com> 3Date: Sun, 9 Sep 2018 10:40:09 -0700 4Subject: [PATCH] Forward port to OpenSSL 1.1.x 5 6* import patch from debian 7https://sources.debian.org/src/wvstreams/4.6.1-14/debian/patches/wvstreams_openssl1.1.patch 8Author: Reiner Herrmann <reiner@reiner-h.de> 9 10Upstream-Status: Submitted [https://github.com/apenwarr/wvstreams/pull/2] 11Signed-off-by: Khem Raj <raj.khem@gmail.com> 12--- 13 crypto/wvcrl.cc | 38 +++++++++++++------------------------- 14 crypto/wvdiffiehellman.cc | 30 +++++++++++++++++++----------- 15 crypto/wvdigest.cc | 16 ++++++++-------- 16 crypto/wvocsp.cc | 35 +++++++++-------------------------- 17 crypto/wvx509.cc | 31 ++++++++++++++++--------------- 18 crypto/wvx509mgr.cc | 27 ++++++++++++++++----------- 19 include/wvdiffiehellman.h | 2 +- 20 include/wvdigest.h | 14 ++++++-------- 21 include/wvtripledes.h | 10 +++++----- 22 9 files changed, 93 insertions(+), 110 deletions(-) 23 24diff --git a/crypto/wvcrl.cc b/crypto/wvcrl.cc 25index fa00c76..880ad85 100644 26--- a/crypto/wvcrl.cc 27+++ b/crypto/wvcrl.cc 28@@ -357,31 +357,19 @@ bool WvCRL::isrevoked(WvStringParm serial_number) const 29 ASN1_INTEGER *serial = serial_to_int(serial_number); 30 if (serial) 31 { 32- X509_REVOKED mayberevoked; 33- mayberevoked.serialNumber = serial; 34- if (crl->crl->revoked) 35- { 36- int idx = sk_X509_REVOKED_find(crl->crl->revoked, 37- &mayberevoked); 38- ASN1_INTEGER_free(serial); 39- if (idx >= 0) 40- { 41- debug("Certificate is revoked.\n"); 42- return true; 43- } 44- else 45- { 46- debug("Certificate is not revoked.\n"); 47- return false; 48- } 49- } 50- else 51- { 52- ASN1_INTEGER_free(serial); 53- debug("CRL does not have revoked list.\n"); 54- return false; 55- } 56- 57+ X509_REVOKED *revoked_entry = NULL; 58+ int idx = X509_CRL_get0_by_serial(crl, &revoked_entry, serial); 59+ ASN1_INTEGER_free(serial); 60+ if (idx >= 1 || revoked_entry) 61+ { 62+ debug("Certificate is revoked.\n"); 63+ return true; 64+ } 65+ else 66+ { 67+ debug("Certificate is not revoked.\n"); 68+ return false; 69+ } 70 } 71 else 72 debug(WvLog::Warning, "Can't convert serial number to ASN1 format. " 73diff --git a/crypto/wvdiffiehellman.cc b/crypto/wvdiffiehellman.cc 74index 7c0bf32..15cd104 100644 75--- a/crypto/wvdiffiehellman.cc 76+++ b/crypto/wvdiffiehellman.cc 77@@ -39,24 +39,25 @@ WvDiffieHellman::WvDiffieHellman(const unsigned char *_key, int _keylen, 78 { 79 int problems; 80 int check; 81- { 82+ 83 info = DH_new(); 84- info->p = BN_bin2bn(_key, _keylen, NULL); 85+ BIGNUM *p = BN_bin2bn(_key, _keylen, NULL); 86 // info->p->top = 0; 87 // info->p->dmax = _keylen * 8 / BN_BITS2; 88 // info->p->neg = 0; 89 // info->p->flags = 0; 90 91- info->g = BN_new(); 92- BN_set_word(info->g, generator); 93+ BIGNUM *g = BN_new(); 94+ BN_set_word(g, generator); 95 // info->g->d = &generator; 96 // info->g->top = 0; 97 // info->g->dmax = 1; 98 // info->g->neg = 0; 99 // info->g->flags = 0; 100- } 101 102- check = BN_mod_word(info->p, 24); 103+ DH_set0_pqg(info, p, NULL, g); 104+ 105+ check = BN_mod_word(p, 24); 106 DH_check(info, &problems); 107 if (problems & DH_CHECK_P_NOT_PRIME) 108 log(WvLog::Error, "Using a composite number for authentication.\n"); 109@@ -64,7 +65,7 @@ WvDiffieHellman::WvDiffieHellman(const unsigned char *_key, int _keylen, 110 log(WvLog::Error,"Using an unsafe prime number for authentication.\n"); 111 if (problems & DH_NOT_SUITABLE_GENERATOR) 112 log(WvLog::Error, "Can you just use 2 instead of %s (%s)!!\n", 113- BN_bn2hex(info->g), check); 114+ BN_bn2hex(g), check); 115 if (problems & DH_UNABLE_TO_CHECK_GENERATOR) 116 log(WvLog::Notice, "Using a strange argument for diffie-hellman.\n"); 117 DH_generate_key(info); 118@@ -72,18 +73,23 @@ WvDiffieHellman::WvDiffieHellman(const unsigned char *_key, int _keylen, 119 120 int WvDiffieHellman::pub_key_len() 121 { 122- return BN_num_bytes(info->pub_key); 123+ const BIGNUM *pub_key = NULL; 124+ DH_get0_key(info, &pub_key, NULL); 125+ return BN_num_bytes(pub_key); 126 } 127 128 int WvDiffieHellman::get_public_value(WvBuf &outbuf, int len) 129 { 130- int key_len = BN_num_bytes(info->pub_key); 131+ const BIGNUM *pub_key = NULL; 132+ DH_get0_key(info, &pub_key, NULL); 133+ 134+ int key_len = BN_num_bytes(pub_key); 135 if (key_len < len) 136 len = key_len; 137 138 // alloca is stack allocated, don't free it. 139 unsigned char *foo = (unsigned char*)alloca(key_len); 140- BN_bn2bin(info->pub_key, foo); 141+ BN_bn2bin(pub_key, foo); 142 outbuf.put(foo, len); 143 144 return len; 145@@ -91,8 +97,10 @@ int WvDiffieHellman::get_public_value(WvBuf &outbuf, int len) 146 147 bool WvDiffieHellman::create_secret(WvBuf &inbuf, size_t in_len, WvBuf& outbuf) 148 { 149+ const BIGNUM *pub_key = NULL; 150+ DH_get0_key(info, &pub_key, NULL); 151 unsigned char *foo = (unsigned char *)alloca(DH_size(info)); 152- log("My public value\n%s\nYour public value\n%s\n",BN_bn2hex(info->pub_key), 153+ log("My public value\n%s\nYour public value\n%s\n",BN_bn2hex(pub_key), 154 hexdump_buffer(inbuf.peek(0, in_len), in_len, false)); 155 int len = DH_compute_key (foo, BN_bin2bn(inbuf.get(in_len), in_len, NULL), 156 info); 157diff --git a/crypto/wvdigest.cc b/crypto/wvdigest.cc 158index 150edee..73ebb5d 100644 159--- a/crypto/wvdigest.cc 160+++ b/crypto/wvdigest.cc 161@@ -13,10 +13,10 @@ 162 163 /***** WvEVPMDDigest *****/ 164 165-WvEVPMDDigest::WvEVPMDDigest(const env_md_st *_evpmd) : 166+WvEVPMDDigest::WvEVPMDDigest(const EVP_MD*_evpmd) : 167 evpmd(_evpmd), active(false) 168 { 169- evpctx = new EVP_MD_CTX; 170+ evpctx = EVP_MD_CTX_new(); 171 _reset(); 172 } 173 174@@ -24,7 +24,7 @@ WvEVPMDDigest::WvEVPMDDigest(const env_md_st *_evpmd) : 175 WvEVPMDDigest::~WvEVPMDDigest() 176 { 177 cleanup(); 178- delete evpctx; 179+ EVP_MD_CTX_free(evpctx); 180 } 181 182 183@@ -60,7 +60,7 @@ bool WvEVPMDDigest::_reset() 184 // the typecast is necessary for API compatibility with different 185 // versions of openssl. None of them *actually* change the contents of 186 // the pointer. 187- EVP_DigestInit(evpctx, (env_md_st *)evpmd); 188+ EVP_DigestInit(evpctx, evpmd); 189 active = true; 190 return true; 191 } 192@@ -79,7 +79,7 @@ void WvEVPMDDigest::cleanup() 193 194 size_t WvEVPMDDigest::digestsize() const 195 { 196- return EVP_MD_size((env_md_st *)evpmd); 197+ return EVP_MD_size(evpmd); 198 } 199 200 201@@ -104,14 +104,14 @@ WvHMACDigest::WvHMACDigest(WvEVPMDDigest *_digest, 202 { 203 key = new unsigned char[keysize]; 204 memcpy(key, _key, keysize); 205- hmacctx = new HMAC_CTX; 206+ hmacctx = HMAC_CTX_new(); 207 _reset(); 208 } 209 210 WvHMACDigest::~WvHMACDigest() 211 { 212 cleanup(); 213- delete hmacctx; 214+ HMAC_CTX_free(hmacctx); 215 deletev key; 216 delete digest; 217 } 218@@ -145,7 +145,7 @@ bool WvHMACDigest::_finish(WvBuf &outbuf) 219 bool WvHMACDigest::_reset() 220 { 221 cleanup(); 222- HMAC_Init(hmacctx, key, keysize, (env_md_st *)digest->getevpmd()); 223+ HMAC_Init(hmacctx, key, keysize, digest->getevpmd()); 224 active = true; 225 return true; 226 } 227diff --git a/crypto/wvocsp.cc b/crypto/wvocsp.cc 228index ddb2de4..7d5da07 100644 229--- a/crypto/wvocsp.cc 230+++ b/crypto/wvocsp.cc 231@@ -118,9 +118,10 @@ bool WvOCSPResp::check_nonce(const WvOCSPReq &req) const 232 233 bool WvOCSPResp::signedbycert(const WvX509 &cert) const 234 { 235- EVP_PKEY *skey = X509_get_pubkey(cert.cert); 236- int i = OCSP_BASICRESP_verify(bs, skey, 0); 237- EVP_PKEY_free(skey); 238+ STACK_OF(X509) *sk = sk_X509_new_null(); 239+ sk_X509_push(sk, cert.cert); 240+ int i = OCSP_basic_verify(bs, sk, NULL, OCSP_NOVERIFY); 241+ sk_X509_free(sk); 242 243 if(i > 0) 244 return true; 245@@ -131,33 +132,15 @@ bool WvOCSPResp::signedbycert(const WvX509 &cert) const 246 247 WvX509 WvOCSPResp::get_signing_cert() const 248 { 249- if (!bs || !sk_X509_num(bs->certs)) 250+ const STACK_OF(X509) *certs = OCSP_resp_get0_certs(bs); 251+ if (!bs || !sk_X509_num(certs)) 252 return WvX509(); 253 254- // note: the following bit of code is taken almost verbatim from 255- // ocsp_vfy.c in OpenSSL 0.9.8. Copyright and attribution should 256- // properly belong to them 257- 258- OCSP_RESPID *id = bs->tbsResponseData->responderId; 259- 260- if (id->type == V_OCSP_RESPID_NAME) 261- { 262- X509 *x = X509_find_by_subject(bs->certs, id->value.byName); 263- if (x) 264- return WvX509(X509_dup(x)); 265+ X509 *signer = NULL; 266+ if (OCSP_resp_get0_signer(bs, &signer, NULL) == 1) { 267+ return WvX509(X509_dup(signer)); 268 } 269 270- if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL; 271- unsigned char tmphash[SHA_DIGEST_LENGTH]; 272- unsigned char *keyhash = id->value.byKey->data; 273- for (int i = 0; i < sk_X509_num(bs->certs); i++) 274- { 275- X509 *x = sk_X509_value(bs->certs, i); 276- X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL); 277- if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH)) 278- return WvX509(X509_dup(x)); 279- } 280- 281 return WvX509(); 282 } 283 284diff --git a/crypto/wvx509.cc b/crypto/wvx509.cc 285index e4925ce..984156c 100644 286--- a/crypto/wvx509.cc 287+++ b/crypto/wvx509.cc 288@@ -974,7 +974,7 @@ static void add_aia(WvStringParm type, WvString identifier, 289 sk_ACCESS_DESCRIPTION_push(ainfo, acc); 290 acc->method = OBJ_txt2obj(type.cstr(), 0); 291 acc->location->type = GEN_URI; 292- acc->location->d.ia5 = M_ASN1_IA5STRING_new(); 293+ acc->location->d.ia5 = ASN1_IA5STRING_new(); 294 unsigned char *cident 295 = reinterpret_cast<unsigned char *>(identifier.edit()); 296 ASN1_STRING_set(acc->location->d.ia5, cident, identifier.len()); 297@@ -1059,7 +1059,7 @@ void WvX509::set_crl_urls(WvStringList &urls) 298 GENERAL_NAMES *uris = GENERAL_NAMES_new(); 299 GENERAL_NAME *uri = GENERAL_NAME_new(); 300 uri->type = GEN_URI; 301- uri->d.ia5 = M_ASN1_IA5STRING_new(); 302+ uri->d.ia5 = ASN1_IA5STRING_new(); 303 unsigned char *cident 304 = reinterpret_cast<unsigned char *>(i().edit()); 305 ASN1_STRING_set(uri->d.ia5, cident, i().len()); 306@@ -1162,10 +1162,11 @@ WvString WvX509::get_extension(int nid) const 307 #else 308 X509V3_EXT_METHOD *method = X509V3_EXT_get(ext); 309 #endif 310+ ASN1_OCTET_STRING *ext_data_str = X509_EXTENSION_get_data(ext); 311 if (!method) 312 { 313 WvDynBuf buf; 314- buf.put(ext->value->data, ext->value->length); 315+ buf.put(ext_data_str->data, ext_data_str->length); 316 retval = buf.getstr(); 317 } 318 else 319@@ -1176,21 +1177,21 @@ WvString WvX509::get_extension(int nid) const 320 // even though it's const (at least as of version 0.9.8e). 321 // gah. 322 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL 323- const unsigned char * ext_value_data = ext->value->data; 324+ const unsigned char * ext_value_data = ext_data_str->data; 325 #else 326 unsigned char *ext_value_data = ext->value->data; 327 #endif 328 if (method->it) 329 { 330 ext_data = ASN1_item_d2i(NULL, &ext_value_data, 331- ext->value->length, 332+ ext_data_str->length, 333 ASN1_ITEM_ptr(method->it)); 334 TRACE("Applied generic conversion!\n"); 335 } 336 else 337 { 338 ext_data = method->d2i(NULL, &ext_value_data, 339- ext->value->length); 340+ ext_data_str->length); 341 TRACE("Applied method specific conversion!\n"); 342 } 343 344@@ -1325,13 +1326,13 @@ bool WvX509::verify(WvBuf &original, WvStringParm signature) const 345 return false; 346 347 /* Verify the signature */ 348- EVP_MD_CTX sig_ctx; 349- EVP_VerifyInit(&sig_ctx, EVP_sha1()); 350- EVP_VerifyUpdate(&sig_ctx, original.peek(0, original.used()), 351+ EVP_MD_CTX *sig_ctx = EVP_MD_CTX_new(); 352+ EVP_VerifyInit(sig_ctx, EVP_sha1()); 353+ EVP_VerifyUpdate(sig_ctx, original.peek(0, original.used()), 354 original.used()); 355- int sig_err = EVP_VerifyFinal(&sig_ctx, sig_buf, sig_size, pk); 356+ int sig_err = EVP_VerifyFinal(sig_ctx, sig_buf, sig_size, pk); 357 EVP_PKEY_free(pk); 358- EVP_MD_CTX_cleanup(&sig_ctx); // Again, not my fault... 359+ EVP_MD_CTX_free(sig_ctx); // Again, not my fault... 360 if (sig_err != 1) 361 { 362 debug("Verify failed!\n"); 363@@ -1450,19 +1451,19 @@ void WvX509::set_ski() 364 { 365 CHECK_CERT_EXISTS_SET("ski"); 366 367- ASN1_OCTET_STRING *oct = M_ASN1_OCTET_STRING_new(); 368- ASN1_BIT_STRING *pk = cert->cert_info->key->public_key; 369+ ASN1_OCTET_STRING *oct = ASN1_OCTET_STRING_new(); 370+ ASN1_BIT_STRING *pk = X509_get0_pubkey_bitstr(cert); 371 unsigned char pkey_dig[EVP_MAX_MD_SIZE]; 372 unsigned int diglen; 373 374 EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL); 375 376- M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen); 377+ ASN1_OCTET_STRING_set(oct, pkey_dig, diglen); 378 X509_EXTENSION *ext = X509V3_EXT_i2d(NID_subject_key_identifier, 0, 379 oct); 380 X509_add_ext(cert, ext, -1); 381 X509_EXTENSION_free(ext); 382- M_ASN1_OCTET_STRING_free(oct); 383+ ASN1_OCTET_STRING_free(oct); 384 } 385 386 387diff --git a/crypto/wvx509mgr.cc b/crypto/wvx509mgr.cc 388index f249eec..156d3a4 100644 389--- a/crypto/wvx509mgr.cc 390+++ b/crypto/wvx509mgr.cc 391@@ -350,6 +350,8 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const 392 return false; 393 } 394 395+ uint32_t ex_flags = X509_get_extension_flags(cert); 396+ uint32_t ex_kusage = X509_get_key_usage(cert); 397 if (cert == unsignedcert.cert) 398 { 399 debug("Self Signing!\n"); 400@@ -362,8 +364,8 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const 401 return false; 402 } 403 #endif 404- else if (!((cert->ex_flags & EXFLAG_KUSAGE) && 405- (cert->ex_kusage & KU_KEY_CERT_SIGN))) 406+ else if (!((ex_flags & EXFLAG_KUSAGE) && 407+ (ex_kusage & KU_KEY_CERT_SIGN))) 408 { 409 debug("This Certificate is not allowed to sign certificates!\n"); 410 return false; 411@@ -390,6 +392,8 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const 412 413 bool WvX509Mgr::signcrl(WvCRL &crl) const 414 { 415+ uint32_t ex_flags = X509_get_extension_flags(cert); 416+ uint32_t ex_kusage = X509_get_key_usage(cert); 417 if (!isok() || !crl.isok()) 418 { 419 debug(WvLog::Warning, "Asked to sign CRL, but certificate or CRL (or " 420@@ -403,12 +407,12 @@ bool WvX509Mgr::signcrl(WvCRL &crl) const 421 "CRLs!\n"); 422 return false; 423 } 424- else if (!((cert->ex_flags & EXFLAG_KUSAGE) && 425- (cert->ex_kusage & KU_CRL_SIGN))) 426+ else if (!((ex_flags & EXFLAG_KUSAGE) && 427+ (ex_kusage & KU_CRL_SIGN))) 428 { 429 debug("Certificate not allowed to sign CRLs! (%s %s)\n", 430- (cert->ex_flags & EXFLAG_KUSAGE), 431- (cert->ex_kusage & KU_CRL_SIGN)); 432+ (ex_flags & EXFLAG_KUSAGE), 433+ (ex_kusage & KU_CRL_SIGN)); 434 return false; 435 } 436 #endif 437@@ -454,7 +458,6 @@ WvString WvX509Mgr::sign(WvBuf &data) const 438 { 439 assert(rsa); 440 441- EVP_MD_CTX sig_ctx; 442 unsigned char sig_buf[4096]; 443 444 EVP_PKEY *pk = EVP_PKEY_new(); 445@@ -467,20 +470,22 @@ WvString WvX509Mgr::sign(WvBuf &data) const 446 return WvString::null; 447 } 448 449- EVP_SignInit(&sig_ctx, EVP_sha1()); 450- EVP_SignUpdate(&sig_ctx, data.peek(0, data.used()), data.used()); 451+ EVP_MD_CTX *sig_ctx = EVP_MD_CTX_new(); 452+ EVP_SignInit(sig_ctx, EVP_sha1()); 453+ EVP_SignUpdate(sig_ctx, data.peek(0, data.used()), data.used()); 454 unsigned int sig_len = sizeof(sig_buf); 455- int sig_err = EVP_SignFinal(&sig_ctx, sig_buf, 456+ int sig_err = EVP_SignFinal(sig_ctx, sig_buf, 457 &sig_len, pk); 458 if (sig_err != 1) 459 { 460 debug("Error while signing.\n"); 461 EVP_PKEY_free(pk); 462+ EVP_MD_CTX_free(sig_ctx); 463 return WvString::null; 464 } 465 466 EVP_PKEY_free(pk); 467- EVP_MD_CTX_cleanup(&sig_ctx); // this isn't my fault :// 468+ EVP_MD_CTX_free(sig_ctx); // this isn't my fault :// 469 WvDynBuf buf; 470 buf.put(sig_buf, sig_len); 471 debug("Signature size: %s\n", buf.used()); 472diff --git a/include/wvdiffiehellman.h b/include/wvdiffiehellman.h 473index af75ffa..a2d001f 100644 474--- a/include/wvdiffiehellman.h 475+++ b/include/wvdiffiehellman.h 476@@ -27,7 +27,7 @@ public: 477 bool create_secret(WvBuf &inbuf, size_t in_len, WvBuf& outbuf); 478 479 protected: 480- struct dh_st *info; 481+ DH *info; 482 BN_ULONG generator; 483 484 private: 485diff --git a/include/wvdigest.h b/include/wvdigest.h 486index fdc39bd..f2eed40 100644 487--- a/include/wvdigest.h 488+++ b/include/wvdigest.h 489@@ -9,10 +9,8 @@ 490 491 #include "wvencoder.h" 492 #include <stdint.h> 493+#include <openssl/evp.h> 494 495-struct env_md_st; 496-struct env_md_ctx_st; 497-struct hmac_ctx_st; 498 499 /** 500 * Superclass for all message digests. 501@@ -45,8 +43,8 @@ public: 502 class WvEVPMDDigest : public WvDigest 503 { 504 friend class WvHMACDigest; 505- const env_md_st *evpmd; 506- env_md_ctx_st *evpctx; 507+ const EVP_MD *evpmd; 508+ EVP_MD_CTX *evpctx; 509 bool active; 510 511 public: 512@@ -54,13 +52,13 @@ public: 513 virtual size_t digestsize() const; 514 515 protected: 516- WvEVPMDDigest(const env_md_st *_evpmd); 517+ WvEVPMDDigest(const EVP_MD *_evpmd); 518 virtual bool _encode(WvBuf &inbuf, WvBuf &outbuf, 519 bool flush); // consumes input 520 virtual bool _finish(WvBuf &outbuf); // outputs digest 521 virtual bool _reset(); // supported: resets digest value 522 523- const env_md_st *getevpmd() 524+ const EVP_MD *getevpmd() 525 { return evpmd; } 526 527 private: 528@@ -104,7 +102,7 @@ class WvHMACDigest : public WvDigest 529 WvEVPMDDigest *digest; 530 unsigned char *key; 531 size_t keysize; 532- hmac_ctx_st *hmacctx; 533+ HMAC_CTX *hmacctx; 534 bool active; 535 536 public: 537diff --git a/include/wvtripledes.h b/include/wvtripledes.h 538index 185fe8a..a442e7a 100644 539--- a/include/wvtripledes.h 540+++ b/include/wvtripledes.h 541@@ -70,11 +70,11 @@ protected: 542 543 private: 544 Mode mode; 545- des_cblock key; 546- des_key_schedule deskey1; 547- des_key_schedule deskey2; 548- des_key_schedule deskey3; 549- des_cblock ivec; // initialization vector 550+ DES_cblock key; 551+ DES_key_schedule deskey1; 552+ DES_key_schedule deskey2; 553+ DES_key_schedule deskey3; 554+ DES_cblock ivec; // initialization vector 555 int ivecoff; // current offset into initvec 556 }; 557 558