[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Welcome to the 21st centu...
details: https://anonhg.NetBSD.org/src/rev/ece5cfba7f86
branches: trunk
changeset: 359321:ece5cfba7f86
user: christos <christos%NetBSD.org@localhost>
date: Wed Feb 07 03:59:03 2018 +0000
description:
Welcome to the 21st century Buck Rogers: OpenSSL-1.1
diffstat:
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c | 287 ++++++++++---------
crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h | 237 ++++++++--------
crypto/dist/ipsec-tools/src/racoon/prsa_par.y | 115 ++++++-
crypto/dist/ipsec-tools/src/racoon/rsalist.c | 6 +-
4 files changed, 360 insertions(+), 285 deletions(-)
diffs (truncated from 1088 to 300 lines):
diff -r a5abcc5fad27 -r ece5cfba7f86 crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c Wed Feb 07 03:26:36 2018 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c Wed Feb 07 03:59:03 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $ */
+/* $NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $ */
/* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
@@ -109,11 +109,11 @@
* necessary for SSLeay/OpenSSL portability. It sucks.
*/
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
-static X509 *mem2x509 __P((vchar_t *));
-
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
+static int cb_check_cert_local(int, X509_STORE_CTX *);
+static int cb_check_cert_remote(int, X509_STORE_CTX *);
+static X509 *mem2x509(vchar_t *);
+
+static caddr_t eay_hmac_init(vchar_t *, const EVP_MD *);
/* X509 Certificate */
/*
@@ -312,13 +312,19 @@
for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+ ASN1_STRING *eda, *edb;
if (!eb) { /* reached end of eb while still entries in ea, can not be equal... */
i = idx+1;
goto end;
}
- if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
- (eb->value->length == 1 && eb->value->data[0] == '*')) {
- if (OBJ_cmp(ea->object,eb->object)) {
+ eda = X509_NAME_ENTRY_get_data(ea);
+ edb = X509_NAME_ENTRY_get_data(eb);
+ if ((eda->length == 1 && eda->data[0] == '*') ||
+ (edb->length == 1 && edb->data[0] == '*')) {
+ ASN1_OBJECT *eoa, *eob;
+ eoa = X509_NAME_ENTRY_get_object(ea);
+ eob = X509_NAME_ENTRY_get_object(eb);
+ if (OBJ_cmp(eoa, eob)) {
i = idx+1;
goto end;
}
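Review bot: The new code fetches the entry value through `X509_NAME_ENTRY_get_data()` but then reaches into `eda->length` and `eda->data[0]` directly, which is the same struct-poking the rest of the commit is removing; `ASN1_STRING_length()` and `ASN1_STRING_get0_data()` keep the wildcard test accessor-only, e.g. `if ((ASN1_STRING_length(eda) == 1 && ASN1_STRING_get0_data(eda)[0] == '*') ||` with the matching form for `edb`. That also removes the dependency on `ASN1_STRING` staying a public struct in later OpenSSL releases. The enclosing loop and function both start before and end after this hunk.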
@@ -426,19 +432,17 @@
X509_STORE_CTX *ctx;
{
char buf[256];
- int log_tag;
+ int log_tag, error;
if (!ok) {
- X509_NAME_oneline(
- X509_get_subject_name(ctx->current_cert),
- buf,
- 256);
+ X509_NAME_oneline(X509_get_subject_name(
+ X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
/*
* since we are just checking the certificates, it is
* ok if they are self signed. But we should still warn
* the user.
*/
- switch (ctx->error) {
+ switch (error = X509_STORE_CTX_get_error(ctx)) {
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_INVALID_CA:
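Review bot: `X509_STORE_CTX_get_current_cert(ctx)` is handed straight to `X509_get_subject_name()`, which dereferences its argument, yet the accessor is documented to return NULL when no current certificate is set and the verify callback can be reached that way for some error codes; fetch it into a local first and put a fixed marker in `buf` when it is NULL before logging. The old `ctx->current_cert` access had the same hole, so this is inherited rather than introduced, but the rewrite is the moment to close it. The literal `256` passed to `X509_NAME_oneline()` duplicates the declared size of `buf` and would be safer as `sizeof buf`. Both points apply equally to cb_check_cert_remote in the hunk at @@ -473,14 +476,12 @@. The callback's body continues past this hunk.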
@@ -453,9 +457,8 @@
}
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(ctx->error),
- ctx->error,
- ctx->error_depth,
+ X509_verify_cert_error_string(error), error,
+ X509_STORE_CTX_get_error_depth(ctx),
buf);
}
ERR_clear_error();
@@ -473,14 +476,12 @@
X509_STORE_CTX *ctx;
{
char buf[256];
- int log_tag;
+ int log_tag, error;
if (!ok) {
- X509_NAME_oneline(
- X509_get_subject_name(ctx->current_cert),
- buf,
- 256);
- switch (ctx->error) {
+ X509_NAME_oneline(X509_get_subject_name(
+ X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
+ switch (error = X509_STORE_CTX_get_error(ctx)) {
case X509_V_ERR_UNABLE_TO_GET_CRL:
ok = 1;
log_tag = LLV_WARNING;
@@ -490,9 +491,9 @@
}
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(ctx->error),
- ctx->error,
- ctx->error_depth,
+ X509_verify_cert_error_string(error),
+ error,
+ X509_STORE_CTX_get_error_depth(ctx),
buf);
}
ERR_clear_error();
@@ -508,6 +509,7 @@
vchar_t *cert;
{
X509 *x509 = NULL;
+ X509_NAME *xname;
u_char *bp;
vchar_t *name = NULL;
int len;
@@ -517,13 +519,14 @@
goto error;
/* get the length of the name */
- len = i2d_X509_NAME(x509->cert_info->subject, NULL);
+ xname = X509_get_subject_name(x509);
+ len = i2d_X509_NAME(xname, NULL);
name = vmalloc(len);
if (!name)
goto error;
/* get the name */
bp = (unsigned char *) name->v;
- len = i2d_X509_NAME(x509->cert_info->subject, &bp);
+ len = i2d_X509_NAME(xname, &bp);
X509_free(x509);
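Review bot: The length returned by `i2d_X509_NAME(xname, NULL)` is passed to `vmalloc(len)` without checking for the negative value i2d functions return on encoding failure, and the second `i2d_X509_NAME(xname, &bp)` result is not checked either; add `if (len < 0) goto error;` after each call so a malformed subject cannot turn into a bogus allocation size or an unchecked write into `name`. This is inherited from the `x509->cert_info->subject` version rather than introduced here. The same pattern is in eay_get_x509asn1issuername in the hunk at @@ -683,14 +687,15 @@. The function begins and ends outside this hunk.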
@@ -674,6 +677,7 @@
vchar_t *cert;
{
X509 *x509 = NULL;
+ X509_NAME *xissuer;
u_char *bp;
vchar_t *name = NULL;
int len;
@@ -683,14 +687,15 @@
goto error;
/* get the length of the name */
- len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
+ xissuer = X509_get_issuer_name(x509);
+ len = i2d_X509_NAME(xissuer, NULL);
name = vmalloc(len);
if (name == NULL)
goto error;
/* get the name */
bp = (unsigned char *) name->v;
- len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
+ len = i2d_X509_NAME(xissuer, &bp);
X509_free(x509);
@@ -871,7 +876,7 @@
return -1;
}
- res = eay_rsa_verify(source, sig, evp->pkey.rsa);
+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
EVP_PKEY_free(evp);
X509_free(x509);
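Review bot: `EVP_PKEY_get0_RSA(evp)` returns NULL when the public key pulled from the peer certificate is not an RSA key, and that NULL goes straight into `eay_rsa_verify()`; the old union access never yielded NULL, so a certificate carrying a DSA or EC key is a new way to reach the RSA routines with a null pointer. The key type should be checked and the verification rejected otherwise, as sketched below. `eay_rsa_sign()` in the hunk at @@ -1013,7 +1018,7 @@ has the same exposure through `EVP_PKEY_get0_RSA(evp)` and wants the same guard. The surrounding function starts before this hunk.
```c
	if (EVP_PKEY_base_id(evp) != EVP_PKEY_RSA) {
		plog(LLV_ERROR, LOCATION, NULL,
		    "certificate public key is not RSA\n");
		EVP_PKEY_free(evp);
		X509_free(x509);
		return -1;
	}
	res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
	/* … unchanged: EVP_PKEY_free / X509_free … */
```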
@@ -1013,7 +1018,7 @@
if (evp == NULL)
return NULL;
- sig = eay_rsa_sign(src, evp->pkey.rsa);
+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
EVP_PKEY_free(evp);
@@ -1121,7 +1126,7 @@
evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
{
vchar_t *res;
- EVP_CIPHER_CTX ctx;
+ EVP_CIPHER_CTX *ctx;
if (!e)
return NULL;
@@ -1132,7 +1137,9 @@
if ((res = vmalloc(data->l)) == NULL)
return NULL;
- EVP_CIPHER_CTX_init(&ctx);
+ ctx = EVP_CIPHER_CTX_new();
+ if (ctx == NULL)
+ return NULL;
switch(EVP_CIPHER_nid(e)){
case NID_bf_cbc:
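Review bot: The new `if (ctx == NULL) return NULL;` leaks `res`, which `vmalloc()` allocated three lines earlier and which the `out:` label added further down in this function releases on every later failure; free it here too, `if (ctx == NULL) { vfree(res); return NULL; }`. Alternatively create the context before allocating `res`, so that no cleanup is needed at this point. The function continues past this hunk.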
@@ -1146,54 +1153,41 @@
/* XXX: can we do that also for algos with a fixed key size ?
*/
/* init context without key/iv
- */
- if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
- {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-
- /* update key size
- */
- if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
- {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-
- /* finalize context init with desired key size
- */
- if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
- (u_char *) iv->v, enc))
- {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
+ */
+ if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
+ goto out;
+
+ /* update key size
+ */
+ if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
+ goto out;
+
+ /* finalize context init with desired key size
+ */
+ if (!EVP_CipherInit(ctx, NULL, (u_char *)key->v,
+ (u_char *)iv->v, enc))
+ goto out;
break;
default:
- if (!EVP_CipherInit(&ctx, e, (u_char *) key->v,
- (u_char *) iv->v, enc)) {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
+ if (!EVP_CipherInit(ctx, e, (u_char *) key->v,
+ (u_char *) iv->v, enc))
+ goto out;
}
/* disable openssl padding */
- EVP_CIPHER_CTX_set_padding(&ctx, 0);
+ EVP_CIPHER_CTX_set_padding(ctx, 0);
- if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
- OpenSSL_BUG();
- vfree(res);
- return NULL;
- }
-
- EVP_CIPHER_CTX_cleanup(&ctx);
+ if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
+ goto out;
+
+ EVP_CIPHER_CTX_free(ctx);
return res;
+out:
+ EVP_CIPHER_CTX_free(ctx);
+ OpenSSL_BUG();
+ vfree(res);
+ return NULL;
}
int
@@ -1348,7 +1342,7 @@
return len;
}
-#ifdef HAVE_OPENSSL_RC5_H
+#ifdef HAVE_OPENSSL_RC5_H
/*
* RC5-CBC
*/
@@ -1734,9 +1728,9 @@
vchar_t *key;
const EVP_MD *md;