[src/trunk]: src/usr.sbin/syslogd Adjust to OpenSSL-1.1
details: https://anonhg.NetBSD.org/src/rev/67ee1faedc7c
branches: trunk
changeset: 359311:67ee1faedc7c
user: christos <christos%NetBSD.org@localhost>
date: Tue Feb 06 21:36:46 2018 +0000
description:
Adjust to OpenSSL-1.1
diffstat:
usr.sbin/syslogd/sign.c | 38 ++++++++++++++++++++++++--------------
usr.sbin/syslogd/tls.c | 46 ++++++++++++++++++++++++++++++----------------
2 files changed, 54 insertions(+), 30 deletions(-)
diffs (205 lines):
diff -r 6b23cf2ae560 -r 67ee1faedc7c usr.sbin/syslogd/sign.c
--- a/usr.sbin/syslogd/sign.c Tue Feb 06 21:27:49 2018 +0000
+++ b/usr.sbin/syslogd/sign.c Tue Feb 06 21:36:46 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: sign.c,v 1.6 2015/02/10 20:38:15 christos Exp $ */
+/* $NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -55,7 +55,7 @@
* 1. check; next draft will be clearer and specify the format as implemented.
* 2. check; definitely only DSA in this version.
* 3. remains a problem, so far no statement from authors or WG.
- * 4. check; used EVP_dss1 method implements FIPS.
+ * 4. check; used EVP_sha1 method implements FIPS.
*/
/*
* Limitations of this implementation:
@@ -66,7 +66,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: sign.c,v 1.6 2015/02/10 20:38:15 christos Exp $");
+__RCSID("$NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $");
#ifndef DISABLE_SIGN
#include "syslogd.h"
@@ -99,15 +99,19 @@
EVP_MD_CTX_init(GlobalSign.sigctx);
/* the signature algorithm depends on the type of key */
- if (EVP_PKEY_DSA == EVP_PKEY_type(GlobalSign.pubkey->type)) {
- GlobalSign.sig = EVP_dss1();
+ switch (EVP_PKEY_base_id(GlobalSign.pubkey)) {
+ case EVP_PKEY_DSA:
+ GlobalSign.sig = EVP_sha1();
GlobalSign.sig_len_b64 = SIGN_B64SIGLEN_DSS;
-/* this is the place to add non-DSA key types and algorithms
- } else if (EVP_PKEY_RSA == EVP_PKEY_type(GlobalSign.pubkey->type)) {
+ break;
+#ifdef notyet
+ /* this is the place to add non-DSA key types and algorithms */
+ case EVP_PKEY_RSA:
GlobalSign.sig = EVP_sha1();
GlobalSign.sig_len_b64 = 28;
-*/
- } else {
+ break;
+#endif
+ default:
logerror("key type not supported for syslog-sign");
return false;
}
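Review bot: The `#ifdef notyet` RSA case in the middle of the hunk hard-codes `GlobalSign.sig_len_b64 = 28`, which is the base64 length of a 20-byte SHA-1 digest (the file uses the same 28 for `md_len_b64` in the SHA-1 setup) rather than an RSA signature, whose length depends on the modulus size. Now that this block is real code behind a macro instead of a commented-out sketch, a marker such as `/* XXX sig_len_b64 must be derived from EVP_PKEY_size(pubkey) before enabling */` next to the `case EVP_PKEY_RSA:` would stop someone from defining `notyet` and shipping a wrong length. The enclosing function starts and continues outside the hunk.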
@@ -115,7 +119,6 @@
assert(GlobalSign.keytype == 'C' || GlobalSign.keytype == 'K');
assert(GlobalSign.pubkey_b64 && GlobalSign.privkey &&
GlobalSign.pubkey);
- assert(GlobalSign.privkey->pkey.dsa->priv_key);
GlobalSign.gbc = 0;
STAILQ_INIT(&GlobalSign.SigGroups);
@@ -126,7 +129,7 @@
EVP_MD_CTX_init(GlobalSign.mdctx);
/* values for SHA-1 */
- GlobalSign.md = EVP_dss1();
+ GlobalSign.md = EVP_sha1();
GlobalSign.md_len_b64 = 28;
GlobalSign.ver = "0111";
@@ -191,7 +194,7 @@
*/
FREE_SSL(ssl);
- if (EVP_PKEY_DSA != EVP_PKEY_type(pubkey->type)) {
+ if (EVP_PKEY_DSA != EVP_PKEY_base_id(pubkey)) {
DPRINTF(D_SIGN, "X.509 cert has no DSA key\n");
EVP_PKEY_free(pubkey);
privkey = NULL;
@@ -234,8 +237,15 @@
logerror("EVP_PKEY_new() failed");
return false;
}
- dsa = DSA_generate_parameters(SIGN_GENCERT_BITS, NULL, 0,
- NULL, NULL, NULL, NULL);
+ if ((dsa = DSA_new()) == NULL) {
+ logerror("DSA_new() failed");
+ return false;
+ }
+ if (!DSA_generate_parameters_ex(dsa, SIGN_GENCERT_BITS, NULL, 0,
+ NULL, NULL, NULL)) {
+ logerror("DSA_generate_parameters_ex() failed");
+ return false;
+ }
if (!DSA_generate_key(dsa)) {
logerror("DSA_generate_key() failed");
return false;
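Review bot: The new failure return after `DSA_generate_parameters_ex()` (the `return false` just above the `DSA_generate_key` call) leaks the `dsa` object allocated by the `DSA_new()` this hunk adds; `DSA_free(dsa);` belongs before that return, and the pre-existing `DSA_generate_key` failure path right below now leaks the same object. The `pk` from `EVP_PKEY_new()` visible at the top of the hunk is likewise not released on these paths, though that predates the change. The same pattern is added to tls.c in the hunk at `@@ -2089,8 +2095,16 @@`, where `DSA_free(dsa);` is missing before both `return false` statements as well. The enclosing function starts and ends outside the hunk.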
diff -r 6b23cf2ae560 -r 67ee1faedc7c usr.sbin/syslogd/tls.c
--- a/usr.sbin/syslogd/tls.c Tue Feb 06 21:27:49 2018 +0000
+++ b/usr.sbin/syslogd/tls.c Tue Feb 06 21:36:46 2018 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tls.c,v 1.13 2017/01/10 21:05:42 christos Exp $ */
+/* $NetBSD: tls.c,v 1.14 2018/02/06 21:36:46 christos Exp $ */
/*-
* Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
*/
#include <sys/cdefs.h>
-__RCSID("$NetBSD: tls.c,v 1.13 2017/01/10 21:05:42 christos Exp $");
+__RCSID("$NetBSD: tls.c,v 1.14 2018/02/06 21:36:46 christos Exp $");
#ifndef DISABLE_TLS
#include <sys/stat.h>
@@ -104,16 +104,20 @@
0x88,0xEC,0xA6,0xBA,0x9F,0x4F,0x85,0x43 };
static const unsigned char dh1024_g[]={ 0x02 };
DH *dh;
+ BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
+ if ((dh = DH_new()) == NULL)
return NULL;
- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
+ p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if (p == NULL || g == NULL)
+ goto out;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto out;
+ return dh;
+out:
DH_free(dh);
return NULL;
- }
- return dh;
}
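Review bot: The new `goto out` paths leak BIGNUMs: when only one of `p`/`g` comes back NULL the other is never freed, and when `DH_set0_pqg()` fails ownership of both remains with the caller, yet the label only runs `DH_free(dh)`. Initialise them as `BIGNUM *p = NULL, *g = NULL;` and release them at the label, `out: BN_free(p); BN_free(g); DH_free(dh);` (BN_free accepts NULL), keeping the early `return dh` since `DH_set0_pqg` takes ownership on success. Unrelated to this change, the group these lines load is a fixed 1024-bit one (`dh1024_p`), which is below current size guidance for finite-field DH and worth a follow-up. The enclosing function starts outside the hunk.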
#define ST_CHANGE(x, y) do { \
@@ -435,7 +439,6 @@
match_hostnames(X509 *cert, const char *hostname, const char *subject)
{
int i, len, num;
- char *buf;
unsigned char *ubuf;
GENERAL_NAMES *gennames;
GENERAL_NAME *gn;
@@ -474,10 +477,11 @@
for (i = 0; i < num; ++i) {
gn = sk_GENERAL_NAME_value(gennames, i);
if (gn->type == GEN_DNS) {
- buf = (char *)ASN1_STRING_data(gn->d.ia5);
+ const char *str = (const char *)
+ ASN1_STRING_get0_data(gn->d.ia5);
len = ASN1_STRING_length(gn->d.ia5);
- if (!strncasecmp(subject, buf, len)
- || !strncasecmp(hostname, buf, len))
+ if (!strncasecmp(subject, str, len)
+ || !strncasecmp(hostname, str, len))
return true;
}
}
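Review bot: The rewritten compare `if (!strncasecmp(subject, str, len) || !strncasecmp(hostname, str, len))` only checks the first `len` characters, so a `subject` or `hostname` that is longer than the certificate's dNSName but begins with it is accepted, and a dNSName with an embedded NUL before `len` is not detected either. Requiring the lengths to agree addresses both: `if (strlen(str) == (size_t)len && (!strcasecmp(subject, str) || !strcasecmp(hostname, str)))`. This weakness predates the commit, but the lines are being rewritten here anyway. match_hostnames begins outside this hunk, so whether `subject`/`hostname` can be NULL here is not visible.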
@@ -703,8 +707,10 @@
X509_verify_cert_error_string(cur_err),
cur_depth, cur_subjectline);
if (cur_err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) {
+ X509 *current_cert =
+ X509_STORE_CTX_get_current_cert(ctx);
X509_NAME_oneline(
- X509_get_issuer_name(ctx->current_cert),
+ X509_get_issuer_name(current_cert),
cur_issuerline, sizeof(cur_issuerline));
DPRINTF(D_TLS, "openssl verify error:missing "
"cert for issuer=%s\n", cur_issuerline);
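Review bot: `X509_STORE_CTX_get_current_cert()` is documented to return NULL when no certificate is associated with the error, and the result is passed straight to `X509_get_issuer_name()` on the following line; the removed `ctx->current_cert` had the same exposure, but since the line is touched a guard is cheap, e.g. `if (current_cert != NULL) X509_NAME_oneline(X509_get_issuer_name(current_cert), cur_issuerline, sizeof(cur_issuerline));` with `cur_issuerline` otherwise set to a fixed "unknown" string before the DPRINTF. Whether the callback can actually observe NULL for `X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT` cannot be told from the hunk. The enclosing callback starts and ends outside the hunk.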
@@ -2089,8 +2095,16 @@
return false;
}
- dsa = DSA_generate_parameters(bits, NULL, 0,
- NULL, NULL, NULL, NULL);
+ dsa = DSA_new();
+ if (dsa == NULL) {
+ DPRINTF(D_TLS, "DSA_new() failed\n");
+ return false;
+ }
+
+ if (!DSA_generate_parameters_ex(dsa, bits, NULL, 0, NULL, NULL, NULL)) {
+ DPRINTF(D_TLS, "DSA_generate_parameters_ex() failed\n");
+ return false;
+ }
if (!DSA_generate_key(dsa)) {
DPRINTF(D_TLS, "DSA_generate_key() failed\n");
return false;
@@ -2160,7 +2174,7 @@
(void)x509_cert_add_subjectAltName(cert, &ctx);
- if (!X509_sign(cert, pk, EVP_dss1())) {
+ if (!X509_sign(cert, pk, EVP_sha1())) {
DPRINTF(D_TLS, "X509_sign() failed\n");
return false;
}
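Review bot: With the digest now passed explicitly, `X509_sign(cert, pk, EVP_sha1())` keeps issuing SHA-1-signed certificates, which current TLS peers and validation policies increasingly reject; under OpenSSL 1.1 a DSA key (which the earlier hunk in this file appears to generate for `pk`) can be signed with SHA-256, so `if (!X509_sign(cert, pk, EVP_sha256())) {` is the one-line change. Since this commit is otherwise behaviour-preserving, keeping SHA-1 may be deliberate for now; if so, a comment such as `/* SHA-1 kept for parity with the pre-1.1 EVP_dss1() behaviour */` would record that. The enclosing function starts and ends outside the hunk.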