

[src/trunk]: src/crypto/dist/ipsec-tools/src/racoon Welcome to the 21st centu...



details:   https://anonhg.NetBSD.org/src/rev/afdff9feb268
branches:  trunk
changeset: 829622:afdff9feb268
user:      christos <christos%NetBSD.org@localhost>
date:      Wed Feb 07 03:59:03 2018 +0000

description:
Welcome to the 21st century Buck Rogers: OpenSSL-1.1

diffstat:

 crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c |  287 ++++++++++---------
 crypto/dist/ipsec-tools/src/racoon/crypto_openssl.h |  237 ++++++++--------
 crypto/dist/ipsec-tools/src/racoon/prsa_par.y       |  115 ++++++-
 crypto/dist/ipsec-tools/src/racoon/rsalist.c        |    6 +-
 4 files changed, 360 insertions(+), 285 deletions(-)

diffs (truncated from 1088 to 300 lines):

diff -r 2be669bbdb78 -r afdff9feb268 crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c
--- a/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c       Wed Feb 07 03:26:36 2018 +0000
+++ b/crypto/dist/ipsec-tools/src/racoon/crypto_openssl.c       Wed Feb 07 03:59:03 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: crypto_openssl.c,v 1.26 2017/06/11 22:12:56 christos Exp $     */
+/*     $NetBSD: crypto_openssl.c,v 1.27 2018/02/07 03:59:03 christos Exp $     */
 
 /* Id: crypto_openssl.c,v 1.47 2006/05/06 20:42:09 manubsd Exp */
 
@@ -109,11 +109,11 @@
  * necessary for SSLeay/OpenSSL portability.  It sucks.
  */
 
-static int cb_check_cert_local __P((int, X509_STORE_CTX *));
-static int cb_check_cert_remote __P((int, X509_STORE_CTX *));
-static X509 *mem2x509 __P((vchar_t *));
-
-static caddr_t eay_hmac_init __P((vchar_t *, const EVP_MD *));
+static int cb_check_cert_local(int, X509_STORE_CTX *);
+static int cb_check_cert_remote(int, X509_STORE_CTX *);
+static X509 *mem2x509(vchar_t *);
+
+static caddr_t eay_hmac_init(vchar_t *, const EVP_MD *);
 
 /* X509 Certificate */
 /*
@@ -312,13 +312,19 @@
        for(idx = 0; idx < X509_NAME_entry_count(a); idx++) {
                X509_NAME_ENTRY *ea = X509_NAME_get_entry(a, idx);
                X509_NAME_ENTRY *eb = X509_NAME_get_entry(b, idx);
+               ASN1_STRING *eda, *edb;
                if (!eb) {      /* reached end of eb while still entries in ea, can not be equal... */
                        i = idx+1;
                        goto end;
                }
-               if ((ea->value->length == 1 && ea->value->data[0] == '*') ||
-                   (eb->value->length == 1 && eb->value->data[0] == '*')) {
-                       if (OBJ_cmp(ea->object,eb->object)) {
+               eda = X509_NAME_ENTRY_get_data(ea);
+               edb = X509_NAME_ENTRY_get_data(eb);
+               if ((eda->length == 1 && eda->data[0] == '*') ||
+                   (edb->length == 1 && edb->data[0] == '*')) {
+                       ASN1_OBJECT *eoa, *eob;
+                       eoa = X509_NAME_ENTRY_get_object(ea);
+                       eob = X509_NAME_ENTRY_get_object(eb);
+                       if (OBJ_cmp(eoa, eob)) {
                                i = idx+1;
                                goto end;
                        }
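Review bot: The wildcard test on the `eda->length == 1 && eda->data[0] == '*'` lines still reaches into ASN1_STRING struct fields, while the rest of the hunk moves to accessor calls (`X509_NAME_ENTRY_get_data`, `X509_NAME_ENTRY_get_object`); for consistency with the commit's opaque-struct direction, `ASN1_STRING_length(eda) == 1 && ASN1_STRING_get0_data(eda)[0] == '*'` (and the same for `edb`) reads the same values through the public API (`ASN1_STRING_get0_data` is 1.1.0+, `ASN1_STRING_data` on older releases). The enclosing comparison function starts and ends outside the hunk.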
@@ -426,19 +432,17 @@
        X509_STORE_CTX *ctx;
 {
        char buf[256];
-       int log_tag;
+       int log_tag, error;
 
        if (!ok) {
-               X509_NAME_oneline(
-                               X509_get_subject_name(ctx->current_cert),
-                               buf,
-                               256);
+               X509_NAME_oneline(X509_get_subject_name(
+                   X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
                /*
                 * since we are just checking the certificates, it is
                 * ok if they are self signed. But we should still warn
                 * the user.
                 */
-               switch (ctx->error) {
+               switch (error = X509_STORE_CTX_get_error(ctx)) {
                case X509_V_ERR_CERT_HAS_EXPIRED:
                case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
                case X509_V_ERR_INVALID_CA:
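Review bot: `X509_STORE_CTX_get_current_cert(ctx)` is documented to return NULL when no certificate is relevant to the error, and the new `X509_NAME_oneline(X509_get_subject_name(...))` call passes that result straight through, so the callback can dereference NULL on such errors (the old `ctx->current_cert` access had the same gap). I would hold it in a local, `X509 *cur = X509_STORE_CTX_get_current_cert(ctx);`, format the subject only when `cur != NULL`, and otherwise put a fixed marker string into `buf`; `sizeof buf` is also preferable to the repeated literal `256`. The same applies to the cb_check_cert_remote hunk at @@ -473. Both callbacks start outside their hunks.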
@@ -453,9 +457,8 @@
                }
                plog(log_tag, LOCATION, NULL,
                        "%s(%d) at depth:%d SubjectName:%s\n",
-                       X509_verify_cert_error_string(ctx->error),
-                       ctx->error,
-                       ctx->error_depth,
+                       X509_verify_cert_error_string(error), error,
+                       X509_STORE_CTX_get_error_depth(ctx),
                        buf);
        }
        ERR_clear_error();
@@ -473,14 +476,12 @@
        X509_STORE_CTX *ctx;
 {
        char buf[256];
-       int log_tag;
+       int log_tag, error;
 
        if (!ok) {
-               X509_NAME_oneline(
-                               X509_get_subject_name(ctx->current_cert),
-                               buf,
-                               256);
-               switch (ctx->error) {
+               X509_NAME_oneline(X509_get_subject_name(
+                   X509_STORE_CTX_get_current_cert(ctx)), buf, 256);
+               switch (error = X509_STORE_CTX_get_error(ctx)) {
                case X509_V_ERR_UNABLE_TO_GET_CRL:
                        ok = 1;
                        log_tag = LLV_WARNING;
@@ -490,9 +491,9 @@
                }
                plog(log_tag, LOCATION, NULL,
                        "%s(%d) at depth:%d SubjectName:%s\n",
-                       X509_verify_cert_error_string(ctx->error),
-                       ctx->error,
-                       ctx->error_depth,
+                       X509_verify_cert_error_string(error),
+                       error,
+                       X509_STORE_CTX_get_error_depth(ctx),
                        buf);
        }
        ERR_clear_error();
@@ -508,6 +509,7 @@
        vchar_t *cert;
 {
        X509 *x509 = NULL;
+       X509_NAME *xname;
        u_char *bp;
        vchar_t *name = NULL;
        int len;
@@ -517,13 +519,14 @@
                goto error;
 
        /* get the length of the name */
-       len = i2d_X509_NAME(x509->cert_info->subject, NULL);
+       xname = X509_get_subject_name(x509);
+       len = i2d_X509_NAME(xname, NULL);
        name = vmalloc(len);
        if (!name)
                goto error;
        /* get the name */
        bp = (unsigned char *) name->v;
-       len = i2d_X509_NAME(x509->cert_info->subject, &bp);
+       len = i2d_X509_NAME(xname, &bp);
 
        X509_free(x509);
 
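Review bot: `len = i2d_X509_NAME(xname, NULL);` can return a negative value on encoding failure, and the next line hands it to `vmalloc(len)` unchecked, where a negative int becomes a very large unsigned length; the accessor rewrite preserves this gap. A guard `if (len < 0) goto error;` right after the length query would route it to the function's existing cleanup label visible at the top of the hunk. The same pattern is in the issuer-name hunk at @@ -683. The enclosing function starts and ends outside the hunk.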
@@ -674,6 +677,7 @@
        vchar_t *cert;
 {
        X509 *x509 = NULL;
+       X509_NAME *xissuer;
        u_char *bp;
        vchar_t *name = NULL;
        int len;
@@ -683,14 +687,15 @@
                goto error;
 
        /* get the length of the name */
-       len = i2d_X509_NAME(x509->cert_info->issuer, NULL);
+       xissuer = X509_get_issuer_name(x509);
+       len = i2d_X509_NAME(xissuer, NULL);
        name = vmalloc(len);
        if (name == NULL)
                goto error;
 
        /* get the name */
        bp = (unsigned char *) name->v;
-       len = i2d_X509_NAME(x509->cert_info->issuer, &bp);
+       len = i2d_X509_NAME(xissuer, &bp);
 
        X509_free(x509);
 
@@ -871,7 +876,7 @@
                return -1;
        }
 
-       res = eay_rsa_verify(source, sig, evp->pkey.rsa);
+       res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
 
        EVP_PKEY_free(evp);
        X509_free(x509);
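Review bot: `EVP_PKEY_get0_RSA(evp)` returns NULL when the certificate's key is not an RSA key, and the new line passes that result to `eay_rsa_verify` without a check; I cannot see from here whether eay_rsa_verify tolerates a NULL RSA, so it is worth either confirming or guarding. Holding the result in a local, `RSA *rsa = EVP_PKEY_get0_RSA(evp);`, and failing with `-1` when it is NULL before the call would make the non-RSA case explicit; since `get0` returns a borrowed reference, the existing `EVP_PKEY_free(evp)` after the call remains the only release needed. The same applies to the eay_rsa_sign hunk at @@ -1013, where the signer would return NULL. The enclosing function starts outside the hunk.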
@@ -1013,7 +1018,7 @@
        if (evp == NULL)
                return NULL;
 
-       sig = eay_rsa_sign(src, evp->pkey.rsa);
+       sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
 
        EVP_PKEY_free(evp);
 
@@ -1121,7 +1126,7 @@
 evp_crypt(vchar_t *data, vchar_t *key, vchar_t *iv, const EVP_CIPHER *e, int enc)
 {
        vchar_t *res;
-       EVP_CIPHER_CTX ctx;
+       EVP_CIPHER_CTX *ctx;
 
        if (!e)
                return NULL;
@@ -1132,7 +1137,9 @@
        if ((res = vmalloc(data->l)) == NULL)
                return NULL;
 
-       EVP_CIPHER_CTX_init(&ctx);
+       ctx = EVP_CIPHER_CTX_new();
+       if (ctx == NULL)
+               return NULL;
 
        switch(EVP_CIPHER_nid(e)){
        case NID_bf_cbc:
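Review bot: The new `if (ctx == NULL) return NULL;` after `EVP_CIPHER_CTX_new()` returns while `res`, allocated by `vmalloc(data->l)` two lines earlier, is still live, so a context allocation failure leaks the output buffer. Either release it on that path, `if (ctx == NULL) { vfree(res); return NULL; }`, or allocate the context before `res`. The `out:` label added in the next hunk frees both the context and `res` on every later failure, so this early return is the only exit that does not. evp_crypt starts and ends outside this hunk.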
@@ -1146,54 +1153,41 @@
                /* XXX: can we do that also for algos with a fixed key size ?
                 */
                /* init context without key/iv
-         */
-        if (!EVP_CipherInit(&ctx, e, NULL, NULL, enc))
-        {
-            OpenSSL_BUG();
-            vfree(res);
-            return NULL;
-        }
-               
-        /* update key size
-         */
-        if (!EVP_CIPHER_CTX_set_key_length(&ctx, key->l))
-        {
-            OpenSSL_BUG();
-            vfree(res);
-            return NULL;
-        }
-
-        /* finalize context init with desired key size
-         */
-        if (!EVP_CipherInit(&ctx, NULL, (u_char *) key->v,
-                                                       (u_char *) iv->v, enc))
-        {
-            OpenSSL_BUG();
-            vfree(res);
-            return NULL;
-               }
+                */
+               if (!EVP_CipherInit(ctx, e, NULL, NULL, enc))
+                       goto out;
+                       
+               /* update key size
+                */
+               if (!EVP_CIPHER_CTX_set_key_length(ctx, key->l))
+                       goto out;
+
+               /* finalize context init with desired key size
+                */
+               if (!EVP_CipherInit(ctx, NULL, (u_char *)key->v,
+                   (u_char *)iv->v, enc))
+                       goto out;
                break;
        default:
-               if (!EVP_CipherInit(&ctx, e, (u_char *) key->v, 
-                                                       (u_char *) iv->v, enc)) {
-                       OpenSSL_BUG();
-                       vfree(res);
-                       return NULL;
-               }
+               if (!EVP_CipherInit(ctx, e, (u_char *) key->v, 
+                   (u_char *) iv->v, enc))
+                   goto out;
        }
 
        /* disable openssl padding */
-       EVP_CIPHER_CTX_set_padding(&ctx, 0); 
+       EVP_CIPHER_CTX_set_padding(ctx, 0); 
        
-       if (!EVP_Cipher(&ctx, (u_char *) res->v, (u_char *) data->v, data->l)) {
-               OpenSSL_BUG();
-               vfree(res);
-               return NULL;
-       }
-
-       EVP_CIPHER_CTX_cleanup(&ctx);
+       if (!EVP_Cipher(ctx, (u_char *) res->v, (u_char *) data->v, data->l))
+               goto out;
+
+       EVP_CIPHER_CTX_free(ctx);
 
        return res;
+out:
+       EVP_CIPHER_CTX_free(ctx);
+       OpenSSL_BUG();
+       vfree(res);
+       return NULL;
 }
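Review bot: The `goto out;` in the `default:` branch is indented with spaces while the rest of the rewritten block uses tabs, so it reads as one level shallower than the `if` it belongs to; a tab-indented `goto out;` matching the three other `goto out;` lines in the switch would fix it. Otherwise replacing the four duplicated `OpenSSL_BUG(); vfree(res); return NULL;` sequences with a single `out:` cleanup is the right shape, and `EVP_CIPHER_CTX_free` before `OpenSSL_BUG()` keeps the context released on every failure. evp_crypt starts outside this hunk.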
 
 int
@@ -1348,7 +1342,7 @@
        return len;
 }
 
-#ifdef HAVE_OPENSSL_RC5_H
+#ifdef HAVE_OPENSSL_RC5_H 
 /*
  * RC5-CBC
  */
@@ -1734,9 +1728,9 @@
        vchar_t *key;
        const EVP_MD *md;


