control: tag -1 help

Hi Kurt,

could you please review this patch? Thank you.

Cheers,
-Hilko
>From 838e774d137dea242f8169fef3ab772f349db8c7 Mon Sep 17 00:00:00 2001
From: Hilko Bengen <[email protected]>
Subject: [PATCH] OpenSSL 1.1 compatibility fixes

---
 ncat/ncat_ssl.c | 15 +++++++--------
 nping/Crypto.cc | 45 ++++++++++++++++++++-----------------------
 nse_openssl.cc  | 60 ++++++++++++++++++++++++++++-----------------------------
 nse_ssl_cert.cc |  6 +++---
 4 files changed, 60 insertions(+), 66 deletions(-)

diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index 38e049b..dcc9380 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -293,7 +293,7 @@ static int cert_match_dnsname(X509 *cert, const char *hostname,
     X509_EXTENSION *ext;
     STACK_OF(GENERAL_NAME) *gen_names;
     const X509V3_EXT_METHOD *method;
-    unsigned char *data;
+    ASN1_OCTET_STRING *data;
     int i;
 
     if (num_checked != NULL)
@@ -315,26 +315,25 @@ static int cert_match_dnsname(X509 *cert, const char *hostname,
 
     /* We must copy this address into a temporary variable because ASN1_item_d2i
        increments it. We don't want it to corrupt ext->value->data. */
-    data = ext->value->data;
+    data = X509_EXTENSION_get_data(ext);
     /* Here we rely on the fact that the internal representation (the "i" in
        "i2d") for NID_subject_alt_name is STACK_OF(GENERAL_NAME). Converting it
        to a stack of CONF_VALUE with a i2v method is not satisfactory, because a
        CONF_VALUE doesn't contain the length of the value so you can't know the
        presence of null bytes. */
+    const unsigned char *der;
+    int length = i2d_ASN1_INTEGER(data, (unsigned char**) &der);
 #if (OPENSSL_VERSION_NUMBER > 0x00907000L)
     if (method->it != NULL) {
         gen_names = (STACK_OF(GENERAL_NAME) *) ASN1_item_d2i(NULL,
-            (const unsigned char **) &data,
-            ext->value->length, ASN1_ITEM_ptr(method->it));
+            &der, length, ASN1_ITEM_ptr(method->it));
     } else {
         gen_names = (STACK_OF(GENERAL_NAME) *) method->d2i(NULL,
-            (const unsigned char **) &data,
-            ext->value->length);
+            &der, length);
     }
 #else
     gen_names = (STACK_OF(GENERAL_NAME) *) method->d2i(NULL,
-        (const unsigned char **) &data,
-        ext->value->length);
+        (const unsigned char*) der, length);
 #endif
     if (gen_names == NULL)
         return 0;
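Review bot: `i2d_ASN1_INTEGER(data, (unsigned char**) &der)` at the top of this hunk is the wrong way to reach the extension bytes: `data` is an ASN1_OCTET_STRING, `der` is uninitialised so a non-NULL `*out` makes i2d write through a wild pointer, and even with `der = NULL` the result would be a freshly allocated re-encoding (never freed) rather than the raw extension contents the d2i calls below expect. The contents and length are already held by the octet string, so read them directly with `ASN1_STRING_get0_data()`/`ASN1_STRING_length()` (`ASN1_STRING_data()` on pre-1.1.0) and pass `&der` in the `#else` branch too, which currently passes `(const unsigned char*) der` to a `const unsigned char **` parameter. The comment above the assignment about copying the address "because ASN1_item_d2i increments it" still mentions `ext->value->data` and should say that `der` is the cursor that gets advanced. cert_match_dnsname continues past the end of this hunk.
```c
    data = X509_EXTENSION_get_data(ext);
    /* … unchanged: comment on the STACK_OF(GENERAL_NAME) representation … */
    const unsigned char *der = ASN1_STRING_get0_data(data);  /* ASN1_STRING_data() before 1.1.0 */
    int length = ASN1_STRING_length(data);
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
    /* … unchanged: ASN1_item_d2i / method->d2i calls taking &der, length … */
#else
    gen_names = (STACK_OF(GENERAL_NAME) *) method->d2i(NULL, &der, length);
#endif
```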
diff --git a/nping/Crypto.cc b/nping/Crypto.cc
index eedb274..f52d074 100755
--- a/nping/Crypto.cc
+++ b/nping/Crypto.cc
@@ -178,21 +178,20 @@ int Crypto::aes128_cbc_encrypt(u8 *inbuff, size_t inlen, u8 *dst_buff, u8 *key,
   #ifdef HAVE_OPENSSL
     if( o.doCrypto() ){
         int flen=0, flen2=0;
-        EVP_CIPHER_CTX ctx;
-        EVP_CIPHER_CTX_init(&ctx);
-        EVP_CIPHER_CTX_set_padding(&ctx, 0);
+        EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+        EVP_CIPHER_CTX_set_padding(ctx, 0);
         int result=OP_SUCCESS;
-        if( EVP_EncryptInit(&ctx, EVP_aes_128_cbc(), key, iv)==0 ){
+        if( EVP_EncryptInit(ctx, EVP_aes_128_cbc(), key, iv)==0 ){
             nping_print(DBG_4, "EVP_EncryptInit() failed");
             result=OP_FAILURE;
-        }else if( EVP_EncryptUpdate(&ctx, dst_buff, &flen, inbuff, (int)inlen)==0 ){
+        }else if( EVP_EncryptUpdate(ctx, dst_buff, &flen, inbuff, (int)inlen)==0 ){
             nping_print(DBG_4, "EVP_EncryptUpdate() failed");
             result=OP_FAILURE;
-        }else if( EVP_EncryptFinal(&ctx, dst_buff+flen, &flen2)==0 ){
+        }else if( EVP_EncryptFinal(ctx, dst_buff+flen, &flen2)==0 ){
             nping_print(DBG_4, "EVP_EncryptFinal() failed");
             result=OP_FAILURE;
         }
-        EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
         return result;
     }
   #endif
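Review bot: `EVP_CIPHER_CTX_new()` can return NULL and the new code passes the result straight to `EVP_CIPHER_CTX_set_padding()`, so an allocation failure now dereferences NULL where the stack-allocated context could not fail; add `if (ctx == NULL) { nping_print(DBG_4, "EVP_CIPHER_CTX_new() failed"); return OP_FAILURE; }` right after the allocation. The same unchecked allocation appears in aes128_cbc_decrypt (the `EVP_CIPHER_CTX_new()` hunk below) and in deriveKey, where a NULL `EVP_MD_CTX_new()` result reaches `EVP_DigestInit()`. Note also that `EVP_MD_CTX_new()`/`EVP_MD_CTX_free()` are, as far as I recall, 1.1.0 names (1.0.x spells them `EVP_MD_CTX_create()`/`EVP_MD_CTX_destroy()`), so if 1.0.x builds are still meant to work this file needs a compatibility shim rather than a plain rename. aes128_cbc_encrypt's body begins before this hunk.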
@@ -213,17 +212,16 @@ int Crypto::aes128_cbc_decrypt(u8 *inbuff, size_t inlen, u8 *dst_buff, u8 *key,
   #ifdef HAVE_OPENSSL
     if( o.doCrypto() ){
         int flen1=0, flen2=0;
-        EVP_CIPHER_CTX ctx;
-        EVP_CIPHER_CTX_init(&ctx);
-        EVP_CIPHER_CTX_set_padding(&ctx, 0);
+        EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
+        EVP_CIPHER_CTX_set_padding(ctx, 0);
         int result=OP_SUCCESS;
-        if( EVP_DecryptInit(&ctx, EVP_aes_128_cbc(), key, iv)==0 ){
+        if( EVP_DecryptInit(ctx, EVP_aes_128_cbc(), key, iv)==0 ){
             nping_print(DBG_4, "EVP_DecryptInit() failed");
             result=OP_FAILURE;
-        }else if( EVP_DecryptUpdate(&ctx, dst_buff, &flen1, inbuff, (int)inlen)==0 ){
+        }else if( EVP_DecryptUpdate(ctx, dst_buff, &flen1, inbuff, (int)inlen)==0 ){
             nping_print(DBG_4, "EVP_DecryptUpdate() failed");
             result=OP_FAILURE;
-        }else  if( EVP_DecryptFinal(&ctx, dst_buff+flen1, &flen2)==0 ){
+        }else  if( EVP_DecryptFinal(ctx, dst_buff+flen1, &flen2)==0 ){
             nping_print(DBG_4, "OpenSSL bug: it says EVP_DecryptFinal() failed when it didn't (%s).",
                     ERR_error_string(ERR_peek_last_error(), NULL));
             /* We do not return OP_FAILURE in this case because the
@@ -252,7 +250,7 @@ int Crypto::aes128_cbc_decrypt(u8 *inbuff, size_t inlen, u8 *dst_buff, u8 *key,
             //ERR_free_strings();
             //ERR_pop_to_mark();
         }
-        EVP_CIPHER_CTX_cleanup(&ctx);
+        EVP_CIPHER_CTX_free(ctx);
         return result;
     }
   #endif
@@ -289,28 +287,27 @@ u8 *Crypto::deriveKey(const u8 *from, size_t fromlen, size_t *final_len){
         static u8 hash[MAX(SHA256_HASH_LEN, EVP_MAX_MD_SIZE)];
         static u8 next[MAX(SHA256_HASH_LEN, EVP_MAX_MD_SIZE)];
         unsigned int lastlen;
-        EVP_MD_CTX ctx;
-        EVP_MD_CTX_init(&ctx);
+        EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 
         if( EVP_MD_size(EVP_sha256()) != SHA256_HASH_LEN )
           nping_fatal(QT_2, "OpenSSL is broken. SHA256 len is %d\n", EVP_MD_size(EVP_sha256()) );
 
         /* Compute the SHA256 hash of the supplied buffer */
-        EVP_DigestInit(&ctx, EVP_sha256());
-        EVP_DigestUpdate(&ctx, from, fromlen);
-        EVP_DigestFinal(&ctx, hash, &lastlen);
+        EVP_DigestInit(ctx, EVP_sha256());
+        EVP_DigestUpdate(ctx, from, fromlen);
+        EVP_DigestFinal(ctx, hash, &lastlen);
 
         /* Now compute the 1000th hash of that hash */
         for(int i=0; i<TIMES_KEY_DERIVATION; i++){
-        EVP_MD_CTX_init(&ctx);
-        EVP_DigestInit(&ctx, EVP_sha256());
-        EVP_DigestUpdate(&ctx, hash, SHA256_HASH_LEN);
-        EVP_DigestFinal(&ctx, next, &lastlen);
+        EVP_MD_CTX_init(ctx);
+        EVP_DigestInit(ctx, EVP_sha256());
+        EVP_DigestUpdate(ctx, hash, SHA256_HASH_LEN);
+        EVP_DigestFinal(ctx, next, &lastlen);
         memcpy(hash, next, SHA256_HASH_LEN);
         }
         if(final_len!=NULL)
           *final_len=SHA256_HASH_LEN;
-        EVP_MD_CTX_cleanup(&ctx);
+        EVP_MD_CTX_free(ctx);
         return hash;
     }
   #endif
diff --git a/nse_openssl.cc b/nse_openssl.cc
index a3f5aa3..6f5b6de 100644
--- a/nse_openssl.cc
+++ b/nse_openssl.cc
@@ -298,23 +298,22 @@ static int l_digest(lua_State *L)     /** digest(string algorithm, string messag
   const unsigned char *msg = (unsigned char *) luaL_checklstring( L, 2, &msg_len );
   unsigned char digest[EVP_MAX_MD_SIZE];
   const EVP_MD * evp_md;
-  EVP_MD_CTX mdctx;
+
+  EVP_MD_CTX *mdctx = EVP_MD_CTX_new();
 
   evp_md = EVP_get_digestbyname( algorithm );
 
   if (!evp_md) return luaL_error( L, "Unknown digest algorithm: %s", algorithm );
 
-  EVP_MD_CTX_init(&mdctx);
   if (!(
-      EVP_DigestInit_ex( &mdctx, evp_md, NULL ) &&
-      EVP_DigestUpdate( &mdctx, msg, msg_len ) &&
-      EVP_DigestFinal_ex( &mdctx, digest, &digest_len ))) {
-    EVP_MD_CTX_cleanup( &mdctx );
+      EVP_DigestInit_ex( mdctx, evp_md, NULL ) &&
+      EVP_DigestUpdate( mdctx, msg, msg_len ) &&
+      EVP_DigestFinal_ex( mdctx, digest, &digest_len ))) {
     unsigned long e = ERR_get_error();
     return luaL_error( L, "OpenSSL error %d in %s: function %s: %s", e, ERR_lib_error_string(e),
                        ERR_func_error_string(e), ERR_reason_error_string(e));
   }
-  EVP_MD_CTX_cleanup( &mdctx );
+  EVP_MD_CTX_free( mdctx );
 
   lua_pushlstring( L, (char *) digest, digest_len );
   return 1;
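Review bot: Moving `mdctx` to the heap introduces two leaks in l_digest: the context is allocated before the `if (!evp_md) return luaL_error(...)` check, so the unknown-algorithm path never frees it, and the failure branch where `EVP_MD_CTX_cleanup( &mdctx )` was removed got no `EVP_MD_CTX_free( mdctx )` in its place. Allocate after the `evp_md` check, reject a NULL result (`if (!mdctx) return luaL_error( L, "Couldn't allocate memory.");`, matching the wording used elsewhere in this file), and call `EVP_MD_CTX_free( mdctx );` before the `luaL_error` in the digest-failure branch. Since `luaL_error` does not return, each heap context must be freed before it on every path; the `luaL_error` returns in the `set_key_length`/`set_padding` and iv-length branches of l_encrypt and l_decrypt below leak their `cipher_ctx` in the same way. l_digest's body begins before this hunk.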
@@ -390,23 +389,23 @@ static int l_encrypt(lua_State *L) /** encrypt( string algorithm, string key, st
   if (iv[0] == '\0')
     iv = NULL;
 
-  EVP_CIPHER_CTX cipher_ctx;
-  EVP_CIPHER_CTX_init( &cipher_ctx );
+  EVP_CIPHER_CTX *cipher_ctx;
+  EVP_CIPHER_CTX_init( cipher_ctx );
 
   /* First create the cipher context, then set the key length and padding, and
      check the iv length. Below we set the key and iv. */
   if (!(
-      EVP_EncryptInit_ex( &cipher_ctx, evp_cipher, NULL, NULL, NULL ) &&
-      EVP_CIPHER_CTX_set_key_length( &cipher_ctx, key_len ) &&
-      EVP_CIPHER_CTX_set_padding( &cipher_ctx, padding ))) {
+      EVP_EncryptInit_ex( cipher_ctx, evp_cipher, NULL, NULL, NULL ) &&
+      EVP_CIPHER_CTX_set_key_length( cipher_ctx, key_len ) &&
+      EVP_CIPHER_CTX_set_padding( cipher_ctx, padding ))) {
     unsigned long e = ERR_get_error();
     return luaL_error( L, "OpenSSL error %d in %s: function %s: %s", e, ERR_lib_error_string(e),
                        ERR_func_error_string(e), ERR_reason_error_string(e));
   }
 
-  if (iv != NULL && (int) iv_len != EVP_CIPHER_CTX_iv_length( &cipher_ctx )) {
+  if (iv != NULL && (int) iv_len != EVP_CIPHER_CTX_iv_length( cipher_ctx )) {
     return luaL_error( L, "Length of iv is %d; should be %d",
-      (int) iv_len, EVP_CIPHER_CTX_iv_length( &cipher_ctx ));
+      (int) iv_len, EVP_CIPHER_CTX_iv_length( cipher_ctx ));
   }
 
   int out_len, final_len;
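Review bot: `EVP_CIPHER_CTX *cipher_ctx; EVP_CIPHER_CTX_init( cipher_ctx );` at the top of this hunk passes an uninitialised pointer to OpenSSL, which is undefined behaviour and will crash or corrupt memory on the first call; it should read `EVP_CIPHER_CTX *cipher_ctx = EVP_CIPHER_CTX_new();` as l_decrypt does in the hunk below, followed by a NULL check. In the two following l_encrypt hunks the calls stay `EVP_CIPHER_CTX_cleanup( cipher_ctx )` on both the failure and the success path; on 1.1.0 that only resets the context, so the allocation leaks, and both should become `EVP_CIPHER_CTX_free( cipher_ctx )` (l_decrypt's failure path has the same leftover `EVP_CIPHER_CTX_cleanup`, while its success path was correctly changed to `_free`). l_encrypt's body begins before this hunk.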
@@ -414,10 +413,10 @@ static int l_encrypt(lua_State *L) /** encrypt( string algorithm, string key, st
   if (!out) return luaL_error( L, "Couldn't allocate memory.");
 
   if (!(
-      EVP_EncryptInit_ex( &cipher_ctx, NULL, NULL, key, iv ) &&
-      EVP_EncryptUpdate( &cipher_ctx, out, &out_len, data, data_len ) &&
-      EVP_EncryptFinal_ex( &cipher_ctx, out + out_len, &final_len ) )) {
-    EVP_CIPHER_CTX_cleanup( &cipher_ctx );
+      EVP_EncryptInit_ex( cipher_ctx, NULL, NULL, key, iv ) &&
+      EVP_EncryptUpdate( cipher_ctx, out, &out_len, data, data_len ) &&
+      EVP_EncryptFinal_ex( cipher_ctx, out + out_len, &final_len ) )) {
+    EVP_CIPHER_CTX_cleanup( cipher_ctx );
     free( out );
     unsigned long e = ERR_get_error();
     return luaL_error( L, "OpenSSL error %d in %s: function %s: %s", e, ERR_lib_error_string(e),
@@ -426,7 +425,7 @@ static int l_encrypt(lua_State *L) /** encrypt( string algorithm, string key, st
 
   lua_pushlstring( L, (char *) out, out_len + final_len );
 
-  EVP_CIPHER_CTX_cleanup( &cipher_ctx );
+  EVP_CIPHER_CTX_cleanup( cipher_ctx );
   free( out );
 
   return 1;
@@ -446,21 +445,20 @@ static int l_decrypt(lua_State *L) /** decrypt( string algorithm, string key, st
   if (iv[0] == '\0')
     iv = NULL;
 
-  EVP_CIPHER_CTX cipher_ctx;
-  EVP_CIPHER_CTX_init( &cipher_ctx );
+  EVP_CIPHER_CTX *cipher_ctx = EVP_CIPHER_CTX_new();
 
   if (!(
-      EVP_DecryptInit_ex( &cipher_ctx, evp_cipher, NULL, NULL, NULL ) &&
-      EVP_CIPHER_CTX_set_key_length( &cipher_ctx, key_len ) &&
-      EVP_CIPHER_CTX_set_padding( &cipher_ctx, padding ))) {
+      EVP_DecryptInit_ex( cipher_ctx, evp_cipher, NULL, NULL, NULL ) &&
+      EVP_CIPHER_CTX_set_key_length( cipher_ctx, key_len ) &&
+      EVP_CIPHER_CTX_set_padding( cipher_ctx, padding ))) {
     unsigned long e = ERR_get_error();
     return luaL_error( L, "OpenSSL error %d in %s: function %s: %s", e, ERR_lib_error_string(e),
                        ERR_func_error_string(e), ERR_reason_error_string(e));
   }
 
-  if (iv != NULL && (int) iv_len != EVP_CIPHER_CTX_iv_length( &cipher_ctx )) {
+  if (iv != NULL && (int) iv_len != EVP_CIPHER_CTX_iv_length( cipher_ctx )) {
     return luaL_error( L, "Length of iv is %d; should be %d",
-      (int) iv_len, EVP_CIPHER_CTX_iv_length( &cipher_ctx ));
+      (int) iv_len, EVP_CIPHER_CTX_iv_length( cipher_ctx ));
   }
 
   int out_len, final_len;
@@ -468,10 +466,10 @@ static int l_decrypt(lua_State *L) /** decrypt( string algorithm, string key, st
   if (!out) return luaL_error( L, "Couldn't allocate memory.");
 
   if (!(
-      EVP_DecryptInit_ex( &cipher_ctx, NULL, NULL, key, iv ) &&
-      EVP_DecryptUpdate( &cipher_ctx, out, &out_len, data, data_len ) &&
-      EVP_DecryptFinal_ex( &cipher_ctx, out + out_len, &final_len ) )) {
-    EVP_CIPHER_CTX_cleanup( &cipher_ctx );
+      EVP_DecryptInit_ex( cipher_ctx, NULL, NULL, key, iv ) &&
+      EVP_DecryptUpdate( cipher_ctx, out, &out_len, data, data_len ) &&
+      EVP_DecryptFinal_ex( cipher_ctx, out + out_len, &final_len ) )) {
+    EVP_CIPHER_CTX_cleanup( cipher_ctx );
     free( out );
     unsigned long e = ERR_get_error();
     return luaL_error( L, "OpenSSL error %d in %s: function %s: %s", e, ERR_lib_error_string(e),
@@ -480,7 +478,7 @@ static int l_decrypt(lua_State *L) /** decrypt( string algorithm, string key, st
 
   lua_pushlstring( L, (char *) out, out_len + final_len );
 
-  EVP_CIPHER_CTX_cleanup( &cipher_ctx );
+  EVP_CIPHER_CTX_free( cipher_ctx );
   free( out );
 
   return 1;
diff --git a/nse_ssl_cert.cc b/nse_ssl_cert.cc
index 8424379..c00d30f 100644
--- a/nse_ssl_cert.cc
+++ b/nse_ssl_cert.cc
@@ -377,7 +377,7 @@ static void asn1_time_to_obj(lua_State *L, const ASN1_TIME *s)
 /* This is a helper function for x509_validity_to_table. It builds a table with
    the two members "notBefore" and "notAfter", whose values are what is returned
    from asn1_time_to_obj. */
-static void x509_validity_to_table(lua_State *L, const X509 *cert)
+static void x509_validity_to_table(lua_State *L, X509 *cert)
 {
   lua_newtable(L);
 
@@ -524,7 +524,7 @@ static int parse_ssl_cert(lua_State *L, X509 *cert)
     lua_setfield(L, -2, "subject");
   }
 
-  const char *sig_algo = OBJ_nid2ln(OBJ_obj2nid(cert->sig_alg->algorithm));
+  const char *sig_algo = OBJ_nid2ln(X509_get_signature_nid(cert));
   lua_pushstring(L, sig_algo);
   lua_setfield(L, -2, "sig_algorithm");
 
@@ -542,7 +542,7 @@ static int parse_ssl_cert(lua_State *L, X509 *cert)
 
   pubkey = X509_get_pubkey(cert);
   lua_newtable(L);
-  pkey_type = EVP_PKEY_type(pubkey->type);
+  pkey_type = EVP_PKEY_type(EVP_PKEY_base_id(pubkey));
   if (pkey_type == EVP_PKEY_EC) {
     lua_push_ecdhparams(L, pubkey);
   }
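Review bot: `EVP_PKEY_base_id(pubkey)` still dereferences the result of `X509_get_pubkey(cert)` without a NULL check; the previous `pubkey->type` had the same problem, but since this line is being rewritten it is a good place to guard a certificate presented by a remote peer whose public key OpenSSL cannot decode, e.g. `if (pubkey == NULL) { /* report failure and skip the pubkey table */ }` before the `lua_newtable(L)`. How parse_ssl_cert signals failure is not visible in this hunk, so the exact form of the guard is left to you. Note that `X509_get_pubkey` returns a reference the caller must release with `EVP_PKEY_free`; the matching free is outside this hunk and should be checked. parse_ssl_cert continues past the end of this hunk.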
-- 
2.8.1
