Module Name: src Committed By: christos Date: Tue Feb 6 21:36:47 UTC 2018
Modified Files: src/usr.sbin/syslogd: sign.c tls.c Log Message: Adjust to OpenSSL-1.1 To generate a diff of this commit: cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/syslogd/sign.c cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/syslogd/tls.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.sbin/syslogd/sign.c
diff -u src/usr.sbin/syslogd/sign.c:1.6 src/usr.sbin/syslogd/sign.c:1.7
--- src/usr.sbin/syslogd/sign.c:1.6 Tue Feb 10 15:38:15 2015
+++ src/usr.sbin/syslogd/sign.c Tue Feb 6 16:36:46 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: sign.c,v 1.6 2015/02/10 20:38:15 christos Exp $ */
+/* $NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $ */
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -55,7 +55,7 @@
  * 1. check; next draft will be clearer and specify the format as implemented.
  * 2. check; definitely only DSA in this version.
  * 3. remains a problem, so far no statement from authors or WG.
- * 4. check; used EVP_dss1 method implements FIPS.
+ * 4. check; used EVP_sha1 method implements FIPS.
  */
 /*
  * Limitations of this implementation:
@@ -66,7 +66,7 @@
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: sign.c,v 1.6 2015/02/10 20:38:15 christos Exp $");
+__RCSID("$NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $");
 #ifndef DISABLE_SIGN
 #include "syslogd.h"
@@ -99,15 +99,19 @@ sign_global_init(struct filed *Files)
  EVP_MD_CTX_init(GlobalSign.sigctx);
  /* the signature algorithm depends on the type of key */
- if (EVP_PKEY_DSA == EVP_PKEY_type(GlobalSign.pubkey->type)) {
- GlobalSign.sig = EVP_dss1();
+ switch (EVP_PKEY_base_id(GlobalSign.pubkey)) {
+ case EVP_PKEY_DSA:
+ GlobalSign.sig = EVP_sha1();
  GlobalSign.sig_len_b64 = SIGN_B64SIGLEN_DSS;
-/* this is the place to add non-DSA key types and algorithms
- } else if (EVP_PKEY_RSA == EVP_PKEY_type(GlobalSign.pubkey->type)) {
+ break;
+#ifdef notyet
+ /* this is the place to add non-DSA key types and algorithms */
+ case EVP_PKEY_RSA:
  GlobalSign.sig = EVP_sha1();
  GlobalSign.sig_len_b64 = 28;
-*/
- } else {
+ break;
+#endif
+ default:
  logerror("key type not supported for syslog-sign");
  return false;
  }
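Review bot: The `#ifdef notyet` RSA arm of the new switch in sign_global_init sets `GlobalSign.sig_len_b64 = 28`, which is the base64 length of a 20-byte SHA-1 digest (the same 28 this file uses for `md_len_b64`), not the base64 length of an RSA signature, which grows with the key size; anyone enabling the arm as written would emit a mis-sized signature field. Since the switch now has a real `default:` rejecting unknown key types, the stub only needs a warning so it is not copied verbatim, e.g. `/* XXX 28 is the digest length; an RSA signature is key-size bytes, derive sig_len_b64 from the key */`. The rest of sign_global_init lies outside this hunk.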
@@ -115,7 +119,6 @@ sign_global_init(struct filed *Files)
  assert(GlobalSign.keytype == 'C' || GlobalSign.keytype == 'K');
  assert(GlobalSign.pubkey_b64 && GlobalSign.privkey && GlobalSign.pubkey);
- assert(GlobalSign.privkey->pkey.dsa->priv_key);
  GlobalSign.gbc = 0;
  STAILQ_INIT(&GlobalSign.SigGroups);
@@ -126,7 +129,7 @@ sign_global_init(struct filed *Files)
  EVP_MD_CTX_init(GlobalSign.mdctx);
  /* values for SHA-1 */
- GlobalSign.md = EVP_dss1();
+ GlobalSign.md = EVP_sha1();
  GlobalSign.md_len_b64 = 28;
  GlobalSign.ver = "0111";
@@ -191,7 +194,7 @@ sign_get_keys(void)
  */
  FREE_SSL(ssl);
- if (EVP_PKEY_DSA != EVP_PKEY_type(pubkey->type)) {
+ if (EVP_PKEY_DSA != EVP_PKEY_base_id(pubkey)) {
  DPRINTF(D_SIGN, "X.509 cert has no DSA key\n");
  EVP_PKEY_free(pubkey);
  privkey = NULL;
@@ -234,8 +237,15 @@ sign_get_keys(void)
  logerror("EVP_PKEY_new() failed");
  return false;
  }
- dsa = DSA_generate_parameters(SIGN_GENCERT_BITS, NULL, 0,
- NULL, NULL, NULL, NULL);
+ if ((dsa = DSA_new()) == NULL) {
+ logerror("DSA_new() failed");
+ return false;
+ }
+ if (!DSA_generate_parameters_ex(dsa, SIGN_GENCERT_BITS, NULL, 0,
+ NULL, NULL, NULL)) {
+ logerror("DSA_generate_parameters_ex() failed");
+ return false;
+ }
  if (!DSA_generate_key(dsa)) {
  logerror("DSA_generate_key() failed");
  return false;
Index: src/usr.sbin/syslogd/tls.c
diff -u src/usr.sbin/syslogd/tls.c:1.13 src/usr.sbin/syslogd/tls.c:1.14
--- src/usr.sbin/syslogd/tls.c:1.13 Tue Jan 10 16:05:42 2017
+++ src/usr.sbin/syslogd/tls.c Tue Feb 6 16:36:46 2018
@@ -1,4 +1,4 @@
-/* $NetBSD: tls.c,v 1.13 2017/01/10 21:05:42 christos Exp $ */
+/* $NetBSD: tls.c,v 1.14 2018/02/06 21:36:46 christos Exp $ */
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
  */
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: tls.c,v 1.13 2017/01/10 21:05:42 christos Exp $");
+__RCSID("$NetBSD: tls.c,v 1.14 2018/02/06 21:36:46 christos Exp $");
 #ifndef DISABLE_TLS
 #include <sys/stat.h>
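Review bot: The removed `assert(GlobalSign.privkey->pkey.dsa->priv_key)` has no replacement, so sign_global_init no longer verifies that the loaded key actually carries a private component before it is handed to the signing code; a public-only DSA key would now be noticed only when the first signature attempt fails, if at all. The same check is expressible with the OpenSSL 1.1 accessors, given that the key-type switch earlier in this function already rejects non-DSA keys: `const BIGNUM *priv = NULL;` / `DSA_get0_key(EVP_PKEY_get0_DSA(GlobalSign.privkey), NULL, &priv);` / `assert(priv != NULL);`. Whether the assert is compiled in at all depends on NDEBUG, which is not visible here; sign_global_init continues outside the hunk.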
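Review bot: In sign_get_keys the `DSA` object obtained from the new `DSA_new()` call leaks when `DSA_generate_parameters_ex()` fails, because that branch returns false without `DSA_free(dsa)`; the pre-existing `DSA_generate_key()` failure path directly below has the same gap, and the EVP_PKEY whose `EVP_PKEY_new()` error message is visible in the hunk context appears not to be released on any of these paths either. Add `DSA_free(dsa);` before each `return false;` after the allocation, and free the pkey as well unless something outside the hunk already owns it. This is a one-shot key generation at startup, so the leak is bounded, but it is still a new allocation the commit introduced without a matching release. sign_get_keys begins and ends outside the hunk.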
@@ -104,16 +104,20 @@ get_dh1024(void)
  0x88,0xEC,0xA6,0xBA,0x9F,0x4F,0x85,0x43 };
  static const unsigned char dh1024_g[]={ 0x02 };
  DH *dh;
+ BIGNUM *p, *g;
- if ((dh=DH_new()) == NULL)
+ if ((dh = DH_new()) == NULL)
  return NULL;
- dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
- dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
+ p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+ g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+ if (p == NULL || g == NULL)
+ goto out;
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto out;
+ return dh;
+out:
  DH_free(dh);
  return NULL;
- }
- return dh;
 }
 #define ST_CHANGE(x, y) do { \
@@ -435,7 +439,6 @@ bool
 match_hostnames(X509 *cert, const char *hostname, const char *subject)
 {
  int i, len, num;
- char *buf;
  unsigned char *ubuf;
  GENERAL_NAMES *gennames;
  GENERAL_NAME *gn;
@@ -474,10 +477,11 @@ match_hostnames(X509 *cert, const char *
  for (i = 0; i < num; ++i) {
  gn = sk_GENERAL_NAME_value(gennames, i);
  if (gn->type == GEN_DNS) {
- buf = (char *)ASN1_STRING_data(gn->d.ia5);
+ const char *str = (const char *)
+ ASN1_STRING_get0_data(gn->d.ia5);
  len = ASN1_STRING_length(gn->d.ia5);
- if (!strncasecmp(subject, buf, len)
- || !strncasecmp(hostname, buf, len))
+ if (!strncasecmp(subject, str, len)
+ || !strncasecmp(hostname, str, len))
  return true;
  }
  }
@@ -703,8 +707,10 @@ check_peer_cert(int preverify_ok, X509_S
  X509_verify_cert_error_string(cur_err), cur_depth, cur_subjectline);
  if (cur_err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) {
+ X509 *current_cert =
+ X509_STORE_CTX_get_current_cert(ctx);
  X509_NAME_oneline(
- X509_get_issuer_name(ctx->current_cert),
+ X509_get_issuer_name(current_cert),
  cur_issuerline, sizeof(cur_issuerline));
  DPRINTF(D_TLS, "openssl verify error:missing "
  "cert for issuer=%s\n", cur_issuerline);
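Review bot: In get_dh1024 the `out:` path frees only `dh`, so when one `BN_bin2bn()` succeeds and the other fails, or when `DH_set0_pqg()` returns 0, the BIGNUMs `p` and `g` leak, because DH_set0_pqg takes ownership of them only on success. Both `goto out` sites are reached before that ownership transfer, so it is safe to write `out: BN_free(p); BN_free(g); DH_free(dh); return NULL;` (BN_free accepts NULL), and initialising the declaration as `BIGNUM *p = NULL, *g = NULL;` keeps that true if another early exit is added later. As a caveat the commit does not address, the function still serves a fixed 1024-bit group; a 2048-bit group or `SSL_CTX_set_dh_auto()`, which the OpenSSL version this commit targets provides, is what a practitioner would expect today.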
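Review bot: The rewritten comparisons `strncasecmp(subject, str, len)` and `strncasecmp(hostname, str, len)` still compare only the first `len` bytes of the peer's name, so a SAN of `host.example` matches a presented hostname of `host.example.attacker`, and an embedded NUL inside the ASN1 string is not rejected; switching to `ASN1_STRING_get0_data()` keeps that prefix match intact. Require the lengths to be equal and the SAN to be NUL-free before comparing, as below, or drop the hand-rolled walk for `X509_check_host()`, which is available in the OpenSSL release this commit adjusts to. Whether `subject` or `hostname` may be NULL here is not visible in the hunk, and match_hostnames starts before it and ends after it.
```c
/* … unchanged: loop over gennames, GEN_DNS test, str/len setup … */
if (len > 0 && memchr(str, '\0', (size_t)len) == NULL &&
    ((strlen(subject) == (size_t)len &&
      strncasecmp(subject, str, (size_t)len) == 0) ||
     (strlen(hostname) == (size_t)len &&
      strncasecmp(hostname, str, (size_t)len) == 0)))
	return true;
```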
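Review bot: The new `current_cert` obtained from `X509_STORE_CTX_get_current_cert(ctx)` is passed straight to `X509_get_issuer_name()`, and that accessor is documented to return NULL when no certificate is relevant to the error; for X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT a current certificate is normally set, so this is a hardening point rather than an observed crash. A guard such as `if (current_cert != NULL) X509_NAME_oneline(X509_get_issuer_name(current_cert), cur_issuerline, sizeof(cur_issuerline)); else cur_issuerline[0] = '\0';` keeps this debug-only path from dereferencing NULL. check_peer_cert begins and ends outside the hunk.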
@@ -2089,8 +2095,16 @@ mk_x509_cert(X509 **x509p, EVP_PKEY **pk
  return false;
  }
- dsa = DSA_generate_parameters(bits, NULL, 0,
- NULL, NULL, NULL, NULL);
+ dsa = DSA_new();
+ if (dsa == NULL) {
+ DPRINTF(D_TLS, "DSA_new() failed\n");
+ return false;
+ }
+
+ if (!DSA_generate_parameters_ex(dsa, bits, NULL, 0, NULL, NULL, NULL)) {
+ DPRINTF(D_TLS, "DSA_generate_parameters_ex() failed\n");
+ return false;
+ }
  if (!DSA_generate_key(dsa)) {
  DPRINTF(D_TLS, "DSA_generate_key() failed\n");
  return false;
@@ -2160,7 +2174,7 @@ mk_x509_cert(X509 **x509p, EVP_PKEY **pk
  (void)x509_cert_add_subjectAltName(cert, &ctx);
- if (!X509_sign(cert, pk, EVP_dss1())) {
+ if (!X509_sign(cert, pk, EVP_sha1())) {
  DPRINTF(D_TLS, "X509_sign() failed\n");
  return false;
  }
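Review bot: In mk_x509_cert the freshly allocated `dsa` leaks when `DSA_generate_parameters_ex()` fails, because that branch returns false without `DSA_free(dsa)`; the `DSA_generate_key()` failure path just below has the same gap, and the `return false;` context above the hunk suggests earlier allocations that are not released on these exits either. Add `DSA_free(dsa);` before each `return false;` that follows the allocation, or route the failures through one cleanup label so every owned object is freed in one place. This runs once at certificate generation, so the leak is bounded, but it is new with this commit. mk_x509_cert begins and ends outside the hunk.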
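Review bot: The self-generated certificate is now signed with `EVP_sha1()`, so the EVP_dss1 replacement keeps SHA-1 as the certificate signature digest; that is what OpenSSL 1.1 accepts for a DSA key, but peers enforcing security level 2 or above, and later OpenSSL releases, may refuse a SHA-1-signed certificate, while `DSA_generate_parameters_ex()` already pairs keys above 1024 bits with a SHA-2 digest during parameter generation. Record the reasoning next to the call, e.g. `/* SHA-1 kept for the DSA/syslog-sign profile; stricter peers may reject it */`, and note that `EVP_sha256()` works with `X509_sign()` on DSA keys in OpenSSL 1.1 if a stronger digest is preferred for the TLS certificate alone. The surrounding function lies outside the hunk.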