Module Name:    src
Committed By:   christos
Date:           Tue Feb  6 21:36:47 UTC 2018

Modified Files:
        src/usr.sbin/syslogd: sign.c tls.c

Log Message:
Adjust to OpenSSL-1.1


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.7 src/usr.sbin/syslogd/sign.c
cvs rdiff -u -r1.13 -r1.14 src/usr.sbin/syslogd/tls.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/usr.sbin/syslogd/sign.c
diff -u src/usr.sbin/syslogd/sign.c:1.6 src/usr.sbin/syslogd/sign.c:1.7
--- src/usr.sbin/syslogd/sign.c:1.6	Tue Feb 10 15:38:15 2015
+++ src/usr.sbin/syslogd/sign.c	Tue Feb  6 16:36:46 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: sign.c,v 1.6 2015/02/10 20:38:15 christos Exp $	*/
+/*	$NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -55,7 +55,7 @@
  * 1. check; next draft will be clearer and specify the format as implemented.
  * 2. check; definitely only DSA in this version.
  * 3. remains a problem, so far no statement from authors or WG.
- * 4. check; used EVP_dss1 method implements FIPS.
+ * 4. check; used EVP_sha1 method implements FIPS.
  */
 /*
  * Limitations of this implementation:
@@ -66,7 +66,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: sign.c,v 1.6 2015/02/10 20:38:15 christos Exp $");
+__RCSID("$NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $");
 
 #ifndef DISABLE_SIGN
 #include "syslogd.h"
@@ -99,15 +99,19 @@ sign_global_init(struct filed *Files)
 	EVP_MD_CTX_init(GlobalSign.sigctx);
 
 	/* the signature algorithm depends on the type of key */
-	if (EVP_PKEY_DSA == EVP_PKEY_type(GlobalSign.pubkey->type)) {
-		GlobalSign.sig = EVP_dss1();
+	switch (EVP_PKEY_base_id(GlobalSign.pubkey)) {
+	case EVP_PKEY_DSA:
+		GlobalSign.sig = EVP_sha1();
 		GlobalSign.sig_len_b64 = SIGN_B64SIGLEN_DSS;
-/* this is the place to add non-DSA key types and algorithms
-	} else if (EVP_PKEY_RSA == EVP_PKEY_type(GlobalSign.pubkey->type)) {
+		break;
+#ifdef notyet
+	/* this is the place to add non-DSA key types and algorithms */
+	case EVP_PKEY_RSA:
 		GlobalSign.sig = EVP_sha1();
 		GlobalSign.sig_len_b64 = 28;
-*/
-	} else {
+		break;
+#endif
+	default:
 		logerror("key type not supported for syslog-sign");
 		return false;
 	}
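Review bot: The `#ifdef notyet` RSA case sets `GlobalSign.sig_len_b64 = 28`, which is the base64 length of a 20-byte SHA-1 digest (the same value `md_len_b64` receives in the next hunk), not the length of an RSA signature, which depends on the modulus size. It is compiled out, so nothing breaks now, but the constant will be wrong on the day the case is enabled; a comment such as `/* XXX: 28 is the b64 digest length, not an RSA signature length; derive it from EVP_PKEY_size(GlobalSign.pubkey) */` on that line would flag it for whoever does. sign_global_init continues outside the hunk.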
@@ -115,7 +119,6 @@ sign_global_init(struct filed *Files)
 	assert(GlobalSign.keytype == 'C' || GlobalSign.keytype == 'K');
 	assert(GlobalSign.pubkey_b64 && GlobalSign.privkey &&
 	    GlobalSign.pubkey);
-	assert(GlobalSign.privkey->pkey.dsa->priv_key);
 
 	GlobalSign.gbc = 0;
 	STAILQ_INIT(&GlobalSign.SigGroups);
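Review bot: The removed `assert(GlobalSign.privkey->pkey.dsa->priv_key)` has no replacement, so the new code never checks that the loaded private key is a DSA key carrying a private component; the switch above only inspects the public key's type. OpenSSL 1.1 exposes the same information through `EVP_PKEY_get0_DSA()` and `DSA_get0_key()`, and since sign_global_init already returns false with a logged error for unsupported keys, a runtime check in that style fits better than the old assert. sign_global_init continues outside the hunk.

```c
	assert(GlobalSign.pubkey_b64 && GlobalSign.privkey &&
	    GlobalSign.pubkey);
	{
		DSA *dsa = EVP_PKEY_get0_DSA(GlobalSign.privkey);
		const BIGNUM *priv_key = NULL;

		if (dsa != NULL)
			DSA_get0_key(dsa, NULL, &priv_key);
		if (priv_key == NULL) {
			logerror("private key is not a usable DSA key");
			return false;
		}
	}
	/* … unchanged: gbc reset and SigGroups init … */
```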
@@ -126,7 +129,7 @@ sign_global_init(struct filed *Files)
 	EVP_MD_CTX_init(GlobalSign.mdctx);
 
 	/* values for SHA-1 */
-	GlobalSign.md = EVP_dss1();
+	GlobalSign.md = EVP_sha1();
 	GlobalSign.md_len_b64 = 28;
 	GlobalSign.ver = "0111";
 
@@ -191,7 +194,7 @@ sign_get_keys(void)
 		 */
 		FREE_SSL(ssl);
 
-		if (EVP_PKEY_DSA != EVP_PKEY_type(pubkey->type)) {
+		if (EVP_PKEY_DSA != EVP_PKEY_base_id(pubkey)) {
 			DPRINTF(D_SIGN, "X.509 cert has no DSA key\n");
 			EVP_PKEY_free(pubkey);
 			privkey = NULL;
@@ -234,8 +237,15 @@ sign_get_keys(void)
 			logerror("EVP_PKEY_new() failed");
 			return false;
 		}
-		dsa = DSA_generate_parameters(SIGN_GENCERT_BITS, NULL, 0,
-			NULL, NULL, NULL, NULL);
+		if ((dsa = DSA_new()) == NULL) {
+			logerror("DSA_new() failed");
+			return false;
+		}
+		if (!DSA_generate_parameters_ex(dsa, SIGN_GENCERT_BITS, NULL, 0,
+			NULL, NULL, NULL)) {
+			logerror("DSA_generate_parameters_ex() failed");
+			return false;
+		}
 		if (!DSA_generate_key(dsa)) {
 			logerror("DSA_generate_key() failed");
 			return false;
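Review bot: When `DSA_generate_parameters_ex()` fails the new branch returns false without releasing the `dsa` just obtained from `DSA_new()`, so the object leaks on that error path; add `DSA_free(dsa);` before that `return false;`. The `mk_x509_cert` hunk in tls.c has the same shape and the same leak, and the pre-existing `DSA_generate_key()` failure branch below shares the gap. The EVP_PKEY allocated just above this hunk presumably leaks on these paths as well, as it did before the change. sign_get_keys continues outside the hunk.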

Index: src/usr.sbin/syslogd/tls.c
diff -u src/usr.sbin/syslogd/tls.c:1.13 src/usr.sbin/syslogd/tls.c:1.14
--- src/usr.sbin/syslogd/tls.c:1.13	Tue Jan 10 16:05:42 2017
+++ src/usr.sbin/syslogd/tls.c	Tue Feb  6 16:36:46 2018
@@ -1,4 +1,4 @@
-/*	$NetBSD: tls.c,v 1.13 2017/01/10 21:05:42 christos Exp $	*/
+/*	$NetBSD: tls.c,v 1.14 2018/02/06 21:36:46 christos Exp $	*/
 
 /*-
  * Copyright (c) 2008 The NetBSD Foundation, Inc.
@@ -45,7 +45,7 @@
  */
 
 #include <sys/cdefs.h>
-__RCSID("$NetBSD: tls.c,v 1.13 2017/01/10 21:05:42 christos Exp $");
+__RCSID("$NetBSD: tls.c,v 1.14 2018/02/06 21:36:46 christos Exp $");
 
 #ifndef DISABLE_TLS
 #include <sys/stat.h>
@@ -104,16 +104,20 @@ get_dh1024(void)
 		0x88,0xEC,0xA6,0xBA,0x9F,0x4F,0x85,0x43 };
 	static const unsigned char dh1024_g[]={ 0x02 };
 	DH *dh;
+	BIGNUM *p, *g;
 
-	if ((dh=DH_new()) == NULL)
+	if ((dh = DH_new()) == NULL)
 		return NULL;
-	dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
-	dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
-	if ((dh->p == NULL) || (dh->g == NULL)) {
+	p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
+	g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
+	if (p == NULL || g == NULL)
+		goto out;
+	if (!DH_set0_pqg(dh, p, NULL, g))
+		goto out;
+	return dh;
+out:
 		DH_free(dh);
 		return NULL;
-	}
-	return dh;
 }
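Review bot: The new `out:` path never releases the BIGNUMs: when exactly one of the two `BN_bin2bn()` calls fails, the one that succeeded leaks, and should `DH_set0_pqg()` fail both would, since it only takes ownership of `p` and `g` on success. Adding `BN_free(p);` and `BN_free(g);` directly under `out:` before `DH_free(dh);` covers every failure path, as `BN_free(NULL)` is a no-op and the success path returns before the label. The two statements under the label also kept their old double-tab indent and should drop one level. Separately, the fixed 1024-bit group this function installs predates the commit; whether it still meets the deployment's policy for ephemeral DH deserves its own look.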
 
 #define ST_CHANGE(x, y) do {					\
@@ -435,7 +439,6 @@ bool
 match_hostnames(X509 *cert, const char *hostname, const char *subject)
 {
 	int i, len, num;
-	char *buf;
 	unsigned char *ubuf;
 	GENERAL_NAMES *gennames;
 	GENERAL_NAME *gn;
@@ -474,10 +477,11 @@ match_hostnames(X509 *cert, const char *
 		for (i = 0; i < num; ++i) {
 			gn = sk_GENERAL_NAME_value(gennames, i);
 			if (gn->type == GEN_DNS) {
-				buf = (char *)ASN1_STRING_data(gn->d.ia5);
+				const char *str = (const char *)
+				    ASN1_STRING_get0_data(gn->d.ia5);
 				len = ASN1_STRING_length(gn->d.ia5);
-				if (!strncasecmp(subject, buf, len)
-				    || !strncasecmp(hostname, buf, len))
+				if (!strncasecmp(subject, str, len)
+				    || !strncasecmp(hostname, str, len))
 					return true;
 			}
 		}
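Review bot: `strncasecmp(subject, str, len)` with `len` taken from the SAN entry only checks that `subject` (or `hostname`) begins with the certificate's DNS name, so a longer name whose prefix equals the SAN still matches, and an IA5String with an embedded NUL is effectively compared only up to that NUL; the switch from `buf` to `str` preserves this behaviour. Requiring the caller's name to have exactly the SAN's length before the bounded compare closes both gaps without assuming `str` is NUL-terminated: `if (((size_t)len == strlen(subject) && !strncasecmp(subject, str, len)) ||` / `((size_t)len == strlen(hostname) && !strncasecmp(hostname, str, len)))` / `return true;`. Whether `subject` and `hostname` are guaranteed non-NULL here is not visible in the hunk. match_hostnames starts in the previous hunk and continues past this one.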
@@ -703,8 +707,10 @@ check_peer_cert(int preverify_ok, X509_S
 		    X509_verify_cert_error_string(cur_err),
 		    cur_depth, cur_subjectline);
 		if (cur_err == X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT) {
+			X509 *current_cert =
+			    X509_STORE_CTX_get_current_cert(ctx);
 			X509_NAME_oneline(
-			    X509_get_issuer_name(ctx->current_cert),
+			    X509_get_issuer_name(current_cert),
 			    cur_issuerline, sizeof(cur_issuerline));
 			DPRINTF(D_TLS, "openssl verify error:missing "
 			    "cert for issuer=%s\n", cur_issuerline);
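Review bot: `X509_STORE_CTX_get_current_cert(ctx)` can return NULL, and `X509_get_issuer_name()` on the next line dereferences its argument, so the new local should be checked before use, e.g. wrapping the `X509_NAME_oneline()` call in `if (current_cert != NULL)` and logging the issuer line as unknown otherwise. The old `ctx->current_cert` had the same exposure; whether the verify callback can observe a NULL current certificate for this error code is not visible here. check_peer_cert continues outside the hunk.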
@@ -2089,8 +2095,16 @@ mk_x509_cert(X509 **x509p, EVP_PKEY **pk
 		return false;
 	}
 
-	dsa = DSA_generate_parameters(bits, NULL, 0,
-			    NULL, NULL, NULL, NULL);
+	dsa = DSA_new();
+	if (dsa == NULL) {
+		DPRINTF(D_TLS, "DSA_new() failed\n");
+		return false;
+	}
+
+	if (!DSA_generate_parameters_ex(dsa, bits, NULL, 0, NULL, NULL, NULL)) {
+		DPRINTF(D_TLS, "DSA_generate_parameters_ex() failed\n");
+		return false;
+	}
 	if (!DSA_generate_key(dsa)) {
 		DPRINTF(D_TLS, "DSA_generate_key() failed\n");
 		return false;
@@ -2160,7 +2174,7 @@ mk_x509_cert(X509 **x509p, EVP_PKEY **pk
 
 	(void)x509_cert_add_subjectAltName(cert, &ctx);
 
-	if (!X509_sign(cert, pk, EVP_dss1())) {
+	if (!X509_sign(cert, pk, EVP_sha1())) {
 		DPRINTF(D_TLS, "X509_sign() failed\n");
 		return false;
 	}
