 @@ -1,14 +1,14 @@
-/*	$NetBSD: ntp_crypto.c,v 1.1.1.1 2009/12/13 16:55:33 kardel Exp $	*/
+/*	$NetBSD: ntp_crypto.c,v 1.2 2009/12/14 00:40:26 christos Exp $	*/
 /*
  * ntp_crypto.c - NTP version 4 public key routines
  */
 #ifdef HAVE_CONFIG_H
 #include <config.h>
 #endif
 #ifdef OPENSSL
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/param.h>
 #include <unistd.h>
 @@ -393,27 +393,27 @@ crypto_recv(
 	int	has_mac;	/* length of MAC field */
 	int	authlen;	/* offset of MAC field */
 	associd_t associd;	/* association ID */
 	tstamp_t tstamp = 0;	/* timestamp */
 	tstamp_t fstamp = 0;	/* filestamp */
 	u_int	len;		/* extension field length */
 	u_int	code;		/* extension field opcode */
 	u_int	vallen = 0;	/* value length */
 	X509	*cert;		/* X509 certificate */
 	char	statstr[NTP_MAXSTRLEN]; /* statistics for filegen */
 	keyid_t	cookie;		/* crumbles */
 	int	hismode;	/* packet mode */
 	int	rval = XEVNT_OK;
-	u_char	*ptr;
+	const u_char	*ptr;
 	u_int32 temp32;
 	/*
 	 * Initialize. Note that the packet has already been checked for
 	 * valid format and extension field lengths. First extract the
 	 * field length, command code and association ID in host byte
 	 * order. These are used with all commands and modes. Then check
 	 * the version number, which must be 2, and length, which must
 	 * be at least 8 for requests and VALUE_LEN (24) for responses.
 	 * Packets that fail either test sink without a trace. The
 	 * association ID is saved only if nonzero.
 	 */
 	authlen = LEN_PKT_NOMAC;
 @@ -1543,53 +1543,54 @@ crypto_verify(
  */
 static int
 crypto_encrypt(
 	struct exten *ep,	/* extension pointer */
 	struct value *vp,	/* value pointer */
 	keyid_t	*cookie		/* server cookie */
+	)
+{
 	EVP_PKEY *pkey;		/* public key */
 	EVP_MD_CTX ctx;		/* signature context */
 	tstamp_t tstamp;	/* NTP timestamp */
 	u_int32	temp32;
 	u_int	len;
-	u_char	*ptr;
+	const u_char	*ptr;
 	u_char *sptr;
 	/*
 	 * Extract the public key from the request.
 	 */
 	len = ntohl(ep->vallen);
 	ptr = (u_char *)ep->pkt;
 	pkey = d2i_PublicKey(EVP_PKEY_RSA, NULL, &ptr, len);
 	if (pkey == NULL) {
 		msyslog(LOG_ERR, "crypto_encrypt: %s",
 		    ERR_error_string(ERR_get_error(), NULL));
 		return (XEVNT_PUB);
+	}
 	/*
 	 * Encrypt the cookie, encode in ASN.1 and sign.
 	 */
 	memset(vp, 0, sizeof(struct value));
 	tstamp = crypto_time();
 	vp->tstamp = htonl(tstamp);
 	vp->fstamp = hostval.tstamp;
 	len = EVP_PKEY_size(pkey);
 	vp->vallen = htonl(len);
 	vp->ptr = emalloc(len);
-	ptr = vp->ptr;
+	sptr = vp->ptr;
 	temp32 = htonl(*cookie);
-	if (RSA_public_encrypt(4, (u_char *)&temp32, ptr,
+	if (RSA_public_encrypt(4, (const u_char *)&temp32, sptr,
 	    pkey->pkey.rsa, RSA_PKCS1_OAEP_PADDING) <= 0) {
 		msyslog(LOG_ERR, "crypto_encrypt: %s",
 		    ERR_error_string(ERR_get_error(), NULL));
 		free(vp->ptr);
 		EVP_PKEY_free(pkey);
 		return (XEVNT_CKY);
+	}
 	EVP_PKEY_free(pkey);
 	if (tstamp == 0)
 		return (XEVNT_OK);
 	vp->sig = emalloc(sign_siglen);
 	EVP_SignInit(&ctx, sign_digest);
 @@ -2936,27 +2937,27 @@ cert_sign(
 	struct exten *ep,	/* extension field pointer */
 	struct value *vp	/* value pointer */
+	)
+{
 	X509	*req;		/* X509 certificate request */
 	X509	*cert;		/* X509 certificate */
 	X509_EXTENSION *ext;	/* certificate extension */
 	ASN1_INTEGER *serial;	/* serial number */
 	X509_NAME *subj;	/* distinguished (common) name */
 	EVP_PKEY *pkey;		/* public key */
 	EVP_MD_CTX ctx;		/* message digest context */
 	tstamp_t tstamp;	/* NTP timestamp */
 	u_int	len;
-	u_char	*ptr;
+	const u_char	*ptr;
 	int	i, temp;
 	/*
 	 * Decode ASN.1 objects and construct certificate structure.
 	 * Make sure the system clock is synchronized to a proventic
 	 * source.
 	 */
 	tstamp = crypto_time();
 	if (tstamp == 0)
 		return (XEVNT_TSP);
 	ptr = (u_char *)ep->pkt;
 	if ((req = d2i_X509(NULL, &ptr, ntohl(ep->vallen))) == NULL) {
 @@ -3019,27 +3020,27 @@ cert_sign(
 	len = i2d_X509(cert, NULL);
 	/*
 	 * Build and sign the value structure. We have to sign it here,
 	 * since the response has to be returned right away. This is a
 	 * clogging hazard.
 	 */
 	memset(vp, 0, sizeof(struct value));
 	vp->tstamp = htonl(tstamp);
 	vp->fstamp = ep->fstamp;
 	vp->vallen = htonl(len);
 	vp->ptr = emalloc(len);
 	ptr = vp->ptr;
-	i2d_X509(cert, &ptr);
+	i2d_X509(cert, (unsigned char **)&ptr);
 	vp->siglen = 0;
 	if (tstamp != 0) {
 		vp->sig = emalloc(sign_siglen);
 		EVP_SignInit(&ctx, sign_digest);
 		EVP_SignUpdate(&ctx, (u_char *)vp, 12);
 		EVP_SignUpdate(&ctx, vp->ptr, len);
 		if (EVP_SignFinal(&ctx, vp->sig, &len, sign_pkey))
 			vp->siglen = htonl(sign_siglen);
+	}
 #ifdef DEBUG
 	if (debug > 1)
 		X509_print_fp(stdout, cert);
 #endif
 @@ -3122,27 +3123,27 @@ cert_install(
  * XEVNT_OK	success
  * XEVNT_CRT	bad or missing certificate
  * XEVNT_PER	host certificate expired
  * XEVNT_VFY	certificate not verified
  */
 int
 cert_hike(
 	struct peer *peer,	/* peer structure pointer */
 	struct cert_info *yp	/* issuer certificate */
+	)
+{
 	struct cert_info *xp;	/* subject certificate */
 	X509	*cert;		/* X509 certificate */
-	u_char	*ptr;
+	const u_char	*ptr;
 	/*
 	 * Save the issuer on the new certificate, but remember the old
 	 * one.
 	 */
 	if (peer->issuer != NULL)
 		free(peer->issuer);
 	peer->issuer = emalloc(strlen(yp->issuer) + 1);
 	strcpy(peer->issuer, yp->issuer);
 	xp = peer->xinfo;
 	peer->xinfo = yp;
 	/*
 @@ -3221,27 +3222,27 @@ cert_hike(
  */
 struct cert_info *		/* certificate information structure */
 cert_parse(
 	u_char	*asn1cert,	/* X509 certificate */
 	long	len,		/* certificate length */
 	tstamp_t fstamp		/* filestamp */
+	)
+{
 	X509	*cert;		/* X509 certificate */
 	X509_EXTENSION *ext;	/* X509v3 extension */
 	struct cert_info *ret;	/* certificate info/value */
 	BIO	*bp;
 	char	pathbuf[MAXFILENAME];
-	u_char	*ptr;
+	const u_char	*ptr;
 	int	temp, cnt, i;
 	/*
 	 * Decode ASN.1 objects and construct certificate structure.
 	 */
 	ptr = asn1cert;
 	if ((cert = d2i_X509(NULL, &ptr, len)) == NULL) {
 		msyslog(LOG_ERR, "cert_parse: %s",
 		    ERR_error_string(ERR_get_error(), NULL));
 		return (NULL);
+	}
 #ifdef DEBUG
 	if (debug > 1)