| @@ -1,47 +1,568 @@ | | | @@ -1,47 +1,568 @@ |
1 | $NetBSD: patch-ab,v 1.7 2014/06/23 22:24:24 christos Exp $ | | 1 | $NetBSD: patch-ab,v 1.8 2020/04/08 15:22:07 rhialto Exp $ |
2 | | | 2 | |
3 | --- ck_ssl.c.orig 2011-07-06 09:03:32.000000000 -0400 | | 3 | - Update for openssl 1.1.1e. |
4 | +++ ck_ssl.c 2014-06-23 18:21:25.000000000 -0400 | | 4 | - Kermit tries to keep SSL and TLS contexts (since in old openssl, the |
5 | @@ -1072,7 +1072,7 @@ | | 5 | *v23* methods were not version-flexible enough). Now afer simplification |
| | | 6 | there is lots of duplicate code left over that could be simplified more. |
| | | 7 | |
| | | 8 | --- ck_ssl.c.orig 2011-07-06 15:03:32.000000000 +0200 |
| | | 9 | +++ ck_ssl.c 2020-04-06 16:43:41.323530837 +0200 |
| | | 10 | @@ -301,7 +301,7 @@ |
| | | 11 | break; |
| | | 12 | default: |
| | | 13 | printf("Error %d while verifying certificate.\r\n", |
| | | 14 | - ctx->error); |
| | | 15 | + error); |
| | | 16 | break; |
| | | 17 | } |
| | | 18 | } |
| | | 19 | @@ -804,6 +804,17 @@ |
| | | 20 | #define MS_CALLBACK |
| | | 21 | #endif /* MS_CALLBACK */ |
| | | 22 | |
| | | 23 | +static BIGNUM *get_RSA_F4() |
| | | 24 | +{ |
| | | 25 | + static BIGNUM *bn; |
| | | 26 | + |
| | | 27 | + if (!bn) { |
| | | 28 | + bn = BN_new(); |
| | | 29 | + BN_add_word(bn, RSA_F4); |
| | | 30 | + } |
| | | 31 | + return bn; |
| | | 32 | +} |
| | | 33 | + |
| | | 34 | static RSA MS_CALLBACK * |
| | | 35 | #ifdef CK_ANSIC |
| | | 36 | tmp_rsa_cb(SSL * s, int export, int keylength) |
| | | 37 | @@ -822,7 +833,16 @@ |
| | | 38 | if (ssl_debug_flag) |
| | | 39 | printf("Generating temporary (%d bit) RSA key...\r\n",keylength); |
| | | 40 | |
| | | 41 | - rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); |
| | | 42 | + rsa_tmp = RSA_new(); |
| | | 43 | + if (rsa_tmp) { |
| | | 44 | + int error = RSA_generate_key_ex(rsa_tmp, keylength, get_RSA_F4(),NULL); |
| | | 45 | + if (error) { |
| | | 46 | + if (ssl_debug_flag) |
| | | 47 | + printf(" error %d", error); |
| | | 48 | + RSA_free(rsa_tmp); |
| | | 49 | + rsa_tmp = NULL; |
| | | 50 | + } |
| | | 51 | + } |
| | | 52 | |
| | | 53 | if (ssl_debug_flag) |
| | | 54 | printf("\r\n"); |
| | | 55 | @@ -936,10 +956,26 @@ |
| | | 56 | |
| | | 57 | if ((dh=DH_new()) == NULL) |
| | | 58 | return(NULL); |
| | | 59 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 60 | + BIGNUM *p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); |
| | | 61 | + BIGNUM *g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); |
| | | 62 | + if ((p == NULL) || (g == NULL)) { |
| | | 63 | + BN_free(g); |
| | | 64 | + BN_free(p); |
| | | 65 | + DH_free(dh); |
| | | 66 | + return(NULL); |
| | | 67 | + } |
| | | 68 | + DH_set0_pqg(dh, p, NULL, g); |
| | | 69 | +#else |
| | | 70 | dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); |
| | | 71 | dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); |
| | | 72 | - if ((dh->p == NULL) || (dh->g == NULL)) |
| | | 73 | + if ((dh->p == NULL) || (dh->g == NULL)) { |
| | | 74 | + BN_free(dh->g); |
| | | 75 | + BN_free(dh->p); |
| | | 76 | + DH_free(dh); |
| | | 77 | return(NULL); |
| | | 78 | + } |
| | | 79 | +#endif |
| | | 80 | return(dh); |
| | | 81 | } |
| | | 82 | |
| | | 83 | @@ -950,10 +986,26 @@ |
| | | 84 | |
| | | 85 | if ((dh=DH_new()) == NULL) |
| | | 86 | return(NULL); |
| | | 87 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 88 | + BIGNUM *p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL); |
| | | 89 | + BIGNUM *g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL); |
| | | 90 | + if ((p == NULL) || (g == NULL)) { |
| | | 91 | + BN_free(g); |
| | | 92 | + BN_free(p); |
| | | 93 | + DH_free(dh); |
| | | 94 | + return(NULL); |
| | | 95 | + } |
| | | 96 | + DH_set0_pqg(dh, p, NULL, g); |
| | | 97 | +#else |
| | | 98 | dh->p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL); |
| | | 99 | dh->g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL); |
| | | 100 | - if ((dh->p == NULL) || (dh->g == NULL)) |
| | | 101 | + if ((dh->p == NULL) || (dh->g == NULL)) { |
| | | 102 | + BN_free(dh->g); |
| | | 103 | + BN_free(dh->p); |
| | | 104 | + DH_free(dh); |
| | | 105 | return(NULL); |
| | | 106 | + } |
| | | 107 | +#endif |
| | | 108 | return(dh); |
| | | 109 | } |
| | | 110 | |
| | | 111 | @@ -964,10 +1016,26 @@ |
| | | 112 | |
| | | 113 | if ((dh=DH_new()) == NULL) |
| | | 114 | return(NULL); |
| | | 115 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 116 | + BIGNUM *p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); |
| | | 117 | + BIGNUM *g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); |
| | | 118 | + if ((p == NULL) || (g == NULL)) { |
| | | 119 | + BN_free(g); |
| | | 120 | + BN_free(p); |
| | | 121 | + DH_free(dh); |
| | | 122 | + return(NULL); |
| | | 123 | + } |
| | | 124 | + DH_set0_pqg(dh, p, NULL, g); |
| | | 125 | +#else |
| | | 126 | dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); |
| | | 127 | dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); |
| | | 128 | - if ((dh->p == NULL) || (dh->g == NULL)) |
| | | 129 | + if ((dh->p == NULL) || (dh->g == NULL)) { |
| | | 130 | + BN_free(dh->g); |
| | | 131 | + BN_free(dh->p); |
| | | 132 | + DH_free(dh); |
| | | 133 | return(NULL); |
| | | 134 | + } |
| | | 135 | +#endif |
| | | 136 | return(dh); |
| | | 137 | } |
| | | 138 | |
| | | 139 | @@ -978,10 +1046,26 @@ |
| | | 140 | |
| | | 141 | if ((dh=DH_new()) == NULL) |
| | | 142 | return(NULL); |
| | | 143 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 144 | + BIGNUM *p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL); |
| | | 145 | + BIGNUM *g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL); |
| | | 146 | + if ((p == NULL) || (g == NULL)) { |
| | | 147 | + BN_free(g); |
| | | 148 | + BN_free(p); |
| | | 149 | + DH_free(dh); |
| | | 150 | + return(NULL); |
| | | 151 | + } |
| | | 152 | + DH_set0_pqg(dh, p, NULL, g); |
| | | 153 | +#else |
| | | 154 | dh->p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL); |
| | | 155 | dh->g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL); |
| | | 156 | - if ((dh->p == NULL) || (dh->g == NULL)) |
| | | 157 | + if ((dh->p == NULL) || (dh->g == NULL)) { |
| | | 158 | + BN_free(dh->g); |
| | | 159 | + BN_free(dh->p); |
| | | 160 | + DH_free(dh); |
| | | 161 | return(NULL); |
| | | 162 | + } |
| | | 163 | +#endif |
| | | 164 | return(dh); |
| | | 165 | } |
| | | 166 | |
| | | 167 | @@ -992,10 +1076,26 @@ |
| | | 168 | |
| | | 169 | if ((dh=DH_new()) == NULL) |
| | | 170 | return(NULL); |
| | | 171 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 172 | + BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); |
| | | 173 | + BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); |
| | | 174 | + if ((p == NULL) || (g == NULL)) { |
| | | 175 | + BN_free(g); |
| | | 176 | + BN_free(p); |
| | | 177 | + DH_free(dh); |
| | | 178 | + return(NULL); |
| | | 179 | + } |
| | | 180 | + DH_set0_pqg(dh, p, NULL, g); |
| | | 181 | +#else |
| | | 182 | dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); |
| | | 183 | dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); |
| | | 184 | - if ((dh->p == NULL) || (dh->g == NULL)) |
| | | 185 | + if ((dh->p == NULL) || (dh->g == NULL)) { |
| | | 186 | + BN_free(dh->g); |
| | | 187 | + BN_free(dh->p); |
| | | 188 | + DH_free(dh); |
| | | 189 | return(NULL); |
| | | 190 | + } |
| | | 191 | +#endif |
| | | 192 | return(dh); |
| | | 193 | } |
| | | 194 | #endif /* NO_DH */ |
| | | 195 | @@ -1054,10 +1154,11 @@ |
| | | 196 | if (ssl == NULL) |
| | | 197 | return; |
| | | 198 | |
| | | 199 | - if (ssl->expand == NULL || ssl->expand->meth == NULL) |
| | | 200 | + const COMP_METHOD *method = SSL_get_current_compression(ssl); |
| | | 201 | + if (method == NULL) |
| | | 202 | printf("Compression: None\r\n"); |
| | | 203 | else { |
| | | 204 | - printf("Compression: %s\r\n",ssl->expand->meth->name); |
| | | 205 | + printf("Compression: %s\r\n",SSL_COMP_get_name(method)); |
| | | 206 | } |
| | | 207 | } |
| | | 208 | |
| | | 209 | @@ -1072,7 +1173,7 @@ |
6 | #endif /* CK_ANSIC */ | | 210 | #endif /* CK_ANSIC */ |
7 | { | | 211 | { |
8 | X509 *peer; | | 212 | X509 *peer; |
9 | - SSL_CIPHER * cipher; | | 213 | - SSL_CIPHER * cipher; |
10 | + const SSL_CIPHER * cipher; | | 214 | + const SSL_CIPHER * cipher; |
11 | const char *cipher_list; | | 215 | const char *cipher_list; |
12 | char buf[512]=""; | | 216 | char buf[512]=""; |
13 | | | 217 | |
14 | @@ -2877,6 +2877,7 @@ | | 218 | @@ -1457,13 +1558,23 @@ |
| | | 219 | |
| | | 220 | #ifdef ZLIB |
| | | 221 | cm = COMP_zlib(); |
| | | 222 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 223 | + if (cm != NULL && COMP_get_type(cm) != NID_undef) { |
| | | 224 | +#else |
| | | 225 | if (cm != NULL && cm->type != NID_undef) { |
| | | 226 | +#endif |
| | | 227 | SSL_COMP_add_compression_method(0xe0, cm); /* EAY's ZLIB ID */ |
| | | 228 | } |
| | | 229 | #endif /* ZLIB */ |
| | | 230 | +#ifdef NID_rle_compression |
| | | 231 | cm = COMP_rle(); |
| | | 232 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 233 | + if (cm != NULL && COMP_get_type(cm) != NID_undef) |
| | | 234 | +#else |
| | | 235 | if (cm != NULL && cm->type != NID_undef) |
| | | 236 | +#endif |
| | | 237 | SSL_COMP_add_compression_method(0xe1, cm); /* EAY's RLE ID */ |
| | | 238 | +#endif /* NID_rle_compression */ |
| | | 239 | |
| | | 240 | /* Ensure the Random number generator has enough entropy */ |
| | | 241 | if ( !RAND_status() ) { |
| | | 242 | @@ -1483,8 +1594,12 @@ |
| | | 243 | } |
| | | 244 | debug(F110,"ssl_rnd_file",ssl_rnd_file,0); |
| | | 245 | |
| | | 246 | +#ifdef OPENSSL_NO_EGD |
| | | 247 | + rc1 = 0; |
| | | 248 | +#else |
| | | 249 | rc1 = RAND_egd(ssl_rnd_file); |
| | | 250 | debug(F111,"ssl_once_init","RAND_egd()",rc1); |
| | | 251 | +#endif |
| | | 252 | if ( rc1 <= 0 ) { |
| | | 253 | rc2 = RAND_load_file(ssl_rnd_file, -1); |
| | | 254 | debug(F111,"ssl_once_init","RAND_load_file()",rc1); |
| | | 255 | @@ -1579,25 +1694,13 @@ |
| | | 256 | /* This can fail because we do not have RSA available */ |
| | | 257 | if ( !ssl_ctx ) { |
| | | 258 | debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); |
| | | 259 | - ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); |
| | | 260 | - } |
| | | 261 | - if ( !ssl_ctx ) { |
| | | 262 | - debug(F110,"ssl_tn_init","SSLv3_client_method failed",0); |
| | | 263 | last_ssl_mode = -1; |
| | | 264 | return(0); |
| | | 265 | } |
| | | 266 | -#ifndef COMMENT |
| | | 267 | - tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method()); |
| | | 268 | -#else /* COMMENT */ |
| | | 269 | tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method()); |
| | | 270 | /* This can fail because we do not have RSA available */ |
| | | 271 | if ( !tls_ctx ) { |
| | | 272 | debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); |
| | | 273 | - tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); |
| | | 274 | - } |
| | | 275 | -#endif /* COMMENT */ |
| | | 276 | - if ( !tls_ctx ) { |
| | | 277 | - debug(F110,"ssl_tn_init","TLSv1_client_method failed",0); |
| | | 278 | last_ssl_mode = -1; |
| | | 279 | return(0); |
| | | 280 | } |
| | | 281 | @@ -1611,25 +1714,13 @@ |
| | | 282 | /* This can fail because we do not have RSA available */ |
| | | 283 | if ( !ssl_ctx ) { |
| | | 284 | debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); |
| | | 285 | - ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method()); |
| | | 286 | - } |
| | | 287 | - if ( !ssl_ctx ) { |
| | | 288 | - debug(F110,"ssl_tn_init","SSLv3_server_method failed",0); |
| | | 289 | last_ssl_mode = -1; |
| | | 290 | return(0); |
| | | 291 | } |
| | | 292 | -#ifdef COMMENT |
| | | 293 | - tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method()); |
| | | 294 | -#else /* COMMENT */ |
| | | 295 | tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method()); |
| | | 296 | /* This can fail because we do not have RSA available */ |
| | | 297 | if ( !tls_ctx ) { |
| | | 298 | debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); |
| | | 299 | - tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method()); |
| | | 300 | - } |
| | | 301 | -#endif /* COMMENT */ |
| | | 302 | - if ( !tls_ctx ) { |
| | | 303 | - debug(F110,"ssl_tn_init","TLSv1_server_method failed",0); |
| | | 304 | last_ssl_mode = -1; |
| | | 305 | return(0); |
| | | 306 | } |
| | | 307 | @@ -1655,7 +1746,6 @@ |
| | | 308 | SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback); |
| | | 309 | SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback); |
| | | 310 | |
| | | 311 | -#ifndef COMMENT |
| | | 312 | /* Set the proper caching mode */ |
| | | 313 | if ( mode == SSL_SERVER ) { |
| | | 314 | SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_SERVER); |
| | | 315 | @@ -1666,10 +1756,6 @@ |
| | | 316 | } |
| | | 317 | SSL_CTX_set_session_id_context(ssl_ctx,(CHAR *)"1",1); |
| | | 318 | SSL_CTX_set_session_id_context(tls_ctx,(CHAR *)"2",1); |
| | | 319 | -#else /* COMMENT */ |
| | | 320 | - SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_OFF); |
| | | 321 | - SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_OFF); |
| | | 322 | -#endif /* COMMENT */ |
| | | 323 | } |
| | | 324 | |
| | | 325 | /* The server uses defaults for the certificate files. */ |
| | | 326 | @@ -1777,7 +1863,14 @@ |
| | | 327 | |
| | | 328 | if ( ssl_debug_flag ) |
| | | 329 | printf("Generating temp (512 bit) RSA key ...\r\n"); |
| | | 330 | - rsa=RSA_generate_key(512,RSA_F4,NULL,NULL); |
| | | 331 | + rsa = RSA_new(); |
| | | 332 | + if (rsa) { |
| | | 333 | + int error = RSA_generate_key_ex(rsa,512,get_RSA_F4(),NULL); |
| | | 334 | + if (error) { |
| | | 335 | + RSA_free(rsa); |
| | | 336 | + rsa = NULL; |
| | | 337 | + } |
| | | 338 | + } |
| | | 339 | if ( ssl_debug_flag ) |
| | | 340 | printf("Generation of temp (512 bit) RSA key done\r\n"); |
| | | 341 | |
| | | 342 | @@ -2153,18 +2246,10 @@ |
| | | 343 | printf("SSL_DEBUG_FLAG on\r\n"); |
| | | 344 | |
| | | 345 | if (!tls_http_ctx ) { |
| | | 346 | -#ifdef COMMENT |
| | | 347 | - /* too many web servers still do not support TLSv1 */ |
| | | 348 | - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method()); |
| | | 349 | -#else /* COMMENT */ |
| | | 350 | tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method()); |
| | | 351 | /* This can fail because we do not have RSA available */ |
| | | 352 | if ( !tls_http_ctx ) { |
| | | 353 | debug(F110,"ssl_http_init","SSLv23_client_method failed",0); |
| | | 354 | - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); |
| | | 355 | - } |
| | | 356 | -#endif /* COMMENT */ |
| | | 357 | - if ( !tls_http_ctx ) { |
| | | 358 | debug(F110,"ssl_http_init","TLSv1_client_method failed",0); |
| | | 359 | return(0); |
| | | 360 | } |
| | | 361 | @@ -2182,7 +2267,7 @@ |
| | | 362 | * for TLS be sure to prevent use of SSLv2 |
| | | 363 | */ |
| | | 364 | SSL_CTX_set_options(tls_http_ctx, |
| | | 365 | - SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); |
| | | 366 | + SSL_OP_NO_SSLv2/*|SSL_OP_NO_SSLv3*/|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); |
| | | 367 | |
| | | 368 | SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback); |
| | | 369 | |
| | | 370 | @@ -2575,7 +2660,11 @@ |
| | | 371 | int |
| | | 372 | ssl_verify_crl(int ok, X509_STORE_CTX *ctx) |
| | | 373 | { |
| | | 374 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 375 | + X509_OBJECT *obj; |
| | | 376 | +#else |
| | | 377 | X509_OBJECT obj; |
| | | 378 | +#endif |
| | | 379 | X509_NAME *subject = NULL; |
| | | 380 | X509_NAME *issuer = NULL; |
| | | 381 | X509 *xs = NULL; |
| | | 382 | @@ -2595,6 +2684,14 @@ |
| | | 383 | if (!crl_store) |
| | | 384 | return ok; |
| | | 385 | |
| | | 386 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 387 | + obj = X509_OBJECT_new(); |
| | | 388 | + if (!obj) |
| | | 389 | + return(ok); |
| | | 390 | +#else |
| | | 391 | + memset((char *)&obj, 0, sizeof(obj)); |
| | | 392 | +#endif |
| | | 393 | + |
| | | 394 | store_ctx = X509_STORE_CTX_new(); |
| | | 395 | if ( !store_ctx ) |
| | | 396 | return(ok); |
| | | 397 | @@ -2641,11 +2738,16 @@ |
| | | 398 | * Try to retrieve a CRL corresponding to the _subject_ of |
| | | 399 | * the current certificate in order to verify it's integrity. |
| | | 400 | */ |
| | | 401 | - memset((char *)&obj, 0, sizeof(obj)); |
| | | 402 | X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL); |
| | | 403 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 404 | + rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj); |
| | | 405 | + X509_STORE_CTX_cleanup(store_ctx); |
| | | 406 | + crl = X509_OBJECT_get0_X509_CRL(obj); |
| | | 407 | +#else |
| | | 408 | rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj); |
| | | 409 | X509_STORE_CTX_cleanup(store_ctx); |
| | | 410 | crl = obj.data.crl; |
| | | 411 | +#endif |
| | | 412 | if (rc > 0 && crl != NULL) { |
| | | 413 | /* |
| | | 414 | * Verify the signature on this CRL |
| | | 415 | @@ -2653,7 +2755,11 @@ |
| | | 416 | if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) { |
| | | 417 | fprintf(stderr, "Invalid signature on CRL!\n"); |
| | | 418 | X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); |
| | | 419 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 420 | + X509_OBJECT_free(obj); |
| | | 421 | +#else |
| | | 422 | X509_OBJECT_free_contents(&obj); |
| | | 423 | +#endif |
| | | 424 | X509_STORE_CTX_free(store_ctx); |
| | | 425 | return 0; |
| | | 426 | } |
| | | 427 | @@ -2661,12 +2767,16 @@ |
| | | 428 | /* |
| | | 429 | * Check date of CRL to make sure it's not expired |
| | | 430 | */ |
| | | 431 | - i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)); |
| | | 432 | + i = X509_cmp_current_time(X509_CRL_get0_nextUpdate(crl)); |
| | | 433 | if (i == 0) { |
| | | 434 | fprintf(stderr, "Found CRL has invalid nextUpdate field.\n"); |
| | | 435 | X509_STORE_CTX_set_error(ctx, |
| | | 436 | X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); |
| | | 437 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 438 | + X509_OBJECT_free(obj); |
| | | 439 | +#else |
| | | 440 | X509_OBJECT_free_contents(&obj); |
| | | 441 | +#endif |
| | | 442 | X509_STORE_CTX_free(store_ctx); |
| | | 443 | return 0; |
| | | 444 | } |
| | | 445 | @@ -2675,22 +2785,38 @@ |
| | | 446 | "Found CRL is expired - revoking all certificates until you get updated CRL.\n" |
| | | 447 | ); |
| | | 448 | X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED); |
| | | 449 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 450 | + X509_OBJECT_free(obj); |
| | | 451 | +#else |
| | | 452 | X509_OBJECT_free_contents(&obj); |
| | | 453 | +#endif |
| | | 454 | X509_STORE_CTX_free(store_ctx); |
| | | 455 | return 0; |
| | | 456 | } |
| | | 457 | - X509_OBJECT_free_contents(&obj); |
| | | 458 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 459 | + X509_OBJECT_free(obj); |
| | | 460 | +#else |
| | | 461 | + X509_OBJECT_free_contents(&obj); |
| | | 462 | +#endif |
| | | 463 | } |
| | | 464 | |
| | | 465 | /* |
| | | 466 | * Try to retrieve a CRL corresponding to the _issuer_ of |
| | | 467 | * the current certificate in order to check for revocation. |
| | | 468 | */ |
| | | 469 | +#if OPENSSL_VERSION_NUMBER < 0x10100005L |
| | | 470 | memset((char *)&obj, 0, sizeof(obj)); |
| | | 471 | +#endif |
| | | 472 | X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL); |
| | | 473 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 474 | + rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj); |
| | | 475 | + X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */ |
| | | 476 | + crl = X509_OBJECT_get0_X509_CRL(obj); |
| | | 477 | +#else |
| | | 478 | rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj); |
| | | 479 | X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */ |
| | | 480 | crl = obj.data.crl; |
| | | 481 | +#endif |
| | | 482 | if (rc > 0 && crl != NULL) { |
| | | 483 | /* |
| | | 484 | * Check if the current certificate is revoked by this CRL |
| | | 485 | @@ -2698,19 +2824,34 @@ |
| | | 486 | n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); |
| | | 487 | for (i = 0; i < n; i++) { |
| | | 488 | revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); |
| | | 489 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 490 | + if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), |
| | | 491 | + X509_get_serialNumber(xs)) == 0) { // } |
| | | 492 | + |
| | | 493 | + serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(revoked)); |
| | | 494 | +#else |
| | | 495 | if (ASN1_INTEGER_cmp(revoked->serialNumber, |
| | | 496 | X509_get_serialNumber(xs)) == 0) { |
| | | 497 | |
| | | 498 | serial = ASN1_INTEGER_get(revoked->serialNumber); |
| | | 499 | +#endif |
| | | 500 | cp = X509_NAME_oneline(issuer, NULL, 0); |
| | | 501 | free(cp); |
| | | 502 | |
| | | 503 | X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); |
| | | 504 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 505 | + X509_OBJECT_free(obj); |
| | | 506 | +#else |
| | | 507 | X509_OBJECT_free_contents(&obj); |
| | | 508 | +#endif |
| | | 509 | return 0; |
| | | 510 | } |
| | | 511 | } |
| | | 512 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 513 | + X509_OBJECT_free(obj); |
| | | 514 | +#else |
| | | 515 | X509_OBJECT_free_contents(&obj); |
| | | 516 | +#endif |
| | | 517 | } |
| | | 518 | return ok; |
| | | 519 | } |
| | | 520 | @@ -2877,6 +3018,7 @@ |
15 | #ifndef OpenBSD | | 521 | #ifndef OpenBSD |
16 | #ifndef FREEBSD4 | | 522 | #ifndef FREEBSD4 |
17 | #ifndef NETBSD15 | | 523 | #ifndef NETBSD15 |
18 | +#ifndef __DragonFly__ | | 524 | +#ifndef __DragonFly__ |
19 | #ifndef LINUX | | 525 | #ifndef LINUX |
20 | #ifndef AIX41 | | 526 | #ifndef AIX41 |
21 | #ifndef UW7 | | 527 | #ifndef UW7 |
22 | @@ -2919,6 +2920,7 @@ | | 528 | @@ -2919,6 +3061,7 @@ |
23 | #endif /* UW7 */ | | 529 | #endif /* UW7 */ |
24 | #endif /* AIX41 */ | | 530 | #endif /* AIX41 */ |
25 | #endif /* LINUX */ | | 531 | #endif /* LINUX */ |
26 | +#endif /* __DragonFly__ */ | | 532 | +#endif /* __DragonFly__ */ |
27 | #endif /* NETBSD15 */ | | 533 | #endif /* NETBSD15 */ |
28 | #endif /* FREEBSD4 */ | | 534 | #endif /* FREEBSD4 */ |
29 | #endif /* OpenBSD */ | | 535 | #endif /* OpenBSD */ |
30 | @@ -3057,7 +3059,7 @@ | | 536 | @@ -3057,7 +3200,7 @@ |
31 | tls_is_anon(int x) | | 537 | tls_is_anon(int x) |
32 | { | | 538 | { |
33 | char buf[128]; | | 539 | char buf[128]; |
34 | - SSL_CIPHER * cipher; | | 540 | - SSL_CIPHER * cipher; |
35 | + const SSL_CIPHER * cipher; | | 541 | + const SSL_CIPHER * cipher; |
36 | SSL * ssl = NULL; | | 542 | SSL * ssl = NULL; |
37 | | | 543 | |
38 | switch ( x ) { | | 544 | switch ( x ) { |
39 | @@ -3101,7 +3103,7 @@ | | 545 | @@ -3101,7 +3244,7 @@ |
40 | tls_is_krb5(int x) | | 546 | tls_is_krb5(int x) |
41 | { | | 547 | { |
42 | char buf[128]; | | 548 | char buf[128]; |
43 | - SSL_CIPHER * cipher; | | 549 | - SSL_CIPHER * cipher; |
44 | + const SSL_CIPHER * cipher; | | 550 | + const SSL_CIPHER * cipher; |
45 | SSL * ssl = NULL; | | 551 | SSL * ssl = NULL; |
46 | | | 552 | |
47 | switch ( x ) { | | 553 | switch ( x ) { |
| | | 554 | @@ -4343,7 +4486,14 @@ |
| | | 555 | if (!(fp = fopen(buf, "r"))) |
| | | 556 | return 0; |
| | | 557 | while (!r && (file_cert = PEM_read_X509(fp, NULL, NULL, NULL))) { |
| | | 558 | +#if OPENSSL_VERSION_NUMBER >= 0x10100005L |
| | | 559 | + const ASN1_BIT_STRING *peer_cert_sig, *file_cert_sig; |
| | | 560 | + X509_get0_signature(&peer_cert_sig, NULL, peer_cert); |
| | | 561 | + X509_get0_signature(&file_cert_sig, NULL, file_cert); |
| | | 562 | + if (!ASN1_STRING_cmp(peer_cert_sig, file_cert_sig)) |
| | | 563 | +#else |
| | | 564 | if (!ASN1_STRING_cmp(peer_cert->signature, file_cert->signature)) |
| | | 565 | +#endif |
| | | 566 | r = 1; |
| | | 567 | X509_free(file_cert); |
| | | 568 | } |