search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
archrelease: copy trunk to community-x86_64
[ArchLinux/community.git] / wvstreams / repos / community-x86_64 / wvstreams_openssl1.1.patch
blobcaa39fdadc0e21a63108fc347e2f5dbf5cd2b481
1 Author: Reiner Herrmann <reiner@reiner-h.de>
2 Description: Port to OpenSSL 1.1
3 Bug-Debian: https://bugs.debian.org/859791
4 Forwarded: https://github.com/apenwarr/wvstreams/pull/2
5
6 diff --git a/crypto/wvcrl.cc b/crypto/wvcrl.cc
7 index fa00c76..880ad85 100644
8 --- a/crypto/wvcrl.cc
9 +++ b/crypto/wvcrl.cc
10 @@ -357,31 +357,19 @@ bool WvCRL::isrevoked(WvStringParm serial_number) const
11 ASN1_INTEGER *serial = serial_to_int(serial_number);
12 if (serial)
13 {
14 - X509_REVOKED mayberevoked;
15 - mayberevoked.serialNumber = serial;
16 - if (crl->crl->revoked)
17 - {
18 - int idx = sk_X509_REVOKED_find(crl->crl->revoked,
19 - &mayberevoked);
20 - ASN1_INTEGER_free(serial);
21 - if (idx >= 0)
22 - {
23 - debug("Certificate is revoked.\n");
24 - return true;
25 - }
26 - else
27 - {
28 - debug("Certificate is not revoked.\n");
29 - return false;
30 - }
31 - }
32 - else
33 - {
34 - ASN1_INTEGER_free(serial);
35 - debug("CRL does not have revoked list.\n");
36 - return false;
37 - }
38 -
39 + X509_REVOKED *revoked_entry = NULL;
40 + int idx = X509_CRL_get0_by_serial(crl, &revoked_entry, serial);
41 + ASN1_INTEGER_free(serial);
42 + if (idx >= 1 || revoked_entry)
43 + {
44 + debug("Certificate is revoked.\n");
45 + return true;
46 + }
47 + else
48 + {
49 + debug("Certificate is not revoked.\n");
50 + return false;
51 + }
52 }
53 else
54 debug(WvLog::Warning, "Can't convert serial number to ASN1 format. "
55 diff --git a/crypto/wvdiffiehellman.cc b/crypto/wvdiffiehellman.cc
56 index 7c0bf32..15cd104 100644
57 --- a/crypto/wvdiffiehellman.cc
58 +++ b/crypto/wvdiffiehellman.cc
59 @@ -39,24 +39,25 @@ WvDiffieHellman::WvDiffieHellman(const unsigned char *_key, int _keylen,
60 {
61 int problems;
62 int check;
63 - {
64 +
65 info = DH_new();
66 - info->p = BN_bin2bn(_key, _keylen, NULL);
67 + BIGNUM *p = BN_bin2bn(_key, _keylen, NULL);
68 // info->p->top = 0;
69 // info->p->dmax = _keylen * 8 / BN_BITS2;
70 // info->p->neg = 0;
71 // info->p->flags = 0;
72
73 - info->g = BN_new();
74 - BN_set_word(info->g, generator);
75 + BIGNUM *g = BN_new();
76 + BN_set_word(g, generator);
77 // info->g->d = &generator;
78 // info->g->top = 0;
79 // info->g->dmax = 1;
80 // info->g->neg = 0;
81 // info->g->flags = 0;
82 - }
83
84 - check = BN_mod_word(info->p, 24);
85 + DH_set0_pqg(info, p, NULL, g);
86 +
87 + check = BN_mod_word(p, 24);
88 DH_check(info, &problems);
89 if (problems & DH_CHECK_P_NOT_PRIME)
90 log(WvLog::Error, "Using a composite number for authentication.\n");
91 @@ -64,7 +65,7 @@ WvDiffieHellman::WvDiffieHellman(const unsigned char *_key, int _keylen,
92 log(WvLog::Error,"Using an unsafe prime number for authentication.\n");
93 if (problems & DH_NOT_SUITABLE_GENERATOR)
94 log(WvLog::Error, "Can you just use 2 instead of %s (%s)!!\n",
95 - BN_bn2hex(info->g), check);
96 + BN_bn2hex(g), check);
97 if (problems & DH_UNABLE_TO_CHECK_GENERATOR)
98 log(WvLog::Notice, "Using a strange argument for diffie-hellman.\n");
99 DH_generate_key(info);
100 @@ -72,18 +73,23 @@ WvDiffieHellman::WvDiffieHellman(const unsigned char *_key, int _keylen,
101
102 int WvDiffieHellman::pub_key_len()
103 {
104 - return BN_num_bytes(info->pub_key);
105 + const BIGNUM *pub_key = NULL;
106 + DH_get0_key(info, &pub_key, NULL);
107 + return BN_num_bytes(pub_key);
108 }
109
110 int WvDiffieHellman::get_public_value(WvBuf &outbuf, int len)
111 {
112 - int key_len = BN_num_bytes(info->pub_key);
113 + const BIGNUM *pub_key = NULL;
114 + DH_get0_key(info, &pub_key, NULL);
115 +
116 + int key_len = BN_num_bytes(pub_key);
117 if (key_len < len)
118 len = key_len;
119
120 // alloca is stack allocated, don't free it.
121 unsigned char *foo = (unsigned char*)alloca(key_len);
122 - BN_bn2bin(info->pub_key, foo);
123 + BN_bn2bin(pub_key, foo);
124 outbuf.put(foo, len);
125
126 return len;
127 @@ -91,8 +97,10 @@ int WvDiffieHellman::get_public_value(WvBuf &outbuf, int len)
128
129 bool WvDiffieHellman::create_secret(WvBuf &inbuf, size_t in_len, WvBuf& outbuf)
130 {
131 + const BIGNUM *pub_key = NULL;
132 + DH_get0_key(info, &pub_key, NULL);
133 unsigned char *foo = (unsigned char *)alloca(DH_size(info));
134 - log("My public value\n%s\nYour public value\n%s\n",BN_bn2hex(info->pub_key),
135 + log("My public value\n%s\nYour public value\n%s\n",BN_bn2hex(pub_key),
136 hexdump_buffer(inbuf.peek(0, in_len), in_len, false));
137 int len = DH_compute_key (foo, BN_bin2bn(inbuf.get(in_len), in_len, NULL),
138 info);
139 diff --git a/crypto/wvdigest.cc b/crypto/wvdigest.cc
140 index 150edee..73ebb5d 100644
141 --- a/crypto/wvdigest.cc
142 +++ b/crypto/wvdigest.cc
143 @@ -13,10 +13,10 @@
144
145 /***** WvEVPMDDigest *****/
146
147 -WvEVPMDDigest::WvEVPMDDigest(const env_md_st *_evpmd) :
148 +WvEVPMDDigest::WvEVPMDDigest(const EVP_MD*_evpmd) :
149 evpmd(_evpmd), active(false)
150 {
151 - evpctx = new EVP_MD_CTX;
152 + evpctx = EVP_MD_CTX_new();
153 _reset();
154 }
155
156 @@ -24,7 +24,7 @@ WvEVPMDDigest::WvEVPMDDigest(const env_md_st *_evpmd) :
157 WvEVPMDDigest::~WvEVPMDDigest()
158 {
159 cleanup();
160 - delete evpctx;
161 + EVP_MD_CTX_free(evpctx);
162 }
163
164
165 @@ -60,7 +60,7 @@ bool WvEVPMDDigest::_reset()
166 // the typecast is necessary for API compatibility with different
167 // versions of openssl. None of them *actually* change the contents of
168 // the pointer.
169 - EVP_DigestInit(evpctx, (env_md_st *)evpmd);
170 + EVP_DigestInit(evpctx, evpmd);
171 active = true;
172 return true;
173 }
174 @@ -79,7 +79,7 @@ void WvEVPMDDigest::cleanup()
175
176 size_t WvEVPMDDigest::digestsize() const
177 {
178 - return EVP_MD_size((env_md_st *)evpmd);
179 + return EVP_MD_size(evpmd);
180 }
181
182
183 @@ -104,14 +104,14 @@ WvHMACDigest::WvHMACDigest(WvEVPMDDigest *_digest,
184 {
185 key = new unsigned char[keysize];
186 memcpy(key, _key, keysize);
187 - hmacctx = new HMAC_CTX;
188 + hmacctx = HMAC_CTX_new();
189 _reset();
190 }
191
192 WvHMACDigest::~WvHMACDigest()
193 {
194 cleanup();
195 - delete hmacctx;
196 + HMAC_CTX_free(hmacctx);
197 deletev key;
198 delete digest;
199 }
200 @@ -145,7 +145,7 @@ bool WvHMACDigest::_finish(WvBuf &outbuf)
201 bool WvHMACDigest::_reset()
202 {
203 cleanup();
204 - HMAC_Init(hmacctx, key, keysize, (env_md_st *)digest->getevpmd());
205 + HMAC_Init(hmacctx, key, keysize, digest->getevpmd());
206 active = true;
207 return true;
208 }
209 diff --git a/crypto/wvocsp.cc b/crypto/wvocsp.cc
210 index ddb2de4..7d5da07 100644
211 --- a/crypto/wvocsp.cc
212 +++ b/crypto/wvocsp.cc
213 @@ -118,9 +118,10 @@ bool WvOCSPResp::check_nonce(const WvOCSPReq &req) const
214
215 bool WvOCSPResp::signedbycert(const WvX509 &cert) const
216 {
217 - EVP_PKEY *skey = X509_get_pubkey(cert.cert);
218 - int i = OCSP_BASICRESP_verify(bs, skey, 0);
219 - EVP_PKEY_free(skey);
220 + STACK_OF(X509) *sk = sk_X509_new_null();
221 + sk_X509_push(sk, cert.cert);
222 + int i = OCSP_basic_verify(bs, sk, NULL, OCSP_NOVERIFY);
223 + sk_X509_free(sk);
224
225 if(i > 0)
226 return true;
227 @@ -131,33 +132,15 @@ bool WvOCSPResp::signedbycert(const WvX509 &cert) const
228
229 WvX509 WvOCSPResp::get_signing_cert() const
230 {
231 - if (!bs || !sk_X509_num(bs->certs))
232 + const STACK_OF(X509) *certs = OCSP_resp_get0_certs(bs);
233 + if (!bs || !sk_X509_num(certs))
234 return WvX509();
235
236 - // note: the following bit of code is taken almost verbatim from
237 - // ocsp_vfy.c in OpenSSL 0.9.8. Copyright and attribution should
238 - // properly belong to them
239 -
240 - OCSP_RESPID *id = bs->tbsResponseData->responderId;
241 -
242 - if (id->type == V_OCSP_RESPID_NAME)
243 - {
244 - X509 *x = X509_find_by_subject(bs->certs, id->value.byName);
245 - if (x)
246 - return WvX509(X509_dup(x));
247 + X509 *signer = NULL;
248 + if (OCSP_resp_get0_signer(bs, &signer, NULL) == 1) {
249 + return WvX509(X509_dup(signer));
250 }
251
252 - if (id->value.byKey->length != SHA_DIGEST_LENGTH) return NULL;
253 - unsigned char tmphash[SHA_DIGEST_LENGTH];
254 - unsigned char *keyhash = id->value.byKey->data;
255 - for (int i = 0; i < sk_X509_num(bs->certs); i++)
256 - {
257 - X509 *x = sk_X509_value(bs->certs, i);
258 - X509_pubkey_digest(x, EVP_sha1(), tmphash, NULL);
259 - if(!memcmp(keyhash, tmphash, SHA_DIGEST_LENGTH))
260 - return WvX509(X509_dup(x));
261 - }
262 -
263 return WvX509();
264 }
265
266 diff --git a/crypto/wvx509.cc b/crypto/wvx509.cc
267 index 70c9fa0..5e5f9be 100644
268 --- a/crypto/wvx509.cc
269 +++ b/crypto/wvx509.cc
270 @@ -974,7 +974,7 @@ static void add_aia(WvStringParm type, WvString identifier,
271 sk_ACCESS_DESCRIPTION_push(ainfo, acc);
272 acc->method = OBJ_txt2obj(type.cstr(), 0);
273 acc->location->type = GEN_URI;
274 - acc->location->d.ia5 = M_ASN1_IA5STRING_new();
275 + acc->location->d.ia5 = ASN1_IA5STRING_new();
276 unsigned char *cident
277 = reinterpret_cast<unsigned char *>(identifier.edit());
278 ASN1_STRING_set(acc->location->d.ia5, cident, identifier.len());
279 @@ -1059,7 +1059,7 @@ void WvX509::set_crl_urls(WvStringList &urls)
280 GENERAL_NAMES *uris = GENERAL_NAMES_new();
281 GENERAL_NAME *uri = GENERAL_NAME_new();
282 uri->type = GEN_URI;
283 - uri->d.ia5 = M_ASN1_IA5STRING_new();
284 + uri->d.ia5 = ASN1_IA5STRING_new();
285 unsigned char *cident
286 = reinterpret_cast<unsigned char *>(i().edit());
287 ASN1_STRING_set(uri->d.ia5, cident, i().len());
288 @@ -1158,10 +1158,11 @@ WvString WvX509::get_extension(int nid) const
289 if (ext)
290 {
291 X509V3_EXT_METHOD *method = (X509V3_EXT_METHOD *)X509V3_EXT_get(ext);
292 + ASN1_OCTET_STRING *ext_data_str = X509_EXTENSION_get_data(ext);
293 if (!method)
294 {
295 WvDynBuf buf;
296 - buf.put(ext->value->data, ext->value->length);
297 + buf.put(ext_data_str->data, ext_data_str->length);
298 retval = buf.getstr();
299 }
300 else
301 @@ -1172,21 +1173,21 @@ WvString WvX509::get_extension(int nid) const
302 // even though it's const (at least as of version 0.9.8e).
303 // gah.
304 #if OPENSSL_VERSION_NUMBER >= 0x0090800fL
305 - const unsigned char * ext_value_data = ext->value->data;
306 + const unsigned char * ext_value_data = ext_data_str->data;
307 #else
308 unsigned char *ext_value_data = ext->value->data;
309 #endif
310 if (method->it)
311 {
312 ext_data = ASN1_item_d2i(NULL, &ext_value_data,
313 - ext->value->length,
314 + ext_data_str->length,
315 ASN1_ITEM_ptr(method->it));
316 TRACE("Applied generic conversion!\n");
317 }
318 else
319 {
320 ext_data = method->d2i(NULL, &ext_value_data,
321 - ext->value->length);
322 + ext_data_str->length);
323 TRACE("Applied method specific conversion!\n");
324 }
325
326 @@ -1321,13 +1322,13 @@ bool WvX509::verify(WvBuf &original, WvStringParm signature) const
327 return false;
328
329 /* Verify the signature */
330 - EVP_MD_CTX sig_ctx;
331 - EVP_VerifyInit(&sig_ctx, EVP_sha1());
332 - EVP_VerifyUpdate(&sig_ctx, original.peek(0, original.used()),
333 + EVP_MD_CTX *sig_ctx = EVP_MD_CTX_new();
334 + EVP_VerifyInit(sig_ctx, EVP_sha1());
335 + EVP_VerifyUpdate(sig_ctx, original.peek(0, original.used()),
336 original.used());
337 - int sig_err = EVP_VerifyFinal(&sig_ctx, sig_buf, sig_size, pk);
338 + int sig_err = EVP_VerifyFinal(sig_ctx, sig_buf, sig_size, pk);
339 EVP_PKEY_free(pk);
340 - EVP_MD_CTX_cleanup(&sig_ctx); // Again, not my fault...
341 + EVP_MD_CTX_free(sig_ctx); // Again, not my fault...
342 if (sig_err != 1)
343 {
344 debug("Verify failed!\n");
345 @@ -1446,19 +1447,19 @@ void WvX509::set_ski()
346 {
347 CHECK_CERT_EXISTS_SET("ski");
348
349 - ASN1_OCTET_STRING *oct = M_ASN1_OCTET_STRING_new();
350 - ASN1_BIT_STRING *pk = cert->cert_info->key->public_key;
351 + ASN1_OCTET_STRING *oct = ASN1_OCTET_STRING_new();
352 + ASN1_BIT_STRING *pk = X509_get0_pubkey_bitstr(cert);
353 unsigned char pkey_dig[EVP_MAX_MD_SIZE];
354 unsigned int diglen;
355
356 EVP_Digest(pk->data, pk->length, pkey_dig, &diglen, EVP_sha1(), NULL);
357
358 - M_ASN1_OCTET_STRING_set(oct, pkey_dig, diglen);
359 + ASN1_OCTET_STRING_set(oct, pkey_dig, diglen);
360 X509_EXTENSION *ext = X509V3_EXT_i2d(NID_subject_key_identifier, 0,
361 oct);
362 X509_add_ext(cert, ext, -1);
363 X509_EXTENSION_free(ext);
364 - M_ASN1_OCTET_STRING_free(oct);
365 + ASN1_OCTET_STRING_free(oct);
366 }
367
368
369 diff --git a/crypto/wvx509mgr.cc b/crypto/wvx509mgr.cc
370 index f249eec..156d3a4 100644
371 --- a/crypto/wvx509mgr.cc
372 +++ b/crypto/wvx509mgr.cc
373 @@ -350,6 +350,8 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const
374 return false;
375 }
376
377 + uint32_t ex_flags = X509_get_extension_flags(cert);
378 + uint32_t ex_kusage = X509_get_key_usage(cert);
379 if (cert == unsignedcert.cert)
380 {
381 debug("Self Signing!\n");
382 @@ -362,8 +364,8 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const
383 return false;
384 }
385 #endif
386 - else if (!((cert->ex_flags & EXFLAG_KUSAGE) &&
387 - (cert->ex_kusage & KU_KEY_CERT_SIGN)))
388 + else if (!((ex_flags & EXFLAG_KUSAGE) &&
389 + (ex_kusage & KU_KEY_CERT_SIGN)))
390 {
391 debug("This Certificate is not allowed to sign certificates!\n");
392 return false;
393 @@ -390,6 +392,8 @@ bool WvX509Mgr::signcert(WvX509 &unsignedcert) const
394
395 bool WvX509Mgr::signcrl(WvCRL &crl) const
396 {
397 + uint32_t ex_flags = X509_get_extension_flags(cert);
398 + uint32_t ex_kusage = X509_get_key_usage(cert);
399 if (!isok() || !crl.isok())
400 {
401 debug(WvLog::Warning, "Asked to sign CRL, but certificate or CRL (or "
402 @@ -403,12 +407,12 @@ bool WvX509Mgr::signcrl(WvCRL &crl) const
403 "CRLs!\n");
404 return false;
405 }
406 - else if (!((cert->ex_flags & EXFLAG_KUSAGE) &&
407 - (cert->ex_kusage & KU_CRL_SIGN)))
408 + else if (!((ex_flags & EXFLAG_KUSAGE) &&
409 + (ex_kusage & KU_CRL_SIGN)))
410 {
411 debug("Certificate not allowed to sign CRLs! (%s %s)\n",
412 - (cert->ex_flags & EXFLAG_KUSAGE),
413 - (cert->ex_kusage & KU_CRL_SIGN));
414 + (ex_flags & EXFLAG_KUSAGE),
415 + (ex_kusage & KU_CRL_SIGN));
416 return false;
417 }
418 #endif
419 @@ -454,7 +458,6 @@ WvString WvX509Mgr::sign(WvBuf &data) const
420 {
421 assert(rsa);
422
423 - EVP_MD_CTX sig_ctx;
424 unsigned char sig_buf[4096];
425
426 EVP_PKEY *pk = EVP_PKEY_new();
427 @@ -467,20 +470,22 @@ WvString WvX509Mgr::sign(WvBuf &data) const
428 return WvString::null;
429 }
430
431 - EVP_SignInit(&sig_ctx, EVP_sha1());
432 - EVP_SignUpdate(&sig_ctx, data.peek(0, data.used()), data.used());
433 + EVP_MD_CTX *sig_ctx = EVP_MD_CTX_new();
434 + EVP_SignInit(sig_ctx, EVP_sha1());
435 + EVP_SignUpdate(sig_ctx, data.peek(0, data.used()), data.used());
436 unsigned int sig_len = sizeof(sig_buf);
437 - int sig_err = EVP_SignFinal(&sig_ctx, sig_buf,
438 + int sig_err = EVP_SignFinal(sig_ctx, sig_buf,
439 &sig_len, pk);
440 if (sig_err != 1)
441 {
442 debug("Error while signing.\n");
443 EVP_PKEY_free(pk);
444 + EVP_MD_CTX_free(sig_ctx);
445 return WvString::null;
446 }
447
448 EVP_PKEY_free(pk);
449 - EVP_MD_CTX_cleanup(&sig_ctx); // this isn't my fault ://
450 + EVP_MD_CTX_free(sig_ctx); // this isn't my fault ://
451 WvDynBuf buf;
452 buf.put(sig_buf, sig_len);
453 debug("Signature size: %s\n", buf.used());
454 diff --git a/include/wvdiffiehellman.h b/include/wvdiffiehellman.h
455 index af75ffa..a2d001f 100644
456 --- a/include/wvdiffiehellman.h
457 +++ b/include/wvdiffiehellman.h
458 @@ -27,7 +27,7 @@ public:
459 bool create_secret(WvBuf &inbuf, size_t in_len, WvBuf& outbuf);
460
461 protected:
462 - struct dh_st *info;
463 + DH *info;
464 BN_ULONG generator;
465
466 private:
467 diff --git a/include/wvdigest.h b/include/wvdigest.h
468 index fdc39bd..f2eed40 100644
469 --- a/include/wvdigest.h
470 +++ b/include/wvdigest.h
471 @@ -9,10 +9,8 @@
472
473 #include "wvencoder.h"
474 #include <stdint.h>
475 +#include <openssl/evp.h>
476
477 -struct env_md_st;
478 -struct env_md_ctx_st;
479 -struct hmac_ctx_st;
480
481 /**
482 * Superclass for all message digests.
483 @@ -45,8 +43,8 @@ public:
484 class WvEVPMDDigest : public WvDigest
485 {
486 friend class WvHMACDigest;
487 - const env_md_st *evpmd;
488 - env_md_ctx_st *evpctx;
489 + const EVP_MD *evpmd;
490 + EVP_MD_CTX *evpctx;
491 bool active;
492
493 public:
494 @@ -54,13 +52,13 @@ public:
495 virtual size_t digestsize() const;
496
497 protected:
498 - WvEVPMDDigest(const env_md_st *_evpmd);
499 + WvEVPMDDigest(const EVP_MD *_evpmd);
500 virtual bool _encode(WvBuf &inbuf, WvBuf &outbuf,
501 bool flush); // consumes input
502 virtual bool _finish(WvBuf &outbuf); // outputs digest
503 virtual bool _reset(); // supported: resets digest value
504
505 - const env_md_st *getevpmd()
506 + const EVP_MD *getevpmd()
507 { return evpmd; }
508
509 private:
510 @@ -104,7 +102,7 @@ class WvHMACDigest : public WvDigest
511 WvEVPMDDigest *digest;
512 unsigned char *key;
513 size_t keysize;
514 - hmac_ctx_st *hmacctx;
515 + HMAC_CTX *hmacctx;
516 bool active;
517
518 public:
519 diff --git a/include/wvtripledes.h b/include/wvtripledes.h
520 index 185fe8a..a442e7a 100644
521 --- a/include/wvtripledes.h
522 +++ b/include/wvtripledes.h
523 @@ -70,11 +70,11 @@ protected:
524
525 private:
526 Mode mode;
527 - des_cblock key;
528 - des_key_schedule deskey1;
529 - des_key_schedule deskey2;
530 - des_key_schedule deskey3;
531 - des_cblock ivec; // initialization vector
532 + DES_cblock key;
533 + DES_key_schedule deskey1;
534 + DES_key_schedule deskey2;
535 + DES_key_schedule deskey3;
536 + DES_cblock ivec; // initialization vector
537 int ivecoff; // current offset into initvec
538 };
539
Automatic import of svn 'community' repo (read-only mirror)