
Fix build with OpenSSL 1.1.x.

Hiroki Sato 2019-03-17 11:28:18 +00:00
parent bdb1eb0601
commit a27ed4e6a9
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=496045
21 changed files with 1014 additions and 20 deletions


@ -3,10 +3,9 @@
PORTNAME= send
PORTVERSION= 0.3
DISTVERSIONPREFIX= v
PORTREVISION= 2
CATEGORIES= net-mgmt ipv6
MASTER_SITES= LOCAL/hrs
DISTNAME= ${PORTNAME}_${PORTVERSION}
MAINTAINER= hrs@FreeBSD.org
COMMENT= Secure Neighbor Discovery implementation for IPv6
@ -17,7 +16,11 @@ LICENSE_FILE= ${WRKSRC}/LICENSE
LIB_DEPENDS= libdnet.so:net/libdnet
USES= gmake readline ssl
USE_GITHUB= yes
GH_ACCOUNT= hrs-allbsd
GH_PROJECT= send
USE_RC_SUBR= sendd
SUB_FILES= pkg-message
PORTDOCS= README UserGuide.pdf
MAKE_JOBS_UNSAFE=yes


@ -1,2 +1,3 @@
SHA256 (send_0.3.tar.gz) = abe217c24f8f711124da74eb24342ee27a195e8102bed3e60d426607532ff76b
SIZE (send_0.3.tar.gz) = 1272983
TIMESTAMP = 1551288169
SHA256 (hrs-allbsd-send-v0.3_GH0.tar.gz) = 527542b24fa2009e0cc99a85fd423215782ced69c427454727172745c7fbae92
SIZE (hrs-allbsd-send-v0.3_GH0.tar.gz) = 1313559


@ -1,5 +1,5 @@
--- Makefile.install.orig 2010-08-28 17:58:05.000000000 +0900
+++ Makefile.install 2014-08-20 04:27:44.000000000 +0900
--- Makefile.install.orig 2019-02-27 16:25:45 UTC
+++ Makefile.install
@@ -1,9 +1,9 @@
-INSSBIN= $(PREFIXSBIN)/$(PROG)
+INSSBIN= $(DESTDIR)$(PREFIXSBIN)/$(PROG)


@ -1,5 +1,5 @@
--- include/cga_keyutils.h.orig 2010-08-28 17:58:02.000000000 +0900
+++ include/cga_keyutils.h 2014-08-30 01:53:41.000000000 +0900
--- include/cga_keyutils.h.orig 2019-02-27 16:25:45 UTC
+++ include/cga_keyutils.h
@@ -36,6 +36,9 @@
#include <openssl/x509.h>
#include <openssl/evp.h>


@ -0,0 +1,33 @@
--- include/pkixip_ext.h.orig 2019-02-27 16:25:45 UTC
+++ include/pkixip_ext.h
@@ -47,14 +47,30 @@ struct pkixip_config {
char *certfile;
};
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern int pkixip_aor_cmp(const char * const *, const char * const *);
extern int pkixip_ipf_cmp(const char * const *, const char * const *);
+#else
+extern int pkixip_aor_cmp(const IPAddressOrRange * const *,
+ const IPAddressOrRange * const *);
+extern int pkixip_ipf_cmp(const IPAddressFamily * const *,
+ const IPAddressFamily * const *);
+#endif
extern int pkixip_add2stores_cert(X509 *);
extern int pkixip_add2stores_file(const char *);
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern int pkixip_add_store(int *, int (*cmp)(X509_OBJECT **, X509_OBJECT **));
+#else
+extern int pkixip_add_store(int *, int (*cmp)(const X509_OBJECT * const *, const X509_OBJECT * const *));
+#endif
extern void *pkixip_find_cert(void *, int);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
extern STACK *pkixip_get_mychain(void);
+#else
+extern STACK_OF(X509_OBJECT) *pkixip_get_mychain(void);
+#endif
extern X509_STORE_CTX *pkixip_get_store_ctx(void);
extern int pkixip_has_ext(X509 *x);
extern X509 *pkixip_load_cert(const char *);
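Review bot: The OpenSSL 1.1 declaration `extern STACK_OF(X509_OBJECT) *pkixip_get_mychain(void);` names the wrong element type, as far as the rest of this commit shows. In x509.c the stack is created by duplicating `X509_STORE_CTX_get0_chain(ctx)`, which is a stack of `X509`, and cpa.c reads it back with `sk_X509_value()`. Declaring it as `extern STACK_OF(X509) *pkixip_get_mychain(void);` and using the `sk_X509_*` accessors on it would let the compiler check those call sites instead of relying on the casts inside the typed-stack wrappers.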


@ -1,4 +1,4 @@
--- include/pkixip_ext_asn.h.orig 2010-08-28 08:58:02 UTC
--- include/pkixip_ext_asn.h.orig 2019-02-27 16:25:45 UTC
+++ include/pkixip_ext_asn.h
@@ -33,7 +33,12 @@
#ifndef _PKIXIP_EXT_ASN_H
@ -31,4 +31,3 @@
#define IP_AOR_PREFIX 0
#define IP_AOR_RANGE 1


@ -1,5 +1,5 @@
--- libs/Makefile.lib.common.orig 2014-08-20 04:21:08.000000000 +0900
+++ libs/Makefile.lib.common 2014-08-20 04:21:27.000000000 +0900
--- libs/Makefile.lib.common.orig 2019-02-27 16:25:45 UTC
+++ libs/Makefile.lib.common
@@ -1,5 +1,5 @@
-CFLAGS += -Wall -O3


@ -0,0 +1,19 @@
--- libs/libcga/cga_keyutils.c.orig 2019-02-27 16:25:45 UTC
+++ libs/libcga/cga_keyutils.c
@@ -45,6 +45,7 @@
#include <pthread.h>
#include <openssl/err.h>
#include <openssl/pem.h>
+#include <openssl/x509.h>
#include "config.h"
#include <applog.h>
@@ -80,7 +81,7 @@ cga_load_cert(cga_ctx_t *cga, const char *f)
goto fail;
}
- k = X509_PUBKEY_get(x->cert_info->key);
+ k = X509_PUBKEY_get(X509_get_X509_PUBKEY(x));
if (cga->key && cga->free_key) {
free(cga->key);


@ -0,0 +1,54 @@
--- libs/libcga/cga_mt.c.orig 2019-02-27 16:25:45 UTC
+++ libs/libcga/cga_mt.c
@@ -77,10 +77,10 @@ SPIN(void)
static int
add_mod(uint8_t *m, uint32_t s)
{
- BIGNUM bn[1], *bnp;
+ BIGNUM *bn, *bnp;
int blen;
- BN_init(bn);
+ bn = BN_new();
if ((bnp = BN_bin2bn(m, CGA_MODLEN, bn)) == NULL) {
ssl_err(__FUNCTION__, "BN_bin2bin failed");
return (-1);
@@ -88,6 +88,7 @@ add_mod(uint8_t *m, uint32_t s)
BN_add_word(bnp, s);
blen = BN_num_bytes(bnp);
BN_bn2bin(bnp, m + (CGA_MODLEN - blen));
+ BN_free(bn);
return (0);
}
@@ -177,12 +178,16 @@ done:
static void
opssec(struct timeval *start, uint8_t *startmod)
{
- BIGNUM sm[1], em[1], ops[1], t[1], dv[1];
+ BIGNUM *sm, *em, *ops, *t, *dv;
BN_CTX *bc;
struct timeval tv[1];
char *dec;
- BN_init(sm); BN_init(em); BN_init(ops); BN_init(t); BN_init(dv);
+ sm = BN_new();
+ em = BN_new();
+ ops = BN_new();
+ t = BN_new();
+ dv = BN_new();
BN_bin2bn(startmod, CGA_MODLEN, sm);
BN_bin2bn(state->mod, CGA_MODLEN, em);
BN_sub(ops, em, sm);
@@ -210,6 +215,11 @@ opssec(struct timeval *start, uint8_t *startmod)
OPENSSL_free(dec);
BN_CTX_free(bc);
+ BN_free(sm);
+ BN_free(em);
+ BN_free(ops);
+ BN_free(t);
+ BN_free(dv);
}
void
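Review bot: In add_mod() the `return (-1)` taken when `BN_bin2bn()` fails exits without releasing `bn`, so the new heap allocation leaks on that path; add `BN_free(bn);` before the return. The result of `BN_new()` is also unchecked there and for the five allocations in opssec(), where the return values of `BN_bin2bn()` are ignored as well. In opssec() a single test such as `if (sm == NULL || em == NULL || ops == NULL || t == NULL || dv == NULL)` that jumps to the `BN_free()` calls would cover the allocations. opssec()'s body is only partly visible in these hunks.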


@ -0,0 +1,25 @@
--- libs/libpkixipext/asn1.c.orig 2019-02-27 16:25:45 UTC
+++ libs/libpkixipext/asn1.c
@@ -187,9 +187,8 @@ i2v_IPAddressChoice(X509V3_EXT_METHOD *method, IPAddre
break;
case IPA_CHOICE_AOR:
X509V3_add_value(" Prefix or Range", NULL, &extlist);
- for (i = 0; i < sk_num(ipc->u.addressesOrRanges); i++) {
- aor = (IPAddressOrRange *)
- sk_value(ipc->u.addressesOrRanges, i);
+ for (i = 0; i < sk_IPAddressOrRange_num(ipc->u.addressesOrRanges); i++) {
+ aor = sk_IPAddressOrRange_value(ipc->u.addressesOrRanges, i);
i2v_IPAddressOrRange(method, aor, extlist, af);
}
break;
@@ -265,8 +264,8 @@ i2v_IPAddrBlocks(X509V3_EXT_METHOD *method, IPAddrBloc
return (NULL);
}
- for (i = 0; i < sk_num(ipb); i++) {
- ipf = (IPAddressFamily *)sk_value(ipb, i);
+ for (i = 0; i < sk_IPAddressFamily_num(ipb); i++) {
+ ipf = sk_IPAddressFamily_value(ipb, i);
i2v_IPAddressFamily(method, ipf, extlist);
}


@ -0,0 +1,31 @@
--- libs/libpkixipext/pkixip_ext_gram.y.orig 2019-02-27 16:25:45 UTC
+++ libs/libpkixipext/pkixip_ext_gram.y
@@ -350,7 +350,7 @@ new_aor(void)
if (!ipc->u.addressesOrRanges &&
!(ipc->u.addressesOrRanges =
- sk_new(pkixip_aor_cmp))) {
+ sk_IPAddressOrRange_new(pkixip_aor_cmp))) {
applog(LOG_CRIT, "no memory");
return (-1);
}
@@ -361,7 +361,7 @@ new_aor(void)
applog(LOG_CRIT, "%s: no memory", __FUNCTION__);
return (-1);
}
- if (!sk_push(ipc->u.addressesOrRanges, (char *)aor)) {
+ if (!sk_IPAddressOrRange_push(ipc->u.addressesOrRanges, (char *)aor)) {
applog(LOG_CRIT, "sk_push() failed");
return (-1);
}
@@ -459,8 +459,8 @@ af_already_exists(void)
int i;
IPAddressFamily *e_ipf;
- for (i = 0; i < sk_num(parse_ipb); i++) {
- e_ipf = (IPAddressFamily *)sk_value(parse_ipb, i);
+ for (i = 0; i < sk_IPAddressFamily_num(parse_ipb); i++) {
+ e_ipf = sk_IPAddressFamily_value(parse_ipb, i);
if (af_match(ipf, e_ipf)) {
return (1);
}
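Review bot: The converted call `sk_IPAddressOrRange_push(ipc->u.addressesOrRanges, (char *)aor)` in new_aor() still carries the `(char *)` cast from the untyped `sk_push()` API. The typed accessor takes an `IPAddressOrRange *`, so the cast turns a checked argument into an incompatible-pointer conversion; `sk_IPAddressOrRange_push(ipc->u.addressesOrRanges, aor)` is enough. The log text `"sk_push() failed"` on the following line could name the new function as well.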


@ -0,0 +1,30 @@
--- libs/libpkixipext/util.c.orig 2019-02-27 16:25:45 UTC
+++ libs/libpkixipext/util.c
@@ -37,8 +37,13 @@
#include "config.h"
#include "pkixip_ext_asn.h"
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int
pkixip_aor_cmp(const char * const *a1, const char * const *a2)
+#else
+int
+pkixip_aor_cmp(const IPAddressOrRange * const *a1, const IPAddressOrRange * const *a2)
+#endif
{
int by1, by2, bi1, bi2, bytes, bits;
uint8_t *d1, *d2, x1, x2, mask;
@@ -119,8 +124,13 @@ pkixip_aor_cmp(const char * const *a1, const char * co
return (0);
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int
pkixip_ipf_cmp(const char * const *a1, const char * const *a2)
+#else
+int
+pkixip_ipf_cmp(const IPAddressFamily * const *a1, const IPAddressFamily * const *a2)
+#endif
{
IPAddressFamily *ipf1 = (IPAddressFamily *)*a1;
IPAddressFamily *ipf2 = (IPAddressFamily *)*a2;


@ -0,0 +1,240 @@
--- libs/libpkixipext/ver.c.orig 2019-02-27 16:25:45 UTC
+++ libs/libpkixipext/ver.c
@@ -101,11 +101,15 @@ static int
in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1, ASN1_BIT_STRING *min2,
ASN1_BIT_STRING *max2, int af)
{
- BIGNUM bpmin[1], bpmax[1], bmin[1], bmax[1];
- int alen, len, bits;
+ BIGNUM *bpmin, *bpmax, *bmin, *bmax;
+ int alen, len, bits, ret;
uint8_t mask, buf[sizeof (struct in6_addr)];
- BN_init(bpmin); BN_init(bpmax); BN_init(bmin); BN_init(bmax);
+ bpmin = BN_new();
+ bpmax = BN_new();
+ bmin = BN_new();
+ bmax = BN_new();
+ ret = 0;
switch (af) {
case AF_INET:
alen = sizeof (struct in_addr);
@@ -115,14 +119,14 @@ in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1,
break;
default:
DBG(&dbg_ver, "Unsupported AF");
- return (0);
+ goto end;
}
len = min1->length < alen ? min1->length : alen;
memset(buf, 0, sizeof (buf));
memcpy(buf, min1->data, len);
if (!BN_bin2bn(buf, alen, bpmin)) {
- return (0);
+ goto end;
}
len = max1->length < alen ? max1->length : alen;
@@ -135,14 +139,14 @@ in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1,
buf[len - 1] |= mask;
}
if (!BN_bin2bn(buf, alen, bpmax)) {
- return (0);
+ goto end;
}
len = min2->length < alen ? min2->length : alen;
memset(buf, 0, sizeof (buf));
memcpy(buf, min2->data, len);
if (!BN_bin2bn(buf, alen, bmin)) {
- return (0);
+ goto end;
}
len = max2->length < alen ? max2->length : alen;
@@ -155,18 +159,24 @@ in_range(ASN1_BIT_STRING *min1, ASN1_BIT_STRING *max1,
buf[len - 1] |= mask;
}
if (!BN_bin2bn(buf, alen, bmax)) {
- return (0);
+ goto end;
}
/* bmin <= bpmin <= bpmax <= bmax. We already know bpmin <= bpmax */
if (BN_cmp(bmin, bpmin) == 1) {
- return (0);
+ goto end;
}
if (BN_cmp(bpmax, bmax) == 1) {
- return (0);
+ goto end;
}
+ ret = 1;
+end:
+ BN_free(bpmin);
+ BN_free(bpmax);
+ BN_free(bmin);
+ BN_free(bmax);
- return (1);
+ return (ret);
}
static int
@@ -247,16 +257,14 @@ af_cmp(IPAddressFamily *ipf1, IPAddressFamily *ipf2)
}
DBG(&dbg_ver, "Pre-cmp ipc AOR count: %d",
- sk_num(ipc1->u.addressesOrRanges));
+ sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges));
- for (i = 0; i < sk_num(ipc1->u.addressesOrRanges); i++) {
- aor1 =
- (IPAddressOrRange *)sk_value(ipc1->u.addressesOrRanges, i);
- for (j = 0; j < sk_num(ipc2->u.addressesOrRanges); j++) {
- aor2 = (IPAddressOrRange *)
- sk_value(ipc2->u.addressesOrRanges, j);
+ for (i = 0; i < sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges); i++) {
+ aor1 = sk_IPAddressOrRange_value(ipc1->u.addressesOrRanges, i);
+ for (j = 0; j < sk_IPAddressOrRange_num(ipc2->u.addressesOrRanges); j++) {
+ aor2 = sk_IPAddressOrRange_value(ipc2->u.addressesOrRanges, j);
if (aor_match(aor1, aor2, af) == 0) {
- sk_delete(ipc1->u.addressesOrRanges, i--);
+ sk_IPAddressOrRange_delete(ipc1->u.addressesOrRanges, i--);
IPAddressOrRange_free(aor1);
break;
}
@@ -264,9 +272,9 @@ af_cmp(IPAddressFamily *ipf1, IPAddressFamily *ipf2)
}
DBG(&dbg_ver, "Post-cmp ipc AOR count: %d",
- sk_num(ipc1->u.addressesOrRanges));
+ sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges));
- if (sk_num(ipc1->u.addressesOrRanges) == 0) {
+ if (sk_IPAddressOrRange_num(ipc1->u.addressesOrRanges) == 0) {
return (0);
}
@@ -307,7 +315,7 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
IPAddressFamily *ipf1, *ipf2;
int i, j, inherit = 0;
- DBG(&dbg_ver, "vipb stack cnt: %d idx: %d", sk_num(vipb), idx);
+ DBG(&dbg_ver, "vipb stack cnt: %d idx: %d", sk_IPAddressFamily_num(vipb), idx);
ipb = X509_get_ext_d2i(x, pkix_ip_ext_method.ext_nid, NULL, NULL);
if (!ipb) {
@@ -315,18 +323,18 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
return (-1);
}
- for (i = 0; i < sk_num(vipb); i++) {
- ipf1 = (IPAddressFamily *)sk_value(vipb, i);
+ for (i = 0; i < sk_IPAddressFamily_num(vipb); i++) {
+ ipf1 = sk_IPAddressFamily_value(vipb, i);
/* Ignore inherits in vipb */
if (is_inherit(ipf1)) {
- sk_delete(vipb, i--);
+ sk_IPAddressFamily_delete(vipb, i--);
IPAddressFamily_free(ipf1);
continue;
}
- for (j = 0; j < sk_num(ipb); j++) {
- ipf2 = (IPAddressFamily *)sk_value(ipb, j);
+ for (j = 0; j < sk_IPAddressFamily_num(ipb); j++) {
+ ipf2 = sk_IPAddressFamily_value(ipb, j);
if (af_match(ipf1, ipf2)) {
/*
* Inherits in ipb need to be checked
@@ -338,7 +346,7 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
}
if (af_cmp(ipf1, ipf2) == 0) {
- sk_delete(vipb, i--);
+ sk_IPAddressFamily_delete(vipb, i--);
IPAddressFamily_free(ipf1);
break;
}
@@ -346,18 +354,18 @@ verify_ipext_cert(X509_STORE_CTX *ctx, int idx, X509 *
}
}
- if (!inherit || (++idx) == sk_num(ctx->chain)) {
+ if (!inherit || (++idx) == sk_num(X509_STORE_CTX_get_chain(ctx))) {
/* end of the line */
goto done;
}
- x = (X509 *)sk_value(ctx->chain, idx);
+ x = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), idx);
verify_ipext_cert(ctx, idx, x, vipb);
done:
IPAddrBlocks_free(ipb);
/* If the vipb stack is now empty all ipf's matched */
- if (sk_num(vipb) != 0) {
+ if (sk_IPAddressFamily_num(vipb) != 0) {
return (-1);
}
@@ -376,13 +384,13 @@ verify_ipext(X509_STORE_CTX *ctx, IPAddrBlocks *vipb)
i2v_IPAddrBlocks(NULL, vipb, NULL), 8, 1);
#endif
- if (sk_num(vipb) == 0) {
+ if (sk_IPAddressFamily_num(vipb) == 0) {
DBG(&dbg_ver, "IPAddrBlock empty; rejecting");
return (-1);
}
- for (i = 0; i < sk_num(ctx->chain); i++) {
- x = (X509 *)sk_value(ctx->chain, i);
+ for (i = 0; i < sk_num(X509_STORE_CTX_get_chain(ctx)); i++) {
+ x = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), i);
DBG(&dbg_ver, "%s",
X509_NAME_oneline(X509_get_subject_name(x), nbuf,
@@ -391,7 +399,7 @@ verify_ipext(X509_STORE_CTX *ctx, IPAddrBlocks *vipb)
if (verify_ipext_cert(ctx, i, x, vipb) < 0) {
return (-1);
}
- if (sk_num(vipb) == 0) {
+ if (sk_IPAddressFamily_num(vipb) == 0) {
break;
}
}
@@ -408,9 +416,9 @@ verify_ipext_chain(X509_STORE_CTX *ctx)
DBG(&dbg_ver, "Verifying IP Exts in the certificate chain");
- for (i = 1; i < sk_num(ctx->chain); i++) {
- vx = (X509 *)sk_value(ctx->chain, i - 1);
- x = (X509 *)sk_value(ctx->chain, i);
+ for (i = 1; i < sk_num(X509_STORE_CTX_get_chain(ctx)); i++) {
+ vx = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), i - 1);
+ x = (X509 *)sk_value(X509_STORE_CTX_get_chain(ctx), i);
DBG(&dbg_ver, "%s",
X509_NAME_oneline(X509_get_subject_name(vx), nbuf,
@@ -446,7 +454,7 @@ pkixip_verify_cb(int ok, X509_STORE_CTX *ctx)
X509_NAME_oneline(X509_get_subject_name(x), nbuf, sizeof (nbuf));
#endif
if (!ok) {
- if (ctx->error == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) {
+ if (X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION) {
/*
* OpenSSL doesn't explicitly support PKIX IP Ext,
* so it throws this error when it encounters the
@@ -458,7 +466,7 @@ pkixip_verify_cb(int ok, X509_STORE_CTX *ctx)
} else {
DBG(&dbg_ver, "Not OK at %s", nbuf);
DBG(&dbg_ver, "%s",
- X509_verify_cert_error_string(ctx->error));
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)));
}
} else {
DBG(&dbg_ver, "OK at %s", nbuf);
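Review bot: in_range() uses the four `BN_new()` results without checking them, and this function decides whether one certificate's address range lies inside another's. As I read the OpenSSL API, `BN_bin2bn()` allocates a fresh BIGNUM when its last argument is NULL, so a failed `BN_new()` is not caught by the existing `if (!BN_bin2bn(...))` tests. `BN_cmp()` then compares NULL operands instead of reporting an error, and two NULLs compare equal, which reaches `ret = 1`. Add `if (bpmin == NULL || bpmax == NULL || bmin == NULL || bmax == NULL) goto end;` right after the allocations so that an allocation failure rejects the range.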


@ -0,0 +1,310 @@
--- libs/libpkixipext/x509.c.orig 2019-02-27 16:25:45 UTC
+++ libs/libpkixipext/x509.c
@@ -57,34 +57,54 @@ static char nbuf[1024];
extern int pkixip_verify_cb(int, X509_STORE_CTX *);
X509V3_EXT_METHOD pkix_ip_ext_method = {
- ext_flags : X509V3_EXT_MULTILINE,
- it : ASN1_ITEM_ref(IPAddrBlocks),
- i2v : (X509V3_EXT_I2V)i2v_IPAddrBlocks,
+ .ext_flags = X509V3_EXT_MULTILINE,
+ .it = ASN1_ITEM_ref(IPAddrBlocks),
+ .i2v = (X509V3_EXT_I2V)i2v_IPAddrBlocks,
};
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
static STACK *stores[PKIXIP_MAX_STORES];
+#else
+static STACK_OF(X509_OBJECT) *stores[PKIXIP_MAX_STORES];
+#endif
static X509_STORE_CTX *ctx_bysubj;
static int next_store = 1;
static void *(*wrap_store_cert)(X509 *x);
static void (*trustanchor_cb)(X509 *x);
pthread_mutex_t stores_lock = PTHREAD_MUTEX_INITIALIZER;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
static STACK *mychain;
+#else
+static STACK_OF(X509_OBJECT) *mychain;
+#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get_type(a) ((a)->type)
+#define X509_OBJECT_get0_X509(a) ((a)->data.x509)
+#define X509_OBJECT_get0_X509_CRL(a) ((a)->data.crl)
+#define X509_STORE_get0_objects(a) ((a)->objs)
+#define X509_STORE_CTX_get0_chain(a) ((a)->chain)
+#endif
/* Lifted from openssl x509_lu.c */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
static int
x509_object_cmp(X509_OBJECT **a, X509_OBJECT **b)
+#else
+static int
+x509_object_cmp(const X509_OBJECT * const *a, const X509_OBJECT * const *b)
+#endif
{
int ret;
- ret=((*a)->type - (*b)->type);
+ ret=(X509_OBJECT_get_type(*a) - X509_OBJECT_get_type(*b));
if (ret) return ret;
- switch ((*a)->type) {
+ switch (X509_OBJECT_get_type(*a)) {
case X509_LU_X509:
- ret=X509_subject_name_cmp((*a)->data.x509,(*b)->data.x509);
+ ret=X509_subject_name_cmp(X509_OBJECT_get0_X509(*a),X509_OBJECT_get0_X509(*b));
break;
case X509_LU_CRL:
- ret=X509_CRL_cmp((*a)->data.crl,(*b)->data.crl);
+ ret=X509_CRL_cmp(X509_OBJECT_get0_X509_CRL(*a),X509_OBJECT_get0_X509_CRL(*b));
break;
default:
/* abort(); */
@@ -243,7 +263,11 @@ pkixip_load_pkey(const char *f)
return (pkey);
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
static STACK *
+#else
+static STACK_OF(X509_OBJECT) *
+#endif
pkixip_get_store(int handle)
{
if (handle >= PKIXIP_MAX_STORES || handle < 0) {
@@ -257,7 +281,11 @@ pkixip_get_store(int handle)
void
pkixip_walk_store(int (*cb)(X509 *, void *), void *cookie, int handle)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
STACK *objs;
+#else
+ STACK_OF(X509_OBJECT) *objs;
+#endif
int i;
X509_OBJECT *xo;
@@ -266,12 +294,16 @@ pkixip_walk_store(int (*cb)(X509 *, void *), void *coo
goto done;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
for (i = 0; i < sk_num(objs); i++) {
+#else
+ for (i = 0; i < sk_X509_OBJECT_num(objs); i++) {
+#endif
xo = sk_X509_OBJECT_value(objs, i);
- if (xo->type != X509_LU_X509) {
+ if (X509_OBJECT_get_type(xo) != X509_LU_X509) {
continue;
}
- if (!cb(xo->data.x509, cookie)) {
+ if (!cb(X509_OBJECT_get0_X509(xo), cookie)) {
break;
}
}
@@ -282,7 +314,11 @@ done:
void *
pkixip_find_cert(void *k, int handle)
{
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
STACK *store;
+#else
+ STACK_OF(X509_OBJECT) *store;
+#endif
int i;
void *r = NULL;
@@ -291,11 +327,19 @@ pkixip_find_cert(void *k, int handle)
goto done;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if ((i = sk_find(store, k)) < 0) {
+#else
+ if ((i = sk_X509_OBJECT_find(store, k)) < 0) {
+#endif
goto done;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
r = sk_value(store, i);
+#else
+ r = sk_X509_OBJECT_value(store, i);
+#endif
done:
pthread_mutex_unlock(&stores_lock);
@@ -304,8 +348,13 @@ done:
/* Caller must hold stores_lock */
static int
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
pkixip_do_add_store(int handle, int (*cmp)(X509_OBJECT **, X509_OBJECT **),
STACK *objs)
+#else
+pkixip_do_add_store(int handle, int (*cmp)(const X509_OBJECT * const *, X509_OBJECT * const *),
+ STACK_OF(X509_OBJECT) *objs)
+#endif
{
if (objs == NULL && (objs = sk_X509_OBJECT_new(cmp)) == NULL) {
applog(LOG_CRIT, "no memory");
@@ -316,8 +365,13 @@ pkixip_do_add_store(int handle, int (*cmp)(X509_OBJECT
return (0);
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
int
pkixip_add_store(int *handle, int (*cmp)(X509_OBJECT **, X509_OBJECT **))
+#else
+int
+pkixip_add_store(int *handle, int (*cmp)(const X509_OBJECT * const *, const X509_OBJECT * const *))
+#endif
{
int r = 0;
@@ -369,7 +423,7 @@ pkixip_get_store_ctx(void)
}
pthread_mutex_lock(&stores_lock);
- if (pkixip_do_add_store(PKIXIP_STORE_BYSUBJ, x509_object_cmp, st->objs)
+ if (pkixip_do_add_store(PKIXIP_STORE_BYSUBJ, x509_object_cmp, X509_STORE_get0_objects(st))
< 0) {
X509_STORE_free(st);
X509_STORE_CTX_free(ctx_bysubj);
@@ -396,17 +450,24 @@ pkixip_store_ctx_light_cleanup(X509_STORE_CTX *ctx)
{
// X509_STORE_CTX_cleanup(ctx);
- if (ctx->chain != NULL) {
- sk_X509_pop_free(ctx->chain, noop_free);
+ if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
+ sk_X509_pop_free(X509_STORE_CTX_get0_chain(ctx), noop_free);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ctx->chain=NULL;
+#endif
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
&(ctx->ex_data));
memset(&ctx->ex_data,0,sizeof(CRYPTO_EX_DATA));
+#else
+ CRYPTO_free_ex_data(CRYPTO_EX_INDEX_X509_STORE_CTX, ctx,
+ X509_STORE_CTX_get_app_data(ctx));
+#endif
#if 0
- while (sk_num(ctx->chain) > 0) {
- sk_pop(ctx->chain);
+ while (sk_num(X509_STORE_CTX_get0_chain(ctx)) > 0) {
+ sk_pop(X509_STORE_CTX_get0_chain(ctx));
}
#endif
}
@@ -445,10 +506,19 @@ pkixip_add2stores_cert(X509 *x)
int i, r = 0;
X509_STORE_CTX *ctx;
void *wrapper;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
X509_OBJECT o[1];
+#else
+ X509_OBJECT *o;
- if ((ctx = pkixip_get_store_ctx()) == NULL) {
+ o = X509_OBJECT_new();
+ if (o == NULL)
return (-1);
+#endif
+
+ if ((ctx = pkixip_get_store_ctx()) == NULL) {
+ r = -1;
+ goto done2;
}
pthread_mutex_lock(&stores_lock);
@@ -459,7 +529,11 @@ pkixip_add2stores_cert(X509 *x)
goto done;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if (X509_STORE_add_cert(ctx->ctx, x) != 1) {
+#else
+ if (X509_STORE_add_cert(X509_STORE_CTX_get0_store(ctx), x) != 1) {
+#endif
pkixip_ssl_err(__FUNCTION__, "X509_STORE_add_cert() failed");
r = -1;
goto done;
@@ -467,7 +541,8 @@ pkixip_add2stores_cert(X509 *x)
if (wrap_store_cert) {
if ((wrapper = wrap_store_cert(x)) == NULL) {
- return (-1);
+ r = -1;
+ goto done2;
}
} else {
wrapper = x;
@@ -475,7 +550,11 @@ pkixip_add2stores_cert(X509 *x)
for (i = 1; i < PKIXIP_MAX_STORES; i++) {
if (stores[i]) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
sk_push(stores[i], wrapper);
+#else
+ sk_X509_OBJECT_push(stores[i], wrapper);
+#endif
}
}
@@ -484,6 +563,10 @@ pkixip_add2stores_cert(X509 *x)
done:
pthread_mutex_unlock(&stores_lock);
+done2:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ free(o);
+#endif
return (r);
}
@@ -523,14 +606,26 @@ pkixip_my_chain_init(X509 *mycert)
}
if (mychain != NULL) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
sk_free(mychain);
+#else
+ sk_X509_OBJECT_free(mychain);
+#endif
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
if ((mychain = sk_dup(ctx->chain)) == NULL) {
+#else
+ if ((mychain = sk_X509_OBJECT_dup(X509_STORE_CTX_get0_chain(ctx))) == NULL) {
+#endif
APPLOG_NOMEM();
r = -1;
goto done;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
sk_set_cmp_func(mychain, x509_bysubj_cmp);
+#else
+ sk_X509_OBJECT_set_cmp_func(mychain, x509_bysubj_cmp);
+#endif
DBG(&dbg_x509, "mychain verified and set");
done:
@@ -538,7 +633,11 @@ done:
return (r);
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
STACK *
+#else
+STACK_OF(X509_OBJECT) *
+#endif
pkixip_get_mychain(void)
{
return (mychain);
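Review bot: On OpenSSL 1.1 pkixip_store_ctx_light_cleanup() passes `X509_STORE_CTX_get_app_data(ctx)` as the third argument of `CRYPTO_free_ex_data()`, which expects the context's `CRYPTO_EX_DATA *`; the macro returns the application pointer stored in slot 0, so the call operates on whatever that pointer is, or on NULL. In the same function the chain is released with `sk_X509_pop_free()` but `ctx->chain=NULL;` is compiled only for older OpenSSL, so the 1.1 context keeps a pointer to the freed stack. Both need a supported way to reset the context, for instance `X509_STORE_CTX_cleanup()` followed by re-initialisation, if its side effects are acceptable here. Separately, in pkixip_add2stores_cert() the `free(o)` at `done2` is guarded by `< 0x10100000L`, where `o` is the stack array `X509_OBJECT o[1]`, while the object from `X509_OBJECT_new()` is never released; the guard should be `>= 0x10100000L` with `X509_OBJECT_free(o);`. The `goto done2` taken when `wrap_store_cert()` fails also skips `pthread_mutex_unlock(&stores_lock)`, judging by the lock taken earlier in the function.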


@ -1,6 +1,6 @@
--- sendd/Makefile.orig 2014-08-20 04:19:01.000000000 +0900
+++ sendd/Makefile 2014-08-20 04:19:39.000000000 +0900
@@ -6,8 +6,8 @@
--- sendd/Makefile.orig 2019-02-27 16:25:45 UTC
+++ sendd/Makefile
@@ -6,8 +6,8 @@ OBJS= addr.o cert.o cga.o config.o cpa.o cps.o ctl.o n
sendd.o sigmeth.o sig_rfc3971.o
INC= sendd_local.h snd_proto.h snd_config.h


@ -0,0 +1,14 @@
--- sendd/cert.c.orig 2019-02-27 16:25:45 UTC
+++ sendd/cert.c
@@ -73,7 +73,11 @@ get_pubkeyhash(X509 *x, uint8_t *buf)
EVP_PKEY *k;
int dlen;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
k = X509_PUBKEY_get(x->cert_info->key);
+#else
+ k = X509_get_pubkey(x);
+#endif
if ((der = cga_key2der(k, &dlen)) == NULL) {
return (-1);
}
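Review bot: The version guard in get_pubkeyhash() is not needed: `X509_get_pubkey()` is also available before OpenSSL 1.1, so `k = X509_get_pubkey(x);` can replace both branches. The result is passed to `cga_key2der()` without a NULL test, and `X509_get_pubkey()` returns NULL for a certificate whose key it cannot decode; adding `if (k == NULL) return (-1);` would keep that case out of the helper, whose handling of NULL is not visible here. The returned key carries a reference, so it should be released with `EVP_PKEY_free(k)` once the DER copy exists, unless the rest of the function already does so.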


@ -0,0 +1,63 @@
--- sendd/cpa.c.orig 2019-02-27 16:25:45 UTC
+++ sendd/cpa.c
@@ -183,22 +183,23 @@ next:
}
static int
-can_handle_cps(uint8_t *ops, int len, STACK *chain, X509 **x)
+can_handle_cps(uint8_t *ops, int len, STACK_OF(X509_OBJECT) *chain, X509 **x)
{
int i, j, r = 0;
X509_NAME *dn;
- X509 x509_s;
- X509_CINF cinf_s;
- STACK *dchain;
+ X509 *x509_s;
+ STACK_OF(X509_OBJECT) *dchain;
STACK_OF(X509_NAME) *dns;
*x = NULL;
-
+ x509_s = X509_new();
+ if (x509_s == NULL)
+ return (1);
if ((dns = snd_get_trustanchors_from_opts(ops, len)) == NULL) {
return (1);
}
- if (sk_num(dns) == 0) {
- sk_free(dns);
+ if (sk_X509_NAME_num(dns) == 0) {
+ sk_X509_NAME_free(dns);
return (1);
}
@@ -209,24 +210,22 @@ can_handle_cps(uint8_t *ops, int len, STACK *chain, X5
* sorting (triggered by sk_find), and we need to chain order
* preserved so we can send out the certs in correct order.
*/
- if ((dchain = sk_dup(chain)) == NULL) {
+ if ((dchain = sk_X509_OBJECT_dup(chain)) == NULL) {
applog(LOG_CRIT, "%s: no memory", __FUNCTION__);
goto done;
}
- x509_s.cert_info= &cinf_s;
-
- for (i = 0; i < sk_num(dns); i++) {
+ for (i = 0; i < sk_X509_num(dns); i++) {
dn = sk_X509_NAME_value(dns, i);
- cinf_s.subject=dn;
+ X509_set_subject_name(x509_s, dn);
- if ((j = sk_X509_find(dchain, &x509_s)) >= 0) {
+ if ((j = sk_X509_NAME_find(dchain, x509_s)) >= 0) {
r = 1;
*x = sk_X509_value(dchain, j);
DBG(dbg, "found");
break;
}
}
- sk_free(dchain);
+ sk_X509_OBJECT_free(dchain);
done:
sk_X509_NAME_pop_free(dns, X509_NAME_free);
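Review bot: can_handle_cps() now allocates `x509_s` with `X509_new()` before the two early `return (1)` exits for a missing or empty trust-anchor list, and no `X509_free(x509_s)` appears in the hunks, so each such call leaks a certificate object. `ops` appears to be option data from a received solicitation, so the leak would be reachable from the network if the function runs once per message. Move the allocation below the `dns` checks and add `X509_free(x509_s);` under `done:`; the end of the function is outside the hunk. The loop bound `sk_X509_num(dns)` also uses the accessor for a different element type than the `STACK_OF(X509_NAME)` it is given, and `sk_X509_NAME_num(dns)` matches the declaration.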


@ -0,0 +1,42 @@
--- sendd/openssl.c.orig 2019-02-27 16:25:45 UTC
+++ sendd/openssl.c
@@ -57,6 +57,11 @@ struct dlog_desc dbg_cryptox = {
};
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_new(a) calloc(1, sizeof(X509_OBJECT))
+#define X509_OBJECT_get0_X509(a) ((a)->data.x509)
+#endif
+
static char nbuf[1024]; /* for displaying X509_NAMEs */
static pthread_mutex_t *lock_cs;
@@ -216,12 +221,17 @@ snd_have_chain(void *a)
X509_STORE_CTX *ctx = pkixip_get_store_ctx();
X509 *tx = a;
X509_NAME *subj, *iss;
- X509_OBJECT obj[1];
+ X509_OBJECT *obj;
if (ctx == NULL) {
DBG(&dbg_snd, "pkixip_get_store() failed");
return (0);
}
+ obj = X509_OBJECT_new();
+ if (obj == NULL) {
+ DBG(&dbg_snd, "pkixip_get_store() X509_OBJECT() failed");
+ return (0);
+ }
for (;;) {
subj = X509_get_subject_name(tx);
@@ -234,7 +244,7 @@ snd_have_chain(void *a)
X509_NAME_oneline(iss, nbuf, sizeof (nbuf)));
return (0);
}
- tx = obj->data.x509;
+ tx = X509_OBJECT_get0_X509(obj);
}
return (1);
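Review bot: snd_have_chain() allocates `obj` with `X509_OBJECT_new()` but none of the visible exits releases it: the `return (0)` inside the loop and the final `return (1)` both leave the object allocated. Add `X509_OBJECT_free(obj);` before each of them, with a matching pre-1.1 fallback next to the new `X509_OBJECT_new` define, since that fallback uses `calloc()`. The loop reuses the same `obj` for every lookup; if the lookup call, which is outside the hunk, stores a referenced certificate in it, each iteration would also need to drop the previous one. The debug text `"pkixip_get_store() X509_OBJECT() failed"` names the wrong function for this failure.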


@ -1,10 +1,11 @@
--- sendd/os/Makefile.orig 2010-08-28 17:58:04.000000000 +0900
+++ sendd/os/Makefile 2014-08-20 04:33:33.000000000 +0900
--- sendd/os/Makefile.orig 2019-02-27 16:25:45 UTC
+++ sendd/os/Makefile
@@ -1,13 +1,5 @@
OBJS += os/addr.o os/snd_freebsd.o os-linux/rand.o
-CPPFLAGS += -I/usr/local/include
-
+CPPFLAGS += -I${LOCALBASE}/include
-OSLIBS= -L/usr/local/lib -l$(DNET)
-
-OSEXTRA= os/sendd
@ -13,6 +14,5 @@
-
-/usr/local/etc/rc.d/%: os/%
- install $< $@
+CPPFLAGS += -I${LOCALBASE}/include
-
+OSLIBS= -L${LOCALBASE}/lib -l$(DNET)


@ -0,0 +1,112 @@
--- sendd/sig_rfc3971.c.orig 2019-02-27 16:25:45 UTC
+++ sendd/sig_rfc3971.c
@@ -49,6 +49,11 @@
extern struct dlog_desc dbg_cryptox;
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_new(x) calloc(1, sizeof(EVP_MD_CTX))
+#define EVP_MD_CTX_free(x) free(x)
+#endif
+
static void *
load_privkey(const char *f)
{
@@ -84,7 +89,7 @@ free_privkey(void *k)
static uint8_t *
sign(struct iovec *iov, int iovlen, int *slen, void *priv /* EVP_PKEY */)
{
- EVP_MD_CTX ctx[1];
+ EVP_MD_CTX *ctx;
uint8_t *sig = NULL;
DEFINE_TIMESTAMP_VARS();
int i;
@@ -93,9 +98,15 @@ sign(struct iovec *iov, int iovlen, int *slen, void *p
DBG(&dbg_snd, "private key not set");
return (NULL);
}
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ DBG(&dbg_snd, "EVP_MD_CTX_new() failed");
+ return (NULL);
+ }
if ((*slen = EVP_PKEY_size(priv)) == 0) {
DBG(&dbg_snd, "EVP_PKEY_size() returned 0");
+ EVP_MD_CTX_free(ctx);
return (NULL);
}
@@ -104,6 +115,7 @@ sign(struct iovec *iov, int iovlen, int *slen, void *p
EVP_MD_CTX_init(ctx);
if (EVP_SignInit(ctx, EVP_sha1()) != 1) {
snd_ssl_err(__FUNCTION__, "EVP_SignInit: ");
+ EVP_MD_CTX_free(ctx);
return (NULL);
}
@@ -136,7 +148,10 @@ sign(struct iovec *iov, int iovlen, int *slen, void *p
DBG_HEXDUMP(&dbg_cryptox, "sig:", sig, *slen);
done:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_MD_CTX_cleanup(ctx);
+#endif
+ EVP_MD_CTX_free(ctx);
return (sig);
}
@@ -144,7 +159,7 @@ static int
ver(struct iovec *iov, int iovlen, uint8_t *key, int klen, uint8_t *sig,
int slen)
{
- EVP_MD_CTX ctx[1];
+ EVP_MD_CTX *ctx;
EVP_PKEY *pub;
int rv = -1;
int i, real_slen, min_bits;
@@ -157,11 +172,17 @@ ver(struct iovec *iov, int iovlen, uint8_t *key, int k
DBG(&dbg_snd, "could not d2i key");
return (-1);
}
+ ctx = EVP_MD_CTX_new();
+ if (ctx == NULL) {
+ DBG(&dbg_snd, "EVP_MD_CTX_new() failed");
+ return (NULL);
+ }
min_bits = snd_conf_get_int(snd_min_key_bits);
if (EVP_PKEY_bits(pub) < min_bits) {
DBG(&dbg_snd, "Peer key too weak: %d bits (configured "
"minimum: %d)", EVP_PKEY_bits(pub), min_bits);
+ EVP_MD_CTX_free(ctx);
return (-1);
}
@@ -171,6 +192,7 @@ ver(struct iovec *iov, int iovlen, uint8_t *key, int k
} else if (real_slen > slen) {
DBG(&dbg_snd, "real sig len (%d) > given sig len (%d)",
real_slen, slen);
+ EVP_MD_CTX_free(ctx);
return (-1);
}
TIMESTAMP_START();
@@ -178,6 +200,7 @@ ver(struct iovec *iov, int iovlen, uint8_t *key, int k
EVP_MD_CTX_init(ctx);
if (EVP_VerifyInit(ctx, EVP_sha1()) != 1) {
snd_ssl_err(__FUNCTION__, "EVP_VerifyInit: ");
+ EVP_MD_CTX_free(ctx);
return (-1);
}
@@ -204,7 +227,10 @@ ver(struct iovec *iov, int iovlen, uint8_t *key, int k
TIMESTAMP_END("rfc3971");
done:
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
EVP_MD_CTX_cleanup(ctx);
+#endif
+ EVP_MD_CTX_free(ctx);
return (rv);
}
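Review bot: In ver() the new allocation-failure branch ends with `return (NULL);`, but ver() returns `int` and every other failure path returns -1, so this value converts to 0. If callers treat 0 as a valid signature, which the default `int rv = -1` suggests, a failed `EVP_MD_CTX_new()` would make verification succeed; use `return (-1);`. The early returns around it also leave `pub` allocated, as far as the hunks show, so routing them through a common exit that calls `EVP_PKEY_free(pub)` and `EVP_MD_CTX_free(ctx)` would be tidier.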


@ -0,0 +1,18 @@
--- sendd/snd_proto.h.orig 2019-02-27 16:25:45 UTC
+++ sendd/snd_proto.h
@@ -41,11 +41,15 @@
#define ND_OPT_CGA 11
#define ND_OPT_SIG 12
#define ND_OPT_TIMESTAMP 13
+#ifndef ND_OPT_NONCE
#define ND_OPT_NONCE 14
+#endif
#define ND_OPT_TRUST_ANCHOR 15
#define ND_OPT_CERTIFICATE 16
+#ifndef ND_OPT_MAX
#define ND_OPT_MAX ND_OPT_CERTIFICATE
+#endif
#define NDISC_OPT_SPACE(len) (((len)+2+7)&~7)