control: tags -1 + patch
control: forwarded -1 https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=777

On 2016-06-26 12:24:33 [+0200], Kurt Roeckx wrote:
> There is a libssl-dev package available in experimental that contains a recent
> snapshot, I suggest you try building against that to see if everything works.

compiles.

> Kurt

Sebastian
>From 2477206520dc5228a15bdd8eb47dbf44adb37223 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Sun, 28 Aug 2016 21:49:41 +0200
Subject: [PATCH] get it compiled againt openssl 1.1.0

As a bonus get_dh2048() will free p & q if one of them was NULL.
Note: Using the same DH parameters on multiple servers is believed to be subject to precomputation attacks, see http://weakdh.org/.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 daemon/remote.c | 33 +++++++++++++++++++++++++--------
 sldns/keyraw.c | 30 ++++++++++++++++++++++++++++++
 validator/val_secalgo.c | 19 +++++++++++++++----
 3 files changed, 70 insertions(+), 12 deletions(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index 7690ee8b1875..e17b6b23fdbf 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -144,7 +144,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 * (some openssl versions reject DH that is 'too small', eg. 512). */
 #ifndef S_SPLINT_S
-DH *get_dh2048()
+static DH *get_dh2048(void)
 {
 static unsigned char dh2048_p[]={
 0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6,
@@ -173,14 +173,31 @@ DH *get_dh2048()
 static unsigned char dh2048_g[]={
 0x02,
 };
- DH *dh;
+ DH *dh = NULL;
+ BIGNUM *p = NULL, *g = NULL;

- if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL))
- { DH_free(dh); return(NULL); }
- return(dh);
+ dh = DH_new();
+ p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+ g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+ if (!dh || !p || !g)
+ goto err;
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ dh->p = p;
+ dh->g = g;
+#else
+ if (!DH_set0_pqg(dh, p, NULL, g))
+ goto err;
+#endif
+ return dh;
+err:
+ if (p)
+ BN_free(p);
+ if (g)
+ BN_free(g);
+ if (dh)
+ DH_free(dh);
+ return NULL;
 }
 #endif /* SPLINT */
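Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000` guard in get_dh2048 chooses the DH_set0_pqg() leg on the version number alone, so a LibreSSL build (which reports a 0x2xxxxxxx version but, to my recollection, only gained DH_set0_pqg in 2.7) would take the 1.1.0 leg and fail to compile; if LibreSSL is a supported target the guard should read `#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)`. On the `err:` path the `if (p)`, `if (g)` and `if (dh)` guards are redundant because BN_free(NULL) and DH_free(NULL) are no-ops, so the tail can be the three bare calls `BN_free(p); BN_free(g); DH_free(dh);`. The ownership logic itself looks right: p and g are only released by the caller when DH_set0_pqg has not taken them, which matches the documented set0 contract. Minor: the commit message says p & q are freed, but the function deals in p and g.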
diff --git a/sldns/keyraw.c b/sldns/keyraw.c
index 8d28bf40ab32..8b1c18f2b79d 100644
--- a/sldns/keyraw.c
+++ b/sldns/keyraw.c
@@ -215,6 +215,7 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 BN_free(Y);
 return NULL;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
 dsa->p = P;
 dsa->q = Q;
@@ -222,6 +223,25 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 dsa->pub_key = Y;
 #endif /* splint */


+#else /* OPENSSL_VERSION_NUMBER */
+ if (!DSA_set0_pqg(dsa, P, Q, G)) {
+ /* QPG not yet attached, need to free */
+ BN_free(Q);
+ BN_free(P);
+ BN_free(G);
+
+ DSA_free(dsa);
+ BN_free(Y);
+ return NULL;
+ }
+ if (!DSA_set0_key(dsa, Y, NULL)) {
+ /* QPG attached, cleaned up by DSA_fre() */
+ DSA_free(dsa);
+ BN_free(Y);
+ return NULL;
+ }
+#endif
+
 return dsa;
 }

@@ -273,11 +293,21 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 BN_free(modulus);
 return NULL;
 }
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
 rsa->n = modulus;
 rsa->e = exponent;
 #endif /* splint */


+#else /* OPENSSL_VERSION_NUMBER */
+ if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+ BN_free(exponent);
+ BN_free(modulus);
+ RSA_free(rsa);
+ return NULL;
+ }
+#endif
+
 return rsa;
 }
diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c
index 11c8cd16e8f9..a475385e4b2b 100644
--- a/validator/val_secalgo.c
+++ b/validator/val_secalgo.c
@@ -72,6 +72,17 @@
 #include <openssl/engine.h>
 #endif

+static inline void ossl_CRYPTO_free(unsigned char *ptr,
+ const char *ATTR_UNUSED(file),
+ int ATTR_UNUSED(line))
+{
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+ CRYPTO_free(ptr);
+#else
+ CRYPTO_free(ptr, file, line);
+#endif
+}
+
 /* return size of digest if supported, or 0 otherwise */
 size_t nsec3_hash_algo_size_supported(int id)
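Review bot: The comment on the DSA_set0_key failure path in sldns_key_buf2dsa_raw, `/* QPG attached, cleaned up by DSA_fre() */`, misspells the function and says "QPG" where the call passes P, Q, G; since this comment is exactly what the next reader relies on to understand who frees what, I'd write `/* P, Q and G are now owned by dsa and released by DSA_free(); Y is still ours */`. The first failure path frees Q, P, G in an order different from the call and from its own comment, which is harmless but adds noise. Freeing Y after a failed DSA_set0_key is correct on the assumption that the set0 functions leave ownership with the caller on failure, as the OpenSSL manual describes; worth a one-line comment since it is the non-obvious half of the contract. sldns_key_buf2dsa_raw starts outside the hunk.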
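Review bot: The ossl_CRYPTO_free wrapper, and the __FILE__/__LINE__ plumbing it forces on every caller, is avoidable: OPENSSL_free() exists on both 1.0.x and 1.1.0, and on 1.1.0 its macro expands to CRYPTO_free with the file and line arguments filled in, so callers can simply write `OPENSSL_free(sigblock);` with no version conditional at all. If the wrapper is kept anyway, `ATTR_UNUSED` on `file` and `line` is misleading because both parameters are used in the 1.1.0 branch; only the pre-1.1.0 branch ignores them, which `(void)file; (void)line;` inside that `#if` would state precisely. Calling CRYPTO_free directly also binds the code to a lower-level entry point whose signature has already changed once between releases, which is the fragility this patch is working around.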
@@ -601,7 +612,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 log_err("EVP_MD_CTX_new: malloc failure");
 EVP_PKEY_free(evp_key);
 if(dofree) free(sigblock);
- else if(docrypto_free) CRYPTO_free(sigblock);
+ else if(docrypto_free) ossl_CRYPTO_free(sigblock, __FILE__, __LINE__);
 return sec_status_unchecked;
 }
 if(EVP_VerifyInit(ctx, digest_type) == 0) {
@@ -609,7 +620,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 EVP_MD_CTX_destroy(ctx);
 EVP_PKEY_free(evp_key);
 if(dofree) free(sigblock);
- else if(docrypto_free) CRYPTO_free(sigblock);
+ else if(docrypto_free) ossl_CRYPTO_free(sigblock, __FILE__, __LINE__);
 return sec_status_unchecked;
 }
 if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf),
@@ -618,7 +629,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 EVP_MD_CTX_destroy(ctx);
 EVP_PKEY_free(evp_key);
 if(dofree) free(sigblock);
- else if(docrypto_free) CRYPTO_free(sigblock);
+ else if(docrypto_free) ossl_CRYPTO_free(sigblock, __FILE__, __LINE__);
 return sec_status_unchecked;
 }
@@ -632,7 +643,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock,
 EVP_PKEY_free(evp_key);

 if(dofree) free(sigblock);
- else if(docrypto_free) CRYPTO_free(sigblock);
+ else if(docrypto_free) ossl_CRYPTO_free(sigblock, __FILE__, __LINE__);

 if(res == 1) {
 return sec_status_secure;
-- 
2.1.4
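Review bot: Each of these four hunks rewrites only the `else if(docrypto_free)` line to thread `__FILE__, __LINE__` through the new wrapper, and in every case `else if(docrypto_free) OPENSSL_free(sigblock);` would give the same release on both 1.0.x and 1.1.0 with less to read. Beyond that, the pair `if(dofree) free(sigblock); else if(docrypto_free) ...` now appears four times in verify_canonrrset, so the rule for who owns sigblock is spelled out in four places; a small `static void sigblock_free(unsigned char *sigblock, int dofree, int docrypto_free)` helper would keep it in one. verify_canonrrset begins before the first of these hunks and its body continues past the last.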