Control: tags -1 + patch
The attached patch moves the code over to using the appropriate
accessors for OpenSSL 1.1 in most cases. I have disabled 40-bit
DES, and not ported that code, as the crypto is comically useless
in the modern world.
Chris.
diff --git a/isakmpd-20041012/apps/certpatch/certpatch.c b/isakmpd-20041012/apps/certpatch/certpatch.c
index 0a0125a..a619db6 100644
--- a/isakmpd-20041012/apps/certpatch/certpatch.c
+++ b/isakmpd-20041012/apps/certpatch/certpatch.c
@@ -147,8 +147,6 @@ main (int argc, char **argv)
* EVP_get_digest_byname.
*/
- SSLeay_add_all_algorithms ();
-
/* Use a certificate created by ssleay and add the appr. extension */
printf ("Reading ssleay created certificate %s and modify it\n",
certin);
@@ -171,7 +169,7 @@ main (int argc, char **argv)
}
/* Get the digest for the actual signing */
- digest = EVP_get_digestbyname (OBJ_nid2sn (OBJ_obj2nid (cert->sig_alg->algorithm)));
+ digest = EVP_get_digestbyname (OBJ_nid2sn (X509_get_signature_nid(cert)));
if (!X509_set_version (cert, 2))
{
@@ -293,7 +291,7 @@ main (int argc, char **argv)
BIO_free (file);
printf ("Creating Signature: PKEY_TYPE = %s: ",
- pkey_priv->type == EVP_PKEY_RSA ? "RSA" : "unknown");
+ EVP_PKEY_id(pkey_priv) == EVP_PKEY_RSA ? "RSA" : "unknown");
err = X509_sign (cert, pkey_priv, digest);
printf ("X509_sign: %d ", err);
if (!err)
diff --git a/isakmpd-20041012/crypto.c b/isakmpd-20041012/crypto.c
index d74191e..2995119 100644
--- a/isakmpd-20041012/crypto.c
+++ b/isakmpd-20041012/crypto.c
@@ -105,12 +105,13 @@ struct crypto_xf transforms[] = {
#define DC (void *)
#endif
+#ifdef USE_DES
enum cryptoerr
des1_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- /* des_set_key returns -1 for parity problems, and -2 for weak keys */
- des_set_odd_parity(DC key);
- switch (des_set_key(DC key, ks->ks_des[0])) {
+ /* DES_set_key returns -1 for parity problems, and -2 for weak keys */
+ DES_set_odd_parity(DC key);
+ switch (DES_set_key(DC key, ks->ks_des[0])) {
case -2:
return EWEAKKEY;
default:
@@ -131,19 +132,20 @@ des1_decrypt(struct keystate *ks, u_int8_t *d, u_int16_t len)
des_cbc_encrypt(DC d, DC d, len, ks->ks_des[0], DC ks->riv,
DES_DECRYPT);
}
+#endif
#ifdef USE_TRIPLEDES
enum cryptoerr
des3_init(struct keystate *ks, u_int8_t *key, u_int16_t len)
{
- des_set_odd_parity(DC key);
- des_set_odd_parity(DC(key + 8));
- des_set_odd_parity(DC(key + 16));
+ DES_set_odd_parity(DC key);
+ DES_set_odd_parity(DC(key + 8));
+ DES_set_odd_parity(DC(key + 16));
/* As of the draft Tripe-DES does not check for weak keys */
- des_set_key(DC key, ks->ks_des[0]);
- des_set_key(DC(key + 8), ks->ks_des[1]);
- des_set_key(DC(key + 16), ks->ks_des[2]);
+ DES_set_key(DC key, ks->ks_des[0]);
+ DES_set_key(DC(key + 8), ks->ks_des[1]);
+ DES_set_key(DC(key + 16), ks->ks_des[2]);
return EOKAY;
}
@@ -154,7 +156,7 @@ des3_encrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
u_int8_t iv[MAXBLK];
memcpy(iv, ks->riv, ks->xf->blocksize);
- des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
+ DES_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
ks->ks_des[1], ks->ks_des[2], DC iv, DES_ENCRYPT);
}
@@ -164,7 +166,7 @@ des3_decrypt(struct keystate *ks, u_int8_t *data, u_int16_t len)
u_int8_t iv[MAXBLK];
memcpy(iv, ks->riv, ks->xf->blocksize);
- des_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
+ DES_ede3_cbc_encrypt(DC data, DC data, len, ks->ks_des[0],
ks->ks_des[1], ks->ks_des[2], DC iv, DES_DECRYPT);
}
#undef DC
diff --git a/isakmpd-20041012/crypto.h b/isakmpd-20041012/crypto.h
index 1095c7e..902c359 100644
--- a/isakmpd-20041012/crypto.h
+++ b/isakmpd-20041012/crypto.h
@@ -108,7 +108,7 @@ struct keystate {
u_int8_t iv2[MAXBLK];
u_int8_t *riv, *liv;
union {
- des_key_schedule desks[3];
+ DES_key_schedule *desks[3];
#ifdef USE_BLOWFISH
blf_ctx blfks;
#endif
diff --git a/isakmpd-20041012/debian/control b/isakmpd-20041012/debian/control
index cc5ddfd..cf3a994 100644
--- a/isakmpd-20041012/debian/control
+++ b/isakmpd-20041012/debian/control
@@ -3,7 +3,7 @@ Maintainer: Jochen Friedrich <joc...@scram.de>
Priority: optional
Section: net
Standards-Version: 3.8.4
-Build-Depends: debhelper (>= 7.0.50~), libssl1.0-dev | libssl-dev (<< 1.1.0~), libgmp-dev, libpcap-dev, linux-kernel-headers
+Build-Depends: debhelper (>= 7.0.50~), libssl-dev, libgmp-dev, libpcap-dev, linux-kernel-headers
Package: isakmpd
Priority: optional
diff --git a/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep b/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep
index 32104ed..4c2edb3 100644
--- a/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep
+++ b/isakmpd-20041012/sysdep/linux/GNUmakefile.sysdep
@@ -39,7 +39,7 @@ CFLAGS+= -DHAVE_GETNAMEINFO -DUSE_OLD_SOCKADDR -DHAVE_PCAP \
-I/usr/include/openssl
FEATURES= debug tripledes blowfish cast ec aggressive x509
-FEATURES+= dpd nat_traversal isakmp_cfg des aes
+FEATURES+= dpd nat_traversal isakmp_cfg aes
IPSEC_SRCS= pf_key_v2.c
IPSEC_CFLAGS= -DUSE_PF_KEY_V2
diff --git a/isakmpd-20041012/x509.c b/isakmpd-20041012/x509.c
index 0897557..1415308 100644
--- a/isakmpd-20041012/x509.c
+++ b/isakmpd-20041012/x509.c
@@ -897,31 +897,28 @@ x509_cert_get(u_int8_t *asn, u_int32_t len)
int
x509_cert_validate(void *scert)
{
- X509_STORE_CTX csc;
+ X509_STORE_CTX *csc;
X509_NAME *issuer, *subject;
X509 *cert = (X509 *) scert;
EVP_PKEY *key;
int res, err;
+ csc = X509_STORE_CTX_new();
+
/*
* Validate the peer certificate by checking with the CA certificates
* we trust.
*/
- X509_STORE_CTX_init(&csc, x509_cas, cert, NULL);
-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
+ X509_STORE_CTX_init(csc, x509_cas, cert, NULL);
/* XXX See comment in x509_read_crls_from_dir. */
-#if OPENSSL_VERSION_NUMBER >= 0x00908000L
- if (x509_cas->param->flags & X509_V_FLAG_CRL_CHECK) {
-#else
- if (x509_cas->flags & X509_V_FLAG_CRL_CHECK) {
-#endif
- X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK);
- X509_STORE_CTX_set_flags(&csc, X509_V_FLAG_CRL_CHECK_ALL);
+ if (X509_VERIFY_PARAM_get_flags(X509_STORE_get0_param(x509_cas)) & X509_V_FLAG_CRL_CHECK) {
+ X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK);
+ X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CRL_CHECK_ALL);
}
-#endif
- res = X509_verify_cert(&csc);
- err = csc.error;
- X509_STORE_CTX_cleanup(&csc);
+
+ res = X509_verify_cert(csc);
+ err = X509_STORE_CTX_get_error(csc);
+ X509_STORE_CTX_free(csc);
/*
* Return if validation succeeded or self-signed certs are not
@@ -1160,6 +1157,7 @@ int
x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
{
X509_EXTENSION *subjectaltname;
+ ASN1_OCTET_STRING *sandata_asn1;
u_int8_t *sandata;
int extpos, santype, sanlen;
@@ -1171,20 +1169,28 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
}
subjectaltname = X509_get_ext(scert, extpos);
- if (!subjectaltname || !subjectaltname->value ||
- !subjectaltname->value->data ||
- subjectaltname->value->length < 4) {
+ if (!subjectaltname) {
+ log_print("x509_cert_subjectaltname: missing "
+ "subjectaltname extension");
+ return 0;
+ }
+
+ sandata_asn1 = X509_EXTENSION_get_data(subjectaltname);
+
+ if (!sandata_asn1 ||
+ !sandata_asn1->data ||
+ sandata_asn1->length < 4) {
log_print("x509_cert_subjectaltname: invalid "
"subjectaltname extension");
return 0;
}
/* SSL does not handle unknown ASN stuff well, do it by hand. */
- sandata = subjectaltname->value->data;
+ sandata = sandata_asn1->data;
santype = sandata[2] & 0x3f;
sanlen = sandata[3];
sandata += 4;
- if (sanlen + 4 != subjectaltname->value->length) {
+ if (sanlen + 4 != sandata_asn1->length) {
log_print("x509_cert_subjectaltname: subjectaltname invalid "
"length");
return 0;
@@ -1332,12 +1338,12 @@ x509_cert_get_key(void *scert, void *keyp)
key = X509_get_pubkey(cert);
/* Check if we got the right key type. */
- if (key->type != EVP_PKEY_RSA) {
+ if (EVP_PKEY_id(key) != EVP_PKEY_RSA) {
log_print("x509_cert_get_key: public key is not a RSA key");
X509_free(cert);
return 0;
}
- *(RSA **)keyp = RSAPublicKey_dup(key->pkey.rsa);
+ *(RSA **)keyp = RSAPublicKey_dup(EVP_PKEY_get1_RSA(key));
return *(RSA **)keyp == NULL ? 0 : 1;
}
