1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
|
From b4eebafa6d634c4e0e00267ae69703e506ac101d Mon Sep 17 00:00:00 2001
From: wuhanck <wuhanck@hotmail.com>
Date: Thu, 24 Jan 2019 18:39:07 +0800
Subject: [PATCH] upgrade to openssl 1.1.x.
---
configure | 2 +-
lib/fetch/common.c | 2 +-
lib/pubkey2fp.c | 29 ++++++++++++++++++-----------
3 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/configure b/configure
index ebef990a..b6e642a2 100755
--- a/configure
+++ b/configure
@@ -678,7 +678,7 @@ fi
# libssl with pkg-config support is required.
#
printf "Checking for libssl via pkg-config ... "
-if $PKGCONFIG_BIN --exists 'libssl < 1.1' && ! $PKGCONFIG_BIN --exists libtls ; then
+if $PKGCONFIG_BIN --exists 'libssl < 1.2' && ! $PKGCONFIG_BIN --exists libtls ; then
echo "found OpenSSL version $($PKGCONFIG_BIN --modversion libssl)."
elif $PKGCONFIG_BIN --exists libssl libtls; then
echo "found LibreSSL version $($PKGCONFIG_BIN --modversion libssl)."
diff --git a/lib/fetch/common.c b/lib/fetch/common.c
index 94fb2651..b3d8f2f0 100644
--- a/lib/fetch/common.c
+++ b/lib/fetch/common.c
@@ -895,7 +895,7 @@ fetch_ssl_verify_altname(STACK_OF(GENERAL_NAME) *altnames,
for (i = 0; i < sk_GENERAL_NAME_num(altnames); ++i) {
name = sk_GENERAL_NAME_value(altnames, i);
- ns = (const char *)ASN1_STRING_data(name->d.ia5);
+ ns = (const char *)ASN1_STRING_get0_data(name->d.ia5);
nslen = (size_t)ASN1_STRING_length(name->d.ia5);
if (name->type == GEN_DNS && ip == NULL &&
diff --git a/lib/pubkey2fp.c b/lib/pubkey2fp.c
index 2cfe7178..c1a46e88 100644
--- a/lib/pubkey2fp.c
+++ b/lib/pubkey2fp.c
@@ -65,12 +65,13 @@ fp2str(unsigned const char *fp, unsigned int len)
char *
xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
{
- EVP_MD_CTX mdctx;
+ EVP_MD_CTX *mdctx = NULL;
EVP_PKEY *pPubKey = NULL;
RSA *pRsa = NULL;
BIO *bio = NULL;
const void *pubkeydata;
unsigned char md_value[EVP_MAX_MD_SIZE];
+ const BIGNUM *n, *e;
unsigned char *nBytes = NULL, *eBytes = NULL, *pEncoding = NULL;
unsigned int md_len = 0;
char *hexfpstr = NULL;
@@ -79,6 +80,8 @@ xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
ERR_load_crypto_strings();
OpenSSL_add_all_algorithms();
+ mdctx = EVP_MD_CTX_new();
+ assert(mdctx);
pubkeydata = xbps_data_data_nocopy(pubkey);
bio = BIO_new_mem_buf(__UNCONST(pubkeydata), xbps_data_size(pubkey));
assert(bio);
@@ -91,7 +94,7 @@ xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
goto out;
}
- if (EVP_PKEY_type(pPubKey->type) != EVP_PKEY_RSA) {
+ if (EVP_PKEY_base_id(pPubKey) != EVP_PKEY_RSA) {
xbps_dbg_printf(xhp, "only RSA public keys are currently supported\n");
goto out;
}
@@ -103,19 +106,20 @@ xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
goto out;
}
+ RSA_get0_key(pRsa, &n, &e, NULL);
// reading the modulus
- nLen = BN_num_bytes(pRsa->n);
+ nLen = BN_num_bytes(n);
nBytes = (unsigned char*) malloc(nLen);
if (nBytes == NULL)
goto out;
- BN_bn2bin(pRsa->n, nBytes);
+ BN_bn2bin(n, nBytes);
// reading the public exponent
- eLen = BN_num_bytes(pRsa->e);
+ eLen = BN_num_bytes(e);
eBytes = (unsigned char*) malloc(eLen);
if (eBytes == NULL)
goto out;
- BN_bn2bin(pRsa->e, eBytes);
+ BN_bn2bin(e, eBytes);
encodingLength = 11 + 4 + eLen + 4 + nLen;
// correct depending on the MSB of e and N
@@ -135,18 +139,21 @@ xbps_pubkey2fp(struct xbps_handle *xhp, xbps_data_t pubkey)
/*
* Compute the RSA fingerprint (MD5).
*/
- EVP_MD_CTX_init(&mdctx);
- EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL);
- EVP_DigestUpdate(&mdctx, pEncoding, encodingLength);
- if (EVP_DigestFinal_ex(&mdctx, md_value, &md_len) == 0)
+ EVP_MD_CTX_init(mdctx);
+ EVP_DigestInit_ex(mdctx, EVP_md5(), NULL);
+ EVP_DigestUpdate(mdctx, pEncoding, encodingLength);
+ if (EVP_DigestFinal_ex(mdctx, md_value, &md_len) == 0)
goto out;
- EVP_MD_CTX_cleanup(&mdctx);
+ EVP_MD_CTX_free(mdctx);
+ mdctx = NULL;
/*
* Convert result to a compatible OpenSSH hex fingerprint.
*/
hexfpstr = fp2str(md_value, md_len);
out:
+ if (mdctx)
+ EVP_MD_CTX_free(mdctx);
if (bio)
BIO_free_all(bio);
if (pRsa)
|
