On 2016-08-28 22:42:39 [+0200], Kurt Roeckx wrote: > Maybe you should just call OPENSSL_free() instead of > CRYPTO_free()?
done. > Kurt Sebastian
>From d3a1b1ff8bad701944aec8edc13ef0421da81fa0 Mon Sep 17 00:00:00 2001 From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> Date: Sun, 28 Aug 2016 21:49:41 +0200 Subject: [PATCH] get it compiled againt openssl 1.1.0 As a bonus get_dh2048() will free p & q if one of them was NULL. Note: Using the same DH parameters on multiple servers is believed to be subject to precomputation attacks, see http://weakdh.org/. Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- daemon/remote.c | 35 ++++++++++++++++++++++++++--------- sldns/keyraw.c | 30 ++++++++++++++++++++++++++++++ validator/val_secalgo.c | 8 ++++---- 3 files changed, 60 insertions(+), 13 deletions(-) diff --git a/daemon/remote.c b/daemon/remote.c index 7690ee8..e17b6b2 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -144,7 +144,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d) * (some openssl versions reject DH that is 'too small', eg. 512). */ #ifndef S_SPLINT_S -DH *get_dh2048() +static DH *get_dh2048(void) { static unsigned char dh2048_p[]={ 0xE7,0x36,0x28,0x3B,0xE4,0xC3,0x32,0x1C,0x01,0xC3,0x67,0xD6, @@ -173,14 +173,31 @@ DH *get_dh2048() static unsigned char dh2048_g[]={ 0x02, }; - DH *dh; - - if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - { DH_free(dh); return(NULL); } - return(dh); + DH *dh = NULL; + BIGNUM *p = NULL, *g = NULL; + + dh = DH_new(); + p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if (!dh || !p || !g) + goto err; + +#if OPENSSL_VERSION_NUMBER < 0x10100000 + dh->p = p; + dh->g = g; +#else + if (!DH_set0_pqg(dh, p, NULL, g)) + goto err; +#endif + return dh; +err: + if (p) + BN_free(p); + if (g) + BN_free(g); + if (dh) + DH_free(dh); + return NULL; } #endif /* SPLINT */ diff --git a/sldns/keyraw.c b/sldns/keyraw.c index 8d28bf4..8b1c18f 100644 --- a/sldns/keyraw.c +++ b/sldns/keyraw.c @@ -215,6 +215,7 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len) BN_free(Y); return NULL; } +#if OPENSSL_VERSION_NUMBER < 0x10100000 #ifndef S_SPLINT_S dsa->p = P; dsa->q = Q; @@ -222,6 +223,25 @@ sldns_key_buf2dsa_raw(unsigned char* key, size_t len) dsa->pub_key = Y; #endif /* splint */ +#else /* OPENSSL_VERSION_NUMBER */ + if (!DSA_set0_pqg(dsa, P, Q, G)) { + /* QPG not yet attached, need to free */ + BN_free(Q); + BN_free(P); + BN_free(G); + + DSA_free(dsa); + BN_free(Y); + return NULL; + } + if (!DSA_set0_key(dsa, Y, NULL)) { + /* QPG attached, cleaned up by DSA_fre() */ + DSA_free(dsa); + BN_free(Y); + return NULL; + } +#endif + return dsa; } @@ -273,11 +293,21 @@ sldns_key_buf2rsa_raw(unsigned char* key, size_t len) BN_free(modulus); return NULL; } +#if OPENSSL_VERSION_NUMBER < 0x10100000 #ifndef S_SPLINT_S rsa->n = modulus; rsa->e = exponent; #endif /* splint */ +#else /* OPENSSL_VERSION_NUMBER */ + if (!RSA_set0_key(rsa, modulus, exponent, NULL)) { + BN_free(exponent); + BN_free(modulus); + RSA_free(rsa); + return NULL; + } +#endif + return rsa; } diff --git a/validator/val_secalgo.c b/validator/val_secalgo.c index 11c8cd1..a5576c5 100644 --- a/validator/val_secalgo.c +++ b/validator/val_secalgo.c @@ -601,7 +601,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, log_err("EVP_MD_CTX_new: malloc failure"); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); - else if(docrypto_free) CRYPTO_free(sigblock); + else if(docrypto_free) OPENSSL_free(sigblock); return sec_status_unchecked; } if(EVP_VerifyInit(ctx, digest_type) == 0) { @@ -609,7 +609,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, EVP_MD_CTX_destroy(ctx); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); - else if(docrypto_free) CRYPTO_free(sigblock); + else if(docrypto_free) OPENSSL_free(sigblock); return sec_status_unchecked; } if(EVP_VerifyUpdate(ctx, (unsigned char*)sldns_buffer_begin(buf), @@ -618,7 +618,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, EVP_MD_CTX_destroy(ctx); EVP_PKEY_free(evp_key); if(dofree) free(sigblock); - else if(docrypto_free) CRYPTO_free(sigblock); + else if(docrypto_free) OPENSSL_free(sigblock); return sec_status_unchecked; } @@ -632,7 +632,7 @@ verify_canonrrset(sldns_buffer* buf, int algo, unsigned char* sigblock, EVP_PKEY_free(evp_key); if(dofree) free(sigblock); - else if(docrypto_free) CRYPTO_free(sigblock); + else if(docrypto_free) OPENSSL_free(sigblock); if(res == 1) { return sec_status_secure; -- 2.9.3
