On 2016-11-01 18:39:01 [+0100], Andreas Henriksson wrote: > Control: tags -1 + upstream patch > > Hello! > > The attached patch (in combination with the fix for #841554) makes the > Debian net-snmp package build against openssl 1.1.0. This patch has only > been compile-tested. No runtime testing. No guarantees. Please review > carefully. > > (Additional ifdefs likely needed to keep this compiling against > older openssl versions.)
added those, added a const and removed the "HAVE_EVP_MD_CTX_CREATE" thingy. > Regards, > Andreas Henriksson Sebastian
From: Andreas Henriksson <andr...@fatal.se> Date: Sat, 23 Dec 2017 22:25:41 +0000 Subject: [PATCH] Port OpenSSL 1.1.0 with support for 1.0.2 Initial support for OpenSSL 1.1.0 Changes by sebast...@breakpoint.cc: - added OpenSSL 1.0.2 glue layer for backwarts compatibility - dropped HAVE_EVP_MD_CTX_CREATE + DESTROY and added a check for OpenSSL version instead (and currently 1.0.2 is the only one supported). BTS: https://bugs.debian.org/828449 Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc> --- apps/snmpusm.c | 43 ++++++++++++++++++++++++++++++++++++------- configure.d/config_os_libs2 | 6 ------ snmplib/keytools.c | 13 ++++++------- snmplib/scapi.c | 17 +++++------------ 4 files changed, 47 insertions(+), 32 deletions(-) --- a/apps/snmpusm.c +++ b/apps/snmpusm.c @@ -183,6 +183,31 @@ setup_oid(oid * it, size_t * len, u_char } #if defined(HAVE_OPENSSL_DH_H) && defined(HAVE_LIBCRYPTO) + +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) + +static void DH_get0_pqg(const DH *dh, + const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) +{ + if (p != NULL) + *p = dh->p; + if (q != NULL) + *q = dh->q; + if (g != NULL) + *g = dh->g; +} + +static void DH_get0_key(const DH *dh, const BIGNUM **pub_key, + const BIGNUM **priv_key) +{ + if (pub_key != NULL) + *pub_key = dh->pub_key; + if (priv_key != NULL) + *priv_key = dh->priv_key; +} + +#endif + int get_USM_DH_key(netsnmp_variable_list *vars, netsnmp_variable_list *dhvar, size_t outkey_len, @@ -190,7 +215,7 @@ get_USM_DH_key(netsnmp_variable_list *va oid *keyoid, size_t keyoid_len) { u_char *dhkeychange; DH *dh; - BIGNUM *other_pub; + const BIGNUM *p, *g, *pub_key, *other_pub; u_char *key; size_t key_len; @@ -205,25 +230,29 @@ get_USM_DH_key(netsnmp_variable_list *va dh = d2i_DHparams(NULL, &cp, dhvar->val_len); } - if (!dh || !dh->g || !dh->p) { + if (dh) + DH_get0_pqg(dh, &p, NULL, &g); + + if (!dh || !g || !p) { SNMP_FREE(dhkeychange); return SNMPERR_GENERR; } - DH_generate_key(dh); - if (!dh->pub_key) { + if (!DH_generate_key(dh)) { SNMP_FREE(dhkeychange); return SNMPERR_GENERR; } - if (vars->val_len != (unsigned int)BN_num_bytes(dh->pub_key)) { + DH_get0_key(dh, &pub_key, NULL); + + if (vars->val_len != (unsigned int)BN_num_bytes(pub_key)) { SNMP_FREE(dhkeychange); fprintf(stderr,"incorrect diffie-helman lengths (%lu != %d)\n", - (unsigned long)vars->val_len, BN_num_bytes(dh->pub_key)); + (unsigned long)vars->val_len, BN_num_bytes(pub_key)); return SNMPERR_GENERR; } - BN_bn2bin(dh->pub_key, dhkeychange + vars->val_len); + BN_bn2bin(pub_key, dhkeychange + vars->val_len); key_len = DH_size(dh); if (!key_len) { --- a/configure.d/config_os_libs2 +++ b/configure.d/config_os_libs2 @@ -291,12 +291,6 @@ if test "x$tryopenssl" != "xno" -a "x$tr AC_CHECK_LIB(${CRYPTO}, AES_cfb128_encrypt, AC_DEFINE(HAVE_AES_CFB128_ENCRYPT, 1, [Define to 1 if you have the `AES_cfb128_encrypt' function.])) - - AC_CHECK_LIB(${CRYPTO}, EVP_MD_CTX_create, - AC_DEFINE([HAVE_EVP_MD_CTX_CREATE], [], - [Define to 1 if you have the `EVP_MD_CTX_create' function.]) - AC_DEFINE([HAVE_EVP_MD_CTX_DESTROY], [], - [Define to 1 if you have the `EVP_MD_CTX_destroy' function.])) fi if echo " $transport_result_list " | $GREP "DTLS" > /dev/null; then AC_CHECK_LIB(ssl, DTLSv1_method, --- a/snmplib/keytools.c +++ b/snmplib/keytools.c @@ -149,13 +149,13 @@ generate_Ku(const oid * hashtype, u_int */ #ifdef NETSNMP_USE_OPENSSL -#ifdef HAVE_EVP_MD_CTX_CREATE +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) ctx = EVP_MD_CTX_create(); #else - ctx = malloc(sizeof(*ctx)); - if (!EVP_MD_CTX_init(ctx)) - return SNMPERR_GENERR; + ctx = EVP_MD_CTX_new(); #endif + if (!ctx) + return SNMPERR_GENERR; #ifndef NETSNMP_DISABLE_MD5 if (ISTRANSFORM(hashtype, HMACMD5Auth)) { if (!EVP_DigestInit(ctx, EVP_md5())) @@ -259,11 +259,10 @@ generate_Ku(const oid * hashtype, u_int memset(buf, 0, sizeof(buf)); #ifdef NETSNMP_USE_OPENSSL if (ctx) { -#ifdef HAVE_EVP_MD_CTX_DESTROY +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_destroy(ctx); #else - EVP_MD_CTX_cleanup(ctx); - free(ctx); + EVP_MD_CTX_free(ctx); #endif } #endif --- a/snmplib/scapi.c +++ b/snmplib/scapi.c @@ -486,15 +486,10 @@ sc_hash(const oid * hashtype, size_t has } /** initialize the pointer */ -#ifdef HAVE_EVP_MD_CTX_CREATE +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) cptr = EVP_MD_CTX_create(); #else - cptr = malloc(sizeof(*cptr)); -#if defined(OLD_DES) - memset(cptr, 0, sizeof(*cptr)); -#else - EVP_MD_CTX_init(cptr); -#endif + cptr = EVP_MD_CTX_new(); #endif if (!EVP_DigestInit(cptr, hashfn)) { /* requested hash function is not available */ @@ -507,13 +502,11 @@ sc_hash(const oid * hashtype, size_t has /** do the final pass */ EVP_DigestFinal(cptr, MAC, &tmp_len); *MAC_len = tmp_len; -#ifdef HAVE_EVP_MD_CTX_DESTROY + +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) EVP_MD_CTX_destroy(cptr); #else -#if !defined(OLD_DES) - EVP_MD_CTX_cleanup(cptr); -#endif - free(cptr); + EVP_MD_CTX_free(cptr); #endif return (rval);
