Bug#828247: (no subject)

[Alexander Couzens]

Here are 2 patches which *should* fix the bug. It's untested, I asked
in the #bip channel if someone can test it.

I also regenerated new dh params. Since the old params were in a
different format.

Best,
lynxis
-- 
Alexander Couzens

mail: lyn...@fe80.eu
jabber: lyn...@fe80.eu
mobile: +4915123277221
gpg: 390D CF78 8BF9 AA50 4F8F  F1E2 C29E 9DA6 A0DF 8604

Index: bip-0.8.9/src/connection.c
===================================================================
--- bip-0.8.9.orig/src/connection.c
+++ bip-0.8.9/src/connection.c
@@ -1069,50 +1069,43 @@ static connection_t *connection_init(int
 
 #include "moduli.h"
 
+/* postfix tls_get_dh - get compiled-in DH parameters */
+
+static DH *tls_get_dh(const unsigned char *p, size_t plen)
+{
+    const unsigned char *endp = p;
+    DH     *dh = 0;
+
+    if (d2i_DHparams(&dh, &endp, plen) && (p + plen) == endp) {
+        return (dh);
+    }
+
+    mylog(LOG_WARN, "cannot load compiled-in DH parameters");
+    if (dh) {
+        DH_free(dh);
+    }
+
+    return (0);
+}
+
 /* from postfix tls impl */
 static DH *dh_512(void)
 {
-	DH *dh;
 	static DH *dh_512;
 
 	if (dh_512 == NULL) {
-		if ((dh = DH_new()) == NULL) {
-			mylog(LOG_WARN, "SSL: cannot create DH parameter set");
-			return (0);
-		}
-		dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
-		dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
-		if ((dh->p == NULL) || (dh->g == NULL)) {
-			mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
-					"parameters");
-			DH_free(dh);
-			return (0);
-		} else
-			dh_512 = dh;
-	}
+		tls_get_dh(dh512_der, sizeof(dh512_der));
+    }
 	return dh_512;
 }
 
 /* tls_get_dh_1024 - get 1024-bit DH parameters, compiled-in or from file */
 static DH *dh_1024(void)
 {
-	DH *dh;
 	static DH *dh_1024;
 
 	if (dh_1024 == NULL) {
-		if ((dh = DH_new()) == NULL) {
-			mylog(LOG_WARN, "SSL: cannot create DH parameter set");
-			return (0);
-		}
-		dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
-		dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
-		if ((dh->p == NULL) || (dh->g == NULL)) {
-			mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
-					"parameters");
-			DH_free(dh);
-			return (0);
-		} else
-			dh_1024 = dh;
+		dh_1024 = tls_get_dh(dh2048_der, sizeof(dh2048_der));
 	}
 	return (dh_1024);
 }
Index: bip-0.8.9/src/moduli.h
===================================================================
--- bip-0.8.9.orig/src/moduli.h
+++ bip-0.8.9/src/moduli.h
@@ -1,38 +1,53 @@
 /* ripped from postfix tls_dh.c */
 
- /*
-  * Compiled-in DH parameters. These are used when no parameters are
-  * explicitly loaded from file.
-  *
-  * XXX What is the origin of these parameters?
-  */
-static unsigned char dh512_p[] = {
-	0x88, 0x3F, 0x00, 0xAF, 0xFC, 0x0C, 0x8A, 0xB8, 0x35, 0xCD, 0xE5, 0xC2,
-	0x0F, 0x55, 0xDF, 0x06, 0x3F, 0x16, 0x07, 0xBF, 0xCE, 0x13, 0x35, 0xE4,
-	0x1C, 0x1E, 0x03, 0xF3, 0xAB, 0x17, 0xF6, 0x63, 0x50, 0x63, 0x67, 0x3E,
-	0x10, 0xD7, 0x3E, 0xB4, 0xEB, 0x46, 0x8C, 0x40, 0x50, 0xE6, 0x91, 0xA5,
-	0x6E, 0x01, 0x45, 0xDE, 0xC9, 0xB1, 0x1F, 0x64, 0x54, 0xFA, 0xD9, 0xAB,
-	0x4F, 0x70, 0xBA, 0x5B,
-};
-static unsigned char dh512_g[] = {
-	0x02,
-};
-
-static unsigned char dh1024_p[] = {
-	0xB0, 0xFE, 0xB4, 0xCF, 0xD4, 0x55, 0x07, 0xE7, 0xCC, 0x88, 0x59, 0x0D,
-	0x17, 0x26, 0xC5, 0x0C, 0xA5, 0x4A, 0x92, 0x23, 0x81, 0x78, 0xDA, 0x88,
-	0xAA, 0x4C, 0x13, 0x06, 0xBF, 0x5D, 0x2F, 0x9E, 0xBC, 0x96, 0xB8, 0x51,
-	0x00, 0x9D, 0x0C, 0x0D, 0x75, 0xAD, 0xFD, 0x3B, 0xB1, 0x7E, 0x71, 0x4F,
-	0x3F, 0x91, 0x54, 0x14, 0x44, 0xB8, 0x30, 0x25, 0x1C, 0xEB, 0xDF, 0x72,
-	0x9C, 0x4C, 0xF1, 0x89, 0x0D, 0x68, 0x3F, 0x94, 0x8E, 0xA4, 0xFB, 0x76,
-	0x89, 0x18, 0xB2, 0x91, 0x16, 0x90, 0x01, 0x99, 0x66, 0x8C, 0x53, 0x81,
-	0x4E, 0x27, 0x3D, 0x99, 0xE7, 0x5A, 0x7A, 0xAF, 0xD5, 0xEC, 0xE2, 0x7E,
-	0xFA, 0xED, 0x01, 0x18, 0xC2, 0x78, 0x25, 0x59, 0x06, 0x5C, 0x39, 0xF6,
-	0xCD, 0x49, 0x54, 0xAF, 0xC1, 0xB1, 0xEA, 0x4A, 0xF9, 0x53, 0xD0, 0xDF,
-	0x6D, 0xAF, 0xD4, 0x93, 0xE7, 0xBA, 0xAE, 0x9B,
+/*
+ * Compiled-in DH parameters. These are used when no parameters are
+ * explicitly loaded from file.
+ *
+ * Generated via:
+ *   $ openssl dhparam -2 -outform DER 512 2>/dev/null |
+ *     hexdump -ve '/1 "0x%02x, "' | fmt
+ *
+ * Re-generated on 11 Nov. 2016
+ */
+static unsigned char dh512_der[] = {
+    0x30, 0x46, 0x02, 0x41, 0x00, 0x83, 0x95, 0xdb, 0x45, 0xad, 0x19, 0x17,
+    0xbc, 0xc6, 0x62, 0xc0, 0x89, 0x04, 0xc7, 0x1a, 0x8b, 0xaa, 0x1f, 0x2f,
+    0x96, 0x9b, 0xb9, 0xb8, 0x7b, 0x03, 0x7c, 0x47, 0x7b, 0x4e, 0xb2, 0x25,
+    0xf2, 0x1b, 0x52, 0xcd, 0xf3, 0x81, 0x7a, 0x0d, 0x09, 0x8d, 0xec, 0xe9,
+    0x7f, 0xe7, 0x35, 0x5c, 0xdb, 0x13, 0x3e, 0x19, 0x87, 0x90, 0xea, 0x2b,
 };
 
-static unsigned char dh1024_g[] = {
-	0x02,
+/*
+ * Generated via:
+ *   $ openssl dhparam -2 -outform DER 2048 2>/dev/null |
+ *     hexdump -ve '/1 "0x%02x, "' | fmt
+ *
+ * Re-generated on 11 Nov. 2016
+ */
+static unsigned char dh2048_der[] = {
+    0x30, 0x82, 0x01, 0x08, 0x02, 0x82, 0x01, 0x01, 0x00, 0xbd, 0x8f, 0xa4,
+    0x50, 0xc0, 0x24, 0xf9, 0xfc, 0x84, 0x8f, 0xea, 0xec, 0xf3, 0x6f, 0x02,
+    0x64, 0xee, 0xd6, 0x0c, 0xf6, 0x8e, 0x5a, 0x7a, 0xa6, 0x3a, 0x49, 0x91,
+    0x51, 0x1f, 0x27, 0xc2, 0xcc, 0xce, 0xcb, 0x43, 0x20, 0x83, 0x80, 0x80,
+    0x75, 0x61, 0x04, 0x7a, 0x27, 0x75, 0xe0, 0xaf, 0x98, 0xfe, 0xd9, 0x8a,
+    0x3a, 0xf2, 0xa5, 0x76, 0x88, 0x64, 0x17, 0x6b, 0x9a, 0xf9, 0x36, 0xae,
+    0xe8, 0x01, 0xe3, 0x29, 0xd7, 0xa9, 0x76, 0xc4, 0xf2, 0x43, 0x16, 0xfd,
+    0xc9, 0x7a, 0x45, 0x4e, 0x64, 0x53, 0xf1, 0x1b, 0x67, 0x4e, 0x32, 0xe7,
+    0x47, 0xa5, 0x75, 0x5a, 0x78, 0x9c, 0x16, 0xa3, 0xc2, 0xfc, 0xfa, 0x99,
+    0x4f, 0x63, 0x63, 0xf3, 0x9f, 0xcb, 0x52, 0x7b, 0x8a, 0xf1, 0xb9, 0xdb,
+    0x21, 0x43, 0x1e, 0xcf, 0x12, 0xd1, 0xe5, 0x75, 0x59, 0x02, 0xf4, 0xe9,
+    0x29, 0x23, 0xe4, 0xa8, 0x77, 0xec, 0x9a, 0x45, 0xbd, 0x5c, 0xe9, 0x87,
+    0x1a, 0xcd, 0x51, 0x55, 0x54, 0x94, 0x83, 0x94, 0x51, 0xe0, 0xfe, 0xf7,
+    0x39, 0xb9, 0x7a, 0xae, 0x4a, 0x2b, 0xf9, 0x91, 0x26, 0x9a, 0x01, 0xc6,
+    0xbb, 0x54, 0xd5, 0x30, 0xe5, 0x0c, 0xbe, 0xb1, 0x17, 0x0a, 0xaf, 0xef,
+    0x31, 0xb8, 0x37, 0x89, 0x12, 0x36, 0x5d, 0x73, 0x50, 0x78, 0x49, 0x93,
+    0x8a, 0x52, 0x40, 0xa2, 0x67, 0xac, 0xba, 0x67, 0x5c, 0x87, 0xb0, 0xb9,
+    0xef, 0x7f, 0x57, 0xc4, 0x81, 0xc6, 0xab, 0x2e, 0xa5, 0xa6, 0x6f, 0x60,
+    0x55, 0x4c, 0x0e, 0xb1, 0xae, 0xe3, 0xad, 0xf3, 0x2d, 0x10, 0x27, 0x87,
+    0x5f, 0xf3, 0x51, 0xb2, 0x6a, 0x42, 0x3d, 0xab, 0xee, 0xa2, 0x2b, 0x50,
+    0x6d, 0x0d, 0xf9, 0x38, 0x30, 0x6f, 0x8d, 0xd0, 0x61, 0x55, 0xf3, 0x87,
+    0xb2, 0x70, 0x94, 0xda, 0x85, 0xf1, 0x68, 0x49, 0x28, 0x41, 0x37, 0x60,
+    0xa3, 0x02, 0x01, 0x02,
 };
 

Index: bip-0.8.9/src/connection.c
===================================================================
--- bip-0.8.9.orig/src/connection.c
+++ bip-0.8.9/src/connection.c
@@ -1292,7 +1292,7 @@ static int bip_ssl_verify_callback(int p
 	int err, depth;
 	SSL *ssl;
 	connection_t *c;
-	X509_OBJECT xobj;
+	X509_OBJECT *xobj = NULL;
 	int result;
 
 	err_cert = X509_STORE_CTX_get_current_cert(ctx);
@@ -1323,8 +1323,8 @@ static int bip_ssl_verify_callback(int p
 			 err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
 
 		if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
-				X509_get_subject_name(err_cert), &xobj) > 0 &&
-				!X509_cmp(xobj.data.x509, err_cert)) {
+				X509_get_subject_name(err_cert), xobj) > 0 &&
+				!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
 
 			if (err == X509_V_ERR_CERT_HAS_EXPIRED)
 				mylog(LOG_INFO, "Basic mode; Accepting "

pgp1sNrn6ZcqA.pgp
Description: OpenPGP digital signature