Control: tags -1 + patch Hi,
attached is a patch for compatibility with OpenSSL 1.1. Regards, Reiner
diff --git a/debian/patches/openssl1.1.patch b/debian/patches/openssl1.1.patch new file mode 100644 index 0000000..960d827 --- /dev/null +++ b/debian/patches/openssl1.1.patch @@ -0,0 +1,400 @@ +Author: Reiner Herrmann <rei...@reiner-h.de> +Description: Fix compatibility with OpenSSL 1.1 +Bug-Debian: https://bugs.debian.org/844534 + +--- a/encrypt_openssl.c ++++ b/encrypt_openssl.c +@@ -349,7 +349,7 @@ + const unsigned char *src, unsigned int srclen, + unsigned char *dest, unsigned int *destlen) + { +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher = get_cipher(keytype); + int mode, len; + +@@ -358,32 +358,32 @@ + return 0; + } + mode = EVP_CIPHER_mode(cipher); +- EVP_CIPHER_CTX_init(&ctx); +- if (!EVP_EncryptInit_ex(&ctx, cipher, NULL, NULL, NULL)) { ++ ctx = EVP_CIPHER_CTX_new(); ++ if (!EVP_EncryptInit_ex(ctx, cipher, NULL, NULL, NULL)) { + log_ssl_err("EncryptInit for cipher failed"); + return 0; + } + #ifdef EVP_CIPH_GCM_MODE + if (mode == EVP_CIPH_GCM_MODE) { +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, GCM_IV_LEN, 0)) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, GCM_IV_LEN, 0)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for IVLEN failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } else if (mode == EVP_CIPH_CCM_MODE) { +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, CCM_IV_LEN, 0)) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, CCM_IV_LEN, 0)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for IVLEN failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, CCM_TAG_LEN, 0)) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, CCM_TAG_LEN, 0)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for tag len failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } + #endif +- if (!EVP_EncryptInit_ex(&ctx, NULL, NULL, key, IV)) { ++ if (!EVP_EncryptInit_ex(ctx, NULL, NULL, key, IV)) { + log_ssl_err("EncryptInit for key/IV failed"); + return 0; + } +@@ -391,53 +391,53 @@ + #ifdef EVP_CIPH_GCM_MODE + if ((mode == EVP_CIPH_GCM_MODE) || (mode == EVP_CIPH_CCM_MODE)) { + if (mode == EVP_CIPH_CCM_MODE) { +- if (!EVP_EncryptUpdate(&ctx, NULL, &len, NULL, srclen)) { ++ if (!EVP_EncryptUpdate(ctx, NULL, &len, NULL, srclen)) { + log_ssl_err("EncryptUpdate for datalen failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } + if ((aad != NULL) && (aadlen > 0)) { +- if (!EVP_EncryptUpdate(&ctx, NULL, &len, aad, aadlen)) { ++ if (!EVP_EncryptUpdate(ctx, NULL, &len, aad, aadlen)) { + log_ssl_err("EncryptUpdate for authdata failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } + } + #endif +- if (!EVP_EncryptUpdate(&ctx, dest, &len, src, srclen)) { ++ if (!EVP_EncryptUpdate(ctx, dest, &len, src, srclen)) { + log_ssl_err("EncryptUpdate for data failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + *destlen = len; +- if (!EVP_EncryptFinal_ex(&ctx, dest + *destlen, &len)) { ++ if (!EVP_EncryptFinal_ex(ctx, dest + *destlen, &len)) { + log_ssl_err("EncryptFinal failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + #ifdef EVP_CIPH_GCM_MODE + if (mode == EVP_CIPH_GCM_MODE) { +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, GCM_TAG_LEN, ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, GCM_TAG_LEN, + dest + *destlen)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for get tag failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + len += GCM_TAG_LEN; + } else if (mode == EVP_CIPH_CCM_MODE) { +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_GET_TAG, CCM_TAG_LEN, ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, CCM_TAG_LEN, + dest + *destlen)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for get tag failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + len += CCM_TAG_LEN; + } + #endif + *destlen += len; +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + + return 1; + } +@@ -453,7 +453,7 @@ + unsigned char *src, unsigned int srclen, + unsigned char *dest, unsigned int *destlen) + { +- EVP_CIPHER_CTX ctx; ++ EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher = get_cipher(keytype); + int mode, len, l_srclen; + +@@ -462,36 +462,36 @@ + return 0; + } + mode = EVP_CIPHER_mode(cipher); +- EVP_CIPHER_CTX_init(&ctx); +- if (!EVP_DecryptInit_ex(&ctx, cipher, NULL, NULL, NULL)) { ++ ctx = EVP_CIPHER_CTX_new(); ++ if (!EVP_DecryptInit_ex(ctx, cipher, NULL, NULL, NULL)) { + log_ssl_err("DecryptInit for cipher failed"); + return 0; + } + #ifdef EVP_CIPH_GCM_MODE + if (mode == EVP_CIPH_GCM_MODE) { + l_srclen = srclen - GCM_TAG_LEN; +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, GCM_IV_LEN, 0)) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, GCM_IV_LEN, 0)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for IVLEN failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_TAG, GCM_TAG_LEN, ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, GCM_TAG_LEN, + (void *)(src + l_srclen))) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for set tag failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } else if (mode == EVP_CIPH_CCM_MODE) { + l_srclen = srclen - CCM_TAG_LEN; +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_IVLEN, CCM_IV_LEN, 0)) { ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, CCM_IV_LEN, 0)) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for IVLEN failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } +- if (!EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_CCM_SET_TAG, CCM_TAG_LEN, ++ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, CCM_TAG_LEN, + (void *)(src + l_srclen))) { + log_ssl_err("EVP_CIPHER_CTX_ctrl for set tag failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } else { +@@ -500,7 +500,7 @@ + #else + l_srclen = srclen; + #endif +- if (!EVP_DecryptInit_ex(&ctx, NULL, NULL, key, IV)) { ++ if (!EVP_DecryptInit_ex(ctx, NULL, NULL, key, IV)) { + log_ssl_err("DecryptInit for key/IV failed"); + return 0; + } +@@ -508,40 +508,40 @@ + #ifdef EVP_CIPH_GCM_MODE + if ((mode == EVP_CIPH_GCM_MODE) || (mode == EVP_CIPH_CCM_MODE)) { + if (mode == EVP_CIPH_CCM_MODE) { +- if (!EVP_DecryptUpdate(&ctx, NULL, &len, NULL, l_srclen)) { ++ if (!EVP_DecryptUpdate(ctx, NULL, &len, NULL, l_srclen)) { + log_ssl_err("DecryptUpdate for datalen failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } + if ((aad != NULL) && (aadlen > 0)) { +- if (!EVP_DecryptUpdate(&ctx, NULL, &len, aad, aadlen)) { ++ if (!EVP_DecryptUpdate(ctx, NULL, &len, aad, aadlen)) { + log_ssl_err("DecryptUpdate for authdata failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + } + } + #endif +- if (!EVP_DecryptUpdate(&ctx, dest, &len, src, l_srclen)) { ++ if (!EVP_DecryptUpdate(ctx, dest, &len, src, l_srclen)) { + log_ssl_err("DecryptUpdate for data failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + *destlen = len; + #ifdef EVP_CIPH_CCM_MODE + if (mode != EVP_CIPH_CCM_MODE) { + #endif +- if (!EVP_DecryptFinal_ex(&ctx, dest + *destlen, &len)) { ++ if (!EVP_DecryptFinal_ex(ctx, dest + *destlen, &len)) { + log_ssl_err("DecryptFinal failed"); +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + return 0; + } + *destlen += len; + #ifdef EVP_CIPH_CCM_MODE + } + #endif +- EVP_CIPHER_CTX_cleanup(&ctx); ++ EVP_CIPHER_CTX_free(ctx); + + return 1; + } +@@ -569,30 +569,30 @@ + int hash(int hashtype, const unsigned char *src, unsigned int srclen, + unsigned char *dest, unsigned int *destlen) + { +- EVP_MD_CTX hashctx; ++ EVP_MD_CTX *hashctx; + const EVP_MD *hashptr = get_hash(hashtype); + + if (hashptr == NULL) { + log0(0, 0, 0, "Invalid hashtype"); + return 0; + } +- EVP_MD_CTX_init(&hashctx); +- if (!EVP_DigestInit_ex(&hashctx, hashptr, NULL)) { ++ hashctx = EVP_MD_CTX_new(); ++ if (!EVP_DigestInit_ex(hashctx, hashptr, NULL)) { + log_ssl_err("DigestInit failed"); +- EVP_MD_CTX_cleanup(&hashctx); ++ EVP_MD_CTX_free(hashctx); + return 0; + } +- if (!EVP_DigestUpdate(&hashctx, src, srclen)) { ++ if (!EVP_DigestUpdate(hashctx, src, srclen)) { + log_ssl_err("DigestUpdate failed"); +- EVP_MD_CTX_cleanup(&hashctx); ++ EVP_MD_CTX_free(hashctx); + return 0; + } +- if (!EVP_DigestFinal_ex(&hashctx, dest, (unsigned int *)destlen)) { ++ if (!EVP_DigestFinal_ex(hashctx, dest, (unsigned int *)destlen)) { + log_ssl_err("DigestUpdate failed"); +- EVP_MD_CTX_cleanup(&hashctx); ++ EVP_MD_CTX_free(hashctx); + return 0; + } +- EVP_MD_CTX_cleanup(&hashctx); ++ EVP_MD_CTX_free(hashctx); + + return 1; + } +@@ -770,6 +770,7 @@ + unsigned int meshashlen; + const EVP_MD *hashptr; + ECDSA_SIG *_sig; ++ const BIGNUM *r, *s; + uint16_t *rlen, *slen; + unsigned char *rval, *sval; + +@@ -790,14 +791,15 @@ + rlen = (uint16_t *)sig; + slen = (uint16_t *)(sig + sizeof(uint16_t)); + rval = (unsigned char *)slen + sizeof(uint16_t); +- sval = rval + BN_num_bytes(_sig->r); ++ ECDSA_SIG_get0(_sig, &r, &s); ++ sval = rval + BN_num_bytes(r); + + *siglen = ECDSA_siglen(ec); + memset(sig, 0, *siglen); +- *rlen = htons(BN_num_bytes(_sig->r)); +- *slen = htons(BN_num_bytes(_sig->s)); +- BN_bn2bin(_sig->r, rval); +- BN_bn2bin(_sig->s, sval); ++ *rlen = htons(BN_num_bytes(r)); ++ *slen = htons(BN_num_bytes(s)); ++ BN_bn2bin(r, rval); ++ BN_bn2bin(s, sval); + ECDSA_SIG_free(_sig); + return 1; + #else +@@ -818,6 +820,7 @@ + unsigned int meshashlen; + const EVP_MD *hashptr; + ECDSA_SIG *_sig; ++ BIGNUM *r, *s; + const uint16_t *rlen, *slen; + const unsigned char *rval, *sval; + +@@ -841,16 +844,19 @@ + } + + _sig = ECDSA_SIG_new(); +- if (BN_bin2bn(rval, ntohs(*rlen), _sig->r) == NULL) { ++ r = BN_bin2bn(rval, ntohs(*rlen), NULL); ++ if (r == NULL) { + log_ssl_err("BN_bn2bin failed for r"); + ECDSA_SIG_free(_sig); + return 0; + } +- if (BN_bin2bn(sval, ntohs(*slen), _sig->s) == NULL) { +- log_ssl_err("BN_bn2bin failed for r"); ++ s = BN_bin2bn(sval, ntohs(*slen), NULL); ++ if (s == NULL) { ++ log_ssl_err("BN_bn2bin failed for s"); + ECDSA_SIG_free(_sig); + return 0; + } ++ ECDSA_SIG_set0(_sig, r, s); + + if (!ECDSA_do_verify(meshash, meshashlen, _sig, ec)) { + log_ssl_err("ECDSA_do_verify failed"); +@@ -912,6 +918,7 @@ + { + const struct rsa_blob_t *rsablob; + const unsigned char *modulus; ++ BIGNUM *n, *e; + + rsablob = (const struct rsa_blob_t *)keyblob; + modulus = keyblob + sizeof(struct rsa_blob_t); +@@ -923,15 +930,20 @@ + + *rsa = RSA_new(); + +- if (((*rsa)->e = BN_bin2bn((const unsigned char *)&rsablob->exponent, +- 4, NULL)) == NULL) { ++ e = BN_bin2bn((const unsigned char *)&rsablob->exponent, 4, NULL); ++ if (e == NULL) { + log_ssl_err("BN_bin2bn failed for e"); + return 0; + } +- if (((*rsa)->n = BN_bin2bn(modulus, ntohs(rsablob->modlen),NULL)) == NULL) { ++ n = BN_bin2bn(modulus, ntohs(rsablob->modlen), NULL); ++ if (n == NULL) { + log_ssl_err("BN_bin2bn failed for n"); + return 0; + } ++ if (!RSA_set0_key(*rsa, n, e, NULL)) { ++ log_ssl_err("RSA_set0_key failed"); ++ return 0; ++ } + + return 1; + } +@@ -947,15 +959,17 @@ + unsigned char bin_exponent[4]; + uint32_t exponent; + int explen, modlen, i; ++ const BIGNUM *n, *e; + + rsablob = (struct rsa_blob_t *)keyblob; + modulus = keyblob + sizeof(struct rsa_blob_t); + +- if (BN_num_bytes(rsa->e) > sizeof(bin_exponent)) { ++ RSA_get0_key(rsa, &n, &e, NULL); ++ if (BN_num_bytes(e) > sizeof(bin_exponent)) { + log0(0, 0, 0, "exponent too big for export"); + return 0; + } +- if ((explen = BN_bn2bin(rsa->e, bin_exponent)) <= 0) { ++ if ((explen = BN_bn2bin(e, bin_exponent)) <= 0) { + log_ssl_err("BN_bn2bin failed for e"); + return 0; + } +@@ -968,7 +982,7 @@ + exponent |= bin_exponent[i] << (8 * (explen - i - 1)); + } + +- if ((modlen = BN_bn2bin(rsa->n, modulus)) <= 0) { ++ if ((modlen = BN_bn2bin(n, modulus)) <= 0) { + log_ssl_err("BN_bn2bin failed for n"); + return 0; + } diff --git a/debian/patches/series b/debian/patches/series index 83ea0ab..bd28ac0 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -3,3 +3,4 @@ use_buildflags.patch manpage_fold_lines.patch manpage_adjust_line.patch fix_manpage_style.patch +openssl1.1.patch
signature.asc
Description: PGP signature
