Get the MAC secret size from the cipher, rather than reaching into libssl internals. This effectively takes the OpenSSL 1.1 code path instead of the OpenSSL 1.0 code path, and will allow for further libssl clean up. While here, use some additional OpenSSL 1.1 code paths and make const-related changes.
ok?
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/freeradius3/Makefile,v
retrieving revision 1.32
diff -u -p -u -p -r1.32 Makefile
--- Makefile 19 Apr 2018 20:48:31 -0000 1.32
+++ Makefile 22 Oct 2018 16:23:56 -0000
@@ -12,6 +12,7 @@ COMMENT-pgsql= freeradius pgsql rlm addo
 COMMENT-python= freeradius python rlm addon
 V= 3.0.17
+REVISION= 0
 DISTNAME= freeradius-server-$V
 EXTRACT_SUFX= .tar.bz2
Index: patches/patch-src_main_tls_c
===================================================================
RCS file: /cvs/ports/net/freeradius3/patches/patch-src_main_tls_c,v
retrieving revision 1.5
diff -u -p -u -p -r1.5 patch-src_main_tls_c
--- patches/patch-src_main_tls_c 19 Apr 2018 20:48:31 -0000 1.5
+++ patches/patch-src_main_tls_c 22 Oct 2018 16:23:56 -0000
@@ -3,7 +3,37 @@ $OpenBSD: patch-src_main_tls_c,v 1.5 201 Index: src/main/tls.c --- src/main/tls.c.orig +++ src/main/tls.c -@@ -3015,7 +3015,7 @@ post_ca: +@@ -1510,7 +1510,8 @@ done: + return 0; + } + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2080000fL) + static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy) + #else + static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy) +@@ -2060,7 +2061,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + char cn_str[1024]; + char buf[64]; + X509 *client_cert; +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2080000fL) + const STACK_OF(X509_EXTENSION) *ext_list; + #else + STACK_OF(X509_EXTENSION) *ext_list; +@@ -2262,7 +2264,8 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + } + + if (lookup == 0) { +-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL) + ext_list = X509_get0_extensions(client_cert); + #else + X509_CINF *client_inf; +@@ -3015,7 +3018,7 @@ post_ca: return NULL; } @@ -12,7 +42,7 @@ Index: src/main/tls.c if (!SSL_CTX_set_max_proto_version(ctx, max_version)) { ERROR("Failed setting TLS maximum version"); return NULL; -@@ -3035,7 +3035,7 @@ post_ca: +@@ -3035,7 +3038,7 @@ post_ca: #ifdef SSL_OP_NO_TLSv1 if (conf->disable_tlsv1) { ctx_options |= SSL_OP_NO_TLSv1; 
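Review bot: In cbtls_verify the declaration of `ext_list` is gated on LibreSSL `>= 0x2080000fL` but its assignment from `X509_get0_extensions(client_cert)` is gated on `>= 0x2070000fL`, so a LibreSSL 2.7.x build declares a non-const `STACK_OF(X509_EXTENSION) *ext_list` and then assigns it from an accessor that, if it returns `const STACK_OF(X509_EXTENSION) *` as in OpenSSL 1.1, will trigger a discarded-qualifiers warning (or an error under -Werror). Unless the 2.8 threshold on the declaration is deliberate, the two conditions should agree: `(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL)` on the declaration as well. The mix of 2.7 and 2.8 thresholds across this hunk is presumably intentional (accessors available from 2.7, const-qualified callback prototypes only from 2.8), but nothing records that; a one-line note in the patch header, e.g. `LibreSSL 2.7 adds the OpenSSL 1.1 accessors; 2.8 also const-qualifies the callback prototypes, hence the two thresholds.`, would save the next update from guessing. Both cbtls_get_session and cbtls_verify start and end outside the visible inner hunks.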
@@ -21,7 +51,7 @@ Index: src/main/tls.c WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1"); #endif } -@@ -3045,7 +3045,7 @@ post_ca: +@@ -3045,7 +3048,7 @@ post_ca: #ifdef SSL_OP_NO_TLSv1_1 if (conf->disable_tlsv1_1) { ctx_options |= SSL_OP_NO_TLSv1_1; @@ -30,7 +60,7 @@ Index: src/main/tls.c WARN("Please use tls_min_version and tls_max_version instead of disable_tlsv1_2"); #endif } -@@ -3056,7 +3056,7 @@ post_ca: +@@ -3056,7 +3059,7 @@ post_ca: if (conf->disable_tlsv1_2) { ctx_options |= SSL_OP_NO_TLSv1_2; Index: patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_eap_fast_c =================================================================== RCS file: patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_eap_fast_c diff -N patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_eap_fast_c --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_eap_fast_c 22 Oct 2018 16:23:56 -0000 @@ -0,0 +1,15 @@ +$OpenBSD$ + +Index: src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c +--- src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c.orig ++++ src/modules/rlm_eap/types/rlm_eap_fast/eap_fast.c +@@ -44,7 +44,8 @@ static int openssl_get_keyblock_size(REQUEST *request, + { + const EVP_CIPHER *c; + const EVP_MD *h; +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) + int md_size; + + if (ssl->enc_read_ctx == NULL || ssl->enc_read_ctx->cipher == NULL || Index: patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_rlm_eap_fast_c =================================================================== RCS file: patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_rlm_eap_fast_c diff -N patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_rlm_eap_fast_c 
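Review bot: The `#else` branch of openssl_get_keyblock_size that LibreSSL 2.7 and later now take is outside this hunk, and it needs checking before the threshold lands: if it derives the MAC digest from the negotiated cipher (for instance via the cipher's digest NID), an AEAD suite yields no digest and a NULL `EVP_MD *`, so there must be a NULL check before the size is taken from `h`, otherwise EAP-FAST key derivation with a GCM/CHACHA suite dereferences NULL. The retained pre-2.7 branch still dereferences `ssl->enc_read_ctx->cipher`, so the port keeps depending on libssl's private struct layout for older LibreSSL; a comment on the `#if`, such as `/* LibreSSL < 2.7 has no SSL_get_current_cipher()-style accessors, so peek at the read context directly */`, would make the reason for the split visible. Only the opening brace and declarations of the function are in the hunk; its body continues outside it.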
--- /dev/null 1 Jan 1970 00:00:00 -0000 +++ patches/patch-src_modules_rlm_eap_types_rlm_eap_fast_rlm_eap_fast_c 22 Oct 2018 16:23:56 -0000 @@ -0,0 +1,25 @@ +$OpenBSD$ + +Index: src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +--- src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c.orig ++++ src/modules/rlm_eap/types/rlm_eap_fast/rlm_eap_fast.c +@@ -181,7 +181,8 @@ static void eap_fast_session_ticket(tls_session_t *tls + } + + // hostap:src/crypto/tls_openssl.c:tls_sess_sec_cb() +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2080000fL) + static int _session_secret(SSL *s, void *secret, int *secret_len, + UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, + UNUSED SSL_CIPHER **cipher, void *arg) +@@ -205,7 +206,8 @@ static int _session_secret(SSL *s, void *secret, int * + + RDEBUG("processing PAC-Opaque"); + +-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER < 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x2070000fL) + eap_fast_session_ticket(tls_session, s->s3->client_random, s->s3->server_random, secret, secret_len); + #else + uint8_t client_random[SSL3_RANDOM_SIZE]; Index: patches/patch-src_modules_rlm_realm_trustrouter_c =================================================================== RCS file: /cvs/ports/net/freeradius3/patches/patch-src_modules_rlm_realm_trustrouter_c,v retrieving revision 1.1 diff -u -p -u -p -r1.1 patch-src_modules_rlm_realm_trustrouter_c --- patches/patch-src_modules_rlm_realm_trustrouter_c 16 Jan 2018 13:47:46 -0000 1.1 +++ patches/patch-src_modules_rlm_realm_trustrouter_c 22 Oct 2018 16:23:56 -0000 
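Review bot: The two `#if` conditions in this hunk gate the same function, `_session_secret`, on different LibreSSL versions: its prototype switches to the const `STACK_OF(SSL_CIPHER)` form at 2.8 while the client/server random access switches at 2.7, so a 2.7.x build combines the old prototype with the new accessor path. That is presumably fine (matching whatever prototype LibreSSL 2.7's `SSL_set_session_secret_cb` expects), but it is not obvious from the patch; a comment on the second `#if`, e.g. `/* random accessors exist from LibreSSL 2.7, the const callback prototype only from 2.8 */`, would record why the thresholds differ. The `#else` path that fills `client_random` and the rest of `_session_secret` are outside this hunk, and `eap_fast_session_ticket` is only reached through it, so the new path's handling of `secret`/`secret_len` could not be reviewed here.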
@@ -3,21 +3,23 @@ $OpenBSD: patch-src_modules_rlm_realm_tr Index: src/modules/rlm_realm/trustrouter.c --- src/modules/rlm_realm/trustrouter.c.orig +++ src/modules/rlm_realm/trustrouter.c -@@ -279,7 +279,7 @@ static fr_tls_server_conf_t *construct_tls(TIDC_INSTAN +@@ -279,7 +279,8 @@ static fr_tls_server_conf_t *construct_tls(TIDC_INSTAN ssize_t keylen; char *hexbuf = NULL; DH *aaa_server_dh; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL) const BIGNUM *dh_pubkey = NULL; #endif -@@ -287,7 +287,7 @@ static fr_tls_server_conf_t *construct_tls(TIDC_INSTAN +@@ -287,7 +288,8 @@ static fr_tls_server_conf_t *construct_tls(TIDC_INSTAN if (!tls) return NULL; aaa_server_dh = tid_srvr_get_dh(server); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L -+#if OPENSSL_VERSION_NUMBER >= 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) ++#if OPENSSL_VERSION_NUMBER >= 0x10100000L || \ ++ (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x2070000fL) DH_get0_key(aaa_server_dh, &dh_pubkey, NULL); if (NULL == dh_pubkey) { DEBUG2("DH error");
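Review bot: `aaa_server_dh` is passed straight from `tid_srvr_get_dh(server)` into `DH_get0_key()` without a NULL check, and the accessor-based path this hunk now enables for LibreSSL 2.7+ will dereference it; only `dh_pubkey` is checked afterwards. If `tid_srvr_get_dh()` can return NULL (I cannot tell from the hunk), add `if (!aaa_server_dh) { DEBUG2("DH error"); return NULL; }` — or whatever cleanup the existing `dh_pubkey == NULL` branch performs — immediately after the assignment. construct_tls begins and ends outside this hunk, so the error-path cleanup it uses is not visible here.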