From 749384a154025e268b53cf3cc79eaeddde2b3ceb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= <debian@jff-webhosting.net>
Date: Tue, 27 Jun 2017 13:56:16 +0200
Subject: initial stretch branch release 2.4.0-6

---
 src/openvpn/ssl_openssl.c | 107 +++++++++++++++++++---------------------------
 1 file changed, 44 insertions(+), 63 deletions(-)

(limited to 'src/openvpn/ssl_openssl.c')

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index e589dcd..eae1e22 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -17,9 +17,10 @@
  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  *  GNU General Public License for more details.
  *
- *  You should have received a copy of the GNU General Public License along
- *  with this program; if not, write to the Free Software Foundation, Inc.,
- *  51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program (see the file COPYING included with this
+ *  distribution); if not, write to the Free Software Foundation, Inc.,
+ *  59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
 /**
@@ -44,7 +45,6 @@
 #include "ssl_backend.h"
 #include "ssl_common.h"
 #include "base64.h"
-#include "openssl_compat.h"
 
 #ifdef ENABLE_CRYPTOAPI
 #include "cryptoapi.h"
@@ -321,8 +321,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 
     /* Translate IANA cipher suite names to OpenSSL names */
     begin_of_cipher = end_of_cipher = 0;
-    for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher)
-    {
+    for (; begin_of_cipher < strlen(ciphers); begin_of_cipher = end_of_cipher) {
         end_of_cipher += strcspn(&ciphers[begin_of_cipher], ":");
         cipher_pair = tls_get_cipher_name_pair(&ciphers[begin_of_cipher], end_of_cipher - begin_of_cipher);
 
@@ -354,8 +353,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
         }
 
         /* Make sure new cipher name fits in cipher string */
-        if ((SIZE_MAX - openssl_ciphers_len) < current_cipher_len
-            || ((sizeof(openssl_ciphers)-1) < openssl_ciphers_len + current_cipher_len))
+        if (((sizeof(openssl_ciphers)-1) - openssl_ciphers_len) < current_cipher_len)
         {
             msg(M_FATAL,
                 "Failed to set restricted TLS cipher list, too long (>%d).",
@@ -509,18 +507,10 @@ tls_ctx_load_ecdh_params(struct tls_root_ctx *ctx, const char *curve_name
         const EC_GROUP *ecgrp = NULL;
         EVP_PKEY *pkey = NULL;
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
-        pkey = SSL_CTX_get0_privatekey(ctx->ctx);
-#else
         /* Little hack to get private key ref from SSL_CTX, yay OpenSSL... */
-        SSL *ssl = SSL_new(ctx->ctx);
-        if (!ssl)
-        {
-            crypto_msg(M_FATAL, "SSL_new failed");
-        }
-        pkey = SSL_get_privatekey(ssl);
-        SSL_free(ssl);
-#endif
+        SSL ssl;
+        ssl.cert = ctx->ctx->cert;
+        pkey = SSL_get_privatekey(&ssl);
 
         msg(D_TLS_DEBUG, "Extracting ECDH curve from private key");
 
@@ -659,8 +649,7 @@ tls_ctx_load_pkcs12(struct tls_root_ctx *ctx, const char *pkcs12_file,
         {
             for (i = 0; i < sk_X509_num(ca); i++)
             {
-                X509_STORE *cert_store = SSL_CTX_get_cert_store(ctx->ctx);
-                if (!X509_STORE_add_cert(cert_store,sk_X509_value(ca, i)))
+                if (!X509_STORE_add_cert(ctx->ctx->cert_store,sk_X509_value(ca, i)))
                 {
                     crypto_msg(M_FATAL,"Cannot add certificate to certificate chain (X509_STORE_add_cert)");
                 }
@@ -762,9 +751,8 @@ tls_ctx_load_cert_file_and_copy(struct tls_root_ctx *ctx,
         goto end;
     }
 
-    x = PEM_read_bio_X509(in, NULL,
-                          SSL_CTX_get_default_passwd_cb(ctx->ctx),
-                          SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
+    x = PEM_read_bio_X509(in, NULL, ctx->ctx->default_passwd_callback,
+                          ctx->ctx->default_passwd_callback_userdata);
     if (x == NULL)
     {
         SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_FILE, ERR_R_PEM_LIB);
@@ -846,8 +834,8 @@ tls_ctx_load_priv_file(struct tls_root_ctx *ctx, const char *priv_key_file,
     }
 
     pkey = PEM_read_bio_PrivateKey(in, NULL,
-                                   SSL_CTX_get_default_passwd_cb(ctx->ctx),
-                                   SSL_CTX_get_default_passwd_cb_userdata(ctx->ctx));
+                                   ssl_ctx->default_passwd_callback,
+                                   ssl_ctx->default_passwd_callback_userdata);
     if (!pkey)
     {
         goto end;
@@ -900,15 +888,15 @@ backend_tls_ctx_reload_crl(struct tls_root_ctx *ssl_ctx, const char *crl_file,
     /* Always start with a cleared CRL list, for that we
      * we need to manually find the CRL object from the stack
      * and remove it */
-    STACK_OF(X509_OBJECT) *objs = X509_STORE_get0_objects(store);
-    for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
+    for (int i = 0; i < sk_X509_OBJECT_num(store->objs); i++)
     {
-        X509_OBJECT *obj = sk_X509_OBJECT_value(objs, i);
+        X509_OBJECT *obj = sk_X509_OBJECT_value(store->objs, i);
         ASSERT(obj);
-        if (X509_OBJECT_get_type(obj) == X509_LU_CRL)
+        if (obj->type == X509_LU_CRL)
         {
-            sk_X509_OBJECT_delete(objs, i);
-            X509_OBJECT_free(obj);
+            sk_X509_OBJECT_delete(store->objs, i);
+            X509_OBJECT_free_contents(obj);
+            OPENSSL_free(obj);
         }
     }
 
@@ -976,13 +964,10 @@ rsa_priv_dec(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
 
 /* called at RSA_free */
 static int
-openvpn_extkey_rsa_finish(RSA *rsa)
+rsa_finish(RSA *rsa)
 {
-    /* meth was allocated in tls_ctx_use_external_private_key() ; since
-     * this function is called when the parent RSA object is destroyed,
-     * it is no longer used after this point so kill it. */
-    const RSA_METHOD *meth = RSA_get_method(rsa);
-    RSA_meth_free((RSA_METHOD *)meth);
+    free((void *)rsa->meth);
+    rsa->meth = NULL;
     return 1;
 }
 
@@ -998,7 +983,7 @@ rsa_priv_enc(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, i
 
     if (padding != RSA_PKCS1_PADDING)
     {
-        RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
+        RSAerr(RSA_F_RSA_EAY_PRIVATE_ENCRYPT, RSA_R_UNKNOWN_PADDING_TYPE);
         goto done;
     }
 
@@ -1056,16 +1041,16 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
     ASSERT(NULL != cert);
 
     /* allocate custom RSA method object */
-    rsa_meth = RSA_meth_new("OpenVPN external private key RSA Method",
-                            RSA_METHOD_FLAG_NO_CHECK);
-    check_malloc_return(rsa_meth);
-    RSA_meth_set_pub_enc(rsa_meth, rsa_pub_enc);
-    RSA_meth_set_pub_dec(rsa_meth, rsa_pub_dec);
-    RSA_meth_set_priv_enc(rsa_meth, rsa_priv_enc);
-    RSA_meth_set_priv_dec(rsa_meth, rsa_priv_dec);
-    RSA_meth_set_init(rsa_meth, NULL);
-    RSA_meth_set_finish(rsa_meth, openvpn_extkey_rsa_finish);
-    RSA_meth_set0_app_data(rsa_meth, NULL);
+    ALLOC_OBJ_CLEAR(rsa_meth, RSA_METHOD);
+    rsa_meth->name = "OpenVPN external private key RSA Method";
+    rsa_meth->rsa_pub_enc = rsa_pub_enc;
+    rsa_meth->rsa_pub_dec = rsa_pub_dec;
+    rsa_meth->rsa_priv_enc = rsa_priv_enc;
+    rsa_meth->rsa_priv_dec = rsa_priv_dec;
+    rsa_meth->init = NULL;
+    rsa_meth->finish = rsa_finish;
+    rsa_meth->flags = RSA_METHOD_FLAG_NO_CHECK;
+    rsa_meth->app_data = NULL;
 
     /* allocate RSA object */
     rsa = RSA_new();
@@ -1076,16 +1061,12 @@ tls_ctx_use_external_private_key(struct tls_root_ctx *ctx,
     }
 
     /* get the public key */
-    EVP_PKEY *pkey = X509_get0_pubkey(cert);
-    ASSERT(pkey); /* NULL before SSL_CTX_use_certificate() is called */
-    pub_rsa = EVP_PKEY_get0_RSA(pkey);
+    ASSERT(cert->cert_info->key->pkey); /* NULL before SSL_CTX_use_certificate() is called */
+    pub_rsa = cert->cert_info->key->pkey->pkey.rsa;
 
     /* initialize RSA object */
-    const BIGNUM *n = NULL;
-    const BIGNUM *e = NULL;
-    RSA_get0_key(pub_rsa, &n, &e, NULL);
-    RSA_set0_key(rsa, BN_dup(n), BN_dup(e), NULL);
-    RSA_set_flags(rsa, RSA_flags(rsa) | RSA_FLAG_EXT_PKEY);
+    rsa->n = BN_dup(pub_rsa->n);
+    rsa->flags |= RSA_FLAG_EXT_PKEY;
     if (!RSA_set_method(rsa, rsa_meth))
     {
         goto err;
@@ -1686,17 +1667,17 @@ print_details(struct key_state_ssl *ks_ssl, const char *prefix)
         EVP_PKEY *pkey = X509_get_pubkey(cert);
         if (pkey != NULL)
         {
-            if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA && EVP_PKEY_get0_RSA(pkey) != NULL)
+            if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
+                && pkey->pkey.rsa->n != NULL)
             {
-                RSA *rsa = EVP_PKEY_get0_RSA(pkey);
                 openvpn_snprintf(s2, sizeof(s2), ", %d bit RSA",
-                                 RSA_bits(rsa));
+                                 BN_num_bits(pkey->pkey.rsa->n));
             }
-            else if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA && EVP_PKEY_get0_DSA(pkey) != NULL)
+            else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
+                     && pkey->pkey.dsa->p != NULL)
             {
-                DSA *dsa = EVP_PKEY_get0_DSA(pkey);
                 openvpn_snprintf(s2, sizeof(s2), ", %d bit DSA",
-                                 DSA_bits(dsa));
+                                 BN_num_bits(pkey->pkey.dsa->p));
             }
             EVP_PKEY_free(pkey);
         }
-- 
cgit v1.2.3