diff options
| author | Treehugger Robot <treehugger-gerrit@google.com> | 2021-08-25 20:13:35 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2021-08-25 20:13:35 +0000 |
| commit | f555767bc67b71eae23068ac609519ef8f417bda (patch) | |
| tree | cc8f925e06c68d99b5694a9d6b02385bfe82ce9a | |
| parent | cdd45746bb90807f157bd16595b3a92f7fd7cd15 (diff) | |
| parent | b4d6d4f5f11d3fde1e0469e17006a52b34cee421 (diff) | |
| download | ipsec-tools-f555767bc67b71eae23068ac609519ef8f417bda.tar.gz | |
Merge "Use accessors rather than reaching into BoringSSL structs."android-s-beta-5android-s-beta-5
| -rw-r--r-- | setup.c | 2 | ||||
| -rw-r--r-- | src/racoon/crypto_openssl.c | 192 | ||||
| -rw-r--r-- | src/racoon/crypto_openssl.h | 2 | ||||
| -rw-r--r-- | src/racoon/misc.c | 6 | ||||
| -rw-r--r-- | src/racoon/misc.h | 2 | ||||
| -rw-r--r-- | src/racoon/oakley.c | 2 |
6 files changed, 114 insertions, 92 deletions
@@ -674,7 +674,7 @@ int privsep_xauth_login_system(char *user, char *password) /* misc.h */ -int racoon_hexdump(void *data, size_t length) +int racoon_hexdump(const void *data, size_t length) { return 0; } diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c index cd6dc7b..b34b6dd 100644 --- a/src/racoon/crypto_openssl.c +++ b/src/racoon/crypto_openssl.c @@ -283,15 +283,19 @@ static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b) { int i; - if (a->length != b->length) - return (a->length - b->length); - - for (i=0; i<a->length; i++) + int a_length = ASN1_STRING_length(a); + int b_length = ASN1_STRING_length(b); + if (a_length != b_length) + return (a_length - b_length); + + const unsigned char *a_data = ASN1_STRING_get0_data(a); + const unsigned char *b_data = ASN1_STRING_get0_data(b); + for (i=0; i<a_length; i++) { int ca, cb; - ca = tolower(a->data[i]); - cb = tolower(b->data[i]); + ca = tolower(a_data[i]); + cb = tolower(b_data[i]); if (ca != cb) return(ca-cb); @@ -305,13 +309,13 @@ static int nocase_cmp(const ASN1_STRING *a, const ASN1_STRING *b) */ static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b) { - unsigned char *pa = NULL, *pb = NULL; + const unsigned char *pa = NULL, *pb = NULL; int la, lb; - la = a->length; - lb = b->length; - pa = a->data; - pb = b->data; + la = ASN1_STRING_length(a); + lb = ASN1_STRING_length(b); + pa = ASN1_STRING_get0_data(a); + pb = ASN1_STRING_get0_data(b); /* skip leading spaces */ while (la > 0 && isspace(*pa)) @@ -375,35 +379,37 @@ static int X509_NAME_wildcmp(const X509_NAME *a, const X509_NAME *b) int i,j; X509_NAME_ENTRY *na,*nb; - if (sk_X509_NAME_ENTRY_num(a->entries) - != sk_X509_NAME_ENTRY_num(b->entries)) - return sk_X509_NAME_ENTRY_num(a->entries) - -sk_X509_NAME_ENTRY_num(b->entries); - for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--) + if (X509_NAME_entry_count(a) + != X509_NAME_entry_count(b)) + return X509_NAME_entry_count(a) + -X509_NAME_entry_count(b); + for (i=X509_NAME_entry_count(a)-1; i>=0; i--) { - na=sk_X509_NAME_ENTRY_value(a->entries,i); - nb=sk_X509_NAME_ENTRY_value(b->entries,i); - j=OBJ_cmp(na->object,nb->object); + na=X509_NAME_get_entry(a,i); + nb=X509_NAME_get_entry(b,i); + j=OBJ_cmp(X509_NAME_ENTRY_get_object(na),X509_NAME_ENTRY_get_object(nb)); if (j) return(j); - if ((na->value->length == 1 && na->value->data[0] == '*') - || (nb->value->length == 1 && nb->value->data[0] == '*')) + const ASN1_STRING *na_value=X509_NAME_ENTRY_get_data(na); + const ASN1_STRING *nb_value=X509_NAME_ENTRY_get_data(nb); + if ((ASN1_STRING_length(na_value) == 1 && ASN1_STRING_get0_data(na_value)[0] == '*') + || (ASN1_STRING_length(nb_value) == 1 && ASN1_STRING_get0_data(nb_value)[0] == '*')) continue; - j=na->value->type-nb->value->type; + j=ASN1_STRING_type(na_value)-ASN1_STRING_type(nb_value); if (j) return(j); - if (na->value->type == V_ASN1_PRINTABLESTRING) - j=nocase_spacenorm_cmp(na->value, nb->value); - else if (na->value->type == V_ASN1_IA5STRING - && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress) - j=nocase_cmp(na->value, nb->value); + if (ASN1_STRING_type(na_value) == V_ASN1_PRINTABLESTRING) + j=nocase_spacenorm_cmp(na_value, nb_value); + else if (ASN1_STRING_type(na_value) == V_ASN1_IA5STRING + && OBJ_obj2nid(X509_NAME_ENTRY_get_object(na)) == NID_pkcs9_emailAddress) + j=nocase_cmp(na_value, nb_value); else { - j=na->value->length-nb->value->length; + j=ASN1_STRING_length(na_value)-ASN1_STRING_length(nb_value); if (j) return(j); - j=memcmp(na->value->data,nb->value->data, - na->value->length); + j=memcmp(ASN1_STRING_get0_data(na_value),ASN1_STRING_get0_data(nb_value), + ASN1_STRING_length(na_value)); } if (j) return(j); - j=na->set-nb->set; + j=X509_NAME_ENTRY_set(na)-X509_NAME_ENTRY_set(nb); if (j) return(j); } @@ -573,7 +579,7 @@ cb_check_cert_local(ok, ctx) if (!ok) { X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert), + X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), buf, 256); /* @@ -581,7 +587,8 @@ cb_check_cert_local(ok, ctx) * ok if they are self signed. But we should still warn * the user. */ - switch (ctx->error) { + int error = X509_STORE_CTX_get_error(ctx); + switch (error) { case X509_V_ERR_CERT_HAS_EXPIRED: case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_INVALID_CA: @@ -596,9 +603,9 @@ cb_check_cert_local(ok, ctx) } plog(log_tag, LOCATION, NULL, "%s(%d) at depth:%d SubjectName:%s\n", - X509_verify_cert_error_string(ctx->error), - ctx->error, - ctx->error_depth, + X509_verify_cert_error_string(error), + error, + X509_STORE_CTX_get_error_depth(ctx), buf); } ERR_clear_error(); @@ -620,10 +627,11 @@ cb_check_cert_remote(ok, ctx) if (!ok) { X509_NAME_oneline( - X509_get_subject_name(ctx->current_cert), + X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)), buf, 256); - switch (ctx->error) { + int error = X509_STORE_CTX_get_error(ctx); + switch (error) { case X509_V_ERR_UNABLE_TO_GET_CRL: ok = 1; log_tag = LLV_WARNING; @@ -633,9 +641,9 @@ cb_check_cert_remote(ok, ctx) } plog(log_tag, LOCATION, NULL, "%s(%d) at depth:%d SubjectName:%s\n", - X509_verify_cert_error_string(ctx->error), - ctx->error, - ctx->error_depth, + X509_verify_cert_error_string(error), + error, + X509_STORE_CTX_get_error_depth(ctx), buf); } ERR_clear_error(); @@ -662,13 +670,13 @@ eay_get_x509asn1subjectname(cert) goto error; /* get the length of the name */ - len = i2d_X509_NAME(x509->cert_info->subject, NULL); + len = i2d_X509_NAME(X509_get_subject_name(x509), NULL); name = vmalloc(len); if (!name) goto error; /* get the name */ bp = (unsigned char *) name->v; - len = i2d_X509_NAME(x509->cert_info->subject, &bp); + len = i2d_X509_NAME(X509_get_subject_name(x509), &bp); X509_free(x509); @@ -726,38 +734,37 @@ eay_get_x509subjectaltname(cert, altname, type, pos) gen->type == GEN_URI ) { /* make sure if the data is terminated by '\0'. */ - if (gen->d.ia5->data[gen->d.ia5->length] != '\0') + if (ASN1_STRING_get0_data(gen->d.ia5)[ASN1_STRING_length(gen->d.ia5)] != '\0') { plog(LLV_ERROR, LOCATION, NULL, "data is not terminated by NUL."); - racoon_hexdump(gen->d.ia5->data, gen->d.ia5->length + 1); + racoon_hexdump(ASN1_STRING_get0_data(gen->d.ia5), ASN1_STRING_length(gen->d.ia5) + 1); goto end; } - len = gen->d.ia5->length + 1; + len = ASN1_STRING_length(gen->d.ia5) + 1; *altname = racoon_malloc(len); if (!*altname) goto end; - strlcpy(*altname, (char *) gen->d.ia5->data, len); + strlcpy(*altname, (const char *) ASN1_STRING_get0_data(gen->d.ia5), len); *type = gen->type; error = 0; } /* read IP address */ else if (gen->type == GEN_IPADD) { - unsigned char p[5], *ip; - ip = p; + const unsigned char *ip; /* only support IPv4 */ - if (gen->d.ip->length != 4) + if (ASN1_STRING_length(gen->d.ip) != 4) goto end; /* convert Octet String to String * XXX ??????? */ /*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/ - ip = gen->d.ip->data; + ip = ASN1_STRING_get0_data(gen->d.ip); /* XXX Magic, enough for an IPv4 address */ @@ -976,7 +983,7 @@ eay_check_x509sign(source, sig, cert) return -1; } - res = eay_rsa_verify(source, sig, evp->pkey.rsa); + res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp)); EVP_PKEY_free(evp); X509_free(x509); @@ -1131,7 +1138,7 @@ eay_get_x509sign(src, privkey) if (evp == NULL) return NULL; - sig = eay_rsa_sign(src, evp->pkey.rsa); + sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); EVP_PKEY_free(evp); @@ -2458,7 +2465,7 @@ eay_dh_generate(prime, g, publen, pub, priv) u_int publen; u_int32_t g; { - BIGNUM *p = NULL; + BIGNUM *p = NULL, *g_bn = NULL; DH *dh = NULL; int error = -1; @@ -2469,20 +2476,18 @@ eay_dh_generate(prime, g, publen, pub, priv) if ((dh = DH_new()) == NULL) goto end; - dh->p = p; - p = NULL; /* p is now part of dh structure */ - dh->g = NULL; - if ((dh->g = BN_new()) == NULL) + if ((g_bn = BN_new()) == NULL) + goto end; + if (!BN_set_word(g_bn, g)) goto end; - if (!BN_set_word(dh->g, g)) + if (!DH_set0_pqg(dh, p, NULL, g_bn)) goto end; + /* DH_set0_pqg takes ownership on success. */ + p = NULL; + g_bn = NULL; if (publen != 0) { -#if defined(OPENSSL_IS_BORINGSSL) - dh->priv_length = publen; -#else - dh->length = publen; -#endif + DH_set_length(dh, publen); } /* generate public and private number */ @@ -2490,9 +2495,9 @@ eay_dh_generate(prime, g, publen, pub, priv) goto end; /* copy results to buffers */ - if (eay_bn2v(pub, dh->pub_key) < 0) + if (eay_bn2v(pub, DH_get0_pub_key(dh)) < 0) goto end; - if (eay_bn2v(priv, dh->priv_key) < 0) { + if (eay_bn2v(priv, DH_get0_priv_key(dh)) < 0) { vfree(*pub); goto end; } @@ -2502,8 +2507,10 @@ eay_dh_generate(prime, g, publen, pub, priv) end: if (dh != NULL) DH_free(dh); - if (p != 0) + if (p != NULL) BN_free(p); + if (g_bn != NULL) + BN_free(g_bn); return(error); } @@ -2513,39 +2520,48 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) u_int32_t g; { BIGNUM *dh_pub = NULL; + BIGNUM *dh_pub2 = NULL; + BIGNUM *dh_priv = NULL; + BIGNUM *dh_p = NULL; + BIGNUM *dh_g = NULL; DH *dh = NULL; int l; unsigned char *v = NULL; int error = -1; /* make public number to compute */ - if (eay_v2bn(&dh_pub, pub2) < 0) + if (eay_v2bn(&dh_pub2, pub2) < 0) goto end; /* make DH structure */ if ((dh = DH_new()) == NULL) goto end; - if (eay_v2bn(&dh->p, prime) < 0) + if (eay_v2bn(&dh_p, prime) < 0) goto end; - if (eay_v2bn(&dh->pub_key, pub) < 0) + if (eay_v2bn(&dh_pub, pub) < 0) goto end; - if (eay_v2bn(&dh->priv_key, priv) < 0) + if (eay_v2bn(&dh_priv, priv) < 0) goto end; -#if defined(OPENSSL_IS_BORINGSSL) - dh->priv_length = pub2->l * 8; -#else - dh->length = pub2->l * 8; -#endif + DH_set_length(dh, pub2->l * 8); - dh->g = NULL; - if ((dh->g = BN_new()) == NULL) + if ((dh_g = BN_new()) == NULL) + goto end; + if (!BN_set_word(dh_g, g)) goto end; - if (!BN_set_word(dh->g, g)) + if (!DH_set0_pqg(dh, dh_p, NULL, dh_g)) goto end; + /* DH_set0_pqg takes ownership on success. */ + dh_p = NULL; + dh_g = NULL; + if (!DH_set0_key(dh, dh_pub, dh_priv)) + goto end; + /* DH_set0_key takes ownership on success. */ + dh_pub = NULL; + dh_priv = NULL; if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL) goto end; - if ((l = DH_compute_key(v, dh_pub, dh)) == -1) + if ((l = DH_compute_key(v, dh_pub2, dh)) == -1) goto end; memcpy((*key)->v + (prime->l - l), v, l); @@ -2554,6 +2570,14 @@ eay_dh_compute(prime, g, pub, priv, pub2, key) end: if (dh_pub != NULL) BN_free(dh_pub); + if (dh_pub2 != NULL) + BN_free(dh_pub2); + if (dh_priv != NULL) + BN_free(dh_priv); + if (dh_p != NULL) + BN_free(dh_p); + if (dh_g != NULL) + BN_free(dh_g); if (dh != NULL) DH_free(dh); if (v != NULL) @@ -2588,7 +2612,7 @@ eay_v2bn(bn, var) int eay_bn2v(var, bn) vchar_t **var; - BIGNUM *bn; + const BIGNUM *bn; { #if defined(ANDROID_CHANGES) *var = vmalloc(BN_num_bytes(bn)); @@ -2732,7 +2756,7 @@ binbuf_pubkey2rsa(vchar_t *binbuf) binbuf->l - binbuf->v[0] - 1, NULL); rsa_pub = RSA_new(); - if (!exp || !mod || !rsa_pub) { + if (!exp || !mod || !rsa_pub || !RSA_set0_key(rsa_pub, mod, exp, NULL)) { plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey parsing error: %s\n", eay_strerror()); if (exp) BN_free(exp); @@ -2743,10 +2767,8 @@ binbuf_pubkey2rsa(vchar_t *binbuf) rsa_pub = NULL; goto out; } + /* RSA_set0_key takes ownership of mod and exp on success. */ - rsa_pub->n = mod; - rsa_pub->e = exp; - out: return rsa_pub; } diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h index 9a17de8..983ffe5 100644 --- a/src/racoon/crypto_openssl.h +++ b/src/racoon/crypto_openssl.h @@ -224,7 +224,7 @@ RSA *bignum_pubkey2rsa(BIGNUM *in); extern int eay_revbnl __P((vchar_t *)); #include <openssl/bn.h> extern int eay_v2bn __P((BIGNUM **, vchar_t *)); -extern int eay_bn2v __P((vchar_t **, BIGNUM *)); +extern int eay_bn2v __P((vchar_t **, const BIGNUM *)); extern const char *eay_version __P((void)); diff --git a/src/racoon/misc.c b/src/racoon/misc.c index 4daa0ed..18a4f19 100644 --- a/src/racoon/misc.c +++ b/src/racoon/misc.c @@ -74,10 +74,10 @@ bindump(buf0, len) int racoon_hexdump(buf0, len) - void *buf0; + const void *buf0; size_t len; { - caddr_t buf = (caddr_t)buf0; + const unsigned char *buf = buf0; size_t i; for (i = 0; i < len; i++) { @@ -85,7 +85,7 @@ racoon_hexdump(buf0, len) printf("\n"); if (i % 4 == 0) printf(" "); - printf("%02x", (unsigned char)buf[i]); + printf("%02x", buf[i]); } printf("\n"); diff --git a/src/racoon/misc.h b/src/racoon/misc.h index 66e42b1..4979802 100644 --- a/src/racoon/misc.h +++ b/src/racoon/misc.h @@ -42,7 +42,7 @@ #define LOCATION debug_location(__FILE__, __LINE__, NULL) #endif -extern int racoon_hexdump __P((void *, size_t)); +extern int racoon_hexdump __P((const void *, size_t)); extern char *bit2str __P((int, int)); extern void *get_newbuf __P((void *, size_t)); extern const char *debug_location __P((const char *, int, const char *)); diff --git a/src/racoon/oakley.c b/src/racoon/oakley.c index 6cdd82a..5b6ad46 100644 --- a/src/racoon/oakley.c +++ b/src/racoon/oakley.c @@ -1846,7 +1846,7 @@ static vchar_t* keystore_sign(vchar_t* src, const char* path) { } if (EVP_PKEY_id(evp) == EVP_PKEY_RSA) { - sig = eay_rsa_sign(src, evp->pkey.rsa); + sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp)); } out: |