head 1.8; access; symbols pkgsrc-2026Q1:1.8.0.48 pkgsrc-2026Q1-base:1.8 pkgsrc-2025Q4:1.8.0.46 pkgsrc-2025Q4-base:1.8 pkgsrc-2025Q3:1.8.0.44 pkgsrc-2025Q3-base:1.8 pkgsrc-2025Q2:1.8.0.42 pkgsrc-2025Q2-base:1.8 pkgsrc-2025Q1:1.8.0.40 pkgsrc-2025Q1-base:1.8 pkgsrc-2024Q4:1.8.0.38 pkgsrc-2024Q4-base:1.8 pkgsrc-2024Q3:1.8.0.36 pkgsrc-2024Q3-base:1.8 pkgsrc-2024Q2:1.8.0.34 pkgsrc-2024Q2-base:1.8 pkgsrc-2024Q1:1.8.0.32 pkgsrc-2024Q1-base:1.8 pkgsrc-2023Q4:1.8.0.30 pkgsrc-2023Q4-base:1.8 pkgsrc-2023Q3:1.8.0.28 pkgsrc-2023Q3-base:1.8 pkgsrc-2023Q2:1.8.0.26 pkgsrc-2023Q2-base:1.8 pkgsrc-2023Q1:1.8.0.24 pkgsrc-2023Q1-base:1.8 pkgsrc-2022Q4:1.8.0.22 pkgsrc-2022Q4-base:1.8 pkgsrc-2022Q3:1.8.0.20 pkgsrc-2022Q3-base:1.8 pkgsrc-2022Q2:1.8.0.18 pkgsrc-2022Q2-base:1.8 pkgsrc-2022Q1:1.8.0.16 pkgsrc-2022Q1-base:1.8 pkgsrc-2021Q4:1.8.0.14 pkgsrc-2021Q4-base:1.8 pkgsrc-2021Q3:1.8.0.12 pkgsrc-2021Q3-base:1.8 pkgsrc-2021Q2:1.8.0.10 pkgsrc-2021Q2-base:1.8 pkgsrc-2021Q1:1.8.0.8 pkgsrc-2021Q1-base:1.8 pkgsrc-2020Q4:1.8.0.6 pkgsrc-2020Q4-base:1.8 pkgsrc-2020Q3:1.8.0.4 pkgsrc-2020Q3-base:1.8 pkgsrc-2020Q2:1.8.0.2 pkgsrc-2020Q2-base:1.8 pkgsrc-2020Q1:1.7.0.28 pkgsrc-2020Q1-base:1.7 pkgsrc-2019Q4:1.7.0.50 pkgsrc-2019Q4-base:1.7 pkgsrc-2019Q3:1.7.0.46 pkgsrc-2019Q3-base:1.7 pkgsrc-2019Q2:1.7.0.44 pkgsrc-2019Q2-base:1.7 pkgsrc-2019Q1:1.7.0.42 pkgsrc-2019Q1-base:1.7 pkgsrc-2018Q4:1.7.0.40 pkgsrc-2018Q4-base:1.7 pkgsrc-2018Q3:1.7.0.38 pkgsrc-2018Q3-base:1.7 pkgsrc-2018Q2:1.7.0.36 pkgsrc-2018Q2-base:1.7 pkgsrc-2018Q1:1.7.0.34 pkgsrc-2018Q1-base:1.7 pkgsrc-2017Q4:1.7.0.32 pkgsrc-2017Q4-base:1.7 pkgsrc-2017Q3:1.7.0.30 pkgsrc-2017Q3-base:1.7 pkgsrc-2017Q2:1.7.0.26 pkgsrc-2017Q2-base:1.7 pkgsrc-2017Q1:1.7.0.24 pkgsrc-2017Q1-base:1.7 pkgsrc-2016Q4:1.7.0.22 pkgsrc-2016Q4-base:1.7 pkgsrc-2016Q3:1.7.0.20 pkgsrc-2016Q3-base:1.7 pkgsrc-2016Q2:1.7.0.18 pkgsrc-2016Q2-base:1.7 pkgsrc-2016Q1:1.7.0.16 pkgsrc-2016Q1-base:1.7 pkgsrc-2015Q4:1.7.0.14 pkgsrc-2015Q4-base:1.7 pkgsrc-2015Q3:1.7.0.12 pkgsrc-2015Q3-base:1.7 
pkgsrc-2015Q2:1.7.0.10 pkgsrc-2015Q2-base:1.7 pkgsrc-2015Q1:1.7.0.8 pkgsrc-2015Q1-base:1.7 pkgsrc-2014Q4:1.7.0.6 pkgsrc-2014Q4-base:1.7 pkgsrc-2014Q3:1.7.0.4 pkgsrc-2014Q3-base:1.7 pkgsrc-2014Q2:1.7.0.2 pkgsrc-2014Q2-base:1.7 pkgsrc-2014Q1:1.6.0.22 pkgsrc-2014Q1-base:1.6 pkgsrc-2013Q4:1.6.0.20 pkgsrc-2013Q4-base:1.6 pkgsrc-2013Q3:1.6.0.18 pkgsrc-2013Q3-base:1.6 pkgsrc-2013Q2:1.6.0.16 pkgsrc-2013Q2-base:1.6 pkgsrc-2013Q1:1.6.0.14 pkgsrc-2013Q1-base:1.6 pkgsrc-2012Q4:1.6.0.12 pkgsrc-2012Q4-base:1.6 pkgsrc-2012Q3:1.6.0.10 pkgsrc-2012Q3-base:1.6 pkgsrc-2012Q2:1.6.0.8 pkgsrc-2012Q2-base:1.6 pkgsrc-2012Q1:1.6.0.6 pkgsrc-2012Q1-base:1.6 pkgsrc-2011Q4:1.6.0.4 pkgsrc-2011Q4-base:1.6 pkgsrc-2011Q3:1.6.0.2 pkgsrc-2011Q3-base:1.6 pkgsrc-2011Q2:1.5.0.50 pkgsrc-2011Q2-base:1.5 pkgsrc-2011Q1:1.5.0.48 pkgsrc-2011Q1-base:1.5 pkgsrc-2010Q4:1.5.0.46 pkgsrc-2010Q4-base:1.5 pkgsrc-2010Q3:1.5.0.44 pkgsrc-2010Q3-base:1.5 pkgsrc-2010Q2:1.5.0.42 pkgsrc-2010Q2-base:1.5 pkgsrc-2010Q1:1.5.0.40 pkgsrc-2010Q1-base:1.5 pkgsrc-2009Q4:1.5.0.38 pkgsrc-2009Q4-base:1.5 pkgsrc-2009Q3:1.5.0.36 pkgsrc-2009Q3-base:1.5 pkgsrc-2009Q2:1.5.0.34 pkgsrc-2009Q2-base:1.5 pkgsrc-2009Q1:1.5.0.32 pkgsrc-2009Q1-base:1.5 pkgsrc-2008Q4:1.5.0.30 pkgsrc-2008Q4-base:1.5 pkgsrc-2008Q3:1.5.0.28 pkgsrc-2008Q3-base:1.5 cube-native-xorg:1.5.0.26 cube-native-xorg-base:1.5 pkgsrc-2008Q2:1.5.0.24 pkgsrc-2008Q2-base:1.5 cwrapper:1.5.0.22 pkgsrc-2008Q1:1.5.0.20 pkgsrc-2008Q1-base:1.5 pkgsrc-2007Q4:1.5.0.18 pkgsrc-2007Q4-base:1.5 pkgsrc-2007Q3:1.5.0.16 pkgsrc-2007Q3-base:1.5 pkgsrc-2007Q2:1.5.0.14 pkgsrc-2007Q2-base:1.5 pkgsrc-2007Q1:1.5.0.12 pkgsrc-2007Q1-base:1.5 pkgsrc-2006Q4:1.5.0.10 pkgsrc-2006Q4-base:1.5 pkgsrc-2006Q3:1.5.0.8 pkgsrc-2006Q3-base:1.5 pkgsrc-2006Q2:1.5.0.6 pkgsrc-2006Q2-base:1.5 pkgsrc-2006Q1:1.5.0.4 pkgsrc-2006Q1-base:1.5 pkgsrc-2005Q4:1.5.0.2 pkgsrc-2005Q4-base:1.5 pkgsrc-2005Q3:1.4.0.16 pkgsrc-2005Q3-base:1.4 pkgsrc-2005Q2:1.4.0.14 pkgsrc-2005Q2-base:1.4 pkgsrc-2005Q1:1.4.0.12 pkgsrc-2005Q1-base:1.4 
pkgsrc-2004Q4:1.4.0.10 pkgsrc-2004Q4-base:1.4 pkgsrc-2004Q3:1.4.0.8 pkgsrc-2004Q3-base:1.4 pkgsrc-2004Q2:1.4.0.6 pkgsrc-2004Q2-base:1.4 pkgsrc-2004Q1:1.4.0.4 pkgsrc-2004Q1-base:1.4 pkgsrc-2003Q4:1.4.0.2 pkgsrc-2003Q4-base:1.4 buildlink2-base:1.3 comdex-fall-1999:1.2 netbsd-1-4-PATCH001:1.2 netbsd-1-4-RELEASE:1.2 netbsd-1-3-PATCH003:1.2 netbsd-1-3-PATCH002:1.1; locks; strict; comment @# @; 1.8 date 2020.04.08.15.22.07; author rhialto; state Exp; branches; next 1.7; commitid 31uy9hCjSybXSA3C; 1.7 date 2014.06.23.22.24.24; author christos; state Exp; branches; next 1.6; commitid FWB5eQMocvgqiHFx; 1.6 date 2011.08.25.14.54.06; author hans; state Exp; branches; next 1.5; 1.5 date 2005.12.18.23.15.43; author joerg; state Exp; branches; next 1.4; 1.4 date 2003.07.02.20.37.35; author kim; state Exp; branches; next 1.3; 1.3 date 99.12.20.12.33.48; author fredb; state dead; branches; next 1.2; 1.2 date 98.08.07.10.36.40; author agc; state Exp; branches; next 1.1; 1.1 date 98.02.10.00.30.11; author tron; state Exp; branches; next ; desc @@ 1.8 log @comms/kermit: Adapt patches to openssl 1.1.1e. Parts are inspired by the FreeBSD port. I could not easily find a telnetd with SSL support so I did not really test it. Without SSL/TLS, it disconnects from NetBSD's telnetd if telnetd is run with "-a valid" ("Authentication failed: No authentication method available"); but "telnetd -a none" works. @ text @$NetBSD: patch-ab,v 1.7 2014/06/23 22:24:24 christos Exp $ - Update for openssl 1.1.1e. - Kermit tries to keep SSL and TLS contexts (since in old openssl, the *v23* methods were not version-flexible enough). Now, after simplification, there is a lot of duplicate code left over that could be simplified further. 
--- ck_ssl.c.orig 2011-07-06 15:03:32.000000000 +0200 +++ ck_ssl.c 2020-04-06 16:43:41.323530837 +0200 @@@@ -301,7 +301,7 @@@@ break; default: printf("Error %d while verifying certificate.\r\n", - ctx->error); + error); break; } } @@@@ -804,6 +804,17 @@@@ #define MS_CALLBACK #endif /* MS_CALLBACK */ +static BIGNUM *get_RSA_F4() +{ + static BIGNUM *bn; + + if (!bn) { + bn = BN_new(); + BN_add_word(bn, RSA_F4); + } + return bn; +} + static RSA MS_CALLBACK * #ifdef CK_ANSIC tmp_rsa_cb(SSL * s, int export, int keylength) @@@@ -822,7 +833,16 @@@@ if (ssl_debug_flag) printf("Generating temporary (%d bit) RSA key...\r\n",keylength); - rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); + rsa_tmp = RSA_new(); + if (rsa_tmp) { + int error = RSA_generate_key_ex(rsa_tmp, keylength, get_RSA_F4(),NULL); + if (error) { + if (ssl_debug_flag) + printf(" error %d", error); + RSA_free(rsa_tmp); + rsa_tmp = NULL; + } + } if (ssl_debug_flag) printf("\r\n"); @@@@ -936,10 +956,26 @@@@ if ((dh=DH_new()) == NULL) return(NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + BIGNUM *p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); + BIGNUM *g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + if ((p == NULL) || (g == NULL)) { + BN_free(g); + BN_free(p); + DH_free(dh); + return(NULL); + } + DH_set0_pqg(dh, p, NULL, g); +#else dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + if ((dh->p == NULL) || (dh->g == NULL)) { + BN_free(dh->g); + BN_free(dh->p); + DH_free(dh); return(NULL); + } +#endif return(dh); } @@@@ -950,10 +986,26 @@@@ if ((dh=DH_new()) == NULL) return(NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + BIGNUM *p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL); + BIGNUM *g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL); + if ((p == NULL) || (g == NULL)) { + BN_free(g); + BN_free(p); + DH_free(dh); + return(NULL); + } + DH_set0_pqg(dh, p, NULL, g); +#else dh->p=BN_bin2bn(dh768_p,sizeof(dh768_p),NULL); 
dh->g=BN_bin2bn(dh768_g,sizeof(dh768_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + if ((dh->p == NULL) || (dh->g == NULL)) { + BN_free(dh->g); + BN_free(dh->p); + DH_free(dh); return(NULL); + } +#endif return(dh); } @@@@ -964,10 +1016,26 @@@@ if ((dh=DH_new()) == NULL) return(NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + BIGNUM *p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); + BIGNUM *g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); + if ((p == NULL) || (g == NULL)) { + BN_free(g); + BN_free(p); + DH_free(dh); + return(NULL); + } + DH_set0_pqg(dh, p, NULL, g); +#else dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + if ((dh->p == NULL) || (dh->g == NULL)) { + BN_free(dh->g); + BN_free(dh->p); + DH_free(dh); return(NULL); + } +#endif return(dh); } @@@@ -978,10 +1046,26 @@@@ if ((dh=DH_new()) == NULL) return(NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + BIGNUM *p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL); + BIGNUM *g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL); + if ((p == NULL) || (g == NULL)) { + BN_free(g); + BN_free(p); + DH_free(dh); + return(NULL); + } + DH_set0_pqg(dh, p, NULL, g); +#else dh->p=BN_bin2bn(dh1536_p,sizeof(dh1536_p),NULL); dh->g=BN_bin2bn(dh1536_g,sizeof(dh1536_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + if ((dh->p == NULL) || (dh->g == NULL)) { + BN_free(dh->g); + BN_free(dh->p); + DH_free(dh); return(NULL); + } +#endif return(dh); } @@@@ -992,10 +1076,26 @@@@ if ((dh=DH_new()) == NULL) return(NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + BIGNUM *p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); + BIGNUM *g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); + if ((p == NULL) || (g == NULL)) { + BN_free(g); + BN_free(p); + DH_free(dh); + return(NULL); + } + DH_set0_pqg(dh, p, NULL, g); +#else dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) + if 
((dh->p == NULL) || (dh->g == NULL)) { + BN_free(dh->g); + BN_free(dh->p); + DH_free(dh); return(NULL); + } +#endif return(dh); } #endif /* NO_DH */ @@@@ -1054,10 +1154,11 @@@@ if (ssl == NULL) return; - if (ssl->expand == NULL || ssl->expand->meth == NULL) + const COMP_METHOD *method = SSL_get_current_compression(ssl); + if (method == NULL) printf("Compression: None\r\n"); else { - printf("Compression: %s\r\n",ssl->expand->meth->name); + printf("Compression: %s\r\n",SSL_COMP_get_name(method)); } } @@@@ -1072,7 +1173,7 @@@@ #endif /* CK_ANSIC */ { X509 *peer; - SSL_CIPHER * cipher; + const SSL_CIPHER * cipher; const char *cipher_list; char buf[512]=""; @@@@ -1457,13 +1558,23 @@@@ #ifdef ZLIB cm = COMP_zlib(); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + if (cm != NULL && COMP_get_type(cm) != NID_undef) { +#else if (cm != NULL && cm->type != NID_undef) { +#endif SSL_COMP_add_compression_method(0xe0, cm); /* EAY's ZLIB ID */ } #endif /* ZLIB */ +#ifdef NID_rle_compression cm = COMP_rle(); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + if (cm != NULL && COMP_get_type(cm) != NID_undef) +#else if (cm != NULL && cm->type != NID_undef) +#endif SSL_COMP_add_compression_method(0xe1, cm); /* EAY's RLE ID */ +#endif /* NID_rle_compression */ /* Ensure the Random number generator has enough entropy */ if ( !RAND_status() ) { @@@@ -1483,8 +1594,12 @@@@ } debug(F110,"ssl_rnd_file",ssl_rnd_file,0); +#ifdef OPENSSL_NO_EGD + rc1 = 0; +#else rc1 = RAND_egd(ssl_rnd_file); debug(F111,"ssl_once_init","RAND_egd()",rc1); +#endif if ( rc1 <= 0 ) { rc2 = RAND_load_file(ssl_rnd_file, -1); debug(F111,"ssl_once_init","RAND_load_file()",rc1); @@@@ -1579,25 +1694,13 @@@@ /* This can fail because we do not have RSA available */ if ( !ssl_ctx ) { debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); - ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); - } - if ( !ssl_ctx ) { - debug(F110,"ssl_tn_init","SSLv3_client_method failed",0); last_ssl_mode = -1; return(0); } -#ifndef COMMENT - 
tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method()); -#else /* COMMENT */ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method()); /* This can fail because we do not have RSA available */ if ( !tls_ctx ) { debug(F110,"ssl_tn_init","SSLv23_client_method failed",0); - tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); - } -#endif /* COMMENT */ - if ( !tls_ctx ) { - debug(F110,"ssl_tn_init","TLSv1_client_method failed",0); last_ssl_mode = -1; return(0); } @@@@ -1611,25 +1714,13 @@@@ /* This can fail because we do not have RSA available */ if ( !ssl_ctx ) { debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); - ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_server_method()); - } - if ( !ssl_ctx ) { - debug(F110,"ssl_tn_init","SSLv3_server_method failed",0); last_ssl_mode = -1; return(0); } -#ifdef COMMENT - tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method()); -#else /* COMMENT */ tls_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_server_method()); /* This can fail because we do not have RSA available */ if ( !tls_ctx ) { debug(F110,"ssl_tn_init","SSLv23_server_method failed",0); - tls_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_server_method()); - } -#endif /* COMMENT */ - if ( !tls_ctx ) { - debug(F110,"ssl_tn_init","TLSv1_server_method failed",0); last_ssl_mode = -1; return(0); } @@@@ -1655,7 +1746,6 @@@@ SSL_CTX_set_info_callback(ssl_ctx,ssl_client_info_callback); SSL_CTX_set_info_callback(tls_ctx,ssl_client_info_callback); -#ifndef COMMENT /* Set the proper caching mode */ if ( mode == SSL_SERVER ) { SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_SERVER); @@@@ -1666,10 +1756,6 @@@@ } SSL_CTX_set_session_id_context(ssl_ctx,(CHAR *)"1",1); SSL_CTX_set_session_id_context(tls_ctx,(CHAR *)"2",1); -#else /* COMMENT */ - SSL_CTX_set_session_cache_mode(ssl_ctx,SSL_SESS_CACHE_OFF); - SSL_CTX_set_session_cache_mode(tls_ctx,SSL_SESS_CACHE_OFF); -#endif /* COMMENT */ } /* The server uses defaults for the certificate files. 
*/ @@@@ -1777,7 +1863,14 @@@@ if ( ssl_debug_flag ) printf("Generating temp (512 bit) RSA key ...\r\n"); - rsa=RSA_generate_key(512,RSA_F4,NULL,NULL); + rsa = RSA_new(); + if (rsa) { + int error = RSA_generate_key_ex(rsa,512,get_RSA_F4(),NULL); + if (error) { + RSA_free(rsa); + rsa = NULL; + } + } if ( ssl_debug_flag ) printf("Generation of temp (512 bit) RSA key done\r\n"); @@@@ -2153,18 +2246,10 @@@@ printf("SSL_DEBUG_FLAG on\r\n"); if (!tls_http_ctx ) { -#ifdef COMMENT - /* too many web servers still do not support TLSv1 */ - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(TLSv1_client_method()); -#else /* COMMENT */ tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method()); /* This can fail because we do not have RSA available */ if ( !tls_http_ctx ) { debug(F110,"ssl_http_init","SSLv23_client_method failed",0); - tls_http_ctx=(SSL_CTX *)SSL_CTX_new(SSLv3_client_method()); - } -#endif /* COMMENT */ - if ( !tls_http_ctx ) { debug(F110,"ssl_http_init","TLSv1_client_method failed",0); return(0); } @@@@ -2182,7 +2267,7 @@@@ * for TLS be sure to prevent use of SSLv2 */ SSL_CTX_set_options(tls_http_ctx, - SSL_OP_NO_SSLv2|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); + SSL_OP_NO_SSLv2/*|SSL_OP_NO_SSLv3*/|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA); SSL_CTX_set_info_callback(tls_http_ctx,ssl_client_info_callback); @@@@ -2575,7 +2660,11 @@@@ int ssl_verify_crl(int ok, X509_STORE_CTX *ctx) { +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT *obj; +#else X509_OBJECT obj; +#endif X509_NAME *subject = NULL; X509_NAME *issuer = NULL; X509 *xs = NULL; @@@@ -2595,6 +2684,14 @@@@ if (!crl_store) return ok; +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + obj = X509_OBJECT_new(); + if (!obj) + return(ok); +#else + memset((char *)&obj, 0, sizeof(obj)); +#endif + store_ctx = X509_STORE_CTX_new(); if ( !store_ctx ) return(ok); @@@@ -2641,11 +2738,16 @@@@ * Try to retrieve a CRL corresponding to the _subject_ of * the current certificate in order to verify it's integrity. 
*/ - memset((char *)&obj, 0, sizeof(obj)); X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, obj); + X509_STORE_CTX_cleanup(store_ctx); + crl = X509_OBJECT_get0_X509_CRL(obj); +#else rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, subject, &obj); X509_STORE_CTX_cleanup(store_ctx); crl = obj.data.crl; +#endif if (rc > 0 && crl != NULL) { /* * Verify the signature on this CRL @@@@ -2653,7 +2755,11 @@@@ if (X509_CRL_verify(crl, X509_get_pubkey(xs)) <= 0) { fprintf(stderr, "Invalid signature on CRL!\n"); X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT_free(obj); +#else X509_OBJECT_free_contents(&obj); +#endif X509_STORE_CTX_free(store_ctx); return 0; } @@@@ -2661,12 +2767,16 @@@@ /* * Check date of CRL to make sure it's not expired */ - i = X509_cmp_current_time(X509_CRL_get_nextUpdate(crl)); + i = X509_cmp_current_time(X509_CRL_get0_nextUpdate(crl)); if (i == 0) { fprintf(stderr, "Found CRL has invalid nextUpdate field.\n"); X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT_free(obj); +#else X509_OBJECT_free_contents(&obj); +#endif X509_STORE_CTX_free(store_ctx); return 0; } @@@@ -2675,22 +2785,38 @@@@ "Found CRL is expired - revoking all certificates until you get updated CRL.\n" ); X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT_free(obj); +#else X509_OBJECT_free_contents(&obj); +#endif X509_STORE_CTX_free(store_ctx); return 0; } - X509_OBJECT_free_contents(&obj); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT_free(obj); +#else + X509_OBJECT_free_contents(&obj); +#endif } /* * Try to retrieve a CRL corresponding to the _issuer_ of * the current certificate in order to check for revocation. 
*/ +#if OPENSSL_VERSION_NUMBER < 0x10100005L memset((char *)&obj, 0, sizeof(obj)); +#endif X509_STORE_CTX_init(store_ctx, crl_store, NULL, NULL); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj); + X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */ + crl = X509_OBJECT_get0_X509_CRL(obj); +#else rc = X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, &obj); X509_STORE_CTX_free(store_ctx); /* calls X509_STORE_CTX_cleanup() */ crl = obj.data.crl; +#endif if (rc > 0 && crl != NULL) { /* * Check if the current certificate is revoked by this CRL @@@@ -2698,19 +2824,34 @@@@ n = sk_X509_REVOKED_num(X509_CRL_get_REVOKED(crl)); for (i = 0; i < n; i++) { revoked = sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + if (ASN1_INTEGER_cmp(X509_REVOKED_get0_serialNumber(revoked), + X509_get_serialNumber(xs)) == 0) { // } + + serial = ASN1_INTEGER_get(X509_REVOKED_get0_serialNumber(revoked)); +#else if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(xs)) == 0) { serial = ASN1_INTEGER_get(revoked->serialNumber); +#endif cp = X509_NAME_oneline(issuer, NULL, 0); free(cp); X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED); +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT_free(obj); +#else X509_OBJECT_free_contents(&obj); +#endif return 0; } } +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + X509_OBJECT_free(obj); +#else X509_OBJECT_free_contents(&obj); +#endif } return ok; } @@@@ -2877,6 +3018,7 @@@@ #ifndef OpenBSD #ifndef FREEBSD4 #ifndef NETBSD15 +#ifndef __DragonFly__ #ifndef LINUX #ifndef AIX41 #ifndef UW7 @@@@ -2919,6 +3061,7 @@@@ #endif /* UW7 */ #endif /* AIX41 */ #endif /* LINUX */ +#endif /* __DragonFly__ */ #endif /* NETBSD15 */ #endif /* FREEBSD4 */ #endif /* OpenBSD */ @@@@ -3057,7 +3200,7 @@@@ tls_is_anon(int x) { char buf[128]; - SSL_CIPHER * cipher; + const SSL_CIPHER * cipher; SSL * ssl = NULL; switch ( x ) { 
@@@@ -3101,7 +3244,7 @@@@ tls_is_krb5(int x) { char buf[128]; - SSL_CIPHER * cipher; + const SSL_CIPHER * cipher; SSL * ssl = NULL; switch ( x ) { @@@@ -4343,7 +4486,14 @@@@ if (!(fp = fopen(buf, "r"))) return 0; while (!r && (file_cert = PEM_read_X509(fp, NULL, NULL, NULL))) { +#if OPENSSL_VERSION_NUMBER >= 0x10100005L + const ASN1_BIT_STRING *peer_cert_sig, *file_cert_sig; + X509_get0_signature(&peer_cert_sig, NULL, peer_cert); + X509_get0_signature(&file_cert_sig, NULL, file_cert); + if (!ASN1_STRING_cmp(peer_cert_sig, file_cert_sig)) +#else if (!ASN1_STRING_cmp(peer_cert->signature, file_cert->signature)) +#endif r = 1; X509_free(file_cert); } @ 1.7 log @Add patches to fix the crypto build (we still don't build with crypto but now we could). @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.6 2011/08/25 14:54:06 hans Exp $ d3 207 a209 3 --- ck_ssl.c.orig 2011-07-06 09:03:32.000000000 -0400 +++ ck_ssl.c 2014-06-23 18:21:25.000000000 -0400 @@@@ -1072,7 +1072,7 @@@@ d218 303 a520 1 @@@@ -2877,6 +2877,7 @@@@ d528 1 a528 1 @@@@ -2919,6 +2920,7 @@@@ d536 1 a536 1 @@@@ -3057,7 +3059,7 @@@@ d545 1 a545 1 @@@@ -3101,7 +3103,7 @@@@ d554 15 @ 1.6 log @Update to 9.0.302, see http://www.columbia.edu/kermit/ck90.html for more information. Tested on NetBSD-current and OpenIndiana. Support for ssl and kerberos is now available through the options framework. @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.5 2005/12/18 23:15:43 joerg Exp $ d3 12 a14 3 --- ck_ssl.c.orig 2011-07-06 15:03:32.000000000 +0200 +++ ck_ssl.c 2011-08-23 10:29:50.031163553 +0200 @@@@ -2877,6 +2877,7 @@@@ show_hostname_warning(char *s1, char *s2 d22 1 a22 1 @@@@ -2919,6 +2920,7 @@@@ inet_aton(char * ipaddress, struct in_ad d30 18 @ 1.5 log @Add read-ahead hack for DragonFly, manually casting to the "public" version of FILE. Kids, don't try that at home. Fix errno. 
@ text @d1 1 a1 1 $NetBSD$ d3 3 a5 5 --- ck_ssl.c.orig 2004-03-14 17:07:55.000000000 +0000 +++ ck_ssl.c @@@@ -2782,6 +2782,8 @@@@ show_hostname_warning(char *s1, char *s2 #ifndef HPUX1100 #ifndef SCO_OSR505 d7 2 a8 1 +#ifndef __NetBSD__ a9 1 #ifndef FREEBSD4 d12 3 a14 1 @@@@ -2818,6 +2820,8 @@@@ inet_aton(char * ipaddress, struct in_ad d17 2 a19 2 +#endif /* __DragonFly__ */ +#endif /* __NetBSD__ */ a20 2 #endif /* SCO_OSR505 */ #endif /* HPUX1100 */ @ 1.4 log @Enable OpenSSL by default to get SSL/TLS support (e.g. in TELNET and FTP). Install the manual page again. @ text @d3 3 a5 3 --- ck_ssl.c.orig 2003-03-14 09:37:28.000000000 -0500 +++ ck_ssl.c 2003-07-02 15:43:07.000000000 -0400 @@@@ -2728,6 +2728,7 @@@@ d10 1 d14 1 a14 1 @@@@ -2764,6 +2765,7 @@@@ d18 1 @ 1.3 log @Update kermit to 7.0.96.beta11. Numerous changes, too many to list, but here's a couple: - - kermit protocol transfers default to "fast" mode - - support for SOCKS and sun X.25 (both untested) @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.2 1998/08/07 10:36:40 agc Exp $ d3 18 a20 10 --- ckuusx.c.orig Mon Nov 25 01:20:52 1996 +++ ckuusx.c Tue Feb 10 00:55:12 1998 @@@@ -29,6 +29,7 @@@@ #ifdef OS2 #include #endif /* OS2 */ +#include extern xx_strp xxstring; extern struct ck_p ptab[]; @ 1.2 log @Add NetBSD RCS Ids. @ text @d1 1 a1 1 $NetBSD$ @ 1.1 log @Make this package work with NetBSD. @ text @d1 2 @
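Review bot: in the @@ -804 hunk, get_RSA_F4() never checks that BN_new() succeeded, so `BN_add_word(bn, RSA_F4)` runs on a NULL pointer when allocation fails, and the return value of BN_add_word() is ignored as well. Since BN_new() yields zero, `BN_set_word(bn, RSA_F4)` states the intent more directly; suggested shape: `bn = BN_new(); if (bn && !BN_set_word(bn, RSA_F4)) { BN_free(bn); bn = NULL; }`, with callers treating a NULL return as failure. The lazily initialised static is also not thread-safe, which matters if the temp-key callback can run from more than one thread.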
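Review bot: the success check in the @@ -822 hunk is inverted. RSA_generate_key_ex() returns 1 on success and 0 on failure, so `int error = RSA_generate_key_ex(...); if (error) { ... RSA_free(rsa_tmp); rsa_tmp = NULL; }` frees every key that was generated correctly and hands back an empty RSA object whenever generation fails; the debug line `printf(" error %d", error)` likewise prints 1 on the success path. Use `if (!RSA_generate_key_ex(rsa_tmp, keylength, get_RSA_F4(), NULL))` for the failure branch, and treat a NULL from get_RSA_F4() as a failure too.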
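Review bot: the @@ -1777 hunk carries the same inverted check as the temp-key callback: `int error = RSA_generate_key_ex(rsa,512,get_RSA_F4(),NULL); if (error) { RSA_free(rsa); rsa = NULL; }` discards the key on success (return value 1) and keeps an uninitialised one on failure (return value 0). Invert the condition to `if (!RSA_generate_key_ex(...))`. Separately, the 512-bit key this path generates is far below any acceptable RSA size; if the callback is still reachable with 1.1.x, the size should be raised or the path removed.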
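Review bot: the #else branch added in the @@ -936 hunk double-frees on the error path: `BN_free(dh->g); BN_free(dh->p); DH_free(dh);` releases p and g and then DH_free() releases them again, because pre-1.1 DH_free() frees the p and g members itself. Drop the two BN_free() calls (or NULL the members first). In the >= 0x10100005L branch the return value of `DH_set0_pqg(dh, p, NULL, g)` is unchecked, so on failure p and g leak and a DH with no parameters is returned; wrap it as `if (!DH_set0_pqg(dh, p, NULL, g)) { BN_free(p); BN_free(g); DH_free(dh); return(NULL); }`. The same two issues repeat in the dh768 (@@ -950), dh1024 (@@ -964), dh1536 (@@ -978) and dh2048 (@@ -992) hunks, and the 512- and 768-bit groups are below what current peers accept and should be removed rather than ported.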
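Review bot: in the @@ -1054 hunk, `const COMP_METHOD *method = SSL_get_current_compression(ssl);` is a declaration placed after the `if (ssl == NULL) return;` statement, which is C99 only; this file still carries CK_ANSIC conditionals for older compilers, so move the declaration to the top of the block to keep those builds working.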
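Review bot: in the @@ -1483 hunk the context line `debug(F111,"ssl_once_init","RAND_load_file()",rc1);` logs the RAND_egd() result instead of the RAND_load_file() result; with OPENSSL_NO_EGD this now always logs 0, so change it to rc2 while the lines are being touched.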
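Review bot: the @@ -2153 hunk leaves a stale message: after the SSLv3 fallback is removed, the failure branch logs both `debug(F110,"ssl_http_init","SSLv23_client_method failed",0);` and `debug(F110,"ssl_http_init","TLSv1_client_method failed",0);` even though TLSv1_client_method() is no longer called. Delete the second debug call.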
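Review bot: the @@ -2182 hunk keeps SSLv3 enabled by commenting the option out, `SSL_OP_NO_SSLv2/*|SSL_OP_NO_SSLv3*/|SSL_OP_SINGLE_DH_USE|SSL_OP_EPHEMERAL_RSA`, so a 1.1.x build with SSLv3 compiled in will still negotiate it for HTTPS. Enable SSL_OP_NO_SSLv3, or better set a floor with SSL_CTX_set_min_proto_version(tls_http_ctx, TLS1_VERSION), which is available from 1.1.0. Note that SSL_OP_NO_SSLv2 and SSL_OP_EPHEMERAL_RSA are retained in 1.1.x only as no-op values, so they can be dropped from the mask.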
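Review bot: the @@ -2595 hunk leaks the X509_OBJECT it allocates: `obj = X509_OBJECT_new();` is followed by `store_ctx = X509_STORE_CTX_new(); if ( !store_ctx ) return(ok);`, and the function's final `return ok;` also never frees obj when no CRL was found for the issuer. Free obj on the store_ctx failure path and before the final return.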
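Review bot: the @@ -2653 hunk's context line `X509_CRL_verify(crl, X509_get_pubkey(xs))` leaks an EVP_PKEY reference on every call, since X509_get_pubkey() returns a new reference; in the >= 1.1.0 branch X509_get0_pubkey(xs) returns a borrowed pointer and avoids the leak.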
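Review bot: the @@ -2698 hunk uses obj after it has been freed. In the 1.1.x branch, the subject-CRL block in the preceding hunk ends with `X509_OBJECT_free(obj);`, which frees the object itself, yet the issuer lookup then passes the same pointer to `X509_STORE_get_by_subject(store_ctx, X509_LU_CRL, issuer, obj)` whenever a subject CRL was found. Allocate a fresh object with X509_OBJECT_new() before the issuer lookup (mirroring the `memset((char *)&obj, 0, sizeof(obj));` the old branch does), or use two separate objects. The stray `// }` appended to the `if` line is a C++ comment in a C file and should go.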
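Review bot: in the @@ -4343 hunk the match test compares only the signature bit strings, `ASN1_STRING_cmp(peer_cert_sig, file_cert_sig)`, which preserves the old behaviour but is an indirect identity check. X509_cmp(peer_cert, file_cert) compares the whole certificate and makes the intent clear; it is available in both the old and new OpenSSL branches, so the version conditional could be dropped.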