
(-)Makefile (-1 / +1 lines)
Lines 6-12 Link Here
6
6
7
PORTNAME=	qca-ossl
7
PORTNAME=	qca-ossl
8
DISTVERSION=	2.0.0-beta3
8
DISTVERSION=	2.0.0-beta3
9
PORTREVISION=	3
9
PORTREVISION=	4
10
CATEGORIES=	security
10
CATEGORIES=	security
11
MASTER_SITES=	http://delta.affinix.com/download/qca/2.0/plugins/
11
MASTER_SITES=	http://delta.affinix.com/download/qca/2.0/plugins/
12
12
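--- a/files/patch-qca-oss.cpp
+++ b/files/patch-qca-oss.cpp
@@ -1,27 +0,0 @@
---- qca-ossl.cpp.orig	2007-12-11 07:34:57.000000000 +0100
-+++ qca-ossl.cpp	2009-02-26 06:41:17.000000000 +0100
-@@ -6597,9 +6597,11 @@
- #ifdef SHA512_DIGEST_LENGTH
- 	list += "sha512";
- #endif
-+#if 0
- #ifdef OBJ_whirlpool
- 	list += "whirlpool";
- #endif
-+#endif
- 	return list;
- }
- 
-@@ -6810,10 +6812,12 @@
- 		else if ( type == "sha512" )
- 			return new opensslHashContext( EVP_sha512(), this, type);
- #endif
-+#if 0
- #ifdef OBJ_whirlpool
- 		else if ( type == "whirlpool" )
- 			return new opensslHashContext( EVP_whirlpool(), this, type);
- #endif
-+#endif
- 		else if ( type == "pbkdf1(sha1)" )
- 			return new opensslPbkdf1Context( EVP_sha1(), this, type );
- 		else if ( type == "pbkdf1(md2)" )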
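--- a/files/patch-qca-ossl.cpp
+++ b/files/patch-qca-ossl.cpp
@@ -0,0 +1,282 @@
+--- ./qca-ossl.cpp.orig	2007-12-11 09:34:57.000000000 +0300
++++ ./qca-ossl.cpp	2010-05-15 20:12:08.151288762 +0400
+@@ -42,6 +42,15 @@
+ #define OSSL_097
+ #endif
+ 
++#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10000000L
++// OpenSSL 1.0.0 makes a few changes that aren't very C++ friendly...
++// Among other things, CHECKED_PTR_OF returns a void*, but is used in
++// contexts requiring STACK pointers.
++#undef CHECKED_PTR_OF
++#define CHECKED_PTR_OF(type, p) \
++	            ((_STACK*) (1 ? p : (type*)0))
++#endif
++
+ using namespace QCA;
+ 
+ namespace opensslQCAPlugin {
+@@ -327,7 +336,7 @@
+ 	X509V3_CTX ctx;
+ 	X509V3_set_ctx_nodb(&ctx);
+ 	X509V3_set_ctx(&ctx, NULL, cert, NULL, NULL, 0);
+-	X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, "hash");
++	X509_EXTENSION *ex = X509V3_EXT_conf_nid(NULL, &ctx, NID_subject_key_identifier, (char *)"hash");
+ 	return ex;
+ }
+ 
+@@ -1182,6 +1191,7 @@
+ 	{
+ 		pkey = from.pkey;
+ 		CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
++		raw_type = false;
+ 		state = Idle;
+ 	}
+ 
+@@ -1226,6 +1236,7 @@
+ 		}
+ 		else
+ 		{
++			raw_type = false;
+ 			EVP_MD_CTX_init(&mdctx);
+ 			if(!EVP_VerifyInit_ex(&mdctx, type, NULL))
+ 				state = VerifyError;
+@@ -1771,8 +1782,10 @@
+ 			md = EVP_sha1();
+ 		else if(alg == EMSA3_MD5)
+ 			md = EVP_md5();
++#ifdef HAVE_OPENSSL_MD2
+ 		else if(alg == EMSA3_MD2)
+ 			md = EVP_md2();
++#endif
+ 		else if(alg == EMSA3_RIPEMD160)
+ 			md = EVP_ripemd160();
+ 		else if(alg == EMSA3_Raw)
+@@ -1789,8 +1802,10 @@
+ 			md = EVP_sha1();
+ 		else if(alg == EMSA3_MD5)
+ 			md = EVP_md5();
++#ifdef HAVE_OPENSSL_MD2
+ 		else if(alg == EMSA3_MD2)
+ 			md = EVP_md2();
++#endif
+ 		else if(alg == EMSA3_RIPEMD160)
+ 			md = EVP_ripemd160();
+ 		else if(alg == EMSA3_Raw)
+@@ -3385,9 +3400,11 @@
+ 		case NID_md5WithRSAEncryption:
+ 		    p.sigalgo = QCA::EMSA3_MD5;
+ 		    break;
++#ifdef HAVE_OPENSSL_MD2
+ 		case NID_md2WithRSAEncryption:
+ 		    p.sigalgo = QCA::EMSA3_MD2;
+ 		    break;
++#endif
+ 		case NID_ripemd160WithRSA:
+ 		    p.sigalgo = QCA::EMSA3_RIPEMD160;
+ 		    break;
+@@ -3871,9 +3888,11 @@
+ 		case NID_md5WithRSAEncryption:
+ 		    p.sigalgo = QCA::EMSA3_MD5;
+ 		    break;
++#ifdef HAVE_OPENSSL_MD2
+ 		case NID_md2WithRSAEncryption:
+ 		    p.sigalgo = QCA::EMSA3_MD2;
+ 		    break;
++#endif
+ 		case NID_ripemd160WithRSA:
+ 		    p.sigalgo = QCA::EMSA3_RIPEMD160;
+ 		    break;
+@@ -4061,9 +4080,11 @@
+ 		case NID_md5WithRSAEncryption:
+ 		    p.sigalgo = QCA::EMSA3_MD5;
+ 		    break;
++#ifdef HAVE_OPENSSL_MD2
+ 		case NID_md2WithRSAEncryption:
+ 		    p.sigalgo = QCA::EMSA3_MD2;
+ 		    break;
++#endif
+ 		case NID_ripemd160WithRSA:
+ 		    p.sigalgo = QCA::EMSA3_RIPEMD160;
+ 		    break;
+@@ -5128,6 +5149,16 @@
+ 		v_eof = false;
+ 	}
+ 
++	// dummy verification function for SSL_set_verify()
++	static int ssl_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
++	{
++		Q_UNUSED(preverify_ok);
++		Q_UNUSED(x509_ctx);
++
++		// don't terminate handshake in case of verification failure
++		return 1;
++	}
++
+ 	virtual QStringList supportedCipherSuites(const TLS::Version &version) const
+ 	{
+ 		OpenSSL_add_ssl_algorithms();
+@@ -5692,6 +5723,14 @@
+ 			}
+ 		}
+ 
++		// request a certificate from the client, if in server mode
++		if(serv)
++		{
++			SSL_set_verify(ssl,
++				SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,
++				ssl_verify_callback);
++		}
++
+ 		return true;
+ 	}
+ 
+@@ -6155,6 +6194,7 @@
+ 				i2d_PKCS7_bio(bo, p7);
+ 				//PEM_write_bio_PKCS7(bo, p7);
+ 				out = bio2ba(bo);
++				PKCS7_free(p7);
+ 			}
+ 			else
+ 			{
+@@ -6582,7 +6622,9 @@
+ 	list += "sha1";
+ 	list += "sha0";
+ 	list += "ripemd160";
++#ifdef HAVE_OPENSSL_MD2
+ 	list += "md2";
++#endif
+ 	list += "md4";
+ 	list += "md5";
+ #ifdef SHA224_DIGEST_LENGTH
+@@ -6597,9 +6639,11 @@
+ #ifdef SHA512_DIGEST_LENGTH
+ 	list += "sha512";
+ #endif
++/*
+ #ifdef OBJ_whirlpool
+ 	list += "whirlpool";
+ #endif
++*/
+ 	return list;
+ }
+ 
+@@ -6671,7 +6715,7 @@
+ 	{
+ 	}
+ 
+-	Context *clone() const
++	Provider::Context *clone() const
+ 	{
+ 		return new opensslInfoContext(*this);
+ 	}
+@@ -6692,6 +6736,34 @@
+ 	}
+ };
+ 
++class opensslRandomContext : public RandomContext
++{
++public:
++	opensslRandomContext(QCA::Provider *p) : RandomContext(p)
++	{
++	}
++
++	Context *clone() const
++	{
++		return new opensslRandomContext(*this);
++	}
++
++	QCA::SecureArray nextBytes(int size)
++	{
++		QCA::SecureArray buf(size);
++		int r;
++		// FIXME: loop while we don't have enough random bytes.
++		while (true) {
++			r = RAND_bytes((unsigned char*)(buf.data()), size);
++			if (r == 1) break; // success
++			r = RAND_pseudo_bytes((unsigned char*)(buf.data()),
++						size);
++			if (r >= 0) break; // accept insecure random numbers
++		}
++		return buf;
++	}
++};
++
+ }
+ 
+ using namespace opensslQCAPlugin;
+@@ -6711,11 +6783,14 @@
+ 		OpenSSL_add_all_algorithms();
+ 		ERR_load_crypto_strings();
+ 
+-		srand(time(NULL));
+-		char buf[128];
+-		for(int n = 0; n < 128; ++n)
+-			buf[n] = rand();
+-		RAND_seed(buf, 128);
++		// seed the RNG if it's not seeded yet
++		if (RAND_status() == 0) {
++			qsrand(time(NULL));
++			char buf[128];
++			for(int n = 0; n < 128; ++n)
++				buf[n] = qrand();
++			RAND_seed(buf, 128);
++		}
+ 
+ 		openssl_initted = true;
+ 	}
+@@ -6754,10 +6829,13 @@
+ 	QStringList features() const
+ 	{
+ 		QStringList list;
++		list += "random";
+ 		list += all_hash_types();
+ 		list += all_mac_types();
+ 		list += all_cipher_types();
++#ifdef HAVE_OPENSSL_MD2
+ 		list += "pbkdf1(md2)";
++#endif
+ 		list += "pbkdf1(sha1)";
+ 		list += "pbkdf2(sha1)";
+ 		list += "pkey";
+@@ -6780,7 +6858,9 @@
+ 	Context *createContext(const QString &type)
+ 	{
+ 		//OpenSSL_add_all_digests();
+-		if ( type == "info" )
++		if ( type == "random" )
++			return new opensslRandomContext(this);
++		else if ( type == "info" )
+ 			return new opensslInfoContext(this);
+ 		else if ( type == "sha1" )
+ 			return new opensslHashContext( EVP_sha1(), this, type);
+@@ -6788,8 +6868,10 @@
+ 			return new opensslHashContext( EVP_sha(), this, type);
+ 		else if ( type == "ripemd160" )
+ 			return new opensslHashContext( EVP_ripemd160(), this, type);
++#ifdef HAVE_OPENSSL_MD2
+ 		else if ( type == "md2" )
+ 			return new opensslHashContext( EVP_md2(), this, type);
++#endif
+ 		else if ( type == "md4" )
+ 			return new opensslHashContext( EVP_md4(), this, type);
+ 		else if ( type == "md5" )
+@@ -6810,14 +6892,18 @@
+ 		else if ( type == "sha512" )
+ 			return new opensslHashContext( EVP_sha512(), this, type);
+ #endif
++/*
+ #ifdef OBJ_whirlpool
+ 		else if ( type == "whirlpool" )
+ 			return new opensslHashContext( EVP_whirlpool(), this, type);
+ #endif
++*/
+ 		else if ( type == "pbkdf1(sha1)" )
+ 			return new opensslPbkdf1Context( EVP_sha1(), this, type );
++#ifdef HAVE_OPENSSL_MD2
+ 		else if ( type == "pbkdf1(md2)" )
+ 			return new opensslPbkdf1Context( EVP_md2(), this, type );
++#endif
+ 		else if ( type == "pbkdf2(sha1)" )
+ 			return new opensslPbkdf2Context( this, type );
+ 		else if ( type == "hmac(md5)" )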
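Review bot: In `opensslRandomContext::nextBytes` the fallback `if (r >= 0) break; // accept insecure random numbers` fails open: when `RAND_bytes` does not return 1, the caller still receives a `SecureArray` filled by `RAND_pseudo_bytes`, whose 0 return means the bytes are not cryptographically strong, and nothing signals that to the caller. The `while (true)` loop also has no exit if `RAND_bytes` keeps failing and `RAND_pseudo_bytes` returns -1. Because this context is what `createContext("random")` hands out, I would drop the fallback and fail closed, e.g. `if (RAND_bytes((unsigned char*)buf.data(), size) != 1) return QCA::SecureArray();`, assuming callers treat an empty array as an error (not visible in this patch). The seeding hunk carries the related weakness: `RAND_seed(buf, 128)` still credits 128 bytes derived from `qsrand(time(NULL))` as entropy whenever `RAND_status()` is 0, so a comment there should at least say the seed is predictable and only a last resort.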
