From 1e64b869b5b33e2deda7059e4348d9870f86d315 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>

Date: Thu, 3 May 2018 13:59:04 +0200

Subject: [PATCH 1/3] Add support for LibreSSL 2.7

(cherry picked from commit 29ff62a1492ce3dc702a887e864d00bf1949aed3)

---

 config.h.in                 | 12 +++++++

 configure                   | 13 +++++++

 configure.in                |  2 ++

 lib/dns/openssldh_link.c    | 69 +++++++++++++++++++++++--------------

 lib/dns/openssldsa_link.c   |  2 +-

 lib/dns/opensslecdsa_link.c | 11 +++---

 lib/dns/opensslrsa_link.c   | 36 ++++++++++++-------

 7 files changed, 103 insertions(+), 42 deletions(-)

diff --git config.h.in config.h.in

index 0cc04c5dd9..65ee20eeb5 100644

--- config.h.in

+++ config.h.in

@@ -206,6 +206,9 @@ int sigwait(const unsigned int *set, int *sig);

 /* Define to 1 if you have the <devpoll.h> header file. */

 #undef HAVE_DEVPOLL_H

+/* Define to 1 if you have the `DH_get0_key' function. */

+#undef HAVE_DH_GET0_KEY

+

 /* Define to 1 if you have the `dlclose' function. */

 #undef HAVE_DLCLOSE

@@ -221,6 +224,12 @@ int sigwait(const unsigned int *set, int *sig);

 /* Define to 1 to enable dnstap support */

 #undef HAVE_DNSTAP

+/* Define to 1 if you have the `DSA_get0_pqg' function. */

+#undef HAVE_DSA_GET0_PQG

+

+/* Define to 1 if you have the `ECDSA_SIG_get0' function. */

+#undef HAVE_ECDSA_SIG_GET0

+

 /* Define to 1 if you have the <editline/readline.h> header file. */

 #undef HAVE_EDITLINE_READLINE_H

@@ -431,6 +440,9 @@ int sigwait(const unsigned int *set, int *sig);

 /* Define to 1 if you have the <regex.h> header file. */

 #undef HAVE_REGEX_H

+/* Define to 1 if you have the `RSA_set0_key' function. */

+#undef HAVE_RSA_SET0_KEY

+

 /* Define to 1 if you have the <sched.h> header file. */

 #undef HAVE_SCHED_H

diff --git configure configure

index fc9256fa8d..2dde1a681d 100755

--- configure

+++ configure

@@ -16724,6 +16724,19 @@ if eval test \"x\$"$as_ac_var"\" = x"yes"; then :

 #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1

 _ACEOF

+fi

+done

+

+

+	for ac_func in DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg

+do :

+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`

+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :

+  cat >>confdefs.h <<_ACEOF

+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1

+_ACEOF

+

 fi

 done

diff --git configure.in configure.in

index 99139ba5ac..193562c783 100644

--- configure.in

+++ configure.in

@@ -1781,6 +1781,8 @@ DSO_METHOD_dlfcn();

 	AC_CHECK_FUNCS(EVP_sha256 EVP_sha384 EVP_sha512)

+	AC_CHECK_FUNCS([DH_get0_key ECDSA_SIG_get0 RSA_set0_key DSA_get0_pqg])

+

 	AC_MSG_CHECKING(for OpenSSL ECDSA support)

 	have_ecdsa=""

 	AC_TRY_RUN([

diff --git lib/dns/openssldh_link.c lib/dns/openssldh_link.c

index e74bee2e2d..0db673dd31 100644

--- lib/dns/openssldh_link.c

+++ lib/dns/openssldh_link.c

@@ -71,62 +71,81 @@ static isc_result_t openssldh_todns(const dst_key_t *key, isc_buffer_t *data);

 static BIGNUM *bn2, *bn768, *bn1024, *bn1536;

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

+#if !defined(HAVE_DH_GET0_KEY)

 /*

  * DH_get0_key, DH_set0_key, DH_get0_pqg and DH_set0_pqg

  * are from OpenSSL 1.1.0.

  */

 static void

 DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) {

-	if (pub_key != NULL)

+	if (pub_key != NULL) {

 		*pub_key = dh->pub_key;

-	if (priv_key != NULL)

+	}

+	if (priv_key != NULL) {

 		*priv_key = dh->priv_key;

+	}

 }

 static int

 DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) {

-	/* Note that it is valid for priv_key to be NULL */

-	if (pub_key == NULL)

-		return 0;

+	if (pub_key != NULL) {

+		BN_free(dh->pub_key);

+		dh->pub_key = pub_key;

+	}

-	BN_free(dh->pub_key);

-	BN_free(dh->priv_key);

-	dh->pub_key = pub_key;

-	dh->priv_key = priv_key;

+	if (priv_key != NULL) {

+		BN_free(dh->priv_key);

+		dh->priv_key = priv_key;

+	}

-	return 1;

+	return (1);

 }

 static void

 DH_get0_pqg(const DH *dh,

 	    const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)

 {

-	if (p != NULL)

+	if (p != NULL) {

 		*p = dh->p;

-	if (q != NULL)

+	}

+	if (q != NULL) {

 		*q = dh->q;

-	if (g != NULL)

+	}

+	if (g != NULL) {

 		*g = dh->g;

+	}

 }

 static int

-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {

-	/* q is optional */

-	if (p == NULL || g == NULL)

-		return(0);

-	BN_free(dh->p);

-	BN_free(dh->q);

-	BN_free(dh->g);

-	dh->p = p;

-	dh->q = q;

-	dh->g = g;

+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)

+{

+	/* If the fields p and g in d are NULL, the corresponding input

+	 * parameters MUST be non-NULL.  q may remain NULL.

+	 */

+	if ((dh->p == NULL && p == NULL)

+	    || (dh->g == NULL && g == NULL))

+	{

+		return 0;

+	}

+

+	if (p != NULL) {

+		BN_free(dh->p);

+		dh->p = p;

+	}

+	if (q != NULL) {

+		BN_free(dh->q);

+		dh->q = q;

+	}

+	if (g != NULL) {

+		BN_free(dh->g);

+		dh->g = g;

+	}

 	if (q != NULL) {

 		dh->length = BN_num_bits(q);

 	}

-	return(1);

+	return (1);

 }

 #define DH_clear_flags(d, f) (d)->flags &= ~(f)

diff --git lib/dns/openssldsa_link.c lib/dns/openssldsa_link.c

index 1c541ae73a..dfbd484247 100644

--- lib/dns/openssldsa_link.c

+++ lib/dns/openssldsa_link.c

@@ -52,7 +52,7 @@

 static isc_result_t openssldsa_todns(const dst_key_t *key, isc_buffer_t *data);

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

+#if !defined(HAVE_DSA_GET0_PQG)

 static void

 DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,

 	     const BIGNUM **g)

diff --git lib/dns/opensslecdsa_link.c lib/dns/opensslecdsa_link.c

index a8941a808a..2e47459249 100644

--- lib/dns/opensslecdsa_link.c

+++ lib/dns/opensslecdsa_link.c

@@ -45,20 +45,23 @@

 #define DST_RET(a) {ret = a; goto err;}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

+#if !defined(HAVE_ECDSA_SIG_GET0)

 /* From OpenSSL 1.1 */

 static void

 ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {

-	if (pr != NULL)

+	if (pr != NULL) {

 		*pr = sig->r;

-	if (ps != NULL)

+	}

+	if (ps != NULL) {

 		*ps = sig->s;

+	}

 }

 static int

 ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {

-	if (r == NULL || s == NULL)

+	if (r == NULL || s == NULL) {

 		return 0;

+	}

 	BN_clear_free(sig->r);

 	BN_clear_free(sig->s);

diff --git lib/dns/opensslrsa_link.c lib/dns/opensslrsa_link.c

index bdb0a3931d..43f6d317bc 100644

--- lib/dns/opensslrsa_link.c

+++ lib/dns/opensslrsa_link.c

@@ -123,7 +123,7 @@

 #endif

 #define DST_RET(a) {ret = a; goto err;}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)

+#if !defined(HAVE_RSA_SET0_KEY)

 /* From OpenSSL 1.1.0 */

 static int

 RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {

@@ -133,8 +133,9 @@ RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {

 	 * parameters MUST be non-NULL for n and e.  d may be

 	 * left NULL (in case only the public key is used).

 	 */

-	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))

+	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {

 		return 0;

+	}

 	if (n != NULL) {

 		BN_free(r->n);

@@ -159,8 +160,9 @@ RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {

 	 * If the fields p and q in r are NULL, the corresponding input

 	 * parameters MUST be non-NULL.

 	 */

-	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))

+	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {

 		return 0;

+	}

 	if (p != NULL) {

 		BN_free(r->p);

@@ -183,7 +185,9 @@ RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {

 	if ((r->dmp1 == NULL && dmp1 == NULL) ||

 	    (r->dmq1 == NULL && dmq1 == NULL) ||

 	    (r->iqmp == NULL && iqmp == NULL))

+	{

 		return 0;

+	}

 	if (dmp1 != NULL) {

 		BN_free(r->dmp1);

@@ -205,32 +209,40 @@ static void

 RSA_get0_key(const RSA *r,

 	     const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)

 {

-	if (n != NULL)

+	if (n != NULL) {

 		*n = r->n;

-	if (e != NULL)

+	}

+	if (e != NULL) {

 		*e = r->e;

-	if (d != NULL)

+	}

+	if (d != NULL) {

 		*d = r->d;

+	}

 }

 static void

 RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {

-	if (p != NULL)

+	if (p != NULL) {

 		*p = r->p;

-	if (q != NULL)

-	*q = r->q;

+	}

+	if (q != NULL) {

+		*q = r->q;

+	}

 }

 static void

 RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,

 		    const BIGNUM **iqmp)

 {

-	if (dmp1 != NULL)

+	if (dmp1 != NULL) {

 		*dmp1 = r->dmp1;

-	if (dmq1 != NULL)

+	}

+	if (dmq1 != NULL) {

 		*dmq1 = r->dmq1;

-	if (iqmp != NULL)

+	}

+	if (iqmp != NULL) {

 		*iqmp = r->iqmp;

+	}

 }

 static int

-- 

2.17.1

From e3a318e8d3e050677cfe603b25eaa9607c202276 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@sury.org>

Date: Wed, 2 May 2018 14:18:06 +0200

Subject: [PATCH 2/3] Workaround LibreSSL 2.7.0-2.7.2 quirk in DH_set0_key

(cherry picked from commit 6b9e3b7b069509e79c59f89403a91761c300bdee)

---

 lib/dns/openssldh_link.c | 10 ++++++++++

 1 file changed, 10 insertions(+)

diff --git lib/dns/openssldh_link.c lib/dns/openssldh_link.c

index 0db673dd31..8dfda0d2fa 100644

--- lib/dns/openssldh_link.c

+++ lib/dns/openssldh_link.c

@@ -44,6 +44,8 @@

 #include <dst/result.h>

+#include <openssl/opensslv.h>

+

 #include "dst_internal.h"

 #include "dst_openssl.h"

 #include "dst_parse.h"

@@ -564,7 +566,15 @@ openssldh_fromdns(dst_key_t *key, isc_buffer_t *data) {

 		DH_free(dh);

 		return (dst__openssl_toresult(ISC_R_NOMEMORY));

 	}

+#if (LIBRESSL_VERSION_NUMBER >= 0x2070000fL) && (LIBRESSL_VERSION_NUMBER <= 0x2070200fL)

+	/*

+	 * LibreSSL << 2.7.3 DH_get0_key requires priv_key to be set when

+	 * DH structure is empty, hence we cannot use DH_get0_key().

+	 */

+	dh->pub_key = pub_key;

+#else /* LIBRESSL_VERSION_NUMBER */

 	DH_set0_key(dh, pub_key, NULL);

+#endif /* LIBRESSL_VERSION_NUMBER */

 	isc_region_consume(&r, publen);

 	key->key_size = BN_num_bits(p);

-- 

2.17.1