Red Hat Bugzilla – Attachment 176141 Details for
Bug 259901
Modifications required to port stunnel-4.20
[patch]
enhancements for stunnel-4.20
nss_compat_ossl-0.9.1-stunnel.patch (text/plain), 11.92 KB, created by
Rob Crittenden
on 2007-08-28 12:44:38 UTC
Description:
enhancements for stunnel-4.20
Filename:
MIME Type:
Creator:
Rob Crittenden
Created:
2007-08-28 12:44:38 UTC
Size:
11.92 KB
patch
obsolete
>Index: src/Makefile.am
>===================================================================
>RCS file: /cvs/dirsec/nss_compat_ossl/src/Makefile.am,v
>retrieving revision 1.1.1.1
>diff -u -r1.1.1.1 Makefile.am
>--- src/Makefile.am 20 Apr 2007 22:33:27 -0000 1.1.1.1
>+++ src/Makefile.am 26 Aug 2007 23:22:35 -0000
>@@ -4,7 +4,7 @@
> INCLUDES = @nspr_inc@ @nss_inc@
> LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
>
>-libnss_compat_ossl_la_SOURCES = ssl.c log.c rand.c
>+libnss_compat_ossl_la_SOURCES = ssl.c algo.c log.c rand.c
>
> pkginclude_HEADERS = nss_compat_ossl.h
>
>Index: src/algo.c
>===================================================================
>RCS file: src/algo.c
>diff -N src/algo.c
>--- /dev/null 1 Jan 1970 00:00:00 -0000
>+++ src/algo.c 26 Aug 2007 23:22:35 -0000
>@@ -0,0 +1,101 @@
>+/*
>+ * Copyright (C) 2007 Red Hat, Inc.
>+ *
>+ * This library is free software; you can redistribute it and/or
>+ * modify it under the terms of the GNU Lesser General Public
>+ * License as published by the Free Software Foundation; either
>+ * version 2.1 of the License, or (at your option) any later version.
>+ *
>+ * This library is distributed in the hope that it will be useful,
>+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
>+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
>+ * Lesser General Public License for more details.
>+ *
>+ * You should have received a copy of the GNU Lesser General Public
>+ * License along with this library; if not, write to the Free Software
>+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
>+*/
>+
>+#include <assert.h>
>+
>+#include "nss_compat_ossl.h"
>+
>+/* FIXME: is some error handling possible? */
>+
>+
>+void DES_set_odd_parity(DES_cblock *key)
>+{
>+ size_t i;
>+
>+ for (i = 0; i < sizeof (*key)/sizeof (**key); i++) {
>+ unsigned char val, b;
>+
>+ val = (*key)[i];
>+ b = val;
>+ b ^= (b >> 4); /* (b & 0x0F) == (b & 0x0F) ^ ((b & 0xF0) >> 4) */
>+ b ^= (b >> 2); /* Likewise ... */
>+ b ^= (b >> 1); /* (b & 0x01) == XOR (bits of b) */
>+ if ((b & 0x01) == 0)
>+ (*key)[i] = val ^ 0x01;
>+ }
>+}
>+
>+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
>+{
>+ assert (sizeof (schedule->key) == sizeof (*key));
>+ memcpy (schedule->key, *key, sizeof (schedule->key));
>+}
>+
>+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
>+ DES_key_schedule *ks, int enc)
>+{
>+ static const CK_MECHANISM_TYPE mechanism = CKM_DES_ECB;
>+
>+ PK11SlotInfo *slot;
>+ PK11Origin origin;
>+ PK11SymKey *sym_key;
>+ PK11Context *ctx;
>+ SECItem key_item;
>+ int out_len1;
>+ unsigned out_len2;
>+ /* FIXME: input and output may overlap */
>+
>+ slot = PK11_GetBestSlot(mechanism, NULL);
>+ if (slot == NULL)
>+ abort();
>+ origin = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT,
>+ key_item.data = ks->key;
>+ key_item.len = sizeof (ks->key);
>+ sym_key = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap, origin,
>+ &key_item, NULL);
>+ ctx = PK11_CreateContextBySymKey(mechanism, origin, sym_key, NULL);
>+ (void)PK11_CipherOp(ctx, *output, &out_len1, sizeof (*output), *input,
>+ sizeof (*input));
>+ (void)PK11_DigestFinal(ctx, *output + out_len1, &out_len2,
>+ sizeof (*output) - out_len1);
>+ assert (out_len1 + out_len2 == sizeof (*output));
>+ PK11_DestroyContext(ctx, PR_TRUE);
>+ PK11_FreeSymKey(sym_key);
>+ PK11_FreeSlot(slot);
>+}
>+
>+
>+void MD4_Init(MD4_CTX *c)
>+{
>+ *c = PK11_CreateDigestContext(SEC_OID_MD4);
>+ (void)PK11_DigestBegin(*c);
>+}
>+
>+void MD4_Update(MD4_CTX *c, const void *data, size_t len)
>+{
>+ (void)PK11_DigestOp(*c, data, len);
>+}
>+
>+void MD4_Final(unsigned char *md, MD4_CTX *c)
>+{
>+ unsigned len;
>+
>+ (void)PK11_DigestFinal(*c, md, &len, 16);
>+ assert (len == 16);
>+ PK11_DestroyContext(*c, PR_TRUE);
>+}
>Index: src/nss_compat_ossl.h
>===================================================================
>RCS file: /cvs/dirsec/nss_compat_ossl/src/nss_compat_ossl.h,v
>retrieving revision 1.4
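Review bot: `DES_ecb_encrypt` never checks the results of `PK11_ImportSymKey`, `PK11_CreateContextBySymKey` or `PK11_CipherOp`, so a NULL key or context is handed straight to the next call and, when `PK11_CipherOp` fails, `out_len1` is read uninitialized on the `PK11_DigestFinal` line while the only check is an `assert` that disappears under `NDEBUG`; the `(void)PK11_DigestBegin`/`PK11_DigestOp`/`PK11_DigestFinal` calls in the MD4 wrappers have the same shape, with `MD4_Init` storing a possibly NULL context. Since the function has no error channel (OpenSSL's signature is void) and the slot lookup already aborts, the key, context and cipher results should be treated the same way, as in the rewrite below. Two smaller points in the same function: `origin = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT,` ends in a comma rather than a semicolon (it compiles only because the next assignment is absorbed into a comma expression), and the variable is declared `PK11Origin` although it holds a `CKA_*` attribute type that is passed as the operation argument, so `CK_ATTRIBUTE_TYPE operation` would name what it is. `memcpy` and `abort` are used with only `<assert.h>` included; presumably `<string.h>` and `<stdlib.h>` arrive via `nss_compat_ossl.h`, worth confirming.
```c
    CK_ATTRIBUTE_TYPE operation;   /* was: PK11Origin origin */
    /* … unchanged: other declarations … */

    slot = PK11_GetBestSlot(mechanism, NULL);
    if (slot == NULL)
        abort();
    operation = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT;
    key_item.data = ks->key;
    key_item.len = sizeof (ks->key);
    sym_key = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap, operation,
                                &key_item, NULL);
    if (sym_key == NULL)
        abort();   /* no error channel: void OpenSSL signature, same policy as the slot */
    ctx = PK11_CreateContextBySymKey(mechanism, operation, sym_key, NULL);
    if (ctx == NULL)
        abort();
    if (PK11_CipherOp(ctx, *output, &out_len1, sizeof (*output), *input,
                      sizeof (*input)) != SECSuccess
        || PK11_DigestFinal(ctx, *output + out_len1, &out_len2,
                            sizeof (*output) - out_len1) != SECSuccess
        || (size_t)out_len1 + out_len2 != sizeof (*output))
        abort();   /* checked in release builds too, unlike the assert */
    /* … unchanged: PK11_DestroyContext / PK11_FreeSymKey / PK11_FreeSlot … */
```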
>diff -u -r1.4 nss_compat_ossl.h
>--- src/nss_compat_ossl.h 11 May 2007 21:25:00 -0000 1.4
>+++ src/nss_compat_ossl.h 26 Aug 2007 23:22:35 -0000
>@@ -44,6 +44,8 @@
> #define NO_RSA 1 /* FIXME: ? */
> #define USE_NSS 1 /* FIXME: autoconf? */
>
>+#define PEM_BUFSIZE 1024
>+
> /* FIXME: need to map from SSL -> SSL_CTX */
> #define OSSL_SSL2CTX(x) ((SSL_CTX *)NULL)
> #define OSSL_X509_STORE_CTX2CERT(x) NULL
>@@ -167,7 +169,14 @@
> #define X509_OBJECT SECItem
> #define X509_LOOKUP SECItem
> #define X509_LOOKUP_METHOD SECItem
>-#define X509_STORE_CTX CERTCertificate
>+
>+typedef struct
>+{
>+ X509 *current_cert;
>+ SSL *ssl__;
>+ int error;
>+} X509_STORE_CTX;
>+
> #define X509_STORE SECItem
> #define X509_NAME CERTName
> #define X509_REVOKED SECItem
>@@ -304,6 +313,7 @@
> long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
> void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
> void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
>+int PEM_def_callback(char *buf, int num, int w, void *key);
>
> /* SSL context statistics */
>
>@@ -367,6 +377,7 @@
> SSL_METHOD *SSLv3_client_method(void);
> SSL_METHOD *SSLv23_client_method(void);
> SSL_METHOD *TLSv1_client_method(void);
>+SSL_METHOD *SSLv2_server_method(void);
> SSL_METHOD *SSLv23_server_method(void);
> SSL_METHOD *SSLv3_server_method(void);
> SSL_METHOD *TLSv1_server_method(void);
>@@ -392,6 +403,8 @@
> #define X509_L_FILE_LOAD 1
> #define X509_L_ADD_DIR 2
>
>+#define X509_LU_X509 1
>+
> X509 *d2i_X509(void *reserved, unsigned char **data, int len);
> X509_NAME *X509_get_issuer_name(X509 *x);
> X509_NAME *X509_get_subject_name(X509 *x);
>@@ -412,6 +425,10 @@
> X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
>
> X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
>+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
>+ X509_OBJECT *ret);
>+int SSL_get_ex_data_X509_STORE_CTX_idx(void);
>+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
>
> /* Other */
>
>@@ -489,12 +506,11 @@
> const char *SSL_alert_type_string_long(int value);
> const char *SSL_alert_desc_string_long(int value);
>
>-#if 0
> const char *SSL_state_string_long(const SSL *s);
>-#endif
>
> void CRYPTO_set_id_callback(unsigned long (*func)(void));
>-void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line));
>+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
>+ const char *file, int line));
>
> /* RNG */
>
>@@ -510,6 +526,24 @@
>
> const char *nss_error(int error);
>
>+/* Encryption functions */
>+#define DES_DECRYPT 0
>+#define DES_ENCRYPT 1
>+typedef unsigned char DES_cblock[8], const_DES_cblock[8];
>+typedef struct { DES_cblock key; } DES_key_schedule;
>+
>+void DES_set_odd_parity(DES_cblock *key);
>+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
>+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
>+ DES_key_schedule *ks, int enc);
>+
>+/* Hash functions */
>+typedef PK11Context *MD4_CTX;
>+
>+void MD4_Init(MD4_CTX *c);
>+void MD4_Update(MD4_CTX *c, const void *data, size_t len);
>+void MD4_Final(unsigned char *md, MD4_CTX *c);
>+
> /* ASN1 funcs */
> unsigned char * ASN1_STRING_data(ASN1_STRING *x);
> int ASN1_STRING_type(ASN1_STRING *x);
>Index: src/rand.c
>===================================================================
>RCS file: /cvs/dirsec/nss_compat_ossl/src/rand.c,v
>retrieving revision 1.2
>diff -u -r1.2 rand.c
>--- src/rand.c 23 Apr 2007 18:00:35 -0000 1.2
>+++ src/rand.c 26 Aug 2007 23:22:35 -0000
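Review bot: `typedef PK11Context *MD4_CTX;` in the `@@ -510` hunk gives MD4_CTX handle semantics that OpenSSL's struct-valued MD4_CTX does not have: a caller that copies a context by value (a pattern OpenSSL permits, e.g. to finalize an intermediate digest) ends up with two handles on one PK11Context, and `MD4_Final` destroys it, leaving the copy dangling. The void `MD4_Init` also has no way to report that `PK11_CreateDigestContext` returned NULL, so callers cannot tell a failed context from a live one. Suggest a comment on the typedef such as `/* Handle, not a value: never copy an MD4_CTX; MD4_Final releases it and the object is unusable afterwards. */`, and a line in the `/* Hash functions */` block stating that Init/Update/Final must be paired on the same object.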
>@@ -78,27 +78,17 @@
>
> int RAND_write_file(const char *file)
> {
>- char buf[RAND_WRITE_BYTES];
>+ unsigned char buf[RAND_WRITE_BYTES];
> int total = 0;
>- int size;
> FILE *fp;
>
> if ((fp = fopen(file, "wb")) != NULL) {
>- while (total < RAND_WRITE_BYTES) {
>- /* PR_GetRandomNoise is not guaranteed to return the number of
>- * requested bytes so we'll keep trying */
>- size = PR_GetRandomNoise(buf, RAND_WRITE_BYTES - total);
>- if (size == 0 && total == 0) {
>- /* PR_GetRandomNoise not implemented */
>- fclose(fp);
>- return 0;
>- }
>- fwrite(buf, 1, size, fp);
>- total += size;
>- }
>+ if (PK11_GenerateRandom(buf, sizeof (buf)) == SECSuccess) {
>+ total = sizeof (buf);
>+ fwrite(buf, 1, total, fp);
>+ }
>+ fclose(fp);
> }
>- fclose(fp);
>-
> return total;
> }
>
>Index: src/ssl.c
>===================================================================
>RCS file: /cvs/dirsec/nss_compat_ossl/src/ssl.c,v
>retrieving revision 1.12
>diff -u -r1.12 ssl.c
>--- src/ssl.c 29 May 2007 22:00:19 -0000 1.12
>+++ src/ssl.c 26 Aug 2007 23:22:35 -0000
>@@ -429,9 +429,14 @@
> * use it. Otherwise fall back to the one provided by NSS.
> */
> if (ossl->verify_cb != NULL) {
>+ X509_STORE_CTX ctx;
>+
> verify_callback = ossl->verify_cb;
>
>- rv = verify_callback((status == SECSuccess) ? 1 : 0, (X509_STORE_CTX *)ssl);
>+ ctx.current_cert = SSL_get_peer_certificate(ssl);
>+ ctx.error = PORT_GetError();
>+ rv = verify_callback((status == SECSuccess) ? 1 : 0, &ctx);
>+ X509_free(ctx.current_cert);
>
> if (rv == 1) {
> ossl->verify_result = X509_V_OK;
>@@ -1492,6 +1497,11 @@
> return create_context(PR_FALSE, PR_FALSE, PR_TRUE, PR_FALSE);
> }
>
>+SSL_METHOD *SSLv2_server_method(void)
>+{
>+ return create_context(PR_TRUE, PR_FALSE, PR_FALSE, PR_TRUE);
>+}
>+
> SSL_METHOD *SSLv23_server_method(void)
> {
> return create_context(PR_TRUE, PR_TRUE, PR_FALSE, PR_TRUE);
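Review bot: `RAND_write_file` sets `total = sizeof (buf)` before the `fwrite` and discards the `fwrite` return value, so a short or failed write (full disk, unwritable file) is still reported to the caller as `RAND_WRITE_BYTES` bytes written; the new shape makes the fix a single line, `total = fwrite(buf, 1, sizeof (buf), fp);`. `fclose` is unchecked too, which matters on a write stream because the bytes may still be sitting in the stdio buffer when it fails. The freshly generated seed bytes also remain in `buf` on the stack after return; OpenSSL's counterpart clears its buffer before returning, and if the project wants the same here a plain `memset` can be optimized away, so a volatile-based or platform clearing routine would be needed.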
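Review bot: The `X509_STORE_CTX ctx` placed on the stack in the `@@ -429` hunk never has its `ssl__` member assigned — only `current_cert` and `error` are set — yet `X509_STORE_CTX_get_ex_data` in the `@@ -2867` hunk returns `ctx->ssl__` for `SSL_get_ex_data_X509_STORE_CTX_idx()`, so a verify callback that looks up its SSL object that way (the usual OpenSSL idiom) receives an uninitialized pointer. Add `ctx.ssl__ = ssl;` beside the other two assignments, or at least declare it as `X509_STORE_CTX ctx = {0};` so a missed field reads as NULL rather than stack garbage. Two things to confirm as well: `SSL_get_peer_certificate` can return NULL after the `@@ -1890` hunk, so `X509_free(ctx.current_cert)` has to tolerate NULL; and `ctx.error` receives an NSS error code from `PORT_GetError()` whereas OpenSSL callbacks read that field as an `X509_V_ERR_*` value, so any callback that maps it to a string or compares it against those constants will misreport. The enclosing function starts and ends outside the hunk.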
>@@ -1890,6 +1900,9 @@
> if (ssl)
> cert = SSL_PeerCertificate(ssl);
>
>+ if (cert == NULL)
>+ return NULL;
>+
> x = (X509 *)malloc(sizeof(X509));
>
> x->cert = cert;
>@@ -2146,8 +2159,8 @@
>
> value = CERT_NameToAscii(x);
>
>- if (len)
>- s = PL_strncpyz(s, value, len);
>+ if (s)
>+ s = PL_strncpyz(s, value, len);
> else
> s = PORT_ArenaStrdup(x->arena, value);
>
>@@ -2815,7 +2828,7 @@
> const char *SSL_state_string_long(const SSL *s)
> {
> /* We have no visibility into the current NSS handshake state */
>- return (NULL);
>+ return "Unknown";
> }
>
> void SSL_CTX_set_info_callback(SSL_CTX *ctx, void(*cb)())
>@@ -2860,6 +2873,13 @@
> return;
> }
>
>+/* SSL_CTX_set_default_passwd_cb* is ignored */
>+int PEM_def_callback(char *buf, int num, int w, void *key)
>+{
>+ *buf = 0;
>+ return 0;
>+}
>+
> long SSL_session_reused(SSL *s)
> {
> return 0;
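Review bot: `PEM_def_callback` in the `@@ -2860` hunk writes `*buf = 0` without looking at `num`, so a caller that passes a zero-length buffer gets a one-byte out-of-bounds write; guard it as `if (num > 0) *buf = 0;`. OpenSSL's callback contract is to return the passphrase length on success and a negative value on failure, so `return 0` here means "empty passphrase" rather than "no passphrase available" — if that is intended, the comment should say so, e.g. `/* No passphrase support: always yields an empty passphrase (length 0). */`. `w` and `key` are unused; `(void)w; (void)key;` keeps the unused-parameter warning quiet, as the patch already does for `vs` in `X509_STORE_get_by_subject`.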
>@@ -2867,19 +2887,59 @@
>
> X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
> {
>- X509 * x;
>-
>- /* Is it really the peer cert we want? Docs are slim on this */
>- x = SSL_get_peer_certificate((SSL *)ctx);
>+ return ctx->current_cert;
>+}
>
>- return x;
>+#define X509_STORE_CTX_EX_DATA_SSL_IDX 42
>+int SSL_get_ex_data_X509_STORE_CTX_idx(void)
>+{
>+ return X509_STORE_CTX_EX_DATA_SSL_IDX;
> }
>
>+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
>+{
>+ if (idx == X509_STORE_CTX_EX_DATA_SSL_IDX)
>+ return ctx->ssl__;
>+ return NULL;
>+}
>+
>+
>+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
>+ X509_OBJECT *ret)
>+{
>+ PRArenaPool *arena;
>+ CERTCertificate * cert;
>+ SECItem *subject;
>+
>+ (void)vs;
>+ if (type != X509_LU_X509)
>+ return 0;
>+
>+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
>+ if (arena == NULL)
>+ return 0;
>+ subject = SEC_ASN1EncodeItem(arena, NULL, name, CERT_NameTemplate);
>+ cert = NULL;
>+ if (subject != NULL)
>+ cert = CERT_FindCertByName(CERT_GetDefaultCertDB(), subject);
>+ PORT_FreeArena(arena, PR_FALSE);
>+ if (cert == NULL)
>+ return 0;
>+ /* FIXME: a more useful representation of the certificate, e.g. one that
>+ does not leak? */
>+ ret->type = siBuffer;
>+ ret->data = (unsigned char *)cert;
>+ ret->len = sizeof (*cert);
>+ return 1;
>+}
>+
>+
> void CRYPTO_set_id_callback(unsigned long (*func)(void))
> {
> }
>
>-void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line))
>+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
>+ const char *file, int line))
> {
> }
>