Attachment #459070 for bug #604882

Lines 802-807 if test -n "$OPENSSL_LIBS" -a "$linking_mode" != "dynamic"; then Link Here

(-)a/configure.ac (+2 lines)
802	LIBS=$old_LIBS	802	LIBS=$old_LIBS
803	fi	803	fi
804		804
		805	AC_CHECK_FUNC(SSL_CTX_get0_param, AC_DEFINE(HAVE_SSL_CTX_GET0_PARAM, 1, [SSL_CTX_get0_param is present]))
		806
805		807
806	dnl	808	dnl
807	dnl Right now, openssl is never linked statically as it is only used by the	809	dnl Right now, openssl is never linked statically as it is only used by the




#include <openssl/err.h>
#include <openssl/rand.h>

#ifndef SYSLOG_NG_HAVE_SSL_CTX_GET0_PARAM
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
  return ctx->param;
}
#endif

gboolean
tls_get_x509_digest(X509 *x, GString *hash_string)
{

      if (self->crl_dir)
        verify_flags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;

      X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(self->ssl_ctx), verify_flags);

      switch (self->verify_mode)
        {
- 
direct member access
--
lib/tlscontext.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)




  if (self->ctx->verify_mode & TVM_UNTRUSTED)
    return 1;

  int ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
  /* accept certificate if its fingerprint matches, again regardless whether x509 certificate validation was successful */
  if (ok && ctx_error_depth == 0 && !tls_session_verify_fingerprint(ctx))
    {
      msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting", NULL);
      return 0;
    }

  if (ok && ctx_error_depth != 0 && (ctx->current_cert->ex_flags & EXFLAG_CA) == 0)
    {
      msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);
      ctx->error = X509_V_ERR_INVALID_CA;

    }

  /* reject certificate if it is valid, but its DN is not trusted */
  if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx))
    {
      msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL);
      ctx->error = X509_V_ERR_CERT_UNTRUSTED;
- 
--
configure.ac                       |  6 +++--
lib/compat/Makefile.am             |  6 +++--
lib/compat/openssl_support.c       | 46 +++++++++++++++++++++++++++++++++
lib/compat/openssl_support.h       | 53 ++++++++++++++++++++++++++++++++++++++
lib/tlscontext.c                   | 52 +++++++++++++++++--------------------
modules/afsocket/afinet-dest.c     |  9 +++++--
modules/cryptofuncs/cryptofuncs.c  | 42 ++++++++++++++++++------------
modules/dbparser/pdbtool/pdbtool.c |  1 +
8 files changed, 165 insertions(+), 50 deletions(-)
create mode 100644 lib/compat/openssl_support.c
create mode 100644 lib/compat/openssl_support.h

Lines 802-809 if test -n "$OPENSSL_LIBS" -a "$linking_mode" != "dynamic"; then Link Here

(-)a/configure.ac (-2 / +4 lines)
802	LIBS=$old_LIBS	802	LIBS=$old_LIBS
803	fi	803	fi
804		804
805	AC_CHECK_FUNC(SSL_CTX_get0_param, AC_DEFINE(HAVE_SSL_CTX_GET0_PARAM, 1, [SSL_CTX_get0_param is present]))	805	AC_CHECK_DECLS([SSL_CTX_get0_param],[], [], [[#include <openssl/ssl.h>]])
806		806	AC_CHECK_DECLS([X509_STORE_CTX_get0_cert],[], [], [[#include <openssl/ssl.h>]])
		807	AC_CHECK_DECLS([X509_get_extension_flags], [], [], [[#include <openssl/x509v3.h>]])
		808	AC_CHECK_DECLS([EVP_MD_CTX_reset], [], [], [[#include <openssl/evp.h>]])
807		809
808	dnl	810	dnl
809	dnl Right now, openssl is never linked statically as it is only used by the	811	dnl Right now, openssl is never linked statically as it is only used by the

Lines 8-14 compatinclude_HEADERS = \ Link Here

(-)a/lib/compat/Makefile.am (-2 / +4 lines)
8	lib/compat/pio.h \	8	lib/compat/pio.h \
9	lib/compat/socket.h \	9	lib/compat/socket.h \
10	lib/compat/string.h \	10	lib/compat/string.h \
11	lib/compat/time.h	11	lib/compat/time.h \
		12	lib/compat/openssl_support.h
12		13
13	compat_sources = \	14	compat_sources = \
14	lib/compat/getutent.c \	15	lib/compat/getutent.c \
Lines 16-21 compat_sources = \ Link Here
16	lib/compat/memrchr.c \	17	lib/compat/memrchr.c \
17	lib/compat/pio.c \	18	lib/compat/pio.c \
18	lib/compat/strcasestr.c \	19	lib/compat/strcasestr.c \
19	lib/compat/strtok_r.c	20	lib/compat/strtok_r.c \
		21	lib/compat/openssl_support.c
20		22
21	include lib/compat/tests/Makefile.am	23	include lib/compat/tests/Makefile.am




/*
 * Copyright (c) 2002-2016 Balabit
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 *
 * As an additional exemption you are allowed to compile & link against the
 * OpenSSL libraries as published by the OpenSSL project. See the file
 * COPYING for details.
 *
 */

#include "compat/openssl_support.h"

#if !HAVE_DECL_SSL_CTX_GET0_PARAM
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
  return ctx->param;
}
#endif

#if !HAVE_DECL_X509_STORE_CTX_GET0_CERT
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
{
  return ctx->cert;
}
#endif

#if !HAVE_DECL_X509_GET_EXTENSION_FLAGS
uint32_t X509_get_extension_flags(X509 *x)
{
  return x->ex_flags;
}
#endif





/*
 * Copyright (c) 2002-2016 Balabit
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 *
 * As an additional exemption you are allowed to compile & link against the
 * OpenSSL libraries as published by the OpenSSL project. See the file
 * COPYING for details.
 *
 */

#ifndef OPENSSL_SUPPORT_H_INCLUDED
#define OPENSSL_SUPPORT_H_INCLUDED

#include "compat/compat.h"
#include <openssl/ssl.h>

#if !HAVE_DECL_SSL_CTX_GET0_PARAM
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
#endif

#if !HAVE_DECL_X509_STORE_CTX_GET0_CERT
X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx);
#endif

#if !HAVE_DECL_X509_GET_EXTENSION_FLAGS
#include <stdint.h>
uint32_t X509_get_extension_flags(X509 *x);
#endif

#if HAVE_DECL_EVP_MD_CTX_RESET
#include <openssl/evp.h>
#define EVP_MD_CTX_cleanup EVP_MD_CTX_reset
#define DECLARE_EVP_MD_CTX(md_ctx) EVP_MD_CTX * md_ctx = EVP_MD_CTX_create()
#else
#define DECLARE_EVP_MD_CTX(md_ctx) EVP_MD_CTX _##md_ctx; EVP_MD_CTX * md_ctx = & _##md_ctx
#define EVP_MD_CTX_destroy(md_ctx) EVP_MD_CTX_cleanup(md_ctx) 
#endif

#endif





#include "tlscontext.h"
#include "misc.h"
#include "messages.h"
#include "compat/openssl_support.h"

#include <arpa/inet.h>
#include <openssl/x509_vfy.h>

#include <openssl/err.h>
#include <openssl/rand.h>

#ifndef SYSLOG_NG_HAVE_SSL_CTX_GET0_PARAM
X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx)
{
  return ctx->param;
}
#endif

gboolean
tls_get_x509_digest(X509 *x, GString *hash_string)
{

      return 0;
    }

  X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
  if (ok && ctx_error_depth != 0 && (X509_get_extension_flags(current_cert) & EXFLAG_CA) == 0)
    {
      msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);
      X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_CA);
      return 0;
    }


  if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx))
    {
      msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL);
      X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
      return 0;
    }
  /* if the crl_dir is set in the configuration file but the directory is empty ignore this error */
  if (!ok && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
    {
      msg_notice("CRL directory is set but no CRLs found", NULL);
      return 1;
    }

  if (!ok && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_INVALID_PURPOSE)
    {
      msg_warning("Certificate valid, but purpose is invalid", NULL);
      return 1;

   */
  if (X509_STORE_CTX_get_current_cert(ctx) == NULL)
    {
      int ctx_error = X509_STORE_CTX_get_error(ctx);
      switch (ctx_error)
        {
        case X509_V_ERR_NO_EXPLICIT_POLICY:
          /* NOTE: Because we set the CHECK_POLICY_FLAG if the
             certificate contains ExplicitPolicy constraint
             we would get this error. But this error is because
             we do not set the policy what we want to check for.
           */
          ok = 1;
          break;
        default:
          msg_notice("Error occured during certificate validation",
		     evt_tag_int("error", X509_STORE_CTX_get_error(ctx)),
                     NULL);
          break;
        }
    }
  else
    {

Lines 27-32 Link Here

(-)a/modules/afsocket/afinet-dest.c (-2 / +7 lines)
27	#include "messages.h"	27	#include "messages.h"
28	#include "misc.h"	28	#include "misc.h"
29	#include "gprocess.h"	29	#include "gprocess.h"
		30	#include "compat/openssl_support.h"
30		31
31	#include <sys/types.h>	32	#include <sys/types.h>
32	#include <sys/socket.h>	33	#include <sys/socket.h>
Lines 98-106 afinet_dd_verify_callback(gint ok, X509_STORE_CTX *ctx, gpointer user_data) Link Here
98	AFInetDestDriver self G_GNUC_UNUSED = (AFInetDestDriver ) user_data;	99	AFInetDestDriver self G_GNUC_UNUSED = (AFInetDestDriver ) user_data;
99	TransportMapperInet transport_mapper_inet = (TransportMapperInet ) self->super.transport_mapper;	100	TransportMapperInet transport_mapper_inet = (TransportMapperInet ) self->super.transport_mapper;
100		101
101	if (ok && ctx->current_cert == ctx->cert && self->hostname && (transport_mapper_inet->tls_context->verify_mode & TVM_TRUSTED))	102	X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
		103	X509 *cert = X509_STORE_CTX_get0_cert(ctx);
		104
		105	if (ok && current_cert == cert && self->hostname
		106	&& (transport_mapper_inet->tls_context->verify_mode & TVM_TRUSTED))
102	{	107	{
103	ok = tls_verify_certificate_name(ctx->cert, self->hostname);	108	ok = tls_verify_certificate_name(cert, self->hostname);
104	}	109	}
105		110
106	return ok;	111	return ok;




#include "uuid.h"
#include "str-format.h"
#include "plugin-types.h"
#include "compat/openssl_support.h"
#include <openssl/evp.h>

static void

      return FALSE;
    }
  state->md = md;
  gint md_size = EVP_MD_size(md);
  if ((state->length == 0) || (state->length > md_size * 2))
    state->length = md_size * 2;
  return TRUE;
}

static guint
_hash(const EVP_MD *md, GString **argv, gint argc, guchar *hash, guint hash_size)
{
  gint i;
  guint md_len;
  DECLARE_EVP_MD_CTX(mdctx);
  EVP_MD_CTX_init(mdctx);
  EVP_DigestInit_ex(mdctx, md, NULL);

  for (i = 0; i < argc; i++)
    {
      EVP_DigestUpdate(mdctx, argv[i]->str, argv[i]->len);
    }

  EVP_DigestFinal_ex(mdctx, hash, &md_len);
  EVP_MD_CTX_cleanup(mdctx);
  EVP_MD_CTX_destroy(mdctx);

  return md_len;
}

static void
tf_hash_call(LogTemplateFunction *self, gpointer s, const LogTemplateInvokeArgs *args, GString *result)
{
  TFHashState *state = (TFHashState *) s;
  GString **argv;
  gint argc;
  gint i;
  EVP_MD_CTX mdctx;
  guchar hash[EVP_MAX_MD_SIZE];
  gchar hash_str[EVP_MAX_MD_SIZE * 2 + 1];
  guint md_len;

  argv = (GString **) args->bufs->pdata;
  argc = args->bufs->len;
  md_len = _hash(state->md, argv, argc, hash, sizeof(hash));
  EVP_MD_CTX_init(&mdctx);
  EVP_DigestInit_ex(&mdctx, state->md, NULL);

  for (i = 0; i < argc; i++)
    {
      EVP_DigestUpdate(&mdctx, argv[i]->str, argv[i]->len);
    }
  EVP_DigestFinal_ex(&mdctx, hash, &md_len);
  EVP_MD_CTX_cleanup(&mdctx);

  // we fetch the entire hash in a hex format otherwise we cannot truncate at
  // odd character numbers
  format_hex_string(hash, md_len, hash_str, sizeof(hash_str));

Lines 41-46 Link Here

(-)a/modules/dbparser/pdbtool/pdbtool.c (-1 / +1 lines)
41	#include "logproto/logproto-text-server.h"	41	#include "logproto/logproto-text-server.h"
42	#include "reloc.h"	42	#include "reloc.h"
43	#include "pathutils.h"	43	#include "pathutils.h"
		44	#include "compat/openssl_support.h"
44		45
45	#include <stdio.h>	46	#include <stdio.h>
46	#include <string.h>	47	#include <string.h>
47	-

Return to bug 604882

Lines 31-36 Link Here

(-)a/lib/tlscontext.c (-3 / +8 lines)
31	#include <openssl/err.h>	31	#include <openssl/err.h>
32	#include <openssl/rand.h>	32	#include <openssl/rand.h>
33		33
		34	#ifndef SYSLOG_NG_HAVE_SSL_CTX_GET0_PARAM
		35	X509_VERIFY_PARAM SSL_CTX_get0_param(SSL_CTX ctx)
		36	{
		37	return ctx->param;
		38	}
		39	#endif
		40
34	gboolean	41	gboolean
35	tls_get_x509_digest(X509 x, GString hash_string)	42	tls_get_x509_digest(X509 x, GString hash_string)
36	{	43	{
Lines 311-317 tls_context_setup_session(TLSContext *self) Link Here
311	if (self->crl_dir)	318	if (self->crl_dir)
312	verify_flags \|= X509_V_FLAG_CRL_CHECK \| X509_V_FLAG_CRL_CHECK_ALL;	319	verify_flags \|= X509_V_FLAG_CRL_CHECK \| X509_V_FLAG_CRL_CHECK_ALL;
313		320
314	X509_VERIFY_PARAM_set_flags(self->ssl_ctx->param, verify_flags);	321	X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(self->ssl_ctx), verify_flags);
315		322
316	switch (self->verify_mode)	323	switch (self->verify_mode)
317	{	324	{
318	-
319	direct member access	325	direct member access
320	--
321	lib/tlscontext.c \| 7 ++++---	326	lib/tlscontext.c \| 7 ++++---
322	1 file changed, 4 insertions(+), 3 deletions(-)	327	1 file changed, 4 insertions(+), 3 deletions(-)

Lines 24-29 Link Here

(-)a/lib/tlscontext.c (-28 / +24 lines)
24	#include "tlscontext.h"	24	#include "tlscontext.h"
25	#include "misc.h"	25	#include "misc.h"
26	#include "messages.h"	26	#include "messages.h"
		27	#include "compat/openssl_support.h"
27		28
28	#include <arpa/inet.h>	29	#include <arpa/inet.h>
29	#include <openssl/x509_vfy.h>	30	#include <openssl/x509_vfy.h>
Lines 31-43 Link Here
31	#include <openssl/err.h>	32	#include <openssl/err.h>
32	#include <openssl/rand.h>	33	#include <openssl/rand.h>
33		34
34	#ifndef SYSLOG_NG_HAVE_SSL_CTX_GET0_PARAM
35	X509_VERIFY_PARAM SSL_CTX_get0_param(SSL_CTX ctx)
36	{
37	return ctx->param;
38	}
39	#endif
40
41	gboolean	35	gboolean
42	tls_get_x509_digest(X509 x, GString hash_string)	36	tls_get_x509_digest(X509 x, GString hash_string)
43	{	37	{
Lines 150-159 tls_session_verify(TLSSession self, int ok, X509_STORE_CTX ctx) Link Here
150	return 0;	144	return 0;
151	}	145	}
152		146
153	if (ok && ctx_error_depth != 0 && (ctx->current_cert->ex_flags & EXFLAG_CA) == 0)	147	X509 *current_cert = X509_STORE_CTX_get_current_cert(ctx);
		148	if (ok && ctx_error_depth != 0 && (X509_get_extension_flags(current_cert) & EXFLAG_CA) == 0)
154	{	149	{
155	msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);	150	msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);
156	ctx->error = X509_V_ERR_INVALID_CA;	151	X509_STORE_CTX_set_error(ctx, X509_V_ERR_INVALID_CA);
157	return 0;	152	return 0;
158	}	153	}
159		154
Lines 161-177 tls_session_verify(TLSSession self, int ok, X509_STORE_CTX ctx) Link Here
161	if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx))	156	if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx))
162	{	157	{
163	msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL);	158	msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL);
164	ctx->error = X509_V_ERR_CERT_UNTRUSTED;	159	X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_UNTRUSTED);
165	return 0;	160	return 0;
166	}	161	}
167	/* if the crl_dir is set in the configuration file but the directory is empty ignore this error */	162	/* if the crl_dir is set in the configuration file but the directory is empty ignore this error */
168	if (!ok && ctx->error == X509_V_ERR_UNABLE_TO_GET_CRL)	163	if (!ok && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_UNABLE_TO_GET_CRL)
169	{	164	{
170	msg_notice("CRL directory is set but no CRLs found", NULL);	165	msg_notice("CRL directory is set but no CRLs found", NULL);
171	return 1;	166	return 1;
172	}	167	}
173		168
174	if (!ok && ctx->error == X509_V_ERR_INVALID_PURPOSE)	169	if (!ok && X509_STORE_CTX_get_error(ctx) == X509_V_ERR_INVALID_PURPOSE)
175	{	170	{
176	msg_warning("Certificate valid, but purpose is invalid", NULL);	171	msg_warning("Certificate valid, but purpose is invalid", NULL);
177	return 1;	172	return 1;
Lines 191-212 tls_session_verify_callback(int ok, X509_STORE_CTX *ctx) Link Here
191	*/	186	*/
192	if (X509_STORE_CTX_get_current_cert(ctx) == NULL)	187	if (X509_STORE_CTX_get_current_cert(ctx) == NULL)
193	{	188	{
194	switch (ctx->error)	189	int ctx_error = X509_STORE_CTX_get_error(ctx);
195	{	190	switch (ctx_error)
196	case X509_V_ERR_NO_EXPLICIT_POLICY:	191	{
197	/* NOTE: Because we set the CHECK_POLICY_FLAG if the	192	case X509_V_ERR_NO_EXPLICIT_POLICY:
198	certificate contains ExplicitPolicy constraint	193	/* NOTE: Because we set the CHECK_POLICY_FLAG if the
199	we would get this error. But this error is because	194	certificate contains ExplicitPolicy constraint
200	we do not set the policy what we want to check for.	195	we would get this error. But this error is because
201	*/	196	we do not set the policy what we want to check for.
202	ok = 1;	197	*/
203	break;	198	ok = 1;
204	default:	199	break;
205	msg_notice("Error occured during certificate validation",	200	default:
206	evt_tag_int("error", ctx->error),	201	msg_notice("Error occured during certificate validation",
207	NULL);	202	evt_tag_int("error", X509_STORE_CTX_get_error(ctx)),
208	break;	203	NULL);
209	}	204	break;
		205	}
210	}	206	}
211	else	207	else
212	{	208	{

Lines 142-155 tls_session_verify(TLSSession self, int ok, X509_STORE_CTX ctx) Link Here

(-)a/lib/tlscontext.c (-5 / +4 lines)
142	if (self->ctx->verify_mode & TVM_UNTRUSTED)	142	if (self->ctx->verify_mode & TVM_UNTRUSTED)
143	return 1;	143	return 1;
144		144
		145	int ctx_error_depth = X509_STORE_CTX_get_error_depth(ctx);
145	/* accept certificate if its fingerprint matches, again regardless whether x509 certificate validation was successful */	146	/* accept certificate if its fingerprint matches, again regardless whether x509 certificate validation was successful */
146	if (ok && ctx->error_depth == 0 && !tls_session_verify_fingerprint(ctx))	147	if (ok && ctx_error_depth == 0 && !tls_session_verify_fingerprint(ctx))
147	{	148	{
148	msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting", NULL);	149	msg_notice("Certificate valid, but fingerprint constraints were not met, rejecting", NULL);
149	return 0;	150	return 0;
150	}	151	}
151		152
152	if (ok && ctx->error_depth != 0 && (ctx->current_cert->ex_flags & EXFLAG_CA) == 0)	153	if (ok && ctx_error_depth != 0 && (ctx->current_cert->ex_flags & EXFLAG_CA) == 0)
153	{	154	{
154	msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);	155	msg_notice("Invalid certificate found in chain, basicConstraints.ca is unset in non-leaf certificate", NULL);
155	ctx->error = X509_V_ERR_INVALID_CA;	156	ctx->error = X509_V_ERR_INVALID_CA;
Lines 157-163 tls_session_verify(TLSSession self, int ok, X509_STORE_CTX ctx) Link Here
157	}	158	}
158		159
159	/* reject certificate if it is valid, but its DN is not trusted */	160	/* reject certificate if it is valid, but its DN is not trusted */
160	if (ok && ctx->error_depth == 0 && !tls_session_verify_dn(ctx))	161	if (ok && ctx_error_depth == 0 && !tls_session_verify_dn(ctx))
161	{	162	{
162	msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL);	163	msg_notice("Certificate valid, but DN constraints were not met, rejecting", NULL);
163	ctx->error = X509_V_ERR_CERT_UNTRUSTED;	164	ctx->error = X509_V_ERR_CERT_UNTRUSTED;
164	-
165	--
166	configure.ac \| 6 +++--	165	configure.ac \| 6 +++--
167	lib/compat/Makefile.am \| 6 +++--	166	lib/compat/Makefile.am \| 6 +++--
168	lib/compat/openssl_support.c \| 46 +++++++++++++++++++++++++++++++++	167	lib/compat/openssl_support.c \| 46 +++++++++++++++++++++++++++++++++
169	lib/compat/openssl_support.h \| 53 ++++++++++++++++++++++++++++++++++++++	168	lib/compat/openssl_support.h \| 53 ++++++++++++++++++++++++++++++++++++++
170	lib/tlscontext.c \| 52 +++++++++++++++++--------------------	169	lib/tlscontext.c \| 52 +++++++++++++++++--------------------
171	modules/afsocket/afinet-dest.c \| 9 +++++--	170	modules/afsocket/afinet-dest.c \| 9 +++++--
172	modules/cryptofuncs/cryptofuncs.c \| 42 ++++++++++++++++++------------	171	modules/cryptofuncs/cryptofuncs.c \| 42 ++++++++++++++++++------------
173	modules/dbparser/pdbtool/pdbtool.c \| 1 +	172	modules/dbparser/pdbtool/pdbtool.c \| 1 +
174	8 files changed, 165 insertions(+), 50 deletions(-)	173	8 files changed, 165 insertions(+), 50 deletions(-)
175	create mode 100644 lib/compat/openssl_support.c	174	create mode 100644 lib/compat/openssl_support.c
176	create mode 100644 lib/compat/openssl_support.h	175	create mode 100644 lib/compat/openssl_support.h

Line 0 Link Here

(-)a/lib/compat/openssl_support.c (+46 lines)
	1	/*
	2	* Copyright (c) 2002-2016 Balabit
	3	*
	4	* This library is free software; you can redistribute it and/or
	5	* modify it under the terms of the GNU Lesser General Public
	6	* License as published by the Free Software Foundation; either
	7	* version 2.1 of the License, or (at your option) any later version.
	8	*
	9	* This library is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	12	* Lesser General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU Lesser General Public
	15	* License along with this library; if not, write to the Free Software
	16	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	17	*
	18	* As an additional exemption you are allowed to compile & link against the
	19	* OpenSSL libraries as published by the OpenSSL project. See the file
	20	* COPYING for details.
	21	*
	22	*/
	23
	24	#include "compat/openssl_support.h"
	25
	26	#if !HAVE_DECL_SSL_CTX_GET0_PARAM
	27	X509_VERIFY_PARAM SSL_CTX_get0_param(SSL_CTX ctx)
	28	{
	29	return ctx->param;
	30	}
	31	#endif
	32
	33	#if !HAVE_DECL_X509_STORE_CTX_GET0_CERT
	34	X509 X509_STORE_CTX_get0_cert(X509_STORE_CTX ctx)
	35	{
	36	return ctx->cert;
	37	}
	38	#endif
	39
	40	#if !HAVE_DECL_X509_GET_EXTENSION_FLAGS
	41	uint32_t X509_get_extension_flags(X509 *x)
	42	{
	43	return x->ex_flags;
	44	}
	45	#endif
	46

Line 0 Link Here

(-)a/lib/compat/openssl_support.h (+53 lines)
	1	/*
	2	* Copyright (c) 2002-2016 Balabit
	3	*
	4	* This library is free software; you can redistribute it and/or
	5	* modify it under the terms of the GNU Lesser General Public
	6	* License as published by the Free Software Foundation; either
	7	* version 2.1 of the License, or (at your option) any later version.
	8	*
	9	* This library is distributed in the hope that it will be useful,
	10	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	12	* Lesser General Public License for more details.
	13	*
	14	* You should have received a copy of the GNU Lesser General Public
	15	* License along with this library; if not, write to the Free Software
	16	* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
	17	*
	18	* As an additional exemption you are allowed to compile & link against the
	19	* OpenSSL libraries as published by the OpenSSL project. See the file
	20	* COPYING for details.
	21	*
	22	*/
	23
	24	#ifndef OPENSSL_SUPPORT_H_INCLUDED
	25	#define OPENSSL_SUPPORT_H_INCLUDED
	26
	27	#include "compat/compat.h"
	28	#include <openssl/ssl.h>
	29
	30	#if !HAVE_DECL_SSL_CTX_GET0_PARAM
	31	X509_VERIFY_PARAM SSL_CTX_get0_param(SSL_CTX ctx);
	32	#endif
	33
	34	#if !HAVE_DECL_X509_STORE_CTX_GET0_CERT
	35	X509 X509_STORE_CTX_get0_cert(X509_STORE_CTX ctx);
	36	#endif
	37
	38	#if !HAVE_DECL_X509_GET_EXTENSION_FLAGS
	39	#include <stdint.h>
	40	uint32_t X509_get_extension_flags(X509 *x);
	41	#endif
	42
	43	#if HAVE_DECL_EVP_MD_CTX_RESET
	44	#include <openssl/evp.h>
	45	#define EVP_MD_CTX_cleanup EVP_MD_CTX_reset
	46	#define DECLARE_EVP_MD_CTX(md_ctx) EVP_MD_CTX * md_ctx = EVP_MD_CTX_create()
	47	#else
	48	#define DECLARE_EVP_MD_CTX(md_ctx) EVP_MD_CTX _##md_ctx; EVP_MD_CTX * md_ctx = & _##md_ctx
	49	#define EVP_MD_CTX_destroy(md_ctx) EVP_MD_CTX_cleanup(md_ctx)
	50	#endif
	51
	52	#endif
	53

Lines 27-32 Link Here

(-)a/modules/cryptofuncs/cryptofuncs.c (-16 / +26 lines)
27	#include "uuid.h"	27	#include "uuid.h"
28	#include "str-format.h"	28	#include "str-format.h"
29	#include "plugin-types.h"	29	#include "plugin-types.h"
		30	#include "compat/openssl_support.h"
30	#include <openssl/evp.h>	31	#include <openssl/evp.h>
31		32
32	static void	33	static void
Lines 98-133 tf_hash_prepare(LogTemplateFunction self, gpointer s, LogTemplate parent, gint Link Here
98	return FALSE;	99	return FALSE;
99	}	100	}
100	state->md = md;	101	state->md = md;
101	if ((state->length == 0) \|\| (state->length > md->md_size * 2))	102	gint md_size = EVP_MD_size(md);
102	state->length = md->md_size * 2;	103	if ((state->length == 0) \|\| (state->length > md_size * 2))
		104	state->length = md_size * 2;
103	return TRUE;	105	return TRUE;
104	}	106	}
105		107
		108	static guint
		109	_hash(const EVP_MD md, GString argv, gint argc, guchar hash, guint hash_size)
		110	{
		111	gint i;
		112	guint md_len;
		113	DECLARE_EVP_MD_CTX(mdctx);
		114	EVP_MD_CTX_init(mdctx);
		115	EVP_DigestInit_ex(mdctx, md, NULL);
		116
		117	for (i = 0; i < argc; i++)
		118	{
		119	EVP_DigestUpdate(mdctx, argv[i]->str, argv[i]->len);
		120	}
		121
		122	EVP_DigestFinal_ex(mdctx, hash, &md_len);
		123	EVP_MD_CTX_cleanup(mdctx);
		124	EVP_MD_CTX_destroy(mdctx);
		125
		126	return md_len;
		127	}
		128
106	static void	129	static void
107	tf_hash_call(LogTemplateFunction self, gpointer s, const LogTemplateInvokeArgs args, GString *result)	130	tf_hash_call(LogTemplateFunction self, gpointer s, const LogTemplateInvokeArgs args, GString *result)
108	{	131	{
109	TFHashState state = (TFHashState ) s;	132	TFHashState state = (TFHashState ) s;
110	GString **argv;	133	GString **argv;
111	gint argc;	134	gint argc;
112	gint i;
113	EVP_MD_CTX mdctx;
114	guchar hash[EVP_MAX_MD_SIZE];	135	guchar hash[EVP_MAX_MD_SIZE];
115	gchar hash_str[EVP_MAX_MD_SIZE * 2 + 1];	136	gchar hash_str[EVP_MAX_MD_SIZE * 2 + 1];
116	guint md_len;	137	guint md_len;
117
118	argv = (GString **) args->bufs->pdata;	138	argv = (GString **) args->bufs->pdata;
119	argc = args->bufs->len;	139	argc = args->bufs->len;
120		140	md_len = _hash(state->md, argv, argc, hash, sizeof(hash));
121	EVP_MD_CTX_init(&mdctx);
122	EVP_DigestInit_ex(&mdctx, state->md, NULL);
123
124	for (i = 0; i < argc; i++)
125	{
126	EVP_DigestUpdate(&mdctx, argv[i]->str, argv[i]->len);
127	}
128	EVP_DigestFinal_ex(&mdctx, hash, &md_len);
129	EVP_MD_CTX_cleanup(&mdctx);
130
131	// we fetch the entire hash in a hex format otherwise we cannot truncate at	141	// we fetch the entire hash in a hex format otherwise we cannot truncate at
132	// odd character numbers	142	// odd character numbers
133	format_hex_string(hash, md_len, hash_str, sizeof(hash_str));	143	format_hex_string(hash, md_len, hash_str, sizeof(hash_str));