
Commit ba782cc

committed
Add socat and rspamd patches
Signed-off-by: Bernhard Rosenkränzer <[email protected]>
1 parent 6038d98 commit ba782cc


2 files changed

+363
-0
lines changed


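--- a/rspamd/rspamd-1.3.5-openssl-1.1.patch
+++ b/rspamd/rspamd-1.3.5-openssl-1.1.patch
@@ -0,0 +1,232 @@
+--- rspamd-1.3.5/src/libcryptobox/cryptobox.c.omv~ 2016-09-17 14:46:16.722429415 +0200
++++ rspamd-1.3.5/src/libcryptobox/cryptobox.c 2016-09-17 15:08:06.784867231 +0200
+@@ -314,7 +314,7 @@ rspamd_cryptobox_init (void)
+ctx->curve25519_impl = curve25519_load ();
+ctx->blake2_impl = blake2b_load ();
+ctx->ed25519_impl = ed25519_load ();
+-#ifdef HAVE_USABLE_OPENSSL
++#if defined(HAVE_USABLE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10100000L
+ERR_load_ECDSA_strings ();
+ERR_load_EC_strings ();
+ERR_load_RAND_strings ();
+@@ -479,14 +479,15 @@ rspamd_cryptobox_sign (guchar *sig, gsiz
+#else
+EC_KEY *lk;
+BIGNUM *bn_sec, *kinv = NULL, *rp = NULL;
+- EVP_MD_CTX sha_ctx;
++ EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();
+unsigned char h[64];
+guint diglen = rspamd_cryptobox_signature_bytes (mode);
+
+/* Prehash */
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, m, mlen);
+- EVP_DigestFinal (&sha_ctx, h, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, m, mlen);
++ EVP_DigestFinal (sha_ctx, h, NULL);
++ EVP_MD_CTX_free(sha_ctx);
+
+/* Key setup */
+lk = EC_KEY_new_by_curve_name (CRYPTOBOX_CURVE_NID);
+@@ -529,13 +530,14 @@ rspamd_cryptobox_verify (const guchar *s
+EC_KEY *lk;
+EC_POINT *ec_pub;
+BIGNUM *bn_pub;
+- EVP_MD_CTX sha_ctx;
++ EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();
+unsigned char h[64];
+
+/* Prehash */
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, m, mlen);
+- EVP_DigestFinal (&sha_ctx, h, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, m, mlen);
++ EVP_DigestFinal (sha_ctx, h, NULL);
++ EVP_MD_CTX_free(sha_ctx);
+
+/* Key setup */
+lk = EC_KEY_new_by_curve_name (CRYPTOBOX_CURVE_NID);
+@@ -559,6 +561,7 @@ rspamd_cryptobox_verify (const guchar *s
+return ret;
+}
+
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+static gsize
+rspamd_cryptobox_encrypt_ctx_len (enum rspamd_cryptobox_mode mode)
+{
+@@ -575,6 +578,7 @@ rspamd_cryptobox_encrypt_ctx_len (enum r
+
+return 0;
+}
++#endif
+
+static gsize
+rspamd_cryptobox_auth_ctx_len (enum rspamd_cryptobox_mode mode)
+@@ -616,7 +620,7 @@ rspamd_cryptobox_encrypt_init (void *enc
+EVP_CIPHER_CTX *s;
+
+s = cryptobox_align_ptr (enc_ctx, CRYPTOBOX_ALIGNMENT);
+- memset (s, 0, sizeof (*s));
++ EVP_CIPHER_CTX_reset(s);
+g_assert (EVP_EncryptInit_ex (s, EVP_aes_256_gcm (), NULL, NULL, NULL) == 1);
+g_assert (EVP_CIPHER_CTX_ctrl (s, EVP_CTRL_GCM_SET_IVLEN,
+rspamd_cryptobox_nonce_bytes (mode), NULL) == 1);
+@@ -787,7 +791,7 @@ rspamd_cryptobox_decrypt_init (void *enc
+EVP_CIPHER_CTX *s;
+
+s = cryptobox_align_ptr (enc_ctx, CRYPTOBOX_ALIGNMENT);
+- memset (s, 0, sizeof (*s));
++ EVP_CIPHER_CTX_reset(s);
+g_assert (EVP_DecryptInit_ex(s, EVP_aes_256_gcm (), NULL, NULL, NULL) == 1);
+g_assert (EVP_CIPHER_CTX_ctrl (s, EVP_CTRL_GCM_SET_IVLEN,
+rspamd_cryptobox_nonce_bytes (mode), NULL) == 1);
+@@ -959,6 +963,9 @@ rspamd_cryptobox_cleanup (void *enc_ctx,
+EVP_CIPHER_CTX *s = enc_ctx;
+
+EVP_CIPHER_CTX_cleanup (s);
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ EVP_CIPHER_CTX_free (s);
++#endif
+#endif
+}
+}
+@@ -972,7 +979,11 @@ void rspamd_cryptobox_encrypt_nm_inplace
+gsize r;
+void *enc_ctx, *auth_ctx;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ enc_ctx = EVP_CIPHER_CTX_new();
++#else
+enc_ctx = g_alloca (rspamd_cryptobox_encrypt_ctx_len (mode));
++#endif
+auth_ctx = g_alloca (rspamd_cryptobox_auth_ctx_len (mode));
+
+enc_ctx = rspamd_cryptobox_encrypt_init (enc_ctx, nonce, nm, mode);
+@@ -1016,7 +1027,11 @@ rspamd_cryptobox_encryptv_nm_inplace (st
+guchar *out, *in;
+gsize r, remain, inremain, seg_offset;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ enc_ctx = EVP_CIPHER_CTX_new();
++#else
+enc_ctx = g_alloca (rspamd_cryptobox_encrypt_ctx_len (mode));
++#endif
+auth_ctx = g_alloca (rspamd_cryptobox_auth_ctx_len (mode));
+
+enc_ctx = rspamd_cryptobox_encrypt_init (enc_ctx, nonce, nm, mode);
+@@ -1122,7 +1137,11 @@ rspamd_cryptobox_decrypt_nm_inplace (guc
+gboolean ret = TRUE;
+void *enc_ctx, *auth_ctx;
+
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ enc_ctx = EVP_CIPHER_CTX_new();
++#else
+enc_ctx = g_alloca (rspamd_cryptobox_encrypt_ctx_len (mode));
++#endif
+auth_ctx = g_alloca (rspamd_cryptobox_auth_ctx_len (mode));
+
+enc_ctx = rspamd_cryptobox_decrypt_init (enc_ctx, nonce, nm, mode);
+--- rspamd-1.3.5/src/libcryptobox/ed25519/ref.c.omv~ 2016-09-17 14:49:51.946533386 +0200
++++ rspamd-1.3.5/src/libcryptobox/ed25519/ref.c 2016-09-17 15:07:02.088767884 +0200
+@@ -28,11 +28,11 @@ ed_seed_keypair_ref (unsigned char *pk,
+const unsigned char *seed)
+{
+ge_p3 A;
+- EVP_MD_CTX sha_ctx;
++ EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();
+
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, seed, 32);
+- EVP_DigestFinal (&sha_ctx, sk, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, seed, 32);
++ EVP_DigestFinal (sha_ctx, sk, NULL);
+
+sk[0] &= 248;
+sk[31] &= 63;
+@@ -44,6 +44,8 @@ ed_seed_keypair_ref (unsigned char *pk,
+memmove (sk, seed, 32);
+memmove (sk + 32, pk, 32);
+
++ EVP_MD_CTX_free(sha_ctx);
++
+return 0;
+}
+
+@@ -64,7 +66,7 @@ int
+ed_verify_ref(const unsigned char *sig, const unsigned char *m,
+size_t mlen, const unsigned char *pk)
+{
+- EVP_MD_CTX sha_ctx;
++ EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();
+unsigned char h[64];
+unsigned char rcheck[32];
+unsigned int i;
+@@ -85,11 +87,12 @@ ed_verify_ref(const unsigned char *sig,
+return -1;
+}
+
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, sig, 32);
+- EVP_DigestUpdate (&sha_ctx, pk, 32);
+- EVP_DigestUpdate (&sha_ctx, m, mlen);
+- EVP_DigestFinal (&sha_ctx, h, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, sig, 32);
++ EVP_DigestUpdate (sha_ctx, pk, 32);
++ EVP_DigestUpdate (sha_ctx, m, mlen);
++ EVP_DigestFinal (sha_ctx, h, NULL);
++ EVP_MD_CTX_free (sha_ctx);
+sc_reduce (h);
+
+ge_double_scalarmult_vartime (&R, h, &A, sig + 32);
+@@ -103,23 +106,23 @@ ed_sign_ref(unsigned char *sig, size_t *
+const unsigned char *m, size_t mlen,
+const unsigned char *sk)
+{
+- EVP_MD_CTX sha_ctx;
++ EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();
+unsigned char az[64];
+unsigned char nonce[64];
+unsigned char hram[64];
+ge_p3 R;
+
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, sk, 32);
+- EVP_DigestFinal (&sha_ctx, az, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, sk, 32);
++ EVP_DigestFinal (sha_ctx, az, NULL);
+az[0] &= 248;
+az[31] &= 63;
+az[31] |= 64;
+
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, az + 32, 32);
+- EVP_DigestUpdate (&sha_ctx, m, mlen);
+- EVP_DigestFinal (&sha_ctx, nonce, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, az + 32, 32);
++ EVP_DigestUpdate (sha_ctx, m, mlen);
++ EVP_DigestFinal (sha_ctx, nonce, NULL);
+
+memmove (sig + 32, sk + 32, 32);
+
+@@ -127,10 +130,11 @@ ed_sign_ref(unsigned char *sig, size_t *
+ge_scalarmult_base (&R, nonce);
+ge_p3_tobytes (sig, &R);
+
+- g_assert (EVP_DigestInit (&sha_ctx, EVP_sha512()) == 1);
+- EVP_DigestUpdate (&sha_ctx, sig, 64);
+- EVP_DigestUpdate (&sha_ctx, m, mlen);
+- EVP_DigestFinal (&sha_ctx, hram, NULL);
++ g_assert (EVP_DigestInit (sha_ctx, EVP_sha512()) == 1);
++ EVP_DigestUpdate (sha_ctx, sig, 64);
++ EVP_DigestUpdate (sha_ctx, m, mlen);
++ EVP_DigestFinal (sha_ctx, hram, NULL);
++ EVP_MD_CTX_free(sha_ctx);
+
+sc_reduce (hram);
+sc_muladd (sig + 32, hram, az, nonce);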
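Review bot: In ed_verify_ref the digest context is now heap-allocated at its declaration (`EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new();`, patch line 163) but the `return -1;` in the next hunk (line 168) runs before the `EVP_MD_CTX_free (sha_ctx);` at line 181, so every rejected signature leaks a context; allocating at the point of first use and checking it, `EVP_MD_CTX *sha_ctx = EVP_MD_CTX_new(); g_assert (sha_ctx != NULL);` directly before the first `EVP_DigestInit`, fixes that and also covers the fact that none of the `EVP_MD_CTX_new()` / `EVP_CIPHER_CTX_new()` calls in this patch are NULL-checked (the existing `g_assert` only wraps `EVP_DigestInit`, which would already have dereferenced a NULL context). In cryptobox.c the pointer returned by `EVP_CIPHER_CTX_new()` is still fed through `cryptobox_align_ptr (enc_ctx, CRYPTOBOX_ALIGNMENT)` before `EVP_CIPHER_CTX_reset(s)`; if that helper rounds the address up (its definition is outside this patch), the opaque 1.1.0 structure is reset at an offset inside the allocation and `rspamd_cryptobox_cleanup` later passes the shifted pointer to `EVP_CIPHER_CTX_free`, so the alignment step should be skipped for the heap-allocated case. The version guards are also inconsistent: `EVP_MD_CTX_new`, `EVP_MD_CTX_free` and `EVP_CIPHER_CTX_reset` are used unconditionally, so the retained `#else` / `g_alloca` branches for OpenSSL < 1.1.0 can no longer compile and are effectively dead. Whether `rspamd_cryptobox_decrypt_nm_inplace` still reaches cleanup on its authentication-failure path is not visible in this hunk and is worth confirming now that the cipher context must be freed rather than discarded with the stack frame.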

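--- a/socat/socat-1.7.3.1-openssl-1.1.patch
+++ b/socat/socat-1.7.3.1-openssl-1.1.patch
@@ -0,0 +1,131 @@
+--- socat-1.7.3.1/sslcls.c.omv~ 2016-09-17 16:50:21.368370934 +0200
++++ socat-1.7.3.1/sslcls.c 2016-09-17 16:57:38.046576828 +0200
+@@ -331,6 +331,7 @@ void sycSSL_free(SSL *ssl) {
+return;
+}
+
++#ifndef OPENSSL_NO_EGD
+int sycRAND_egd(const char *path) {
+int result;
+Debug1("RAND_egd(\"%s\")", path);
+@@ -338,6 +339,7 @@ int sycRAND_egd(const char *path) {
+Debug1("RAND_egd() -> %d", result);
+return result;
+}
++#endif
+
+DH *sycPEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u) {
+DH *result;
+--- socat-1.7.3.1/xio-openssl.c.omv~ 2016-09-17 16:40:56.795922733 +0200
++++ socat-1.7.3.1/xio-openssl.c 2016-09-17 16:58:28.620907037 +0200
+@@ -722,7 +722,9 @@ int
+char *opt_dhparam = NULL; /* file name of DH params */
+char *opt_cafile = NULL; /* certificate authority file */
+char *opt_capath = NULL; /* certificate authority directory */
++#ifndef OPENSSL_NO_EGD
+char *opt_egd = NULL; /* entropy gathering daemon socket path */
++#endif
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+char *opt_compress = NULL; /* compression method */
+#endif
+@@ -741,7 +743,9 @@ int
+retropt_string(opts, OPT_OPENSSL_CAPATH, &opt_capath);
+retropt_string(opts, OPT_OPENSSL_KEY, &opt_key);
+retropt_string(opts, OPT_OPENSSL_DHPARAM, &opt_dhparam);
++#ifndef OPENSSL_NO_EGD
+retropt_string(opts, OPT_OPENSSL_EGD, &opt_egd);
++#endif
+retropt_bool(opts,OPT_OPENSSL_PSEUDO, &opt_pseudo);
+#if OPENSSL_VERSION_NUMBER >= 0x00908000L
+retropt_string(opts, OPT_OPENSSL_COMPRESS, &opt_compress);
+@@ -877,9 +881,11 @@ int
+}
+}
+
++#ifndef OPENSSL_NO_EGD
+if (opt_egd) {
+sycRAND_egd(opt_egd);
+}
++#endif
+
+if (opt_pseudo) {
+long int randdata;
+@@ -945,24 +951,24 @@ int
+}
+Error("DH_new() failed");
+} else {
+- dh->p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+- dh->g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+- if ((dh->p == NULL) || (dh->g == NULL)) {
++ BIGNUM *p = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
++ BIGNUM *g = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
++ if(p == NULL || g == NULL) {
+while (err = ERR_get_error()) {
+Warn1("BN_bin2bn(): %s",
+ERR_error_string(err, NULL));
+}
+Error("BN_bin2bn() failed");
+- } else {
+- if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
+- while (err = ERR_get_error()) {
+- Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
+- ERR_error_string(err, NULL));
+- }
+- Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
++ }
++ DH_set0_pqg(dh, p, NULL, g);
++ if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
++ while (err = ERR_get_error()) {
++ Warn3("SSL_CTX_set_tmp_dh(%p, %p): %s", *ctx, dh,
++ ERR_error_string(err, NULL));
+}
+- /*! OPENSSL_free(dh->p,g)? doc does not tell so */
++ Error2("SSL_CTX_set_tmp_dh(%p, %p) failed", *ctx, dh);
+}
++ /*! OPENSSL_free(dh->p,g)? doc does not tell so */
+DH_free(dh);
+}
+}
+@@ -1103,7 +1109,7 @@ static int openssl_SSL_ERROR_SSL(int lev
+while (e = ERR_get_error()) {
+Debug1("ERR_get_error(): %lx", e);
+if (e == ((ERR_LIB_RAND<<24)|
+- (RAND_F_SSLEAY_RAND_BYTES<<12)|
++ (RAND_F_RAND_BYTES<<12)|
+(RAND_R_PRNG_NOT_SEEDED)) /*0x24064064*/) {
+Error("too few entropy; use options \"egd\" or \"pseudo\"");
+stat = STAT_NORETRY;
+@@ -1236,13 +1242,13 @@ static int openssl_setenv_cert_fields(co
+X509_NAME_ENTRY *entry;
+ASN1_OBJECT *obj;
+ASN1_STRING *data;
+- unsigned char *text;
++ unsigned const char *text;
+int nid;
+entry = X509_NAME_get_entry(name, i);
+obj = X509_NAME_ENTRY_get_object(entry);
+data = X509_NAME_ENTRY_get_data(entry);
+nid = OBJ_obj2nid(obj);
+- text = ASN1_STRING_data(data);
++ text = ASN1_STRING_get0_data(data);
+Debug3("SSL peer cert %s entry: %s=\"%s\"", (field[0]?field:"subject"), OBJ_nid2ln(nid), text);
+if (field != NULL && field[0] != '\0') {
+xiosetenv3("OPENSSL_X509", field, OBJ_nid2ln(nid), (const char *)text, 2, " // ");
+@@ -1306,7 +1312,7 @@ static bool openssl_check_peername(X509_
+int ind = -1;
+X509_NAME_ENTRY *entry;
+ASN1_STRING *data;
+- unsigned char *text;
++ unsigned const char *text;
+ind = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+if (ind < 0) {
+Info("no COMMONNAME field in peer certificate");
+@@ -1314,7 +1320,7 @@ static bool openssl_check_peername(X509_
+}
+entry = X509_NAME_get_entry(name, ind);
+data = X509_NAME_ENTRY_get_data(entry);
+- text = ASN1_STRING_data(data);
++ text = ASN1_STRING_get0_data(data);
+return openssl_check_name((const char *)text, peername);
+}
+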
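Review bot: The rewritten DH block (patch lines 57–86) drops the original `else`, so when `BN_bin2bn` fails and `Error()` returns (socat's `Error` does not necessarily terminate; confirm for this build), execution continues into `DH_set0_pqg(dh, p, NULL, g)` with a NULL `p` or `g`; that call fails, its return value is not checked, ownership of the non-NULL BIGNUM is not transferred (so it leaks), and `sycSSL_CTX_set_tmp_dh` is then attempted on a `DH` that carries no parameters. The retained comment `/*! OPENSSL_free(dh->p,g)? doc does not tell so */` is now misleading: after a successful `DH_set0_pqg` the `DH` owns `p` and `g` and `DH_free` releases them, whereas on failure the caller must free them itself. I would restore the else-chain and check `DH_set0_pqg` as sketched below. Separately, the new `#ifndef OPENSSL_NO_EGD` guards hide `opt_egd`, but the `egd` option itself and the `use options \"egd\" or \"pseudo\"` message at line 96 are untouched, so with EGD compiled out the option is accepted and silently ignored while the error text still recommends it. Note also that `DH_set0_pqg` and `ASN1_STRING_get0_data` exist only from OpenSSL 1.1.0, so unlike the ifdef'd hunks this patch drops the ability to build against 1.0.x.
```c
      Error("BN_bin2bn() failed");
      BN_free(p);
      BN_free(g);
   } else if (!DH_set0_pqg(dh, p, NULL, g)) {
      /* ownership of p and g is not transferred on failure */
      BN_free(p);
      BN_free(g);
      Error("DH_set0_pqg() failed");
   } else if (sycSSL_CTX_set_tmp_dh(*ctx, dh) <= 0) {
      /* … unchanged: ERR_get_error() loop and Error2() … */
   }
   /* dh now owns p and g; DH_free() releases them */
   DH_free(dh);
```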
