stunnel/nss_compat_ossl-0.9.1-stunnel.patch
2007-08-28 15:02:14 +00:00


Index: src/Makefile.am
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/Makefile.am,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Makefile.am
--- src/Makefile.am 20 Apr 2007 22:33:27 -0000 1.1.1.1
+++ src/Makefile.am 26 Aug 2007 23:22:35 -0000
@@ -4,7 +4,7 @@
INCLUDES = @nspr_inc@ @nss_inc@
LIBS = @nspr_lib@ @nss_lib@ -lssl3 -lsmime3 -lnss3 -lsoftokn3 -lplc4 -lplds4 -lnspr4
-libnss_compat_ossl_la_SOURCES = ssl.c log.c rand.c
+libnss_compat_ossl_la_SOURCES = ssl.c algo.c log.c rand.c
pkginclude_HEADERS = nss_compat_ossl.h
Index: src/algo.c
===================================================================
RCS file: src/algo.c
diff -N src/algo.c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ src/algo.c 26 Aug 2007 23:22:35 -0000
@@ -0,0 +1,101 @@
+/*
+ * Copyright (C) 2007 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+*/
+
+#include <assert.h>
+
+#include "nss_compat_ossl.h"
+
+/* FIXME: is some error handling possible? */
+
+
+void DES_set_odd_parity(DES_cblock *key)
+{
+ size_t i;
+
+ for (i = 0; i < sizeof (*key)/sizeof (**key); i++) {
+ unsigned char val, b;
+
+ val = (*key)[i];
+ b = val;
+ b ^= (b >> 4); /* (b & 0x0F) == (b & 0x0F) ^ ((b & 0xF0) >> 4) */
+ b ^= (b >> 2); /* Likewise ... */
+ b ^= (b >> 1); /* (b & 0x01) == XOR (bits of b) */
+ if ((b & 0x01) == 0)
+ (*key)[i] = val ^ 0x01;
+ }
+}
+
+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule)
+{
+ assert (sizeof (schedule->key) == sizeof (*key));
+ memcpy (schedule->key, *key, sizeof (schedule->key));
+}
+
+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
+ DES_key_schedule *ks, int enc)
+{
+ static const CK_MECHANISM_TYPE mechanism = CKM_DES_ECB;
+
+ PK11SlotInfo *slot;
+ PK11Origin origin;
+ PK11SymKey *sym_key;
+ PK11Context *ctx;
+ SECItem key_item;
+ int out_len1;
+ unsigned out_len2;
+ /* FIXME: input and output may overlap */
+
+ slot = PK11_GetBestSlot(mechanism, NULL);
+ if (slot == NULL)
+ abort();
+ origin = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT,
+ key_item.data = ks->key;
+ key_item.len = sizeof (ks->key);
+ sym_key = PK11_ImportSymKey(slot, mechanism, PK11_OriginUnwrap, origin,
+ &key_item, NULL);
+ ctx = PK11_CreateContextBySymKey(mechanism, origin, sym_key, NULL);
+ (void)PK11_CipherOp(ctx, *output, &out_len1, sizeof (*output), *input,
+ sizeof (*input));
+ (void)PK11_DigestFinal(ctx, *output + out_len1, &out_len2,
+ sizeof (*output) - out_len1);
+ assert (out_len1 + out_len2 == sizeof (*output));
+ PK11_DestroyContext(ctx, PR_TRUE);
+ PK11_FreeSymKey(sym_key);
+ PK11_FreeSlot(slot);
+}
+
+
+void MD4_Init(MD4_CTX *c)
+{
+ *c = PK11_CreateDigestContext(SEC_OID_MD4);
+ (void)PK11_DigestBegin(*c);
+}
+
+void MD4_Update(MD4_CTX *c, const void *data, size_t len)
+{
+ (void)PK11_DigestOp(*c, data, len);
+}
+
+void MD4_Final(unsigned char *md, MD4_CTX *c)
+{
+ unsigned len;
+
+ (void)PK11_DigestFinal(*c, md, &len, 16);
+ assert (len == 16);
+ PK11_DestroyContext(*c, PR_TRUE);
+}
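Review bot: In DES_ecb_encrypt the results of PK11_ImportSymKey and PK11_CreateContextBySymKey are used without a NULL check, even though PK11_GetBestSlot's failure already aborts; a NULL sym_key or ctx goes straight into PK11_CipherOp. For consistency with the slot path add `if (sym_key == NULL) abort();` after the import and `if (ctx == NULL) abort();` after the context is created. The line `origin = enc != DES_DECRYPT ? CKA_ENCRYPT : CKA_DECRYPT,` ends in a comma rather than a semicolon, which compiles via the comma operator but is a typo worth fixing. Note also that `assert (out_len1 + out_len2 == sizeof (*output))` is the only check on the cipher output length and disappears under NDEBUG, so a short output would go unnoticed in release builds; the same applies to `assert (len == 16)` in MD4_Final.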
Index: src/nss_compat_ossl.h
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/nss_compat_ossl.h,v
retrieving revision 1.4
diff -u -r1.4 nss_compat_ossl.h
--- src/nss_compat_ossl.h 11 May 2007 21:25:00 -0000 1.4
+++ src/nss_compat_ossl.h 26 Aug 2007 23:22:35 -0000
@@ -44,6 +44,8 @@
#define NO_RSA 1 /* FIXME: ? */
#define USE_NSS 1 /* FIXME: autoconf? */
+#define PEM_BUFSIZE 1024
+
/* FIXME: need to map from SSL -> SSL_CTX */
#define OSSL_SSL2CTX(x) ((SSL_CTX *)NULL)
#define OSSL_X509_STORE_CTX2CERT(x) NULL
@@ -167,7 +169,14 @@
#define X509_OBJECT SECItem
#define X509_LOOKUP SECItem
#define X509_LOOKUP_METHOD SECItem
-#define X509_STORE_CTX CERTCertificate
+
+typedef struct
+{
+ X509 *current_cert;
+ SSL *ssl__;
+ int error;
+} X509_STORE_CTX;
+
#define X509_STORE SECItem
#define X509_NAME CERTName
#define X509_REVOKED SECItem
@@ -304,6 +313,7 @@
long SSL_CTX_set_mode(SSL_CTX *ctx, long mode);
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+int PEM_def_callback(char *buf, int num, int w, void *key);
/* SSL context statistics */
@@ -367,6 +377,7 @@
SSL_METHOD *SSLv3_client_method(void);
SSL_METHOD *SSLv23_client_method(void);
SSL_METHOD *TLSv1_client_method(void);
+SSL_METHOD *SSLv2_server_method(void);
SSL_METHOD *SSLv23_server_method(void);
SSL_METHOD *SSLv3_server_method(void);
SSL_METHOD *TLSv1_server_method(void);
@@ -392,6 +403,8 @@
#define X509_L_FILE_LOAD 1
#define X509_L_ADD_DIR 2
+#define X509_LU_X509 1
+
X509 *d2i_X509(void *reserved, unsigned char **data, int len);
X509_NAME *X509_get_issuer_name(X509 *x);
X509_NAME *X509_get_subject_name(X509 *x);
@@ -412,6 +425,10 @@
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx);
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+ X509_OBJECT *ret);
+int SSL_get_ex_data_X509_STORE_CTX_idx(void);
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx);
/* Other */
@@ -489,12 +506,11 @@
const char *SSL_alert_type_string_long(int value);
const char *SSL_alert_desc_string_long(int value);
-#if 0
const char *SSL_state_string_long(const SSL *s);
-#endif
void CRYPTO_set_id_callback(unsigned long (*func)(void));
-void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line));
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+ const char *file, int line));
/* RNG */
@@ -510,6 +526,24 @@
const char *nss_error(int error);
+/* Encryption functions */
+#define DES_DECRYPT 0
+#define DES_ENCRYPT 1
+typedef unsigned char DES_cblock[8], const_DES_cblock[8];
+typedef struct { DES_cblock key; } DES_key_schedule;
+
+void DES_set_odd_parity(DES_cblock *key);
+void DES_set_key_unchecked(const_DES_cblock *key, DES_key_schedule *schedule);
+void DES_ecb_encrypt(const_DES_cblock *input, DES_cblock *output,
+ DES_key_schedule *ks, int enc);
+
+/* Hash functions */
+typedef PK11Context *MD4_CTX;
+
+void MD4_Init(MD4_CTX *c);
+void MD4_Update(MD4_CTX *c, const void *data, size_t len);
+void MD4_Final(unsigned char *md, MD4_CTX *c);
+
/* ASN1 funcs */
unsigned char * ASN1_STRING_data(ASN1_STRING *x);
int ASN1_STRING_type(ASN1_STRING *x);
Index: src/rand.c
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/rand.c,v
retrieving revision 1.2
diff -u -r1.2 rand.c
--- src/rand.c 23 Apr 2007 18:00:35 -0000 1.2
+++ src/rand.c 26 Aug 2007 23:22:35 -0000
@@ -78,27 +78,17 @@
int RAND_write_file(const char *file)
{
- char buf[RAND_WRITE_BYTES];
+ unsigned char buf[RAND_WRITE_BYTES];
int total = 0;
- int size;
FILE *fp;
if ((fp = fopen(file, "wb")) != NULL) {
- while (total < RAND_WRITE_BYTES) {
- /* PR_GetRandomNoise is not guaranteed to return the number of
- * requested bytes so we'll keep trying */
- size = PR_GetRandomNoise(buf, RAND_WRITE_BYTES - total);
- if (size == 0 && total == 0) {
- /* PR_GetRandomNoise not implemented */
- fclose(fp);
- return 0;
- }
- fwrite(buf, 1, size, fp);
- total += size;
- }
+ if (PK11_GenerateRandom(buf, sizeof (buf)) == SECSuccess) {
+ total = sizeof (buf);
+ fwrite(buf, 1, total, fp);
+ }
+ fclose(fp);
}
- fclose(fp);
-
return total;
}
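Review bot: RAND_write_file reports sizeof (buf) bytes as written even when fwrite writes fewer or fclose fails, because the return value on the `fwrite(buf, 1, total, fp);` line is discarded; use `total = (int)fwrite(buf, 1, sizeof (buf), fp);` and treat a non-zero return from fclose as a failure so the caller can tell the seed file is incomplete. The file is also opened with a plain fopen(file, "wb"), so a newly created seed file gets whatever permissions the process umask allows; OpenSSL's own RAND_write_file creates the file with mode 0600, and a seed file readable by other local users is worth avoiding, for example by using open(O_WRONLY|O_CREAT|O_TRUNC, 0600) plus fdopen where POSIX is available. Clearing buf after the write would also keep the emitted seed bytes from lingering on the stack.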
Index: src/ssl.c
===================================================================
RCS file: /cvs/dirsec/nss_compat_ossl/src/ssl.c,v
retrieving revision 1.12
diff -u -r1.12 ssl.c
--- src/ssl.c 29 May 2007 22:00:19 -0000 1.12
+++ src/ssl.c 26 Aug 2007 23:22:35 -0000
@@ -429,9 +429,14 @@
* use it. Otherwise fall back to the one provided by NSS.
*/
if (ossl->verify_cb != NULL) {
+ X509_STORE_CTX ctx;
+
verify_callback = ossl->verify_cb;
- rv = verify_callback((status == SECSuccess) ? 1 : 0, (X509_STORE_CTX *)ssl);
+ ctx.current_cert = SSL_get_peer_certificate(ssl);
+ ctx.error = PORT_GetError();
+ rv = verify_callback((status == SECSuccess) ? 1 : 0, &ctx);
+ X509_free(ctx.current_cert);
if (rv == 1) {
ossl->verify_result = X509_V_OK;
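Review bot: The stack X509_STORE_CTX built for the callback sets only current_cert and error; ssl__ is never assigned, so X509_STORE_CTX_get_ex_data (in the last ssl.c hunk) hands a callback that asks for SSL_get_ex_data_X509_STORE_CTX_idx() an indeterminate pointer. Add `ctx.ssl__ = ssl;` next to the other two assignments, or declare it as `X509_STORE_CTX ctx = {0};` before setting the fields. Separately, SSL_get_peer_certificate now returns NULL when there is no peer certificate (see the hunk at -1890), and that result is passed to X509_free unconditionally; confirm X509_free tolerates NULL or guard the call. The enclosing function starts and ends outside the hunk.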
@@ -1492,6 +1497,11 @@
return create_context(PR_FALSE, PR_FALSE, PR_TRUE, PR_FALSE);
}
+SSL_METHOD *SSLv2_server_method(void)
+{
+ return create_context(PR_TRUE, PR_FALSE, PR_FALSE, PR_TRUE);
+}
+
SSL_METHOD *SSLv23_server_method(void)
{
return create_context(PR_TRUE, PR_TRUE, PR_FALSE, PR_TRUE);
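Review bot: SSLv2_server_method is added as a bare call to create_context(PR_TRUE, PR_FALSE, PR_FALSE, PR_TRUE) with no comment on what the four positional flags select; placed next to SSLv23_server_method, which differs only in the second argument, a reader cannot tell which protocol versions each enables without opening create_context. A one-line comment per method naming the versions it turns on (e.g. `/* SSLv2 only; flag order as in create_context */`, adjusted to the real flag meaning) would document the contract, which matters here because a caller picking this method presumably gets a legacy protocol with well-known weaknesses rather than the negotiated one.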
@@ -1890,6 +1900,9 @@
if (ssl)
cert = SSL_PeerCertificate(ssl);
+ if (cert == NULL)
+ return NULL;
+
x = (X509 *)malloc(sizeof(X509));
x->cert = cert;
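Review bot: The new NULL check covers the missing peer certificate, but the malloc on the next line is still unchecked, so `x->cert = cert;` dereferences NULL on allocation failure; the cast on malloc is also unnecessary in C. Use `x = malloc(sizeof *x); if (x == NULL) return NULL;`, and consider whether the reference obtained from SSL_PeerCertificate needs to be released on that failure path, since callers presumably expect the returned X509 to own it. The enclosing function starts and ends outside the hunk.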
@@ -2146,8 +2159,8 @@
value = CERT_NameToAscii(x);
- if (len)
- s = PL_strncpyz(s, value, len);
+ if (s)
+ s = PL_strncpyz(s, value, len);
else
s = PORT_ArenaStrdup(x->arena, value);
@@ -2815,7 +2828,7 @@
const char *SSL_state_string_long(const SSL *s)
{
/* We have no visibility into the current NSS handshake state */
- return (NULL);
+ return "Unknown";
}
void SSL_CTX_set_info_callback(SSL_CTX *ctx, void(*cb)())
@@ -2860,6 +2873,13 @@
return;
}
+/* SSL_CTX_set_default_passwd_cb* is ignored */
+int PEM_def_callback(char *buf, int num, int w, void *key)
+{
+ *buf = 0;
+ return 0;
+}
+
long SSL_session_reused(SSL *s)
{
return 0;
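Review bot: PEM_def_callback writes `*buf = 0;` without checking that buf is non-NULL and num is positive, so a caller probing with a zero-length buffer would write out of bounds. Guard it as `if (buf != NULL && num > 0) *buf = 0;`. Since the function always returns 0, the comment above it could also state that this presumably yields an empty passphrase rather than an error, so callers that rely on encrypted key material know the callback does not supply one.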
@@ -2867,19 +2887,59 @@
X509 * X509_STORE_CTX_get_current_cert(X509_STORE_CTX *ctx)
{
- X509 * x;
-
- /* Is it really the peer cert we want? Docs are slim on this */
- x = SSL_get_peer_certificate((SSL *)ctx);
+ return ctx->current_cert;
+}
- return x;
+#define X509_STORE_CTX_EX_DATA_SSL_IDX 42
+int SSL_get_ex_data_X509_STORE_CTX_idx(void)
+{
+ return X509_STORE_CTX_EX_DATA_SSL_IDX;
}
+void *X509_STORE_CTX_get_ex_data(X509_STORE_CTX *ctx, int idx)
+{
+ if (idx == X509_STORE_CTX_EX_DATA_SSL_IDX)
+ return ctx->ssl__;
+ return NULL;
+}
+
+
+int X509_STORE_get_by_subject(X509_STORE_CTX *vs, int type, X509_NAME *name,
+ X509_OBJECT *ret)
+{
+ PRArenaPool *arena;
+ CERTCertificate * cert;
+ SECItem *subject;
+
+ (void)vs;
+ if (type != X509_LU_X509)
+ return 0;
+
+ arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+ if (arena == NULL)
+ return 0;
+ subject = SEC_ASN1EncodeItem(arena, NULL, name, CERT_NameTemplate);
+ cert = NULL;
+ if (subject != NULL)
+ cert = CERT_FindCertByName(CERT_GetDefaultCertDB(), subject);
+ PORT_FreeArena(arena, PR_FALSE);
+ if (cert == NULL)
+ return 0;
+ /* FIXME: a more useful representation of the certificate, e.g. one that
+ does not leak? */
+ ret->type = siBuffer;
+ ret->data = (unsigned char *)cert;
+ ret->len = sizeof (*cert);
+ return 1;
+}
+
+
void CRYPTO_set_id_callback(unsigned long (*func)(void))
{
}
-void CRYPTO_set_locking_callback(void (*func)(int mode,int type, int line))
+void CRYPTO_set_locking_callback(void (*func)(int mode,int type,
+ const char *file, int line))
{
}
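Review bot: X509_STORE_get_by_subject returns 1 with `ret->data` pointing at the CERTCertificate struct and `ret->len = sizeof (*cert)`, while the header hunk declares X509_OBJECT as SECItem; a caller treating data/len as an encoded buffer would read the struct's bytes, and the reference from CERT_FindCertByName is never released, as the FIXME notes. Until a better representation exists, document the contract on the header declaration: that ret->data is a borrowed CERTCertificate pointer the caller must not free and whose lifetime is not bounded by this call. The lookup also passes `name` straight into SEC_ASN1EncodeItem; if a NULL name is possible from callers, an early `if (name == NULL) return 0;` keeps that failure explicit.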