Merge "Use accessors rather than reaching into BoringSSL structs." am: f555767bc6
Original change: https://android-review.googlesource.com/c/platform/external/ipsec-tools/+/1776665
Change-Id: I2ada03716bb15cae4b32501cf426f9b1295c782d
diff --git a/setup.c b/setup.c
index 58e86f1..9cbe2f9 100644
--- a/setup.c
+++ b/setup.c
@@ -674,7 +674,7 @@
/* misc.h */
-int racoon_hexdump(void *data, size_t length)
+int racoon_hexdump(const void *data, size_t length)
{
return 0;
}
diff --git a/src/racoon/crypto_openssl.c b/src/racoon/crypto_openssl.c
index cd6dc7b..b34b6dd 100644
--- a/src/racoon/crypto_openssl.c
+++ b/src/racoon/crypto_openssl.c
@@ -283,15 +283,19 @@
{
int i;
- if (a->length != b->length)
- return (a->length - b->length);
+ int a_length = ASN1_STRING_length(a);
+ int b_length = ASN1_STRING_length(b);
+ if (a_length != b_length)
+ return (a_length - b_length);
- for (i=0; i<a->length; i++)
+ const unsigned char *a_data = ASN1_STRING_get0_data(a);
+ const unsigned char *b_data = ASN1_STRING_get0_data(b);
+ for (i=0; i<a_length; i++)
{
int ca, cb;
- ca = tolower(a->data[i]);
- cb = tolower(b->data[i]);
+ ca = tolower(a_data[i]);
+ cb = tolower(b_data[i]);
if (ca != cb)
return(ca-cb);
@@ -305,13 +309,13 @@
*/
static int nocase_spacenorm_cmp(const ASN1_STRING *a, const ASN1_STRING *b)
{
- unsigned char *pa = NULL, *pb = NULL;
+ const unsigned char *pa = NULL, *pb = NULL;
int la, lb;
- la = a->length;
- lb = b->length;
- pa = a->data;
- pb = b->data;
+ la = ASN1_STRING_length(a);
+ lb = ASN1_STRING_length(b);
+ pa = ASN1_STRING_get0_data(a);
+ pb = ASN1_STRING_get0_data(b);
/* skip leading spaces */
while (la > 0 && isspace(*pa))
@@ -375,35 +379,37 @@
int i,j;
X509_NAME_ENTRY *na,*nb;
- if (sk_X509_NAME_ENTRY_num(a->entries)
- != sk_X509_NAME_ENTRY_num(b->entries))
- return sk_X509_NAME_ENTRY_num(a->entries)
- -sk_X509_NAME_ENTRY_num(b->entries);
- for (i=sk_X509_NAME_ENTRY_num(a->entries)-1; i>=0; i--)
+ if (X509_NAME_entry_count(a)
+ != X509_NAME_entry_count(b))
+ return X509_NAME_entry_count(a)
+ -X509_NAME_entry_count(b);
+ for (i=X509_NAME_entry_count(a)-1; i>=0; i--)
{
- na=sk_X509_NAME_ENTRY_value(a->entries,i);
- nb=sk_X509_NAME_ENTRY_value(b->entries,i);
- j=OBJ_cmp(na->object,nb->object);
+ na=X509_NAME_get_entry(a,i);
+ nb=X509_NAME_get_entry(b,i);
+ j=OBJ_cmp(X509_NAME_ENTRY_get_object(na),X509_NAME_ENTRY_get_object(nb));
if (j) return(j);
- if ((na->value->length == 1 && na->value->data[0] == '*')
- || (nb->value->length == 1 && nb->value->data[0] == '*'))
+ const ASN1_STRING *na_value=X509_NAME_ENTRY_get_data(na);
+ const ASN1_STRING *nb_value=X509_NAME_ENTRY_get_data(nb);
+ if ((ASN1_STRING_length(na_value) == 1 && ASN1_STRING_get0_data(na_value)[0] == '*')
+ || (ASN1_STRING_length(nb_value) == 1 && ASN1_STRING_get0_data(nb_value)[0] == '*'))
continue;
- j=na->value->type-nb->value->type;
+ j=ASN1_STRING_type(na_value)-ASN1_STRING_type(nb_value);
if (j) return(j);
- if (na->value->type == V_ASN1_PRINTABLESTRING)
- j=nocase_spacenorm_cmp(na->value, nb->value);
- else if (na->value->type == V_ASN1_IA5STRING
- && OBJ_obj2nid(na->object) == NID_pkcs9_emailAddress)
- j=nocase_cmp(na->value, nb->value);
+ if (ASN1_STRING_type(na_value) == V_ASN1_PRINTABLESTRING)
+ j=nocase_spacenorm_cmp(na_value, nb_value);
+ else if (ASN1_STRING_type(na_value) == V_ASN1_IA5STRING
+ && OBJ_obj2nid(X509_NAME_ENTRY_get_object(na)) == NID_pkcs9_emailAddress)
+ j=nocase_cmp(na_value, nb_value);
else
{
- j=na->value->length-nb->value->length;
+ j=ASN1_STRING_length(na_value)-ASN1_STRING_length(nb_value);
if (j) return(j);
- j=memcmp(na->value->data,nb->value->data,
- na->value->length);
+ j=memcmp(ASN1_STRING_get0_data(na_value),ASN1_STRING_get0_data(nb_value),
+ ASN1_STRING_length(na_value));
}
if (j) return(j);
- j=na->set-nb->set;
+ j=X509_NAME_ENTRY_set(na)-X509_NAME_ENTRY_set(nb);
if (j) return(j);
}
@@ -573,7 +579,7 @@
if (!ok) {
X509_NAME_oneline(
- X509_get_subject_name(ctx->current_cert),
+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
buf,
256);
/*
@@ -581,7 +587,8 @@
* ok if they are self signed. But we should still warn
* the user.
*/
- switch (ctx->error) {
+ int error = X509_STORE_CTX_get_error(ctx);
+ switch (error) {
case X509_V_ERR_CERT_HAS_EXPIRED:
case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
case X509_V_ERR_INVALID_CA:
@@ -596,9 +603,9 @@
}
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(ctx->error),
- ctx->error,
- ctx->error_depth,
+ X509_verify_cert_error_string(error),
+ error,
+ X509_STORE_CTX_get_error_depth(ctx),
buf);
}
ERR_clear_error();
@@ -620,10 +627,11 @@
if (!ok) {
X509_NAME_oneline(
- X509_get_subject_name(ctx->current_cert),
+ X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
buf,
256);
- switch (ctx->error) {
+ int error = X509_STORE_CTX_get_error(ctx);
+ switch (error) {
case X509_V_ERR_UNABLE_TO_GET_CRL:
ok = 1;
log_tag = LLV_WARNING;
@@ -633,9 +641,9 @@
}
plog(log_tag, LOCATION, NULL,
"%s(%d) at depth:%d SubjectName:%s\n",
- X509_verify_cert_error_string(ctx->error),
- ctx->error,
- ctx->error_depth,
+ X509_verify_cert_error_string(error),
+ error,
+ X509_STORE_CTX_get_error_depth(ctx),
buf);
}
ERR_clear_error();
@@ -662,13 +670,13 @@
goto error;
/* get the length of the name */
- len = i2d_X509_NAME(x509->cert_info->subject, NULL);
+ len = i2d_X509_NAME(X509_get_subject_name(x509), NULL);
name = vmalloc(len);
if (!name)
goto error;
/* get the name */
bp = (unsigned char *) name->v;
- len = i2d_X509_NAME(x509->cert_info->subject, &bp);
+ len = i2d_X509_NAME(X509_get_subject_name(x509), &bp);
X509_free(x509);
@@ -726,38 +734,37 @@
gen->type == GEN_URI )
{
/* make sure if the data is terminated by '\0'. */
- if (gen->d.ia5->data[gen->d.ia5->length] != '\0')
+ if (ASN1_STRING_get0_data(gen->d.ia5)[ASN1_STRING_length(gen->d.ia5)] != '\0')
{
plog(LLV_ERROR, LOCATION, NULL,
"data is not terminated by NUL.");
- racoon_hexdump(gen->d.ia5->data, gen->d.ia5->length + 1);
+ racoon_hexdump(ASN1_STRING_get0_data(gen->d.ia5), ASN1_STRING_length(gen->d.ia5) + 1);
goto end;
}
- len = gen->d.ia5->length + 1;
+ len = ASN1_STRING_length(gen->d.ia5) + 1;
*altname = racoon_malloc(len);
if (!*altname)
goto end;
- strlcpy(*altname, (char *) gen->d.ia5->data, len);
+ strlcpy(*altname, (const char *) ASN1_STRING_get0_data(gen->d.ia5), len);
*type = gen->type;
error = 0;
}
/* read IP address */
else if (gen->type == GEN_IPADD)
{
- unsigned char p[5], *ip;
- ip = p;
+ const unsigned char *ip;
/* only support IPv4 */
- if (gen->d.ip->length != 4)
+ if (ASN1_STRING_length(gen->d.ip) != 4)
goto end;
/* convert Octet String to String
* XXX ???????
*/
/*i2d_ASN1_OCTET_STRING(gen->d.ip,&ip);*/
- ip = gen->d.ip->data;
+ ip = ASN1_STRING_get0_data(gen->d.ip);
/* XXX Magic, enough for an IPv4 address
*/
@@ -976,7 +983,7 @@
return -1;
}
- res = eay_rsa_verify(source, sig, evp->pkey.rsa);
+ res = eay_rsa_verify(source, sig, EVP_PKEY_get0_RSA(evp));
EVP_PKEY_free(evp);
X509_free(x509);
@@ -1131,7 +1138,7 @@
if (evp == NULL)
return NULL;
- sig = eay_rsa_sign(src, evp->pkey.rsa);
+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
EVP_PKEY_free(evp);
@@ -2458,7 +2465,7 @@
u_int publen;
u_int32_t g;
{
- BIGNUM *p = NULL;
+ BIGNUM *p = NULL, *g_bn = NULL;
DH *dh = NULL;
int error = -1;
@@ -2469,20 +2476,18 @@
if ((dh = DH_new()) == NULL)
goto end;
- dh->p = p;
- p = NULL; /* p is now part of dh structure */
- dh->g = NULL;
- if ((dh->g = BN_new()) == NULL)
+ if ((g_bn = BN_new()) == NULL)
goto end;
- if (!BN_set_word(dh->g, g))
+ if (!BN_set_word(g_bn, g))
goto end;
+ if (!DH_set0_pqg(dh, p, NULL, g_bn))
+ goto end;
+ /* DH_set0_pqg takes ownership on success. */
+ p = NULL;
+ g_bn = NULL;
if (publen != 0) {
-#if defined(OPENSSL_IS_BORINGSSL)
- dh->priv_length = publen;
-#else
- dh->length = publen;
-#endif
+ DH_set_length(dh, publen);
}
/* generate public and private number */
@@ -2490,9 +2495,9 @@
goto end;
/* copy results to buffers */
- if (eay_bn2v(pub, dh->pub_key) < 0)
+ if (eay_bn2v(pub, DH_get0_pub_key(dh)) < 0)
goto end;
- if (eay_bn2v(priv, dh->priv_key) < 0) {
+ if (eay_bn2v(priv, DH_get0_priv_key(dh)) < 0) {
vfree(*pub);
goto end;
}
@@ -2502,8 +2507,10 @@
end:
if (dh != NULL)
DH_free(dh);
- if (p != 0)
+ if (p != NULL)
BN_free(p);
+ if (g_bn != NULL)
+ BN_free(g_bn);
return(error);
}
@@ -2513,39 +2520,48 @@
u_int32_t g;
{
BIGNUM *dh_pub = NULL;
+ BIGNUM *dh_pub2 = NULL;
+ BIGNUM *dh_priv = NULL;
+ BIGNUM *dh_p = NULL;
+ BIGNUM *dh_g = NULL;
DH *dh = NULL;
int l;
unsigned char *v = NULL;
int error = -1;
/* make public number to compute */
- if (eay_v2bn(&dh_pub, pub2) < 0)
+ if (eay_v2bn(&dh_pub2, pub2) < 0)
goto end;
/* make DH structure */
if ((dh = DH_new()) == NULL)
goto end;
- if (eay_v2bn(&dh->p, prime) < 0)
+ if (eay_v2bn(&dh_p, prime) < 0)
goto end;
- if (eay_v2bn(&dh->pub_key, pub) < 0)
+ if (eay_v2bn(&dh_pub, pub) < 0)
goto end;
- if (eay_v2bn(&dh->priv_key, priv) < 0)
+ if (eay_v2bn(&dh_priv, priv) < 0)
goto end;
-#if defined(OPENSSL_IS_BORINGSSL)
- dh->priv_length = pub2->l * 8;
-#else
- dh->length = pub2->l * 8;
-#endif
+ DH_set_length(dh, pub2->l * 8);
- dh->g = NULL;
- if ((dh->g = BN_new()) == NULL)
+ if ((dh_g = BN_new()) == NULL)
goto end;
- if (!BN_set_word(dh->g, g))
+ if (!BN_set_word(dh_g, g))
goto end;
+ if (!DH_set0_pqg(dh, dh_p, NULL, dh_g))
+ goto end;
+ /* DH_set0_pqg takes ownership on success. */
+ dh_p = NULL;
+ dh_g = NULL;
+ if (!DH_set0_key(dh, dh_pub, dh_priv))
+ goto end;
+ /* DH_set0_key takes ownership on success. */
+ dh_pub = NULL;
+ dh_priv = NULL;
if ((v = racoon_calloc(prime->l, sizeof(u_char))) == NULL)
goto end;
- if ((l = DH_compute_key(v, dh_pub, dh)) == -1)
+ if ((l = DH_compute_key(v, dh_pub2, dh)) == -1)
goto end;
memcpy((*key)->v + (prime->l - l), v, l);
@@ -2554,6 +2570,14 @@
end:
if (dh_pub != NULL)
BN_free(dh_pub);
+ if (dh_pub2 != NULL)
+ BN_free(dh_pub2);
+ if (dh_priv != NULL)
+ BN_free(dh_priv);
+ if (dh_p != NULL)
+ BN_free(dh_p);
+ if (dh_g != NULL)
+ BN_free(dh_g);
if (dh != NULL)
DH_free(dh);
if (v != NULL)
@@ -2588,7 +2612,7 @@
int
eay_bn2v(var, bn)
vchar_t **var;
- BIGNUM *bn;
+ const BIGNUM *bn;
{
#if defined(ANDROID_CHANGES)
*var = vmalloc(BN_num_bytes(bn));
@@ -2732,7 +2756,7 @@
binbuf->l - binbuf->v[0] - 1, NULL);
rsa_pub = RSA_new();
- if (!exp || !mod || !rsa_pub) {
+ if (!exp || !mod || !rsa_pub || !RSA_set0_key(rsa_pub, mod, exp, NULL)) {
plog(LLV_ERROR, LOCATION, NULL, "Plain RSA pubkey parsing error: %s\n", eay_strerror());
if (exp)
BN_free(exp);
@@ -2743,10 +2767,8 @@
rsa_pub = NULL;
goto out;
}
+ /* RSA_set0_key takes ownership of mod and exp on success. */
- rsa_pub->n = mod;
- rsa_pub->e = exp;
-
out:
return rsa_pub;
}
diff --git a/src/racoon/crypto_openssl.h b/src/racoon/crypto_openssl.h
index 9a17de8..983ffe5 100644
--- a/src/racoon/crypto_openssl.h
+++ b/src/racoon/crypto_openssl.h
@@ -224,7 +224,7 @@
extern int eay_revbnl __P((vchar_t *));
#include <openssl/bn.h>
extern int eay_v2bn __P((BIGNUM **, vchar_t *));
-extern int eay_bn2v __P((vchar_t **, BIGNUM *));
+extern int eay_bn2v __P((vchar_t **, const BIGNUM *));
extern const char *eay_version __P((void));
diff --git a/src/racoon/misc.c b/src/racoon/misc.c
index 4daa0ed..18a4f19 100644
--- a/src/racoon/misc.c
+++ b/src/racoon/misc.c
@@ -74,10 +74,10 @@
int
racoon_hexdump(buf0, len)
- void *buf0;
+ const void *buf0;
size_t len;
{
- caddr_t buf = (caddr_t)buf0;
+ const unsigned char *buf = buf0;
size_t i;
for (i = 0; i < len; i++) {
@@ -85,7 +85,7 @@
printf("\n");
if (i % 4 == 0)
printf(" ");
- printf("%02x", (unsigned char)buf[i]);
+ printf("%02x", buf[i]);
}
printf("\n");
diff --git a/src/racoon/misc.h b/src/racoon/misc.h
index 66e42b1..4979802 100644
--- a/src/racoon/misc.h
+++ b/src/racoon/misc.h
@@ -42,7 +42,7 @@
#define LOCATION debug_location(__FILE__, __LINE__, NULL)
#endif
-extern int racoon_hexdump __P((void *, size_t));
+extern int racoon_hexdump __P((const void *, size_t));
extern char *bit2str __P((int, int));
extern void *get_newbuf __P((void *, size_t));
extern const char *debug_location __P((const char *, int, const char *));
diff --git a/src/racoon/oakley.c b/src/racoon/oakley.c
index 6cdd82a..5b6ad46 100644
--- a/src/racoon/oakley.c
+++ b/src/racoon/oakley.c
@@ -1846,7 +1846,7 @@
}
if (EVP_PKEY_id(evp) == EVP_PKEY_RSA) {
- sig = eay_rsa_sign(src, evp->pkey.rsa);
+ sig = eay_rsa_sign(src, EVP_PKEY_get0_RSA(evp));
}
out:
