From 1afa0f7ffb5460245a1d84a525e31887165ec859 Mon Sep 17 00:00:00 2001 From: reyk Date: Thu, 22 Jan 2015 09:26:05 +0000 Subject: [PATCH] LibreSSL now supports loading of CA certificates from memory, replace the internal and long-serving ssl_ctx_load_verify_memory() function with a call to the SSL_CTX_load_verify_mem() API function. The ssl_privsep.c file with hacks for using OpenSSL in privsep'ed processes can now go away; portable versions of smtpd and relayd should start depending on LibreSSL or they have to carry ssl_privsep.c in openbsd-compat to work with legacy OpenSSL. No functional change. Based on previous discussions with gilles@ bluhm@ and many others OK bluhm@ (as part of the libcrypto/libssl/libtls diff) --- usr.sbin/relayd/Makefile | 4 +- usr.sbin/relayd/relay.c | 4 +- usr.sbin/relayd/relayd.h | 5 +- usr.sbin/relayd/ssl_privsep.c | 158 --------------------------------- usr.sbin/smtpd/smtpd/Makefile | 4 +- usr.sbin/smtpd/ssl.h | 4 +- usr.sbin/smtpd/ssl_privsep.c | 159 ---------------------------------- 7 files changed, 8 insertions(+), 330 deletions(-) delete mode 100644 usr.sbin/relayd/ssl_privsep.c delete mode 100644 usr.sbin/smtpd/ssl_privsep.c diff --git a/usr.sbin/relayd/Makefile b/usr.sbin/relayd/Makefile index e573d9acfd5..066acfa72f9 100644 --- a/usr.sbin/relayd/Makefile +++ b/usr.sbin/relayd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.27 2014/04/21 14:57:17 reyk Exp $ +# $OpenBSD: Makefile,v 1.28 2015/01/22 09:26:05 reyk Exp $ PROG= relayd SRCS= parse.y @@ -6,7 +6,7 @@ SRCS+= agentx.c ca.c carp.c check_icmp.c check_script.c \ check_tcp.c config.c control.c hce.c log.c name2id.c \ pfe.c pfe_filter.c pfe_route.c proc.c \ relay.c relay_http.c relay_udp.c relayd.c \ - shuffle.c snmp.c ssl.c ssl_privsep.c + shuffle.c snmp.c ssl.c MAN= relayd.8 relayd.conf.5 LDADD= -levent -lssl -lcrypto -lutil diff --git a/usr.sbin/relayd/relay.c b/usr.sbin/relayd/relay.c index 091db106075..f69a91228db 100644 --- a/usr.sbin/relayd/relay.c 
+++ b/usr.sbin/relayd/relay.c @@ -1,4 +1,4 @@ -/* $OpenBSD: relay.c,v 1.187 2015/01/16 15:08:52 reyk Exp $ */ +/* $OpenBSD: relay.c,v 1.188 2015/01/22 09:26:05 reyk Exp $ */ /* * Copyright (c) 2006 - 2014 Reyk Floeter @@ -2051,7 +2051,7 @@ relay_tls_ctx_create(struct relay *rlay) /* Verify the server certificate if we have a CA chain */ if ((rlay->rl_conf.flags & F_TLSCLIENT) && (rlay->rl_tls_ca != NULL)) { - if (!ssl_ctx_load_verify_memory(ctx, + if (!SSL_CTX_load_verify_mem(ctx, rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len)) goto err; SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL); diff --git a/usr.sbin/relayd/relayd.h b/usr.sbin/relayd/relayd.h index e67ca49a5e3..e78ecc674fa 100644 --- a/usr.sbin/relayd/relayd.h +++ b/usr.sbin/relayd/relayd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: relayd.h,v 1.205 2015/01/16 15:08:52 reyk Exp $ */ +/* $OpenBSD: relayd.h,v 1.206 2015/01/22 09:26:05 reyk Exp $ */ /* * Copyright (c) 2006 - 2015 Reyk Floeter @@ -1220,9 +1220,6 @@ int ssl_load_pkey(const void *, size_t, char *, off_t, int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t, char *, off_t, X509 **, EVP_PKEY **); -/* ssl_privsep.c */ -int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); - /* ca.c */ pid_t ca(struct privsep *, struct privsep_proc *); void ca_engine_init(struct relayd *); diff --git a/usr.sbin/relayd/ssl_privsep.c b/usr.sbin/relayd/ssl_privsep.c deleted file mode 100644 index b90d5960b11..00000000000 --- a/usr.sbin/relayd/ssl_privsep.c +++ /dev/null 
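Review bot: The new `SSL_CTX_load_verify_mem(ctx, rlay->rl_tls_ca, rlay->rl_conf.tls_ca_len)` call hands over a length that the replaced `ssl_ctx_load_verify_memory()` accepted as `off_t`; if LibreSSL's prototype declares that parameter as `int` (as I recall its header does, but confirm against the installed ssl.h), the argument is narrowed implicitly and an oversized CA bundle would be silently truncated, so an explicit guard such as `if (rlay->rl_conf.tls_ca_len > INT_MAX) goto err;` immediately before the call would make the limit visible instead of relying on the conversion. Since this symbol exists only in LibreSSL and the commit message itself says portable builds must carry a compat shim, a one-line comment at the call site, `/* SSL_CTX_load_verify_mem() is LibreSSL-only; portable builds need openbsd-compat */`, would spare the next maintainer a link-error hunt. The `!` test keeps its meaning because the old function returned 0 on failure and non-zero on success, and the new API is expected to do the same. relay_tls_ctx_create() starts and ends outside the hunk.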
@@ -1,158 +0,0 @@ -/* $OpenBSD: ssl_privsep.c,v 1.11 2015/01/16 15:08:52 reyk Exp $ */ - -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* - * SSL operations needed when running in a privilege separated environment. - * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard . 
- */ - -#include -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); -int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **); - -X509_LOOKUP_METHOD x509_mem_lookup = { - "Load cert from memory", - NULL, /* new */ - NULL, /* free */ - NULL, /* init */ - NULL, /* shutdown */ - ssl_by_mem_ctrl, /* ctrl */ - NULL, /* get_by_subject */ - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -}; - -#define X509_L_ADD_MEM 3 - -int -ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len) -{ - X509_LOOKUP *lu; - struct iovec iov; - - if ((lu = X509_STORE_add_lookup(ctx->cert_store, - &x509_mem_lookup)) == NULL) - return (0); - - iov.iov_base = buf; - iov.iov_len = len; - - if (!ssl_by_mem_ctrl(lu, X509_L_ADD_MEM, - (const char *)&iov, X509_FILETYPE_PEM, NULL)) - return (0); - - return (1); -} - -int -ssl_by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf, - long type, char **ret) -{ - STACK_OF(X509_INFO) *inf; - const struct iovec *iov; - X509_INFO *itmp; - BIO *in = NULL; - int i, count = 0; - - iov = (const struct iovec *)buf; - - if (type != X509_FILETYPE_PEM) - goto done; - - if ((in = BIO_new_mem_buf(iov->iov_base, iov->iov_len)) == NULL) - goto done; - - if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL) - goto done; - - for (i = 0; i < sk_X509_INFO_num(inf); i++) { - itmp = sk_X509_INFO_value(inf, i); - if (itmp->x509) { - X509_STORE_add_cert(lu->store_ctx, itmp->x509); - count++; - } - if (itmp->crl) { - X509_STORE_add_crl(lu->store_ctx, itmp->crl); - count++; - } - } - sk_X509_INFO_pop_free(inf, X509_INFO_free); - - done: - if (!count) - X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB); - - if (in != NULL) - BIO_free(in); - return (count); -} diff --git a/usr.sbin/smtpd/smtpd/Makefile b/usr.sbin/smtpd/smtpd/Makefile index cf751b62868..5defaf6039b 100644 
--- a/usr.sbin/smtpd/smtpd/Makefile +++ b/usr.sbin/smtpd/smtpd/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.77 2014/12/14 15:26:56 gilles Exp $ +# $OpenBSD: Makefile,v 1.78 2015/01/22 09:26:05 reyk Exp $ .PATH: ${.CURDIR}/.. @@ -10,7 +10,7 @@ SRCS= aliases.c bounce.c ca.c compress_backend.c config.c \ log.c mda.c mproc.c \ mta.c mta_session.c parse.y pony.c queue.c queue_backend.c \ ruleset.c runq.c scheduler.c scheduler_backend.c \ - smtp.c smtp_session.c smtpd.c ssl.c ssl_privsep.c \ + smtp.c smtp_session.c smtpd.c ssl.c \ ssl_smtpd.c stat_backend.c table.c to.c tree.c util.c \ waitq.c diff --git a/usr.sbin/smtpd/ssl.h b/usr.sbin/smtpd/ssl.h index 28d4ed816a6..0bc82363f20 100644 --- a/usr.sbin/smtpd/ssl.h +++ b/usr.sbin/smtpd/ssl.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl.h,v 1.10 2015/01/16 15:08:52 reyk Exp $ */ +/* $OpenBSD: ssl.h,v 1.11 2015/01/22 09:26:05 reyk Exp $ */ /* * Copyright (c) 2013 Gilles Chehade * @@ -50,7 +50,6 @@ DH *get_dh1024(void); DH *get_dh_from_memory(char *, size_t); void ssl_set_ephemeral_key_exchange(SSL_CTX *, DH *); void ssl_set_ecdh_curve(SSL_CTX *, const char *); -extern int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); char *ssl_load_file(const char *, off_t *, mode_t); char *ssl_load_key(const char *, off_t *, char *, mode_t, const char *); @@ -67,5 +66,4 @@ int ssl_ctx_fake_private_key(SSL_CTX *, const void *, size_t, char *, off_t, X509 **, EVP_PKEY **); /* ssl_privsep.c */ -int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **); diff --git a/usr.sbin/smtpd/ssl_privsep.c b/usr.sbin/smtpd/ssl_privsep.c deleted file mode 100644 index aa8c15d7210..00000000000 --- a/usr.sbin/smtpd/ssl_privsep.c +++ /dev/null 
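Review bot: The ssl.h hunk removes both `ssl_ctx_load_verify_memory()` declarations but leaves `int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **);` under the `/* ssl_privsep.c */` heading, even though this same patch deletes usr.sbin/smtpd/ssl_privsep.c, so the header now declares a function with no definition anywhere in the tree. Any future caller will compile cleanly and fail only at link time; the `/* ssl_privsep.c */` comment and the `ssl_by_mem_ctrl` prototype should be removed together with the file, which would also bring ssl.h back in line with relayd.h, whose hunk drops its equivalent block entirely. Whether any remaining smtpd source still references either symbol is not visible from this diff and is worth a grep before commit.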
@@ -1,159 +0,0 @@ -/* $OpenBSD: ssl_privsep.c,v 1.8 2015/01/16 15:08:52 reyk Exp $ */ - -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. 
All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* - * SSL operations needed when running in a privilege separated environment. - * Adapted from openssl's ssl_rsa.c by Pierre-Yves Ritschard . 
- */ - -#include -#include - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -int ssl_ctx_use_private_key(SSL_CTX *, char *, off_t); -int ssl_ctx_load_verify_memory(SSL_CTX *, char *, off_t); -int ssl_by_mem_ctrl(X509_LOOKUP *, int, const char *, long, char **); - -X509_LOOKUP_METHOD x509_mem_lookup = { - "Load cert from memory", - NULL, /* new */ - NULL, /* free */ - NULL, /* init */ - NULL, /* shutdown */ - ssl_by_mem_ctrl, /* ctrl */ - NULL, /* get_by_subject */ - NULL, /* get_by_issuer_serial */ - NULL, /* get_by_fingerprint */ - NULL, /* get_by_alias */ -}; - -#define X509_L_ADD_MEM 3 - -int -ssl_ctx_load_verify_memory(SSL_CTX *ctx, char *buf, off_t len) -{ - X509_LOOKUP *lu; - struct iovec iov; - - if ((lu = X509_STORE_add_lookup(ctx->cert_store, - &x509_mem_lookup)) == NULL) - return (0); - - iov.iov_base = buf; - iov.iov_len = len; - - if (!ssl_by_mem_ctrl(lu, X509_L_ADD_MEM, - (const char *)&iov, X509_FILETYPE_PEM, NULL)) - return (0); - - return (1); -} - -int -ssl_by_mem_ctrl(X509_LOOKUP *lu, int cmd, const char *buf, - long type, char **ret) -{ - STACK_OF(X509_INFO) *inf; - const struct iovec *iov; - X509_INFO *itmp; - BIO *in = NULL; - int i, count = 0; - - iov = (const struct iovec *)buf; - - if (type != X509_FILETYPE_PEM) - goto done; - - if ((in = BIO_new_mem_buf(iov->iov_base, iov->iov_len)) == NULL) - goto done; - - if ((inf = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL)) == NULL) - goto done; - - for (i = 0; i < sk_X509_INFO_num(inf); i++) { - itmp = sk_X509_INFO_value(inf, i); - if (itmp->x509) { - X509_STORE_add_cert(lu->store_ctx, itmp->x509); - count++; - } - if (itmp->crl) { - X509_STORE_add_crl(lu->store_ctx, itmp->crl); - count++; - } - } - sk_X509_INFO_pop_free(inf, X509_INFO_free); - - done: - if (!count) - X509err(X509_F_X509_LOAD_CERT_CRL_FILE,ERR_R_PEM_LIB); - - if (in != NULL) - BIO_free(in); - return (count); -} -- 2.20.1