"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/md_crypt.c" between
mod_md-2.4.2.tar.gz and mod_md-2.4.4.tar.gz

About: mod_md is an Apache module that adds Let's Encrypt (ACME) support.

md_crypt.c  (mod_md-2.4.2):md_crypt.c  (mod_md-2.4.4)
skipping to change at line 74 skipping to change at line 74
/* Missing from LibreSSL and only available since OpenSSL v1.1.x */ /* Missing from LibreSSL and only available since OpenSSL v1.1.x */
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
#define OPENSSL_NO_CT #define OPENSSL_NO_CT
#endif #endif
#endif #endif
#ifndef OPENSSL_NO_CT #ifndef OPENSSL_NO_CT
#include <openssl/ct.h> #include <openssl/ct.h>
#endif #endif
#if defined(LIBRESSL_VERSION_NUMBER)
#define EVP_PKEY_X25519 NID_X25519
#define EVP_PKEY_X448 NID_X448
#endif
static int initialized; static int initialized;
struct md_pkey_t { struct md_pkey_t {
apr_pool_t *pool; apr_pool_t *pool;
EVP_PKEY *pkey; EVP_PKEY *pkey;
}; };
#ifdef MD_HAVE_ARC4RANDOM #ifdef MD_HAVE_ARC4RANDOM
static void seed_RAND(int pid) static void seed_RAND(int pid)
skipping to change at line 684 skipping to change at line 679
#else #else
if (!PEM_write_bio_PrivateKey(bio, pkey->pkey, cipher, NULL, 0, cb, cb_baton )) { if (!PEM_write_bio_PrivateKey(bio, pkey->pkey, cipher, NULL, 0, cb, cb_baton )) {
#endif #endif
BIO_free(bio); BIO_free(bio);
err = ERR_get_error(); err = ERR_get_error();
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "PEM_write key: %ld %s", md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "PEM_write key: %ld %s",
err, ERR_error_string(err, NULL)); err, ERR_error_string(err, NULL));
return APR_EINVAL; return APR_EINVAL;
} }
md_data_null(buf);
i = BIO_pending(bio); i = BIO_pending(bio);
if (i > 0) { if (i > 0) {
buf->data = apr_palloc(p, (apr_size_t)i); buf->data = apr_palloc(p, (apr_size_t)i);
i = BIO_read(bio, (char*)buf->data, i); i = BIO_read(bio, (char*)buf->data, i);
buf->len = (apr_size_t)i; buf->len = (apr_size_t)i;
} }
BIO_free(bio); BIO_free(bio);
return APR_SUCCESS; return APR_SUCCESS;
} }
skipping to change at line 804 skipping to change at line 800
#ifdef NID_X9_62_prime256v1 #ifdef NID_X9_62_prime256v1
if (NID_undef == curve_nid && !apr_strnatcasecmp("secp256r1", curve)) { if (NID_undef == curve_nid && !apr_strnatcasecmp("secp256r1", curve)) {
curve_nid = NID_X9_62_prime256v1; curve_nid = NID_X9_62_prime256v1;
} }
#endif #endif
#ifdef NID_X9_62_prime192v1 #ifdef NID_X9_62_prime192v1
if (NID_undef == curve_nid && !apr_strnatcasecmp("secp192r1", curve)) { if (NID_undef == curve_nid && !apr_strnatcasecmp("secp192r1", curve)) {
curve_nid = NID_X9_62_prime192v1; curve_nid = NID_X9_62_prime192v1;
} }
#endif #endif
#ifdef NID_X25519 #if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
if (NID_undef == curve_nid && !apr_strnatcasecmp("X25519", curve)) { if (NID_undef == curve_nid && !apr_strnatcasecmp("X25519", curve)) {
curve_nid = NID_X25519; curve_nid = NID_X25519;
} }
#endif #endif
if (NID_undef == curve_nid) { if (NID_undef == curve_nid) {
/* OpenSSL object/curve names */ /* OpenSSL object/curve names */
curve_nid = OBJ_sn2nid(curve); curve_nid = OBJ_sn2nid(curve);
} }
if (NID_undef == curve_nid) { if (NID_undef == curve_nid) {
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ec curve unknown: %s", cur ve); md_log_perror(MD_LOG_MARK, MD_LOG_ERR, 0, p, "ec curve unknown: %s", cur ve);
rv = APR_ENOTIMPL; goto leave; rv = APR_ENOTIMPL; goto leave;
} }
*ppkey = make_pkey(p); *ppkey = make_pkey(p);
switch (curve_nid) { switch (curve_nid) {
#ifdef NID_X25519 #if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
case NID_X25519: case NID_X25519:
/* no parameters */ /* no parameters */
if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL)) if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X25519, NULL))
|| EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen_init(ctx) <= 0
|| EVP_PKEY_keygen(ctx, &(*ppkey)->pkey) <= 0) { || EVP_PKEY_keygen(ctx, &(*ppkey)->pkey) <= 0) {
md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, 0, p, md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, 0, p,
"error generate EC key for group: %s", curve); "error generate EC key for group: %s", curve);
rv = APR_EGENERAL; goto leave; rv = APR_EGENERAL; goto leave;
} }
rv = APR_SUCCESS; rv = APR_SUCCESS;
break; break;
#endif #endif
#ifdef NID_X448 #if defined(NID_X448) && !defined(LIBRESSL_VERSION_NUMBER)
case NID_X448: case NID_X448:
/* no parameters */ /* no parameters */
if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL)) if (NULL == (ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_X448, NULL))
|| EVP_PKEY_keygen_init(ctx) <= 0 || EVP_PKEY_keygen_init(ctx) <= 0
|| EVP_PKEY_keygen(ctx, &(*ppkey)->pkey) <= 0) { || EVP_PKEY_keygen(ctx, &(*ppkey)->pkey) <= 0) {
md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, 0, p, md_log_perror(MD_LOG_MARK, MD_LOG_WARNING, 0, p,
"error generate EC key for group: %s", curve); "error generate EC key for group: %s", curve);
rv = APR_EGENERAL; goto leave; rv = APR_EGENERAL; goto leave;
} }
rv = APR_SUCCESS; rv = APR_SUCCESS;
skipping to change at line 911 skipping to change at line 907
*d = r->d; *d = r->d;
} }
#endif #endif
static const char *bn64(const BIGNUM *b, apr_pool_t *p) static const char *bn64(const BIGNUM *b, apr_pool_t *p)
{ {
if (b) { if (b) {
md_data_t buffer; md_data_t buffer;
buffer.len = (apr_size_t)BN_num_bytes(b); md_data_pinit(&buffer, (apr_size_t)BN_num_bytes(b), p);
buffer.data = apr_pcalloc(p, buffer.len);
if (buffer.data) { if (buffer.data) {
BN_bn2bin(b, (unsigned char *)buffer.data); BN_bn2bin(b, (unsigned char *)buffer.data);
return md_util_base64url_encode(&buffer, p); return md_util_base64url_encode(&buffer, p);
} }
} }
return NULL; return NULL;
} }
const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p) const char *md_pkey_get_rsa_e64(md_pkey_t *pkey, apr_pool_t *p)
{ {
skipping to change at line 954 skipping to change at line 949
apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t * p, apr_status_t md_crypt_sign64(const char **psign64, md_pkey_t *pkey, apr_pool_t * p,
const char *d, size_t dlen) const char *d, size_t dlen)
{ {
EVP_MD_CTX *ctx = NULL; EVP_MD_CTX *ctx = NULL;
md_data_t buffer; md_data_t buffer;
unsigned int blen; unsigned int blen;
const char *sign64 = NULL; const char *sign64 = NULL;
apr_status_t rv = APR_ENOMEM; apr_status_t rv = APR_ENOMEM;
buffer.len = (apr_size_t)EVP_PKEY_size(pkey->pkey); md_data_pinit(&buffer, (apr_size_t)EVP_PKEY_size(pkey->pkey), p);
buffer.data = apr_pcalloc(p, buffer.len);
if (buffer.data) { if (buffer.data) {
ctx = EVP_MD_CTX_create(); ctx = EVP_MD_CTX_create();
if (ctx) { if (ctx) {
rv = APR_ENOTIMPL; rv = APR_ENOTIMPL;
if (EVP_SignInit_ex(ctx, EVP_sha256(), NULL)) { if (EVP_SignInit_ex(ctx, EVP_sha256(), NULL)) {
rv = APR_EGENERAL; rv = APR_EGENERAL;
if (EVP_SignUpdate(ctx, d, dlen)) { if (EVP_SignUpdate(ctx, d, dlen)) {
if (EVP_SignFinal(ctx, (unsigned char*)buffer.data, &blen, p key->pkey)) { if (EVP_SignFinal(ctx, (unsigned char*)buffer.data, &blen, p key->pkey)) {
buffer.len = blen; buffer.len = blen;
sign64 = md_util_base64url_encode(&buffer, p); sign64 = md_util_base64url_encode(&buffer, p);
skipping to change at line 994 skipping to change at line 988
return rv; return rv;
} }
static apr_status_t sha256_digest(md_data_t **pdigest, apr_pool_t *p, const md_d ata_t *buf) static apr_status_t sha256_digest(md_data_t **pdigest, apr_pool_t *p, const md_d ata_t *buf)
{ {
EVP_MD_CTX *ctx = NULL; EVP_MD_CTX *ctx = NULL;
md_data_t *digest; md_data_t *digest;
apr_status_t rv = APR_ENOMEM; apr_status_t rv = APR_ENOMEM;
unsigned int dlen; unsigned int dlen;
digest = apr_palloc(p, sizeof(*digest)); digest = md_data_pmake(EVP_MAX_MD_SIZE, p);
if (!digest) goto leave; if (!digest) goto leave;
digest->data = apr_pcalloc(p, EVP_MAX_MD_SIZE);
if (!digest->data) goto leave;
ctx = EVP_MD_CTX_create(); ctx = EVP_MD_CTX_create();
if (ctx) { if (ctx) {
rv = APR_ENOTIMPL; rv = APR_ENOTIMPL;
if (EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)) { if (EVP_DigestInit_ex(ctx, EVP_sha256(), NULL)) {
rv = APR_EGENERAL; rv = APR_EGENERAL;
if (EVP_DigestUpdate(ctx, (unsigned char*)buf->data, buf->len)) { if (EVP_DigestUpdate(ctx, (unsigned char*)buf->data, buf->len)) {
if (EVP_DigestFinal(ctx, (unsigned char*)digest->data, &dlen)) { if (EVP_DigestFinal(ctx, (unsigned char*)digest->data, &dlen)) {
digest->len = dlen; digest->len = dlen;
rv = APR_SUCCESS; rv = APR_SUCCESS;
skipping to change at line 1311 skipping to change at line 1303
BIO_free(bio); BIO_free(bio);
return APR_SUCCESS; return APR_SUCCESS;
} }
apr_status_t md_cert_fsave(md_cert_t *cert, apr_pool_t *p, apr_status_t md_cert_fsave(md_cert_t *cert, apr_pool_t *p,
const char *fname, apr_fileperms_t perms) const char *fname, apr_fileperms_t perms)
{ {
md_data_t buffer; md_data_t buffer;
apr_status_t rv; apr_status_t rv;
md_data_null(&buffer);
if (APR_SUCCESS == (rv = cert_to_buffer(&buffer, cert, p))) { if (APR_SUCCESS == (rv = cert_to_buffer(&buffer, cert, p))) {
return md_util_freplace(fname, perms, p, fwrite_buffer, &buffer); return md_util_freplace(fname, perms, p, fwrite_buffer, &buffer);
} }
return rv; return rv;
} }
apr_status_t md_cert_to_base64url(const char **ps64, const md_cert_t *cert, apr_ pool_t *p) apr_status_t md_cert_to_base64url(const char **ps64, const md_cert_t *cert, apr_ pool_t *p)
{ {
md_data_t buffer; md_data_t buffer;
apr_status_t rv; apr_status_t rv;
md_data_null(&buffer);
if (APR_SUCCESS == (rv = cert_to_buffer(&buffer, cert, p))) { if (APR_SUCCESS == (rv = cert_to_buffer(&buffer, cert, p))) {
*ps64 = md_util_base64url_encode(&buffer, p); *ps64 = md_util_base64url_encode(&buffer, p);
return APR_SUCCESS; return APR_SUCCESS;
} }
*ps64 = NULL; *ps64 = NULL;
return rv; return rv;
} }
apr_status_t md_cert_to_sha256_digest(md_data_t **pdigest, const md_cert_t *cert , apr_pool_t *p) apr_status_t md_cert_to_sha256_digest(md_data_t **pdigest, const md_cert_t *cert , apr_pool_t *p)
{ {
md_data_t *digest; md_data_t *digest;
unsigned int dlen; unsigned int dlen;
apr_status_t rv = APR_ENOMEM; apr_status_t rv = APR_ENOMEM;
digest = apr_palloc(p, sizeof(*digest)); digest = md_data_pmake(EVP_MAX_MD_SIZE, p);
if (!digest) goto leave; if (!digest) goto leave;
digest->data = apr_pcalloc(p, EVP_MAX_MD_SIZE);
if (!digest->data) goto leave;
X509_digest(cert->x509, EVP_sha256(), (unsigned char*)digest->data, &dlen); X509_digest(cert->x509, EVP_sha256(), (unsigned char*)digest->data, &dlen);
digest->len = dlen; digest->len = dlen;
rv = APR_SUCCESS; rv = APR_SUCCESS;
leave: leave:
*pdigest = (APR_SUCCESS == rv)? digest : NULL; *pdigest = (APR_SUCCESS == rv)? digest : NULL;
return rv; return rv;
} }
apr_status_t md_cert_to_sha256_fingerprint(const char **pfinger, const md_cert_t *cert, apr_pool_t *p) apr_status_t md_cert_to_sha256_fingerprint(const char **pfinger, const md_cert_t *cert, apr_pool_t *p)
skipping to change at line 1686 skipping to change at line 1678
const char *s, *csr_der_64 = NULL; const char *s, *csr_der_64 = NULL;
const unsigned char *domain; const unsigned char *domain;
X509_REQ *csr; X509_REQ *csr;
X509_NAME *n = NULL; X509_NAME *n = NULL;
STACK_OF(X509_EXTENSION) *exts = NULL; STACK_OF(X509_EXTENSION) *exts = NULL;
apr_status_t rv; apr_status_t rv;
md_data_t csr_der; md_data_t csr_der;
int csr_der_len; int csr_der_len;
assert(domains->nelts > 0); assert(domains->nelts > 0);
md_data_null(&csr_der);
if (NULL == (csr = X509_REQ_new()) if (NULL == (csr = X509_REQ_new())
|| NULL == (exts = sk_X509_EXTENSION_new_null()) || NULL == (exts = sk_X509_EXTENSION_new_null())
|| NULL == (n = X509_NAME_new())) { || NULL == (n = X509_NAME_new())) {
rv = APR_ENOMEM; rv = APR_ENOMEM;
md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: openssl alloc X509 th ings", name); md_log_perror(MD_LOG_MARK, MD_LOG_ERR, rv, p, "%s: openssl alloc X509 th ings", name);
goto out; goto out;
} }
/* subject name == first domain */ /* subject name == first domain */
skipping to change at line 1982 skipping to change at line 1975
while (1) { while (1) {
sct_list = X509_get_ext_d2i(cert->x509, nid, &critical, &idx); sct_list = X509_get_ext_d2i(cert->x509, nid, &critical, &idx);
if (sct_list) { if (sct_list) {
for (i = 0; i < sk_SCT_num(sct_list); i++) { for (i = 0; i < sk_SCT_num(sct_list); i++) {
sct_handle = sk_SCT_value(sct_list, i); sct_handle = sk_SCT_value(sct_list, i);
if (sct_handle) { if (sct_handle) {
sct = apr_pcalloc(p, sizeof(*sct)); sct = apr_pcalloc(p, sizeof(*sct));
sct->version = SCT_get_version(sct_handle); sct->version = SCT_get_version(sct_handle);
sct->timestamp = apr_time_from_msec(SCT_get_timestamp(sct_ha ndle)); sct->timestamp = apr_time_from_msec(SCT_get_timestamp(sct_ha ndle));
len = SCT_get0_log_id(sct_handle, (unsigned char**)&data); len = SCT_get0_log_id(sct_handle, (unsigned char**)&data);
sct->logid = md_data_create(p, data, len); sct->logid = md_data_make_pcopy(p, data, len);
sct->signature_type_nid = SCT_get_signature_nid(sct_handle); sct->signature_type_nid = SCT_get_signature_nid(sct_handle);
len = SCT_get0_signature(sct_handle, (unsigned char**)&data ); len = SCT_get0_signature(sct_handle, (unsigned char**)&data );
sct->signature = md_data_create(p, data, len); sct->signature = md_data_make_pcopy(p, data, len);
APR_ARRAY_PUSH(scts, md_sct*) = sct; APR_ARRAY_PUSH(scts, md_sct*) = sct;
} }
} }
} }
if (idx < 0) break; if (idx < 0) break;
} }
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p, "ct_sct, found %d SCT extens ions", scts->nelts); md_log_perror(MD_LOG_MARK, MD_LOG_TRACE3, 0, p, "ct_sct, found %d SCT extens ions", scts->nelts);
return APR_SUCCESS; return APR_SUCCESS;
#else #else
(void)scts; (void)scts;
(void)p; (void)p;
(void)cert; (void)cert;
return APR_ENOTIMPL; return APR_ENOTIMPL;
#endif #endif
} }
apr_status_t md_cert_get_ocsp_responder_url(const char **purl, apr_pool_t *p, co
nst md_cert_t *cert)
{
STACK_OF(OPENSSL_STRING) *ssk;
apr_status_t rv = APR_SUCCESS;
const char *url = NULL;
ssk = X509_get1_ocsp(md_cert_get_X509(cert));
if (!ssk) {
rv = APR_ENOENT;
goto cleanup;
}
url = apr_pstrdup(p, sk_OPENSSL_STRING_value(ssk, 0));
md_log_perror(MD_LOG_MARK, MD_LOG_TRACE2, 0, p, "ocsp responder found '%s'",
url);
cleanup:
if (ssk) X509_email_free(ssk);
*purl = url;
return rv;
}
 End of changes. 17 change blocks. 
20 lines changed or deleted 13 lines changed or added

Home  |  About  |  Features  |  All  |  Newest  |  Dox  |  Diffs  |  RSS Feeds  |  Screenshots  |  Comments  |  Imprint  |  Privacy  |  HTTP(S)