Date: Wed, 18 Mar 2020 18:21:59 +0000 (UTC) From: Hiroki Sato <hrs@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r359081 - stable/12/contrib/sendmail/src Message-ID: <202003181821.02IILxet014042@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: hrs Date: Wed Mar 18 18:21:58 2020 New Revision: 359081 URL: https://svnweb.freebsd.org/changeset/base/359081 Log: MFC of r358404, r358410, r358412, and r358413: Fix broken STARTTLS when SharedMemoryKey is enabled. OpenSSL 1.1 API patch for sendmail had a bug which prevented sm_RSA_generate_key() function from working. This function is used to generate a temporary RSA key for a shared memory region used for TLS processing. Note that 12.0 and 12.1-RELEASE include this bug. This affects only if SM_CONF_SHM compile-time option (enabled by default) and SharedMemoryKey run-time option (not enabled by default) in a .cf file are specified. The latter corresponds to confSHARED_MEMORY_KEY in a .mc file. Fix style inconsistencies. Do not free p and g parameters after calling DH_set0_pqg(3). PR: 242861 Differential Revision: https://reviews.freebsd.org/D23734 Modified: stable/12/contrib/sendmail/src/tls.c Directory Properties: stable/12/ (props changed) Modified: stable/12/contrib/sendmail/src/tls.c ============================================================================== --- stable/12/contrib/sendmail/src/tls.c Wed Mar 18 18:20:55 2020 (r359080) +++ stable/12/contrib/sendmail/src/tls.c Wed Mar 18 18:21:58 2020 (r359081) @@ -56,10 +56,10 @@ DH_set0_pqg(dh, p, q, g) BIGNUM *q; BIGNUM *g; { - dh->p=p; + dh->p = p; if (q != NULL) - dh->q=q; - dh->g=g; + dh->q = q; + dh->g = g; return 1; /* success */ } # endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */ @@ -83,20 +83,25 @@ static unsigned char dh512_g[] = static DH * get_dh512() { - DH *dh = NULL; + DH *dh; BIGNUM *dhp_bn, *dhg_bn; if ((dh = DH_new()) == NULL) return NULL; dhp_bn = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); dhg_bn = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); - if ((dhp_bn == NULL) || (dhg_bn == NULL) || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + if ((dhp_bn == NULL) || (dhg_bn == NULL)) { DH_free(dh); BN_free(dhp_bn); BN_free(dhg_bn); - return(NULL); + return NULL; } + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + { + DH_free(dh); + return NULL; + } return dh; } @@ -117,7 +122,7 @@ oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg== static DH * get_dh2048() { - static unsigned char dh2048_p[]={ + static unsigned char dh2048_p[] = { 0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68, 0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96, 0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4, @@ -141,22 +146,27 @@ get_dh2048() 0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA, 0x6C,0x79,0xA2,0x83, }; - static unsigned char dh2048_g[]={ 0x02, }; + static unsigned char dh2048_g[] = { 0x02, }; DH *dh; BIGNUM *dhp_bn, *dhg_bn; - if ((dh=DH_new()) == NULL) - return(NULL); - dhp_bn = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); - dhg_bn = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); - if ((dhp_bn == NULL) || (dhg_bn == NULL) || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + if ((dh = DH_new()) == NULL) + return NULL; + dhp_bn = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL); + dhg_bn = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL); + if ((dhp_bn == NULL) || (dhg_bn == NULL)) { DH_free(dh); BN_free(dhp_bn); BN_free(dhg_bn); - return(NULL); + return NULL; } - return(dh); + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) + { + DH_free(dh); + return NULL; + } + return dh; } # endif /* !NO_DH */ @@ -744,19 +754,16 @@ sm_RSA_generate_key(num, e) unsigned long e; { RSA *rsa = NULL; - BIGNUM *bn_rsa_r4; - int rc; + BIGNUM *bn_rsa_r4; bn_rsa_r4 = BN_new(); - rc = BN_set_word(bn_rsa_r4, RSA_F4); - if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, RSA_F4) && (rsa = RSA_new()) != NULL) + if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, e) && (rsa = RSA_new()) != NULL) { - if (!RSA_generate_key_ex(rsa, RSA_KEYLENGTH, bn_rsa_r4, NULL)) + if (!RSA_generate_key_ex(rsa, num, bn_rsa_r4, NULL)) { RSA_free(rsa); rsa = NULL; } - return NULL; } BN_free(bn_rsa_r4); return rsa; @@ -1263,7 +1270,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cac if (tTd(96, 2)) sm_dprintf("inittls: Generating %d bit DH parameters\n", bits); - dsa=DSA_new(); + dsa = DSA_new(); /* this takes a while! */ (void)DSA_generate_parameters_ex(dsa, bits, NULL, 0, NULL, NULL, NULL);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202003181821.02IILxet014042>