Merge pull request #2916 from jimis/openssl_1_1
CFE-2629: OpenSSL 1.1 compatibility
jimis committed Oct 25, 2017
2 parents 51b4a9a + 18ce44b commit f4b9c85
Showing 29 changed files with 806 additions and 190 deletions.
2 changes: 2 additions & 0 deletions cf-agent/cf-agent.c
Expand Up @@ -241,6 +241,8 @@ int main(int argc, char *argv[])

GenericAgentDiscoverContext(ctx, config);

/* FIXME: (CFE-2709) ALWAYS_VALIDATE will always be false here, since it can
* only change in KeepPromises(), five lines later on. */
Policy *policy = SelectAndLoadPolicy(config, ctx, ALWAYS_VALIDATE, true);

if (!policy)
6 changes: 5 additions & 1 deletion cf-key/cf-key-functions.c
Expand Up @@ -27,6 +27,7 @@

#include <openssl/bn.h> /* BN_*, BIGNUM */
#include <openssl/rand.h> /* RAND_* */
#include <libcrypto-compat.h>

#include <lastseen.h>
#include <dir.h>
Expand All @@ -48,6 +49,7 @@ RSA *LoadPublicKey(const char *filename)
{
FILE *fp;
RSA *key;
const BIGNUM *n, *e;

fp = safe_fopen(filename, "r");
if (fp == NULL)
Expand All @@ -69,7 +71,9 @@ RSA *LoadPublicKey(const char *filename)

fclose(fp);

if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
RSA_get0_key(key, &n, &e, NULL);

if (BN_num_bits(e) < 2 || !BN_is_odd(e))
{
Log(LOG_LEVEL_ERR, "Error while reading public key '%s' - RSA Exponent is too small or not odd. (BN_num_bits: %s)",
filename, GetErrorStr());
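Review bot: In the `@@ -69,7 +71,9 @@` hunk, `BN_num_bits(e)` dereferences the exponent pointer returned by `RSA_get0_key`, and with the 1.1 accessor API that pointer is NULL when the exponent is unset, so a malformed key file that leaves it unset would now crash rather than reach the existing error branch; guard it first, `if (e == NULL || BN_num_bits(e) < 2 || !BN_is_odd(e))`. The modulus is fetched into `n` but not used in the visible lines, so `RSA_get0_key(key, NULL, &e, NULL);` would avoid an unused-variable warning unless `n` is needed further down LoadPublicKey, which continues outside the hunk.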
1 change: 1 addition & 0 deletions cf-key/cf-key-functions.h
Expand Up @@ -39,6 +39,7 @@
#include <eval_context.h>
#include <crypto.h>


extern bool LOOKUP_HOSTS;

RSA *LoadPublicKey(const char *filename);
8 changes: 7 additions & 1 deletion cf-serverd/cf-serverd-functions.c
Expand Up @@ -869,7 +869,13 @@ static void AcceptAndHandle(EvalContext *ctx, int sd)
int StartServer(EvalContext *ctx, Policy **policy, GenericAgentConfig *config)
{
InitSignals();
ServerTLSInitialize();

bool tls_init_ok = ServerTLSInitialize();
if (!tls_init_ok)
{
return -1;
}

int sd = SetServerListenState(ctx, QUEUESIZE, SERVER_LISTEN, &InitServer);

/* Necessary for our use of select() to work in WaitForIncoming(): */
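Review bot: The new `if (!tls_init_ok)` branch in StartServer returns -1 without logging, so unless ServerTLSInitialize() emits its own diagnostic (its body is not visible here) the daemon exits with nothing in the log explaining that TLS setup failed; a `Log(LOG_LEVEL_ERR, "Failed to initialize TLS, cannot start server");` before the `return -1;` makes the failure visible to an operator. The temporary could also be folded into the condition, `if (!ServerTLSInitialize())`, since it is not reused. StartServer continues past the end of the hunk.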
49 changes: 38 additions & 11 deletions cf-serverd/server_classic.c
Expand Up @@ -23,7 +23,9 @@
*/
#include <platform.h>

#include <openssl/bn.h> /* BN_* */
#include <openssl/bn.h> /* BN_* */
#include <openssl/err.h> /* ERR_get_error */
#include <libcrypto-compat.h>

#include <cf3.defs.h>
#include <item_lib.h> /* IsMatchItemIn */
Expand All @@ -36,6 +38,7 @@
#include <files_hashes.h> /* HashString */
#include <crypto.h> /* HavePublicKey */
#include <cf-serverd-enterprise-stubs.h> /* ReceiveCollectCall */
#include <tls_generic.h>

#include "server.h" /* ServerConnectionState */
#include "server_common.h" /* ListPersistentClasses */
Expand Down Expand Up @@ -579,7 +582,11 @@ static int CheckStoreKey(ServerConnectionState *conn, RSA *key)
"A public key was already known from %s/%s - no trust required",
conn->hostname, conn->ipaddr);

if ((BN_cmp(savedkey->e, key->e) == 0) && (BN_cmp(savedkey->n, key->n) == 0))
const BIGNUM *key_n, *key_e, *savedkey_n, *savedkey_e;
RSA_get0_key(key, &key_n, &key_e, NULL);
RSA_get0_key(savedkey, &savedkey_n, &savedkey_e, NULL);

if ((BN_cmp(savedkey_e, key_e) == 0) && (BN_cmp(savedkey_n, key_n) == 0))
{
Log(LOG_LEVEL_VERBOSE,
"The public key identity was confirmed as %s@%s",
Expand Down Expand Up @@ -770,25 +777,24 @@ char iscrypt, enterprise_field;
HashString(challenge, challenge_len, digest, digestType);
}

BIGNUM *newkey_n, *newkey_e;

/* proposition C2 - Receive client's public key modulus */
RSA *newkey = RSA_new();
{

int len_n = ReceiveTransaction(conn->conn_info, recvbuffer, NULL);
if (len_n == -1)
{
Log(LOG_LEVEL_ERR, "Authentication failure: "
"error while receiving public key modulus");
RSA_free(newkey);
return false;
}

if ((newkey->n = BN_mpi2bn(recvbuffer, len_n, NULL)) == NULL)
if ((newkey_n = BN_mpi2bn(recvbuffer, len_n, NULL)) == NULL)
{
Log(LOG_LEVEL_ERR, "Authentication failure: "
"private decrypt of received public key modulus failed "
"(%s)", CryptoLastErrorString());
RSA_free(newkey);
return false;
}
}
Expand All @@ -800,20 +806,38 @@ RSA *newkey = RSA_new();
{
Log(LOG_LEVEL_ERR, "Authentication failure: "
"error while receiving public key exponent");
RSA_free(newkey);
return false;
}

if ((newkey->e = BN_mpi2bn(recvbuffer, len_e, NULL)) == NULL)
if ((newkey_e = BN_mpi2bn(recvbuffer, len_e, NULL)) == NULL)
{
Log(LOG_LEVEL_ERR, "Authentication failure: "
"private decrypt of received public key exponent failed "
"(%s)", CryptoLastErrorString());
RSA_free(newkey);
BN_free(newkey_n);
return false;
}
}

RSA *newkey = RSA_new();
if (newkey == NULL)
{
Log(LOG_LEVEL_ERR, "Failed to allocate RSA key: %s",
TLSErrorString(ERR_get_error()));
BN_free(newkey_n);
BN_free(newkey_e);
return false;
}
if (RSA_set0_key(newkey, newkey_n, newkey_e, NULL) != 1)
{
Log(LOG_LEVEL_ERR, "Failed to set RSA key: %s",
TLSErrorString(ERR_get_error()));
BN_free(newkey_n);
BN_free(newkey_e);
RSA_free(newkey);
return false;
}

/* Compute and store hash of the client's public key. */
{
Key *key = KeyNew(newkey, CF_DEFAULT_DIGEST);
Expand Down Expand Up @@ -897,12 +921,15 @@ RSA *newkey = RSA_new();

char bignum_buf[CF_BUFSIZE] = { 0 };

const BIGNUM *n, *e;
RSA_get0_key(PUBKEY, &n, &e, NULL);

/* proposition S4 - conditional */
int len_n = BN_bn2mpi(PUBKEY->n, bignum_buf);
int len_n = BN_bn2mpi(n, bignum_buf);
SendTransaction(conn->conn_info, bignum_buf, len_n, CF_DONE);

/* proposition S5 - conditional */
int len_e = BN_bn2mpi(PUBKEY->e, bignum_buf);
int len_e = BN_bn2mpi(e, bignum_buf);
SendTransaction(conn->conn_info, bignum_buf, len_e, CF_DONE);
}
}
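Review bot: In the `@@ -800,20 +806,38 @@` hunk the "error while receiving public key exponent" branch lost its `RSA_free(newkey)` but gained no `BN_free(newkey_n)`, so the modulus BIGNUM parsed in the preceding hunk leaks on that path; the sibling failure branch a few lines below does free it, and this one should match: `BN_free(newkey_n); return false;`. Because a peer reaches this path simply by dropping the connection after the modulus is sent, the leak is reachable from the network and accumulates on a long-running cf-serverd. The enclosing function starts and ends outside these hunks.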
27 changes: 17 additions & 10 deletions cf-serverd/server_common.c
Expand Up @@ -43,6 +43,7 @@ static const int CF_NOSIZE = -1;
#include <pipes.h>
#include <classic.h> /* SendSocketStream */
#include <net.h> /* SendTransaction,ReceiveTransaction */
#include <openssl/err.h> /* ERR_get_error */
#include <tls_generic.h> /* TLSSend */
#include <rlist.h>
#include <cf-serverd-enterprise-stubs.h>
Expand Down Expand Up @@ -557,7 +558,6 @@ void CfEncryptGetFile(ServerFileGetState *args)
unsigned char iv[32] =
{ 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 };
int blocksize = CF_BUFSIZE - 4 * CF_INBAND_OFFSET;
EVP_CIPHER_CTX ctx;
char *key, enctype;
struct stat sb;
ConnectionInfo *conn_info = args->conn->conn_info;
Expand All @@ -579,9 +579,16 @@ void CfEncryptGetFile(ServerFileGetState *args)
Log(LOG_LEVEL_INFO, "REFUSE access to file: %s", filename);
RefuseAccess(args->conn, args->replyfile);
FailedTransfer(conn_info);
return;
}

EVP_CIPHER_CTX_init(&ctx);
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
if (ctx == NULL)
{
Log(LOG_LEVEL_ERR, "Failed to allocate cipher: %s",
TLSErrorString(ERR_get_error()));
return;
}

if ((fd = safe_open(filename, O_RDONLY)) == -1)
{
Expand Down Expand Up @@ -630,20 +637,20 @@ void CfEncryptGetFile(ServerFileGetState *args)

if (n_read > 0)
{
EVP_EncryptInit_ex(&ctx, CfengineCipher(enctype), NULL, key, iv);
EVP_EncryptInit_ex(ctx, CfengineCipher(enctype), NULL, key, iv);

if (!EVP_EncryptUpdate(&ctx, out, &cipherlen, sendbuffer, n_read))
if (!EVP_EncryptUpdate(ctx, out, &cipherlen, sendbuffer, n_read))
{
FailedTransfer(conn_info);
EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
close(fd);
return;
}

if (!EVP_EncryptFinal_ex(&ctx, out + cipherlen, &finlen))
if (!EVP_EncryptFinal_ex(ctx, out + cipherlen, &finlen))
{
FailedTransfer(conn_info);
EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
close(fd);
return;
}
Expand All @@ -654,7 +661,7 @@ void CfEncryptGetFile(ServerFileGetState *args)
if (SendTransaction(conn_info, out, cipherlen + finlen, CF_DONE) == -1)
{
Log(LOG_LEVEL_VERBOSE, "Send failed in GetFile. (send: %s)", GetErrorStr());
EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
close(fd);
return;
}
Expand All @@ -666,14 +673,14 @@ void CfEncryptGetFile(ServerFileGetState *args)
{
Log(LOG_LEVEL_VERBOSE, "Send failed in GetFile. (send: %s)", GetErrorStr());
close(fd);
EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
return;
}
}
}
}

EVP_CIPHER_CTX_cleanup(&ctx);
EVP_CIPHER_CTX_free(ctx);
close(fd);
}

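Review bot: In the `@@ -579,9 +579,16 @@` hunk the cipher context is now heap-allocated before `safe_open()` is called, so the open-failure branch that begins just below the hunk (not visible here) must call `EVP_CIPHER_CTX_free(ctx)` or the context leaks on every missing or unreadable file; moving `EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();` below the open check (and adding `close(fd);` to its NULL branch) avoids the extra cleanup site. The `ctx == NULL` branch also returns without `FailedTransfer(conn_info);`, unlike the refuse and encrypt-failure exits in this function, so the peer is left waiting for a reply that never comes. CfEncryptGetFile starts outside the section; its end is visible in the last hunk.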
4 changes: 3 additions & 1 deletion cf-serverd/server_tls.c
Expand Up @@ -186,7 +186,9 @@ void ServerTLSDeInitialize()
*/
int ServerTLSPeek(ConnectionInfo *conn_info)
{
assert(SSLSERVERCONTEXT != NULL && PRIVKEY != NULL && PUBKEY != NULL);
assert(SSLSERVERCONTEXT != NULL);
assert(PRIVKEY != NULL);
assert(PUBKEY != NULL);

assert(ConnectionInfoProtocolVersion(conn_info) == CF_PROTOCOL_UNDEFINED);

2 changes: 1 addition & 1 deletion configure.ac
Expand Up @@ -437,7 +437,7 @@ fi

CF3_WITH_LIBRARY(openssl, [
AC_CHECK_LIB(crypto, RSA_generate_key_ex, [], [])
AC_CHECK_LIB(ssl, SSL_library_init, [], [])
AC_CHECK_LIB(ssl, SSL_free, [], [])
AC_CHECK_DECLS([SSL_CTX_clear_options], [], [], [[#include <openssl/ssl.h>]])
AC_CHECK_HEADERS([openssl/opensslv.h], [], [AC_MSG_ERROR(Cannot find OpenSSL)])
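Review bot: The `AC_CHECK_LIB(ssl, SSL_free, [], [])` line replaces the `SSL_library_init` probe without recording why, and a later reader may see a switch to a less specific symbol and revert it; a one-line comment above it, `dnl SSL_library_init is a macro in OpenSSL 1.1, so probe a symbol that is a real function in both 1.0 and 1.1`, keeps the reason with the check.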
