c339e955cf
Fix CVE-2017-9287.
114 lines
3.8 KiB
Diff
114 lines
3.8 KiB
Diff
--- libraries/libldap/tls_o.c.orig
|
|
+++ libraries/libldap/tls_o.c
|
|
@@ -47,7 +47,7 @@
|
|
#include <ssl.h>
|
|
#endif
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
#define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
|
|
#endif
|
|
|
|
@@ -62,7 +62,7 @@ static void tlso_info_cb( const SSL *ssl, int where, i
|
|
static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
|
|
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
|
|
static int tlso_seed_PRNG( const char *randfile );
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
/*
|
|
* OpenSSL 1.1 API and later has new locking code
|
|
*/
|
|
@@ -157,7 +157,7 @@ tlso_init( void )
|
|
(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
|
|
#endif
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
SSL_load_error_strings();
|
|
SSL_library_init();
|
|
OpenSSL_add_all_digests();
|
|
@@ -179,7 +179,7 @@ tlso_destroy( void )
|
|
{
|
|
struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
EVP_cleanup();
|
|
#if OPENSSL_VERSION_NUMBER < 0x10000000
|
|
ERR_remove_state(0);
|
|
@@ -205,7 +205,7 @@ static void
|
|
tlso_ctx_ref( tls_ctx *ctx )
|
|
{
|
|
tlso_ctx *c = (tlso_ctx *)ctx;
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
#define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX )
|
|
#endif
|
|
SSL_CTX_up_ref( c );
|
|
@@ -367,7 +367,7 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls
|
|
SSL_CTX_set_verify( ctx, i,
|
|
lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
|
|
tlso_verify_ok : tlso_verify_cb );
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
|
|
#endif
|
|
#ifdef HAVE_OPENSSL_CRL
|
|
@@ -464,7 +464,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *
|
|
if (!x) return LDAP_INVALID_CREDENTIALS;
|
|
|
|
xn = X509_get_subject_name(x);
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
|
|
der_dn->bv_val = xn->bytes->data;
|
|
#else
|
|
@@ -500,7 +500,7 @@ tlso_session_peer_dn( tls_session *sess, struct berval
|
|
return LDAP_INVALID_CREDENTIALS;
|
|
|
|
xn = X509_get_subject_name(x);
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
|
|
der_dn->bv_val = xn->bytes->data;
|
|
#else
|
|
@@ -721,7 +721,7 @@ struct tls_data {
|
|
Sockbuf_IO_Desc *sbiod;
|
|
};
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
#define BIO_set_init(b, x) b->init = x
|
|
#define BIO_set_data(b, x) b->ptr = x
|
|
#define BIO_clear_flags(b, x) b->flags &= ~(x)
|
|
@@ -822,7 +822,7 @@ tlso_bio_puts( BIO *b, const char *str )
|
|
return tlso_bio_write( b, str, strlen( str ) );
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
+#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100000
|
|
struct bio_method_st {
|
|
int type;
|
|
const char *name;
|
|
@@ -1138,7 +1138,7 @@ tlso_report_error( void )
|
|
}
|
|
}
|
|
|
|
-#if OPENSSL_VERSION_NUMBER < 0x10100000
|
|
+#if defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < 0x10100000
|
|
static RSA *
|
|
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
|
|
{
|
|
@@ -1186,10 +1186,11 @@
|
|
* The fact is that when $HOME is NULL, .rnd is used.
|
|
*/
|
|
randfile = RAND_file_name( buffer, sizeof( buffer ) );
|
|
-
|
|
+#ifdef HAVE_SSL_RAND_EGD
|
|
} else if (RAND_egd(randfile) > 0) {
|
|
/* EGD socket */
|
|
return 0;
|
|
+#endif
|
|
}
|
|
|
|
if (randfile == NULL) {
|