svn commit: r359081 - stable/12/contrib/sendmail/src
Hiroki Sato
hrs at FreeBSD.org
Wed Mar 18 18:22:00 UTC 2020
Author: hrs
Date: Wed Mar 18 18:21:58 2020
New Revision: 359081
URL: https://svnweb.freebsd.org/changeset/base/359081
Log:
MFC of r358404, r358410, r358412, and r358413:
Fix broken STARTTLS when SharedMemoryKey is enabled.
OpenSSL 1.1 API patch for sendmail had a bug which
prevented sm_RSA_generate_key() function from working.
This function is used to generate a temporary RSA key
for a shared memory region used for TLS processing.
Note that 12.0 and 12.1-RELEASE include this bug.
This affects only configurations in which both the SM_CONF_SHM compile-time
option (enabled by default) and the SharedMemoryKey
run-time option (not enabled by default) are specified in a .cf file.
The latter corresponds to confSHARED_MEMORY_KEY in
a .mc file.
Fix style inconsistencies.
Do not free p and g parameters after calling DH_set0_pqg(3).
PR: 242861
Differential Revision: https://reviews.freebsd.org/D23734
Modified:
stable/12/contrib/sendmail/src/tls.c
Directory Properties:
stable/12/ (props changed)
Modified: stable/12/contrib/sendmail/src/tls.c
==============================================================================
--- stable/12/contrib/sendmail/src/tls.c Wed Mar 18 18:20:55 2020 (r359080)
+++ stable/12/contrib/sendmail/src/tls.c Wed Mar 18 18:21:58 2020 (r359081)
@@ -56,10 +56,10 @@ DH_set0_pqg(dh, p, q, g)
BIGNUM *q;
BIGNUM *g;
{
- dh->p=p;
+ dh->p = p;
if (q != NULL)
- dh->q=q;
- dh->g=g;
+ dh->q = q;
+ dh->g = g;
return 1; /* success */
}
# endif /* !defined() || OPENSSL_VERSION_NUMBER < 0x00907000L */
@@ -83,20 +83,25 @@ static unsigned char dh512_g[] =
static DH *
get_dh512()
{
- DH *dh = NULL;
+ DH *dh;
BIGNUM *dhp_bn, *dhg_bn;
if ((dh = DH_new()) == NULL)
return NULL;
dhp_bn = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
dhg_bn = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
- if ((dhp_bn == NULL) || (dhg_bn == NULL) || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+ if ((dhp_bn == NULL) || (dhg_bn == NULL))
{
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
- return(NULL);
+ return NULL;
}
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+ {
+ DH_free(dh);
+ return NULL;
+ }
return dh;
}
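Review bot: In the new failure branch after `if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))`, only dh is freed, so dhp_bn and dhg_bn leak whenever the call returns 0. As far as I can tell, OpenSSL 1.1's DH_set0_pqg() rejects the call before storing the new values, so on failure the caller still owns both BIGNUMs; the manual page only describes the success case, so please confirm against the OpenSSL version in use. The branch is admittedly hard to reach here because both values were just checked for NULL, but the cleanup should read `DH_free(dh); BN_free(dhp_bn); BN_free(dhg_bn); return NULL;`. The same pattern appears in the get_dh2048 hunk below.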
@@ -117,7 +122,7 @@ oK0jjSXgFyeU4/NfyA+zuNeWzUL6bHmigwIBAg==
static DH *
get_dh2048()
{
- static unsigned char dh2048_p[]={
+ static unsigned char dh2048_p[] = {
0xAC,0x37,0x20,0x70,0xBA,0x71,0x12,0x4B,0x10,0x1C,0xF9,0x68,
0x95,0x12,0x82,0x50,0x9D,0xAC,0xCC,0xA4,0x73,0x8A,0xC7,0x96,
0x57,0xD7,0x14,0x49,0x03,0x59,0x1B,0x1A,0x06,0xC3,0xB2,0xA4,
@@ -141,22 +146,27 @@ get_dh2048()
0xE3,0xF3,0x5F,0xC8,0x0F,0xB3,0xB8,0xD7,0x96,0xCD,0x42,0xFA,
0x6C,0x79,0xA2,0x83,
};
- static unsigned char dh2048_g[]={ 0x02, };
+ static unsigned char dh2048_g[] = { 0x02, };
DH *dh;
BIGNUM *dhp_bn, *dhg_bn;
- if ((dh=DH_new()) == NULL)
- return(NULL);
- dhp_bn = BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dhg_bn = BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dhp_bn == NULL) || (dhg_bn == NULL) || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+ if ((dh = DH_new()) == NULL)
+ return NULL;
+ dhp_bn = BN_bin2bn(dh2048_p, sizeof(dh2048_p), NULL);
+ dhg_bn = BN_bin2bn(dh2048_g, sizeof(dh2048_g), NULL);
+ if ((dhp_bn == NULL) || (dhg_bn == NULL))
{
DH_free(dh);
BN_free(dhp_bn);
BN_free(dhg_bn);
- return(NULL);
+ return NULL;
}
- return(dh);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn))
+ {
+ DH_free(dh);
+ return NULL;
+ }
+ return dh;
}
# endif /* !NO_DH */
@@ -744,19 +754,16 @@ sm_RSA_generate_key(num, e)
unsigned long e;
{
RSA *rsa = NULL;
- BIGNUM *bn_rsa_r4;
- int rc;
+ BIGNUM *bn_rsa_r4;
bn_rsa_r4 = BN_new();
- rc = BN_set_word(bn_rsa_r4, RSA_F4);
- if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, RSA_F4) && (rsa = RSA_new()) != NULL)
+ if ((bn_rsa_r4 != NULL) && BN_set_word(bn_rsa_r4, e) && (rsa = RSA_new()) != NULL)
{
- if (!RSA_generate_key_ex(rsa, RSA_KEYLENGTH, bn_rsa_r4, NULL))
+ if (!RSA_generate_key_ex(rsa, num, bn_rsa_r4, NULL))
{
RSA_free(rsa);
rsa = NULL;
}
- return NULL;
}
BN_free(bn_rsa_r4);
return rsa;
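Review bot: sm_RSA_generate_key still has no comment stating its contract now that num and e are actually passed through: it returns a freshly allocated RSA the caller must release with RSA_free(), or NULL when BN_new(), BN_set_word(), RSA_new() or RSA_generate_key_ex() fails. A header comment above the definition such as `/* Generate a num-bit RSA key with public exponent e; returns NULL on any allocation or generation failure, caller frees with RSA_free(). */` would document that; the signature and the `int num` declaration are outside this hunk. Since the removed unconditional `return NULL;` inside the success path is what made the function useless, a one-line comment noting that rsa is deliberately returned only after BN_free(bn_rsa_r4) would help the next reader see why the structure is as it is.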
@@ -1263,7 +1270,7 @@ inittls(ctx, req, options, srv, certfile, keyfile, cac
if (tTd(96, 2))
sm_dprintf("inittls: Generating %d bit DH parameters\n", bits);
- dsa=DSA_new();
+ dsa = DSA_new();
/* this takes a while! */
(void)DSA_generate_parameters_ex(dsa, bits, NULL, 0,
NULL, NULL, NULL);