Radish alpha
H
HardenedBSD-pkg
rad:z3QDZAW2FAfuLvihrhiyDC9fAD8G9
HardenedBSD Package Manager
Radicle
Git
Commits ebe901e
openssl: fix run with openssl3
Baptiste Daroussin committed 2 years ago
commit ebe901e2fa5068f51dfcc4aa2052cda87ddddf3a
parent f269873
1 file changed +9 -30
modified libpkg/rsa.c
@@ -37,31 +37,6 @@
#include "private/event.h"

#include "private/pkg.h"
- 
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
- 
/*
- 
 * This matches the historical usage for pkg.  Older versions sign the hex
- 
 * encoding of the SHA256 checksum.  If we ever deprecated RSA, this can go
- 
 * away.
- 
 */
- 
static EVP_MD *md_pkg_sha1;
-
- 
static EVP_MD *
- 
EVP_md_pkg_sha1(void)
- 
{
-
- 
	if (md_pkg_sha1 != NULL)
- 
		return (md_pkg_sha1);
-
- 
	md_pkg_sha1 = EVP_MD_meth_dup(EVP_sha1());
- 
	if (md_pkg_sha1 == NULL)
- 
		return (NULL);
-
- 
	EVP_MD_meth_set_result_size(md_pkg_sha1,
- 
	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
- 
	return (md_pkg_sha1);
- 
}
- 
#endif	/* OPENSSL_VERSION_NUMBER >= 0x10100000L */
- 


struct pkg_key {

	pkg_password_cb *pw_cb;

	char *path;
@@ -217,6 +192,7 @@ rsa_verify_cert(unsigned char *key, int keylen,
	OpenSSL_add_all_algorithms();

	OpenSSL_add_all_ciphers();
+ 


	ret = pkg_emit_sandbox_call(rsa_verify_cert_cb, fd, &cbdata);

	if (need_close)

		close(fd);
@@ -232,6 +208,7 @@ rsa_verify_cb(int fd, void *ud)
	char errbuf[1024];

	EVP_PKEY *pkey = NULL;

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
	const EVP_MD *md;

	EVP_PKEY_CTX *ctx;

#else

	RSA *rsa;
@@ -276,7 +253,8 @@ rsa_verify_cb(int fd, void *ud)
		return (EPKG_FATAL);

	}
- 
	if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) {
+ 
	md = EVP_sha1();
+ 
	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {

		EVP_PKEY_CTX_free(ctx);

		EVP_PKEY_free(pkey);

		free(sha256);
@@ -284,7 +262,7 @@ rsa_verify_cb(int fd, void *ud)
	}



	ret = EVP_PKEY_verify(ctx, cbdata->sig, cbdata->siglen, sha256,
- 
	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
+ 
	    EVP_MD_size(md));

#else

	rsa = EVP_PKEY_get1_RSA(pkey);
@@ -360,6 +338,7 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret,
	char errbuf[1024];

	int max_len = 0, ret;

#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+ 
	const EVP_MD *md;

	EVP_PKEY_CTX *ctx;

	size_t siglen;

#else
@@ -403,15 +382,15 @@ rsa_sign(char *path, struct pkg_key *keyinfo, unsigned char **sigret,
		return (EPKG_FATAL);

	}
- 
	if (EVP_PKEY_CTX_set_signature_md(ctx, EVP_md_pkg_sha1()) <= 0) {
+ 
	md = EVP_sha1();
+ 
	if (EVP_PKEY_CTX_set_signature_md(ctx, md) <= 0) {

		EVP_PKEY_CTX_free(ctx);

		free(sha256);

		return (EPKG_FATAL);

	}
- 


	siglen = max_len;

	ret = EVP_PKEY_sign(ctx, *sigret, &siglen, sha256,
- 
	    pkg_checksum_type_size(PKG_HASH_TYPE_SHA256_HEX));
+ 
	    EVP_MD_size(md));

#else

	rsa = EVP_PKEY_get1_RSA(keyinfo->key);