On Sat, Jul 02, 2016 at 06:48:58PM +0200, Hilko Bengen wrote:
> control: tag -1 help
> control: tag -1 moreinfo
>
> Hi Kurt,
>
> I have prepared a patch that allows most of bro to build with OpenSSL
> 1.1. There are still some issues that I haven't been able to figure out
> with looking at the OpenSSL source. Please have a look at the attached
> patch.
>
> The remaining issues (all in
> bro-2.4.0+dfsg/src/file_analysis/analyzer/x509/functions.bif) are about
> what seems to be missing OCSP getter functions:
>
> - For OCSP_RECPID *rid:
> - rid->type
> - rid->value.byKey->length
> - rid->value.byKey->data
I guess that's OCSP_RESPID.
> - For OCSP_BASICRESP *basic:
> - basic->certs
> - basic->tbsResponseData->responderId
Will look into it.
I also had a quick view at your patch.
> @@ -138,7 +138,9 @@ RecordVal* file_analysis::X509::ParseCertificate(X509Val*
> cert_val, const char*
> // we only read 255 bytes because byte 256 is always 0.
> // if the string is longer than 255, that will be our null-termination,
> // otherwhise i2t does null-terminate.
> - if ( ! i2t_ASN1_OBJECT(buf, 255,
> ssl_cert->cert_info->key->algor->algorithm) )
> + ASN1_OBJECT *algorithm;
> + X509_PUBKEY_get0_param(&algorithm, NULL, NULL, NULL,
> X509_get_X509_PUBKEY(ssl_cert));
> + if ( ! i2t_ASN1_OBJECT(buf, 255, algorithm) )
> buf[0] = 0;
>
> pX509Cert->Assign(7, new StringVal(buf));
> @@ -149,14 +151,17 @@ RecordVal*
> file_analysis::X509::ParseCertificate(X509Val* cert_val, const char*
> // actually should be (namely - rsaEncryption), so that OpenSSL will
> parse out the
> // key later. Otherwise it will just fail to parse the certificate key.
>
> - ASN1_OBJECT* old_algorithm = 0;
> - if ( OBJ_obj2nid(ssl_cert->cert_info->key->algor->algorithm) ==
> NID_md5WithRSAEncryption )
> + if ( X509_get_signature_nid(ssl_cert) == NID_md5WithRSAEncryption )
> {
> - old_algorithm = ssl_cert->cert_info->key->algor->algorithm;
> - ssl_cert->cert_info->key->algor->algorithm =
> OBJ_nid2obj(NID_rsaEncryption);
> + X509_PUBKEY_set0_param(X509_get_X509_PUBKEY(ssl_cert),
> OBJ_nid2obj(NID_rsaEncryption), 0, NULL, NULL, 0);
> + }
> + else
> + {
> + ASN1_OBJECT_free(algorithm);
> + algorithm = 0;
> }
The manpage says that algorithm is an internal pointer that should
not be freed.
> @@ -165,14 +170,16 @@ RecordVal*
> file_analysis::X509::ParseCertificate(X509Val* cert_val, const char*
> EVP_PKEY *pkey = X509_extract_key(ssl_cert);
> if ( pkey != NULL )
> {
> - if ( pkey->type == EVP_PKEY_DSA )
> + if ( DSA *dsa = EVP_PKEY_get0_DSA(pkey) )
I think you're looking EVP_PKEY_base_id?
> @@ -357,15 +357,15 @@ function x509_ocsp_verify%(certs: x509_opaque_vector,
> ocsp_reply: string, root_c
> else
> {
> // issuer not in list sent by server, check store
> - X509_OBJECT obj;
> - int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509,
> X509_get_subject_name(cert), &obj);
> + X509_OBJECT *obj = X509_OBJECT_new();
> + int lookup = X509_STORE_get_by_subject(csc, X509_LU_X509,
> X509_get_subject_name(cert), obj);
> if ( lookup <= 0)
> {
> rval = x509_result_record(lookup, "Could not find
> issuer of host certificate");
> goto x509_ocsp_cleanup;
> }
>
> - certid = OCSP_cert_to_id(NULL, cert, obj.data.x509);
> + certid = OCSP_cert_to_id(NULL, cert,X509_OBJECT_get0_X509(
> obj));
I think you forgot to call X509_OBJECT_free(obj) here.
Kurt