Bug#859718: Please review patches for ssldump

Sebastian Andrzej Siewior sebastian at breakpoint.cc
Fri Dec 15 20:41:09 UTC 2017


On 2017-12-14 01:58:25 [+0100], Hilko Bengen wrote:
> Control: tag -1 patch
> 
> I have prepared patches for ssldump to
> 
> (1) recognize OpenSSL 1.1 at configure time

>Index: ssldump/configure.in
>===================================================================
>--- ssldump.orig/configure.in
>+++ ssldump/configure.in
>@@ -187,8 +187,13 @@ if test "$ac_use_openssl" != "false"; th
> 		save_LDFLAGS=$LDFLAGS
> 		LIBS="-lssl -lcrypto $LIBS"
> 		LDFLAGS="-L$dir $LDFLAGS"
>-		AC_TRY_LINK_FUNC(SSL_load_error_strings,ac_linked_libssl="true",
>-			ac_linked_libssl="false");
>+                AC_TRY_LINK([
>+                        #define OPENSSL_API_COMPAT 0x10000000L

You should not define this.

>+                        #include <openssl/ssl.h>
>+                        ],
>+                        [SSL_load_error_strings()],
>+                        ac_linked_libssl="true",
>+                        ac_linked_libssl="false");
> 		AC_TRY_LINK_FUNC(RC4_set_key,ac_linked_libcrypto="true",
> 			ac_linked_libcrypto="false");
> 		if test "$ac_linked_libssl" != "false" -a \
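Review bot: the added lines in this hunk are indented with spaces while the surrounding configure.in lines (`save_LDFLAGS=$LDFLAGS`, the `AC_TRY_LINK_FUNC(RC4_set_key,...` call) use tabs; keep the tab indentation so the file stays consistent. AC_TRY_LINK is also an obsolete autoconf macro; since this check is being rewritten anyway, the current spelling is `AC_LINK_IFELSE([AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_load_error_strings()])], [ac_linked_libssl="true"], [ac_linked_libssl="false"])`, with the OPENSSL_API_COMPAT define left out of the test program.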

> (2) deal with API changes

>Index: ssldump/ssl/ssl_rec.c
>===================================================================
>--- ssldump.orig/ssl/ssl_rec.c
>+++ ssldump/ssl/ssl_rec.c
>@@ -116,7 +116,7 @@ int ssl_create_rec_decoder(dp,cs,mk,sk,i
>     dec->cs=cs;
>     if(r=r_data_create(&dec->mac_key,mk,cs->dig_len))
>       ABORT(r);
>-    if(!(dec->evp=(EVP_CIPHER_CTX *)malloc(sizeof(EVP_CIPHER_CTX))))
>+    if(!(dec->evp=EVP_CIPHER_CTX_new()))

The counterpart probably uses free() but should use
EVP_CIPHER_CTX_free() instead.

>       ABORT(R_NO_MEMORY);
>     EVP_CIPHER_CTX_init(dec->evp);
>     EVP_CipherInit(dec->evp,ciph,sk,iv,0);
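Review bot: with `dec->evp=EVP_CIPHER_CTX_new()` the following `EVP_CIPHER_CTX_init(dec->evp);` becomes redundant: EVP_CIPHER_CTX_new() already returns an initialised context, and in OpenSSL 1.1 EVP_CIPHER_CTX_init is only a compatibility macro for EVP_CIPHER_CTX_reset, so that line can go together with the malloc. The return value of `EVP_CipherInit(dec->evp,ciph,sk,iv,0)` is still unchecked; it returns 0 on failure, so the decoder should ABORT there as it does for the allocation.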
>@@ -228,35 +228,35 @@ static int tls_check_mac(d,ct,ver,data,d
>   UINT4 datalen;
>   UCHAR *mac;
>   {
>-    HMAC_CTX hm;
>+    HMAC_CTX *hm = HMAC_CTX_new();
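Review bot: `HMAC_CTX *hm = HMAC_CTX_new();` trades a stack object for a heap allocation without a NULL check; follow the pattern this file already uses and add `if(!hm) ABORT(R_NO_MEMORY);` before the first use. Whatever the function did to release the stack context on its exit paths must now become HMAC_CTX_free(hm), which also performs the cleanup, otherwise every MAC check leaks a context. To keep the code building against OpenSSL 1.0.2, which has no HMAC_CTX_new(), the usual approach is a small compat shim guarded by `#if OPENSSL_VERSION_NUMBER < 0x10100000L` that defines HMAC_CTX_new()/HMAC_CTX_free() in terms of malloc plus HMAC_CTX_init and HMAC_CTX_cleanup plus free.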

`hm' can now be null. I assume that upstream would love it if it would
still compile against 1.0.2 (which lacks HMAC_CTX_new()).

From the remaining part, nothing stands out.

> Cheers,
> -Hilko
> 

Sebastian
