diff --git a/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch b/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch index b4a4872..43a1d0a 100644 --- a/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch +++ b/0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch @@ -1,4 +1,4 @@ -From a3126babc502c7e79b866c3db04e92bd7cfa7bbb Mon Sep 17 00:00:00 2001 +From 7f0daf6cd3b6018c882c553ce0a3da51d47fec83 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= Date: Thu, 30 Jul 2015 10:48:47 +0200 Subject: [PATCH 1/3] Set sys.bindir to /usr/sbin, expect cf-*components there @@ -13,7 +13,7 @@ masterfiles/update/update_processes.cf:enable_cfengine_agents 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c -index 7c20d9263108..8bea42c7f7a7 100644 +index 5447659da5e1..5715d9acc7b7 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c @@ -589,8 +589,7 @@ static void GetNameInfo3(EvalContext *ctx) @@ -45,5 +45,5 @@ index 7c20d9263108..8bea42c7f7a7 100644 if (stat(name, &sb) != -1) -- -2.15.0 +2.17.1 diff --git a/0002-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch b/0002-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch index c85e022..d7ef59d 100644 --- a/0002-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch +++ b/0002-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch @@ -1,4 +1,4 @@ -From 7b2bde90b9499920872723c733aea202f044d709 Mon Sep 17 00:00:00 2001 +From 35f37177192c77c66634346db354140b3c494dd0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= Date: Fri, 11 Apr 2014 09:25:05 +0200 Subject: [PATCH 2/3] Simplify and fix parsing of /etc/SuSE-release (fixes @@ -13,14 +13,14 @@ to achieve the following first line of /etc/SuSE-release - verified for sles version 9,10,11,12; sled versions 10,11,12, openSUSE 13.1 --- - libenv/sysinfo.c | 187 ++++++++++++++++++------------------------------------- + libenv/sysinfo.c | 187 +++++++++++++++-------------------------------- 1 file changed, 60 insertions(+), 127 deletions(-) diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c -index 8bea42c7f7a7..b8fc9c76cf65 100644 +index 5715d9acc7b7..29b82b36807b 100644 --- a/libenv/sysinfo.c +++ b/libenv/sysinfo.c -@@ -1822,6 +1822,7 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -1954,6 +1954,7 @@ static int Linux_Suse_Version(EvalContext *ctx) #define SUSE_RELEASE_FLAG "linux " char classbuf[CF_MAXVARSIZE]; @@ -28,7 +28,7 @@ index 8bea42c7f7a7..b8fc9c76cf65 100644 Log(LOG_LEVEL_VERBOSE, "This appears to be a SUSE system."); EvalContextClassPutHard(ctx, "SUSE", "inventory,attribute_name=none,source=agent"); -@@ -1841,23 +1842,26 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -1973,23 +1974,26 @@ static int Linux_Suse_Version(EvalContext *ctx) return 1; } @@ -62,7 +62,7 @@ index 8bea42c7f7a7..b8fc9c76cf65 100644 } } if (ferror(fp)) -@@ -1871,28 +1875,38 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -2003,28 +2007,38 @@ static int Linux_Suse_Version(EvalContext *ctx) fclose(fp); @@ -117,7 +117,7 @@ index 8bea42c7f7a7..b8fc9c76cf65 100644 { Item *list, *ip; -@@ -1910,120 +1924,39 @@ static int Linux_Suse_Version(EvalContext *ctx) +@@ -2042,120 +2056,39 @@ static int Linux_Suse_Version(EvalContext *ctx) } else { @@ -203,7 +203,7 @@ index 8bea42c7f7a7..b8fc9c76cf65 100644 - EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); - strcat(classbuf, "_"); - strcat(classbuf, strmajor); -- SetFlavour(ctx, classbuf); +- SetFlavor(ctx, classbuf); - strcat(classbuf, "_"); - strcat(classbuf, strminor); - EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); @@ -241,7 +241,7 @@ index 8bea42c7f7a7..b8fc9c76cf65 100644 - EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); - - snprintf(classbuf, CF_MAXVARSIZE, "SUSE_%d", major); -- SetFlavour(ctx, classbuf); +- SetFlavor(ctx, classbuf); - - /* The correct spelling for SUSE is "SUSE" but CFEngine used to use "SuSE". - * Keep this for backwards compatibility until CFEngine 3.7 @@ -262,5 +262,5 @@ index 8bea42c7f7a7..b8fc9c76cf65 100644 } -- -2.15.0 +2.17.1 diff --git a/0003-CFE-2629-Openssl-1.1-compatibility.patch b/0003-CFE-2629-Openssl-1.1-compatibility.patch deleted file mode 100644 index b0f72f4..0000000 --- a/0003-CFE-2629-Openssl-1.1-compatibility.patch +++ /dev/null @@ -1,1902 +0,0 @@ -From b1d817e5e65a7db77c1a1b039229b894874f041d Mon Sep 17 00:00:00 2001 -From: Dimitrios Apostolou -Date: Wed, 25 Oct 2017 17:03:39 +0200 -Subject: [PATCH 3/3] CFE-2629: Openssl 1.1 compatibility - -Merge pull request #2916 from jimis/openssl_1_1 ---- - cf-agent/cf-agent.c | 2 + - cf-key/cf-key-functions.c | 6 +- - cf-key/cf-key-functions.h | 1 + - cf-serverd/cf-serverd-functions.c | 8 +- - cf-serverd/server_classic.c | 49 ++- - cf-serverd/server_common.c | 27 +- - cf-serverd/server_tls.c | 4 +- - configure.ac | 2 +- - libcfnet/client_code.c | 32 +- - libcfnet/client_protocol.c | 34 +- - libcfnet/connection_info.h | 2 + - libcfnet/key.h | 4 +- - libcfnet/tls_generic.c | 4 +- - libpromises/crypto.c | 58 +-- - libpromises/files_hashes.c | 111 +++--- - libpromises/files_hashes.h | 2 +- - libpromises/generic_agent.c | 12 +- - libpromises/locks.c | 32 +- - libutils/Makefile.am | 1 + - libutils/encode.c | 1 + - libutils/hash.c | 69 ++-- - libutils/hashes.c | 22 +- - libutils/libcrypto-compat.c | 414 +++++++++++++++++++++ - libutils/libcrypto-compat.h | 62 +++ - libutils/string_lib.c | 2 + - .../serial/nondefault_ciphers_tlsversion.srv | 4 +- - tests/unit/Makefile.am | 12 - - tests/unit/crypto_symmetric_test.c | 8 +- - tests/unit/tls_generic_test.c | 11 + - 29 files changed, 806 insertions(+), 190 deletions(-) - create mode 100644 libutils/libcrypto-compat.c - create mode 100644 libutils/libcrypto-compat.h - -diff --git a/cf-agent/cf-agent.c b/cf-agent/cf-agent.c -index 9578b291b4ac..a11f6ff4daad 100644 ---- a/cf-agent/cf-agent.c -+++ b/cf-agent/cf-agent.c -@@ -241,6 +241,8 @@ int main(int argc, char *argv[]) - - GenericAgentDiscoverContext(ctx, config); - -+ /* FIXME: (CFE-2709) ALWAYS_VALIDATE will always be false here, since it can -+ * only change in KeepPromises(), five lines later on. */ - Policy *policy = SelectAndLoadPolicy(config, ctx, ALWAYS_VALIDATE, true); - - if (!policy) -diff --git a/cf-key/cf-key-functions.c b/cf-key/cf-key-functions.c -index 68b1657e9ed8..ee994af6ad38 100644 ---- a/cf-key/cf-key-functions.c -+++ b/cf-key/cf-key-functions.c -@@ -27,6 +27,7 @@ - - #include /* BN_*, BIGNUM */ - #include /* RAND_* */ -+#include - - #include - #include -@@ -48,6 +49,7 @@ RSA *LoadPublicKey(const char *filename) - { - FILE *fp; - RSA *key; -+ const BIGNUM *n, *e; - - fp = safe_fopen(filename, "r"); - if (fp == NULL) -@@ -69,7 +71,9 @@ RSA *LoadPublicKey(const char *filename) - - fclose(fp); - -- if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e)) -+ RSA_get0_key(key, &n, &e, NULL); -+ -+ if (BN_num_bits(e) < 2 || !BN_is_odd(e)) - { - Log(LOG_LEVEL_ERR, "Error while reading public key '%s' - RSA Exponent is too small or not odd. (BN_num_bits: %s)", - filename, GetErrorStr()); -diff --git a/cf-key/cf-key-functions.h b/cf-key/cf-key-functions.h -index 59b33a56cc6d..7080b2c624fa 100644 ---- a/cf-key/cf-key-functions.h -+++ b/cf-key/cf-key-functions.h -@@ -39,6 +39,7 @@ - #include - #include - -+ - extern bool LOOKUP_HOSTS; - - RSA *LoadPublicKey(const char *filename); -diff --git a/cf-serverd/cf-serverd-functions.c b/cf-serverd/cf-serverd-functions.c -index 8d10a0f5487f..346c6493f925 100644 ---- a/cf-serverd/cf-serverd-functions.c -+++ b/cf-serverd/cf-serverd-functions.c -@@ -869,7 +869,13 @@ static void AcceptAndHandle(EvalContext *ctx, int sd) - int StartServer(EvalContext *ctx, Policy **policy, GenericAgentConfig *config) - { - InitSignals(); -- ServerTLSInitialize(); -+ -+ bool tls_init_ok = ServerTLSInitialize(); -+ if (!tls_init_ok) -+ { -+ return -1; -+ } -+ - int sd = SetServerListenState(ctx, QUEUESIZE, SERVER_LISTEN, &InitServer); - - /* Necessary for our use of select() to work in WaitForIncoming(): */ -diff --git a/cf-serverd/server_classic.c b/cf-serverd/server_classic.c -index 97bc8abb0c90..2ebec9a390c4 100644 ---- a/cf-serverd/server_classic.c -+++ b/cf-serverd/server_classic.c -@@ -23,7 +23,9 @@ - */ - #include - --#include /* BN_* */ -+#include /* BN_* */ -+#include /* ERR_get_error */ -+#include - - #include - #include /* IsMatchItemIn */ -@@ -36,6 +38,7 @@ - #include /* HashString */ - #include /* HavePublicKey */ - #include /* ReceiveCollectCall */ -+#include - - #include "server.h" /* ServerConnectionState */ - #include "server_common.h" /* ListPersistentClasses */ -@@ -579,7 +582,11 @@ static int CheckStoreKey(ServerConnectionState *conn, RSA *key) - "A public key was already known from %s/%s - no trust required", - conn->hostname, conn->ipaddr); - -- if ((BN_cmp(savedkey->e, key->e) == 0) && (BN_cmp(savedkey->n, key->n) == 0)) -+ const BIGNUM *key_n, *key_e, *savedkey_n, *savedkey_e; -+ RSA_get0_key(key, &key_n, &key_e, NULL); -+ RSA_get0_key(savedkey, &savedkey_n, &savedkey_e, NULL); -+ -+ if ((BN_cmp(savedkey_e, key_e) == 0) && (BN_cmp(savedkey_n, key_n) == 0)) - { - Log(LOG_LEVEL_VERBOSE, - "The public key identity was confirmed as %s@%s", -@@ -770,8 +777,9 @@ char iscrypt, enterprise_field; - HashString(challenge, challenge_len, digest, digestType); - } - -+BIGNUM *newkey_n, *newkey_e; -+ - /* proposition C2 - Receive client's public key modulus */ --RSA *newkey = RSA_new(); - { - - int len_n = ReceiveTransaction(conn->conn_info, recvbuffer, NULL); -@@ -779,16 +787,14 @@ RSA *newkey = RSA_new(); - { - Log(LOG_LEVEL_ERR, "Authentication failure: " - "error while receiving public key modulus"); -- RSA_free(newkey); - return false; - } - -- if ((newkey->n = BN_mpi2bn(recvbuffer, len_n, NULL)) == NULL) -+ if ((newkey_n = BN_mpi2bn(recvbuffer, len_n, NULL)) == NULL) - { - Log(LOG_LEVEL_ERR, "Authentication failure: " - "private decrypt of received public key modulus failed " - "(%s)", CryptoLastErrorString()); -- RSA_free(newkey); - return false; - } - } -@@ -800,20 +806,38 @@ RSA *newkey = RSA_new(); - { - Log(LOG_LEVEL_ERR, "Authentication failure: " - "error while receiving public key exponent"); -- RSA_free(newkey); - return false; - } - -- if ((newkey->e = BN_mpi2bn(recvbuffer, len_e, NULL)) == NULL) -+ if ((newkey_e = BN_mpi2bn(recvbuffer, len_e, NULL)) == NULL) - { - Log(LOG_LEVEL_ERR, "Authentication failure: " - "private decrypt of received public key exponent failed " - "(%s)", CryptoLastErrorString()); -- RSA_free(newkey); -+ BN_free(newkey_n); - return false; - } - } - -+RSA *newkey = RSA_new(); -+if (newkey == NULL) -+{ -+ Log(LOG_LEVEL_ERR, "Failed to allocate RSA key: %s", -+ TLSErrorString(ERR_get_error())); -+ BN_free(newkey_n); -+ BN_free(newkey_e); -+ return false; -+} -+if (RSA_set0_key(newkey, newkey_n, newkey_e, NULL) != 1) -+{ -+ Log(LOG_LEVEL_ERR, "Failed to set RSA key: %s", -+ TLSErrorString(ERR_get_error())); -+ BN_free(newkey_n); -+ BN_free(newkey_e); -+ RSA_free(newkey); -+ return false; -+} -+ - /* Compute and store hash of the client's public key. */ - { - Key *key = KeyNew(newkey, CF_DEFAULT_DIGEST); -@@ -897,12 +921,15 @@ RSA *newkey = RSA_new(); - - char bignum_buf[CF_BUFSIZE] = { 0 }; - -+ const BIGNUM *n, *e; -+ RSA_get0_key(PUBKEY, &n, &e, NULL); -+ - /* proposition S4 - conditional */ -- int len_n = BN_bn2mpi(PUBKEY->n, bignum_buf); -+ int len_n = BN_bn2mpi(n, bignum_buf); - SendTransaction(conn->conn_info, bignum_buf, len_n, CF_DONE); - - /* proposition S5 - conditional */ -- int len_e = BN_bn2mpi(PUBKEY->e, bignum_buf); -+ int len_e = BN_bn2mpi(e, bignum_buf); - SendTransaction(conn->conn_info, bignum_buf, len_e, CF_DONE); - } - } -diff --git a/cf-serverd/server_common.c b/cf-serverd/server_common.c -index 931689dff977..4cce4a7e9a1f 100644 ---- a/cf-serverd/server_common.c -+++ b/cf-serverd/server_common.c -@@ -43,6 +43,7 @@ static const int CF_NOSIZE = -1; - #include - #include /* SendSocketStream */ - #include /* SendTransaction,ReceiveTransaction */ -+#include /* ERR_get_error */ - #include /* TLSSend */ - #include - #include -@@ -557,7 +558,6 @@ void CfEncryptGetFile(ServerFileGetState *args) - unsigned char iv[32] = - { 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 }; - int blocksize = CF_BUFSIZE - 4 * CF_INBAND_OFFSET; -- EVP_CIPHER_CTX ctx; - char *key, enctype; - struct stat sb; - ConnectionInfo *conn_info = args->conn->conn_info; -@@ -579,9 +579,16 @@ void CfEncryptGetFile(ServerFileGetState *args) - Log(LOG_LEVEL_INFO, "REFUSE access to file: %s", filename); - RefuseAccess(args->conn, args->replyfile); - FailedTransfer(conn_info); -+ return; - } - -- EVP_CIPHER_CTX_init(&ctx); -+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ { -+ Log(LOG_LEVEL_ERR, "Failed to allocate cipher: %s", -+ TLSErrorString(ERR_get_error())); -+ return; -+ } - - if ((fd = safe_open(filename, O_RDONLY)) == -1) - { -@@ -630,20 +637,20 @@ void CfEncryptGetFile(ServerFileGetState *args) - - if (n_read > 0) - { -- EVP_EncryptInit_ex(&ctx, CfengineCipher(enctype), NULL, key, iv); -+ EVP_EncryptInit_ex(ctx, CfengineCipher(enctype), NULL, key, iv); - -- if (!EVP_EncryptUpdate(&ctx, out, &cipherlen, sendbuffer, n_read)) -+ if (!EVP_EncryptUpdate(ctx, out, &cipherlen, sendbuffer, n_read)) - { - FailedTransfer(conn_info); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - close(fd); - return; - } - -- if (!EVP_EncryptFinal_ex(&ctx, out + cipherlen, &finlen)) -+ if (!EVP_EncryptFinal_ex(ctx, out + cipherlen, &finlen)) - { - FailedTransfer(conn_info); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - close(fd); - return; - } -@@ -654,7 +661,7 @@ void CfEncryptGetFile(ServerFileGetState *args) - if (SendTransaction(conn_info, out, cipherlen + finlen, CF_DONE) == -1) - { - Log(LOG_LEVEL_VERBOSE, "Send failed in GetFile. (send: %s)", GetErrorStr()); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - close(fd); - return; - } -@@ -666,14 +673,14 @@ void CfEncryptGetFile(ServerFileGetState *args) - { - Log(LOG_LEVEL_VERBOSE, "Send failed in GetFile. (send: %s)", GetErrorStr()); - close(fd); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return; - } - } - } - } - -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - close(fd); - } - -diff --git a/cf-serverd/server_tls.c b/cf-serverd/server_tls.c -index 2bbc17f55f1b..0edcfc9b3a54 100644 ---- a/cf-serverd/server_tls.c -+++ b/cf-serverd/server_tls.c -@@ -186,7 +186,9 @@ void ServerTLSDeInitialize() - */ - int ServerTLSPeek(ConnectionInfo *conn_info) - { -- assert(SSLSERVERCONTEXT != NULL && PRIVKEY != NULL && PUBKEY != NULL); -+ assert(SSLSERVERCONTEXT != NULL); -+ assert(PRIVKEY != NULL); -+ assert(PUBKEY != NULL); - - assert(ConnectionInfoProtocolVersion(conn_info) == CF_PROTOCOL_UNDEFINED); - -diff --git a/configure.ac b/configure.ac -index 93323facd299..2eab4527e85c 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -435,7 +435,7 @@ fi - - CF3_WITH_LIBRARY(openssl, [ - AC_CHECK_LIB(crypto, RSA_generate_key_ex, [], []) -- AC_CHECK_LIB(ssl, SSL_library_init, [], []) -+ AC_CHECK_LIB(ssl, SSL_free, [], []) - AC_CHECK_DECLS([SSL_CTX_clear_options], [], [], [[#include ]]) - AC_CHECK_HEADERS([openssl/opensslv.h], [], [AC_MSG_ERROR(Cannot find OpenSSL)]) - -diff --git a/libcfnet/client_code.c b/libcfnet/client_code.c -index f6348a16e021..0c1314d720f9 100644 ---- a/libcfnet/client_code.c -+++ b/libcfnet/client_code.c -@@ -28,6 +28,8 @@ - #include - #include /* RecvSocketStream */ - #include /* SendTransaction,ReceiveTransaction */ -+#include /* ERR_get_error */ -+#include - #include /* TLSTry */ - #include /* TLSVerifyPeer */ - #include -@@ -42,7 +44,6 @@ - #include /* MemSpan,MemSpanInverse */ - #include /* ProgrammingError */ - #include /* PRINTSIZE */ -- - #include /* LastSaw */ - - -@@ -514,7 +515,6 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - char *buf, in[CF_BUFSIZE], out[CF_BUFSIZE], workbuf[CF_BUFSIZE], cfchangedstr[265]; - unsigned char iv[32] = - { 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 }; -- EVP_CIPHER_CTX crypto_ctx; - - snprintf(cfchangedstr, 255, "%s%s", CF_CHANGEDSTR1, CF_CHANGEDSTR2); - -@@ -543,7 +543,6 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - } - - workbuf[0] = '\0'; -- EVP_CIPHER_CTX_init(&crypto_ctx); - - snprintf(in, CF_BUFSIZE - CF_PROTO_OFFSET, "GET dummykey %s", source); - cipherlen = EncryptString(out, sizeof(out), in, strlen(in) + 1, conn->encryption_type, conn->session_key); -@@ -568,6 +567,15 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - return false; - } - -+ EVP_CIPHER_CTX *crypto_ctx = EVP_CIPHER_CTX_new(); -+ if (crypto_ctx == NULL) -+ { -+ Log(LOG_LEVEL_ERR, "Failed to allocate cipher: %s", -+ TLSErrorString(ERR_get_error())); -+ close(dd); -+ return false; -+ } -+ - buf = xmalloc(CF_BUFSIZE + sizeof(int)); - - bool last_write_made_hole = false; -@@ -577,7 +585,9 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - { - if ((cipherlen = ReceiveTransaction(conn->conn_info, buf, &more)) == -1) - { -+ close(dd); - free(buf); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - -@@ -591,6 +601,7 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - Log(LOG_LEVEL_INFO, "Network access to '%s:%s' denied", conn->this_server, source); - close(dd); - free(buf); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - -@@ -599,22 +610,25 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - Log(LOG_LEVEL_INFO, "Source '%s:%s' changed while copying", conn->this_server, source); - close(dd); - free(buf); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - -- EVP_DecryptInit_ex(&crypto_ctx, CfengineCipher(CfEnterpriseOptions()), NULL, conn->session_key, iv); -+ EVP_DecryptInit_ex(crypto_ctx, CfengineCipher(CfEnterpriseOptions()), NULL, conn->session_key, iv); - -- if (!EVP_DecryptUpdate(&crypto_ctx, workbuf, &plainlen, buf, cipherlen)) -+ if (!EVP_DecryptUpdate(crypto_ctx, workbuf, &plainlen, buf, cipherlen)) - { - close(dd); - free(buf); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - -- if (!EVP_DecryptFinal_ex(&crypto_ctx, workbuf + plainlen, &finlen)) -+ if (!EVP_DecryptFinal_ex(crypto_ctx, workbuf + plainlen, &finlen)) - { - close(dd); - free(buf); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - -@@ -631,7 +645,7 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - unlink(dest); - close(dd); - conn->error = true; -- EVP_CIPHER_CTX_cleanup(&crypto_ctx); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - -@@ -646,12 +660,12 @@ int EncryptCopyRegularFileNet(const char *source, const char *dest, off_t size, - { - unlink(dest); - free(buf); -- EVP_CIPHER_CTX_cleanup(&crypto_ctx); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return false; - } - - free(buf); -- EVP_CIPHER_CTX_cleanup(&crypto_ctx); -+ EVP_CIPHER_CTX_free(crypto_ctx); - return true; - } - -diff --git a/libcfnet/client_protocol.c b/libcfnet/client_protocol.c -index ca2ddb4f94b1..db5909999ebe 100644 ---- a/libcfnet/client_protocol.c -+++ b/libcfnet/client_protocol.c -@@ -24,7 +24,9 @@ - - #include - --#include /* BN_* */ -+#include /* BN_* */ -+#include /* ERR_get_error */ -+#include - - #include - #include -@@ -43,6 +45,7 @@ extern char VFQNAME[]; - #include - #include - #include -+#include /* TLSErrorString */ - - - /*********************************************************************/ -@@ -196,7 +199,10 @@ static bool SetSessionKey(AgentConnection *conn) - return false; - } - -- conn->session_key = (unsigned char *) bp->d; -+ conn->session_key = xmalloc(BN_num_bytes(bp)); -+ BN_bn2bin(bp, conn->session_key); -+ -+ BN_clear_free(bp); - return true; - } - -@@ -293,13 +299,16 @@ int AuthenticateAgent(AgentConnection *conn, bool trust_key) - /*Send the public key - we don't know if server has it */ - /* proposition C2 */ - -+ const BIGNUM *pubkey_n, *pubkey_e; -+ RSA_get0_key(PUBKEY, &pubkey_n, &pubkey_e, NULL); -+ - memset(sendbuffer, 0, CF_EXPANDSIZE); -- len = BN_bn2mpi(PUBKEY->n, sendbuffer); -+ len = BN_bn2mpi(pubkey_n, sendbuffer); - SendTransaction(conn->conn_info, sendbuffer, len, CF_DONE); /* No need to encrypt the public key ... */ - - /* proposition C3 */ - memset(sendbuffer, 0, CF_EXPANDSIZE); -- len = BN_bn2mpi(PUBKEY->e, sendbuffer); -+ len = BN_bn2mpi(pubkey_e, sendbuffer); - SendTransaction(conn->conn_info, sendbuffer, len, CF_DONE); - - /* check reply about public key - server can break conn_info here */ -@@ -432,7 +441,8 @@ int AuthenticateAgent(AgentConnection *conn, bool trust_key) - return false; - } - -- if ((newkey->n = BN_mpi2bn(in, len, NULL)) == NULL) -+ BIGNUM *newkey_n, *newkey_e; -+ if ((newkey_n = BN_mpi2bn(in, len, NULL)) == NULL) - { - Log(LOG_LEVEL_ERR, - "Private key decrypt failed. (BN_mpi2bn: %s)", -@@ -447,15 +457,27 @@ int AuthenticateAgent(AgentConnection *conn, bool trust_key) - { - Log(LOG_LEVEL_INFO, "Protocol error in RSA authentation from IP '%s'", - conn->this_server); -+ BN_clear_free(newkey_n); - RSA_free(newkey); - return false; - } - -- if ((newkey->e = BN_mpi2bn(in, len, NULL)) == NULL) -+ if ((newkey_e = BN_mpi2bn(in, len, NULL)) == NULL) - { - Log(LOG_LEVEL_ERR, - "Public key decrypt failed. (BN_mpi2bn: %s)", - CryptoLastErrorString()); -+ BN_clear_free(newkey_n); -+ RSA_free(newkey); -+ return false; -+ } -+ -+ if (RSA_set0_key(newkey, newkey_n, newkey_e, NULL) != 1) -+ { -+ Log(LOG_LEVEL_ERR, "Failed to set RSA key: %s", -+ TLSErrorString(ERR_get_error())); -+ BN_clear_free(newkey_e); -+ BN_clear_free(newkey_n); - RSA_free(newkey); - return false; - } -diff --git a/libcfnet/connection_info.h b/libcfnet/connection_info.h -index 4d1dfff2d73a..d2eaf46a95d0 100644 ---- a/libcfnet/connection_info.h -+++ b/libcfnet/connection_info.h -@@ -27,7 +27,9 @@ - - - #include -+ - #include -+ - #include - - -diff --git a/libcfnet/key.h b/libcfnet/key.h -index 5ddab0e09a9d..efebce763a7e 100644 ---- a/libcfnet/key.h -+++ b/libcfnet/key.h -@@ -25,9 +25,11 @@ - #ifndef KEY_H - #define KEY_H - --#include - #include - -+#include -+ -+ - /** - @brief Structure to simplify the key management. - -diff --git a/libcfnet/tls_generic.c b/libcfnet/tls_generic.c -index db74be34221d..0e255a4441d0 100644 ---- a/libcfnet/tls_generic.c -+++ b/libcfnet/tls_generic.c -@@ -88,7 +88,7 @@ static int CompareCertToRSA(X509 *cert, RSA *rsa_key) - TLSErrorString(ERR_get_error())); - goto ret1; - } -- if (EVP_PKEY_type(cert_pkey->type) != EVP_PKEY_RSA) -+ if (EVP_PKEY_base_id(cert_pkey) != EVP_PKEY_RSA) - { - Log(LOG_LEVEL_ERR, - "Received key of unknown type, only RSA currently supported!"); -@@ -300,7 +300,7 @@ int TLSVerifyPeer(ConnectionInfo *conn_info, const char *remoteip, const char *u - retval = -1; - goto ret2; - } -- if (EVP_PKEY_type(received_pubkey->type) != EVP_PKEY_RSA) -+ if (EVP_PKEY_base_id(received_pubkey) != EVP_PKEY_RSA) - { - Log(LOG_LEVEL_ERR, - "Received key of unknown type, only RSA currently supported!"); -diff --git a/libpromises/crypto.c b/libpromises/crypto.c -index 36fbb9c903c2..56138f7fbd2a 100644 ---- a/libpromises/crypto.c -+++ b/libpromises/crypto.c -@@ -27,6 +27,7 @@ - #include /* ERR_* */ - #include /* RAND_* */ - #include /* BN_* */ -+#include - - #include - #include -@@ -220,11 +221,15 @@ bool LoadSecretKeys(void) - fclose(fp); - } - -- if (PUBKEY != NULL -- && ((BN_num_bits(PUBKEY->e) < 2) || (!BN_is_odd(PUBKEY->e)))) -+ if (PUBKEY != NULL) - { -- Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd"); -- return false; -+ const BIGNUM *n, *e; -+ RSA_get0_key(PUBKEY, &n, &e, NULL); -+ if ((BN_num_bits(e) < 2) || (!BN_is_odd(e))) -+ { -+ Log(LOG_LEVEL_ERR, "The public key RSA exponent is too small or not odd"); -+ return false; -+ } - } - - return true; -@@ -366,12 +371,16 @@ RSA *HavePublicKey(const char *username, const char *ipaddress, const char *dige - - fclose(fp); - -- if ((BN_num_bits(newkey->e) < 2) || (!BN_is_odd(newkey->e))) - { -- Log(LOG_LEVEL_ERR, "RSA Exponent too small or not odd for key: %s", -- newname); -- RSA_free(newkey); -- return NULL; -+ const BIGNUM *n, *e; -+ RSA_get0_key(newkey, &n, &e, NULL); -+ if ((BN_num_bits(e) < 2) || (!BN_is_odd(e))) -+ { -+ Log(LOG_LEVEL_ERR, "RSA Exponent too small or not odd for key: %s", -+ newname); -+ RSA_free(newkey); -+ return NULL; -+ } - } - - return newkey; -@@ -438,7 +447,6 @@ int EncryptString(char *out, size_t out_size, const char *in, int plainlen, - int cipherlen = 0, tmplen; - unsigned char iv[32] = - { 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 }; -- EVP_CIPHER_CTX ctx; - - if (key == NULL) - ProgrammingError("EncryptString: session key == NULL"); -@@ -451,18 +459,18 @@ int EncryptString(char *out, size_t out_size, const char *in, int plainlen, - max_ciphertext_size, out_size); - } - -- EVP_CIPHER_CTX_init(&ctx); -- EVP_EncryptInit_ex(&ctx, CfengineCipher(type), NULL, key, iv); -+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); -+ EVP_EncryptInit_ex(ctx, CfengineCipher(type), NULL, key, iv); - -- if (!EVP_EncryptUpdate(&ctx, out, &cipherlen, in, plainlen)) -+ if (!EVP_EncryptUpdate(ctx, out, &cipherlen, in, plainlen)) - { -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return -1; - } - -- if (!EVP_EncryptFinal_ex(&ctx, out + cipherlen, &tmplen)) -+ if (!EVP_EncryptFinal_ex(ctx, out + cipherlen, &tmplen)) - { -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return -1; - } - -@@ -474,7 +482,7 @@ int EncryptString(char *out, size_t out_size, const char *in, int plainlen, - cipherlen, max_ciphertext_size); - } - -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return cipherlen; - } - -@@ -521,7 +529,6 @@ int DecryptString(char *out, size_t out_size, const char *in, int cipherlen, - int plainlen = 0, tmplen; - unsigned char iv[32] = - { 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 6, 7, 8 }; -- EVP_CIPHER_CTX ctx; - - if (key == NULL) - ProgrammingError("DecryptString: session key == NULL"); -@@ -534,22 +541,22 @@ int DecryptString(char *out, size_t out_size, const char *in, int cipherlen, - max_plaintext_size, out_size); - } - -- EVP_CIPHER_CTX_init(&ctx); -- EVP_DecryptInit_ex(&ctx, CfengineCipher(type), NULL, key, iv); -+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); -+ EVP_DecryptInit_ex(ctx, CfengineCipher(type), NULL, key, iv); - -- if (!EVP_DecryptUpdate(&ctx, out, &plainlen, in, cipherlen)) -+ if (!EVP_DecryptUpdate(ctx, out, &plainlen, in, cipherlen)) - { - Log(LOG_LEVEL_ERR, "Failed to decrypt string"); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return -1; - } - -- if (!EVP_DecryptFinal_ex(&ctx, out + plainlen, &tmplen)) -+ if (!EVP_DecryptFinal_ex(ctx, out + plainlen, &tmplen)) - { - unsigned long err = ERR_get_error(); - - Log(LOG_LEVEL_ERR, "Failed to decrypt at final of cipher length %d. (EVP_DecryptFinal_ex: %s)", cipherlen, ERR_error_string(err, NULL)); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_free(ctx); - return -1; - } - -@@ -561,8 +568,7 @@ int DecryptString(char *out, size_t out_size, const char *in, int cipherlen, - plainlen, max_plaintext_size); - } - -- EVP_CIPHER_CTX_cleanup(&ctx); -- -+ EVP_CIPHER_CTX_free(ctx); - return plainlen; - } - -diff --git a/libpromises/files_hashes.c b/libpromises/files_hashes.c -index 8663e2d06081..ce9d54ea129d 100644 ---- a/libpromises/files_hashes.c -+++ b/libpromises/files_hashes.c -@@ -24,8 +24,10 @@ - - #include - -+#include /* ERR_* */ - #include /* BN_* */ - #include /* EVP_* */ -+#include - - #include - #include -@@ -40,7 +42,6 @@ - void HashFile(const char *filename, unsigned char digest[EVP_MAX_MD_SIZE + 1], HashMethod type) - { - FILE *file; -- EVP_MD_CTX context; - int len, md_len; - unsigned char buffer[1024]; - const EVP_MD *md = NULL; -@@ -48,30 +49,37 @@ void HashFile(const char *filename, unsigned char digest[EVP_MAX_MD_SIZE + 1], H - if ((file = safe_fopen(filename, "rb")) == NULL) - { - Log(LOG_LEVEL_INFO, "Cannot open file for hashing '%s'. (fopen: %s)", filename, GetErrorStr()); -+ return; - } -- else -- { -- md = EVP_get_digestbyname(HashNameFromId(type)); - -- EVP_DigestInit(&context, md); -+ md = EVP_get_digestbyname(HashNameFromId(type)); - -+ EVP_MD_CTX *context = EVP_MD_CTX_new(); -+ if (context == NULL) -+ { -+ Log(LOG_LEVEL_ERR, "Failed to allocate openssl hashing context"); -+ return; -+ } -+ -+ if (EVP_DigestInit(context, md) == 1) -+ { - while ((len = fread(buffer, 1, 1024, file))) - { -- EVP_DigestUpdate(&context, buffer, len); -+ EVP_DigestUpdate(context, buffer, len); - } - -- EVP_DigestFinal(&context, digest, &md_len); -- -- /* Digest length stored in md_len */ -- fclose(file); -+ EVP_DigestFinal(context, digest, &md_len); - } -+ -+ /* Digest length stored in md_len */ -+ fclose(file); -+ EVP_MD_CTX_free(context); - } - - /*******************************************************************/ - - void HashString(const char *buffer, int len, unsigned char digest[EVP_MAX_MD_SIZE + 1], HashMethod type) - { -- EVP_MD_CTX context; - const EVP_MD *md = NULL; - int md_len; - -@@ -89,10 +97,18 @@ void HashString(const char *buffer, int len, unsigned char digest[EVP_MAX_MD_SIZ - { - Log(LOG_LEVEL_INFO, "Digest type %s not supported by OpenSSL library", HashNameFromId(type)); - } -- else if (EVP_DigestInit(&context, md)) -+ -+ EVP_MD_CTX *context = EVP_MD_CTX_new(); -+ if (context == NULL) -+ { -+ Log(LOG_LEVEL_ERR, "Failed to allocate openssl hashing context"); -+ return; -+ } -+ -+ if (EVP_DigestInit(context, md) == 1) - { -- EVP_DigestUpdate(&context, (unsigned char *) buffer, (size_t) len); -- EVP_DigestFinal(&context, digest, &md_len); -+ EVP_DigestUpdate(context, buffer, len); -+ EVP_DigestFinal(context, digest, &md_len); - } - else - { -@@ -100,63 +116,60 @@ void HashString(const char *buffer, int len, unsigned char digest[EVP_MAX_MD_SIZ - // TODO: handle this someway - } - -+ EVP_MD_CTX_free(context); - break; - } - } - - /*******************************************************************/ - --void HashPubKey(RSA *key, unsigned char digest[EVP_MAX_MD_SIZE + 1], HashMethod type) -+void HashPubKey(const RSA *key, unsigned char digest[EVP_MAX_MD_SIZE + 1], HashMethod type) - { -- EVP_MD_CTX context; -- const EVP_MD *md = NULL; -- int md_len, i, buf_len, actlen; -- unsigned char *buffer; -- -- if (key->n) -+ if (type == HASH_METHOD_CRYPT) - { -- buf_len = (size_t) BN_num_bytes(key->n); -+ Log(LOG_LEVEL_ERR, "The crypt support is not presently implemented, please use sha256 instead"); -+ return; - } -- else -+ -+ const EVP_MD *md = EVP_get_digestbyname(HashNameFromId(type)); -+ if (md == NULL) - { -- buf_len = 0; -+ Log(LOG_LEVEL_INFO, "Digest type %s not supported by OpenSSL library", HashNameFromId(type)); - } - -- if (key->e) -+ EVP_MD_CTX *context = EVP_MD_CTX_new(); -+ if (context == NULL) - { -- if (buf_len < (i = (size_t) BN_num_bytes(key->e))) -- { -- buf_len = i; -- } -+ Log(LOG_LEVEL_ERR, "Failed to allocate openssl hashing context"); -+ return; - } - -- buffer = xmalloc(buf_len + 10); -+ const BIGNUM *n, *e; -+ RSA_get0_key(key, &n, &e, NULL); - -- switch (type) -- { -- case HASH_METHOD_CRYPT: -- Log(LOG_LEVEL_ERR, "The crypt support is not presently implemented, please use sha256 instead"); -- break; -+ size_t n_len = (n == NULL) ? 0 : (size_t) BN_num_bytes(n); -+ size_t e_len = (e == NULL) ? 0 : (size_t) BN_num_bytes(e); -+ size_t buf_len = MAX(n_len, e_len); - -- default: -- md = EVP_get_digestbyname(HashNameFromId(type)); -+ unsigned char buffer[buf_len]; -+ int md_len, actlen; - -- if (md == NULL) -- { -- Log(LOG_LEVEL_INFO, "Digest type %s not supported by OpenSSL library", HashNameFromId(type)); -- } -+ if (EVP_DigestInit(context, md) == 1) -+ { -+ actlen = BN_bn2bin(n, buffer); -+ CF_ASSERT(actlen <= buf_len, "Buffer overflow n, %d > %zu!", -+ actlen, buf_len); -+ EVP_DigestUpdate(context, buffer, actlen); - -- EVP_DigestInit(&context, md); -+ actlen = BN_bn2bin(e, buffer); -+ CF_ASSERT(actlen <= buf_len, "Buffer overflow e, %d > %zu!", -+ actlen, buf_len); -+ EVP_DigestUpdate(context, buffer, actlen); - -- actlen = BN_bn2bin(key->n, buffer); -- EVP_DigestUpdate(&context, buffer, actlen); -- actlen = BN_bn2bin(key->e, buffer); -- EVP_DigestUpdate(&context, buffer, actlen); -- EVP_DigestFinal(&context, digest, &md_len); -- break; -+ EVP_DigestFinal(context, digest, &md_len); - } - -- free(buffer); -+ EVP_MD_CTX_free(context); - } - - /*******************************************************************/ -diff --git a/libpromises/files_hashes.h b/libpromises/files_hashes.h -index 0f6194291593..636a9ab2cd35 100644 ---- a/libpromises/files_hashes.h -+++ b/libpromises/files_hashes.h -@@ -40,7 +40,7 @@ int HashesMatch(const unsigned char digest1[EVP_MAX_MD_SIZE + 1], - char *HashPrintSafe(char *dst, size_t dst_size, const unsigned char *digest, - HashMethod type, bool use_prefix); - char *SkipHashType(char *hash); --void HashPubKey(RSA *key, unsigned char digest[EVP_MAX_MD_SIZE + 1], HashMethod type); -+void HashPubKey(const RSA *key, unsigned char digest[EVP_MAX_MD_SIZE + 1], HashMethod type); - - - #endif -diff --git a/libpromises/generic_agent.c b/libpromises/generic_agent.c -index b8c32f0baf59..0a247e55ee83 100644 ---- a/libpromises/generic_agent.c -+++ b/libpromises/generic_agent.c -@@ -66,6 +66,9 @@ - #include - #include - #include -+#include -+#include -+ - - static pthread_once_t pid_cleanup_once = PTHREAD_ONCE_INIT; /* GLOBAL_T */ - -@@ -1163,16 +1166,17 @@ static bool GeneratePolicyReleaseIDFromTree(char *release_id_out, size_t out_siz - } - - // fallback, produce some pseudo sha1 hash -- EVP_MD_CTX crypto_ctx; -- EVP_DigestInit(&crypto_ctx, EVP_get_digestbyname(HashNameFromId(GENERIC_AGENT_CHECKSUM_METHOD))); -+ EVP_MD_CTX *crypto_ctx = EVP_MD_CTX_new(); -+ EVP_DigestInit(crypto_ctx, EVP_get_digestbyname(HashNameFromId(GENERIC_AGENT_CHECKSUM_METHOD))); - - bool success = HashDirectoryTree(policy_dir, - (const char *[]) { ".cf", ".dat", ".txt", ".conf", ".mustache", ".json", ".yaml", NULL}, -- &crypto_ctx); -+ crypto_ctx); - - int md_len; - unsigned char digest[EVP_MAX_MD_SIZE + 1] = { 0 }; -- EVP_DigestFinal(&crypto_ctx, digest, &md_len); -+ EVP_DigestFinal(crypto_ctx, digest, &md_len); -+ EVP_MD_CTX_free(crypto_ctx); - - HashPrintSafe(release_id_out, out_size, digest, - GENERIC_AGENT_CHECKSUM_METHOD, false); -diff --git a/libpromises/locks.c b/libpromises/locks.c -index 8ebac0cd4a92..5f2542ee4def 100644 ---- a/libpromises/locks.c -+++ b/libpromises/locks.c -@@ -39,6 +39,9 @@ - #include - #include - #include -+#include -+#include -+ - - #define CFLOGSIZE 1048576 /* Size of lock-log before rotation */ - #define CF_LOCKHORIZON ((time_t)(SECONDS_PER_WEEK * 4)) -@@ -509,7 +512,7 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - { - static const char PACK_UPIFELAPSED_SALT[] = "packageuplist"; - -- EVP_MD_CTX context; -+ EVP_MD_CTX *context = EVP_MD_CTX_new(); - int md_len; - const EVP_MD *md = NULL; - Rlist *rp; -@@ -520,29 +523,29 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - - md = EVP_get_digestbyname(HashNameFromId(type)); - -- EVP_DigestInit(&context, md); -+ EVP_DigestInit(context, md); - - // multiple packages (promisers) may share same package_list_update_ifelapsed lock - if ( (!salt) || strcmp(salt, PACK_UPIFELAPSED_SALT) ) - { -- EVP_DigestUpdate(&context, pp->promiser, strlen(pp->promiser)); -+ EVP_DigestUpdate(context, pp->promiser, strlen(pp->promiser)); - } - - if (pp->comment) - { -- EVP_DigestUpdate(&context, pp->comment, strlen(pp->comment)); -+ EVP_DigestUpdate(context, pp->comment, strlen(pp->comment)); - } - - if (pp->parent_promise_type && pp->parent_promise_type->parent_bundle) - { - if (pp->parent_promise_type->parent_bundle->ns) - { -- EVP_DigestUpdate(&context, pp->parent_promise_type->parent_bundle->ns, strlen(pp->parent_promise_type->parent_bundle->ns)); -+ EVP_DigestUpdate(context, pp->parent_promise_type->parent_bundle->ns, strlen(pp->parent_promise_type->parent_bundle->ns)); - } - - if (pp->parent_promise_type->parent_bundle->name) - { -- EVP_DigestUpdate(&context, pp->parent_promise_type->parent_bundle->name, strlen(pp->parent_promise_type->parent_bundle->name)); -+ EVP_DigestUpdate(context, pp->parent_promise_type->parent_bundle->name, strlen(pp->parent_promise_type->parent_bundle->name)); - } - } - -@@ -550,7 +553,7 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - - if (salt) - { -- EVP_DigestUpdate(&context, salt, strlen(salt)); -+ EVP_DigestUpdate(context, salt, strlen(salt)); - } - - if (pp->conlist) -@@ -559,7 +562,7 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - { - Constraint *cp = SeqAt(pp->conlist, i); - -- EVP_DigestUpdate(&context, cp->lval, strlen(cp->lval)); -+ EVP_DigestUpdate(context, cp->lval, strlen(cp->lval)); - - // don't hash rvals that change (e.g. times) - doHash = true; -@@ -581,13 +584,13 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - switch (cp->rval.type) - { - case RVAL_TYPE_SCALAR: -- EVP_DigestUpdate(&context, cp->rval.item, strlen(cp->rval.item)); -+ EVP_DigestUpdate(context, cp->rval.item, strlen(cp->rval.item)); - break; - - case RVAL_TYPE_LIST: - for (rp = cp->rval.item; rp != NULL; rp = rp->next) - { -- EVP_DigestUpdate(&context, RlistScalarValue(rp), strlen(RlistScalarValue(rp))); -+ EVP_DigestUpdate(context, RlistScalarValue(rp), strlen(RlistScalarValue(rp))); - } - break; - -@@ -597,18 +600,18 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - - fp = (FnCall *) cp->rval.item; - -- EVP_DigestUpdate(&context, fp->name, strlen(fp->name)); -+ EVP_DigestUpdate(context, fp->name, strlen(fp->name)); - - for (rp = fp->args; rp != NULL; rp = rp->next) - { - switch (rp->val.type) - { - case RVAL_TYPE_SCALAR: -- EVP_DigestUpdate(&context, RlistScalarValue(rp), strlen(RlistScalarValue(rp))); -+ EVP_DigestUpdate(context, RlistScalarValue(rp), strlen(RlistScalarValue(rp))); - break; - - case RVAL_TYPE_FNCALL: -- EVP_DigestUpdate(&context, RlistFnCallValue(rp)->name, strlen(RlistFnCallValue(rp)->name)); -+ EVP_DigestUpdate(context, RlistFnCallValue(rp)->name, strlen(RlistFnCallValue(rp)->name)); - break; - - default: -@@ -624,7 +627,8 @@ void PromiseRuntimeHash(const Promise *pp, const char *salt, unsigned char diges - } - } - -- EVP_DigestFinal(&context, digest, &md_len); -+ EVP_DigestFinal(context, digest, &md_len); -+ EVP_MD_CTX_free(context); - - /* Digest length stored in md_len */ - } -diff --git a/libutils/Makefile.am b/libutils/Makefile.am -index c55379418a7a..f9dc629ceb6e 100644 ---- a/libutils/Makefile.am -+++ b/libutils/Makefile.am -@@ -75,6 +75,7 @@ libutils_la_SOURCES = \ - regex.c regex.h \ - encode.c encode.h \ - pcre_wrap.c pcre_wrap.h \ -+ libcrypto-compat.c libcrypto-compat.h \ - printsize.h - - if !NT -diff --git a/libutils/encode.c b/libutils/encode.c -index c0ee32714767..dc03729f8f1d 100644 ---- a/libutils/encode.c -+++ b/libutils/encode.c -@@ -28,6 +28,7 @@ - #include /* BUF_MEM */ - #include /* BIO_* */ - #include /* BIO_f_base64 */ -+#include - - #include - -diff --git a/libutils/hash.c b/libutils/hash.c -index 4e27152698ff..9a52944fb8f4 100644 ---- a/libutils/hash.c -+++ b/libutils/hash.c -@@ -26,10 +26,13 @@ - - #include /* EVP_* */ - #include /* BN_bn2bin */ -+#include - - #include - #include - #include -+#include -+ - - static const char *const CF_DIGEST_TYPES[10] = - { -@@ -198,49 +201,55 @@ Hash *HashNewFromKey(const RSA *rsa, HashMethod method) - { - return NULL; - } -- EVP_MD_CTX *context = NULL; -- const EVP_MD *md = NULL; -- int md_len = 0; -- unsigned char *buffer = NULL; -- int buffer_length = 0; -- int actual_length = 0; - -- if (rsa->n) -- { -- buffer_length = (size_t) BN_num_bytes(rsa->n); -- } -- else -+ const BIGNUM *n, *e; -+ RSA_get0_key(rsa, &n, &e, NULL); -+ -+ size_t n_len = (n == NULL) ? 0 : (size_t) BN_num_bytes(n); -+ size_t e_len = (e == NULL) ? 0 : (size_t) BN_num_bytes(e); -+ size_t buf_len = MAX(n_len, e_len); -+ -+ const EVP_MD *md = EVP_get_digestbyname(CF_DIGEST_TYPES[method]); -+ if (md == NULL) - { -- buffer_length = 0; -+ Log(LOG_LEVEL_INFO, "Digest type %s not supported by OpenSSL library", CF_DIGEST_TYPES[method]); -+ return NULL; - } - -- if (rsa->e) -+ EVP_MD_CTX *context = EVP_MD_CTX_new(); -+ if (context == NULL) - { -- if (buffer_length < (size_t) BN_num_bytes(rsa->e)) -- { -- buffer_length = (size_t) BN_num_bytes(rsa->e); -- } -+ Log(LOG_LEVEL_ERR, "Failed to allocate openssl hashing context"); -+ return NULL; - } -- md = EVP_get_digestbyname(CF_DIGEST_TYPES[method]); -- if (md == NULL) -+ -+ if (EVP_DigestInit_ex(context, md, NULL) != 1) - { -- Log(LOG_LEVEL_INFO, "Digest type %s not supported by OpenSSL library", CF_DIGEST_TYPES[method]); -+ EVP_MD_CTX_free(context); - return NULL; - } -+ -+ unsigned char buffer[buf_len]; -+ int md_len, actlen; -+ -+ actlen = BN_bn2bin(n, buffer); -+ CF_ASSERT(actlen <= buf_len, "Buffer overflow n, %d > %zu!", -+ actlen, buf_len); -+ EVP_DigestUpdate(context, buffer, actlen); -+ -+ actlen = BN_bn2bin(e, buffer); -+ CF_ASSERT(actlen <= buf_len, "Buffer overflow e, %d > %zu!", -+ actlen, buf_len); -+ EVP_DigestUpdate(context, buffer, actlen); -+ - Hash *hash = HashBasicInit(method); -- context = EVP_MD_CTX_create(); -- EVP_DigestInit_ex(context, md, NULL); -- buffer = xmalloc(buffer_length); -- actual_length = BN_bn2bin(rsa->n, buffer); -- EVP_DigestUpdate(context, buffer, actual_length); -- actual_length = BN_bn2bin(rsa->e, buffer); -- EVP_DigestUpdate(context, buffer, actual_length); - EVP_DigestFinal_ex(context, hash->digest, &md_len); -- EVP_MD_CTX_destroy(context); -- free (buffer); -+ -+ EVP_MD_CTX_free(context); -+ - /* Update the printable representation */ - HashCalculatePrintableRepresentation(hash); -- /* Return the hash */ -+ - return hash; - } - -diff --git a/libutils/hashes.c b/libutils/hashes.c -index b074ed2e43c5..1213c886ca77 100644 ---- a/libutils/hashes.c -+++ b/libutils/hashes.c -@@ -27,6 +27,7 @@ - #include - - #include -+#include - - - int FileChecksum(const char *filename, unsigned char digest[EVP_MAX_MD_SIZE + 1]) -@@ -40,25 +41,36 @@ int FileChecksum(const char *filename, unsigned char digest[EVP_MAX_MD_SIZE + 1] - else - { - const EVP_MD *md = EVP_get_digestbyname("md5"); -- - if (!md) - { - fclose(file); - return 0; - } - -- EVP_MD_CTX context; -- EVP_DigestInit(&context, md); -+ EVP_MD_CTX *context = EVP_MD_CTX_new(); -+ if (context == NULL) -+ { -+ fclose(file); -+ return 0; -+ } -+ -+ if (EVP_DigestInit_ex(context, md, NULL) != 1) -+ { -+ fclose(file); -+ EVP_MD_CTX_free(context); -+ return 0; -+ } - - int len = 0; - unsigned char buffer[1024]; - while ((len = fread(buffer, 1, 1024, file))) - { -- EVP_DigestUpdate(&context, buffer, len); -+ EVP_DigestUpdate(context, buffer, len); - } - - unsigned int md_len = 0; -- EVP_DigestFinal(&context, digest, &md_len); -+ EVP_DigestFinal(context, digest, &md_len); -+ EVP_MD_CTX_free(context); - fclose(file); - - return md_len; -diff --git a/libutils/libcrypto-compat.c b/libutils/libcrypto-compat.c -new file mode 100644 -index 000000000000..3fc39092a16d ---- /dev/null -+++ b/libutils/libcrypto-compat.c -@@ -0,0 +1,414 @@ -+/* -+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+ -+#include -+ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#include -+#include -+#include /* BN_* */ -+ -+ -+static void *OPENSSL_zalloc(size_t num) -+{ -+ void *ret = OPENSSL_malloc(num); -+ -+ if (ret != NULL) -+ memset(ret, 0, num); -+ return ret; -+} -+ -+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) -+{ -+ /* If the fields n and e in r are NULL, the corresponding input -+ * parameters MUST be non-NULL for n and e. d may be -+ * left NULL (in case only the public key is used). -+ */ -+ if ((r->n == NULL && n == NULL) -+ || (r->e == NULL && e == NULL)) -+ return 0; -+ -+ if (n != NULL) { -+ BN_free(r->n); -+ r->n = n; -+ } -+ if (e != NULL) { -+ BN_free(r->e); -+ r->e = e; -+ } -+ if (d != NULL) { -+ BN_free(r->d); -+ r->d = d; -+ } -+ -+ return 1; -+} -+ -+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) -+{ -+ /* If the fields p and q in r are NULL, the corresponding input -+ * parameters MUST be non-NULL. -+ */ -+ if ((r->p == NULL && p == NULL) -+ || (r->q == NULL && q == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(r->p); -+ r->p = p; -+ } -+ if (q != NULL) { -+ BN_free(r->q); -+ r->q = q; -+ } -+ -+ return 1; -+} -+ -+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) -+{ -+ /* If the fields dmp1, dmq1 and iqmp in r are NULL, the corresponding input -+ * parameters MUST be non-NULL. -+ */ -+ if ((r->dmp1 == NULL && dmp1 == NULL) -+ || (r->dmq1 == NULL && dmq1 == NULL) -+ || (r->iqmp == NULL && iqmp == NULL)) -+ return 0; -+ -+ if (dmp1 != NULL) { -+ BN_free(r->dmp1); -+ r->dmp1 = dmp1; -+ } -+ if (dmq1 != NULL) { -+ BN_free(r->dmq1); -+ r->dmq1 = dmq1; -+ } -+ if (iqmp != NULL) { -+ BN_free(r->iqmp); -+ r->iqmp = iqmp; -+ } -+ -+ return 1; -+} -+ -+void RSA_get0_key(const RSA *r, -+ const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) -+{ -+ if (n != NULL) -+ *n = r->n; -+ if (e != NULL) -+ *e = r->e; -+ if (d != NULL) -+ *d = r->d; -+} -+ -+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) -+{ -+ if (p != NULL) -+ *p = r->p; -+ if (q != NULL) -+ *q = r->q; -+} -+ -+void RSA_get0_crt_params(const RSA *r, -+ const BIGNUM **dmp1, const BIGNUM **dmq1, -+ const BIGNUM **iqmp) -+{ -+ if (dmp1 != NULL) -+ *dmp1 = r->dmp1; -+ if (dmq1 != NULL) -+ *dmq1 = r->dmq1; -+ if (iqmp != NULL) -+ *iqmp = r->iqmp; -+} -+ -+void DSA_get0_pqg(const DSA *d, -+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -+{ -+ if (p != NULL) -+ *p = d->p; -+ if (q != NULL) -+ *q = d->q; -+ if (g != NULL) -+ *g = d->g; -+} -+ -+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p, q and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. -+ */ -+ if ((d->p == NULL && p == NULL) -+ || (d->q == NULL && q == NULL) -+ || (d->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(d->p); -+ d->p = p; -+ } -+ if (q != NULL) { -+ BN_free(d->q); -+ d->q = q; -+ } -+ if (g != NULL) { -+ BN_free(d->g); -+ d->g = g; -+ } -+ -+ return 1; -+} -+ -+void DSA_get0_key(const DSA *d, -+ const BIGNUM **pub_key, const BIGNUM **priv_key) -+{ -+ if (pub_key != NULL) -+ *pub_key = d->pub_key; -+ if (priv_key != NULL) -+ *priv_key = d->priv_key; -+} -+ -+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) -+{ -+ /* If the field pub_key in d is NULL, the corresponding input -+ * parameters MUST be non-NULL. The priv_key field may -+ * be left NULL. -+ */ -+ if (d->pub_key == NULL && pub_key == NULL) -+ return 0; -+ -+ if (pub_key != NULL) { -+ BN_free(d->pub_key); -+ d->pub_key = pub_key; -+ } -+ if (priv_key != NULL) { -+ BN_free(d->priv_key); -+ d->priv_key = priv_key; -+ } -+ -+ return 1; -+} -+ -+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) -+{ -+ if (pr != NULL) -+ *pr = sig->r; -+ if (ps != NULL) -+ *ps = sig->s; -+} -+ -+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) -+{ -+ if (r == NULL || s == NULL) -+ return 0; -+ BN_clear_free(sig->r); -+ BN_clear_free(sig->s); -+ sig->r = r; -+ sig->s = s; -+ return 1; -+} -+ -+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) -+{ -+ if (pr != NULL) -+ *pr = sig->r; -+ if (ps != NULL) -+ *ps = sig->s; -+} -+ -+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) -+{ -+ if (r == NULL || s == NULL) -+ return 0; -+ BN_clear_free(sig->r); -+ BN_clear_free(sig->s); -+ sig->r = r; -+ sig->s = s; -+ return 1; -+} -+ -+void DH_get0_pqg(const DH *dh, -+ const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -+{ -+ if (p != NULL) -+ *p = dh->p; -+ if (q != NULL) -+ *q = dh->q; -+ if (g != NULL) -+ *g = dh->g; -+} -+ -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -+{ -+ /* If the fields p and g in d are NULL, the corresponding input -+ * parameters MUST be non-NULL. q may remain NULL. -+ */ -+ if ((dh->p == NULL && p == NULL) -+ || (dh->g == NULL && g == NULL)) -+ return 0; -+ -+ if (p != NULL) { -+ BN_free(dh->p); -+ dh->p = p; -+ } -+ if (q != NULL) { -+ BN_free(dh->q); -+ dh->q = q; -+ } -+ if (g != NULL) { -+ BN_free(dh->g); -+ dh->g = g; -+ } -+ -+ if (q != NULL) { -+ dh->length = BN_num_bits(q); -+ } -+ -+ return 1; -+} -+ -+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) -+{ -+ if (pub_key != NULL) -+ *pub_key = dh->pub_key; -+ if (priv_key != NULL) -+ *priv_key = dh->priv_key; -+} -+ -+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) -+{ -+ /* If the field pub_key in dh is NULL, the corresponding input -+ * parameters MUST be non-NULL. The priv_key field may -+ * be left NULL. -+ */ -+ if (dh->pub_key == NULL && pub_key == NULL) -+ return 0; -+ -+ if (pub_key != NULL) { -+ BN_free(dh->pub_key); -+ dh->pub_key = pub_key; -+ } -+ if (priv_key != NULL) { -+ BN_free(dh->priv_key); -+ dh->priv_key = priv_key; -+ } -+ -+ return 1; -+} -+ -+int DH_set_length(DH *dh, long length) -+{ -+ dh->length = length; -+ return 1; -+} -+ -+const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx) -+{ -+ return ctx->iv; -+} -+ -+unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx) -+{ -+ return ctx->iv; -+} -+ -+EVP_MD_CTX *EVP_MD_CTX_new(void) -+{ -+ return OPENSSL_zalloc(sizeof(EVP_MD_CTX)); -+} -+ -+void EVP_MD_CTX_free(EVP_MD_CTX *ctx) -+{ -+ EVP_MD_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+} -+ -+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth) -+{ -+ RSA_METHOD *ret; -+ -+ ret = OPENSSL_malloc(sizeof(RSA_METHOD)); -+ -+ if (ret != NULL) { -+ memcpy(ret, meth, sizeof(*meth)); -+ ret->name = OPENSSL_strdup(meth->name); -+ if (ret->name == NULL) { -+ OPENSSL_free(ret); -+ return NULL; -+ } -+ } -+ -+ return ret; -+} -+ -+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name) -+{ -+ char *tmpname; -+ -+ tmpname = OPENSSL_strdup(name); -+ if (tmpname == NULL) { -+ return 0; -+ } -+ -+ OPENSSL_free((char *)meth->name); -+ meth->name = tmpname; -+ -+ return 1; -+} -+ -+int RSA_meth_set_priv_enc(RSA_METHOD *meth, -+ int (*priv_enc) (int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, -+ int padding)) -+{ -+ meth->rsa_priv_enc = priv_enc; -+ return 1; -+} -+ -+int RSA_meth_set_priv_dec(RSA_METHOD *meth, -+ int (*priv_dec) (int flen, const unsigned char *from, -+ unsigned char *to, RSA *rsa, -+ int padding)) -+{ -+ meth->rsa_priv_dec = priv_dec; -+ return 1; -+} -+ -+int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)) -+{ -+ meth->finish = finish; -+ return 1; -+} -+ -+void RSA_meth_free(RSA_METHOD *meth) -+{ -+ if (meth != NULL) { -+ OPENSSL_free((char *)meth->name); -+ OPENSSL_free(meth); -+ } -+} -+ -+int RSA_bits(const RSA *r) -+{ -+ return (BN_num_bits(r->n)); -+} -+ -+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey) -+{ -+ if (pkey->type != EVP_PKEY_RSA) { -+ return NULL; -+ } -+ return pkey->pkey.rsa; -+} -+ -+ -+#endif /* OPENSSL_VERSION_NUMBER */ -diff --git a/libutils/libcrypto-compat.h b/libutils/libcrypto-compat.h -new file mode 100644 -index 000000000000..fa3eb1444a1e ---- /dev/null -+++ b/libutils/libcrypto-compat.h -@@ -0,0 +1,62 @@ -+#ifndef LIBCRYPTO_COMPAT_H -+#define LIBCRYPTO_COMPAT_H -+ -+#include -+#include -+ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); -+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); -+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); -+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d); -+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); -+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, const BIGNUM **iqmp); -+ -+void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); -+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); -+void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key); -+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); -+ -+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); -+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); -+ -+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); -+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -+ -+void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g); -+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); -+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); -+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); -+int DH_set_length(DH *dh, long length); -+ -+const unsigned char *EVP_CIPHER_CTX_iv(const EVP_CIPHER_CTX *ctx); -+unsigned char *EVP_CIPHER_CTX_iv_noconst(EVP_CIPHER_CTX *ctx); -+EVP_MD_CTX *EVP_MD_CTX_new(void); -+void EVP_MD_CTX_free(EVP_MD_CTX *ctx); -+#define EVP_CIPHER_impl_ctx_size(e) e->ctx_size -+#define EVP_CIPHER_CTX_get_cipher_data(ctx) ctx->cipher_data -+ -+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); -+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); -+#define RSA_meth_get_finish(meth) meth->finish -+int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); -+int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec) (int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); -+int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish) (RSA *rsa)); -+void RSA_meth_free(RSA_METHOD *meth); -+ -+int RSA_bits(const RSA *r); -+ -+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); -+ -+#endif /* OPENSSL_VERSION_NUMBER */ -+ -+#endif /* LIBCRYPTO_COMPAT_H */ -diff --git a/libutils/string_lib.c b/libutils/string_lib.c -index 8f4d58dcb376..2b8ef041eee6 100644 ---- a/libutils/string_lib.c -+++ b/libutils/string_lib.c -@@ -28,12 +28,14 @@ - #include /* BUF_MEM */ - #include /* BIO_* */ - #include /* BIO_f_base64 */ -+#include - - #include - #include - #include - #include - -+ - char *StringVFormat(const char *fmt, va_list ap) - { - char *value; -diff --git a/tests/acceptance/16_cf-serverd/serial/nondefault_ciphers_tlsversion.srv b/tests/acceptance/16_cf-serverd/serial/nondefault_ciphers_tlsversion.srv -index 39ed761fbc9d..9dad9f2a066d 100644 ---- a/tests/acceptance/16_cf-serverd/serial/nondefault_ciphers_tlsversion.srv -+++ b/tests/acceptance/16_cf-serverd/serial/nondefault_ciphers_tlsversion.srv -@@ -14,8 +14,8 @@ body server control - { - port => "9888"; - -- # Only this non-default cipher is to be accepted -- allowciphers => "RC4-MD5"; -+ # Only this cipher is to be accepted -+ allowciphers => "AES128-GCM-SHA256"; - - # Allow only TLSv1.1 or higher - allowtlsversion => "1.1"; -diff --git a/tests/unit/Makefile.am b/tests/unit/Makefile.am -index 9db71ed02184..073973c64158 100644 ---- a/tests/unit/Makefile.am -+++ b/tests/unit/Makefile.am -@@ -420,18 +420,6 @@ mon_load_test_LDADD = ../../libpromises/libpromises.la libtest.la - mon_processes_test_SOURCES = mon_processes_test.c ../../cf-monitord/mon.h ../../cf-monitord/mon_processes.c - mon_processes_test_LDADD = ../../libpromises/libpromises.la libtest.la - --# tls_generic_test uses stub functions interposition which does not work (yet) --# under OS X. Another way of stubbing functions from libpromises is needed. --if !XNU --check_PROGRAMS += tls_generic_test --tls_generic_test_SOURCES = tls_generic_test.c --tls_generic_test_LDADD = libtest.la \ -- ../../libutils/libutils.la \ -- ../../libpromises/libpromises.la \ -- ../../libcfnet/libcfnet.la \ -- ../../cf-serverd/libcf-serverd.la --endif -- - version_test_SOURCES = version_test.c - - hash_test_SOURCES = hash_test.c -diff --git a/tests/unit/crypto_symmetric_test.c b/tests/unit/crypto_symmetric_test.c -index 8bbdc4546079..89a34d040f31 100644 ---- a/tests/unit/crypto_symmetric_test.c -+++ b/tests/unit/crypto_symmetric_test.c -@@ -30,11 +30,11 @@ static void test_cipher_init(void) - { - unsigned char key[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15}; - unsigned char iv[] = {1,2,3,4,5,6,7,8}; -- EVP_CIPHER_CTX ctx; -+ EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new(); - -- EVP_CIPHER_CTX_init(&ctx); -- EVP_EncryptInit_ex(&ctx, EVP_bf_cbc(), NULL, key, iv); -- EVP_CIPHER_CTX_cleanup(&ctx); -+ EVP_CIPHER_CTX_init(ctx); -+ EVP_EncryptInit_ex(ctx, EVP_bf_cbc(), NULL, key, iv); -+ EVP_CIPHER_CTX_free(ctx); - } - - static void test_symmetric_encrypt(void) -diff --git a/tests/unit/tls_generic_test.c b/tests/unit/tls_generic_test.c -index 69579ecbf457..4b98c901c999 100644 ---- a/tests/unit/tls_generic_test.c -+++ b/tests/unit/tls_generic_test.c -@@ -1,3 +1,14 @@ -+/* -+ * WARNING: THIS TEST HAS BEEN DISABLED -+ * -+ * This test is written in a very unportable manner: it replicates source code -+ * of OpenSSL, it uses internals of data structures etc. Do not re-enable it -+ * unless you delete all the code from the OpenSSL internals, and refactor it -+ * to mock the library routines properly, for example with `ld --wrap`. See -+ * "CMocka" and "Mimick" unit testing frameworks. -+ */ -+ -+ - #include - - #include --- -2.15.1 - diff --git a/0003-Reduce-string-truncation-warnings.patch b/0003-Reduce-string-truncation-warnings.patch new file mode 100644 index 0000000..c026367 --- /dev/null +++ b/0003-Reduce-string-truncation-warnings.patch @@ -0,0 +1,662 @@ +From be9783fd1ba5f5150fef1c95349192271942a478 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= +Date: Tue, 3 Jul 2018 09:18:08 +0200 +Subject: [PATCH 3/3] Reduce string truncation warnings + +--- + cf-agent/verify_databases.c | 18 ++++++------- + cf-agent/verify_exec.c | 4 +-- + cf-agent/verify_packages.c | 2 +- + cf-execd/cf-execd-runner.c | 4 +-- + cf-monitord/env_monitor.c | 8 +++--- + cf-monitord/mon_network_sniffer.c | 6 ++--- + cf-runagent/cf-runagent.c | 6 ++--- + cf-serverd/server_common.c | 18 ++++++------- + libcfnet/client_protocol.c | 2 +- + libenv/sysinfo.c | 45 ++++++++++++++++--------------- + libpromises/cf3globals.c | 2 +- + libpromises/cf3lex.l | 6 ++--- + libpromises/cf3parse.y | 2 +- + libpromises/eval_context.c | 4 +-- + libpromises/evalfunction.c | 2 +- + libpromises/expand.c | 2 +- + libpromises/keyring.c | 4 +-- + libpromises/syslog_client.c | 2 +- + tests/unit/logging_test.c | 2 +- + tests/unit/set_domainname_test.c | 2 +- + 20 files changed, 71 insertions(+), 70 deletions(-) + +diff --git a/cf-agent/verify_databases.c b/cf-agent/verify_databases.c +index 704a938d1bc1..a60ccb9682a7 100644 +--- a/cf-agent/verify_databases.c ++++ b/cf-agent/verify_databases.c +@@ -221,7 +221,7 @@ static PromiseResult VerifySQLPromise(EvalContext *ctx, Attributes a, const Prom + } + else + { +- snprintf(query, CF_MAXVARSIZE - 1, "%s.%s", database, table); ++ snprintf(query, sizeof(query) - 1, "%s.%s", database, table); + + if (VerifyTablePromise(ctx, &cfdb, query, a.database.columns, a, pp, &result)) + { +@@ -300,7 +300,7 @@ static int VerifyDatabasePromise(CfdbConn *cfdb, char *database, Attributes a) + if (((a.transaction.action) != cfa_warn) && (!DONTDO)) + { + Log(LOG_LEVEL_VERBOSE, "Attempting to delete the database '%s'", database); +- snprintf(query, CF_MAXVARSIZE - 1, "drop database %s", database); ++ snprintf(query, sizeof(query) - 1, "drop database %s", database); + CfVoidQueryDB(cfdb, query); + return cfdb->result; + } +@@ -316,7 +316,7 @@ static int VerifyDatabasePromise(CfdbConn *cfdb, char *database, Attributes a) + if (((a.transaction.action) != cfa_warn) && (!DONTDO)) + { + Log(LOG_LEVEL_VERBOSE, "Attempting to create the database '%s'", database); +- snprintf(query, CF_MAXVARSIZE - 1, "create database %s", database); ++ snprintf(query, sizeof(query) - 1, "create database %s", database); + CfVoidQueryDB(cfdb, query); + return cfdb->result; + } +@@ -499,7 +499,7 @@ static int ValidateRegistryPromiser(char *key, const Promise *pp) + static int VerifyTablePromise(EvalContext *ctx, CfdbConn *cfdb, char *table_path, Rlist *columns, Attributes a, + const Promise *pp, PromiseResult *result) + { +- char name[CF_MAXVARSIZE], type[CF_MAXVARSIZE], query[CF_MAXVARSIZE], table[CF_MAXVARSIZE], db[CF_MAXVARSIZE]; ++ char name[CF_MAXVARSIZE], type[CF_MAXVARSIZE], query[CF_BUFSIZE], table[CF_MAXVARSIZE], db[CF_MAXVARSIZE]; + int i, count, size, no_of_cols, *size_table, *done, identified, retval = true; + char **name_table, **type_table; + +@@ -670,12 +670,12 @@ static int VerifyTablePromise(EvalContext *ctx, CfdbConn *cfdb, char *table_path + { + if (size_table[i] > 0) + { +- snprintf(query, CF_MAXVARSIZE - 1, "ALTER TABLE %s ADD %s %s(%d)", table, name_table[i], ++ snprintf(query, sizeof(query) - 1, "ALTER TABLE %s ADD %s %s(%d)", table, name_table[i], + type_table[i], size_table[i]); + } + else + { +- snprintf(query, CF_MAXVARSIZE - 1, "ALTER TABLE %s ADD %s %s", table, name_table[i], ++ snprintf(query, sizeof(query) - 1, "ALTER TABLE %s ADD %s %s", table, name_table[i], + type_table[i]); + } + +@@ -742,7 +742,7 @@ static int CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) + + if (no_of_cols > 0) + { +- snprintf(query, CF_BUFSIZE - 1, "create table %s(", table); ++ snprintf(query, sizeof(query) - 1, "create table %s(", table); + + for (i = 0; i < no_of_cols; i++) + { +@@ -781,7 +781,7 @@ static int CreateTableColumns(CfdbConn *cfdb, char *table, Rlist *columns) + static Rlist *GetSQLTables(CfdbConn *cfdb) + { + Rlist *list = NULL; +- char query[CF_MAXVARSIZE]; ++ char query[CF_BUFSIZE]; + + ListTables(cfdb->type, query); + +@@ -870,7 +870,7 @@ static int ValidateSQLTableName(char *table_path, char *db, char *table) + + static void QueryTableColumns(char *s, char *db, char *table) + { +- snprintf(s, CF_MAXVARSIZE - 1, ++ snprintf(s, CF_BUFSIZE - 1, + "SELECT column_name,data_type,character_maximum_length FROM information_schema.columns WHERE table_name ='%s' AND table_schema = '%s'", + table, db); + } +diff --git a/cf-agent/verify_exec.c b/cf-agent/verify_exec.c +index a21126c4fd48..a5a16ee68b8f 100644 +--- a/cf-agent/verify_exec.c ++++ b/cf-agent/verify_exec.c +@@ -203,7 +203,7 @@ static char *GetLockNameExec(Attributes a, const Promise *pp) + static ActionResult RepairExec(EvalContext *ctx, Attributes a, + const Promise *pp, PromiseResult *result) + { +- char eventname[CF_BUFSIZE]; ++ char eventname[CF_BUFSIZE * 2]; + char cmdline[CF_BUFSIZE]; + char comm[20]; + int outsourced, count = 0; +@@ -456,7 +456,7 @@ static ActionResult RepairExec(EvalContext *ctx, Attributes a, + umask(maskval); + #endif + +- snprintf(eventname, CF_BUFSIZE - 1, "Exec(%s)", cmdline); ++ snprintf(eventname, CF_BUFSIZE*2 - 1, "Exec(%s)", cmdline); + + #ifndef __MINGW32__ + if ((a.transaction.background) && outsourced) +diff --git a/cf-agent/verify_packages.c b/cf-agent/verify_packages.c +index 54b8564bca13..1e55a9513da6 100644 +--- a/cf-agent/verify_packages.c ++++ b/cf-agent/verify_packages.c +@@ -3176,7 +3176,7 @@ static void DeletePackageManagers(PackageManager *np) + + const char *PrefixLocalRepository(const Rlist *repositories, const char *package) + { +- static char quotedPath[CF_MAXVARSIZE]; /* GLOBAL_R, no need to initialize */ ++ static char quotedPath[CF_BUFSIZE * 2]; /* GLOBAL_R, no need to initialize */ + struct stat sb; + char path[CF_BUFSIZE]; + +diff --git a/cf-execd/cf-execd-runner.c b/cf-execd/cf-execd-runner.c +index 67263c1fb075..18a32a0a32f2 100644 +--- a/cf-execd/cf-execd-runner.c ++++ b/cf-execd/cf-execd-runner.c +@@ -195,7 +195,7 @@ void LocalExec(const ExecConfig *config) + strlcpy(esc_command, MapName(cmd), CF_BUFSIZE); + + +- char filename[CF_BUFSIZE]; ++ char filename[CF_BUFSIZE * 3]; + { + char line[CF_BUFSIZE]; + snprintf(line, CF_BUFSIZE, "_%jd_%s", (intmax_t) starttime, CanonifyName(ctime(&starttime))); +@@ -205,7 +205,7 @@ void LocalExec(const ExecConfig *config) + strlcpy(canonified_fq_name, config->fq_name, CF_BUFSIZE); + CanonifyNameInPlace(canonified_fq_name); + +- snprintf(filename, CF_BUFSIZE, "%s/outputs/cf_%s_%s_%p", ++ snprintf(filename, sizeof(filename), "%s/outputs/cf_%s_%s_%p", + GetWorkDir(), canonified_fq_name, line, thread_name); + + MapName(filename); +diff --git a/cf-monitord/env_monitor.c b/cf-monitord/env_monitor.c +index a55119625344..3f0f4faadc8d 100644 +--- a/cf-monitord/env_monitor.c ++++ b/cf-monitord/env_monitor.c +@@ -936,7 +936,7 @@ static double SetClasses(EvalContext *ctx, char *name, double variable, double a + { + Log(LOG_LEVEL_DEBUG, "No sigma variation .. can't measure class"); + +- snprintf(buffer, CF_MAXVARSIZE, "entropy_%s.*", name); ++ snprintf(buffer, sizeof(buffer), "entropy_%s.*", name); + MonEntropyPurgeUnused(buffer); + + return sig; +@@ -1044,13 +1044,13 @@ static void SetVariable(char *name, double value, double average, double stddev, + { + char var[CF_BUFSIZE]; + +- snprintf(var, CF_MAXVARSIZE, "value_%s=%.2lf", name, value); ++ snprintf(var, sizeof(var), "value_%s=%.2lf", name, value); + AppendItem(classlist, var, ""); + +- snprintf(var, CF_MAXVARSIZE, "av_%s=%.2lf", name, average); ++ snprintf(var, sizeof(var), "av_%s=%.2lf", name, average); + AppendItem(classlist, var, ""); + +- snprintf(var, CF_MAXVARSIZE, "dev_%s=%.2lf", name, stddev); ++ snprintf(var, sizeof(var), "dev_%s=%.2lf", name, stddev); + AppendItem(classlist, var, ""); + } + +diff --git a/cf-monitord/mon_network_sniffer.c b/cf-monitord/mon_network_sniffer.c +index 5813052768ea..1c5064a38b27 100644 +--- a/cf-monitord/mon_network_sniffer.c ++++ b/cf-monitord/mon_network_sniffer.c +@@ -210,7 +210,7 @@ static void IncrementCounter(Item **list, char *name) + + static void AnalyzeArrival(Item *ip_addresses, long iteration, char *arrival, double *cf_this) + { +- char src[CF_BUFSIZE], dest[CF_BUFSIZE], flag = '.', *arr; ++ char src[CF_BUFSIZE], dest[CF_BUFSIZE * 2], flag = '.', *arr; + int isme_dest, isme_src; + + src[0] = dest[0] = '\0'; +@@ -387,11 +387,11 @@ static void AnalyzeArrival(Item *ip_addresses, long iteration, char *arrival, do + + if (strstr(arrival, ".138")) + { +- snprintf(dest, CF_BUFSIZE - 1, "%s NETBIOS", src); ++ snprintf(dest, sizeof(dest) - 1, "%s NETBIOS", src); + } + else if (strstr(arrival, ".2049")) + { +- snprintf(dest, CF_BUFSIZE - 1, "%s NFS", src); ++ snprintf(dest, sizeof(dest) - 1, "%s NFS", src); + } + else + { +diff --git a/cf-runagent/cf-runagent.c b/cf-runagent/cf-runagent.c +index 92045d31c9fe..3942929fcb98 100644 +--- a/cf-runagent/cf-runagent.c ++++ b/cf-runagent/cf-runagent.c +@@ -794,15 +794,15 @@ static void HailExec(AgentConnection *conn, char *peer) + static FILE *NewStream(char *name) + { + FILE *fp; +- char filename[CF_BUFSIZE]; ++ char filename[CF_BUFSIZE * 2]; + + if (OUTPUT_DIRECTORY[0] != '\0') + { +- snprintf(filename, CF_BUFSIZE, "%s/%s_runagent.out", OUTPUT_DIRECTORY, name); ++ snprintf(filename, sizeof(filename), "%s/%s_runagent.out", OUTPUT_DIRECTORY, name); + } + else + { +- snprintf(filename, CF_BUFSIZE, "%s%coutputs%c%s_runagent.out", ++ snprintf(filename, sizeof(filename), "%s%coutputs%c%s_runagent.out", + GetWorkDir(), FILE_SEPARATOR, FILE_SEPARATOR, name); + } + +diff --git a/cf-serverd/server_common.c b/cf-serverd/server_common.c +index 6bf95be92852..bfcd25d386e2 100644 +--- a/cf-serverd/server_common.c ++++ b/cf-serverd/server_common.c +@@ -370,8 +370,8 @@ static void AbortTransfer(ConnectionInfo *connection, char *filename) + { + Log(LOG_LEVEL_VERBOSE, "Aborting transfer of file due to source changes"); + +- char sendbuffer[CF_BUFSIZE]; +- snprintf(sendbuffer, CF_BUFSIZE, "%s%s: %s", ++ char sendbuffer[CF_BUFSIZE*2]; ++ snprintf(sendbuffer, sizeof(sendbuffer), "%s%s: %s", + CF_CHANGEDSTR1, CF_CHANGEDSTR2, filename); + + if (SendTransaction(connection, sendbuffer, 0, CF_DONE) == -1) +@@ -385,9 +385,9 @@ static void FailedTransfer(ConnectionInfo *connection) + { + Log(LOG_LEVEL_VERBOSE, "Transfer failure"); + +- char sendbuffer[CF_BUFSIZE]; ++ char sendbuffer[CF_BUFSIZE*2]; + +- snprintf(sendbuffer, CF_BUFSIZE, "%s", CF_FAILEDSTR); ++ snprintf(sendbuffer, sizeof(sendbuffer), "%s", CF_FAILEDSTR); + + if (SendTransaction(connection, sendbuffer, 0, CF_DONE) == -1) + { +@@ -419,7 +419,7 @@ void CfGetFile(ServerFileGetState *args) + { + Log(LOG_LEVEL_INFO, "REFUSE access to file: %s", filename); + RefuseAccess(args->conn, args->replyfile); +- snprintf(sendbuffer, CF_BUFSIZE, "%s", CF_FAILEDSTR); ++ snprintf(sendbuffer, sizeof(sendbuffer), "%s", CF_FAILEDSTR); + if (ConnectionInfoProtocolVersion(conn_info) == CF_PROTOCOL_CLASSIC) + { + SendSocketStream(ConnectionInfoSocket(conn_info), sendbuffer, args->buf_size); +@@ -437,7 +437,7 @@ void CfGetFile(ServerFileGetState *args) + { + Log(LOG_LEVEL_ERR, "Open error of file '%s'. (open: %s)", + filename, GetErrorStr()); +- snprintf(sendbuffer, CF_BUFSIZE, "%s", CF_FAILEDSTR); ++ snprintf(sendbuffer, sizeof(sendbuffer), "%s", CF_FAILEDSTR); + if (ConnectionInfoProtocolVersion(conn_info) == CF_PROTOCOL_CLASSIC) + { + SendSocketStream(ConnectionInfoSocket(conn_info), sendbuffer, args->buf_size); +@@ -458,7 +458,7 @@ void CfGetFile(ServerFileGetState *args) + + while (true) + { +- memset(sendbuffer, 0, CF_BUFSIZE); ++ memset(sendbuffer, 0, sizeof(sendbuffer)); + + Log(LOG_LEVEL_DEBUG, "Now reading from disk..."); + +@@ -490,7 +490,7 @@ void CfGetFile(ServerFileGetState *args) + + if (sb.st_size != savedlen) + { +- snprintf(sendbuffer, CF_BUFSIZE, "%s%s: %s", CF_CHANGEDSTR1, CF_CHANGEDSTR2, filename); ++ snprintf(sendbuffer, sizeof(sendbuffer), "%s%s: %s", CF_CHANGEDSTR1, CF_CHANGEDSTR2, filename); + + if (ConnectionInfoProtocolVersion(conn_info) == CF_PROTOCOL_CLASSIC) + { +@@ -606,7 +606,7 @@ void CfEncryptGetFile(ServerFileGetState *args) + + while (true) + { +- memset(sendbuffer, 0, CF_BUFSIZE); ++ memset(sendbuffer, 0, sizeof(sendbuffer)); + + if ((n_read = read(fd, sendbuffer, blocksize)) == -1) + { +diff --git a/libcfnet/client_protocol.c b/libcfnet/client_protocol.c +index 0b80f0acf519..085b0fa27e30 100644 +--- a/libcfnet/client_protocol.c ++++ b/libcfnet/client_protocol.c +@@ -63,7 +63,7 @@ void SetSkipIdentify(bool enabled) + + int IdentifyAgent(ConnectionInfo *conn_info) + { +- char uname[CF_BUFSIZE], sendbuff[CF_BUFSIZE]; ++ char uname[CF_MAXVARSIZE], sendbuff[CF_BUFSIZE]; + char dnsname[CF_MAXVARSIZE], localip[CF_MAX_IP_LEN]; + int ret; + +diff --git a/libenv/sysinfo.c b/libenv/sysinfo.c +index 29b82b36807b..1f194c5522e5 100644 +--- a/libenv/sysinfo.c ++++ b/libenv/sysinfo.c +@@ -443,7 +443,7 @@ static void GetNameInfo3(EvalContext *ctx) + }; + int have_component[COMPONENTS_SIZE]; + struct stat sb; +- char name[CF_MAXVARSIZE], quoteName[CF_MAXVARSIZE], shortname[CF_MAXVARSIZE]; ++ char name[CF_MAXVARSIZE], quoteName[CF_BUFSIZE], shortname[CF_MAXVARSIZE]; + + if (uname(&VSYSNAME) == -1) + { +@@ -2064,7 +2064,7 @@ static int Linux_Suse_Version(EvalContext *ctx) + strncpy(classbuf, vendor, CF_MAXVARSIZE); + EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); + snprintf(classbuf + strlen(classbuf), CF_MAXVARSIZE - strlen(classbuf), "_%d", major); +- SetFlavour(ctx, classbuf); ++ SetFlavor(ctx, classbuf); + if (minor != -1) + { + snprintf(classbuf + strlen(classbuf), CF_MAXVARSIZE - strlen(classbuf), "_%d", minor); +@@ -2177,7 +2177,7 @@ static void LinuxDebianSanitizeIssue(char *buffer) + + static int Linux_Misc_Version(EvalContext *ctx) + { +- char flavor[CF_MAXVARSIZE]; ++ char flavor[CF_BUFSIZE]; + char version[CF_MAXVARSIZE]; + char os[CF_MAXVARSIZE]; + char buffer[CF_BUFSIZE]; +@@ -2218,7 +2218,7 @@ static int Linux_Misc_Version(EvalContext *ctx) + + if (*os && *version) + { +- snprintf(flavor, CF_MAXVARSIZE, "%s_%s", os, version); ++ snprintf(flavor, CF_BUFSIZE, "%s_%s", os, version); + SetFlavor(ctx, flavor); + return 1; + } +@@ -2233,7 +2233,7 @@ static int Linux_Debian_Version(EvalContext *ctx) + int major = -1; + int release = -1; + int result; +- char classname[CF_MAXVARSIZE], buffer[CF_MAXVARSIZE], os[CF_MAXVARSIZE], version[CF_MAXVARSIZE]; ++ char classname[CF_BUFSIZE], buffer[CF_BUFSIZE], os[CF_MAXVARSIZE], version[CF_MAXVARSIZE]; + + Log(LOG_LEVEL_VERBOSE, "This appears to be a debian system."); + EvalContextClassPutHard(ctx, "debian", "inventory,attribute_name=none,source=agent"); +@@ -2253,15 +2253,15 @@ static int Linux_Debian_Version(EvalContext *ctx) + { + case 2: + Log(LOG_LEVEL_VERBOSE, "This appears to be a Debian %u.%u system.", major, release); +- snprintf(classname, CF_MAXVARSIZE, "debian_%u_%u", major, release); ++ snprintf(classname, CF_BUFSIZE, "debian_%u_%u", major, release); + EvalContextClassPutHard(ctx, classname, "inventory,attribute_name=none,source=agent"); +- snprintf(classname, CF_MAXVARSIZE, "debian_%u", major); ++ snprintf(classname, CF_BUFSIZE, "debian_%u", major); + SetFlavor(ctx, classname); + break; + + case 1: + Log(LOG_LEVEL_VERBOSE, "This appears to be a Debian %u system.", major); +- snprintf(classname, CF_MAXVARSIZE, "debian_%u", major); ++ snprintf(classname, CF_BUFSIZE, "debian_%u", major); + SetFlavor(ctx, classname); + break; + +@@ -2270,7 +2270,7 @@ static int Linux_Debian_Version(EvalContext *ctx) + sscanf(buffer, "%25[^/]", version); + if (strlen(version) > 0) + { +- snprintf(classname, CF_MAXVARSIZE, "debian_%s", version); ++ snprintf(classname, CF_BUFSIZE, "debian_%s", version); + EvalContextClassPutHard(ctx, classname, "inventory,attribute_name=none,source=agent"); + } + break; +@@ -2288,7 +2288,7 @@ static int Linux_Debian_Version(EvalContext *ctx) + { + LinuxDebianSanitizeIssue(buffer); + sscanf(buffer, "%*s %*s %[^./]", version); +- snprintf(buffer, CF_MAXVARSIZE, "debian_%s", version); ++ snprintf(buffer, CF_BUFSIZE, "debian_%s", version); + EvalContextClassPutHard(ctx, "debian", "inventory,attribute_name=none,source=agent"); + SetFlavor(ctx, buffer); + } +@@ -2296,12 +2296,12 @@ static int Linux_Debian_Version(EvalContext *ctx) + { + LinuxDebianSanitizeIssue(buffer); + sscanf(buffer, "%*s %[^.].%d", version, &release); +- snprintf(buffer, CF_MAXVARSIZE, "ubuntu_%s", version); ++ snprintf(buffer, CF_BUFSIZE, "ubuntu_%s", version); + SetFlavor(ctx, buffer); + EvalContextClassPutHard(ctx, "ubuntu", "inventory,attribute_name=none,source=agent"); + if (release >= 0) + { +- snprintf(buffer, CF_MAXVARSIZE, "ubuntu_%s_%d", version, release); ++ snprintf(buffer, CF_BUFSIZE, "ubuntu_%s_%d", version, release); + EvalContextClassPutHard(ctx, buffer, "inventory,attribute_name=none,source=agent"); + } + } +@@ -2515,13 +2515,13 @@ static int EOS_Version(EvalContext *ctx) + { + if (strstr(buffer, "EOS")) + { +- char version[CF_MAXVARSIZE], class[CF_MAXVARSIZE]; ++ char version[CF_MAXVARSIZE], class[CF_BUFSIZE]; + EvalContextClassPutHard(ctx, "eos", "inventory,attribute_name=none,source=agent"); + EvalContextClassPutHard(ctx, "arista", "source=agent"); + version[0] = '\0'; + sscanf(buffer, "%*s %*s %*s %s", version); + CanonifyNameInPlace(version); +- snprintf(class, CF_MAXVARSIZE, "eos_%s", version); ++ snprintf(class, CF_BUFSIZE, "eos_%s", version); + EvalContextClassPutHard(ctx, class, "inventory,attribute_name=none,source=agent"); + } + } +@@ -2541,14 +2541,14 @@ static int MiscOS(EvalContext *ctx) + { + if (strstr(buffer, "BIG-IP")) + { +- char version[CF_MAXVARSIZE], build[CF_MAXVARSIZE], class[CF_MAXVARSIZE]; ++ char version[CF_MAXVARSIZE], build[CF_MAXVARSIZE], class[CF_BUFSIZE]; + EvalContextClassPutHard(ctx, "big_ip", "inventory,attribute_name=none,source=agent"); + sscanf(buffer, "%*s %s %*s %s", version, build); + CanonifyNameInPlace(version); + CanonifyNameInPlace(build); +- snprintf(class, CF_MAXVARSIZE, "big_ip_%s", version); ++ snprintf(class, CF_BUFSIZE, "big_ip_%s", version); + EvalContextClassPutHard(ctx, class, "inventory,attribute_name=none,source=agent"); +- snprintf(class, CF_MAXVARSIZE, "big_ip_%s_%s", version, build); ++ snprintf(class, CF_BUFSIZE, "big_ip_%s_%s", version, build); + EvalContextClassPutHard(ctx, class, "inventory,attribute_name=none,source=agent"); + SetFlavor(ctx, "BIG-IP"); + } +@@ -2561,7 +2561,8 @@ static int MiscOS(EvalContext *ctx) + + static int VM_Version(EvalContext *ctx) + { +- char *sp, buffer[CF_BUFSIZE], classbuf[CF_BUFSIZE], version[CF_BUFSIZE]; ++#define CF_CLASSBUFSIZE 2*CF_BUFSIZE ++ char *sp, buffer[CF_BUFSIZE], classbuf[CF_CLASSBUFSIZE], version[CF_BUFSIZE]; + int major, minor, bug; + int sufficient = 0; + +@@ -2573,17 +2574,17 @@ static int VM_Version(EvalContext *ctx) + { + if (sscanf(buffer, "VMware ESX Server %d.%d.%d", &major, &minor, &bug) > 0) + { +- snprintf(classbuf, CF_BUFSIZE, "VMware ESX Server %d", major); ++ snprintf(classbuf, CF_CLASSBUFSIZE, "VMware ESX Server %d", major); + EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); +- snprintf(classbuf, CF_BUFSIZE, "VMware ESX Server %d.%d", major, minor); ++ snprintf(classbuf, CF_CLASSBUFSIZE, "VMware ESX Server %d.%d", major, minor); + EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); +- snprintf(classbuf, CF_BUFSIZE, "VMware ESX Server %d.%d.%d", major, minor, bug); ++ snprintf(classbuf, CF_CLASSBUFSIZE, "VMware ESX Server %d.%d.%d", major, minor, bug); + EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); + sufficient = 1; + } + else if (sscanf(buffer, "VMware ESX Server %s", version) > 0) + { +- snprintf(classbuf, CF_BUFSIZE, "VMware ESX Server %s", version); ++ snprintf(classbuf, CF_CLASSBUFSIZE, "VMware ESX Server %s", version); + EvalContextClassPutHard(ctx, classbuf, "inventory,attribute_name=none,source=agent"); + sufficient = 1; + } +diff --git a/libpromises/cf3globals.c b/libpromises/cf3globals.c +index f16e14d688b8..8ede60fd8b0e 100644 +--- a/libpromises/cf3globals.c ++++ b/libpromises/cf3globals.c +@@ -55,7 +55,7 @@ long LASTSEENEXPIREAFTER = SECONDS_PER_WEEK; /* GLOBAL_P */ + bool DONTDO = false; /* GLOBAL_A */ + + /* NB! Check use before changing sizes */ +-char VFQNAME[CF_MAXVARSIZE] = ""; /* GLOBAL_E GLOBAL_P */ ++char VFQNAME[CF_BUFSIZE] = ""; /* GLOBAL_E GLOBAL_P */ + char VUQNAME[CF_MAXVARSIZE] = ""; /* GLOBAL_E */ + char VDOMAIN[CF_MAXVARSIZE] = ""; /* GLOBAL_E GLOBAL_P */ + +diff --git a/libpromises/cf3lex.l b/libpromises/cf3lex.l +index 7d9f666cc727..b18c573d0c64 100644 +--- a/libpromises/cf3lex.l ++++ b/libpromises/cf3lex.l +@@ -333,7 +333,7 @@ promise_type [a-zA-Z_]+: + { + yyerror("identifier too long"); + } +- strncpy(P.currentid, yytext, CF_MAXVARSIZE); ++ strncpy(P.currentid, yytext, CF_MAXVARSIZE-1); + return IDSYNTAX; + } + +@@ -346,7 +346,7 @@ promise_type [a-zA-Z_]+: + { + yyerror("qualified identifier too long"); + } +- strncpy(P.currentid, yytext, CF_MAXVARSIZE); ++ strncpy(P.currentid, yytext, CF_MAXVARSIZE-1); + return IDSYNTAX; + } + +@@ -440,7 +440,7 @@ promise_type [a-zA-Z_]+: + + tmp = xstrdup(yytext); + tmp[yyleng - 1] = '\0'; +- strncpy(P.currenttype, tmp, CF_MAXVARSIZE); ++ strncpy(P.currenttype, tmp, CF_MAXVARSIZE-1); + + if (P.currentclasses != NULL) + { +diff --git a/libpromises/cf3parse.y b/libpromises/cf3parse.y +index b29bb4445c68..bd899e240174 100644 +--- a/libpromises/cf3parse.y ++++ b/libpromises/cf3parse.y +@@ -1132,7 +1132,7 @@ functionid: IDSYNTAX + | NAKEDVAR + { + ParserDebug("\tP:%s:%s:%s:%s function nakedvar = %s\n", P.block, P.blocktype, P.blockid, P.currentclasses ? P.currentclasses : "any", P.currentstring); +- strncpy(P.currentid,P.currentstring,CF_MAXVARSIZE); // Make a var look like an ID ++ strncpy(P.currentid,P.currentstring,CF_MAXVARSIZE-1); // Make a var look like an ID + free(P.currentstring); + P.currentstring = NULL; + } +diff --git a/libpromises/eval_context.c b/libpromises/eval_context.c +index cb751ae46796..5257a7d13c95 100644 +--- a/libpromises/eval_context.c ++++ b/libpromises/eval_context.c +@@ -1568,7 +1568,7 @@ Class *EvalContextClassMatch(const EvalContext *ctx, const char *regex) + static bool EvalContextClassPut(EvalContext *ctx, const char *ns, const char *name, bool is_soft, ContextScope scope, const char *tags) + { + { +- char context_copy[CF_MAXVARSIZE]; ++ char context_copy[CF_BUFSIZE]; + char canonified_context[CF_MAXVARSIZE]; + + +@@ -1591,7 +1591,7 @@ static bool EvalContextClassPut(EvalContext *ctx, const char *ns, const char *na + + if (ns && strcmp(ns, "default") != 0) + { +- snprintf(context_copy, CF_MAXVARSIZE, "%s:%s", ns, canonified_context); ++ snprintf(context_copy, CF_BUFSIZE, "%s:%s", ns, canonified_context); + } + else + { +diff --git a/libpromises/evalfunction.c b/libpromises/evalfunction.c +index f4d5db0f8356..b88e6f20b0a2 100644 +--- a/libpromises/evalfunction.c ++++ b/libpromises/evalfunction.c +@@ -496,7 +496,7 @@ static Rlist *GetHostsFromLastseenDB(Item *addresses, time_t horizon, bool retur + Item *ip; + time_t now = time(NULL); + double entrytime; +- char address[CF_MAXVARSIZE]; ++ char address[CF_BUFSIZE]; + + for (ip = addresses; ip != NULL; ip = ip->next) + { +diff --git a/libpromises/expand.c b/libpromises/expand.c +index 7235930f41bf..62de3e091f2a 100644 +--- a/libpromises/expand.c ++++ b/libpromises/expand.c +@@ -870,7 +870,7 @@ static void ResolveControlBody(EvalContext *ctx, GenericAgentConfig *config, + + EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "domain"); + EvalContextVariableRemoveSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost"); +- snprintf(VFQNAME, CF_MAXVARSIZE, "%s.%s", VUQNAME, VDOMAIN); ++ snprintf(VFQNAME, CF_BUFSIZE, "%s.%s", VUQNAME, VDOMAIN); + EvalContextVariablePutSpecial(ctx, SPECIAL_SCOPE_SYS, "fqhost", + VFQNAME, CF_DATA_TYPE_STRING, + "inventory,source=agent,attribute_name=Host name"); +diff --git a/libpromises/keyring.c b/libpromises/keyring.c +index d6cbdfa51aba..134bd165adf8 100644 +--- a/libpromises/keyring.c ++++ b/libpromises/keyring.c +@@ -83,9 +83,9 @@ int RemovePublicKey(const char *id) + + if (c && c[strlen(suffix)] == '\0') /* dirp->d_name ends with suffix */ + { +- char keyfilename[CF_BUFSIZE]; ++ char keyfilename[CF_BUFSIZE * 2]; + +- snprintf(keyfilename, CF_BUFSIZE, "%s/%s", keysdir, dirp->d_name); ++ snprintf(keyfilename, CF_BUFSIZE * 2, "%s/%s", keysdir, dirp->d_name); + MapName(keyfilename); + + if (unlink(keyfilename) < 0) +diff --git a/libpromises/syslog_client.c b/libpromises/syslog_client.c +index 3109997436a1..d19572b6f970 100644 +--- a/libpromises/syslog_client.c ++++ b/libpromises/syslog_client.c +@@ -111,7 +111,7 @@ void RemoteSysLog(int log_priority, const char *log_string) + char message[rfc3164_len]; + char timebuffer[26]; + pid_t pid = getpid(); +- ++ // rfc3164_len is WAY too small + snprintf(message, sizeof(message), "<%i>%.15s %s %s[%d]: %s", + log_priority | SYSLOG_FACILITY, + cf_strtimestamp_local(now, timebuffer) + 4, +diff --git a/tests/unit/logging_test.c b/tests/unit/logging_test.c +index e625e2b8c945..dc6ee2451a88 100644 +--- a/tests/unit/logging_test.c ++++ b/tests/unit/logging_test.c +@@ -6,7 +6,7 @@ + #include + #include + +-char VFQNAME[CF_MAXVARSIZE]; ++char VFQNAME[CF_BUFSIZE]; + char VPREFIX[CF_MAXVARSIZE]; + + static struct sockaddr *got_address; +diff --git a/tests/unit/set_domainname_test.c b/tests/unit/set_domainname_test.c +index 7096109e8991..933d17d0d518 100644 +--- a/tests/unit/set_domainname_test.c ++++ b/tests/unit/set_domainname_test.c +@@ -9,7 +9,7 @@ + + /* Global variables we care about */ + +-char VFQNAME[CF_MAXVARSIZE]; ++char VFQNAME[CF_BUFSIZE]; + char VUQNAME[CF_MAXVARSIZE]; + char VDOMAIN[CF_MAXVARSIZE]; + +-- +2.17.1 + diff --git a/0004-make-home-dir-for-tests.patch b/0004-make-home-dir-for-tests.patch new file mode 100644 index 0000000..af013b0 --- /dev/null +++ b/0004-make-home-dir-for-tests.patch @@ -0,0 +1,27 @@ +From b5e4b0ca4384400cc8822ac06cdacbb97bc3c6e3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Klaus=20K=C3=A4mpf?= +Date: Tue, 3 Jul 2018 09:38:39 +0200 +Subject: [PATCH 4/4] make home dir for tests + +Author: Adam Majer +Upstream: https://tracker.mender.io/browse/CFE-2549 +BNC#1016848 +Summary: this tests requires home directory, otherwise spams logfile +--- + tests/load/run_lastseen_threaded_load.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/tests/load/run_lastseen_threaded_load.sh b/tests/load/run_lastseen_threaded_load.sh +index 7dc5bcae7c25..60ea99af0c55 100755 +--- a/tests/load/run_lastseen_threaded_load.sh ++++ b/tests/load/run_lastseen_threaded_load.sh +@@ -6,4 +6,6 @@ then + exit 0; + fi + ++text -x ~/.cfagent/state || mkdir -p ~/.cfagent/state ++ + ./lastseen_threaded_load -c 1 4 1 1 +-- +2.17.1 + diff --git a/cfengine.changes b/cfengine.changes index 61cf7f9..4793df0 100644 --- a/cfengine.changes +++ b/cfengine.changes @@ -1,3 +1,42 @@ +------------------------------------------------------------------- +Tue Jul 3 07:30:21 UTC 2018 - kkaempf@suse.com + +- Update to 3.12.0 (LTS) + New Features: + - Add a --key-type option to specify RSA key size to cf-key + - New hash_to_int policy function (CFE-2733) + - Issue a warning on ignored locking attributes (CFE-2748) + - Add IPv6 hard classes with the "ipv6_" prefix (CFE-2310) + - Introduce "missing_ok" attribute in body copy_from + This allows to ignore missing sources in file copy operations + (CFE-2365) + - Enable Xen hypervisor detection on all x86 platforms (CFE-2203) + - Add sys.policy_entry variables (CFE-2572) + - Added inline_mustache template method (CFE-1846) + - New component cf-net (cf-net is a CLI for the CFEngine network + protocol, useful for debugging, testing etc) and accompanying + policy variable sys.cf_net containing path to cf-net binary + - Added --log-level option to all components + This allows you to specify any log level (info, verbose, debug + etc.). + It is also less strict, allowing different spelling. As an example, + --log-level i, --log-level INFO, --log-level inform are all the same. + - Added special behavior for bundles named __main__ + If the bundle is defined in the entry policy it will be defined as + main. + If the bundle is defined elsewhere, it will be removed. + This makes it easy to make importable library policy which can also + be executed directly. + +- See https://github.com/cfengine/core/blob/3.12.x/ChangeLog for other + changes and bug fixes + +- drop 0003-CFE-2629-Openssl-1.1-compatibility.patch (upstream) + drop reproducible.patch (upstream) + add 0003-Reduce-string-truncation-warnings.patch + rename make_home_dir_for_tests.patch to + 0004-make-home-dir-for-tests.patch + ------------------------------------------------------------------- Tue Jun 19 10:58:32 UTC 2018 - adam.majer@suse.de diff --git a/cfengine.spec b/cfengine.spec index 46d7f0f..5a6fc65 100644 --- a/cfengine.spec +++ b/cfengine.spec @@ -16,7 +16,7 @@ # -%define srcversion 3.11.0 +%define srcversion 3.12.0 %define srcname core-%{srcversion} %define libname libpromises %define libsoname %{libname}3 @@ -70,12 +70,11 @@ Patch1: 0001-Set-sys.bindir-to-usr-sbin-expect-cf-components-ther.patch # PATCH-FEATURE-UPSTREAM better /etc/SuSE-release parsing, upstream #5423 # kkaempf@suse.de Patch2: 0002-Simplify-and-fix-parsing-of-etc-SuSE-release-fixes-i.patch -# PATCH-FIX-UPSTREAM https://github.com/cfengine/core/commit/f4b9c855c0b035c0188fcdf79d2cbddab2f1bdcc -Patch3: 0003-CFE-2629-Openssl-1.1-compatibility.patch -# PATCH-FIX-UPSTREAM https://github.com/cfengine/core/pull/2881 -Patch4: reproducible.patch +# PATCH-FIX-SUSE reduce "string truncated" (in strncpy) warnings +Patch3: 0003-Reduce-string-truncation-warnings.patch +# PATCH-FIX-SUSE BNC#1016848, adam.majer +Patch10: 0004-make-home-dir-for-tests.patch # SLE 11 or RHEL5 autoconf does not support AM_SUBST_NOTMAKE, kkaempf@suse.de -Patch10: make_home_dir_for_tests.patch Patch99: remove-am_subst_notmake.patch BuildRequires: bison @@ -89,8 +88,11 @@ BuildRequires: lmdb-devel >= 0.9.17 BuildRequires: openssl-devel >= 1.0.2e BuildRequires: pam-devel BuildRequires: pcre-devel >= 8.38 +BuildRequires: python # for flock BuildRequires: util-linux +# for llzma +BuildRequires: xz-devel Requires: %{libsoname} = %{version} BuildRoot: %{_tmppath}/%{name}-%{version}-build %if %{with mysql} @@ -170,11 +172,7 @@ Lots of example promises for CFEngine. %setup -q -n %{srcname} %patch1 -p1 %patch2 -p1 -%if 0%{?suse_version} >= 1500 -# openssl 1.1.0 %patch3 -p1 -%endif -%patch4 -p1 %if 0%{?suse_version} <= 1110 %patch99 -p1 %endif @@ -191,6 +189,7 @@ install -d docs cp -a $RPM_SOURCE_DIR/*pdf docs/ %build +echo %{version} > CFVERSION EXPLICIT_VERSION=%{version} autoreconf -fvi -I m4 CC=cc CFLAGS="%{optflags} -fno-strict-aliasing" \ %configure \ diff --git a/core-3.11.0.tar.gz b/core-3.11.0.tar.gz deleted file mode 100644 index 2760922..0000000 --- a/core-3.11.0.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:4a1403b19a362b8efd58cacc4c61e3da3e1dc438a8580072399bce7c6f317dfc -size 2039330 diff --git a/core-3.12.0.tar.gz b/core-3.12.0.tar.gz new file mode 100644 index 0000000..6010380 --- /dev/null +++ b/core-3.12.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f93e2f112063a7d5b9e2ee197e46d6dac0414cca66bf2726c05f9dd3fa8f1970 +size 2127099 diff --git a/make_home_dir_for_tests.patch b/make_home_dir_for_tests.patch deleted file mode 100644 index 6d2b593..0000000 --- a/make_home_dir_for_tests.patch +++ /dev/null @@ -1,15 +0,0 @@ -Author: Adam Majer -Upstream: https://tracker.mender.io/browse/CFE-2549 -BNC#1016848 -Summary: this tests requires home directory, otherwise spams logfile - -Index: cfengine-3.10.0b1/tests/load/run_lastseen_threaded_load.sh -=================================================================== ---- cfengine-3.10.0b1.orig/tests/load/run_lastseen_threaded_load.sh -+++ cfengine-3.10.0b1/tests/load/run_lastseen_threaded_load.sh -@@ -1,3 +1,5 @@ - #!/bin/sh - -+text -x ~/.cfagent/state || mkdir -p ~/.cfagent/state -+ - ./lastseen_threaded_load -c 1 4 1 1 diff --git a/reproducible.patch b/reproducible.patch deleted file mode 100644 index 13107a7..0000000 --- a/reproducible.patch +++ /dev/null @@ -1,28 +0,0 @@ -commit fb4e70f9be4b37ab40505118553caf5a5b7c7daf -Author: Bernhard M. Wiedemann -Date: Sun Jul 2 11:17:14 2017 +0200 - - libutils/man.c: allow to override build time - - in order to enable reproducible builds. - - See https://reproducible-builds.org/ for why this is good - and https://reproducible-builds.org/specs/source-date-epoch/ - for the definition of this variable. - -diff --git a/libutils/man.c b/libutils/man.c -index ef2cd1a28..ba46ba895 100644 ---- a/libutils/man.c -+++ b/libutils/man.c -@@ -206,6 +206,11 @@ void ManPageWrite(Writer *out, const char *program, time_t last_modified, - const struct option options[], - const char *const option_hints[], bool accepts_file_argument) - { -+ time_t overridetime; -+ char *source_date_epoch = getenv("SOURCE_DATE_EPOCH"); -+ if (source_date_epoch != NULL && -+ (overridetime = (time_t)strtoll(source_date_epoch, NULL, 10)) > 0) -+ last_modified = overridetime; - WriteCopyright(out); - WriteHeader(out, program, last_modified); - WriteName(out, program, short_description);