diff --git a/Makefile.am b/Makefile.am index caa54460..3dd37380 100755 --- a/Makefile.am +++ b/Makefile.am @@ -155,6 +155,7 @@ main_SOURCES = \ src/linkhash.c src/linkhash.h \ src/lock.c src/lock.h \ src/log.c src/log.h \ + src/md5.c src/md5.h \ src/msg.c src/msg.h \ src/pathcmp.c src/pathcmp.h \ src/prepend.c src/prepend.h \ diff --git a/UPGRADING b/UPGRADING index 20eb005c..fefe94eb 100644 --- a/UPGRADING +++ b/UPGRADING @@ -1,5 +1,12 @@ Things to watch out for when upgrading. +3.1.2 +----- +Blowfish has been deprecated by openssl. +Burp will now encrypt new files with AES-CBC-256, but will still be able +to decrypt files encrypted with blowfish as long as your openssl library +supports it. + 3.1.0 ----- Protocol 2 has been removed. diff --git a/manpages/burp.8.in b/manpages/burp.8.in index 7b42fada..986b0ad4 100644 --- a/manpages/burp.8.in +++ b/manpages/burp.8.in 
@@ -648,7 +648,7 @@ To prevent the server from initiating restores, set this to 0. The default is 1. When restoring, this path will be prefixed to the restore path. The '-d' command line option overrides this setting. This setting is required if you are using server initiated restores. .TP \fBencryption_password=[password]\fR -Set this to enable client side file Blowfish encryption. If you do not want encryption, leave this field out of your config file. \fBIMPORTANT:\fR Configuring an encryption_password renders delta differencing pointless, since the smallest real change to a file will make the whole file look different. Therefore, activating this option turns off delta differencing so that whenever a client file changes, the whole new file will be uploaded on the next backup. \fBALSO IMPORTANT:\fR If you manage to lose your encryption password, you will not be able to unencrypt your files. You should therefore think about having a copy of the encryption password somewhere off-box, in case of your client hard disk failing. Take care when copying and pasting special characters between client conf files, as the encoding of the config file matters. \fBFINALLY:\fR If you change your encryption password, you will end up with a mixture of files on the server with different encryption and it may become tricky to restore more than one file at a time. For this reason, if you change your encryption password, you may want to start a fresh chain of backups (by moving the original set aside, for example). @human_name@ will cope fine with turning the same encryption password on and off between backups, and will restore a backup of mixed encrypted and unencrypted files without a problem. +Set this to enable client side file AES-CBC-256 encryption. If you do not want encryption, leave this field out of your config file. 
\fBIMPORTANT:\fR Configuring an encryption_password renders delta differencing pointless, since the smallest real change to a file will make the whole file look different. Therefore, activating this option turns off delta differencing so that whenever a client file changes, the whole new file will be uploaded on the next backup. \fBALSO IMPORTANT:\fR If you manage to lose your encryption password, you will not be able to unencrypt your files. You should therefore think about having a copy of the encryption password somewhere off-box, in case of your client hard disk failing. Take care when copying and pasting special characters between client conf files, as the encoding of the config file matters. \fBFINALLY:\fR If you change your encryption password, you will end up with a mixture of files on the server with different encryption and it may become tricky to restore more than one file at a time. For this reason, if you change your encryption password, you may want to start a fresh chain of backups (by moving the original set aside, for example). @human_name@ will cope fine with turning the same encryption password on and off between backups, and will restore a backup of mixed encrypted and unencrypted files without a problem. .TP \fBglob_after_script_pre=[0|1]\fR Set this to 0 if you do not want include_glob settings to be evaluated after the pre script is run. The default is 1. diff --git a/src/client/backup_phase1.c b/src/client/backup_phase1.c index 9030278c..8a9720c2 100644 --- a/src/client/backup_phase1.c +++ b/src/client/backup_phase1.c @@ -223,7 +223,7 @@ int backup_phase1_client(struct asfd *asfd, struct conf **confs) if(get_string(confs[OPT_ENCRYPTION_PASSWORD])) { - encryption=ENCRYPTION_KEY_DERIVED; + encryption=ENCRYPTION_KEY_DERIVED_AES_CBC_256; filesymbol=CMD_ENC_FILE; metasymbol=CMD_ENC_METADATA; #ifdef HAVE_WIN32 diff --git a/src/client/backup_phase2.c b/src/client/backup_phase2.c index 09304899..fb4db239 100644 --- a/src/client/backup_phase2.c 
+++ b/src/client/backup_phase2.c @@ -9,6 +9,7 @@ #include "../conf.h" #include "../handy_extra.h" #include "../log.h" +#include "../md5.h" #include "../transfer.h" #include "extrameta.h" #include "find.h" @@ -115,9 +116,9 @@ static int load_signature_and_send_delta(struct asfd *asfd, case RS_DONE: *bytes=infb->bytes; *sentbytes=outfb->bytes; - if(!MD5_Final(checksum, infb->md5)) + if(!md5_final(infb->md5, checksum)) { - logp("MD5_Final() failed\n"); + logp("md5_final() failed\n"); goto end; } if(write_endfile(asfd, *bytes, checksum)) @@ -153,8 +154,7 @@ static enum send_e send_whole_file_w(struct asfd *asfd, { if((compression || encpassword) && sb->path.cmd!=CMD_EFS_FILE) { - int key_deriv=sb->encryption==ENCRYPTION_KEY_DERIVED; - + int key_deriv=sb->encryption; return send_whole_file_gzl(asfd, datapth, quick_read, bytes, encpassword, cntr, compression, bfd, extrameta, elen, key_deriv, sb->salt); @@ -223,7 +223,7 @@ static int deal_with_data(struct asfd *asfd, struct sbuf *sb, sb->compression=conf_compression; if(enc_password) { - sb->encryption=ENCRYPTION_KEY_DERIVED; + sb->encryption=ENCRYPTION_KEY_DERIVED_AES_CBC_256; if(!RAND_bytes((uint8_t *)&sb->salt, 8)) { logp("RAND_bytes() failed\n"); diff --git a/src/client/restore_switch.c b/src/client/restore_switch.c index 3c57dbf0..32b0270a 100644 --- a/src/client/restore_switch.c +++ b/src/client/restore_switch.c @@ -31,8 +31,8 @@ static int do_restore_file_or_get_meta(struct asfd *asfd, struct BFILE *bfd, if(sbuf_is_encrypted(sb)) { encpassword=encryption_password; - if(sb->encryption==ENCRYPTION_KEY_DERIVED) - key_deriv=1; + if(sb->encryption>ENCRYPTION_NONE) + key_deriv=sb->encryption; } enccompressed=dpth_is_compressed(sb->compression, sb->datapth.buf); diff --git a/src/handy_extra.c b/src/handy_extra.c index 6f9de76c..47887ec6 100644 --- a/src/handy_extra.c +++ b/src/handy_extra.c 
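Review bot: In restore_switch.c the new guard `if(sb->encryption>ENCRYPTION_NONE) key_deriv=sb->encryption;` leaves entries carrying the legacy ENCRYPTION_UNSET value with whatever key_deriv was initialised to outside this hunk (presumably 0, the old "not key-derived" meaning), and that value has no case in the new `switch(key_deriv)` in enc_setup (handy_extra.c), so the blowfish files UPGRADING says remain readable would hit the switch's `default:` arm with no cipher selected. Either map the legacy value explicitly here or give enc_setup a case for it; the same selector is also passed from send_whole_file_w in backup_phase2.c. As a point of style, `int key_deriv=sb->encryption;` now stores a cipher selector rather than the on/off flag its name describes, so a rename such as `int enc_type=sb->encryption;` in both callers (and for enc_setup's parameter) would make the intent clear.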
@@ -8,11 +8,19 @@ #include "hexmap.h" #include "iobuf.h" #include "log.h" +#include "md5.h" #include "handy_extra.h" +#include "sbuf.h" + +/* Not ready yet +#if OPENSSL_VERSION_NUMBER >= 0x30000000L +#include +#endif +*/ static int do_encryption(struct asfd *asfd, EVP_CIPHER_CTX *ctx, uint8_t *inbuf, int inlen, uint8_t *outbuf, int *outlen, - MD5_CTX *md5) + struct md5 *md5) { if(!inlen) return 0; if(!EVP_CipherUpdate(ctx, outbuf, outlen, inbuf, inlen)) @@ -26,9 +34,9 @@ static int do_encryption(struct asfd *asfd, EVP_CIPHER_CTX *ctx, iobuf_set(&wbuf, CMD_APPEND, (char *)outbuf, *outlen); if(asfd->write(asfd, &wbuf)) return -1; - if(!MD5_Update(md5, outbuf, *outlen)) + if(!md5_update(md5, outbuf, *outlen)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); return -1; } } @@ -41,9 +49,22 @@ EVP_CIPHER_CTX *enc_setup(int encrypt, const char *encryption_password, uint8_t enc_iv[9]; uint8_t enc_key[256]; EVP_CIPHER_CTX *ctx=NULL; - const EVP_CIPHER *cipher=EVP_bf_cbc(); + const EVP_CIPHER *cipher=NULL; int key_len; - + + switch(key_deriv) + { + case ENCRYPTION_KEY_DERIVED_BF_CBC: + cipher=EVP_bf_cbc(); + break; + case ENCRYPTION_KEY_DERIVED_AES_CBC_256: + cipher=EVP_aes_256_cbc(); + break; + default: + logp("Could not determine cipher from: %d\n", key_deriv); + break; + } + if(!encryption_password) { logp("No encryption password in %s()\n", __func__); @@ -80,7 +101,10 @@ EVP_CIPHER_CTX *enc_setup(int encrypt, const char *encryption_password, } if(!(ctx=(EVP_CIPHER_CTX *)EVP_CIPHER_CTX_new())) + { + logp("EVP_CIPHER_CTX_new() failed\n"); goto error; + } // Don't set key or IV because we will modify the parameters. EVP_CIPHER_CTX_init(ctx); @@ -144,7 +168,7 @@ enum send_e send_whole_file_gzl(struct asfd *asfd, const char *datapth, { enum send_e ret=SEND_OK; int zret=0; - MD5_CTX *md5=NULL; + struct md5 *md5=NULL; size_t metalen=0; const char *metadata=NULL; struct iobuf wbuf; 
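Review bot: The `default:` arm of the new `switch(key_deriv)` in enc_setup only logs and then `break`s, so `cipher` stays NULL and the function carries on to the password check and, presumably, to the EVP key/IV setup further down (outside this hunk) with a NULL cipher. It should fail instead — `default: logp("Could not determine cipher from: %d\n", key_deriv); goto error;` — and the legacy value that restore_switch.c still passes for ENCRYPTION_UNSET entries needs its own arm, along the lines of `case ENCRYPTION_NONE: cipher=EVP_bf_cbc(); break; /* legacy, non-derived key */`, if blowfish restores are to keep working as UPGRADING states. Separately, the unchanged context declares `uint8_t enc_iv[9];`, which fits Blowfish's 8-byte IV but not AES-CBC's 16-byte IV; if that buffer is what is handed to EVP_CipherInit_ex as the IV (not visible here), OpenSSL will read past it, so confirm and size it with `EVP_MAX_IV_LENGTH` or check `EVP_CIPHER_iv_length(cipher)` against it. enc_setup's body continues outside the hunk.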
@@ -170,14 +194,13 @@ enum send_e send_whole_file_gzl(struct asfd *asfd, const char *datapth, && !(enc_ctx=enc_setup(1, encpassword, key_deriv, salt))) return SEND_FATAL; - if(!(md5=(MD5_CTX *)calloc_w(1, sizeof(MD5_CTX), __func__))) { + if(!(md5=md5_alloc(__func__))) return SEND_FATAL; - } - if(!MD5_Init(md5)) + if(!md5_init(md5)) { - logp("MD5_Init() failed\n"); - free_v((void **)&md5); + logp("md5_init() failed\n"); + md5_free(&md5); return SEND_FATAL; } @@ -194,7 +217,7 @@ enum send_e send_whole_file_gzl(struct asfd *asfd, const char *datapth, strm.opaque = Z_NULL; if((zret=deflateInit2(&strm, compression, Z_DEFLATED, (15+16), 8, Z_DEFAULT_STRATEGY))!=Z_OK) { - free_v((void **)&md5); + md5_free(&md5); return SEND_FATAL; } @@ -249,9 +272,9 @@ enum send_e send_whole_file_gzl(struct asfd *asfd, const char *datapth, // The checksum needs to be later if encryption is being used. if(!enc_ctx) { - if(!MD5_Update(md5, in, strm.avail_in)) + if(!md5_update(md5, in, strm.avail_in)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); ret=SEND_FATAL; break; } @@ -356,9 +379,9 @@ enum send_e send_whole_file_gzl(struct asfd *asfd, const char *datapth, (char *)eoutbuf, (size_t)eoutlen); if(asfd->write(asfd, &wbuf)) ret=SEND_FATAL; - else if(!MD5_Update(md5, eoutbuf, eoutlen)) + else if(!md5_update(md5, eoutbuf, eoutlen)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); ret=SEND_FATAL; } } 
@@ -378,23 +401,23 @@ enum send_e send_whole_file_gzl(struct asfd *asfd, const char *datapth, if(ret==SEND_OK) { uint8_t checksum[MD5_DIGEST_LENGTH]; - if(!MD5_Final(checksum, md5)) + if(!md5_final(md5, checksum)) { - logp("MD5_Final() failed\n"); - free_v((void **)&md5); + logp("md5_final() failed\n"); + md5_free(&md5); return SEND_FATAL; } if(write_endfile(asfd, *bytes, checksum)) return SEND_FATAL; } - free_v((void **)&md5); + md5_free(&md5); return ret; } #ifdef HAVE_WIN32 struct winbuf { - MD5_CTX *md5; + struct md5 *md5; int quick_read; const char *datapth; struct cntr *cntr; @@ -408,9 +431,9 @@ static DWORD WINAPI write_efs(PBYTE pbData, struct iobuf wbuf; struct winbuf *mybuf=(struct winbuf *)pvCallbackContext; (*(mybuf->bytes))+=ulLength; - if(!MD5_Update(mybuf->md5, pbData, ulLength)) + if(!md5_update(mybuf->md5, pbData, ulLength)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); return ERROR_FUNCTION_FAILED; } iobuf_set(&wbuf, CMD_APPEND, (char *)pbData, (size_t)ulLength); @@ -441,7 +464,7 @@ enum send_e send_whole_filel(struct asfd *asfd, { enum send_e ret=SEND_OK; ssize_t s=0; - MD5_CTX *md5=NULL; + struct md5 *md5=NULL; char buf[4096]=""; struct iobuf wbuf; @@ -451,13 +474,12 @@ enum send_e send_whole_filel(struct asfd *asfd, return SEND_FATAL; } - if(!(md5=(MD5_CTX *)calloc_w(1, sizeof(MD5_CTX), __func__))) { + if(!(md5=md5_alloc(__func__))) return SEND_FATAL; - } - if(!MD5_Init(md5)) + if(!md5_init(md5)) { - logp("MD5_Init() failed\n"); - free_v((void **)&md5); + logp("md5_init() failed\n"); + md5_free(&md5); return SEND_FATAL; } @@ -475,9 +497,9 @@ enum send_e send_whole_filel(struct asfd *asfd, if(metalen>ZCHUNK) s=ZCHUNK; else s=metalen; - if(!MD5_Update(md5, metadata, s)) + if(!md5_update(md5, metadata, s)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); ret=SEND_FATAL; } iobuf_set(&wbuf, CMD_APPEND, (char *)metadata, s); 
@@ -552,9 +574,9 @@ enum send_e send_whole_filel(struct asfd *asfd, } *bytes+=s; - if(!MD5_Update(md5, buf, s)) + if(!md5_update(md5, buf, s)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); ret=SEND_FATAL; break; } @@ -589,15 +611,15 @@ enum send_e send_whole_filel(struct asfd *asfd, if(ret!=SEND_FATAL) { uint8_t checksum[MD5_DIGEST_LENGTH]; - if(!MD5_Final(checksum, md5)) + if(!md5_final(md5, checksum)) { - logp("MD5_Final() failed\n"); - free_v((void **)&md5); + logp("md5_final() failed\n"); + md5_free(&md5); return SEND_FATAL; } if(write_endfile(asfd, *bytes, checksum)) return SEND_FATAL; } - free_v((void **)&md5); + md5_free(&md5); return ret; } diff --git a/src/md5.c b/src/md5.c new file mode 100644 index 00000000..14918f78 --- /dev/null +++ b/src/md5.c 
@@ -0,0 +1,107 @@
+#include "burp.h"
+#include "alloc.h"
+#include "conf.h"
+#include "log.h"
+#include "md5.h"
+
+/* Not ready yet
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+*/
+#if 1
+
+struct md5 *md5_alloc(
+ const char *func
+) {
+ struct md5 *md5;
+ if(!(md5=(struct md5 *)calloc_w(1, sizeof(struct md5), func)))
+ return NULL;
+ if(!(md5->ctx=(MD5_CTX *)calloc_w(1, sizeof(MD5_CTX), func)))
+ md5_free(&md5);
+ return md5;
+}
+
+void md5_free(
+ struct md5 **md5
+) {
+ if(!md5 || !*md5)
+ return;
+ free_v((void **)&(*md5)->ctx);
+ free_v((void **)md5);
+}
+
+int md5_init(
+ struct md5 *md5
+) {
+ return MD5_Init(md5->ctx);
+}
+
+int md5_update(
+ struct md5 *md5,
+ const void *data,
+ unsigned long len
+) {
+ return MD5_Update(md5->ctx, data, len);
+}
+
+int md5_final(
+ struct md5 *md5,
+ unsigned char *md
+) {
+ return MD5_Final(md, md5->ctx);
+}
+
+#else
+
+struct md5 *md5_alloc(
+ const char *func
+) {
+ struct md5 *md5;
+ if(!(md5=(struct md5 *)calloc_w(1, sizeof(struct md5), func)))
+ return NULL;
+ if((md5->ctx=EVP_MD_CTX_new()))
+ {
+#ifdef UTEST
+ alloc_count++;
+#endif
+ return md5;
+ }
+ log_oom_w(__func__, func);
+ md5_free(&md5);
+ return NULL;
+}
+
+void md5_free(
+ struct md5 **md5
+) {
+ if(!md5 || !*md5)
+ return;
+ free_v((void **)&(*md5)->ctx);
+ EVP_MD_CTX_free((*md5)->ctx);
+#ifdef UTEST
+ alloc_count--;
+#endif
+ *md5=NULL;
+}
+
+int md5_init(
+ struct md5 *md5
+) {
+ return EVP_MD_CTX_init(md5->ctx);
+}
+
+int md5_update(
+ struct md5 *md5,
+ const void *data,
+ unsigned long len
+) {
+ return EVP_DigestUpdate(md5->ctx, data, len);
+}
+
+int md5_final(
+ struct md5 *md5,
+ unsigned char *md
+) {
+ return EVP_DigestFinal_ex(md5->ctx, md, NULL);
+}
+
+#endif
diff --git a/src/md5.h b/src/md5.h
new file mode 100644
index 00000000..d46d90f2
--- /dev/null
+++ b/src/md5.h
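Review bot: In the `#else` (EVP) variant of md5_free, `free_v((void **)&(*md5)->ctx);` releases an EVP_MD_CTX through the plain allocator's free, the following `EVP_MD_CTX_free((*md5)->ctx);` then runs on whatever free_v left behind (presumably NULL), and the `struct md5` itself is only NULLed, never freed; that branch should read `EVP_MD_CTX_free((*md5)->ctx);` followed by `free_v((void **)md5);`, mirroring the MD5_CTX variant. In the same variant md5_init calls `EVP_MD_CTX_init`, which resets the context but selects no digest, so md5_update would fail on first use; `return EVP_DigestInit_ex(md5->ctx, EVP_md5(), NULL);` is what is needed. Both are compiled out by `#if 1` today, but they are the code that takes over once the OpenSSL 3 switch is enabled. In the live md5_alloc, `md5_free(&md5); return md5;` after a failed ctx allocation only yields NULL if free_v clears its argument — an explicit `return NULL;` would not depend on that.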
@@ -0,0 +1,39 @@
+#ifndef _BURP_MD5_H
+#define _BURP_MD5_H
+
+#include 
+
+/* Not ready yet
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
+*/
+#if 1
+struct md5 {
+ MD5_CTX *ctx;
+};
+#else
+#include 
+struct md5 {
+ EVP_MD_CTX *ctx;
+};
+#endif
+
+extern struct md5 *md5_alloc(
+ const char *func
+);
+extern void md5_free(
+ struct md5 **md5
+);
+extern int md5_init(
+ struct md5 *md5
+);
+extern int md5_update(
+ struct md5 *md5,
+ const void *data,
+ unsigned long len
+);
+extern int md5_final(
+ struct md5 *md5,
+ unsigned char *md
+);
+
+#endif
diff --git a/src/rs_buf.c b/src/rs_buf.c
index 2050f930..2bdee44e 100644
--- a/src/rs_buf.c
+++ b/src/rs_buf.c
@@ -42,6 +42,7 @@
 #include "handy.h" #include "iobuf.h" #include "log.h"
+#include "md5.h" /* use fseeko instead of fseek for long file support if we have it */ #ifdef HAVE_FSEEKO
@@ -58,7 +59,7 @@ rs_filebuf_t *rs_filebuf_new(struct BFILE *bfd,
 if(!(pf=(struct rs_filebuf *)calloc_w(1, sizeof(struct rs_filebuf), __func__)) || !(pf->buf=(char *)calloc_w(1, buf_len, __func__))
- || !(pf->md5=(MD5_CTX *)calloc_w(1, sizeof(MD5_CTX), __func__)))
+ || !(pf->md5=md5_alloc(__func__))) goto error; pf->buf_len=buf_len; pf->fzp=fzp;
@@ -69,9 +70,9 @@ rs_filebuf_t *rs_filebuf_new(struct BFILE *bfd,
 pf->do_known_byte_count=1; else pf->do_known_byte_count=0;
- if(!MD5_Init(pf->md5))
+ if(!md5_init(pf->md5)) {
- logp("MD5_Init() failed\n");
+ logp("md5_init() failed\n"); goto error; } pf->asfd=asfd;
@@ -84,8 +85,8 @@ rs_filebuf_t *rs_filebuf_new(struct BFILE *bfd,
 void rs_filebuf_free(rs_filebuf_t **fb) { if(!fb || !*fb) return;
+ md5_free(&((*fb)->md5)); free_w(&((*fb)->buf));
- free_v((void **)&((*fb)->md5)); free_v((void **)fb); }
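Review bot: `unsigned long len` in the md5_update prototype does not match the `size_t` that MD5_Update and EVP_DigestUpdate take, and on the Win64 build this tree ships (LLP64, where `unsigned long` is 32 bits) the size_t/ssize_t lengths callers pass would be silently truncated above 4 GiB; declare it `size_t len` in both md5.h and md5.c. The guard `_BURP_MD5_H` is a reserved identifier (leading underscore followed by an uppercase letter) — unless the project's other headers already use that form, `BURP_MD5_H` avoids it. The new API also lacks a word on ownership; a header comment such as `/* md5_alloc returns a context the caller must release with md5_free, which tolerates a NULL or already-cleared pointer. */` states what the code in md5.c guarantees.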
@@ -198,9 +199,9 @@ rs_result rs_infilebuf_fill(__attribute__ ((unused)) rs_job_t *job, } //logp("bread: ok: %d\n", len); fb->bytes+=len; - if(!MD5_Update(fb->md5, fb->buf, len)) + if(!md5_update(fb->md5, fb->buf, len)) { - logp("rs_infilebuf_fill: MD5_Update() failed\n"); + logp("rs_infilebuf_fill: md5_update() failed\n"); return RS_IO_ERROR; } } @@ -222,9 +223,9 @@ rs_result rs_infilebuf_fill(__attribute__ ((unused)) rs_job_t *job, } } fb->bytes+=len; - if(!MD5_Update(fb->md5, fb->buf, len)) + if(!md5_update(fb->md5, fb->buf, len)) { - logp("rs_infilebuf_fill: MD5_Update() failed\n"); + logp("rs_infilebuf_fill: md5_update() failed\n"); return RS_IO_ERROR; } } diff --git a/src/rs_buf.h b/src/rs_buf.h index 6512a757..7e976c11 100644 --- a/src/rs_buf.h +++ b/src/rs_buf.h @@ -27,9 +27,9 @@ #include "burp.h" #include "conf.h" #include "bfile.h" +#include "md5.h" #include -#include extern size_t block_len; extern size_t strong_len; @@ -44,7 +44,7 @@ struct rs_filebuf uint64_t bytes; size_t data_len; int do_known_byte_count; - MD5_CTX *md5; + struct md5 *md5; struct asfd *asfd; }; diff --git a/src/sbuf.h b/src/sbuf.h index 52782b37..9c94370f 100644 --- a/src/sbuf.h +++ b/src/sbuf.h @@ -33,9 +33,10 @@ #define SBUF_RECV_DELTA 0x1000 #define SBUF_CLIENT_RESTORE_HACK 0x2000 -#define ENCRYPTION_UNSET -1 // Also legacy -#define ENCRYPTION_NONE 0 -#define ENCRYPTION_KEY_DERIVED 1 +#define ENCRYPTION_UNSET -1 // Also legacy +#define ENCRYPTION_NONE 0 +#define ENCRYPTION_KEY_DERIVED_BF_CBC 1 // Legacy +#define ENCRYPTION_KEY_DERIVED_AES_CBC_256 2 typedef struct sbuf sbuf_t; diff --git a/src/server/bedup.c b/src/server/bedup.c index 3ff96b87..2644e876 100644 --- a/src/server/bedup.c +++ b/src/server/bedup.c @@ -7,6 +7,7 @@ #include "../fzp.h" #include "../lock.h" #include "../log.h" +#include "../md5.h" #include "../prepend.h" #include "../strlist.h" #include "bedup.h" 
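Review bot: The renumbered ENCRYPTION_* defines in sbuf.h are compared against `sb->encryption` read back at restore time (restore_switch.c), so they presumably form part of the stored per-entry format and the new values must never be reused or renumbered; nothing in the header says so, and a comment above the defines such as `// Stored with each entry; these values are persistent identifiers, do not renumber.` would protect the next edit. Since enc_setup now switches over this closed set, an `enum` in place of the `#define`s would additionally let the compiler check coverage once the selector variables take the enum type.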
@@ -181,7 +182,7 @@ static int full_match(struct file *o, struct file *n, static int get_part_cksum(struct file *f, struct fzp **fzp) { - MD5_CTX *md5=NULL; + struct md5 *md5=NULL; int ret=-1; int got=0; static char buf[PART_CHUNK]; @@ -194,25 +195,25 @@ static int get_part_cksum(struct file *f, struct fzp **fzp) return 0; } - if(!(md5=(MD5_CTX *)calloc_w(1, sizeof(MD5_CTX), __func__))) + if(!(md5=md5_alloc(__func__))) goto end; - if(!MD5_Init(md5)) + if(!md5_init(md5)) { - logp("MD5_Init() failed\n"); + logp("md5_init() failed\n"); goto end; } got=fzp_read(*fzp, buf, PART_CHUNK); - if(!MD5_Update(md5, buf, got)) + if(!md5_update(md5, buf, got)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); goto end; } - if(!MD5_Final(checksum, md5)) + if(!md5_final(md5, checksum)) { - logp("MD5_Final() failed\n"); + logp("md5_final() failed\n"); goto end; } @@ -224,7 +225,7 @@ static int get_part_cksum(struct file *f, struct fzp **fzp) ret=0; end: - free_v((void **)&md5); + md5_free(&md5); return ret; } @@ -232,7 +233,7 @@ static int get_full_cksum(struct file *f, struct fzp **fzp) { size_t s=0; int ret=-1; - MD5_CTX *md5=NULL; + struct md5 *md5=NULL; static char buf[FULL_CHUNK]; unsigned char checksum[MD5_DIGEST_LENGTH+1]; @@ -243,27 +244,27 @@ static int get_full_cksum(struct file *f, struct fzp **fzp) return 0; } - if(!(md5=(MD5_CTX *)calloc_w(1, sizeof(MD5_CTX), __func__))) + if(!(md5=md5_alloc(__func__))) goto end; - if(!MD5_Init(md5)) + if(!md5_init(md5)) { - logp("MD5_Init() failed\n"); + logp("md5_init() failed\n"); goto end; } while((s=fzp_read(*fzp, buf, FULL_CHUNK))>0) { - if(!MD5_Update(md5, buf, s)) + if(!md5_update(md5, buf, s)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); goto end; } if(s0) { cbytes+=b; - if(!MD5_Update(md5, in, b)) + if(!md5_update(md5, in, b)) { - logp("MD5_Update() failed\n"); + logp("md5_update() failed\n"); fzp_close(&fzp); - free_v((void **)&md5); + md5_free(&md5); return -1; } } 
@@ -225,18 +225,18 @@ int verify_file(struct asfd *asfd, struct sbuf *sb, { logw(asfd, cntr, "error while reading %s\n", best); fzp_close(&fzp); - free_v((void **)&md5); + md5_free(&md5); return 0; } fzp_close(&fzp); - if(!MD5_Final(checksum, md5)) + if(!md5_final(md5, checksum)) { - logp("MD5_Final() failed\n"); - free_v((void **)&md5); + logp("md5_final() failed\n"); + md5_free(&md5); return -1; } newsum=bytes_to_md5str(checksum); - free_v((void **)&md5); + md5_free(&md5); if(strcmp(newsum, cp)) { diff --git a/src/ssl.c b/src/ssl.c index 9b8d1f52..a025864e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -34,6 +34,10 @@ int ssl_do_accept(SSL *ssl) } } +/* Not ready yet +#if OPENSSL_VERSION_NUMBER < 0x30000000L +*/ +#if 1 int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs) { DH *ret=0; @@ -55,6 +59,51 @@ int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs) } return 0; } +#else +#include +int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs) +{ + BIO *bio=NULL; + EVP_PKEY *pkey=NULL; + OSSL_DECODER_CTX *dctx=NULL; + const char *ssl_dhfile=get_string(confs[OPT_SSL_DHFILE]); + + if(!(bio=BIO_new_file(ssl_dhfile, "r"))) + { + logp_ssl_err("Couldn't open ssl_dhfile: %s\n", ssl_dhfile); + return -1; + } + if(!(dctx=OSSL_DECODER_CTX_new_for_pkey( + &pkey, "PEM", NULL, "DH", + OSSL_KEYMGMT_SELECT_KEYPAIR, + NULL, NULL))) + { + logp_ssl_err("No suitable decoders found for: %s\n", ssl_dhfile); + BIO_free(bio); + OSSL_DECODER_CTX_free(dctx); + return -1; + } + + if(!OSSL_DECODER_from_bio(dctx, bio)) + { + logp_ssl_err("Decoding failure for: %s\n", ssl_dhfile); + BIO_free(bio); + OSSL_DECODER_CTX_free(dctx); + return -1; + + } + + if(SSL_CTX_set_tmp_dh(ctx, pkey)<0) + { + logp_ssl_err("Couldn't set DH parameters"); + OSSL_DECODER_CTX_free(dctx); + return -1; + } + + OSSL_DECODER_CTX_free(dctx); + return 0; +} +#endif static int password_cb(char *buf, int num, __attribute__ ((unused)) int rwflag, 
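Review bot: In the OpenSSL 3 variant of ssl_load_dh_params (the `#else` branch, compiled out by `#if 1` for now), `SSL_CTX_set_tmp_dh(ctx, pkey)` hands an EVP_PKEY* to an API that expects a DH* — it only compiles because the macro casts its argument — and the `<0` test never fires because that call reports failure as 0; the 3.0 API is `SSL_CTX_set0_tmp_dh_pkey(ctx, pkey)`, which returns 1 on success and takes ownership of pkey. The function also leaks `bio` on the success and set-failure paths and never frees `pkey` on failure, and a dhparam file carries domain parameters rather than a key pair, so `OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS` is likely the right decoder selection. A single cleanup label keeps every exit consistent (rewrite below). The `#include` line in this hunk lost its header name in this rendering; confirm it names `<openssl/decoder.h>`.
```c
int ssl_load_dh_params(SSL_CTX *ctx, struct conf **confs)
{
	int ret=-1;
	BIO *bio=NULL;
	EVP_PKEY *pkey=NULL;
	OSSL_DECODER_CTX *dctx=NULL;
	const char *ssl_dhfile=get_string(confs[OPT_SSL_DHFILE]);

	if(!(bio=BIO_new_file(ssl_dhfile, "r")))
	{
		logp_ssl_err("Couldn't open ssl_dhfile: %s\n", ssl_dhfile);
		goto end;
	}
	// A dhparam file holds DH domain parameters, not a key pair.
	if(!(dctx=OSSL_DECODER_CTX_new_for_pkey(
		&pkey, "PEM", NULL, "DH",
		OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS,
		NULL, NULL)))
	{
		logp_ssl_err("No suitable decoders found for: %s\n", ssl_dhfile);
		goto end;
	}
	if(!OSSL_DECODER_from_bio(dctx, bio))
	{
		logp_ssl_err("Decoding failure for: %s\n", ssl_dhfile);
		goto end;
	}
	// Returns 1 on success and then owns pkey; on failure we still own it.
	if(SSL_CTX_set0_tmp_dh_pkey(ctx, pkey)!=1)
	{
		logp_ssl_err("Couldn't set DH parameters\n");
		goto end;
	}
	pkey=NULL;
	ret=0;
end:
	EVP_PKEY_free(pkey);
	OSSL_DECODER_CTX_free(dctx);
	BIO_free(bio);
	return ret;
}
```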
diff --git a/src/win32/Makefile.inc.in b/src/win32/Makefile.inc.in index 26365dec..7242c481 100644 --- a/src/win32/Makefile.inc.in +++ b/src/win32/Makefile.inc.in @@ -85,6 +85,13 @@ LIBS_SSL := \ LIBS_CRYPTO := \ $(DEPKGS)/lib/libcrypto.dll.a +# Not ready yet +#LIBS_SSL := \ +# $(DEPKGS)/lib64/libssl.dll.a +# +#LIBS_CRYPTO := \ +# $(DEPKGS)/lib64/libcrypto.dll.a + LIBS_RSYNC := \ $(DEPKGS)/lib/librsync.a diff --git a/src/win32/Makefile.installer b/src/win32/Makefile.installer index 957f92ac..b831e9ec 100644 --- a/src/win32/Makefile.installer +++ b/src/win32/Makefile.installer @@ -7,6 +7,10 @@ include ../Makefile.inc ifeq ($(WIN64),yes) SSL_DLL := libssl-1_1-x64.dll CRYPTO_DLL := libcrypto-1_1-x64.dll +# Not ready yet +# SSL_DLL := libssl-3-x64.dll +# SSL_LEGACY_DLL := legacy.dll +# CRYPTO_DLL := libcrypto-3-x64.dll LIBGCC_DLL := libgcc_s_seh-1.dll else SSL_DLL := libssl-1_1.dll @@ -24,7 +28,9 @@ DEFINES := \ -DBITS=$(BITS) \ -DSSL_DLL=$(SSL_DLL) \ -DCRYPTO_DLL=$(CRYPTO_DLL) \ - -DLIBGCC_DLL=$(LIBGCC_DLL) \ + -DLIBGCC_DLL=$(LIBGCC_DLL) +# Not ready yet +# -DSSL_LEGACY_DLL=$(SSL_LEGACY_DLL) INSTALL_EXE := $(BUILDDIR)/release$(BITS)/$(PACKAGE_TARNAME)-win$(BITS)-installer-$(PACKAGE_VERSION).exe @@ -111,6 +117,9 @@ $(INSTALL_EXE): winburp.nsi $(addprefix release$(BITS)/,$(BURP_BINARIES) $(DEPKG mv release$(BITS)/* bin mv bin/*.conf release$(BITS) mv bin release$(BITS) +# Not ready yet +# cp -r /burp/burp-depkgs/mingw-w64-x86_64/lib64/ossl-modules release$(BITS) +# $(STAB2CV) release$(BITS)/ossl-modules/$(SSL_LEGACY_DLL) NSISDIR=$(NSIS_DIR) $(NSIS_DIR)/makensis -V3 $(DEFINES) winburp.nsi include $(BUILDDIR)/Makefile.rules diff --git a/src/win32/burp/Makefile b/src/win32/burp/Makefile index dfe14943..50f858fe 100644 --- a/src/win32/burp/Makefile +++ b/src/win32/burp/Makefile @@ -73,6 +73,7 @@ CLIENT_OBJS = \ $(OBJDIR)/lock.o \ $(OBJDIR)/log.o \ $(OBJDIR)/main.o \ + $(OBJDIR)/md5.o \ $(OBJDIR)/msg.o \ $(OBJDIR)/pathcmp.o \ $(OBJDIR)/prepend.o \ 
diff --git a/src/win32/installer/winburp.nsi b/src/win32/installer/winburp.nsi index 1a470408..8017e9ce 100644 --- a/src/win32/installer/winburp.nsi +++ b/src/win32/installer/winburp.nsi @@ -314,6 +314,8 @@ Function InstallCommonFiles File "${SRC_DIR}\bin\${PACKAGE_TARNAME}_ca.bat" File "${SRC_DIR}\bin\${PACKAGE_TARNAME}.exe" File "${SRC_DIR}\bin\${SSL_DLL}" +; Not ready yet +; File "${SRC_DIR}\bin\ossl-modules\${SSL_LEGACY_DLL}" File "${SRC_DIR}\bin\utest.exe" File "${SRC_DIR}\bin\zlib1.dll" StrCpy $CommonFilesDone 1 diff --git a/src/win32/utest/Makefile b/src/win32/utest/Makefile index 1630dcd8..8c45dea9 100644 --- a/src/win32/utest/Makefile +++ b/src/win32/utest/Makefile @@ -74,6 +74,7 @@ CLIENT_OBJS = \ $(OBJDIR)/src/linkhash.o \ $(OBJDIR)/src/lock.o \ $(OBJDIR)/src/log.o \ + $(OBJDIR)/src/md5.o \ $(OBJDIR)/src/msg.o \ $(OBJDIR)/src/pathcmp.o \ $(OBJDIR)/src/prepend.o \ diff --git a/test/README b/test/README index 76495670..4ff92fa1 100644 --- a/test/README +++ b/test/README @@ -1,5 +1,4 @@ -IMPORTANT: Run the script 'test_self' whilst standing in the same directory as -the script. +Run the script 'test_self'. It will copy the source from the parent directory into 'build', and then install it into 'target'. diff --git a/test/test_main b/test/test_main index 56ac06c3..66247d8d 100755 --- a/test/test_main +++ b/test/test_main @@ -3,11 +3,8 @@ # Uncomment to get core dumps if segfaults are happening. ulimit -c unlimited -myscript=$(basename $0) -if [ ! -f "$myscript" ] ; then - echo "Please run $myscript whilst standing in the same directory" 1>&2 - exit 1 -fi +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +cd "$DIR" target="$1" burpbin="$2" diff --git a/test/test_self b/test/test_self index 8fd0f23d..24df6a06 100755 --- a/test/test_self +++ b/test/test_self 
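Review bot: `cd "$DIR"` in test_main (and the identical lines in test_self and test_self_ssh) is unchecked, so if the directory cannot be entered the script carries on in the caller's working directory, which is exactly what the removed guard prevented; `cd "$DIR" || exit 1` keeps the old fail-fast behaviour. `${BASH_SOURCE[0]}` also ties the scripts to bash — fine if their shebang (outside the hunk) is `#!/bin/bash`, but it is not available under a plain sh interpreter.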
@@ -2,11 +2,8 @@ # # Test a burp client on the same machine as the server. -myscript=$(basename $0) -if [ ! -f "$myscript" ] ; then - echo "Please run $myscript whilst standing in the same directory" 1>&2 - exit 1 -fi +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +cd "$DIR" path="$PWD" build="$path/build" diff --git a/test/test_self_ssh b/test/test_self_ssh index c044eb05..bbdea015 100755 --- a/test/test_self_ssh +++ b/test/test_self_ssh @@ -3,11 +3,8 @@ # Test a burp client on the same machine as the server, but interact with the # client over ssh. -myscript=$(basename $0) -if [ ! -f "$myscript" ] ; then - echo "Please run $myscript whilst standing in the same directory" 1>&2 - exit 1 -fi +DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +cd "$DIR" path="$PWD" build="$path/build" diff --git a/utest/test_handy_extra.c b/utest/test_handy_extra.c index baf71ed1..3095e281 100644 --- a/utest/test_handy_extra.c +++ b/utest/test_handy_extra.c @@ -1,6 +1,7 @@ #include "test.h" #include "../src/alloc.h" #include "../src/handy_extra.h" +#include "../src/sbuf.h" static void tear_down(void) { @@ -18,7 +19,8 @@ START_TEST(test_enc_setup_ok) { uint64_t salt=12389123; EVP_CIPHER_CTX *ctx; - fail_unless((ctx=enc_setup(1 /*encrypt*/, "somepass", 1, salt))!=NULL); + int key_deriv=ENCRYPTION_KEY_DERIVED_AES_CBC_256; + fail_unless((ctx=enc_setup(1 /*encrypt*/, "somepass", key_deriv, salt))!=NULL); EVP_CIPHER_CTX_cleanup(ctx); EVP_CIPHER_CTX_free(ctx); tear_down();
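Review bot: test_enc_setup_ok now only exercises ENCRYPTION_KEY_DERIVED_AES_CBC_256, so neither the legacy `ENCRYPTION_KEY_DERIVED_BF_CBC` path that UPGRADING promises to keep working nor enc_setup's handling of an unknown selector is covered; two further cases along the lines of `fail_unless(enc_setup(1, "somepass", ENCRYPTION_KEY_DERIVED_BF_CBC, salt)!=NULL);` and `fail_unless(enc_setup(1, "somepass", 99, salt)==NULL);` (99 being a constructed out-of-range value) would pin both. The second case only passes once enc_setup's `default:` arm actually fails instead of logging and continuing, which is worth fixing before enabling the test.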