From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001 From: Sergey Poznyakoff Date: Wed, 28 Feb 2018 13:44:01 +0000 Subject: [PATCH] Support for Openssl 1.1 --- .gitignore | 15 ++++++++ config.c | 17 +++++++-- http.c | 12 ++++++- pound.h | 4 ++- svc.c | 101 +++++++++++++++++++++++++++++++++++++++++++---------- 5 files changed, 125 insertions(+), 24 deletions(-) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..1afa3b2 --- /dev/null +++ b/.gitignore @@ -0,0 +1,15 @@ +Makefile +*.orig +*.rej +core +config.h +config.log +config.status +stamp-h1 +.emacs* +*.o +*~ +dh2048.h +dh512.h +pound +poundctl diff --git a/config.c b/config.c index d41a3ee..e8fec0f 100644 --- a/config.c +++ b/config.c @@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max) } } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +# define general_name_string(n) \ + strndup(ASN1_STRING_get0_data(n->d.dNSName), \ + ASN1_STRING_length(n->d.dNSName) + 1) +#else +# define general_name_string(n) \ + strndup(ASN1_STRING_data(n->d.dNSName), \ + ASN1_STRING_length(n->d.dNSName) + 1) +#endif + unsigned char ** get_subjectaltnames(X509 *x509, unsigned int *count) { @@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count) name = sk_GENERAL_NAME_pop(san_stack); switch(name->type) { case GEN_DNS: - temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName) - + 1); + temp[local_count] = general_name_string(name); if(temp[local_count] == NULL) conf_err("out of memory"); local_count++; @@ -565,7 +574,9 @@ parse_service(const char *svc_name) pthread_mutex_init(&res->mut, NULL); if(svc_name) strncpy(res->name, svc_name, KEY_SIZE); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL) +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL) #else if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL) diff --git a/http.c b/http.c index dd211e4..c8e756a 100644 --- a/http.c +++ b/http.c @@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt) /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +# define clear_error() +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L +# define clear_error() \ + if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); } +#else +# define clear_error() \ + if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } +#endif + #define clean_all() { \ if(ssl != NULL) { BIO_ssl_shutdown(cl); } \ if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \ if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \ if(x509 != NULL) { X509_free(x509); x509 = NULL; } \ - if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \ + clear_error(); \ } /* diff --git a/pound.h b/pound.h index fa22c36..9603b91 100644 --- a/pound.h +++ b/pound.h @@ -344,7 +344,9 @@ typedef struct _tn { /* maximal session key size */ #define KEY_SIZE 127 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + DEFINE_LHASH_OF(TABNODE); +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L DECLARE_LHASH_OF(TABNODE); #endif diff --git a/svc.c b/svc.c index 60ba488..063b92c 100644 --- a/svc.c +++ b/svc.c @@ -27,10 +27,17 @@ #include "pound.h" +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t) +# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n) +#else #ifndef LHASH_OF #define LHASH_OF(x) LHASH #define CHECKED_LHASH_OF(type, h) h #endif +# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load) +# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n) +#endif /* * Add a new key/content pair to a hash table @@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const } memcpy(t->content, content, cont_len); t->last_acc = time(NULL); -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if((old = lh_TABNODE_insert(tab, t)) != NULL) { +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) { #else if((old = (TABNODE *)lh_insert(tab, t)) != NULL) { @@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key) TABNODE t, *res; t.key = key; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) { +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) { #else if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) { @@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key) TABNODE t, *res; t.key = key; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if((res = lh_TABNODE_delete(tab, &t)) != NULL) { +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) { #else if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) { @@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a) TABNODE *res; if(t->last_acc < a->lim) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if((res = lh_TABNODE_delete(a->tab, t)) != NULL) { +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) { #else if((res = lh_delete(a->tab, t)) != NULL) { @@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG) IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *) #endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG); +#endif + /* * Expire all old nodes */ @@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim) a.tab = tab; a.lim = lim; - down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load; - CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L + down_load = TABNODE_GET_DOWN_LOAD(tab); + TABNODE_SET_DOWN_LOAD(tab, 0); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a); +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a); #else lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a); #endif - CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load; + TABNODE_SET_DOWN_LOAD(tab, down_load); return; } @@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg) TABNODE *res; if(memcmp(t->content, arg->content, arg->cont_len) == 0) -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) { +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) { #else if((res = lh_delete(arg->tab, t)) != NULL) { @@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len a.tab = tab; a.content = content; a.cont_len = cont_len; - down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load; - CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L + down_load = TABNODE_GET_DOWN_LOAD(tab); + TABNODE_SET_DOWN_LOAD(tab, 0); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a); +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a); #else lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a); #endif - CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load; - return; + TABNODE_SET_DOWN_LOAD(tab, down_load); } /* @@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen return res; } +static int +generate_key(RSA **ret_rsa, unsigned long bits) +{ +#if OPENSSL_VERSION_NUMBER > 0x00908000L + int rc = 0; + RSA *rsa; + + rsa = RSA_new(); + if (rsa) { + BIGNUM *bne = BN_new(); + if (BN_set_word(bne, RSA_F4)) + rc = RSA_generate_key_ex(rsa, bits, bne, NULL); + BN_free(bne); + if (rc) + *ret_rsa = rsa; + else + RSA_free(rsa); + } + return rc; +#else + *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL); + return *ret_rsa != NULL; +#endif +} + /* * Periodically regenerate ephemeral RSA keys * runs every T_RSA_KEYS seconds @@ -1274,8 +1323,9 @@ do_RSAgen(void) RSA *t_RSA1024_keys[N_RSA_KEYS]; for(n = 0; n < N_RSA_KEYS; n++) { - t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL); - t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL); + /* FIXME: Error handling */ + generate_key(&t_RSA512_keys[n], 512); + generate_key(&t_RSA1024_keys[n], 1024); } if(ret_val = pthread_mutex_lock(&RSA_mut)) logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val)); @@ -1329,11 +1379,11 @@ init_timer(void) * Pre-generate ephemeral RSA keys */ for(n = 0; n < N_RSA_KEYS; n++) { - if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) { + if(!generate_key(&RSA512_keys[n], 512)) { logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n); return; } - if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) { + if(!generate_key(&RSA1024_keys[n], 1024)) { logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n); return; } @@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG) IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *) #endif +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG); +#endif + /* * write sessions to the control socket */ @@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const a.control_sock = control_sock; a.backends = backends; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a); +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a); #else lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a); @@ -1664,6 +1720,13 @@ thr_control(void *arg) } } +#ifndef SSL3_ST_SR_CLNT_HELLO_A +# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT) +#endif +#ifndef SSL23_ST_SR_CLNT_HELLO_A +# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT) +#endif + void SSLINFO_callback(const SSL *ssl, int where, int rc) {