From 39414f8ff9df63c8bc2e4eee34f09f829a5bf8f5 Mon Sep 17 00:00:00 2001
From: Pierre-Louis Bonicoli <pierre-louis.bonicoli@gmx.fr>
Date: Wed, 29 Jun 2016 19:40:32 +0200
Subject: [PATCH] Handle OpenSSL version 1.1

adding forward-compatible code to older versions
---
 src/connection.c | 82 +++++++++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 69 insertions(+), 13 deletions(-)

diff --git a/src/connection.c b/src/connection.c
index 23ecb1e..37cda12 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -238,6 +238,49 @@ static int _write_socket_SSL(connection_t *cn, char* message)
 	mylog(LOG_DEBUGVERB, "%d/%d bytes sent", count, size);
 	return WRITE_OK;
 }
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define X509_OBJECT_get0_X509(o) ((o)->data.x509)
+#define X509_STORE_CTX_get_by_subject(vs, type, name, ret) X509_STORE_get_by_subject(vs, type, name, ret)
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	// bip doesn't use q parameter
+	assert(q == NULL);
+	dh->p = p;
+	dh->g = g;
+
+	return 1;
+}
+
+X509_OBJECT *X509_OBJECT_new()
+{
+	X509_OBJECT *ret = OPENSSL_malloc(sizeof(*ret));
+
+	if (ret != NULL) {
+		memset(ret, 0, sizeof(*ret));
+		ret->type = X509_LU_FAIL;
+	}
+	return ret;
+}
+
+void X509_OBJECT_free(X509_OBJECT *a)
+{
+	if (a == NULL)
+		return;
+	switch (a->type) {
+	default:
+		break;
+	case X509_LU_X509:
+		X509_free(a->data.x509);
+		break;
+	case X509_LU_CRL:
+		X509_CRL_free(a->data.crl);
+		break;
+	}
+	OPENSSL_free(a);
+}
+#endif
 #endif
 
 static int _write_socket(connection_t *cn, char *message)
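Review bot: The three compatibility shims added under `OPENSSL_VERSION_NUMBER < 0x10100000L` are defined with external linkage, so they export the same symbol names the real library provides from 1.1 onward; if the compile-time headers and the link-time libcrypto ever disagree, the link silently picks one definition. Make them file-local and give the empty parameter list a prototype: `static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)`, `static X509_OBJECT *X509_OBJECT_new(void)`, `static void X509_OBJECT_free(X509_OBJECT *a)`. The `DH_set0_pqg` shim also differs from the 1.1 API in that it overwrites `dh->p`/`dh->g` without freeing existing values and only rejects a non-NULL `q` via `assert`, which is compiled out under `NDEBUG`; a comment such as `/* shim: assumes a freshly created DH; existing p/g are not freed and q is ignored */` would document that contract for the two callers in this file.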
@@ -1089,6 +1132,8 @@ static connection_t *connection_init(int anti_flood, int ssl, int timeout,
 static DH *dh_512(void)
 {
 	DH *dh;
+	BIGNUM *p;
+	BIGNUM *g;
 	static DH *dh_512;
 
 	if (dh_512 == NULL) {
@@ -1096,15 +1141,19 @@ static DH *dh_512(void)
 			mylog(LOG_WARN, "SSL: cannot create DH parameter set");
 			return (0);
 		}
-		dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
-		dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
-		if ((dh->p == NULL) || (dh->g == NULL)) {
+
+		p = BN_bin2bn(dh512_p, sizeof(dh512_p), (BIGNUM *) 0);
+		g = BN_bin2bn(dh512_g, sizeof(dh512_g), (BIGNUM *) 0);
+
+		if ((p == NULL) || (g == NULL)) {
 			mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
 					"parameters");
 			DH_free(dh);
 			return (0);
-		} else
+		} else {
+			DH_set0_pqg(dh, p, NULL, g);
 			dh_512 = dh;
+		}
 	}
 	return dh_512;
 }
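Review bot: The return value of `DH_set0_pqg(dh, p, NULL, g)` is dropped before `dh_512 = dh;`. The shim always returns 1, but the 1.1 API reports failure with 0 and, as far as the man page states, only transfers ownership of `p` and `g` on success, so a failed call would cache a DH without parameters and leak both BIGNUMs. Replace the `else` body with `if (!DH_set0_pqg(dh, p, NULL, g)) { BN_free(p); BN_free(g); DH_free(dh); return (0); }` followed by `dh_512 = dh;`; the same applies to the `dh_1024` hunk below.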
@@ -1113,6 +1162,8 @@ static DH *dh_512(void)
 static DH *dh_1024(void)
 {
 	DH *dh;
+	BIGNUM *p;
+	BIGNUM *g;
 	static DH *dh_1024;
 
 	if (dh_1024 == NULL) {
@@ -1120,15 +1171,19 @@ static DH *dh_1024(void)
 			mylog(LOG_WARN, "SSL: cannot create DH parameter set");
 			return (0);
 		}
-		dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
-		dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
-		if ((dh->p == NULL) || (dh->g == NULL)) {
+
+		p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), (BIGNUM *) 0);
+		g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), (BIGNUM *) 0);
+
+		if ((p == NULL) || (g == NULL)) {
 			mylog(LOG_WARN, "SSL: cannot load compiled-in DH "
 					"parameters");
 			DH_free(dh);
 			return (0);
-		} else
+		} else {
+			DH_set0_pqg(dh, p, NULL, g);
 			dh_1024 = dh;
+		}
 	}
 	return (dh_1024);
 }
@@ -1315,7 +1370,7 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 	int err, depth;
 	SSL *ssl;
 	connection_t *c;
-	X509_OBJECT xobj;
+	X509_OBJECT *xobj;
 	int result;
 
 	err_cert = X509_STORE_CTX_get_current_cert(ctx);
@@ -1345,10 +1400,10 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 			 err == X509_V_ERR_CERT_HAS_EXPIRED ||
 			 err == X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN)) {
 
-		if (X509_STORE_get_by_subject(ctx, X509_LU_X509,
-				X509_get_subject_name(err_cert), &xobj) > 0 &&
-				!X509_cmp(xobj.data.x509, err_cert)) {
-
+		xobj = X509_OBJECT_new();
+		if (X509_STORE_CTX_get_by_subject(ctx, X509_LU_X509,
+				X509_get_subject_name(err_cert), xobj) > 0 &&
+				!X509_cmp(X509_OBJECT_get0_X509(xobj), err_cert)) {
 			if (err == X509_V_ERR_CERT_HAS_EXPIRED)
 				mylog(LOG_INFO, "Basic mode; Accepting "
 						"*expired* peer certificate "
@@ -1368,6 +1423,7 @@ static int bip_ssl_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
 
 			link_add_untrusted(c->user_data, X509_dup(err_cert));
 		}
+		X509_OBJECT_free(xobj);
 	}
 
 	if (!result) {
-- 
2.13.3