1From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
2From: Sergey Poznyakoff <gray@gnu.org>
3Date: Wed, 28 Feb 2018 13:44:01 +0000
4Subject: [PATCH] Support for Openssl 1.1
5
6Fixes
7http://autobuild.buildroot.net/results/ef2/ef2de6c280bf8622a00d4573bc5bd143e3baa002
8
9Downloaded from github fork:
10https://github.com/graygnuorg/pound/commit/a2c9dde4d055ea8942afb150b7fc3a807d4e5d60
11
12This patch was announced on the upstream mailinglist:
13http://www.apsis.ch/pound/pound_list/archive/2018/2018-03/1519920322000
14
15Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
16---
17 .gitignore | 15 ++++++++
18 config.c | 17 +++++++--
19 http.c | 12 ++++++-
20 pound.h | 4 ++-
21 svc.c | 101 +++++++++++++++++++++++++++++++++++++++++++----------
22 5 files changed, 125 insertions(+), 24 deletions(-)
23 create mode 100644 .gitignore
24
25diff --git a/config.c b/config.c
26index d41a3ee..e8fec0f 100644
27--- a/config.c
28+++ b/config.c
29@@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
30 }
31 }
32 
33+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
34+# define general_name_string(n) \
35+ strndup(ASN1_STRING_get0_data(n->d.dNSName), \
36+ ASN1_STRING_length(n->d.dNSName) + 1)
37+#else
38+# define general_name_string(n) \
39+ strndup(ASN1_STRING_data(n->d.dNSName), \
40+ ASN1_STRING_length(n->d.dNSName) + 1)
41+#endif
42+
43 unsigned char **
44 get_subjectaltnames(X509 *x509, unsigned int *count)
45 {
46@@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
47 name = sk_GENERAL_NAME_pop(san_stack);
48 switch(name->type) {
49 case GEN_DNS:
50- temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
51- + 1);
52+ temp[local_count] = general_name_string(name);
53 if(temp[local_count] == NULL)
54 conf_err("out of memory");
55 local_count++;
56@@ -565,7 +574,9 @@ parse_service(const char *svc_name)
57 pthread_mutex_init(&res->mut, NULL);
58 if(svc_name)
59 strncpy(res->name, svc_name, KEY_SIZE);
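Review bot: Both branches of `general_name_string` (lines 35-36 and 39-40) hand strndup a length of `ASN1_STRING_length(n->d.dNSName) + 1`, so the copy may read one byte past the ASN.1 data and only works because OpenSSL happens to keep a NUL terminator behind it; `strndup(..., ASN1_STRING_length(n->d.dNSName))` yields the same string without that dependency, and the use site at line 52 inherits whichever form the macro takes. A dNSName carrying an embedded NUL byte is also silently cut short by strndup, which matters if the copy is later matched against request hostnames (the consumer is outside this hunk); rejecting the name when `strlen()` of the copy differs from `ASN1_STRING_length()` closes that gap. Under 1.1 `ASN1_STRING_get0_data()` returns `const unsigned char *`, so a `(const char *)` cast on the strndup argument avoids a pointer-sign warning. The 1.1 branch also deserves a one-line comment such as `/* ASN1_STRING_data() was replaced by the const accessor in 1.1.0 */`.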
60-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
61+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
62+ if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)
63+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
64 if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
65 #else
66 if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
67diff --git a/http.c b/http.c
68index dd211e4..c8e756a 100644
69--- a/http.c
70+++ b/http.c
71@@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
72 
73 /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
74 
75+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
76+# define clear_error()
77+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
78+# define clear_error() \
79+ if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
80+#else
81+# define clear_error() \
82+ if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
83+#endif
84+
85 #define clean_all() { \
86 if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
87 if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
88 if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
89 if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
90- if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
91+ clear_error(); \
92 }
93 
94 /*
95diff --git a/pound.h b/pound.h
96index fa22c36..9603b91 100644
97--- a/pound.h
98+++ b/pound.h
99@@ -344,7 +344,9 @@ typedef struct _tn {
100 /* maximal session key size */
101 #define KEY_SIZE 127
102 
103-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
104+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
105+ DEFINE_LHASH_OF(TABNODE);
106+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
107 DECLARE_LHASH_OF(TABNODE);
108 #endif
109 
110diff --git a/svc.c b/svc.c
111index 60ba488..063b92c 100644
112--- a/svc.c
113+++ b/svc.c
114@@ -27,10 +27,17 @@
115 
116 #include "pound.h"
117 
118+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
119+# define 
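Review bot: The OpenSSL 1.1 branch at line 76 expands `clear_error()` to nothing, so `clean_all()` (line 91) no longer calls `ERR_clear_error()` at all in 1.1 builds. Only `ERR_remove_thread_state()` became obsolete in 1.1.0 (the per-thread error state is released automatically); the error queue itself still exists, and unless it is drained when a connection is torn down, errors left behind by one client's failed handshake are what the next connection served by the same thread reports. `# define clear_error() if(ssl != NULL) { ERR_clear_error(); }` keeps the behaviour of the two older branches. All three variants also rely on a local named `ssl` in the expanding function, as `clean_all()` already does; a comment stating that above line 75 would spare the next reader a surprise.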
TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
120+# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
121+#else
122 #ifndef LHASH_OF
123 #define LHASH_OF(x) LHASH
124 #define CHECKED_LHASH_OF(type, h) h
125 #endif
126+# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
127+# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
128+#endif
129 
130 /*
131 * Add a new key/content pair to a hash table
132@@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
133 }
134 memcpy(t->content, content, cont_len);
135 t->last_acc = time(NULL);
136-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
137+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
138+ if((old = lh_TABNODE_insert(tab, t)) != NULL) {
139+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
140 if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
141 #else
142 if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
143@@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
144 TABNODE t, *res;
145 
146 t.key = key;
147-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
148+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
149+ if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
150+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
151 if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
152 #else
153 if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
154@@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
155 TABNODE t, *res;
156 
157 t.key = key;
158-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
159+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
160+ if((res = lh_TABNODE_delete(tab, &t)) != NULL) {
161+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
162 if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
163 #else
164 if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
165@@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
166 TABNODE *res;
167 
168 if(t->last_acc < a->lim)
169-#if 
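Review bot: In the pre-1.1 branch of `TABNODE_SET_DOWN_LOAD` (line 127) the macro parameter `n` is not parenthesised, so an expression argument such as `a ? b : c` would bind to the assignment in an unexpected way; `(CHECKED_LHASH_OF(TABNODE, t)->down_load = (n))` is the safe form, even though the two current callers only pass `0` and `down_load`. The block also mixes `# define` and `#define` across lines 119-127, which is worth normalising to one spelling. A one-line comment above line 118, `/* 1.1 made LHASH opaque: down_load is reachable only through the generated accessors */`, would explain why the two branches exist.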
OPENSSL_VERSION_NUMBER >= 0x10000000L
170+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
171+ if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {
172+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
173 if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
174 #else
175 if((res = lh_delete(a->tab, t)) != NULL) {
176@@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
177 IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
178 #endif
179 
180+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
181+IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
182+#endif
183+
184 /*
185 * Expire all old nodes
186 */
187@@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
188 
189 a.tab = tab;
190 a.lim = lim;
191- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
192- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
193-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
194+ down_load = TABNODE_GET_DOWN_LOAD(tab);
195+ TABNODE_SET_DOWN_LOAD(tab, 0);
196+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
197+ lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
198+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
199 LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
200 #else
201 lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
202 #endif
203- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
204+ TABNODE_SET_DOWN_LOAD(tab, down_load);
205 return;
206 }
207 
208@@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
209 TABNODE *res;
210 
211 if(memcmp(t->content, arg->content, arg->cont_len) == 0)
212-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
213+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
214+ if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
215+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
216 if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
217 #else
218 if((res = lh_delete(arg->tab, t)) != NULL) {
219@@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
220 a.tab = tab;
221 
a.content = content;
222 a.cont_len = cont_len;
223- down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
224- CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
225-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
226+ down_load = TABNODE_GET_DOWN_LOAD(tab);
227+ TABNODE_SET_DOWN_LOAD(tab, 0);
228+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
229+ lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
230+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
231 LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
232 #else
233 lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
234 #endif
235- CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
236- return;
237+ TABNODE_SET_DOWN_LOAD(tab, down_load);
238 }
239 
240 /*
241@@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
242 return res;
243 }
244 
245+static int
246+generate_key(RSA **ret_rsa, unsigned long bits)
247+{
248+#if OPENSSL_VERSION_NUMBER > 0x00908000L
249+ int rc = 0;
250+ RSA *rsa;
251+
252+ rsa = RSA_new();
253+ if (rsa) {
254+ BIGNUM *bne = BN_new();
255+ if (BN_set_word(bne, RSA_F4))
256+ rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
257+ BN_free(bne);
258+ if (rc)
259+ *ret_rsa = rsa;
260+ else
261+ RSA_free(rsa);
262+ }
263+ return rc;
264+#else
265+ *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
266+ return *ret_rsa != NULL;
267+#endif
268+}
269+
270 /*
271 * Periodically regenerate ephemeral RSA keys
272 * runs every T_RSA_KEYS seconds
273@@ -1274,8 +1323,9 @@ do_RSAgen(void)
274 RSA *t_RSA1024_keys[N_RSA_KEYS];
275 
276 for(n = 0; n < N_RSA_KEYS; n++) {
277- t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
278- t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
279+ /* FIXME: Error handling */
280+ generate_key(&t_RSA512_keys[n], 512);
281+ generate_key(&t_RSA1024_keys[n], 1024);
282 }
283 if(ret_val = pthread_mutex_lock(&RSA_mut))
284 logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
285@@ 
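Review bot: `generate_key` leaves `*ret_rsa` untouched when generation fails in the `RSA_generate_key_ex` branch (lines 258-261), whereas the old-API branch at line 265 always stores a value; `do_RSAgen` at lines 280-281 ignores the return (the `FIXME` admits it), so a failed generation now leaves the `t_RSA512_keys[n]` / `t_RSA1024_keys[n]` slot indeterminate instead of NULL as before, and that slot is presumably installed into the shared key table further down the function (outside the hunk). `BN_new()` at line 254 is also unchecked, so an allocation failure dereferences NULL inside `BN_set_word()`. Writing `*ret_rsa = NULL;` at the top of `generate_key` and guarding with `if (bne && BN_set_word(bne, RSA_F4))` fixes both, and `int bits` would match the type `RSA_generate_key_ex` actually takes instead of narrowing from `unsigned long`. As far as I know OpenSSL 1.1.0 also dropped ephemeral-RSA key exchange, so in 1.1 builds the keys produced here are never consumed by the library and the regeneration could be compiled out for `>= 0x10100000L`.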
-1329,11 +1379,11 @@ init_timer(void)
286 * Pre-generate ephemeral RSA keys
287 */
288 for(n = 0; n < N_RSA_KEYS; n++) {
289- if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
290+ if(!generate_key(&RSA512_keys[n], 512)) {
291 logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
292 return;
293 }
294- if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
295+ if(!generate_key(&RSA1024_keys[n], 1024)) {
296 logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
297 return;
298 }
299@@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
300 IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
301 #endif
302 
303+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
304+IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
305+#endif
306+
307 /*
308 * write sessions to the control socket
309 */
310@@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
311 
312 a.control_sock = control_sock;
313 a.backends = backends;
314-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
315+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
316+ lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
317+#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
318 LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
319 #else
320 lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
321@@ -1664,6 +1720,13 @@ thr_control(void *arg)
322 }
323 }
324 
325+#ifndef SSL3_ST_SR_CLNT_HELLO_A
326+# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
327+#endif
328+#ifndef SSL23_ST_SR_CLNT_HELLO_A
329+# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
330+#endif
331+
332 void
333 SSLINFO_callback(const SSL *ssl, int where, int rc)
334 {
335
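Review bot: The fallback definitions at lines 325-330 make the 1.1 build compile, but OpenSSL 1.1.0 replaced the SSL3_ST_* values with the `OSSL_HANDSHAKE_STATE` enum returned by `SSL_get_state()` (`TLS_ST_SR_CLNT_HELLO` while a client hello is being read), so no state value will ever equal `0x110|SSL_ST_ACCEPT` or `0x210|SSL_ST_ACCEPT`. If `SSLINFO_callback` (its body lies outside the hunk) compares the handshake state against these constants to detect and reject a client-initiated renegotiation, that protection silently never fires under 1.1. For `>= 0x10100000L` define both names as `TLS_ST_SR_CLNT_HELLO` and keep the numeric fallback only for older releases; 1.1.0h and later also provide `SSL_OP_NO_RENEGOTIATION`, which achieves the same end without inspecting states. A short comment above line 325 naming the OpenSSL versions that lack the original definitions would help the next reader.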