tls: updates for compatibilty with libssl v1.1.0 api

(cherry picked from commit ef02155)
kamailio · Oct 27, 2016 · 58daa31 · 58daa31
1 parent f97df2e
commit 58daa31
Show file tree

Hide file tree

Showing 5 changed files with 117 additions and 35 deletions.
diff --git a/modules/tls/tls_bio.c b/modules/tls/tls_bio.c
@@ -63,6 +63,7 @@ static int tls_bio_mbuf_puts(BIO* b, const char* s);
 static long tls_bio_mbuf_ctrl(BIO* b, int cmd, long arg1, void* arg2);
 
 
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 static BIO_METHOD tls_mbuf_method = {
 	BIO_TYPE_TLS_MBUF,	/* type */
 	"sr_tls_mbuf",		/* name */
@@ -75,12 +76,35 @@ static BIO_METHOD tls_mbuf_method = {
 	tls_bio_mbuf_free,	/* destroy(free) function */
 	0					/* ctrl callback */
 };
+#else
+static BIO_METHOD *tls_mbuf_method = NULL;
+#endif
 
 
 /** returns a custom tls_mbuf BIO. */
 BIO_METHOD* tls_BIO_mbuf(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 	return &tls_mbuf_method;
+#else
+	if(tls_mbuf_method != NULL) {
+		return tls_mbuf_method;
+	}
+	tls_mbuf_method = BIO_meth_new(BIO_TYPE_TLS_MBUF, "sr_tls_mbuf");
+	if(tls_mbuf_method==NULL) {
+		LM_ERR("cannot get a new bio method structure\n");
+		return NULL;
+	}
+	BIO_meth_set_write(tls_mbuf_method, tls_bio_mbuf_write);
+	BIO_meth_set_read(tls_mbuf_method, tls_bio_mbuf_read);
+	BIO_meth_set_puts(tls_mbuf_method, tls_bio_mbuf_puts);
+	BIO_meth_set_gets(tls_mbuf_method, NULL);
+	BIO_meth_set_ctrl(tls_mbuf_method, tls_bio_mbuf_ctrl);
+	BIO_meth_set_create(tls_mbuf_method, tls_bio_mbuf_new);
+	BIO_meth_set_destroy(tls_mbuf_method, tls_bio_mbuf_free);
+	BIO_meth_set_callback_ctrl(tls_mbuf_method, NULL);
+	return tls_mbuf_method;
+#endif
 }
 
 
@@ -91,7 +115,7 @@ BIO_METHOD* tls_BIO_mbuf(void)
 BIO* tls_BIO_new_mbuf(struct tls_mbuf* rd, struct tls_mbuf* wr)
 {
 	BIO* ret;
-	
+
 	TLS_BIO_DBG("tls_BIO_new_mbuf called (%p, %p)\n", rd, wr);
 	ret = BIO_new(tls_BIO_mbuf());
 	if (unlikely(ret == 0))
@@ -111,7 +135,7 @@ BIO* tls_BIO_new_mbuf(struct tls_mbuf* rd, struct tls_mbuf* wr)
 int tls_BIO_mbuf_set(BIO* b, struct tls_mbuf* rd, struct tls_mbuf* wr)
 {
 	struct tls_bio_mbuf_data* d;
-	
+
 	TLS_BIO_DBG("tls_BIO_mbuf_set called (%p => %p, %p)\n", b, rd, wr);
 	if (unlikely(b->ptr == 0)){
 		BUG("null BIO ptr\n");

diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c
@@ -107,19 +107,31 @@ static unsigned char dh3072_g[] = { 0x02 };
 
 static void setup_dh(SSL_CTX *ctx)
 {
-   DH *dh;
+	DH *dh;
+	BIGNUM *p;
+	BIGNUM *g;
 
-   dh = DH_new();
-   if (dh == NULL) {
-      return;
-   }
+	dh = DH_new();
+	if (dh == NULL) {
+		return;
+	}
+
+	p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL);
+	g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL);
+
+	if (p == NULL || g == NULL) {
+		DH_free(dh);
+		return;
+	}
+
+#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+	/* libssl >= v1.1.0 */
+	DH_set0_pqg(dh, p, NULL, g);
+#else
+	dh->p = p;
+	dh->g = g;
+#endif
 
-   dh->p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL);
-   dh->g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL);
-   if (dh->p == NULL || dh->g == NULL) {
-      DH_free(dh);
-      return;
-   }
 
    SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE);
    SSL_CTX_set_tmp_dh(ctx, dh);
@@ -713,11 +725,13 @@ static void sr_ssl_ctx_info_callback(const SSL *ssl, int event, int ret)
 		if(data==0)
 			data = (struct tls_extra_data*)SSL_get_app_data(ssl);
 		LOG(tls_dbg, "SSL handshake done\n");
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 		/* CVE-2009-3555 - disable renegotiation */
 		if (ssl->s3) {
 			LOG(tls_dbg, "SSL disable renegotiation\n");
 			ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
 		}
+#endif
 		data->flags |= F_TLS_CON_HANDSHAKED;
 	}
 }
@@ -835,6 +849,7 @@ static int tls_ssl_ctx_mode(SSL_CTX* ctx, long mode, void* clear)
  */
 static int tls_ssl_ctx_set_freelist(SSL_CTX* ctx, long val, void* unused)
 {
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 	if (val >= 0)
 #if OPENSSL_VERSION_NUMBER >= 0x01000000L
 #ifndef OPENSSL_NO_BUF_FREELISTS
@@ -843,6 +858,7 @@ static int tls_ssl_ctx_set_freelist(SSL_CTX* ctx, long val, void* unused)
 #endif
 #if defined (OPENSSL_NO_BUF_FREELISTS) || OPENSSL_VERSION_NUMBER < 0x01000000L
 		return -1;
+#endif
 #endif
 	return 0;
 }
@@ -927,7 +943,7 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)
 	/* SSL_set_SSL_CTX only sets the correct certificate parameters, but does
 	   set the proper verify options. Thus this will be done manually! */
 
-	SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+	SSL_set_options(ssl, SSL_CTX_get_options(SSL_get_SSL_CTX(ssl)));
 	if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
 				(SSL_num_renegotiations(ssl) == 0)) {
 		/*
@@ -937,8 +953,8 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private)
 		 * Otherwise, we would possibly reset a per-directory
 		 * configuration which was put into effect by ssl_hook_access.
 		 */
-		SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
-			SSL_CTX_get_verify_callback(ssl->ctx));
+		SSL_set_verify(ssl, SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(ssl)),
+			SSL_CTX_get_verify_callback(SSL_get_SSL_CTX(ssl)));
 	}
 
 	return SSL_TLSEXT_ERR_OK;

diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c
@@ -269,6 +269,7 @@ static void* ser_realloc(void *ptr, size_t size, const char* file, int line)
 
 #else /*TLS_MALLOC_DBG */
 
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 static void* ser_malloc(size_t size)
 {
 	return shm_malloc(size);
@@ -279,9 +280,22 @@ static void* ser_realloc(void *ptr, size_t size)
 {
 		return shm_realloc(ptr, size);
 }
+#else
+static void* ser_malloc(size_t size, const char *fname, int fline)
+{
+	return shm_malloc(size);
+}
+
 
+static void* ser_realloc(void *ptr, size_t size, const char *fname, int fline)
+{
+		return shm_realloc(ptr, size);
+}
 #endif
 
+#endif
+
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 static void ser_free(void *ptr)
 {
 	/* The memory functions provided to openssl needs to behave like standard
@@ -294,6 +308,14 @@ static void ser_free(void *ptr)
 		shm_free(ptr);
 	}
 }
+#else
+static void ser_free(void *ptr, const char *fname, int fline)
+{
+	if (ptr) {
+		shm_free(ptr);
+	}
+}
+#endif
 
 
 /*
@@ -338,11 +360,13 @@ static void init_ssl_methods(void)
 	ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method();
 
 	/* only specific SSL or TLS version */
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 #ifndef OPENSSL_NO_SSL2
 	ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method();
 	ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method();
 	ssl_methods[TLS_USE_SSLv2 - 1] = SSLv2_method();
 #endif
+#endif
 
 #ifndef OPENSSL_NO_SSL3_METHOD
 	ssl_methods[TLS_USE_SSLv3_cli - 1] = SSLv3_client_method();
@@ -384,6 +408,7 @@ static void init_ssl_methods(void)
  */
 static int init_tls_compression(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 #if OPENSSL_VERSION_NUMBER >= 0x00908000L
 	int n, r;
 	STACK_OF(SSL_COMP)* comp_methods;
@@ -468,6 +493,7 @@ static int init_tls_compression(void)
 	}
 end:
 #endif /* OPENSSL_VERSION_NUMBER >= 0.9.8 */
+#endif /* OPENSSL_VERSION_NUMBER < 1.1.0 */
 	return 0;
 }
 
@@ -478,9 +504,16 @@ static int init_tls_compression(void)
  */
 int tls_pre_init(void)
 {
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 	void *(*mf)(size_t) = NULL;
 	void *(*rf)(void *, size_t) = NULL;
 	void (*ff)(void *) = NULL;
+#else
+	void *(*mf)(size_t, const char *, int) = NULL;
+	void *(*rf)(void *, size_t, const char *, int) = NULL;
+	void (*ff)(void *, const char *, int) = NULL;
+#endif
+
 	/*
 	 * this has to be called before any function calling CRYPTO_malloc,
 	 * CRYPTO_malloc will set allow_customize in openssl to 0

diff --git a/modules/tls/tls_server.c b/modules/tls/tls_server.c
@@ -258,12 +258,14 @@ static int tls_complete_init(struct tcp_connection* c)
 	}
 #endif
 
+#if OPENSSL_VERSION_NUMBER < 0x010100000L
 #ifdef TLS_KSSL_WORKARROUND
 	 /* if needed apply workaround for openssl bug #1467 */
 	if (data->ssl->kssl_ctx && openssl_kssl_malloc_bug){
 		kssl_ctx_free(data->ssl->kssl_ctx);
 		data->ssl->kssl_ctx=0;
 	}
+#endif
 #endif
 	SSL_set_bio(data->ssl, data->rwbio, data->rwbio);
 	c->extra_data = data;

diff --git a/modules/tls/tls_verify.c b/modules/tls/tls_verify.c
@@ -30,7 +30,7 @@
 /* FIXME: remove this and use the value in domains instead */
 #define VERIFY_DEPTH_S 3
 
-/* This callback is called during each verification process, 
+/* This callback is called during each verification process,
 at each step during the chain of certificates (this function
 is not the certificate_verification one!). */
 int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
@@ -44,49 +44,54 @@ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
 		LOG(L_NOTICE, "tls_init: verify_callback: cert chain too long ( depth > VERIFY_DEPTH_S)\n");
 		pre_verify_ok=0;
 	}
-	
+
 	if( pre_verify_ok ) {
 		LOG(L_NOTICE, "tls_init: verify_callback: preverify is good: verify return: %d\n", pre_verify_ok);
 		return pre_verify_ok;
 	}
-	
+
 	err_cert = X509_STORE_CTX_get_current_cert(ctx);
-	err = X509_STORE_CTX_get_error(ctx);	
+	err = X509_STORE_CTX_get_error(ctx);
 	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
-	
+
 	LOG(L_NOTICE, "tls_init: verify_callback: subject = %s\n", buf);
-	LOG(L_NOTICE, "tls_init: verify_callback: verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err));	
-	LOG(L_NOTICE, "tls_init: verify_callback: error code is %d\n", ctx->error);
-
-	switch (ctx->error) {
+	LOG(L_NOTICE, "tls_init: verify_callback: verify error - num=%d:%s\n", err,
+			X509_verify_cert_error_string(err));
+	LOG(L_NOTICE, "tls_init: verify_callback: error code is %d (depth: %d)\n",
+			err, depth);
+
+	switch (err) {
+		case X509_V_OK:
+			LOG(L_NOTICE, "tls_init: verify_callback: all ok\n");
+			break;
 		case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-			X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf);
+			X509_NAME_oneline(X509_get_issuer_name(err_cert),buf,sizeof buf);
 			LOG(L_NOTICE, "tls_init: verify_callback: issuer= %s\n",buf);
 			break;
-			
+
 		case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
 		case X509_V_ERR_CERT_NOT_YET_VALID:
 			LOG(L_NOTICE, "tls_init: verify_callback: notBefore\n");
 			break;
-		
+
 		case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
 		case X509_V_ERR_CERT_HAS_EXPIRED:
 			LOG(L_NOTICE, "tls_init: verify_callback: notAfter\n");
 			break;
-			
+
 		case X509_V_ERR_CERT_SIGNATURE_FAILURE:
 		case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE:
 			LOG(L_NOTICE, "tls_init: verify_callback: unable to decrypt cert signature\n");
 			break;
-			
+
 		case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY:
 			LOG(L_NOTICE, "tls_init: verify_callback: unable to decode issuer public key\n");
 			break;
-			
+
 		case X509_V_ERR_OUT_OF_MEM:
 			ERR("tls_init: verify_callback: Out of memory \n");
 			break;
-			
+
 		case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
 		case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN:
 			LOG(L_NOTICE, "tls_init: verify_callback: Self signed certificate issue\n");
@@ -110,12 +115,14 @@ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
 		case X509_V_ERR_CERT_REJECTED:
 			LOG(L_NOTICE, "tls_init: verify_callback: certificate rejected\n");
 			break;
-		
+
 		default:
-			LOG(L_NOTICE, "tls_init: verify_callback: something wrong with the cert ... error code is %d (check x509_vfy.h)\n", ctx->error);
+			LOG(L_NOTICE, "tls_init: verify_callback: something wrong with the"
+					" cert ... error code is %d (check x509_vfy.h)\n",
+					err);
 			break;
 	}
-	
+
 	LOG(L_NOTICE, "tls_init: verify_callback: verify return:%d\n", pre_verify_ok);
 	return(pre_verify_ok);
 }