diff --git a/modules/tls/tls_bio.c b/modules/tls/tls_bio.c index aee1953ebd9..d2c2107d327 100644 --- a/modules/tls/tls_bio.c +++ b/modules/tls/tls_bio.c @@ -63,6 +63,7 @@ static int tls_bio_mbuf_puts(BIO* b, const char* s); static long tls_bio_mbuf_ctrl(BIO* b, int cmd, long arg1, void* arg2); +#if OPENSSL_VERSION_NUMBER < 0x010100000L static BIO_METHOD tls_mbuf_method = { BIO_TYPE_TLS_MBUF, /* type */ "sr_tls_mbuf", /* name */ @@ -75,12 +76,35 @@ static BIO_METHOD tls_mbuf_method = { tls_bio_mbuf_free, /* destroy(free) function */ 0 /* ctrl callback */ }; +#else +static BIO_METHOD *tls_mbuf_method = NULL; +#endif /** returns a custom tls_mbuf BIO. */ BIO_METHOD* tls_BIO_mbuf(void) { +#if OPENSSL_VERSION_NUMBER < 0x010100000L return &tls_mbuf_method; +#else + if(tls_mbuf_method != NULL) { + return tls_mbuf_method; + } + tls_mbuf_method = BIO_meth_new(BIO_TYPE_TLS_MBUF, "sr_tls_mbuf"); + if(tls_mbuf_method==NULL) { + LM_ERR("cannot get a new bio method structure\n"); + return NULL; + } + BIO_meth_set_write(tls_mbuf_method, tls_bio_mbuf_write); + BIO_meth_set_read(tls_mbuf_method, tls_bio_mbuf_read); + BIO_meth_set_puts(tls_mbuf_method, tls_bio_mbuf_puts); + BIO_meth_set_gets(tls_mbuf_method, NULL); + BIO_meth_set_ctrl(tls_mbuf_method, tls_bio_mbuf_ctrl); + BIO_meth_set_create(tls_mbuf_method, tls_bio_mbuf_new); + BIO_meth_set_destroy(tls_mbuf_method, tls_bio_mbuf_free); + BIO_meth_set_callback_ctrl(tls_mbuf_method, NULL); + return tls_mbuf_method; +#endif } @@ -91,7 +115,7 @@ BIO_METHOD* tls_BIO_mbuf(void) BIO* tls_BIO_new_mbuf(struct tls_mbuf* rd, struct tls_mbuf* wr) { BIO* ret; - + TLS_BIO_DBG("tls_BIO_new_mbuf called (%p, %p)\n", rd, wr); ret = BIO_new(tls_BIO_mbuf()); if (unlikely(ret == 0)) @@ -111,7 +135,7 @@ BIO* tls_BIO_new_mbuf(struct tls_mbuf* rd, struct tls_mbuf* wr) int tls_BIO_mbuf_set(BIO* b, struct tls_mbuf* rd, struct tls_mbuf* wr) { struct tls_bio_mbuf_data* d; - + TLS_BIO_DBG("tls_BIO_mbuf_set called (%p => %p, %p)\n", b, rd, wr); if (unlikely(b->ptr == 0)){ BUG("null BIO ptr\n"); diff --git a/modules/tls/tls_domain.c b/modules/tls/tls_domain.c index e64e8bd1d3f..bf8d0f23f6e 100644 --- a/modules/tls/tls_domain.c +++ b/modules/tls/tls_domain.c @@ -107,19 +107,31 @@ static unsigned char dh3072_g[] = { 0x02 }; static void setup_dh(SSL_CTX *ctx) { - DH *dh; + DH *dh; + BIGNUM *p; + BIGNUM *g; - dh = DH_new(); - if (dh == NULL) { - return; - } + dh = DH_new(); + if (dh == NULL) { + return; + } + + p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL); + g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL); + + if (p == NULL || g == NULL) { + DH_free(dh); + return; + } + +#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) + /* libssl >= v1.1.0 */ + DH_set0_pqg(dh, p, NULL, g); +#else + dh->p = p; + dh->g = g; +#endif - dh->p = BN_bin2bn(dh3072_p, sizeof(dh3072_p), NULL); - dh->g = BN_bin2bn(dh3072_g, sizeof(dh3072_g), NULL); - if (dh->p == NULL || dh->g == NULL) { - DH_free(dh); - return; - } SSL_CTX_set_options(ctx, SSL_OP_SINGLE_DH_USE); SSL_CTX_set_tmp_dh(ctx, dh); @@ -713,11 +725,13 @@ static void sr_ssl_ctx_info_callback(const SSL *ssl, int event, int ret) if(data==0) data = (struct tls_extra_data*)SSL_get_app_data(ssl); LOG(tls_dbg, "SSL handshake done\n"); +#if OPENSSL_VERSION_NUMBER < 0x010100000L /* CVE-2009-3555 - disable renegotiation */ if (ssl->s3) { LOG(tls_dbg, "SSL disable renegotiation\n"); ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; } +#endif data->flags |= F_TLS_CON_HANDSHAKED; } } @@ -835,6 +849,7 @@ static int tls_ssl_ctx_mode(SSL_CTX* ctx, long mode, void* clear) */ static int tls_ssl_ctx_set_freelist(SSL_CTX* ctx, long val, void* unused) { +#if OPENSSL_VERSION_NUMBER < 0x010100000L if (val >= 0) #if OPENSSL_VERSION_NUMBER >= 0x01000000L #ifndef OPENSSL_NO_BUF_FREELISTS @@ -843,6 +858,7 @@ static int tls_ssl_ctx_set_freelist(SSL_CTX* ctx, long val, void* unused) #endif #if defined (OPENSSL_NO_BUF_FREELISTS) || OPENSSL_VERSION_NUMBER < 0x01000000L return -1; +#endif #endif return 0; } @@ -927,7 +943,7 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private) /* SSL_set_SSL_CTX only sets the correct certificate parameters, but does set the proper verify options. Thus this will be done manually! */ - SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); + SSL_set_options(ssl, SSL_CTX_get_options(SSL_get_SSL_CTX(ssl))); if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || (SSL_num_renegotiations(ssl) == 0)) { /* @@ -937,8 +953,8 @@ static int tls_server_name_cb(SSL *ssl, int *ad, void *private) * Otherwise, we would possibly reset a per-directory * configuration which was put into effect by ssl_hook_access. */ - SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), - SSL_CTX_get_verify_callback(ssl->ctx)); + SSL_set_verify(ssl, SSL_CTX_get_verify_mode(SSL_get_SSL_CTX(ssl)), + SSL_CTX_get_verify_callback(SSL_get_SSL_CTX(ssl))); } return SSL_TLSEXT_ERR_OK; diff --git a/modules/tls/tls_init.c b/modules/tls/tls_init.c index ece8863903c..af2d4c54efa 100644 --- a/modules/tls/tls_init.c +++ b/modules/tls/tls_init.c @@ -269,6 +269,7 @@ static void* ser_realloc(void *ptr, size_t size, const char* file, int line) #else /*TLS_MALLOC_DBG */ +#if OPENSSL_VERSION_NUMBER < 0x010100000L static void* ser_malloc(size_t size) { return shm_malloc(size); @@ -279,9 +280,22 @@ static void* ser_realloc(void *ptr, size_t size) { return shm_realloc(ptr, size); } +#else +static void* ser_malloc(size_t size, const char *fname, int fline) +{ + return shm_malloc(size); +} + +static void* ser_realloc(void *ptr, size_t size, const char *fname, int fline) +{ + return shm_realloc(ptr, size); +} #endif +#endif + +#if OPENSSL_VERSION_NUMBER < 0x010100000L static void ser_free(void *ptr) { /* The memory functions provided to openssl needs to behave like standard @@ -294,6 +308,14 @@ static void ser_free(void *ptr) shm_free(ptr); } } +#else +static void ser_free(void *ptr, const char *fname, int fline) +{ + if (ptr) { + shm_free(ptr); + } +} +#endif /* @@ -338,11 +360,13 @@ static void init_ssl_methods(void) ssl_methods[TLS_USE_SSLv23 - 1] = SSLv23_method(); /* only specific SSL or TLS version */ +#if OPENSSL_VERSION_NUMBER < 0x010100000L #ifndef OPENSSL_NO_SSL2 ssl_methods[TLS_USE_SSLv2_cli - 1] = SSLv2_client_method(); ssl_methods[TLS_USE_SSLv2_srv - 1] = SSLv2_server_method(); ssl_methods[TLS_USE_SSLv2 - 1] = SSLv2_method(); #endif +#endif #ifndef OPENSSL_NO_SSL3_METHOD ssl_methods[TLS_USE_SSLv3_cli - 1] = SSLv3_client_method(); @@ -384,6 +408,7 @@ static void init_ssl_methods(void) */ static int init_tls_compression(void) { +#if OPENSSL_VERSION_NUMBER < 0x010100000L #if OPENSSL_VERSION_NUMBER >= 0x00908000L int n, r; STACK_OF(SSL_COMP)* comp_methods; @@ -468,6 +493,7 @@ static int init_tls_compression(void) } end: #endif /* OPENSSL_VERSION_NUMBER >= 0.9.8 */ +#endif /* OPENSSL_VERSION_NUMBER < 1.1.0 */ return 0; } @@ -478,9 +504,16 @@ static int init_tls_compression(void) */ int tls_pre_init(void) { +#if OPENSSL_VERSION_NUMBER < 0x010100000L void *(*mf)(size_t) = NULL; void *(*rf)(void *, size_t) = NULL; void (*ff)(void *) = NULL; +#else + void *(*mf)(size_t, const char *, int) = NULL; + void *(*rf)(void *, size_t, const char *, int) = NULL; + void (*ff)(void *, const char *, int) = NULL; +#endif + /* * this has to be called before any function calling CRYPTO_malloc, * CRYPTO_malloc will set allow_customize in openssl to 0 diff --git a/modules/tls/tls_server.c b/modules/tls/tls_server.c index 880fae25aa7..20faa4febae 100644 --- a/modules/tls/tls_server.c +++ b/modules/tls/tls_server.c @@ -258,12 +258,14 @@ static int tls_complete_init(struct tcp_connection* c) } #endif +#if OPENSSL_VERSION_NUMBER < 0x010100000L #ifdef TLS_KSSL_WORKARROUND /* if needed apply workaround for openssl bug #1467 */ if (data->ssl->kssl_ctx && openssl_kssl_malloc_bug){ kssl_ctx_free(data->ssl->kssl_ctx); data->ssl->kssl_ctx=0; } +#endif #endif SSL_set_bio(data->ssl, data->rwbio, data->rwbio); c->extra_data = data; diff --git a/modules/tls/tls_verify.c b/modules/tls/tls_verify.c index 728006dece9..1da392a7f20 100644 --- a/modules/tls/tls_verify.c +++ b/modules/tls/tls_verify.c @@ -30,7 +30,7 @@ /* FIXME: remove this and use the value in domains instead */ #define VERIFY_DEPTH_S 3 -/* This callback is called during each verification process, +/* This callback is called during each verification process, at each step during the chain of certificates (this function is not the certificate_verification one!). */ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) { @@ -44,49 +44,54 @@ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) { LOG(L_NOTICE, "tls_init: verify_callback: cert chain too long ( depth > VERIFY_DEPTH_S)\n"); pre_verify_ok=0; } - + if( pre_verify_ok ) { LOG(L_NOTICE, "tls_init: verify_callback: preverify is good: verify return: %d\n", pre_verify_ok); return pre_verify_ok; } - + err_cert = X509_STORE_CTX_get_current_cert(ctx); - err = X509_STORE_CTX_get_error(ctx); + err = X509_STORE_CTX_get_error(ctx); X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf); - + LOG(L_NOTICE, "tls_init: verify_callback: subject = %s\n", buf); - LOG(L_NOTICE, "tls_init: verify_callback: verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err)); - LOG(L_NOTICE, "tls_init: verify_callback: error code is %d\n", ctx->error); - - switch (ctx->error) { + LOG(L_NOTICE, "tls_init: verify_callback: verify error - num=%d:%s\n", err, + X509_verify_cert_error_string(err)); + LOG(L_NOTICE, "tls_init: verify_callback: error code is %d (depth: %d)\n", + err, depth); + + switch (err) { + case X509_V_OK: + LOG(L_NOTICE, "tls_init: verify_callback: all ok\n"); + break; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),buf,sizeof buf); + X509_NAME_oneline(X509_get_issuer_name(err_cert),buf,sizeof buf); LOG(L_NOTICE, "tls_init: verify_callback: issuer= %s\n",buf); break; - + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: case X509_V_ERR_CERT_NOT_YET_VALID: LOG(L_NOTICE, "tls_init: verify_callback: notBefore\n"); break; - + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: case X509_V_ERR_CERT_HAS_EXPIRED: LOG(L_NOTICE, "tls_init: verify_callback: notAfter\n"); break; - + case X509_V_ERR_CERT_SIGNATURE_FAILURE: case X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE: LOG(L_NOTICE, "tls_init: verify_callback: unable to decrypt cert signature\n"); break; - + case X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY: LOG(L_NOTICE, "tls_init: verify_callback: unable to decode issuer public key\n"); break; - + case X509_V_ERR_OUT_OF_MEM: ERR("tls_init: verify_callback: Out of memory \n"); break; - + case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: case X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: LOG(L_NOTICE, "tls_init: verify_callback: Self signed certificate issue\n"); @@ -110,12 +115,14 @@ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) { case X509_V_ERR_CERT_REJECTED: LOG(L_NOTICE, "tls_init: verify_callback: certificate rejected\n"); break; - + default: - LOG(L_NOTICE, "tls_init: verify_callback: something wrong with the cert ... error code is %d (check x509_vfy.h)\n", ctx->error); + LOG(L_NOTICE, "tls_init: verify_callback: something wrong with the" + " cert ... error code is %d (check x509_vfy.h)\n", + err); break; } - + LOG(L_NOTICE, "tls_init: verify_callback: verify return:%d\n", pre_verify_ok); return(pre_verify_ok); }