Add OpenSSL 1.1 compatibility #83
Conversation
|
|
||
| len = SSL_read( ssl, pt, UdpTransport::MaxBufferSize ) ; | ||
| int err = SSL_get_error( ssl, len ) ; | ||
|
|
||
| /* done with the rbio */ | ||
| BIO_free( ssl->rbio ) ; | ||
| ssl->rbio = mDummyBio ; | ||
| SSL_set0_rbio( ssl, mDummyBio ); |
There was a problem hiding this comment.
I'm not sure if this could lead to errors. Formerly BIO_free was used. Now BIO_free_all is used instead. IMHO the difference is that the later is freeing recursively. But our rbio seems to be not stacked, so the difference might not matter at all.
|
In the debian bug tracker is also a patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=859715;filename=resip.patch;msg=15 |
|
Hey @FauxFaux, I merged my patch (which preserves OpenSSL 1.0 compatibility) with yours. Could you please give it a review? Differences from your patch to this PR are: https://gist.github.com/gjasny/04463e481d9b14e81c08d0fa3b9071af |
gjasny
force-pushed
the
openssl-1.1
branch
3 times, most recently
from
e88b3b5
to
c971c02
Compare
resip/stack/ssl/Security.hxx
Outdated
| @@ -181,7 +181,7 @@ class BaseSecurity | |||
| // retrieves a list of all certificate names (subjectAltNAme's and CommonName) | |||
| static void getCertNames(X509 *cert, std::list<PeerName> &peerNames, bool useEmailAsSIP = false); | |||
|
|
|||
| static bool isSelfSigned(const X509* cert); | |||
| static bool isSelfSigned(X509* cert); | |||
There was a problem hiding this comment.
This should not be needed. The operation is not supposed to modify the certificate and both X509_get_issuer_name and X509_get_subject_name accept const X509*.
There was a problem hiding this comment.
In OpenSSL 1.0.2 the property accessors just take a non-const X509 pointer.
See x509.h
There was a problem hiding this comment.
Then, I believe, isSelfSigned should perform the const_cast internally or use the old code for OpenSSL 1.0.x. There is no reason to change the public interface of isSelfSigned.
reflow/dtls_wrapper/bf_dwrap.c
Outdated
| @@ -43,19 +58,28 @@ typedef struct BIO_F_DWRAP_CTX_ | |||
|
|
|||
| BIO_METHOD *BIO_f_dwrap(void) | |||
| { | |||
| return(&methods_dwrap); | |||
| BIO_METHOD *meth = BIO_meth_new(BIO_TYPE_DWRAP, "dtls_wrapper"); | |||
There was a problem hiding this comment.
I believe, this memory leaks.
There was a problem hiding this comment.
I will try to create an unit test and check for memory leaks.
|
Also, I believe, |
|
In |
|
@Lastique I think I addressed all of your comments. The dtls_wrapper tests no exit without leaked memory. (For enabling and fixing those tests see future PR). The |
reflow/dtls_wrapper/bf_dwrap.c
Outdated
| BIO_METHOD *BIO_f_dwrap(void) | ||
| { | ||
| if (!dtls_meth) { | ||
| dtls_meth = BIO_meth_new(BIO_TYPE_DWRAP, "dtls_wrapper"); |
There was a problem hiding this comment.
This is not thread-safe. Not sure if there are cases when this code can run in different threads, though. I would recommend using pthread_once or atomics instead.
There was a problem hiding this comment.
You're right but this codebase is still C++03. How about using a static auto_ptr holding the BIO_method? That would also enable me to get rid of the atexit hack.
There was a problem hiding this comment.
A simpler solution is to convert dtls_meth to an object with a constructor and destructor and move the BIO_METHOD initialization to the constructor. This would still be not thread-safe, but in practical sense this would be better because the constructor will be run at library load time, when there are typically no multiple threads.
There was a problem hiding this comment.
OTOH who knows if calling into OpenSSL works before initalization ...
There was a problem hiding this comment.
How about using a static auto_ptr holding the BIO_method?
This won't help. The race is between loading the pointer for testing against NULL and storing the allocated pointer. auto_ptr doesn't help with it.
Re atomics, I was meaning compiler-specific intrinsics. One would likely have to introduce some abstraction layer for portability. pthread_once is available for C++03 programs but not on Windows. I would probably use Interlocked* intrinsics on Windows and pthread_once everywhere else.
There was a problem hiding this comment.
Will work on something like this. But I have to finish some unrelated work first.
There was a problem hiding this comment.
OTOH who knows if calling into OpenSSL works before initalization
I would assume it should work for the methods we need - those are just memory allocation and accessors, no apparent reason for them to not work.
There was a problem hiding this comment.
@Lastique I changed the code as you suggested. Could you pleas give it another review?
Thanks a lot for your time!
Those changes have been compile tested with OpenSSL 1.0.2 and OpenSSL 1.1.0.
|
@sgodin Are you ok with merging this? |
|
Hi Gregor,
I haven't had a chance to try it out, but I trust you have, and I see a
number of names on this pull request that have, so I'm good with it. If
you haven't tried a Windows build and there are issues after you merge, I
can try to resolve those ASAP.
Thanks for your efforts with this!!
Scott
…On Sat, Mar 3, 2018 at 6:50 AM, Gregor Jasny ***@***.***> wrote:
@sgodin <https://github.com/sgodin> Are you ok with merging this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#83 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACtNUaDpmKhBPn3QX-N_igA2p_zv5QTPks5taoOhgaJpZM4OXiZH>
.
|
Hello,
I tried to migrate reSIProcate to the OpenSSL 1.1 API. Those changes have been compile tested with OpenSSL 1.0.2 and OpenSSL 1.1.0.
Unfortunately my (D)TLS and OpenSSL knowledge is quite small. So I consider this PR just a discussion and review starter instead of a polished PR.
Thanks,
Gregor