|
 |
9e34244 |
From 53b731b290a1c625c79b5e6463916b4ea719c9a8 Mon Sep 17 00:00:00 2001
|
|
|
9e34244 |
From: =?UTF-8?q?P=C3=A5l=20Hermunn=20Johansen?=
|
|
|
9e34244 |
<hermunn@varnish-software.com>
|
|
|
9e34244 |
Date: Tue, 15 Nov 2016 16:25:54 +0100
|
|
|
9e34244 |
Subject: [PATCH] Make Hitch compatible with OpenSSL 1.1.0
|
|
|
9e34244 |
|
|
|
9e34244 |
This should address #100. Most of the work is thanks to #sesse.
|
|
|
9e34244 |
|
|
|
9e34244 |
Advice on https://wiki.openssl.org/index.php/1.1_API_Changes was
|
|
|
9e34244 |
helpful when doing this work.
|
|
|
9e34244 |
---
|
|
|
9e34244 |
src/hitch.c | 19 ++++++++++++++++---
|
|
|
9e34244 |
1 file changed, 16 insertions(+), 3 deletions(-)
|
|
|
9e34244 |
|
|
|
9e34244 |
diff --git a/src/hitch.c b/src/hitch.c
|
|
|
9e34244 |
index 81acb2b..e5e432a 100644
|
|
|
9e34244 |
--- a/src/hitch.c
|
|
|
9e34244 |
+++ b/src/hitch.c
|
|
|
9e34244 |
@@ -683,9 +683,13 @@ load_privatekey(SSL_CTX *ctx, const char *file)
|
|
|
9e34244 |
return NULL;
|
|
|
9e34244 |
}
|
|
|
9e34244 |
|
|
|
9e34244 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
9e34244 |
+#define SSL_CTX_get_default_passwd_cb(ctx) (ctx->default_passwd_callback)
|
|
|
9e34244 |
+#define SSL_CTX_get_default_passwd_cb_userdata(ctx) (ctx->default_passwd_callback_userdata)
|
|
|
9e34244 |
+#endif
|
|
|
9e34244 |
pkey = PEM_read_bio_PrivateKey(bio, NULL,
|
|
|
9e34244 |
- ctx->default_passwd_callback,
|
|
|
9e34244 |
- ctx->default_passwd_callback_userdata);
|
|
|
9e34244 |
+ SSL_CTX_get_default_passwd_cb(ctx),
|
|
|
9e34244 |
+ SSL_CTX_get_default_passwd_cb_userdata(ctx));
|
|
|
9e34244 |
BIO_free(bio);
|
|
|
9e34244 |
|
|
|
9e34244 |
return (pkey);
|
|
|
9e34244 |
@@ -1091,8 +1095,11 @@ load_cert_ctx(sslctx *so)
|
|
|
9e34244 |
return (1);
|
|
|
9e34244 |
}
|
|
|
9e34244 |
x509_entry = X509_NAME_get_entry(x509_name, i);
|
|
|
9e34244 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
9e34244 |
+#define X509_NAME_ENTRY_get_data(e) (e->value)
|
|
|
9e34244 |
+#endif
|
|
|
9e34244 |
AN(x509_entry);
|
|
|
9e34244 |
- PUSH_CTX(x509_entry->value, ctx);
|
|
|
9e34244 |
+ PUSH_CTX(X509_NAME_ENTRY_get_data(x509_entry), ctx);
|
|
|
9e34244 |
|
|
|
9e34244 |
return (0);
|
|
|
9e34244 |
}
|
|
|
9e34244 |
@@ -1883,9 +1890,15 @@ static void end_handshake(proxystate *ps) {
|
|
|
9e34244 |
#endif
|
|
|
9e34244 |
LOGPROXY(ps,"ssl end handshake\n");
|
|
|
9e34244 |
/* Disable renegotiation (CVE-2009-3555) */
|
|
|
9e34244 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
9e34244 |
+ /* For OpenSSL 1.1, setting the following flag does not seem
|
|
|
9e34244 |
+ * to be possible. This is OK, since SSLv3 negotiation will
|
|
|
9e34244 |
+ * not happen in OpenSSL 0.9.8m or later unless
|
|
|
9e34244 |
+ * SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION is set. */
|
|
|
9e34244 |
if (ps->ssl->s3) {
|
|
|
9e34244 |
ps->ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
|
|
|
9e34244 |
}
|
|
|
9e34244 |
+#endif
|
|
|
9e34244 |
ps->handshaked = 1;
|
|
|
9e34244 |
|
|
|
9e34244 |
/* Check if clear side is connected */
|