From: Razvan Crainea <razvan@opensips.org>
Date: Tue, 29 Nov 2016 14:16:11 +0200
Subject: [PATCH] Add support for openssl 1.1.0
Reported by Petr Pisar in issue #996
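diff --git a/modules/tls_mgm/tls.h b/modules/tls_mgm/tls.h
index 97ac01c..04cb78c 100644
--- a/modules/tls_mgm/tls.h
+++ b/modules/tls_mgm/tls.h
@@ -64,41 +64,50 @@
 #warning ""
 #endif
 
-static int tls_static_locks_no=0;
-static gen_lock_set_t* tls_static_locks=NULL;
-
 static SSL_METHOD *ssl_methods[TLS_USE_TLSv1_2 + 1];
 
 #define VERIFY_DEPTH_S 3
 
 
-struct CRYPTO_dynlock_value {
- gen_lock_t lock;
-};
-
-static unsigned long tls_get_id(void)
-{
- return my_pid();
-}
-
 /*
 * Wrappers around OpenSIPS shared memory functions
 * (which can be macros)
 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void* os_malloc(size_t size, const char *file, int line)
+#else
 static void* os_malloc(size_t size)
+#endif
 {
+#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ return _shm_malloc(size, file, __FUNCTION__, line);
+#else
 return shm_malloc(size);
+#endif
 }
 
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void* os_realloc(void *ptr, size_t size, const char *file, int line)
+#else
 static void* os_realloc(void *ptr, size_t size)
+#endif
 {
+#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ return _shm_realloc(ptr, size, file, __FUNCTION__, line);
+#else
 return shm_realloc(ptr, size);
+#endif
 }
 
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void os_free(void *ptr, const char *file, int line)
+#else
 static void os_free(void *ptr)
+#endif
 {
+ /* TODO: also handle free file and line */
 if (ptr)
 shm_free(ptr);
 }
@@ -106,21 +115,17 @@ static void os_free(void *ptr)
 
 
 
-static void tls_static_locks_ops(int mode, int n, const char* file, int line)
-{
- if (n<0 || n>tls_static_locks_no) {
- LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
- abort();
- }
+/* these locks can not be used in 1.1.0, because the interface has changed */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+struct CRYPTO_dynlock_value {
+ gen_lock_t lock;
+};
 
- if (mode & CRYPTO_LOCK) {
- lock_set_get(tls_static_locks,n);
- } else {
- lock_set_release(tls_static_locks,n);
- }
+static unsigned long tls_get_id(void)
+{
+ return my_pid();
 }
 
-
 static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file,
 int line)
 {
@@ -158,5 +163,6 @@ static void tls_dyn_lock_destroy(struct CRYPTO_dynlock_value *dyn_lock,
 lock_destroy(&dyn_lock->lock);
 shm_free(dyn_lock);
 }
+#endif
 
 #endif /* _PROTO_TLS_H_ */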
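Review bot: On OpenSSL >= 1.1.0 builds the `file` and `line` parameters added to os_malloc, os_realloc and os_free are only read in the DBG_MALLOC branches of os_malloc and os_realloc; os_free ignores them in every configuration (the TODO at the top of its body), so an allocation attributed to an OpenSSL call site by `_shm_malloc`/`_shm_realloc` is released without that attribution, which makes per-site debug accounting asymmetric. Consider giving os_free the same `#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)` split as the other two wrappers, dispatching to the debug free routine if the shared-memory allocator provides one, and replacing the TODO with a comment stating why the parameters exist, e.g. `/* file/line are mandated by the 1.1.0 CRYPTO_set_mem_functions signature; only used with DBG_MALLOC */`. In the non-debug 1.1.0 configuration -Wunused-parameter will flag all three wrappers; a `(void)file; (void)line;` under the same version guard silences that without changing behaviour.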
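diff --git a/modules/tls_mgm/tls_conn_ops.h b/modules/tls_mgm/tls_conn_ops.h
index acb5c66..ca901bd 100644
--- a/modules/tls_mgm/tls_conn_ops.h
+++ b/modules/tls_mgm/tls_conn_ops.h
@@ -116,12 +116,14 @@ static int tls_conn_init(struct tcp_connection* c, struct tls_mgm_binds *api)
 return -1;
 }
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifndef OPENSSL_NO_KRB5
 if ( ((SSL *)c->extra_data)->kssl_ctx ) {
 kssl_ctx_free( ((SSL *)c->extra_data)->kssl_ctx );
 ((SSL *)c->extra_data)->kssl_ctx = 0;
 }
 #endif
+#endif
 
 if ( c->proto_flags & F_TLS_DO_ACCEPT ) {
 LM_DBG("Setting in ACCEPT mode (server)\n");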
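Review bot: The new `#if OPENSSL_VERSION_NUMBER < 0x10100000L` wrapped around the existing `#ifndef OPENSSL_NO_KRB5` block in tls_conn_init leaves two nested preprocessor conditions with no comment on why the outer one is needed (in 1.1.0 the `SSL` struct is opaque, so `->kssl_ctx` cannot be dereferenced, and the Kerberos cipher suites were removed). A single condition reads more clearly and needs only one `#endif`: `#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_NO_KRB5) /* KRB5 support was dropped in 1.1.0 */`. The same nested pair appears twice in tls_accept in modules/tls_mgm/tls_conn_server.h. tls_conn_init's body starts before this hunk.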
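diff --git a/modules/tls_mgm/tls_conn_server.h b/modules/tls_mgm/tls_conn_server.h
index 4a4fe7a..2409632 100644
--- a/modules/tls_mgm/tls_conn_server.h
+++ b/modules/tls_mgm/tls_conn_server.h
@@ -148,17 +148,21 @@ static int tls_accept(struct tcp_connection *c, short *poll_events)
 }
 
 ssl = (SSL *) c->extra_data;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifndef OPENSSL_NO_KRB5
 if ( ssl->kssl_ctx==NULL )
 ssl->kssl_ctx = kssl_ctx_new( );
 #endif
+#endif
 ret = SSL_accept(ssl);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 #ifndef OPENSSL_NO_KRB5
 if ( ssl->kssl_ctx ) {
 kssl_ctx_free( ssl->kssl_ctx );
 ssl->kssl_ctx = 0;
 }
 #endif
+#endif
 if (ret > 0) {
 LM_INFO("New TLS connection from %s:%d accepted\n",
 ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);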
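diff --git a/modules/tls_mgm/tls_mgm.c b/modules/tls_mgm/tls_mgm.c
index 7c1e3c4..874edc0 100644
--- a/modules/tls_mgm/tls_mgm.c
+++ b/modules/tls_mgm/tls_mgm.c
@@ -557,11 +557,10 @@ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
 LM_NOTICE("subject = %s\n", buf);
 LM_NOTICE("verify error:num=%d:%s\n",
 err, X509_verify_cert_error_string(err));
- LM_NOTICE("error code is %d\n", ctx->error);
 
- switch (ctx->error) {
+ switch (err) {
 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
+ X509_NAME_oneline(X509_get_issuer_name(err_cert),
 buf,sizeof buf);
 LM_NOTICE("issuer= %s\n",buf);
 break;
@@ -611,7 +610,7 @@ int verify_callback(int pre_verify_ok, X509_STORE_CTX *ctx) {
 
 default:
 LM_NOTICE("something wrong with the cert"
- " ... error code is %d (check x509_vfy.h)\n", ctx->error);
+ " ... error code is %d (check x509_vfy.h)\n", err);
 break;
 }
 
@@ -1074,9 +1073,11 @@ static int init_tls_domains(struct tls_domain *d)
 return 0;
 }
 
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 static int check_for_krb(void)
 {
 SSL_CTX *xx;
+
 int j;
 
 xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]);
@@ -1096,6 +1097,27 @@ static int check_for_krb(void)
 SSL_CTX_free(xx);
 return 0;
 }
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+static int tls_static_locks_no=0;
+static gen_lock_set_t* tls_static_locks=NULL;
+
+static void tls_static_locks_ops(int mode, int n, const char* file, int line)
+{
+ if (n<0 || n>tls_static_locks_no) {
+ LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
+ abort();
+ }
+
+ if (mode & CRYPTO_LOCK) {
+ lock_set_get(tls_static_locks,n);
+ } else {
+ lock_set_release(tls_static_locks,n);
+ }
+}
+
+
 
 static int tls_init_multithread(void)
 {
@@ -1126,6 +1148,7 @@ static int tls_init_multithread(void)
 
 return 0;
 }
+#endif
 
 /*
 * initialize ssl methods
@@ -1135,19 +1158,31 @@ init_ssl_methods(void)
 {
 LM_DBG("entered\n");
 
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLS_client_method();
+ ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLS_server_method();
+ ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLS_method();
+#else
 ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method();
 ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method();
 ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method();
+#endif
 
 ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method();
 ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method();
 ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method();
 
 #if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLS_client_method();
+ ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLS_server_method();
+ ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLS_method();
+#else
 ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method();
 ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method();
 ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method();
 #endif
+#endif
 }
 
 /* reloads data from the db */
@@ -1274,9 +1309,10 @@ static int mod_init(void){
 */
 if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) {
 LM_ERR("unable to set the memory allocation functions\n");
- LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this "
- "version is know to be broken; if so, you need to upgrade or "
- "downgrade to a differen openssl version !!\n");
+ LM_ERR("NOTE: check if you are using openssl 1.0.1e-fips, (or other "
+ "FIPS version of openssl, as this is known to be broken; if so, "
+ "you need to upgrade or downgrade to a different openssl version!\n");
+ LM_ERR("current version: %s\n", SSLeay_version(SSLEAY_VERSION));
 return -1;
 }
 
@@ -1291,15 +1327,18 @@ static int mod_init(void){
 sk_SSL_COMP_zero(comp_methods);
 }
 #endif
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 if (tls_init_multithread() < 0) {
 LM_ERR("failed to init multi-threading support\n");
 return -1;
 }
+#endif
 
 SSL_library_init();
 SSL_load_error_strings();
 init_ssl_methods();
 
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
 n = check_for_krb();
 if (n==-1) {
 LM_ERR("kerberos check failed\n");
@@ -1318,6 +1357,7 @@ static int mod_init(void){
 (n==1)?"":"no ",(n!=1)?"no ":"");
 return -1;
 }
+#endif
 
 /*
 * finish setting up the tls default domains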
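Review bot: In the 1.1.0 branch of init_ssl_methods both the TLSv1 entries and the TLSv1_2 entries of ssl_methods are filled with the same version-flexible `TLS_client_method()`/`TLS_server_method()`/`TLS_method()`, whereas the pre-1.1.0 `TLSv1_method()`/`TLSv1_2_method()` families fixed the protocol version; a domain the administrator pinned to TLSv1_2 will therefore negotiate whatever the library allows, including TLS 1.0, unless the bound is restored elsewhere, and the TLSv1 pin is likewise widened. Since in 1.1.0 the method no longer carries the version, the SSL_CTX created for each domain (in init_tls_domains, outside these hunks) needs the configured bound applied under the same `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard, e.g. `SSL_CTX_set_min_proto_version(<domain ctx>, TLS1_2_VERSION);` and `SSL_CTX_set_max_proto_version(<domain ctx>, TLS1_2_VERSION);` for the TLSv1_2 entries, and `TLS1_VERSION` for the TLSv1 entries. A comment above the new block, such as `/* 1.1.0: the method is version-flexible; the version pin must be applied on the SSL_CTX */`, would stop the next reader from assuming the old semantics still hold.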