Pull request OpenSSL 1.1 support #1196

2019-10-08 04:08:27 -05:00 · 2019-10-08 04:08:27 -05:00 · b20332ff51
commit b20332ff51
parent 4615b41c4c
2 changed files with 259 additions and 76 deletions
--- a/www-servers/cherokee/Manifest
+++ b/www-servers/cherokee/Manifest
@ -1,7 +1,7 @@
 AUX cherokee-1.2.99-gentoo.patch 1763 BLAKE2B d4ab785332c60fcac0c22b1b0aefabe44db710a7a0973114e8ddbe0423dd1331c64493b4e862ce944f5afa6da30b307cbd27eead278ea9a080309d4bf1d08cc9 SHA512 2f2b1aa03cd7656ceb90f9a94d24704b4a411b3ab99e084444d1f60ce0270bad650b597b1edbdcb4fb0dda750215f42c3f5de3e9f6253825f3742dfbe871be4b
 AUX cherokee-confd-1.2.98 144 BLAKE2B 9462724ac4500ed501a005e2b001eefa53f2e71e48181a39f497c492cf69cdce1d5d325227535bfdb465b5bb6940cb89aedafb6420a7c14074b15f36b93866e1 SHA512 e010ec9e6d6bd6862c486c494e968cf93ff5f7eeaa523f1bc1fb9db72dc878c17fbc04443e74aef0bbfef1e2ba64ba00a7dc8bbd1b58f6759d2e000c76e88f84
 AUX cherokee-initd-1.2.99 1186 BLAKE2B 3c4d0bbc378940e425bcc8ae4f451e44ded8bc4d4f9d9375c26f6af04c120bccc49c6259aaf33749b071c151b80a096766cc98dee44bfc65af10208b9a43c936 SHA512 595e37b6cf70d4fbd466be918db6c17c37766f5e39a9ee4384a21025f1ce04367aeca495217b1e2c74ed2bce9ff8cfd9a58523b59d1181ce9f470eca97445641
-AUX cherokee-openssl-1.1.patch 2753 BLAKE2B e01ef08edf93e8c8a85fd10b269253bc6d92fc5bd49c9ed364bd2e9aab4bb12a47dc11acf8de1c417fbf880808763cd7307846a60c0451c7b9c01cb667d0bb67 SHA512 8556fa8d787ea519926204ecc31d04f01e4809be316f9e2bddbf8d3e0d6f9656d92c2723e561d793f41e49fcefcf7ac3433fd178088c85ce97ad6ba0c3620634
+AUX cherokee-openssl-1.1.patch 7947 BLAKE2B 65de6c1c46c947f92ca660fd3ba5f41ef13a04391aca6ea4f59f3839af1c4c6c063e60eff28fab1e17c4fa667b4c18d1a467989621b1137687ed804b2899d46b SHA512 9b1d39881b69066f02da9c5320e0ba5abcbd6b7bb094f0e0aedb6a673cf46f3e04e789e6b87c689c192e26f52b4fa4143d3c3b9b34278ddce51697fe3bee11a3
 AUX cherokee.logrotate-r1 255 BLAKE2B 33d6c7dca525e424d1a88c0248595d011215cebae749a5d6aacc9eecd2b6e8d447d67655570baf62b23db96c5f5611d4a98b99bfcb6be9e194b52794264fcf49 SHA512 73be4a46f217302b3e7969f0a5acf7f83357a831331f85c89c17320c594eb9e6fd87da111b7d8eb06840e0b1bb094106a5bb6f7dbf7923e834164a367f85d5ad
 AUX cherokee.service 184 BLAKE2B 76a55b38f5a7d78df80fd57f9461f68dc360b5efafe19338cc242c71f625b6900c5872283c32a97b6234f58621b89616e123983dec027d3bb1f797d388cf743b SHA512 e05cfe0805bcd7f133fc0bf485fbf781b9cc5e6f9e222b8ea89bdc4e9d4531caa6049100670b67d12bdb73c1e93ed5d949cc1828241213cfcd60a39b7424d8ec
 DIST cherokee-1.2.104.zip 6200164 BLAKE2B 55ff5b5475c478078727ec072da4f1205209701b972efa420fbee4133cb83cf2ebd4a0f49165e4653c4a6b6f9e0f6ef633258e6ee4732d998b19863e99e6e2f2 SHA512 9c9f44643d0d2636f2e3e61ef8e2918d91d9bb6099be761826c8ffad01d339739ed40984d01151044c2e536d4754b5157d6d20c37627ce49eecdb404a716cd9d
--- a/www-servers/cherokee/files/cherokee-openssl-1.1.patch
+++ b/www-servers/cherokee/files/cherokee-openssl-1.1.patch
@ -1,88 +1,271 @@
 diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
-index fabf9912..80a5c2eb 100644
+index 74af1cb5..fabf9912 100644
 --- a/cherokee/cryptor_libssl.c
 +++ b/cherokee/cryptor_libssl.c
-@@ -356,7 +356,7 @@ verify_trace_cb(int preverify_ok, X509_STORE_CTX *x509_store)
- 		char *ptr;
- 		X509_print (mem, peer_certificate);
- 		BIO_get_mem_data(mem, &ptr);
-		TRACE (ENTRIES, "SSL: %s", ptr);
-+		TRACE (ENTRIES, "SSL: %s\n", ptr);
- 		BIO_free (mem);
+@@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL;
+ static DH *dh_param_2048 = NULL;
+ static DH *dh_param_4096 = NULL;
+ 
+#include "cryptor_libssl_compat.h"
+
+ #include "cryptor_libssl_dh_512.c"
+ #include "cryptor_libssl_dh_1024.c"
+ #include "cryptor_libssl_dh_2048.c"
+@@ -238,13 +240,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl,
+ 	/* SSL_set_SSL_CTX() only change certificates. We need to
+ 	 * changes more options by hand.
+ 	 */
+-	SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+	SSL_set_options(ssl, SSL_CTX_get_options(ctx));
+ 
+ 	if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
+ 	    (SSL_num_renegotiations(ssl) == 0)) {
+ 
+-		SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
+-		               SSL_CTX_get_verify_callback(ssl->ctx));
+		SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+		               SSL_CTX_get_verify_callback(ctx));
 	}
 
-@@ -785,7 +785,7 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
- 		if (cipher) {
- 			SSL_CIPHER_description (cipher, &buf[0], buf_size-1);
+ 	return ret_ok;
+@@ -790,11 +792,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
+ 	}
+ #endif
 
-			TRACE (ENTRIES, "SSL: %s, %sREUSED, Ciphers: %s",
-+			TRACE (ENTRIES, "SSL: %s, %sREUSED, Ciphers: %s\n",
- 			       SSL_get_version(cryp->session),
- 			       SSL_session_reused(cryp->session)? "" : "Not ", &buf[0]);
- 		}
-diff --git a/cherokee/post.c b/cherokee/post.c
-index 5d98b920..8a1fe4bd 100644
--- a/cherokee/post.c
-+++ b/cherokee/post.c
-@@ -309,6 +309,7 @@ process_chunk (cherokee_post_t   *post,
- 		}
- 
- 		if (unlikely (p+2 > end)) {
-+			cherokee_buffer_clean (in);
- 			return ret_ok;
- 		}
- 
-@@ -325,6 +326,7 @@ process_chunk (cherokee_post_t   *post,
- 
- 		/* Read the length
- 		*/
-+		errno = 0;
- 		content_size = (size_t) strtoul (begin, NULL, 16);
- 		if (unlikely (errno != 0)) {
- 			return ret_error;
-@@ -349,6 +351,7 @@ process_chunk (cherokee_post_t   *post,
- 			if (post->chunked.retransmit) {
- 				cherokee_buffer_add_str (out, "0" CRLF);
- 			}
-+			p += 2; /* CRLF */
- 			begin = p;
- 			break;
- 		}
-@@ -378,7 +381,7 @@ process_chunk (cherokee_post_t   *post,
- 	/* Very unlikely, but still possible
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	/* Disable Ciphers renegotiation (CVE-2009-3555)
 	 */
- 	if (! cherokee_buffer_is_empty(in)) {
-		TRACE (ENTRIES, "There are %d left-over bytes in the post buffer -> incoming header", in->len);
-+		TRACE (ENTRIES, "There are %d left-over bytes in the post buffer -> incoming header\n", in->len);
- #if 0
- 		cherokee_buffer_add_buffer (&conn->incoming_header, in);
- 		cherokee_buffer_clean (in);
-diff --git a/cherokee/rule_url_arg.c b/cherokee/rule_url_arg.c
-index 4c88f6e1..0cdf8668 100644
--- a/cherokee/rule_url_arg.c
-+++ b/cherokee/rule_url_arg.c
-@@ -42,6 +42,11 @@ check_argument (cherokee_rule_url_arg_t *rule,
- {
- 	int re;
+ 	if (cryp->session->s3) {
+ 		cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
+ 	}
+#endif
 
-+	if (value == NULL) {
-+		TRACE (ENTRIES, "Empty parameter value\n");
-+		return ret_not_found;
+ 	return ret_ok;
+ }
+@@ -1330,10 +1334,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader)
+ 
+ 	/* Init OpenSSL
+ 	 */
+-	OPENSSL_config (NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	OPENSSL_config(NULL);
+ 	SSL_library_init();
+ 	SSL_load_error_strings();
+ 	OpenSSL_add_all_algorithms();
+#else
+	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+#endif
+ 
+ 	/* Ensure PRNG has been seeded with enough data
+ 	 */
+diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h
+new file mode 100644
+index 00000000..832a122a
+--- /dev/null
+++ b/cherokee/cryptor_libssl_compat.h
+@@ -0,0 +1,36 @@
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#include <string.h>
+#include <openssl/engine.h>
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	/* If the fields p and g in d are NULL, the corresponding input
+	 * parameters MUST be non-NULL.  q may remain NULL.
+	 */
+
+	if ((dh->p == NULL && p == NULL)
+	    || (dh->g == NULL && g == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(dh->p);
+		dh->p = p;
 +	}
 +
- 	/* Check whether it matches
- 	 */
- 	re = pcre_exec (rule->pcre, NULL,
-diff --git a/cherokee/server.c b/cherokee/server.c
-index 7afbf19d..64faccdd 100644
--- a/cherokee/server.c
-+++ b/cherokee/server.c
-@@ -1770,7 +1770,7 @@ cherokee_server_daemonize (cherokee_server_t *srv)
+	if (q != NULL) {
+		BN_free(dh->q);
+		dh->q = q;
+	}
+
+	if (g != NULL) {
+		BN_free(dh->g);
+		dh->g = g;
+	}
+
+	if (q != NULL) {
+		dh->length = BN_num_bits(q);
+	}
+
+	return 1;
+}
+#endif
+diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
+index 7f7702d5..74a56c38 100644
+--- a/cherokee/cryptor_libssl_dh_1024.c
+++ b/cherokee/cryptor_libssl_dh_1024.c
+@@ -2,9 +2,10 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
+
+ static DH *get_dh1024()
 {
- 	pid_t child_pid;
+-	static unsigned char dh1024_p[]={
+	static unsigned char dhp_1024[]={
+ 		0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47,
+ 		0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02,
+ 		0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20,
+@@ -17,16 +18,20 @@ static DH *get_dh1024()
+ 		0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69,
+ 		0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B,
+ 	};
+-	static unsigned char dh1024_g[]={
+	static unsigned char dhg_1024[]={
+ 		0x02,
+ 	};
+ 	DH *dh;
+	BIGNUM *dhp_bn, *dhg_bn;
 
-	TRACE (ENTRIES, "server (%p) about to become evil", srv);
-+	TRACE (ENTRIES, "server (%p) about to become evil\n", srv);
+ 	if ((dh=DH_new()) == NULL) return(NULL);
+-	dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
+-	dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
+-	if ((dh->p == NULL) || (dh->g == NULL)) {
+-		DH_free(dh); return(NULL);
+	dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
+	dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
+	if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+		DH_free(dh);
+		BN_free(dhp_bn);
+		BN_free(dhg_bn);
+		return(NULL);
+ 	}
+ 	return(dh);
+ }
+diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
+index 392361ec..dbb481aa 100644
+--- a/cherokee/cryptor_libssl_dh_2048.c
+++ b/cherokee/cryptor_libssl_dh_2048.c
+@@ -2,9 +2,10 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
+
+ static DH *get_dh2048()
+ {
+-	static unsigned char dh2048_p[]={
+	static unsigned char dhp_2048[]={
+ 		0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49,
+ 		0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8,
+ 		0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF,
+@@ -28,16 +29,20 @@ static DH *get_dh2048()
+ 		0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66,
+ 		0xF8,0xAA,0x70,0x6B,
+ 	};
+-	static unsigned char dh2048_g[]={
+	static unsigned char dhg_2048[]={
+ 		0x02,
+ 	};
+ 	DH *dh;
+	BIGNUM *dhp_bn, *dhg_bn;
 
- 	child_pid = fork();
- 	switch (child_pid) {
+ 	if ((dh=DH_new()) == NULL) return(NULL);
+-	dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
+-	dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
+-	if ((dh->p == NULL) || (dh->g == NULL)) {
+-		DH_free(dh); return(NULL);
+	dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+	dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+	if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+		DH_free(dh);
+		BN_free(dhp_bn);
+		BN_free(dhg_bn);
+		return(NULL);
+ 	}
+ 	return(dh);
+ }
+diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
+index 94845775..aeaf3abc 100644
+--- a/cherokee/cryptor_libssl_dh_4096.c
+++ b/cherokee/cryptor_libssl_dh_4096.c
+@@ -2,9 +2,10 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
+
+ static DH *get_dh4096()
+ {
+-	static unsigned char dh4096_p[]={
+	static unsigned char dhp_4096[]={
+ 		0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A,
+ 		0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48,
+ 		0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49,
+@@ -49,16 +50,20 @@ static DH *get_dh4096()
+ 		0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45,
+ 		0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33,
+ 	};
+-	static unsigned char dh4096_g[]={
+	static unsigned char dhg_4096[]={
+ 		0x02,
+ 	};
+ 	DH *dh;
+	BIGNUM *dhp_bn, *dhg_bn;
+ 
+ 	if ((dh=DH_new()) == NULL) return(NULL);
+-	dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL);
+-	dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL);
+-	if ((dh->p == NULL) || (dh->g == NULL)) {
+-		DH_free(dh); return(NULL);
+	dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
+	dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
+	if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+		DH_free(dh);
+		BN_free(dhp_bn);
+		BN_free(dhg_bn);
+		return(NULL);
+ 	}
+ 	return(dh);
+ }
+diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
+index bc1d8778..ed776636 100644
+--- a/cherokee/cryptor_libssl_dh_512.c
+++ b/cherokee/cryptor_libssl_dh_512.c
+@@ -2,9 +2,10 @@
+ #ifndef HEADER_DH_H
+ #include <openssl/dh.h>
+ #endif
+
+ static DH *get_dh512()
+ {
+-	static unsigned char dh512_p[]={
+	static unsigned char dhp_512[]={
+ 		0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49,
+ 		0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE,
+ 		0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B,
+@@ -12,16 +13,20 @@ static DH *get_dh512()
+ 		0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3,
+ 		0xD9,0x23,0xD1,0x83,
+ 	};
+-	static unsigned char dh512_g[]={
+	static unsigned char dhg_512[]={
+ 		0x02,
+ 	};
+ 	DH *dh;
+	BIGNUM *dhp_bn, *dhg_bn;
+ 
+ 	if ((dh=DH_new()) == NULL) return(NULL);
+-	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+-	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+-	if ((dh->p == NULL) || (dh->g == NULL)) {
+-		DH_free(dh); return(NULL);
+	dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
+	dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
+	if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+		DH_free(dh);
+		BN_free(dhp_bn);
+		BN_free(dhg_bn);
+		return(NULL);
+ 	}
+ 	return(dh);
+ }