Pull request OpenSSL 1.1 support #1196

This commit is contained in:
Sandino Araico Sanchez 2019-10-08 04:08:27 -05:00
parent 4615b41c4c
commit b20332ff51
2 changed files with 259 additions and 76 deletions


@ -1,7 +1,7 @@
AUX cherokee-1.2.99-gentoo.patch 1763 BLAKE2B d4ab785332c60fcac0c22b1b0aefabe44db710a7a0973114e8ddbe0423dd1331c64493b4e862ce944f5afa6da30b307cbd27eead278ea9a080309d4bf1d08cc9 SHA512 2f2b1aa03cd7656ceb90f9a94d24704b4a411b3ab99e084444d1f60ce0270bad650b597b1edbdcb4fb0dda750215f42c3f5de3e9f6253825f3742dfbe871be4b
AUX cherokee-confd-1.2.98 144 BLAKE2B 9462724ac4500ed501a005e2b001eefa53f2e71e48181a39f497c492cf69cdce1d5d325227535bfdb465b5bb6940cb89aedafb6420a7c14074b15f36b93866e1 SHA512 e010ec9e6d6bd6862c486c494e968cf93ff5f7eeaa523f1bc1fb9db72dc878c17fbc04443e74aef0bbfef1e2ba64ba00a7dc8bbd1b58f6759d2e000c76e88f84
AUX cherokee-initd-1.2.99 1186 BLAKE2B 3c4d0bbc378940e425bcc8ae4f451e44ded8bc4d4f9d9375c26f6af04c120bccc49c6259aaf33749b071c151b80a096766cc98dee44bfc65af10208b9a43c936 SHA512 595e37b6cf70d4fbd466be918db6c17c37766f5e39a9ee4384a21025f1ce04367aeca495217b1e2c74ed2bce9ff8cfd9a58523b59d1181ce9f470eca97445641
AUX cherokee-openssl-1.1.patch 2753 BLAKE2B e01ef08edf93e8c8a85fd10b269253bc6d92fc5bd49c9ed364bd2e9aab4bb12a47dc11acf8de1c417fbf880808763cd7307846a60c0451c7b9c01cb667d0bb67 SHA512 8556fa8d787ea519926204ecc31d04f01e4809be316f9e2bddbf8d3e0d6f9656d92c2723e561d793f41e49fcefcf7ac3433fd178088c85ce97ad6ba0c3620634
AUX cherokee-openssl-1.1.patch 7947 BLAKE2B 65de6c1c46c947f92ca660fd3ba5f41ef13a04391aca6ea4f59f3839af1c4c6c063e60eff28fab1e17c4fa667b4c18d1a467989621b1137687ed804b2899d46b SHA512 9b1d39881b69066f02da9c5320e0ba5abcbd6b7bb094f0e0aedb6a673cf46f3e04e789e6b87c689c192e26f52b4fa4143d3c3b9b34278ddce51697fe3bee11a3
AUX cherokee.logrotate-r1 255 BLAKE2B 33d6c7dca525e424d1a88c0248595d011215cebae749a5d6aacc9eecd2b6e8d447d67655570baf62b23db96c5f5611d4a98b99bfcb6be9e194b52794264fcf49 SHA512 73be4a46f217302b3e7969f0a5acf7f83357a831331f85c89c17320c594eb9e6fd87da111b7d8eb06840e0b1bb094106a5bb6f7dbf7923e834164a367f85d5ad
AUX cherokee.service 184 BLAKE2B 76a55b38f5a7d78df80fd57f9461f68dc360b5efafe19338cc242c71f625b6900c5872283c32a97b6234f58621b89616e123983dec027d3bb1f797d388cf743b SHA512 e05cfe0805bcd7f133fc0bf485fbf781b9cc5e6f9e222b8ea89bdc4e9d4531caa6049100670b67d12bdb73c1e93ed5d949cc1828241213cfcd60a39b7424d8ec
DIST cherokee-1.2.104.zip 6200164 BLAKE2B 55ff5b5475c478078727ec072da4f1205209701b972efa420fbee4133cb83cf2ebd4a0f49165e4653c4a6b6f9e0f6ef633258e6ee4732d998b19863e99e6e2f2 SHA512 9c9f44643d0d2636f2e3e61ef8e2918d91d9bb6099be761826c8ffad01d339739ed40984d01151044c2e536d4754b5157d6d20c37627ce49eecdb404a716cd9d


@ -1,88 +1,271 @@
diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
index fabf9912..80a5c2eb 100644
index 74af1cb5..fabf9912 100644
--- a/cherokee/cryptor_libssl.c
+++ b/cherokee/cryptor_libssl.c
@@ -356,7 +356,7 @@ verify_trace_cb(int preverify_ok, X509_STORE_CTX *x509_store)
char *ptr;
X509_print (mem, peer_certificate);
BIO_get_mem_data(mem, &ptr);
- TRACE (ENTRIES, "SSL: %s", ptr);
+ TRACE (ENTRIES, "SSL: %s\n", ptr);
BIO_free (mem);
@@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL;
static DH *dh_param_2048 = NULL;
static DH *dh_param_4096 = NULL;
+#include "cryptor_libssl_compat.h"
+
#include "cryptor_libssl_dh_512.c"
#include "cryptor_libssl_dh_1024.c"
#include "cryptor_libssl_dh_2048.c"
@@ -238,13 +240,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl,
/* SSL_set_SSL_CTX() only change certificates. We need to
* changes more options by hand.
*/
- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+ SSL_CTX_get_verify_callback(ctx));
}
@@ -785,7 +785,7 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
if (cipher) {
SSL_CIPHER_description (cipher, &buf[0], buf_size-1);
- TRACE (ENTRIES, "SSL: %s, %sREUSED, Ciphers: %s",
+ TRACE (ENTRIES, "SSL: %s, %sREUSED, Ciphers: %s\n",
SSL_get_version(cryp->session),
SSL_session_reused(cryp->session)? "" : "Not ", &buf[0]);
}
diff --git a/cherokee/post.c b/cherokee/post.c
index 5d98b920..8a1fe4bd 100644
--- a/cherokee/post.c
+++ b/cherokee/post.c
@@ -309,6 +309,7 @@ process_chunk (cherokee_post_t *post,
return ret_ok;
@@ -790,11 +792,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
}
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* Disable Ciphers renegotiation (CVE-2009-3555)
*/
if (cryp->session->s3) {
cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
+#endif
if (unlikely (p+2 > end)) {
+ cherokee_buffer_clean (in);
return ret_ok;
}
@@ -1330,10 +1334,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader)
@@ -325,6 +326,7 @@ process_chunk (cherokee_post_t *post,
/* Read the length
/* Init OpenSSL
*/
+ errno = 0;
content_size = (size_t) strtoul (begin, NULL, 16);
if (unlikely (errno != 0)) {
return ret_error;
@@ -349,6 +351,7 @@ process_chunk (cherokee_post_t *post,
if (post->chunked.retransmit) {
cherokee_buffer_add_str (out, "0" CRLF);
}
+ p += 2; /* CRLF */
begin = p;
break;
}
@@ -378,7 +381,7 @@ process_chunk (cherokee_post_t *post,
/* Very unlikely, but still possible
*/
if (! cherokee_buffer_is_empty(in)) {
- TRACE (ENTRIES, "There are %d left-over bytes in the post buffer -> incoming header", in->len);
+ TRACE (ENTRIES, "There are %d left-over bytes in the post buffer -> incoming header\n", in->len);
#if 0
cherokee_buffer_add_buffer (&conn->incoming_header, in);
cherokee_buffer_clean (in);
diff --git a/cherokee/rule_url_arg.c b/cherokee/rule_url_arg.c
index 4c88f6e1..0cdf8668 100644
--- a/cherokee/rule_url_arg.c
+++ b/cherokee/rule_url_arg.c
@@ -42,6 +42,11 @@ check_argument (cherokee_rule_url_arg_t *rule,
{
int re;
- OPENSSL_config (NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
+#else
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+#endif
+ if (value == NULL) {
+ TRACE (ENTRIES, "Empty parameter value\n");
+ return ret_not_found;
/* Ensure PRNG has been seeded with enough data
*/
diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h
new file mode 100644
index 00000000..832a122a
--- /dev/null
+++ b/cherokee/cryptor_libssl_compat.h
@@ -0,0 +1,36 @@
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#include <string.h>
+#include <openssl/engine.h>
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+
/* Check whether it matches
*/
re = pcre_exec (rule->pcre, NULL,
diff --git a/cherokee/server.c b/cherokee/server.c
index 7afbf19d..64faccdd 100644
--- a/cherokee/server.c
+++ b/cherokee/server.c
@@ -1770,7 +1770,7 @@ cherokee_server_daemonize (cherokee_server_t *srv)
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
index 7f7702d5..74a56c38 100644
--- a/cherokee/cryptor_libssl_dh_1024.c
+++ b/cherokee/cryptor_libssl_dh_1024.c
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh1024()
{
pid_t child_pid;
- static unsigned char dh1024_p[]={
+ static unsigned char dhp_1024[]={
0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47,
0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02,
0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20,
@@ -17,16 +18,20 @@ static DH *get_dh1024()
0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69,
0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B,
};
- static unsigned char dh1024_g[]={
+ static unsigned char dhg_1024[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
- TRACE (ENTRIES, "server (%p) about to become evil", srv);
+ TRACE (ENTRIES, "server (%p) about to become evil\n", srv);
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
- dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
+ dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
index 392361ec..dbb481aa 100644
--- a/cherokee/cryptor_libssl_dh_2048.c
+++ b/cherokee/cryptor_libssl_dh_2048.c
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh2048()
{
- static unsigned char dh2048_p[]={
+ static unsigned char dhp_2048[]={
0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49,
0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8,
0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF,
@@ -28,16 +29,20 @@ static DH *get_dh2048()
0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66,
0xF8,0xAA,0x70,0x6B,
};
- static unsigned char dh2048_g[]={
+ static unsigned char dhg_2048[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
child_pid = fork();
switch (child_pid) {
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
index 94845775..aeaf3abc 100644
--- a/cherokee/cryptor_libssl_dh_4096.c
+++ b/cherokee/cryptor_libssl_dh_4096.c
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh4096()
{
- static unsigned char dh4096_p[]={
+ static unsigned char dhp_4096[]={
0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A,
0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48,
0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49,
@@ -49,16 +50,20 @@ static DH *get_dh4096()
0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45,
0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33,
};
- static unsigned char dh4096_g[]={
+ static unsigned char dhg_4096[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL);
- dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
+ dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
index bc1d8778..ed776636 100644
--- a/cherokee/cryptor_libssl_dh_512.c
+++ b/cherokee/cryptor_libssl_dh_512.c
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh512()
{
- static unsigned char dh512_p[]={
+ static unsigned char dhp_512[]={
0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49,
0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE,
0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B,
@@ -12,16 +13,20 @@ static DH *get_dh512()
0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3,
0xD9,0x23,0xD1,0x83,
};
- static unsigned char dh512_g[]={
+ static unsigned char dhg_512[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
+ dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
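Review bot: The compatibility shim `int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)` added in cryptor_libssl_compat.h is an external, non-inline function definition placed in a header that has no include guard, so if that header is ever included from a second translation unit the build fails with a duplicate definition; it should read `static int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)` and the header should be wrapped in a guard. Separately, the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` placed around the CVE-2009-3555 block in `_socket_init_tls` removes the renegotiation mitigation on OpenSSL 1.1 with no `#else`; OpenSSL 1.1.0h and later provide `SSL_OP_NO_RENEGOTIATION` for that purpose, but because `cherokee_cryptor_libssl_find_vserver` tests `SSL_num_renegotiations(ssl)` the server appears to rely on renegotiation, so whether that option is appropriate needs confirming rather than assuming. The `OPENSSL_init_crypto` and `OPENSSL_init_ssl` calls in `PLUGIN_INIT_NAME(libssl)` also discard their return value, unlike the failure paths the same patch adds to the `get_dh*` functions. This rendered section interleaves hunks from the old and new revisions of the patch file, so the exact new-side text should be checked against the raw file before applying any of the above.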