From e6fa6e5dc48ec7102ab6271cfd53613198df4ee9 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Arkadiusz=20Mi=C5=9Bkiewicz?= Date: Thu, 20 Sep 2018 10:12:44 +0200 Subject: [PATCH] - up to 1.2.104; add openssl 1.1.1 build from upstream git --- cherokee.spec | 9 +- openssl.patch | 596 ++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 601 insertions(+), 4 deletions(-) create mode 100644 openssl.patch diff --git a/cherokee.spec b/cherokee.spec index 4cc9109..e5ffa9e 100644 --- a/cherokee.spec +++ b/cherokee.spec @@ -13,12 +13,12 @@ Summary: Fast, Flexible and Lightweight Web server Summary(pl.UTF-8): Cherokee - serwer WWW Name: cherokee -Version: 1.2.103 -Release: 9 +Version: 1.2.104 +Release: 1 License: GPL v2 Group: Networking/Daemons Source0: https://github.com/cherokee/webserver/archive/v%{version}.zip -# Source0-md5: 9e6d8e0dd95808d365d32ecb0a9b80fe +# Source0-md5: 1f4fe0f0317c07b93c9cbbf4f843e724 # the last snapshot from https://github.com/cherokee/CTK Source1: CTK-20120806.tar.xz # Source1-md5: 567f087cd6cdf10b89047535cbe94f8e @@ -29,6 +29,7 @@ Patch0: %{name}-config.patch Patch1: %{name}-panic_path.patch Patch2: ffmpeg0.11.patch Patch3: time_t_x32.patch +Patch4: openssl.patch URL: http://www.cherokee-project.com/ %{?with_geoip:BuildRequires: GeoIP-devel} BuildRequires: autoconf @@ -130,6 +131,7 @@ Biblioteki serwera WWW Cherokee. %patch1 -p1 #%patch2 -p1 %patch3 -p1 +%patch4 -p1 %build %{__libtoolize} @@ -191,7 +193,6 @@ rm $RPM_BUILD_ROOT/etc/cherokee/cherokee.conf.perf_sample rm $RPM_BUILD_ROOT%{_bindir}/cherokee-macos-askpass mv $RPM_BUILD_ROOT%{_localedir}/{sv_SE,sv} -mv $RPM_BUILD_ROOT%{_localedir}/{jp,ja} %find_lang %{name} diff --git a/openssl.patch b/openssl.patch new file mode 100644 index 0000000..1b78b42 --- /dev/null +++ b/openssl.patch @@ -0,0 +1,596 @@ +commit 219b03891818f015317d60135e46307974794a82 +Author: Stefan de Konink +Date: Fri Oct 17 19:20:36 2014 +0200 + + Disable SSLv3 by default. + + http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html + +diff --git a/admin/PageAdvanced.py b/admin/PageAdvanced.py +index 9d6a1420..21a9d0c9 100644 +--- a/admin/PageAdvanced.py ++++ b/admin/PageAdvanced.py +@@ -96,7 +96,7 @@ NOTE_DH2048 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 2048 + NOTE_DH4096 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.') + NOTE_TLS_TIMEOUT = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.') + NOTE_TLS_SSLv2 = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)') +-NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 (Default: Yes)') ++NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 - Beware: it is vulnerable. (Default: No)') + NOTE_TLS_TLSv1 = N_('Allow clients to use TLS version 1 (Default: Yes)') + NOTE_TLS_TLSv1_1 = N_('Allow clients to use TLS version 1.1 (Default: Yes)') + NOTE_TLS_TLSv1_2 = N_('Allow clients to use TLS version 1.2 (Default: Yes)') +@@ -181,7 +181,7 @@ class TLSWidget (CTK.Container): + + table = CTK.PropsAuto(URL_APPLY) + table.Add (_('SSL version 2'), CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2)) +- table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', True, _("Allow")), _(NOTE_TLS_SSLv3)) ++ table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', False, _("Allow")), _(NOTE_TLS_SSLv3)) + table.Add (_('TLS version 1'), CTK.CheckCfgText('server!tls!protocol!TLSv1', True, _("Allow")), _(NOTE_TLS_TLSv1)) + table.Add (_('TLS version 1.1'), CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1)) + table.Add (_('TLS version 1.2'), CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2)) +diff --git a/cherokee/cryptor.c b/cherokee/cryptor.c +index 640b5379..4ae92fdd 100644 +--- a/cherokee/cryptor.c ++++ b/cherokee/cryptor.c +@@ -49,7 +49,7 @@ cherokee_cryptor_init_base (cherokee_cryptor_t *cryp, + */ + cryp->timeout_handshake = TIMEOUT_DEFAULT; + cryp->allow_SSLv2 = false; +- cryp->allow_SSLv3 = true; ++ cryp->allow_SSLv3 = false; + cryp->allow_TLSv1 = true; + cryp->allow_TLSv1_1 = true; + cryp->allow_TLSv1_2 = true; + +commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 +Author: Ilya +Date: Wed Dec 10 12:59:19 2014 +0500 + + Update ciphers configuration + + In accordance to Mozilla's [Forward Secrecy recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) (Intermediate compatibility). + + This will also disable RC4 ciphers to mitigate POODLE in TLS attack. + +diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h +index ed1f8ee0..1adfa97e 100644 +--- a/cherokee/cryptor.h ++++ b/cherokee/cryptor.h +@@ -35,7 +35,7 @@ + + CHEROKEE_BEGIN_DECLS + +-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" ++#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + + /* Callback function prototipes + */ + +commit c6ac753005a2857c4af2f489b674c7449e04e64c +Merge: 219b0389 5bdd6dd6 +Author: Stefan de Konink +Date: Wed Dec 10 12:01:16 2014 +0100 + + Merge pull request #1168 from 13xforever/patch-1 + + Update ciphers configuration + +commit 4600b2e70df54044d301b77354979409e9413294 +Author: Stefan de Konink +Date: Wed Dec 10 12:10:24 2014 +0100 + + Revert "Update ciphers configuration" + +diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h +index 1adfa97e..ed1f8ee0 100644 +--- a/cherokee/cryptor.h ++++ b/cherokee/cryptor.h +@@ -35,7 +35,7 @@ + + CHEROKEE_BEGIN_DECLS + +-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" ++#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" + + /* Callback function prototipes + */ + +commit a02d96fe5960c5e906ad4952dfc36d5dc6eb4849 +Merge: c6ac7530 4600b2e7 +Author: Stefan de Konink +Date: Wed Dec 10 12:10:49 2014 +0100 + + Merge pull request #1169 from cherokee/revert-1168-patch-1 + + Revert "Update ciphers configuration" + +commit a917d76ed9b4272478ca973084ec1037a950c443 +Author: Stefan de Konink +Date: Wed Dec 10 13:35:45 2014 +0100 + + Reapply previous patch from commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 by @13xforever + + In accordance to Mozilla's [Forward Secrecy + recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) + (Intermediate compatibility). + + This will also disable RC4 ciphers to mitigate POODLE in TLS attack. + + In addition: we loose the ability to do server side BEAST mitigation. + See the discussion at: https://github.com/cherokee/webserver/pull/1168 + +diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h +index ed1f8ee0..1adfa97e 100644 +--- a/cherokee/cryptor.h ++++ b/cherokee/cryptor.h +@@ -35,7 +35,7 @@ + + CHEROKEE_BEGIN_DECLS + +-#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" ++#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" + + /* Callback function prototipes + */ + +commit 57b04ec506cde04794775e769d5485800427373e +Author: Stefan de Konink +Date: Mon May 8 13:20:32 2017 +0200 + + OpenSSL 1.1 uses the Secure Renegotiation Extension + +diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c +index 74af1cb5..5f430b73 100644 +--- a/cherokee/cryptor_libssl.c ++++ b/cherokee/cryptor_libssl.c +@@ -790,11 +790,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp, + } + #endif + ++#if OPENSSL_VERSION_NUMBER < 0x10100000L + /* Disable Ciphers renegotiation (CVE-2009-3555) + */ + if (cryp->session->s3) { + cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; + } ++#endif + + return ret_ok; + } + +commit 07ab26e6683f5166f7cd7785fe714338e3ad369f +Author: Stefan de Konink +Date: Mon May 8 13:49:56 2017 +0200 + + Second attempt to update to OpenSSL 1.1. + + To test if Cherokee now is able to compile on both installations. + +diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c +index 5f430b73..1a4c452a 100644 +--- a/cherokee/cryptor_libssl.c ++++ b/cherokee/cryptor_libssl.c +@@ -238,13 +238,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl, + /* SSL_set_SSL_CTX() only change certificates. We need to + * changes more options by hand. + */ +- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); ++ SSL_set_options(ssl, SSL_CTX_get_options(ctx)); + + if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || + (SSL_num_renegotiations(ssl) == 0)) { + +- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), +- SSL_CTX_get_verify_callback(ssl->ctx)); ++ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), ++ SSL_CTX_get_verify_callback(ctx)); + } + + return ret_ok; +@@ -1332,10 +1332,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader) + + /* Init OpenSSL + */ +- OPENSSL_config (NULL); ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ OPENSSL_config(NULL); + SSL_library_init(); + SSL_load_error_strings(); + OpenSSL_add_all_algorithms(); ++#else ++ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); ++ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); ++#endif + + /* Ensure PRNG has been seeded with enough data + */ +diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c +index 7f7702d5..0512baf5 100644 +--- a/cherokee/cryptor_libssl_dh_1024.c ++++ b/cherokee/cryptor_libssl_dh_1024.c +@@ -4,7 +4,7 @@ + #endif + static DH *get_dh1024() + { +- static unsigned char dh1024_p[]={ ++ static unsigned char dhp_1024[]={ + 0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47, + 0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02, + 0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20, +@@ -17,16 +17,21 @@ static DH *get_dh1024() + 0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69, + 0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B, + }; +- static unsigned char dh1024_g[]={ ++ static unsigned char dhg_1024[]={ + 0x02, + }; + DH *dh; ++ BIGNUM *dhp_bn, *dhg_bn; + + if ((dh=DH_new()) == NULL) return(NULL); +- dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); +- dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); return(NULL); ++ dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL); ++ dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL || ++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); ++ return(NULL); + } + return(dh); + } +diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c +index 392361ec..463ba35a 100644 +--- a/cherokee/cryptor_libssl_dh_2048.c ++++ b/cherokee/cryptor_libssl_dh_2048.c +@@ -4,7 +4,7 @@ + #endif + static DH *get_dh2048() + { +- static unsigned char dh2048_p[]={ ++ static unsigned char dhp_2048[]={ + 0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49, + 0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8, + 0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF, +@@ -28,16 +28,21 @@ static DH *get_dh2048() + 0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66, + 0xF8,0xAA,0x70,0x6B, + }; +- static unsigned char dh2048_g[]={ ++ static unsigned char dhg_2048[]={ + 0x02, + }; + DH *dh; ++ BIGNUM *dhp_bn, *dhg_bn; + + if ((dh=DH_new()) == NULL) return(NULL); +- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); +- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); return(NULL); ++ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); ++ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL || ++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); ++ return(NULL); + } + return(dh); + } +diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c +index 94845775..1c329a00 100644 +--- a/cherokee/cryptor_libssl_dh_4096.c ++++ b/cherokee/cryptor_libssl_dh_4096.c +@@ -4,7 +4,7 @@ + #endif + static DH *get_dh4096() + { +- static unsigned char dh4096_p[]={ ++ static unsigned char dhp_4096[]={ + 0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A, + 0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48, + 0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49, +@@ -49,16 +49,21 @@ static DH *get_dh4096() + 0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45, + 0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33, + }; +- static unsigned char dh4096_g[]={ ++ static unsigned char dhg_4096[]={ + 0x02, + }; + DH *dh; ++ BIGNUM *dhp_bn, *dhg_bn; + + if ((dh=DH_new()) == NULL) return(NULL); +- dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL); +- dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); return(NULL); ++ dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL); ++ dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL || ++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); ++ return(NULL); + } + return(dh); + } +diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c +index bc1d8778..e7f64ed4 100644 +--- a/cherokee/cryptor_libssl_dh_512.c ++++ b/cherokee/cryptor_libssl_dh_512.c +@@ -4,7 +4,7 @@ + #endif + static DH *get_dh512() + { +- static unsigned char dh512_p[]={ ++ static unsigned char dhp_512[]={ + 0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49, + 0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE, + 0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B, +@@ -12,16 +12,21 @@ static DH *get_dh512() + 0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3, + 0xD9,0x23,0xD1,0x83, + }; +- static unsigned char dh512_g[]={ ++ static unsigned char dhg_512[]={ + 0x02, + }; + DH *dh; ++ BIGNUM *dhp_bn, *dhg_bn; + + if ((dh=DH_new()) == NULL) return(NULL); +- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); +- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); +- if ((dh->p == NULL) || (dh->g == NULL)) { +- DH_free(dh); return(NULL); ++ dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL); ++ dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL); ++ if (dhp_bn == NULL || dhg_bn == NULL || ++ !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ DH_free(dh); ++ BN_free(dhp_bn); ++ BN_free(dhg_bn); ++ return(NULL); + } + return(dh); + } + +commit d20bf585c0d5f62e39c237575ba89ef0fed10d89 +Author: Stefan de Konink +Date: Tue May 9 10:55:34 2017 +0200 + + Create more compatibility with openssl 1.1. + + Remove the NULL checks, as they are already happening in the function below. + +diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h +new file mode 100644 +index 00000000..832a122a +--- /dev/null ++++ b/cherokee/cryptor_libssl_compat.h +@@ -0,0 +1,36 @@ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#include ++#include ++ ++int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) ++{ ++ /* If the fields p and g in d are NULL, the corresponding input ++ * parameters MUST be non-NULL. q may remain NULL. ++ */ ++ ++ if ((dh->p == NULL && p == NULL) ++ || (dh->g == NULL && g == NULL)) ++ return 0; ++ ++ if (p != NULL) { ++ BN_free(dh->p); ++ dh->p = p; ++ } ++ ++ if (q != NULL) { ++ BN_free(dh->q); ++ dh->q = q; ++ } ++ ++ if (g != NULL) { ++ BN_free(dh->g); ++ dh->g = g; ++ } ++ ++ if (q != NULL) { ++ dh->length = BN_num_bits(q); ++ } ++ ++ return 1; ++} ++#endif +diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c +index 0512baf5..2a863f4c 100644 +--- a/cherokee/cryptor_libssl_dh_1024.c ++++ b/cherokee/cryptor_libssl_dh_1024.c +@@ -2,6 +2,9 @@ + #ifndef HEADER_DH_H + #include + #endif ++ ++#include "cryptor_libssl_compat.h" ++ + static DH *get_dh1024() + { + static unsigned char dhp_1024[]={ +@@ -26,8 +29,7 @@ static DH *get_dh1024() + if ((dh=DH_new()) == NULL) return(NULL); + dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL); + dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL); +- if (dhp_bn == NULL || dhg_bn == NULL || +- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { + DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); +diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c +index 463ba35a..e81e6e3f 100644 +--- a/cherokee/cryptor_libssl_dh_2048.c ++++ b/cherokee/cryptor_libssl_dh_2048.c +@@ -2,6 +2,9 @@ + #ifndef HEADER_DH_H + #include + #endif ++ ++#include "cryptor_libssl_compat.h" ++ + static DH *get_dh2048() + { + static unsigned char dhp_2048[]={ +@@ -37,8 +40,7 @@ static DH *get_dh2048() + if ((dh=DH_new()) == NULL) return(NULL); + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); +- if (dhp_bn == NULL || dhg_bn == NULL || +- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { + DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); +diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c +index 1c329a00..b90c599f 100644 +--- a/cherokee/cryptor_libssl_dh_4096.c ++++ b/cherokee/cryptor_libssl_dh_4096.c +@@ -2,6 +2,9 @@ + #ifndef HEADER_DH_H + #include + #endif ++ ++#include "cryptor_libssl_compat.h" ++ + static DH *get_dh4096() + { + static unsigned char dhp_4096[]={ +@@ -58,8 +61,7 @@ static DH *get_dh4096() + if ((dh=DH_new()) == NULL) return(NULL); + dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL); + dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL); +- if (dhp_bn == NULL || dhg_bn == NULL || +- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { + DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); +diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c +index e7f64ed4..93d63d48 100644 +--- a/cherokee/cryptor_libssl_dh_512.c ++++ b/cherokee/cryptor_libssl_dh_512.c +@@ -2,6 +2,9 @@ + #ifndef HEADER_DH_H + #include + #endif ++ ++#include "cryptor_libssl_compat.h" ++ + static DH *get_dh512() + { + static unsigned char dhp_512[]={ +@@ -21,8 +24,7 @@ static DH *get_dh512() + if ((dh=DH_new()) == NULL) return(NULL); + dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL); + dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL); +- if (dhp_bn == NULL || dhg_bn == NULL || +- !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { ++ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { + DH_free(dh); + BN_free(dhp_bn); + BN_free(dhg_bn); + +commit 43e5d17b3bd5fbb926f526f6ee84cf4ae299b8c8 +Author: Stefan de Konink +Date: Tue May 9 11:41:45 2017 +0200 + + Fix for compilation. + +diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c +index 1a4c452a..fabf9912 100644 +--- a/cherokee/cryptor_libssl.c ++++ b/cherokee/cryptor_libssl.c +@@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL; + static DH *dh_param_2048 = NULL; + static DH *dh_param_4096 = NULL; + ++#include "cryptor_libssl_compat.h" ++ + #include "cryptor_libssl_dh_512.c" + #include "cryptor_libssl_dh_1024.c" + #include "cryptor_libssl_dh_2048.c" +diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c +index 2a863f4c..74a56c38 100644 +--- a/cherokee/cryptor_libssl_dh_1024.c ++++ b/cherokee/cryptor_libssl_dh_1024.c +@@ -3,8 +3,6 @@ + #include + #endif + +-#include "cryptor_libssl_compat.h" +- + static DH *get_dh1024() + { + static unsigned char dhp_1024[]={ +diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c +index e81e6e3f..dbb481aa 100644 +--- a/cherokee/cryptor_libssl_dh_2048.c ++++ b/cherokee/cryptor_libssl_dh_2048.c +@@ -3,8 +3,6 @@ + #include + #endif + +-#include "cryptor_libssl_compat.h" +- + static DH *get_dh2048() + { + static unsigned char dhp_2048[]={ +diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c +index b90c599f..aeaf3abc 100644 +--- a/cherokee/cryptor_libssl_dh_4096.c ++++ b/cherokee/cryptor_libssl_dh_4096.c +@@ -3,8 +3,6 @@ + #include + #endif + +-#include "cryptor_libssl_compat.h" +- + static DH *get_dh4096() + { + static unsigned char dhp_4096[]={ +diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c +index 93d63d48..ed776636 100644 +--- a/cherokee/cryptor_libssl_dh_512.c ++++ b/cherokee/cryptor_libssl_dh_512.c +@@ -3,8 +3,6 @@ + #include + #endif + +-#include "cryptor_libssl_compat.h" +- + static DH *get_dh512() + { + static unsigned char dhp_512[]={ + +commit 75f041e2255e6dd0692db2f14611c2647dbe8425 +Merge: dad221a9 43e5d17b +Author: Stefan de Konink +Date: Mon May 29 07:03:22 2017 +0200 + + Merge pull request #1196 from cherokee/openssl-1.1 + + OpenSSL 1.1 support + + -- 2.44.0