]>
Commit | Line | Data |
---|---|---|
e6fa6e5d AM |
1 | commit 219b03891818f015317d60135e46307974794a82 |
2 | Author: Stefan de Konink <stefan@konink.de> | |
3 | Date: Fri Oct 17 19:20:36 2014 +0200 | |
4 | ||
5 | Disable SSLv3 by default. | |
6 | ||
7 | http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html | |
8 | ||
9 | diff --git a/admin/PageAdvanced.py b/admin/PageAdvanced.py | |
10 | index 9d6a1420..21a9d0c9 100644 | |
11 | --- a/admin/PageAdvanced.py | |
12 | +++ b/admin/PageAdvanced.py | |
13 | @@ -96,7 +96,7 @@ NOTE_DH2048 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 2048 | |
14 | NOTE_DH4096 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.') | |
15 | NOTE_TLS_TIMEOUT = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.') | |
16 | NOTE_TLS_SSLv2 = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)') | |
17 | -NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 (Default: Yes)') | |
18 | +NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 - Beware: it is vulnerable. (Default: No)') | |
19 | NOTE_TLS_TLSv1 = N_('Allow clients to use TLS version 1 (Default: Yes)') | |
20 | NOTE_TLS_TLSv1_1 = N_('Allow clients to use TLS version 1.1 (Default: Yes)') | |
21 | NOTE_TLS_TLSv1_2 = N_('Allow clients to use TLS version 1.2 (Default: Yes)') | |
22 | @@ -181,7 +181,7 @@ class TLSWidget (CTK.Container): | |
23 | ||
24 | table = CTK.PropsAuto(URL_APPLY) | |
25 | table.Add (_('SSL version 2'), CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2)) | |
26 | - table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', True, _("Allow")), _(NOTE_TLS_SSLv3)) | |
27 | + table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', False, _("Allow")), _(NOTE_TLS_SSLv3)) | |
28 | table.Add (_('TLS version 1'), CTK.CheckCfgText('server!tls!protocol!TLSv1', True, _("Allow")), _(NOTE_TLS_TLSv1)) | |
29 | table.Add (_('TLS version 1.1'), CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1)) | |
30 | table.Add (_('TLS version 1.2'), CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2)) | |
31 | diff --git a/cherokee/cryptor.c b/cherokee/cryptor.c | |
32 | index 640b5379..4ae92fdd 100644 | |
33 | --- a/cherokee/cryptor.c | |
34 | +++ b/cherokee/cryptor.c | |
35 | @@ -49,7 +49,7 @@ cherokee_cryptor_init_base (cherokee_cryptor_t *cryp, | |
36 | */ | |
37 | cryp->timeout_handshake = TIMEOUT_DEFAULT; | |
38 | cryp->allow_SSLv2 = false; | |
39 | - cryp->allow_SSLv3 = true; | |
40 | + cryp->allow_SSLv3 = false; | |
41 | cryp->allow_TLSv1 = true; | |
42 | cryp->allow_TLSv1_1 = true; | |
43 | cryp->allow_TLSv1_2 = true; | |
44 | ||
45 | commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 | |
46 | Author: Ilya <ilya.veselov@gmail.com> | |
47 | Date: Wed Dec 10 12:59:19 2014 +0500 | |
48 | ||
49 | Update ciphers configuration | |
50 | ||
51 | In accordance to Mozilla's [Forward Secrecy recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) (Intermediate compatibility). | |
52 | ||
53 | This will also disable RC4 ciphers to mitigate POODLE in TLS attack. | |
54 | ||
55 | diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h | |
56 | index ed1f8ee0..1adfa97e 100644 | |
57 | --- a/cherokee/cryptor.h | |
58 | +++ b/cherokee/cryptor.h | |
59 | @@ -35,7 +35,7 @@ | |
60 | ||
61 | CHEROKEE_BEGIN_DECLS | |
62 | ||
63 | -#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" | |
64 | +#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" | |
65 | ||
66 | /* Callback function prototipes | |
67 | */ | |
68 | ||
69 | commit c6ac753005a2857c4af2f489b674c7449e04e64c | |
70 | Merge: 219b0389 5bdd6dd6 | |
71 | Author: Stefan de Konink <stefan@konink.de> | |
72 | Date: Wed Dec 10 12:01:16 2014 +0100 | |
73 | ||
74 | Merge pull request #1168 from 13xforever/patch-1 | |
75 | ||
76 | Update ciphers configuration | |
77 | ||
78 | commit 4600b2e70df54044d301b77354979409e9413294 | |
79 | Author: Stefan de Konink <stefan@konink.de> | |
80 | Date: Wed Dec 10 12:10:24 2014 +0100 | |
81 | ||
82 | Revert "Update ciphers configuration" | |
83 | ||
84 | diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h | |
85 | index 1adfa97e..ed1f8ee0 100644 | |
86 | --- a/cherokee/cryptor.h | |
87 | +++ b/cherokee/cryptor.h | |
88 | @@ -35,7 +35,7 @@ | |
89 | ||
90 | CHEROKEE_BEGIN_DECLS | |
91 | ||
92 | -#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" | |
93 | +#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" | |
94 | ||
95 | /* Callback function prototipes | |
96 | */ | |
97 | ||
98 | commit a02d96fe5960c5e906ad4952dfc36d5dc6eb4849 | |
99 | Merge: c6ac7530 4600b2e7 | |
100 | Author: Stefan de Konink <stefan@konink.de> | |
101 | Date: Wed Dec 10 12:10:49 2014 +0100 | |
102 | ||
103 | Merge pull request #1169 from cherokee/revert-1168-patch-1 | |
104 | ||
105 | Revert "Update ciphers configuration" | |
106 | ||
107 | commit a917d76ed9b4272478ca973084ec1037a950c443 | |
108 | Author: Stefan de Konink <stefan@konink.de> | |
109 | Date: Wed Dec 10 13:35:45 2014 +0100 | |
110 | ||
111 | Reapply previous patch from commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 by @13xforever | |
112 | ||
113 | In accordance to Mozilla's [Forward Secrecy | |
114 | recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) | |
115 | (Intermediate compatibility). | |
116 | ||
117 | This will also disable RC4 ciphers to mitigate POODLE in TLS attack. | |
118 | ||
119 | In addition: we loose the ability to do server side BEAST mitigation. | |
120 | See the discussion at: https://github.com/cherokee/webserver/pull/1168 | |
121 | ||
122 | diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h | |
123 | index ed1f8ee0..1adfa97e 100644 | |
124 | --- a/cherokee/cryptor.h | |
125 | +++ b/cherokee/cryptor.h | |
126 | @@ -35,7 +35,7 @@ | |
127 | ||
128 | CHEROKEE_BEGIN_DECLS | |
129 | ||
130 | -#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" | |
131 | +#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA" | |
132 | ||
133 | /* Callback function prototipes | |
134 | */ | |
135 | ||
136 | commit 57b04ec506cde04794775e769d5485800427373e | |
137 | Author: Stefan de Konink <stefan@konink.de> | |
138 | Date: Mon May 8 13:20:32 2017 +0200 | |
139 | ||
140 | OpenSSL 1.1 uses the Secure Renegotiation Extension | |
141 | ||
142 | diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c | |
143 | index 74af1cb5..5f430b73 100644 | |
144 | --- a/cherokee/cryptor_libssl.c | |
145 | +++ b/cherokee/cryptor_libssl.c | |
146 | @@ -790,11 +790,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp, | |
147 | } | |
148 | #endif | |
149 | ||
150 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | |
151 | /* Disable Ciphers renegotiation (CVE-2009-3555) | |
152 | */ | |
153 | if (cryp->session->s3) { | |
154 | cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; | |
155 | } | |
156 | +#endif | |
157 | ||
158 | return ret_ok; | |
159 | } | |
160 | ||
161 | commit 07ab26e6683f5166f7cd7785fe714338e3ad369f | |
162 | Author: Stefan de Konink <stefan@konink.de> | |
163 | Date: Mon May 8 13:49:56 2017 +0200 | |
164 | ||
165 | Second attempt to update to OpenSSL 1.1. | |
166 | ||
167 | To test if Cherokee now is able to compile on both installations. | |
168 | ||
169 | diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c | |
170 | index 5f430b73..1a4c452a 100644 | |
171 | --- a/cherokee/cryptor_libssl.c | |
172 | +++ b/cherokee/cryptor_libssl.c | |
173 | @@ -238,13 +238,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl, | |
174 | /* SSL_set_SSL_CTX() only change certificates. We need to | |
175 | * changes more options by hand. | |
176 | */ | |
177 | - SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx)); | |
178 | + SSL_set_options(ssl, SSL_CTX_get_options(ctx)); | |
179 | ||
180 | if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) || | |
181 | (SSL_num_renegotiations(ssl) == 0)) { | |
182 | ||
183 | - SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx), | |
184 | - SSL_CTX_get_verify_callback(ssl->ctx)); | |
185 | + SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx), | |
186 | + SSL_CTX_get_verify_callback(ctx)); | |
187 | } | |
188 | ||
189 | return ret_ok; | |
190 | @@ -1332,10 +1332,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader) | |
191 | ||
192 | /* Init OpenSSL | |
193 | */ | |
194 | - OPENSSL_config (NULL); | |
195 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | |
196 | + OPENSSL_config(NULL); | |
197 | SSL_library_init(); | |
198 | SSL_load_error_strings(); | |
199 | OpenSSL_add_all_algorithms(); | |
200 | +#else | |
201 | + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL); | |
202 | + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); | |
203 | +#endif | |
204 | ||
205 | /* Ensure PRNG has been seeded with enough data | |
206 | */ | |
207 | diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c | |
208 | index 7f7702d5..0512baf5 100644 | |
209 | --- a/cherokee/cryptor_libssl_dh_1024.c | |
210 | +++ b/cherokee/cryptor_libssl_dh_1024.c | |
211 | @@ -4,7 +4,7 @@ | |
212 | #endif | |
213 | static DH *get_dh1024() | |
214 | { | |
215 | - static unsigned char dh1024_p[]={ | |
216 | + static unsigned char dhp_1024[]={ | |
217 | 0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47, | |
218 | 0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02, | |
219 | 0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20, | |
220 | @@ -17,16 +17,21 @@ static DH *get_dh1024() | |
221 | 0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69, | |
222 | 0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B, | |
223 | }; | |
224 | - static unsigned char dh1024_g[]={ | |
225 | + static unsigned char dhg_1024[]={ | |
226 | 0x02, | |
227 | }; | |
228 | DH *dh; | |
229 | + BIGNUM *dhp_bn, *dhg_bn; | |
230 | ||
231 | if ((dh=DH_new()) == NULL) return(NULL); | |
232 | - dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); | |
233 | - dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); | |
234 | - if ((dh->p == NULL) || (dh->g == NULL)) { | |
235 | - DH_free(dh); return(NULL); | |
236 | + dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL); | |
237 | + dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL); | |
238 | + if (dhp_bn == NULL || dhg_bn == NULL || | |
239 | + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
240 | + DH_free(dh); | |
241 | + BN_free(dhp_bn); | |
242 | + BN_free(dhg_bn); | |
243 | + return(NULL); | |
244 | } | |
245 | return(dh); | |
246 | } | |
247 | diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c | |
248 | index 392361ec..463ba35a 100644 | |
249 | --- a/cherokee/cryptor_libssl_dh_2048.c | |
250 | +++ b/cherokee/cryptor_libssl_dh_2048.c | |
251 | @@ -4,7 +4,7 @@ | |
252 | #endif | |
253 | static DH *get_dh2048() | |
254 | { | |
255 | - static unsigned char dh2048_p[]={ | |
256 | + static unsigned char dhp_2048[]={ | |
257 | 0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49, | |
258 | 0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8, | |
259 | 0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF, | |
260 | @@ -28,16 +28,21 @@ static DH *get_dh2048() | |
261 | 0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66, | |
262 | 0xF8,0xAA,0x70,0x6B, | |
263 | }; | |
264 | - static unsigned char dh2048_g[]={ | |
265 | + static unsigned char dhg_2048[]={ | |
266 | 0x02, | |
267 | }; | |
268 | DH *dh; | |
269 | + BIGNUM *dhp_bn, *dhg_bn; | |
270 | ||
271 | if ((dh=DH_new()) == NULL) return(NULL); | |
272 | - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL); | |
273 | - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL); | |
274 | - if ((dh->p == NULL) || (dh->g == NULL)) { | |
275 | - DH_free(dh); return(NULL); | |
276 | + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); | |
277 | + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); | |
278 | + if (dhp_bn == NULL || dhg_bn == NULL || | |
279 | + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
280 | + DH_free(dh); | |
281 | + BN_free(dhp_bn); | |
282 | + BN_free(dhg_bn); | |
283 | + return(NULL); | |
284 | } | |
285 | return(dh); | |
286 | } | |
287 | diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c | |
288 | index 94845775..1c329a00 100644 | |
289 | --- a/cherokee/cryptor_libssl_dh_4096.c | |
290 | +++ b/cherokee/cryptor_libssl_dh_4096.c | |
291 | @@ -4,7 +4,7 @@ | |
292 | #endif | |
293 | static DH *get_dh4096() | |
294 | { | |
295 | - static unsigned char dh4096_p[]={ | |
296 | + static unsigned char dhp_4096[]={ | |
297 | 0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A, | |
298 | 0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48, | |
299 | 0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49, | |
300 | @@ -49,16 +49,21 @@ static DH *get_dh4096() | |
301 | 0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45, | |
302 | 0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33, | |
303 | }; | |
304 | - static unsigned char dh4096_g[]={ | |
305 | + static unsigned char dhg_4096[]={ | |
306 | 0x02, | |
307 | }; | |
308 | DH *dh; | |
309 | + BIGNUM *dhp_bn, *dhg_bn; | |
310 | ||
311 | if ((dh=DH_new()) == NULL) return(NULL); | |
312 | - dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL); | |
313 | - dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL); | |
314 | - if ((dh->p == NULL) || (dh->g == NULL)) { | |
315 | - DH_free(dh); return(NULL); | |
316 | + dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL); | |
317 | + dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL); | |
318 | + if (dhp_bn == NULL || dhg_bn == NULL || | |
319 | + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
320 | + DH_free(dh); | |
321 | + BN_free(dhp_bn); | |
322 | + BN_free(dhg_bn); | |
323 | + return(NULL); | |
324 | } | |
325 | return(dh); | |
326 | } | |
327 | diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c | |
328 | index bc1d8778..e7f64ed4 100644 | |
329 | --- a/cherokee/cryptor_libssl_dh_512.c | |
330 | +++ b/cherokee/cryptor_libssl_dh_512.c | |
331 | @@ -4,7 +4,7 @@ | |
332 | #endif | |
333 | static DH *get_dh512() | |
334 | { | |
335 | - static unsigned char dh512_p[]={ | |
336 | + static unsigned char dhp_512[]={ | |
337 | 0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49, | |
338 | 0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE, | |
339 | 0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B, | |
340 | @@ -12,16 +12,21 @@ static DH *get_dh512() | |
341 | 0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3, | |
342 | 0xD9,0x23,0xD1,0x83, | |
343 | }; | |
344 | - static unsigned char dh512_g[]={ | |
345 | + static unsigned char dhg_512[]={ | |
346 | 0x02, | |
347 | }; | |
348 | DH *dh; | |
349 | + BIGNUM *dhp_bn, *dhg_bn; | |
350 | ||
351 | if ((dh=DH_new()) == NULL) return(NULL); | |
352 | - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); | |
353 | - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); | |
354 | - if ((dh->p == NULL) || (dh->g == NULL)) { | |
355 | - DH_free(dh); return(NULL); | |
356 | + dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL); | |
357 | + dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL); | |
358 | + if (dhp_bn == NULL || dhg_bn == NULL || | |
359 | + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
360 | + DH_free(dh); | |
361 | + BN_free(dhp_bn); | |
362 | + BN_free(dhg_bn); | |
363 | + return(NULL); | |
364 | } | |
365 | return(dh); | |
366 | } | |
367 | ||
368 | commit d20bf585c0d5f62e39c237575ba89ef0fed10d89 | |
369 | Author: Stefan de Konink <stefan@konink.de> | |
370 | Date: Tue May 9 10:55:34 2017 +0200 | |
371 | ||
372 | Create more compatibility with openssl 1.1. | |
373 | ||
374 | Remove the NULL checks, as they are already happening in the function below. | |
375 | ||
376 | diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h | |
377 | new file mode 100644 | |
378 | index 00000000..832a122a | |
379 | --- /dev/null | |
380 | +++ b/cherokee/cryptor_libssl_compat.h | |
381 | @@ -0,0 +1,36 @@ | |
382 | +#if OPENSSL_VERSION_NUMBER < 0x10100000L | |
383 | +#include <string.h> | |
384 | +#include <openssl/engine.h> | |
385 | + | |
386 | +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) | |
387 | +{ | |
388 | + /* If the fields p and g in d are NULL, the corresponding input | |
389 | + * parameters MUST be non-NULL. q may remain NULL. | |
390 | + */ | |
391 | + | |
392 | + if ((dh->p == NULL && p == NULL) | |
393 | + || (dh->g == NULL && g == NULL)) | |
394 | + return 0; | |
395 | + | |
396 | + if (p != NULL) { | |
397 | + BN_free(dh->p); | |
398 | + dh->p = p; | |
399 | + } | |
400 | + | |
401 | + if (q != NULL) { | |
402 | + BN_free(dh->q); | |
403 | + dh->q = q; | |
404 | + } | |
405 | + | |
406 | + if (g != NULL) { | |
407 | + BN_free(dh->g); | |
408 | + dh->g = g; | |
409 | + } | |
410 | + | |
411 | + if (q != NULL) { | |
412 | + dh->length = BN_num_bits(q); | |
413 | + } | |
414 | + | |
415 | + return 1; | |
416 | +} | |
417 | +#endif | |
418 | diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c | |
419 | index 0512baf5..2a863f4c 100644 | |
420 | --- a/cherokee/cryptor_libssl_dh_1024.c | |
421 | +++ b/cherokee/cryptor_libssl_dh_1024.c | |
422 | @@ -2,6 +2,9 @@ | |
423 | #ifndef HEADER_DH_H | |
424 | #include <openssl/dh.h> | |
425 | #endif | |
426 | + | |
427 | +#include "cryptor_libssl_compat.h" | |
428 | + | |
429 | static DH *get_dh1024() | |
430 | { | |
431 | static unsigned char dhp_1024[]={ | |
432 | @@ -26,8 +29,7 @@ static DH *get_dh1024() | |
433 | if ((dh=DH_new()) == NULL) return(NULL); | |
434 | dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL); | |
435 | dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL); | |
436 | - if (dhp_bn == NULL || dhg_bn == NULL || | |
437 | - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
438 | + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
439 | DH_free(dh); | |
440 | BN_free(dhp_bn); | |
441 | BN_free(dhg_bn); | |
442 | diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c | |
443 | index 463ba35a..e81e6e3f 100644 | |
444 | --- a/cherokee/cryptor_libssl_dh_2048.c | |
445 | +++ b/cherokee/cryptor_libssl_dh_2048.c | |
446 | @@ -2,6 +2,9 @@ | |
447 | #ifndef HEADER_DH_H | |
448 | #include <openssl/dh.h> | |
449 | #endif | |
450 | + | |
451 | +#include "cryptor_libssl_compat.h" | |
452 | + | |
453 | static DH *get_dh2048() | |
454 | { | |
455 | static unsigned char dhp_2048[]={ | |
456 | @@ -37,8 +40,7 @@ static DH *get_dh2048() | |
457 | if ((dh=DH_new()) == NULL) return(NULL); | |
458 | dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL); | |
459 | dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL); | |
460 | - if (dhp_bn == NULL || dhg_bn == NULL || | |
461 | - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
462 | + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
463 | DH_free(dh); | |
464 | BN_free(dhp_bn); | |
465 | BN_free(dhg_bn); | |
466 | diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c | |
467 | index 1c329a00..b90c599f 100644 | |
468 | --- a/cherokee/cryptor_libssl_dh_4096.c | |
469 | +++ b/cherokee/cryptor_libssl_dh_4096.c | |
470 | @@ -2,6 +2,9 @@ | |
471 | #ifndef HEADER_DH_H | |
472 | #include <openssl/dh.h> | |
473 | #endif | |
474 | + | |
475 | +#include "cryptor_libssl_compat.h" | |
476 | + | |
477 | static DH *get_dh4096() | |
478 | { | |
479 | static unsigned char dhp_4096[]={ | |
480 | @@ -58,8 +61,7 @@ static DH *get_dh4096() | |
481 | if ((dh=DH_new()) == NULL) return(NULL); | |
482 | dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL); | |
483 | dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL); | |
484 | - if (dhp_bn == NULL || dhg_bn == NULL || | |
485 | - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
486 | + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
487 | DH_free(dh); | |
488 | BN_free(dhp_bn); | |
489 | BN_free(dhg_bn); | |
490 | diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c | |
491 | index e7f64ed4..93d63d48 100644 | |
492 | --- a/cherokee/cryptor_libssl_dh_512.c | |
493 | +++ b/cherokee/cryptor_libssl_dh_512.c | |
494 | @@ -2,6 +2,9 @@ | |
495 | #ifndef HEADER_DH_H | |
496 | #include <openssl/dh.h> | |
497 | #endif | |
498 | + | |
499 | +#include "cryptor_libssl_compat.h" | |
500 | + | |
501 | static DH *get_dh512() | |
502 | { | |
503 | static unsigned char dhp_512[]={ | |
504 | @@ -21,8 +24,7 @@ static DH *get_dh512() | |
505 | if ((dh=DH_new()) == NULL) return(NULL); | |
506 | dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL); | |
507 | dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL); | |
508 | - if (dhp_bn == NULL || dhg_bn == NULL || | |
509 | - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
510 | + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) { | |
511 | DH_free(dh); | |
512 | BN_free(dhp_bn); | |
513 | BN_free(dhg_bn); | |
514 | ||
515 | commit 43e5d17b3bd5fbb926f526f6ee84cf4ae299b8c8 | |
516 | Author: Stefan de Konink <stefan@konink.de> | |
517 | Date: Tue May 9 11:41:45 2017 +0200 | |
518 | ||
519 | Fix for compilation. | |
520 | ||
521 | diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c | |
522 | index 1a4c452a..fabf9912 100644 | |
523 | --- a/cherokee/cryptor_libssl.c | |
524 | +++ b/cherokee/cryptor_libssl.c | |
525 | @@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL; | |
526 | static DH *dh_param_2048 = NULL; | |
527 | static DH *dh_param_4096 = NULL; | |
528 | ||
529 | +#include "cryptor_libssl_compat.h" | |
530 | + | |
531 | #include "cryptor_libssl_dh_512.c" | |
532 | #include "cryptor_libssl_dh_1024.c" | |
533 | #include "cryptor_libssl_dh_2048.c" | |
534 | diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c | |
535 | index 2a863f4c..74a56c38 100644 | |
536 | --- a/cherokee/cryptor_libssl_dh_1024.c | |
537 | +++ b/cherokee/cryptor_libssl_dh_1024.c | |
538 | @@ -3,8 +3,6 @@ | |
539 | #include <openssl/dh.h> | |
540 | #endif | |
541 | ||
542 | -#include "cryptor_libssl_compat.h" | |
543 | - | |
544 | static DH *get_dh1024() | |
545 | { | |
546 | static unsigned char dhp_1024[]={ | |
547 | diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c | |
548 | index e81e6e3f..dbb481aa 100644 | |
549 | --- a/cherokee/cryptor_libssl_dh_2048.c | |
550 | +++ b/cherokee/cryptor_libssl_dh_2048.c | |
551 | @@ -3,8 +3,6 @@ | |
552 | #include <openssl/dh.h> | |
553 | #endif | |
554 | ||
555 | -#include "cryptor_libssl_compat.h" | |
556 | - | |
557 | static DH *get_dh2048() | |
558 | { | |
559 | static unsigned char dhp_2048[]={ | |
560 | diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c | |
561 | index b90c599f..aeaf3abc 100644 | |
562 | --- a/cherokee/cryptor_libssl_dh_4096.c | |
563 | +++ b/cherokee/cryptor_libssl_dh_4096.c | |
564 | @@ -3,8 +3,6 @@ | |
565 | #include <openssl/dh.h> | |
566 | #endif | |
567 | ||
568 | -#include "cryptor_libssl_compat.h" | |
569 | - | |
570 | static DH *get_dh4096() | |
571 | { | |
572 | static unsigned char dhp_4096[]={ | |
573 | diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c | |
574 | index 93d63d48..ed776636 100644 | |
575 | --- a/cherokee/cryptor_libssl_dh_512.c | |
576 | +++ b/cherokee/cryptor_libssl_dh_512.c | |
577 | @@ -3,8 +3,6 @@ | |
578 | #include <openssl/dh.h> | |
579 | #endif | |
580 | ||
581 | -#include "cryptor_libssl_compat.h" | |
582 | - | |
583 | static DH *get_dh512() | |
584 | { | |
585 | static unsigned char dhp_512[]={ | |
586 | ||
587 | commit 75f041e2255e6dd0692db2f14611c2647dbe8425 | |
588 | Merge: dad221a9 43e5d17b | |
589 | Author: Stefan de Konink <stefan@konink.de> | |
590 | Date: Mon May 29 07:03:22 2017 +0200 | |
591 | ||
592 | Merge pull request #1196 from cherokee/openssl-1.1 | |
593 | ||
594 | OpenSSL 1.1 support | |
595 | ||
596 |