1 commit 219b03891818f015317d60135e46307974794a82
2 Author: Stefan de Konink <stefan@konink.de>
3 Date: Fri Oct 17 19:20:36 2014 +0200
5 Disable SSLv3 by default.
7 http://googleonlinesecurity.blogspot.nl/2014/10/this-poodle-bites-exploiting-ssl-30.html
9 diff --git a/admin/PageAdvanced.py b/admin/PageAdvanced.py
10 index 9d6a1420..21a9d0c9 100644
11 --- a/admin/PageAdvanced.py
12 +++ b/admin/PageAdvanced.py
13 @@ -96,7 +96,7 @@ NOTE_DH2048 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 2048
14 NOTE_DH4096 = N_('Path to a Diffie Hellman (DH) parameters PEM file: 4096 bits.')
15 NOTE_TLS_TIMEOUT = N_('Timeout for the TLS/SSL handshake. Default: 15 seconds.')
16 NOTE_TLS_SSLv2 = N_('Allow clients to use SSL version 2 - Beware: it is vulnerable. (Default: No)')
17 -NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 (Default: Yes)')
18 +NOTE_TLS_SSLv3 = N_('Allow clients to use SSL version 3 - Beware: it is vulnerable. (Default: No)')
19 NOTE_TLS_TLSv1 = N_('Allow clients to use TLS version 1 (Default: Yes)')
20 NOTE_TLS_TLSv1_1 = N_('Allow clients to use TLS version 1.1 (Default: Yes)')
21 NOTE_TLS_TLSv1_2 = N_('Allow clients to use TLS version 1.2 (Default: Yes)')
22 @@ -181,7 +181,7 @@ class TLSWidget (CTK.Container):
24 table = CTK.PropsAuto(URL_APPLY)
25 table.Add (_('SSL version 2'), CTK.CheckCfgText('server!tls!protocol!SSLv2', False, _("Allow")), _(NOTE_TLS_SSLv2))
26 - table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', True, _("Allow")), _(NOTE_TLS_SSLv3))
27 + table.Add (_('SSL version 3'), CTK.CheckCfgText('server!tls!protocol!SSLv3', False, _("Allow")), _(NOTE_TLS_SSLv3))
28 table.Add (_('TLS version 1'), CTK.CheckCfgText('server!tls!protocol!TLSv1', True, _("Allow")), _(NOTE_TLS_TLSv1))
29 table.Add (_('TLS version 1.1'), CTK.CheckCfgText('server!tls!protocol!TLSv1_1', True, _("Allow")), _(NOTE_TLS_TLSv1_1))
30 table.Add (_('TLS version 1.2'), CTK.CheckCfgText('server!tls!protocol!TLSv1_2', True, _("Allow")), _(NOTE_TLS_TLSv1_2))
31 diff --git a/cherokee/cryptor.c b/cherokee/cryptor.c
32 index 640b5379..4ae92fdd 100644
33 --- a/cherokee/cryptor.c
34 +++ b/cherokee/cryptor.c
35 @@ -49,7 +49,7 @@ cherokee_cryptor_init_base (cherokee_cryptor_t *cryp,
37 cryp->timeout_handshake = TIMEOUT_DEFAULT;
38 cryp->allow_SSLv2 = false;
39 - cryp->allow_SSLv3 = true;
40 + cryp->allow_SSLv3 = false;
41 cryp->allow_TLSv1 = true;
42 cryp->allow_TLSv1_1 = true;
43 cryp->allow_TLSv1_2 = true;
45 commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6
46 Author: Ilya <ilya.veselov@gmail.com>
47 Date: Wed Dec 10 12:59:19 2014 +0500
49 Update ciphers configuration
51 In accordance to Mozilla's [Forward Secrecy recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy) (Intermediate compatibility).
53 This will also disable RC4 ciphers to mitigate POODLE in TLS attack.
55 diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
56 index ed1f8ee0..1adfa97e 100644
57 --- a/cherokee/cryptor.h
58 +++ b/cherokee/cryptor.h
63 -#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
64 +#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
66 /* Callback function prototipes
69 commit c6ac753005a2857c4af2f489b674c7449e04e64c
70 Merge: 219b0389 5bdd6dd6
71 Author: Stefan de Konink <stefan@konink.de>
72 Date: Wed Dec 10 12:01:16 2014 +0100
74 Merge pull request #1168 from 13xforever/patch-1
76 Update ciphers configuration
78 commit 4600b2e70df54044d301b77354979409e9413294
79 Author: Stefan de Konink <stefan@konink.de>
80 Date: Wed Dec 10 12:10:24 2014 +0100
82 Revert "Update ciphers configuration"
84 diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
85 index 1adfa97e..ed1f8ee0 100644
86 --- a/cherokee/cryptor.h
87 +++ b/cherokee/cryptor.h
92 -#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
93 +#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
95 /* Callback function prototipes
98 commit a02d96fe5960c5e906ad4952dfc36d5dc6eb4849
99 Merge: c6ac7530 4600b2e7
100 Author: Stefan de Konink <stefan@konink.de>
101 Date: Wed Dec 10 12:10:49 2014 +0100
103 Merge pull request #1169 from cherokee/revert-1168-patch-1
105 Revert "Update ciphers configuration"
107 commit a917d76ed9b4272478ca973084ec1037a950c443
108 Author: Stefan de Konink <stefan@konink.de>
109 Date: Wed Dec 10 13:35:45 2014 +0100
111 Reapply previous patch from commit 5bdd6dd6a5fa41ee11474e4f722a7a03806d1be6 by @13xforever
113 In accordance to Mozilla's [Forward Secrecy
114 recommendation](https://wiki.mozilla.org/Security/Server_Side_TLS#Forward_Secrecy)
115 (Intermediate compatibility).
117 This will also disable RC4 ciphers to mitigate POODLE in TLS attack.
119 In addition: we loose the ability to do server side BEAST mitigation.
120 See the discussion at: https://github.com/cherokee/webserver/pull/1168
122 diff --git a/cherokee/cryptor.h b/cherokee/cryptor.h
123 index ed1f8ee0..1adfa97e 100644
124 --- a/cherokee/cryptor.h
125 +++ b/cherokee/cryptor.h
130 -#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA"
131 +#define CHEROKEE_CIPHERS_DEFAULT "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
133 /* Callback function prototipes
136 commit 57b04ec506cde04794775e769d5485800427373e
137 Author: Stefan de Konink <stefan@konink.de>
138 Date: Mon May 8 13:20:32 2017 +0200
140 OpenSSL 1.1 uses the Secure Renegotiation Extension
142 diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
143 index 74af1cb5..5f430b73 100644
144 --- a/cherokee/cryptor_libssl.c
145 +++ b/cherokee/cryptor_libssl.c
146 @@ -790,11 +790,13 @@ _socket_init_tls (cherokee_cryptor_socket_libssl_t *cryp,
150 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
151 /* Disable Ciphers renegotiation (CVE-2009-3555)
153 if (cryp->session->s3) {
154 cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
161 commit 07ab26e6683f5166f7cd7785fe714338e3ad369f
162 Author: Stefan de Konink <stefan@konink.de>
163 Date: Mon May 8 13:49:56 2017 +0200
165 Second attempt to update to OpenSSL 1.1.
167 To test if Cherokee now is able to compile on both installations.
169 diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
170 index 5f430b73..1a4c452a 100644
171 --- a/cherokee/cryptor_libssl.c
172 +++ b/cherokee/cryptor_libssl.c
173 @@ -238,13 +238,13 @@ cherokee_cryptor_libssl_find_vserver (SSL *ssl,
174 /* SSL_set_SSL_CTX() only change certificates. We need to
175 * changes more options by hand.
177 - SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
178 + SSL_set_options(ssl, SSL_CTX_get_options(ctx));
180 if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
181 (SSL_num_renegotiations(ssl) == 0)) {
183 - SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
184 - SSL_CTX_get_verify_callback(ssl->ctx));
185 + SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
186 + SSL_CTX_get_verify_callback(ctx));
190 @@ -1332,10 +1332,15 @@ PLUGIN_INIT_NAME(libssl) (cherokee_plugin_loader_t *loader)
194 - OPENSSL_config (NULL);
195 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
196 + OPENSSL_config(NULL);
198 SSL_load_error_strings();
199 OpenSSL_add_all_algorithms();
201 + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
202 + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
205 /* Ensure PRNG has been seeded with enough data
207 diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
208 index 7f7702d5..0512baf5 100644
209 --- a/cherokee/cryptor_libssl_dh_1024.c
210 +++ b/cherokee/cryptor_libssl_dh_1024.c
213 static DH *get_dh1024()
215 - static unsigned char dh1024_p[]={
216 + static unsigned char dhp_1024[]={
217 0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47,
218 0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02,
219 0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20,
220 @@ -17,16 +17,21 @@ static DH *get_dh1024()
221 0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69,
222 0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B,
224 - static unsigned char dh1024_g[]={
225 + static unsigned char dhg_1024[]={
229 + BIGNUM *dhp_bn, *dhg_bn;
231 if ((dh=DH_new()) == NULL) return(NULL);
232 - dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
233 - dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
234 - if ((dh->p == NULL) || (dh->g == NULL)) {
235 - DH_free(dh); return(NULL);
236 + dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
237 + dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
238 + if (dhp_bn == NULL || dhg_bn == NULL ||
239 + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
247 diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
248 index 392361ec..463ba35a 100644
249 --- a/cherokee/cryptor_libssl_dh_2048.c
250 +++ b/cherokee/cryptor_libssl_dh_2048.c
253 static DH *get_dh2048()
255 - static unsigned char dh2048_p[]={
256 + static unsigned char dhp_2048[]={
257 0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49,
258 0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8,
259 0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF,
260 @@ -28,16 +28,21 @@ static DH *get_dh2048()
261 0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66,
264 - static unsigned char dh2048_g[]={
265 + static unsigned char dhg_2048[]={
269 + BIGNUM *dhp_bn, *dhg_bn;
271 if ((dh=DH_new()) == NULL) return(NULL);
272 - dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
273 - dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
274 - if ((dh->p == NULL) || (dh->g == NULL)) {
275 - DH_free(dh); return(NULL);
276 + dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
277 + dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
278 + if (dhp_bn == NULL || dhg_bn == NULL ||
279 + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
287 diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
288 index 94845775..1c329a00 100644
289 --- a/cherokee/cryptor_libssl_dh_4096.c
290 +++ b/cherokee/cryptor_libssl_dh_4096.c
293 static DH *get_dh4096()
295 - static unsigned char dh4096_p[]={
296 + static unsigned char dhp_4096[]={
297 0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A,
298 0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48,
299 0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49,
300 @@ -49,16 +49,21 @@ static DH *get_dh4096()
301 0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45,
302 0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33,
304 - static unsigned char dh4096_g[]={
305 + static unsigned char dhg_4096[]={
309 + BIGNUM *dhp_bn, *dhg_bn;
311 if ((dh=DH_new()) == NULL) return(NULL);
312 - dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL);
313 - dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL);
314 - if ((dh->p == NULL) || (dh->g == NULL)) {
315 - DH_free(dh); return(NULL);
316 + dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
317 + dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
318 + if (dhp_bn == NULL || dhg_bn == NULL ||
319 + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
327 diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
328 index bc1d8778..e7f64ed4 100644
329 --- a/cherokee/cryptor_libssl_dh_512.c
330 +++ b/cherokee/cryptor_libssl_dh_512.c
333 static DH *get_dh512()
335 - static unsigned char dh512_p[]={
336 + static unsigned char dhp_512[]={
337 0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49,
338 0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE,
339 0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B,
340 @@ -12,16 +12,21 @@ static DH *get_dh512()
341 0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3,
344 - static unsigned char dh512_g[]={
345 + static unsigned char dhg_512[]={
349 + BIGNUM *dhp_bn, *dhg_bn;
351 if ((dh=DH_new()) == NULL) return(NULL);
352 - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
353 - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
354 - if ((dh->p == NULL) || (dh->g == NULL)) {
355 - DH_free(dh); return(NULL);
356 + dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
357 + dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
358 + if (dhp_bn == NULL || dhg_bn == NULL ||
359 + !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
368 commit d20bf585c0d5f62e39c237575ba89ef0fed10d89
369 Author: Stefan de Konink <stefan@konink.de>
370 Date: Tue May 9 10:55:34 2017 +0200
372 Create more compatibility with openssl 1.1.
374 Remove the NULL checks, as they are already happening in the function below.
376 diff --git a/cherokee/cryptor_libssl_compat.h b/cherokee/cryptor_libssl_compat.h
378 index 00000000..832a122a
380 +++ b/cherokee/cryptor_libssl_compat.h
382 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
384 +#include <openssl/engine.h>
386 +int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
388 + /* If the fields p and g in d are NULL, the corresponding input
389 + * parameters MUST be non-NULL. q may remain NULL.
392 + if ((dh->p == NULL && p == NULL)
393 + || (dh->g == NULL && g == NULL))
412 + dh->length = BN_num_bits(q);
418 diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
419 index 0512baf5..2a863f4c 100644
420 --- a/cherokee/cryptor_libssl_dh_1024.c
421 +++ b/cherokee/cryptor_libssl_dh_1024.c
424 #include <openssl/dh.h>
427 +#include "cryptor_libssl_compat.h"
429 static DH *get_dh1024()
431 static unsigned char dhp_1024[]={
432 @@ -26,8 +29,7 @@ static DH *get_dh1024()
433 if ((dh=DH_new()) == NULL) return(NULL);
434 dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
435 dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
436 - if (dhp_bn == NULL || dhg_bn == NULL ||
437 - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
438 + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
442 diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
443 index 463ba35a..e81e6e3f 100644
444 --- a/cherokee/cryptor_libssl_dh_2048.c
445 +++ b/cherokee/cryptor_libssl_dh_2048.c
448 #include <openssl/dh.h>
451 +#include "cryptor_libssl_compat.h"
453 static DH *get_dh2048()
455 static unsigned char dhp_2048[]={
456 @@ -37,8 +40,7 @@ static DH *get_dh2048()
457 if ((dh=DH_new()) == NULL) return(NULL);
458 dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
459 dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
460 - if (dhp_bn == NULL || dhg_bn == NULL ||
461 - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
462 + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
466 diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
467 index 1c329a00..b90c599f 100644
468 --- a/cherokee/cryptor_libssl_dh_4096.c
469 +++ b/cherokee/cryptor_libssl_dh_4096.c
472 #include <openssl/dh.h>
475 +#include "cryptor_libssl_compat.h"
477 static DH *get_dh4096()
479 static unsigned char dhp_4096[]={
480 @@ -58,8 +61,7 @@ static DH *get_dh4096()
481 if ((dh=DH_new()) == NULL) return(NULL);
482 dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
483 dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
484 - if (dhp_bn == NULL || dhg_bn == NULL ||
485 - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
486 + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
490 diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
491 index e7f64ed4..93d63d48 100644
492 --- a/cherokee/cryptor_libssl_dh_512.c
493 +++ b/cherokee/cryptor_libssl_dh_512.c
496 #include <openssl/dh.h>
499 +#include "cryptor_libssl_compat.h"
501 static DH *get_dh512()
503 static unsigned char dhp_512[]={
504 @@ -21,8 +24,7 @@ static DH *get_dh512()
505 if ((dh=DH_new()) == NULL) return(NULL);
506 dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
507 dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
508 - if (dhp_bn == NULL || dhg_bn == NULL ||
509 - !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
510 + if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
515 commit 43e5d17b3bd5fbb926f526f6ee84cf4ae299b8c8
516 Author: Stefan de Konink <stefan@konink.de>
517 Date: Tue May 9 11:41:45 2017 +0200
521 diff --git a/cherokee/cryptor_libssl.c b/cherokee/cryptor_libssl.c
522 index 1a4c452a..fabf9912 100644
523 --- a/cherokee/cryptor_libssl.c
524 +++ b/cherokee/cryptor_libssl.c
525 @@ -53,6 +53,8 @@ static DH *dh_param_1024 = NULL;
526 static DH *dh_param_2048 = NULL;
527 static DH *dh_param_4096 = NULL;
529 +#include "cryptor_libssl_compat.h"
531 #include "cryptor_libssl_dh_512.c"
532 #include "cryptor_libssl_dh_1024.c"
533 #include "cryptor_libssl_dh_2048.c"
534 diff --git a/cherokee/cryptor_libssl_dh_1024.c b/cherokee/cryptor_libssl_dh_1024.c
535 index 2a863f4c..74a56c38 100644
536 --- a/cherokee/cryptor_libssl_dh_1024.c
537 +++ b/cherokee/cryptor_libssl_dh_1024.c
539 #include <openssl/dh.h>
542 -#include "cryptor_libssl_compat.h"
544 static DH *get_dh1024()
546 static unsigned char dhp_1024[]={
547 diff --git a/cherokee/cryptor_libssl_dh_2048.c b/cherokee/cryptor_libssl_dh_2048.c
548 index e81e6e3f..dbb481aa 100644
549 --- a/cherokee/cryptor_libssl_dh_2048.c
550 +++ b/cherokee/cryptor_libssl_dh_2048.c
552 #include <openssl/dh.h>
555 -#include "cryptor_libssl_compat.h"
557 static DH *get_dh2048()
559 static unsigned char dhp_2048[]={
560 diff --git a/cherokee/cryptor_libssl_dh_4096.c b/cherokee/cryptor_libssl_dh_4096.c
561 index b90c599f..aeaf3abc 100644
562 --- a/cherokee/cryptor_libssl_dh_4096.c
563 +++ b/cherokee/cryptor_libssl_dh_4096.c
565 #include <openssl/dh.h>
568 -#include "cryptor_libssl_compat.h"
570 static DH *get_dh4096()
572 static unsigned char dhp_4096[]={
573 diff --git a/cherokee/cryptor_libssl_dh_512.c b/cherokee/cryptor_libssl_dh_512.c
574 index 93d63d48..ed776636 100644
575 --- a/cherokee/cryptor_libssl_dh_512.c
576 +++ b/cherokee/cryptor_libssl_dh_512.c
578 #include <openssl/dh.h>
581 -#include "cryptor_libssl_compat.h"
583 static DH *get_dh512()
585 static unsigned char dhp_512[]={
587 commit 75f041e2255e6dd0692db2f14611c2647dbe8425
588 Merge: dad221a9 43e5d17b
589 Author: Stefan de Konink <stefan@konink.de>
590 Date: Mon May 29 07:03:22 2017 +0200
592 Merge pull request #1196 from cherokee/openssl-1.1