1 From a2c9dde4d055ea8942afb150b7fc3a807d4e5d60 Mon Sep 17 00:00:00 2001
2 From: Sergey Poznyakoff <gray@gnu.org>
3 Date: Wed, 28 Feb 2018 13:44:01 +0000
4 Subject: [PATCH] Support for Openssl 1.1
7 .gitignore | 15 ++++++++
8 config.c | 17 +++++++--
11 svc.c | 101 +++++++++++++++++++++++++++++++++++++++++++----------
12 5 files changed, 125 insertions(+), 24 deletions(-)
13 create mode 100644 .gitignore
15 diff --git a/config.c b/config.c
16 index d41a3ee..e8fec0f 100644
19 @@ -174,6 +174,16 @@ conf_fgets(char *buf, const int max)
23 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
24 +# define general_name_string(n) \
25 + strndup(ASN1_STRING_get0_data(n->d.dNSName), \
26 + ASN1_STRING_length(n->d.dNSName) + 1)
28 +# define general_name_string(n) \
29 + strndup(ASN1_STRING_data(n->d.dNSName), \
30 + ASN1_STRING_length(n->d.dNSName) + 1)
34 get_subjectaltnames(X509 *x509, unsigned int *count)
36 @@ -194,8 +204,7 @@ get_subjectaltnames(X509 *x509, unsigned int *count)
37 name = sk_GENERAL_NAME_pop(san_stack);
40 - temp[local_count] = strndup(ASN1_STRING_data(name->d.dNSName), ASN1_STRING_length(name->d.dNSName)
42 + temp[local_count] = general_name_string(name);
43 if(temp[local_count] == NULL)
44 conf_err("out of memory");
46 @@ -565,7 +574,9 @@ parse_service(const char *svc_name)
47 pthread_mutex_init(&res->mut, NULL);
49 strncpy(res->name, svc_name, KEY_SIZE);
50 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
51 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
52 + if((res->sessions = lh_TABNODE_new(t_hash, t_cmp)) == NULL)
53 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
54 if((res->sessions = LHM_lh_new(TABNODE, t)) == NULL)
56 if((res->sessions = lh_new(LHASH_HASH_FN(t_hash), LHASH_COMP_FN(t_cmp))) == NULL)
57 diff --git a/http.c b/http.c
58 index dd211e4..c8e756a 100644
61 @@ -527,12 +527,22 @@ log_bytes(char *res, const LONG cnt)
63 /* Cleanup code. This should really be in the pthread_cleanup_push, except for bugs in some implementations */
65 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
66 +# define clear_error()
67 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
68 +# define clear_error() \
69 + if(ssl != NULL) { ERR_clear_error(); ERR_remove_thread_state(NULL); }
71 +# define clear_error() \
72 + if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); }
75 #define clean_all() { \
76 if(ssl != NULL) { BIO_ssl_shutdown(cl); } \
77 if(be != NULL) { BIO_flush(be); BIO_reset(be); BIO_free_all(be); be = NULL; } \
78 if(cl != NULL) { BIO_flush(cl); BIO_reset(cl); BIO_free_all(cl); cl = NULL; } \
79 if(x509 != NULL) { X509_free(x509); x509 = NULL; } \
80 - if(ssl != NULL) { ERR_clear_error(); ERR_remove_state(0); } \
85 diff --git a/pound.h b/pound.h
86 index fa22c36..9603b91 100644
89 @@ -344,7 +344,9 @@ typedef struct _tn {
90 /* maximal session key size */
93 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
94 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
95 + DEFINE_LHASH_OF(TABNODE);
96 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
97 DECLARE_LHASH_OF(TABNODE);
100 diff --git a/svc.c b/svc.c
101 index 60ba488..063b92c 100644
108 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
109 +# define TABNODE_GET_DOWN_LOAD(t) lh_TABNODE_get_down_load(t)
110 +# define TABNODE_SET_DOWN_LOAD(t,n) lh_TABNODE_set_down_load(t,n)
113 #define LHASH_OF(x) LHASH
114 #define CHECKED_LHASH_OF(type, h) h
116 +# define TABNODE_GET_DOWN_LOAD(t) (CHECKED_LHASH_OF(TABNODE, t)->down_load)
117 +# define TABNODE_SET_DOWN_LOAD(t,n) (CHECKED_LHASH_OF(TABNODE, t)->down_load = n)
121 * Add a new key/content pair to a hash table
122 @@ -58,7 +65,9 @@ t_add(LHASH_OF(TABNODE) *const tab, const char *key, const void *content, const
124 memcpy(t->content, content, cont_len);
125 t->last_acc = time(NULL);
126 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
127 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
128 + if((old = lh_TABNODE_insert(tab, t)) != NULL) {
129 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
130 if((old = LHM_lh_insert(TABNODE, tab, t)) != NULL) {
132 if((old = (TABNODE *)lh_insert(tab, t)) != NULL) {
133 @@ -82,7 +91,9 @@ t_find(LHASH_OF(TABNODE) *const tab, char *const key)
137 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
138 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
139 + if((res = lh_TABNODE_retrieve(tab, &t)) != NULL) {
140 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
141 if((res = (TABNODE *)LHM_lh_retrieve(TABNODE, tab, &t)) != NULL) {
143 if((res = (TABNODE *)lh_retrieve(tab, &t)) != NULL) {
144 @@ -102,7 +113,9 @@ t_remove(LHASH_OF(TABNODE) *const tab, char *const key)
148 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
149 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
150 + if((res = lh_TABNODE_delete(tab, &t)) != NULL) {
151 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
152 if((res = LHM_lh_delete(TABNODE, tab, &t)) != NULL) {
154 if((res = (TABNODE *)lh_delete(tab, &t)) != NULL) {
155 @@ -127,7 +140,9 @@ t_old_doall_arg(TABNODE *t, ALL_ARG *a)
158 if(t->last_acc < a->lim)
159 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
160 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
161 + if((res = lh_TABNODE_delete(a->tab, t)) != NULL) {
162 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
163 if((res = LHM_lh_delete(TABNODE, a->tab, t)) != NULL) {
165 if((res = lh_delete(a->tab, t)) != NULL) {
166 @@ -145,6 +160,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE, ALL_ARG)
167 IMPLEMENT_LHASH_DOALL_ARG_FN(t_old, TABNODE *, ALL_ARG *)
170 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
171 +IMPLEMENT_LHASH_DOALL_ARG(TABNODE,ALL_ARG);
175 * Expire all old nodes
177 @@ -156,14 +175,16 @@ t_expire(LHASH_OF(TABNODE) *const tab, const time_t lim)
181 - down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
182 - CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
183 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
184 + down_load = TABNODE_GET_DOWN_LOAD(tab);
185 + TABNODE_SET_DOWN_LOAD(tab, 0);
186 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
187 + lh_TABNODE_doall_ALL_ARG(tab, t_old_doall_arg, &a);
188 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
189 LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_old), ALL_ARG, &a);
191 lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_old), &a);
193 - CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
194 + TABNODE_SET_DOWN_LOAD(tab, down_load);
198 @@ -173,7 +194,9 @@ t_cont_doall_arg(TABNODE *t, ALL_ARG *arg)
201 if(memcmp(t->content, arg->content, arg->cont_len) == 0)
202 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
203 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
204 + if((res = lh_TABNODE_delete(arg->tab, t)) != NULL) {
205 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
206 if((res = LHM_lh_delete(TABNODE, arg->tab, t)) != NULL) {
208 if((res = lh_delete(arg->tab, t)) != NULL) {
209 @@ -203,15 +226,16 @@ t_clean(LHASH_OF(TABNODE) *const tab, void *const content, const size_t cont_len
212 a.cont_len = cont_len;
213 - down_load = CHECKED_LHASH_OF(TABNODE, tab)->down_load;
214 - CHECKED_LHASH_OF(TABNODE, tab)->down_load = 0;
215 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
216 + down_load = TABNODE_GET_DOWN_LOAD(tab);
217 + TABNODE_SET_DOWN_LOAD(tab, 0);
218 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
219 + lh_TABNODE_doall_ALL_ARG(tab, t_cont_doall_arg, &a);
220 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
221 LHM_lh_doall_arg(TABNODE, tab, LHASH_DOALL_ARG_FN(t_cont), ALL_ARG, &a);
223 lh_doall_arg(tab, LHASH_DOALL_ARG_FN(t_cont), &a);
225 - CHECKED_LHASH_OF(TABNODE, tab)->down_load = down_load;
227 + TABNODE_SET_DOWN_LOAD(tab, down_load);
231 @@ -1262,6 +1286,31 @@ RSA_tmp_callback(/* not used */SSL *ssl, /* not used */int is_export, int keylen
236 +generate_key(RSA **ret_rsa, unsigned long bits)
238 +#if OPENSSL_VERSION_NUMBER > 0x00908000L
244 + BIGNUM *bne = BN_new();
245 + if (BN_set_word(bne, RSA_F4))
246 + rc = RSA_generate_key_ex(rsa, bits, bne, NULL);
255 + *ret_rsa = RSA_generate_key(bits, RSA_F4, NULL, NULL);
256 + return *ret_rsa != NULL;
261 * Periodically regenerate ephemeral RSA keys
262 * runs every T_RSA_KEYS seconds
263 @@ -1274,8 +1323,9 @@ do_RSAgen(void)
264 RSA *t_RSA1024_keys[N_RSA_KEYS];
266 for(n = 0; n < N_RSA_KEYS; n++) {
267 - t_RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL);
268 - t_RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL);
269 + /* FIXME: Error handling */
270 + generate_key(&t_RSA512_keys[n], 512);
271 + generate_key(&t_RSA1024_keys[n], 1024);
273 if(ret_val = pthread_mutex_lock(&RSA_mut))
274 logmsg(LOG_WARNING, "thr_RSAgen() lock: %s", strerror(ret_val));
275 @@ -1329,11 +1379,11 @@ init_timer(void)
276 * Pre-generate ephemeral RSA keys
278 for(n = 0; n < N_RSA_KEYS; n++) {
279 - if((RSA512_keys[n] = RSA_generate_key(512, RSA_F4, NULL, NULL)) == NULL) {
280 + if(!generate_key(&RSA512_keys[n], 512)) {
281 logmsg(LOG_WARNING,"RSA_generate(%d, 512) failed", n);
284 - if((RSA1024_keys[n] = RSA_generate_key(1024, RSA_F4, NULL, NULL)) == NULL) {
285 + if(!generate_key(&RSA1024_keys[n], 1024)) {
286 logmsg(LOG_WARNING,"RSA_generate(%d, 1024) failed", n);
289 @@ -1420,6 +1470,10 @@ IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE, DUMP_ARG)
290 IMPLEMENT_LHASH_DOALL_ARG_FN(t_dump, TABNODE *, DUMP_ARG *)
293 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
294 +IMPLEMENT_LHASH_DOALL_ARG(TABNODE,DUMP_ARG);
298 * write sessions to the control socket
300 @@ -1430,7 +1484,9 @@ dump_sess(const int control_sock, LHASH_OF(TABNODE) *const sess, BACKEND *const
302 a.control_sock = control_sock;
303 a.backends = backends;
304 -#if OPENSSL_VERSION_NUMBER >= 0x10000000L
305 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
306 + lh_TABNODE_doall_DUMP_ARG(sess, t_dump_doall_arg, &a);
307 +#elif OPENSSL_VERSION_NUMBER >= 0x10000000L
308 LHM_lh_doall_arg(TABNODE, sess, LHASH_DOALL_ARG_FN(t_dump), DUMP_ARG, &a);
310 lh_doall_arg(sess, LHASH_DOALL_ARG_FN(t_dump), &a);
311 @@ -1664,6 +1720,13 @@ thr_control(void *arg)
315 +#ifndef SSL3_ST_SR_CLNT_HELLO_A
316 +# define SSL3_ST_SR_CLNT_HELLO_A (0x110|SSL_ST_ACCEPT)
318 +#ifndef SSL23_ST_SR_CLNT_HELLO_A
319 +# define SSL23_ST_SR_CLNT_HELLO_A (0x210|SSL_ST_ACCEPT)
323 SSLINFO_callback(const SSL *ssl, int where, int rc)