Description: Port tls_mgm module to openssl 1.1.0. Author: Răzvan Crainea Last-Update: 2016-12-01 --- a/modules/tls_mgm/tls.h +++ b/modules/tls_mgm/tls.h @@ -64,41 +64,50 @@ #warning "" #endif -static int tls_static_locks_no=0; -static gen_lock_set_t* tls_static_locks=NULL; - static SSL_METHOD *ssl_methods[TLS_USE_TLSv1_2 + 1]; #define VERIFY_DEPTH_S 3 -struct CRYPTO_dynlock_value { - gen_lock_t lock; -}; - -static unsigned long tls_get_id(void) -{ - return my_pid(); -} - /* * Wrappers around OpenSIPS shared memory functions * (which can be macros) */ +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +static void* os_malloc(size_t size, const char *file, int line) +#else static void* os_malloc(size_t size) +#endif { +#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L) + return _shm_malloc(size, file, __FUNCTION__, line); +#else return shm_malloc(size); +#endif } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +static void* os_realloc(void *ptr, size_t size, const char *file, int line) +#else static void* os_realloc(void *ptr, size_t size) +#endif { +#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L) + return _shm_realloc(ptr, size, file, __FUNCTION__, line); +#else return shm_realloc(ptr, size); +#endif } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L +static void os_free(void *ptr, const char *file, int line) +#else static void os_free(void *ptr) +#endif { + /* TODO: also handle free file and line */ if (ptr) shm_free(ptr); } @@ -106,21 +115,17 @@ -static void tls_static_locks_ops(int mode, int n, const char* file, int line) -{ - if (n<0 || n>tls_static_locks_no) { - LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n"); - abort(); - } +/* these locks can not be used in 1.1.0, because the interface has changed */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +struct CRYPTO_dynlock_value { + gen_lock_t lock; +}; - if (mode & CRYPTO_LOCK) { - lock_set_get(tls_static_locks,n); - } else { - lock_set_release(tls_static_locks,n); - } +static unsigned long tls_get_id(void) +{ + return my_pid(); } - static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file, int line) { @@ -158,5 +163,6 @@ lock_destroy(&dyn_lock->lock); shm_free(dyn_lock); } +#endif #endif /* _PROTO_TLS_H_ */ --- a/modules/tls_mgm/tls_conn_ops.h +++ b/modules/tls_mgm/tls_conn_ops.h @@ -116,12 +116,14 @@ return -1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifndef OPENSSL_NO_KRB5 if ( ((SSL *)c->extra_data)->kssl_ctx ) { kssl_ctx_free( ((SSL *)c->extra_data)->kssl_ctx ); ((SSL *)c->extra_data)->kssl_ctx = 0; } #endif +#endif if ( c->proto_flags & F_TLS_DO_ACCEPT ) { LM_DBG("Setting in ACCEPT mode (server)\n"); --- a/modules/tls_mgm/tls_conn_server.h +++ b/modules/tls_mgm/tls_conn_server.h @@ -148,17 +148,21 @@ } ssl = (SSL *) c->extra_data; +#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifndef OPENSSL_NO_KRB5 if ( ssl->kssl_ctx==NULL ) ssl->kssl_ctx = kssl_ctx_new( ); #endif +#endif ret = SSL_accept(ssl); +#if OPENSSL_VERSION_NUMBER < 0x10100000L #ifndef OPENSSL_NO_KRB5 if ( ssl->kssl_ctx ) { kssl_ctx_free( ssl->kssl_ctx ); ssl->kssl_ctx = 0; } #endif +#endif if (ret > 0) { LM_INFO("New TLS connection from %s:%d accepted\n", ip_addr2a(&c->rcv.src_ip), c->rcv.src_port); --- a/modules/tls_mgm/tls_mgm.c +++ b/modules/tls_mgm/tls_mgm.c @@ -557,11 +557,10 @@ LM_NOTICE("subject = %s\n", buf); LM_NOTICE("verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err)); - LM_NOTICE("error code is %d\n", ctx->error); - switch (ctx->error) { + switch (err) { case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), + X509_NAME_oneline(X509_get_issuer_name(err_cert), buf,sizeof buf); LM_NOTICE("issuer= %s\n",buf); break; @@ -611,7 +610,7 @@ default: LM_NOTICE("something wrong with the cert" - " ... error code is %d (check x509_vfy.h)\n", ctx->error); + " ... error code is %d (check x509_vfy.h)\n", err); break; } @@ -1074,9 +1073,11 @@ return 0; } +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) static int check_for_krb(void) { SSL_CTX *xx; + int j; xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]); @@ -1096,6 +1097,27 @@ SSL_CTX_free(xx); return 0; } +#endif + +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +static int tls_static_locks_no=0; +static gen_lock_set_t* tls_static_locks=NULL; + +static void tls_static_locks_ops(int mode, int n, const char* file, int line) +{ + if (n<0 || n>tls_static_locks_no) { + LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n"); + abort(); + } + + if (mode & CRYPTO_LOCK) { + lock_set_get(tls_static_locks,n); + } else { + lock_set_release(tls_static_locks,n); + } +} + + static int tls_init_multithread(void) { @@ -1126,6 +1148,7 @@ return 0; } +#endif /* * initialize ssl methods @@ -1135,19 +1158,31 @@ { LM_DBG("entered\n"); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLS_client_method(); + ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLS_server_method(); + ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLS_method(); +#else ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method(); ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method(); ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method(); +#endif ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method(); ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method(); ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method(); #if OPENSSL_VERSION_NUMBER >= 0x10001000L +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLS_client_method(); + ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLS_server_method(); + ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLS_method(); +#else ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method(); ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method(); ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method(); #endif +#endif } /* reloads data from the db */ @@ -1273,10 +1308,10 @@ * CRYPTO_malloc will set allow_customize in openssl to 0 */ if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) { - LM_ERR("unable to set the memory allocation functions\n"); - LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this " - "version is know to be broken; if so, you need to upgrade or " - "downgrade to a differen openssl version !!\n"); + LM_ERR("NOTE: check if you are using openssl 1.0.1e-fips, (or other " + "FIPS version of openssl, as this is known to be broken; if so, " + "you need to upgrade or downgrade to a different openssl version!\n"); + LM_ERR("current version: %s\n", SSLeay_version(SSLEAY_VERSION)); return -1; } @@ -1291,15 +1326,18 @@ sk_SSL_COMP_zero(comp_methods); } #endif +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) if (tls_init_multithread() < 0) { LM_ERR("failed to init multi-threading support\n"); return -1; } +#endif SSL_library_init(); SSL_load_error_strings(); init_ssl_methods(); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) n = check_for_krb(); if (n==-1) { LM_ERR("kerberos check failed\n"); @@ -1318,6 +1356,7 @@ (n==1)?"":"no ",(n!=1)?"no ":""); return -1; } +#endif /* * finish setting up the tls default domains --- a/modules/identity/identity.c +++ b/modules/identity/identity.c @@ -107,6 +107,9 @@ #include "identity.h" +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define EVP_MD_CTX_free EVP_MD_CTX_cleanup +#endif /* parameters */ @@ -831,7 +834,11 @@ { #define IDENTITY_HDR_S "Identity: \"" #define IDENTITY_HDR_L (sizeof(IDENTITY_HDR_S)-1) - EVP_MD_CTX ctx; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *pctx; +#else + EVP_MD_CTX ctx, *pctx = &ctx; +#endif unsigned int siglen = 0; int b64len = 0; unsigned char * sig = NULL; @@ -843,27 +850,30 @@ LM_ERR("error making digest string\n"); return 0; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + pctx = EVP_MD_CTX_new(); +#endif - EVP_SignInit(&ctx, EVP_sha1()); + EVP_SignInit(pctx, EVP_sha1()); - EVP_SignUpdate(&ctx, digestString, strlen(digestString)); + EVP_SignUpdate(pctx, digestString, strlen(digestString)); sig = pkg_malloc(EVP_PKEY_size(privKey_evp)); if(!sig) { - EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(pctx); LM_ERR("failed allocating memory\n"); return 0; } - if(!EVP_SignFinal(&ctx, sig, &siglen, privKey_evp)) + if(!EVP_SignFinal(pctx, sig, &siglen, privKey_evp)) { - EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(pctx); pkg_free(sig); LM_ERR("error calculating signature\n"); return 0; } - EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(pctx); /* ###Base64-encoding### */ /* annotation: The next few lines are based on example 7-11 of [VIE-02] */ @@ -1138,6 +1148,10 @@ const unsigned char * data; STACK_OF(CONF_VALUE) * val; CONF_VALUE * nval; + int len; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + ASN1_OCTET_STRING *adata; +#endif if(!cert || !msg) { @@ -1190,15 +1204,22 @@ LM_ERR("X509V3_EXT_get failed\n"); return 0; } +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + adata = X509_EXTENSION_get_data(cext); + data = ASN1_STRING_get0_data(adata); + len = ASN1_STRING_length(adata); +#else data = cext->value->data; + len = cext->value->length; +#endif if(meth->it) { ext_str = ASN1_item_d2i(NULL, &data, - cext->value->length, ASN1_ITEM_ptr(meth->it)); + len, ASN1_ITEM_ptr(meth->it)); } else { - ext_str = meth->d2i(NULL, &data, cext->value->length); + ext_str = meth->d2i(NULL, &data, len); } val = meth->i2v(meth, ext_str, NULL); @@ -1251,7 +1272,11 @@ int siglen = -1; unsigned char * sigbuf = NULL; int b64len = 0; - EVP_MD_CTX ctx; +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + EVP_MD_CTX *pctx; +#else + EVP_MD_CTX ctx, *pctx = &ctx; +#endif int result = 0; char *p; unsigned long err; @@ -1295,22 +1320,25 @@ p=strstr(identityHF , "="); siglen-=strspn(p , "="); - EVP_VerifyInit(&ctx, EVP_sha1()); - EVP_VerifyUpdate(&ctx, digestString, strlen(digestString)); +#if OPENSSL_VERSION_NUMBER >= 0x10100000L + pctx = EVP_MD_CTX_new(); +#endif + EVP_VerifyInit(pctx, EVP_sha1()); + EVP_VerifyUpdate(pctx, digestString, strlen(digestString)); pubkey = X509_get_pubkey(cert); if(!pubkey) { - EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(pctx); pkg_free(sigbuf); LM_ERR("error reading pubkey from cert\n"); return 0; } - result = EVP_VerifyFinal(&ctx, sigbuf, siglen, pubkey); + result = EVP_VerifyFinal(pctx, sigbuf, siglen, pubkey); EVP_PKEY_free(pubkey); - EVP_MD_CTX_cleanup(&ctx); + EVP_MD_CTX_free(pctx); pkg_free(sigbuf); switch(result) @@ -1715,8 +1743,9 @@ { if (!ok) { + int err = X509_STORE_CTX_get_error(stor); LM_INFO("certificate validation failed: %s\n", - X509_verify_cert_error_string(stor->error)); + X509_verify_cert_error_string(err)); } return ok;