Brad Bishop | 1a4b7ee | 2018-12-16 17:11:34 -0800 | [diff] [blame^] | 1 | From f78643d2388dd0697f83f17880403253a0596d83 Mon Sep 17 00:00:00 2001 |
| 2 | From: Vitezslav Crhonek <vcrhonek@redhat.com> |
| 3 | Date: Wed, 5 Sep 2018 11:23:46 -0700 |
| 4 | Subject: [PATCH 1/2] Port to OpenSSL 1.1.0 |
| 5 | |
| 6 | Upstream-Status: Submitted [https://github.com/Openwsman/openwsman/pull/99] |
| 7 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 8 | --- |
| 9 | src/lib/wsman-curl-client-transport.c | 6 +++- |
| 10 | src/server/shttpd/io_ssl.c | 17 ---------- |
| 11 | src/server/shttpd/shttpd.c | 20 ++++-------- |
| 12 | src/server/shttpd/ssl.h | 46 --------------------------- |
| 13 | 4 files changed, 12 insertions(+), 77 deletions(-) |
| 14 | |
| 15 | diff --git a/src/lib/wsman-curl-client-transport.c b/src/lib/wsman-curl-client-transport.c |
| 16 | index cd7f517a..e64ad097 100644 |
| 17 | --- a/src/lib/wsman-curl-client-transport.c |
| 18 | +++ b/src/lib/wsman-curl-client-transport.c |
| 19 | @@ -241,12 +241,16 @@ write_handler( void *ptr, size_t size, size_t nmemb, void *data) |
| 20 | static int ssl_certificate_thumbprint_verify_callback(X509_STORE_CTX *ctx, void *arg) |
| 21 | { |
| 22 | unsigned char *thumbprint = (unsigned char *)arg; |
| 23 | - X509 *cert = ctx->cert; |
| 24 | EVP_MD *tempDigest; |
| 25 | |
| 26 | unsigned char tempFingerprint[EVP_MAX_MD_SIZE]; |
| 27 | unsigned int tempFingerprintLen; |
| 28 | tempDigest = (EVP_MD*)EVP_sha1( ); |
| 29 | + |
| 30 | + X509 *cert = X509_STORE_CTX_get_current_cert(ctx); |
| 31 | + if(!cert) |
| 32 | + return 0; |
| 33 | + |
| 34 | if ( X509_digest(cert, tempDigest, tempFingerprint, &tempFingerprintLen ) <= 0) |
| 35 | return 0; |
| 36 | if(!memcmp(tempFingerprint, thumbprint, tempFingerprintLen)) |
| 37 | diff --git a/src/server/shttpd/io_ssl.c b/src/server/shttpd/io_ssl.c |
| 38 | index 6de0db2a..7ac669e4 100644 |
| 39 | --- a/src/server/shttpd/io_ssl.c |
| 40 | +++ b/src/server/shttpd/io_ssl.c |
| 41 | @@ -11,23 +11,6 @@ |
| 42 | #include "defs.h" |
| 43 | |
| 44 | #if !defined(NO_SSL) |
| 45 | -struct ssl_func ssl_sw[] = { |
| 46 | - {"SSL_free", {0}}, |
| 47 | - {"SSL_accept", {0}}, |
| 48 | - {"SSL_connect", {0}}, |
| 49 | - {"SSL_read", {0}}, |
| 50 | - {"SSL_write", {0}}, |
| 51 | - {"SSL_get_error", {0}}, |
| 52 | - {"SSL_set_fd", {0}}, |
| 53 | - {"SSL_new", {0}}, |
| 54 | - {"SSL_CTX_new", {0}}, |
| 55 | - {"SSLv23_server_method", {0}}, |
| 56 | - {"SSL_library_init", {0}}, |
| 57 | - {"SSL_CTX_use_PrivateKey_file", {0}}, |
| 58 | - {"SSL_CTX_use_certificate_file",{0}}, |
| 59 | - {NULL, {0}} |
| 60 | -}; |
| 61 | - |
| 62 | void |
| 63 | _shttpd_ssl_handshake(struct stream *stream) |
| 64 | { |
| 65 | diff --git a/src/server/shttpd/shttpd.c b/src/server/shttpd/shttpd.c |
| 66 | index 5876392e..4c1dbf32 100644 |
| 67 | --- a/src/server/shttpd/shttpd.c |
| 68 | +++ b/src/server/shttpd/shttpd.c |
| 69 | @@ -1476,20 +1476,14 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem) |
| 70 | int retval = FALSE; |
| 71 | EC_KEY* key; |
| 72 | |
| 73 | - /* Load SSL library dynamically */ |
| 74 | - if ((lib = dlopen(SSL_LIB, RTLD_LAZY)) == NULL) { |
| 75 | - _shttpd_elog(E_LOG, NULL, "set_ssl: cannot load %s", SSL_LIB); |
| 76 | - return (FALSE); |
| 77 | - } |
| 78 | - |
| 79 | - for (fp = ssl_sw; fp->name != NULL; fp++) |
| 80 | - if ((fp->ptr.v_void = dlsym(lib, fp->name)) == NULL) { |
| 81 | - _shttpd_elog(E_LOG, NULL,"set_ssl: cannot find %s", fp->name); |
| 82 | - return (FALSE); |
| 83 | - } |
| 84 | - |
| 85 | /* Initialize SSL crap */ |
| 86 | + debug("Initialize SSL"); |
| 87 | + SSL_load_error_strings(); |
| 88 | + #if OPENSSL_VERSION_NUMBER < 0x10100000L |
| 89 | SSL_library_init(); |
| 90 | + #else |
| 91 | + OPENSSL_init_ssl(0, NULL); |
| 92 | + #endif |
| 93 | |
| 94 | if ((CTX = SSL_CTX_new(SSLv23_server_method())) == NULL) |
| 95 | _shttpd_elog(E_LOG, NULL, "SSL_CTX_new error"); |
| 96 | @@ -1532,7 +1526,7 @@ set_ssl(struct shttpd_ctx *ctx, const char *pem) |
| 97 | if (strncasecmp(protocols[idx].name, ssl_disabled_protocols, blank_ptr-ssl_disabled_protocols) == 0) { |
| 98 | //_shttpd_elog(E_LOG, NULL, "SSL: disable %s protocol", protocols[idx].name); |
| 99 | debug("SSL: disable %s protocol", protocols[idx].name); |
| 100 | - SSL_CTX_ctrl(CTX, SSL_CTRL_OPTIONS, protocols[idx].opt, NULL); |
| 101 | + SSL_CTX_set_options(CTX, protocols[idx].opt); |
| 102 | break; |
| 103 | } |
| 104 | } |
| 105 | diff --git a/src/server/shttpd/ssl.h b/src/server/shttpd/ssl.h |
| 106 | index a863f2c7..8dad0109 100644 |
| 107 | --- a/src/server/shttpd/ssl.h |
| 108 | +++ b/src/server/shttpd/ssl.h |
| 109 | @@ -12,50 +12,4 @@ |
| 110 | |
| 111 | #include <openssl/ssl.h> |
| 112 | |
| 113 | -#else |
| 114 | - |
| 115 | -/* |
| 116 | - * Snatched from OpenSSL includes. I put the prototypes here to be independent |
| 117 | - * from the OpenSSL source installation. Having this, shttpd + SSL can be |
| 118 | - * built on any system with binary SSL libraries installed. |
| 119 | - */ |
| 120 | - |
| 121 | -typedef struct ssl_st SSL; |
| 122 | -typedef struct ssl_method_st SSL_METHOD; |
| 123 | -typedef struct ssl_ctx_st SSL_CTX; |
| 124 | - |
| 125 | -#define SSL_ERROR_WANT_READ 2 |
| 126 | -#define SSL_ERROR_WANT_WRITE 3 |
| 127 | -#define SSL_ERROR_SYSCALL 5 |
| 128 | -#define SSL_FILETYPE_PEM 1 |
| 129 | - |
| 130 | #endif |
| 131 | - |
| 132 | -/* |
| 133 | - * Dynamically loaded SSL functionality |
| 134 | - */ |
| 135 | -struct ssl_func { |
| 136 | - const char *name; /* SSL function name */ |
| 137 | - union variant ptr; /* Function pointer */ |
| 138 | -}; |
| 139 | - |
| 140 | -extern struct ssl_func ssl_sw[]; |
| 141 | - |
| 142 | -#define FUNC(x) ssl_sw[x].ptr.v_func |
| 143 | - |
| 144 | -#define SSL_free(x) (* (void (*)(SSL *)) FUNC(0))(x) |
| 145 | -#define SSL_accept(x) (* (int (*)(SSL *)) FUNC(1))(x) |
| 146 | -#define SSL_connect(x) (* (int (*)(SSL *)) FUNC(2))(x) |
| 147 | -#define SSL_read(x,y,z) (* (int (*)(SSL *, void *, int)) FUNC(3))((x),(y),(z)) |
| 148 | -#define SSL_write(x,y,z) \ |
| 149 | - (* (int (*)(SSL *, const void *,int)) FUNC(4))((x), (y), (z)) |
| 150 | -#define SSL_get_error(x,y)(* (int (*)(SSL *, int)) FUNC(5))((x), (y)) |
| 151 | -#define SSL_set_fd(x,y) (* (int (*)(SSL *, int)) FUNC(6))((x), (y)) |
| 152 | -#define SSL_new(x) (* (SSL * (*)(SSL_CTX *)) FUNC(7))(x) |
| 153 | -#define SSL_CTX_new(x) (* (SSL_CTX * (*)(SSL_METHOD *)) FUNC(8))(x) |
| 154 | -#define SSLv23_server_method() (* (SSL_METHOD * (*)(void)) FUNC(9))() |
| 155 | -#define SSL_library_init() (* (int (*)(void)) FUNC(10))() |
| 156 | -#define SSL_CTX_use_PrivateKey_file(x,y,z) (* (int (*)(SSL_CTX *, \ |
| 157 | - const char *, int)) FUNC(11))((x), (y), (z)) |
| 158 | -#define SSL_CTX_use_certificate_file(x,y,z) (* (int (*)(SSL_CTX *, \ |
| 159 | - const char *, int)) FUNC(12))((x), (y), (z)) |
| 160 | -- |
| 161 | 2.18.0 |
| 162 | |