Skip to content
Snippets Groups Projects
Commit 8e6145ca authored by Jan de Groot's avatar Jan de Groot
Browse files

OpenSSL 1.1

parent 4d5b07e6
No related branches found
No related tags found
No related merge requests found
......@@ -2,7 +2,7 @@
pkgname=opensips
pkgver=2.2.2
pkgrel=3
pkgrel=4
pkgdesc="An Open Source SIP Server able to act as a SIP proxy, registrar, location server, redirect server ..."
url="http://www.opensips.org"
depends=('gcc-libs' 'openssl' 'db' 'attr' 'libxml2')
......@@ -16,16 +16,18 @@ optdepends=('postgresql-libs'
'python2'
'pcre')
backup=("etc/opensips/opensips.cfg"
"etc/opensips/dictionary.radius"
"etc/opensips/osipsconsolerc"
"etc/opensips/opensipsctlrc")
arch=('i686' 'x86_64')
license=('GPL')
install=opensips.install
options=('!emptydirs' 'zipman' '!makeflags' 'docs')
source=(https://opensips.org/pub/opensips/${pkgver}/opensips-${pkgver}.tar.gz
opensips.service)
opensips.service
port-tls-1.1.0.patch)
sha256sums=('a21777b37c3669617d24b97697dc3f4e613ec87b292f4541cf956a2d539e70c4'
'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819')
'c2fec4be085b108db10834fa9832e98d696c2de6408f85f96cf89c13bf6be819'
'1ad2558c329a1b41948ff9ef1c8169289b38500ce8183e50bae653ef82afdbec')
prepare() {
cd "$srcdir"/$pkgname-$pkgver/
......@@ -38,6 +40,8 @@ prepare() {
sed -i 's|sbin|bin|g' Makefile
sed -i 's|bin-dir = sbin/|bin-dir = bin/|' Makefile.defs
patch -Np1 -i ../port-tls-1.1.0.patch
}
_modules="ldap db_mysql db_postgres db_unixodbc presence presence_xml h350 proto_tls tlsops tls_mgm db_http httpd tm rr"
......
Description: Port tls_mgm module to openssl 1.1.0.
Author: Răzvan Crainea <razvan@opensips.org>
Last-Update: 2016-12-01
--- a/modules/tls_mgm/tls.h
+++ b/modules/tls_mgm/tls.h
@@ -64,41 +64,50 @@
#warning ""
#endif
-static int tls_static_locks_no=0;
-static gen_lock_set_t* tls_static_locks=NULL;
-
static SSL_METHOD *ssl_methods[TLS_USE_TLSv1_2 + 1];
#define VERIFY_DEPTH_S 3
-struct CRYPTO_dynlock_value {
- gen_lock_t lock;
-};
-
-static unsigned long tls_get_id(void)
-{
- return my_pid();
-}
-
/*
* Wrappers around OpenSIPS shared memory functions
* (which can be macros)
*/
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void* os_malloc(size_t size, const char *file, int line)
+#else
static void* os_malloc(size_t size)
+#endif
{
+#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ return _shm_malloc(size, file, __FUNCTION__, line);
+#else
return shm_malloc(size);
+#endif
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void* os_realloc(void *ptr, size_t size, const char *file, int line)
+#else
static void* os_realloc(void *ptr, size_t size)
+#endif
{
+#if (defined DBG_MALLOC && OPENSSL_VERSION_NUMBER >= 0x10100000L)
+ return _shm_realloc(ptr, size, file, __FUNCTION__, line);
+#else
return shm_realloc(ptr, size);
+#endif
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+static void os_free(void *ptr, const char *file, int line)
+#else
static void os_free(void *ptr)
+#endif
{
+ /* TODO: also handle free file and line */
if (ptr)
shm_free(ptr);
}
@@ -106,21 +115,17 @@
-static void tls_static_locks_ops(int mode, int n, const char* file, int line)
-{
- if (n<0 || n>tls_static_locks_no) {
- LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
- abort();
- }
+/* these locks can not be used in 1.1.0, because the interface has changed */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+struct CRYPTO_dynlock_value {
+ gen_lock_t lock;
+};
- if (mode & CRYPTO_LOCK) {
- lock_set_get(tls_static_locks,n);
- } else {
- lock_set_release(tls_static_locks,n);
- }
+static unsigned long tls_get_id(void)
+{
+ return my_pid();
}
-
static struct CRYPTO_dynlock_value* tls_dyn_lock_create(const char* file,
int line)
{
@@ -158,5 +163,6 @@
lock_destroy(&dyn_lock->lock);
shm_free(dyn_lock);
}
+#endif
#endif /* _PROTO_TLS_H_ */
--- a/modules/tls_mgm/tls_conn_ops.h
+++ b/modules/tls_mgm/tls_conn_ops.h
@@ -116,12 +116,14 @@
return -1;
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_KRB5
if ( ((SSL *)c->extra_data)->kssl_ctx ) {
kssl_ctx_free( ((SSL *)c->extra_data)->kssl_ctx );
((SSL *)c->extra_data)->kssl_ctx = 0;
}
#endif
+#endif
if ( c->proto_flags & F_TLS_DO_ACCEPT ) {
LM_DBG("Setting in ACCEPT mode (server)\n");
--- a/modules/tls_mgm/tls_conn_server.h
+++ b/modules/tls_mgm/tls_conn_server.h
@@ -148,17 +148,21 @@
}
ssl = (SSL *) c->extra_data;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_KRB5
if ( ssl->kssl_ctx==NULL )
ssl->kssl_ctx = kssl_ctx_new( );
#endif
+#endif
ret = SSL_accept(ssl);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
#ifndef OPENSSL_NO_KRB5
if ( ssl->kssl_ctx ) {
kssl_ctx_free( ssl->kssl_ctx );
ssl->kssl_ctx = 0;
}
#endif
+#endif
if (ret > 0) {
LM_INFO("New TLS connection from %s:%d accepted\n",
ip_addr2a(&c->rcv.src_ip), c->rcv.src_port);
--- a/modules/tls_mgm/tls_mgm.c
+++ b/modules/tls_mgm/tls_mgm.c
@@ -557,11 +557,10 @@
LM_NOTICE("subject = %s\n", buf);
LM_NOTICE("verify error:num=%d:%s\n",
err, X509_verify_cert_error_string(err));
- LM_NOTICE("error code is %d\n", ctx->error);
- switch (ctx->error) {
+ switch (err) {
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert),
+ X509_NAME_oneline(X509_get_issuer_name(err_cert),
buf,sizeof buf);
LM_NOTICE("issuer= %s\n",buf);
break;
@@ -611,7 +610,7 @@
default:
LM_NOTICE("something wrong with the cert"
- " ... error code is %d (check x509_vfy.h)\n", ctx->error);
+ " ... error code is %d (check x509_vfy.h)\n", err);
break;
}
@@ -1074,9 +1073,11 @@
return 0;
}
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
static int check_for_krb(void)
{
SSL_CTX *xx;
+
int j;
xx = SSL_CTX_new(ssl_methods[tls_default_method - 1]);
@@ -1096,6 +1097,27 @@
SSL_CTX_free(xx);
return 0;
}
+#endif
+
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+static int tls_static_locks_no=0;
+static gen_lock_set_t* tls_static_locks=NULL;
+
+static void tls_static_locks_ops(int mode, int n, const char* file, int line)
+{
+ if (n<0 || n>tls_static_locks_no) {
+ LM_ERR("BUG - SSL Lib attempting to acquire bogus lock\n");
+ abort();
+ }
+
+ if (mode & CRYPTO_LOCK) {
+ lock_set_get(tls_static_locks,n);
+ } else {
+ lock_set_release(tls_static_locks,n);
+ }
+}
+
+
static int tls_init_multithread(void)
{
@@ -1126,6 +1148,7 @@
return 0;
}
+#endif
/*
* initialize ssl methods
@@ -1135,19 +1158,31 @@
{
LM_DBG("entered\n");
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLS_client_method();
+ ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLS_server_method();
+ ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLS_method();
+#else
ssl_methods[TLS_USE_TLSv1_cli-1] = (SSL_METHOD*)TLSv1_client_method();
ssl_methods[TLS_USE_TLSv1_srv-1] = (SSL_METHOD*)TLSv1_server_method();
ssl_methods[TLS_USE_TLSv1-1] = (SSL_METHOD*)TLSv1_method();
+#endif
ssl_methods[TLS_USE_SSLv23_cli-1] = (SSL_METHOD*)SSLv23_client_method();
ssl_methods[TLS_USE_SSLv23_srv-1] = (SSL_METHOD*)SSLv23_server_method();
ssl_methods[TLS_USE_SSLv23-1] = (SSL_METHOD*)SSLv23_method();
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLS_client_method();
+ ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLS_server_method();
+ ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLS_method();
+#else
ssl_methods[TLS_USE_TLSv1_2_cli-1] = (SSL_METHOD*)TLSv1_2_client_method();
ssl_methods[TLS_USE_TLSv1_2_srv-1] = (SSL_METHOD*)TLSv1_2_server_method();
ssl_methods[TLS_USE_TLSv1_2-1] = (SSL_METHOD*)TLSv1_2_method();
#endif
+#endif
}
/* reloads data from the db */
@@ -1273,10 +1308,10 @@
* CRYPTO_malloc will set allow_customize in openssl to 0
*/
if (!CRYPTO_set_mem_functions(os_malloc, os_realloc, os_free)) {
- LM_ERR("unable to set the memory allocation functions\n");
- LM_ERR("NOTE: check if you have openssl 1.0.1e-fips, as this "
- "version is know to be broken; if so, you need to upgrade or "
- "downgrade to a differen openssl version !!\n");
+ LM_ERR("NOTE: check if you are using openssl 1.0.1e-fips, (or other "
+ "FIPS version of openssl, as this is known to be broken; if so, "
+ "you need to upgrade or downgrade to a different openssl version!\n");
+ LM_ERR("current version: %s\n", SSLeay_version(SSLEAY_VERSION));
return -1;
}
@@ -1291,15 +1326,18 @@
sk_SSL_COMP_zero(comp_methods);
}
#endif
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
if (tls_init_multithread() < 0) {
LM_ERR("failed to init multi-threading support\n");
return -1;
}
+#endif
SSL_library_init();
SSL_load_error_strings();
init_ssl_methods();
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
n = check_for_krb();
if (n==-1) {
LM_ERR("kerberos check failed\n");
@@ -1318,6 +1356,7 @@
(n==1)?"":"no ",(n!=1)?"no ":"");
return -1;
}
+#endif
/*
* finish setting up the tls default domains
--- a/modules/identity/identity.c
+++ b/modules/identity/identity.c
@@ -107,6 +107,9 @@
#include "identity.h"
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define EVP_MD_CTX_free EVP_MD_CTX_cleanup
+#endif
/* parameters */
@@ -831,7 +834,11 @@
{
#define IDENTITY_HDR_S "Identity: \""
#define IDENTITY_HDR_L (sizeof(IDENTITY_HDR_S)-1)
- EVP_MD_CTX ctx;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *pctx;
+#else
+ EVP_MD_CTX ctx, *pctx = &ctx;
+#endif
unsigned int siglen = 0;
int b64len = 0;
unsigned char * sig = NULL;
@@ -843,27 +850,30 @@
LM_ERR("error making digest string\n");
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ pctx = EVP_MD_CTX_new();
+#endif
- EVP_SignInit(&ctx, EVP_sha1());
+ EVP_SignInit(pctx, EVP_sha1());
- EVP_SignUpdate(&ctx, digestString, strlen(digestString));
+ EVP_SignUpdate(pctx, digestString, strlen(digestString));
sig = pkg_malloc(EVP_PKEY_size(privKey_evp));
if(!sig)
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
LM_ERR("failed allocating memory\n");
return 0;
}
- if(!EVP_SignFinal(&ctx, sig, &siglen, privKey_evp))
+ if(!EVP_SignFinal(pctx, sig, &siglen, privKey_evp))
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
pkg_free(sig);
LM_ERR("error calculating signature\n");
return 0;
}
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
/* ###Base64-encoding### */
/* annotation: The next few lines are based on example 7-11 of [VIE-02] */
@@ -1138,6 +1148,10 @@
const unsigned char * data;
STACK_OF(CONF_VALUE) * val;
CONF_VALUE * nval;
+ int len;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ ASN1_OCTET_STRING *adata;
+#endif
if(!cert || !msg)
{
@@ -1190,15 +1204,22 @@
LM_ERR("X509V3_EXT_get failed\n");
return 0;
}
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ adata = X509_EXTENSION_get_data(cext);
+ data = ASN1_STRING_get0_data(adata);
+ len = ASN1_STRING_length(adata);
+#else
data = cext->value->data;
+ len = cext->value->length;
+#endif
if(meth->it)
{
ext_str = ASN1_item_d2i(NULL, &data,
- cext->value->length, ASN1_ITEM_ptr(meth->it));
+ len, ASN1_ITEM_ptr(meth->it));
}
else
{
- ext_str = meth->d2i(NULL, &data, cext->value->length);
+ ext_str = meth->d2i(NULL, &data, len);
}
val = meth->i2v(meth, ext_str, NULL);
@@ -1251,7 +1272,11 @@
int siglen = -1;
unsigned char * sigbuf = NULL;
int b64len = 0;
- EVP_MD_CTX ctx;
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ EVP_MD_CTX *pctx;
+#else
+ EVP_MD_CTX ctx, *pctx = &ctx;
+#endif
int result = 0;
char *p;
unsigned long err;
@@ -1295,22 +1320,25 @@
p=strstr(identityHF , "=");
siglen-=strspn(p , "=");
- EVP_VerifyInit(&ctx, EVP_sha1());
- EVP_VerifyUpdate(&ctx, digestString, strlen(digestString));
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ pctx = EVP_MD_CTX_new();
+#endif
+ EVP_VerifyInit(pctx, EVP_sha1());
+ EVP_VerifyUpdate(pctx, digestString, strlen(digestString));
pubkey = X509_get_pubkey(cert);
if(!pubkey)
{
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
pkg_free(sigbuf);
LM_ERR("error reading pubkey from cert\n");
return 0;
}
- result = EVP_VerifyFinal(&ctx, sigbuf, siglen, pubkey);
+ result = EVP_VerifyFinal(pctx, sigbuf, siglen, pubkey);
EVP_PKEY_free(pubkey);
- EVP_MD_CTX_cleanup(&ctx);
+ EVP_MD_CTX_free(pctx);
pkg_free(sigbuf);
switch(result)
@@ -1715,8 +1743,9 @@
{
if (!ok)
{
+ int err = X509_STORE_CTX_get_error(stor);
LM_INFO("certificate validation failed: %s\n",
- X509_verify_cert_error_string(stor->error));
+ X509_verify_cert_error_string(err));
}
return ok;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment