[OpenWrt-Devel,v3,1/3] ustream-ssl: add openssl-1.1.0 compatibility

Message ID mailman.4710.1529121856.25356.openwrt-devel@lists.openwrt.org
State New
Delegated to: Felix Fietkau
Headers show
Series
  • [OpenWrt-Devel,v3,1/3] ustream-ssl: add openssl-1.1.0 compatibility
Related show

Commit Message

Michał Kępień via openwrt-devel June 16, 2018, 4:05 a.m.
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.

To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Patch to compile ustream-ssl with openssl-1.1.0, maintaining
compatibility with openssl 1.0.2.

Fixed flag handling in ustream-io-openssl.c.

Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
---
 openssl_bio_compat.h | 33 +++++++++++++++++++++++++++++++++
 ustream-io-openssl.c | 46 ++++++++++++++++++++++------------------------
 ustream-openssl.c    | 30 +++++++++++++++++++-----------
 3 files changed, 74 insertions(+), 35 deletions(-)
 create mode 100644 openssl_bio_compat.h

Patch

diff --git a/openssl_bio_compat.h b/openssl_bio_compat.h
new file mode 100644
index 0000000..9355c86
--- /dev/null
+++ b/openssl_bio_compat.h
@@ -0,0 +1,33 @@ 
+#ifndef OPENSSL_BIO_COMPAT_H
+#define OPENSSL_BIO_COMPAT_H
+
+#include <openssl/opensslv.h>
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+#include <openssl/bio.h>
+#include <string.h>
+
+#define BIO_get_data(b) (b->ptr)
+#define BIO_set_data(b, v) (b->ptr = v)
+#define BIO_set_init(b, v) (b->init = v)
+#define BIO_meth_set_write(m, f) (m->bwrite = f)
+#define BIO_meth_set_read(m, f) (m->bread = f)
+#define BIO_meth_set_puts(m, f) (m->bputs = f)
+#define BIO_meth_set_gets(m, f) (m->bgets = f)
+#define BIO_meth_set_ctrl(m, f) (m->ctrl = f)
+#define BIO_meth_set_create(m, f) (m->create = f)
+#define BIO_meth_set_destroy(m, f) (m->destroy = f)
+
+static inline BIO_METHOD *BIO_meth_new(int type, const char *name)
+{
+	BIO_METHOD *bm = calloc(1, sizeof(BIO_METHOD));
+	if (bm) {
+		bm->type = type;
+		bm->name = name;
+	}
+	return bm;
+}
+
+#endif /* OPENSSL_VERSION_NUMBER */
+
+#endif /* OPENSSL_BIO_COMPAT_H */
diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c
index 6711055..606ed4a 100644
--- a/ustream-io-openssl.c
+++ b/ustream-io-openssl.c
@@ -21,15 +21,15 @@ 
 #include <libubox/ustream.h>
 
 #include "ustream-ssl.h"
+#include "openssl_bio_compat.h"
 #include "ustream-internal.h"
 
 static int
 s_ustream_new(BIO *b)
 {
-	b->init = 1;
-	b->num = 0;
-	b->ptr = NULL;
-	b->flags = 0;
+	BIO_set_init(b, 1);
+	BIO_set_data(b, NULL);
+	BIO_clear_flags(b, ~0);
 	return 1;
 }
 
@@ -39,9 +39,9 @@  s_ustream_free(BIO *b)
 	if (!b)
 		return 0;
 
-	b->ptr = NULL;
-	b->init = 0;
-	b->flags = 0;
+	BIO_set_data(b, NULL);
+	BIO_set_init(b, 0);
+	BIO_clear_flags(b, ~0);
 	return 1;
 }
 
@@ -55,7 +55,7 @@  s_ustream_read(BIO *b, char *buf, int len)
 	if (!buf || len <= 0)
 		return 0;
 
-	s = (struct ustream *)b->ptr;
+	s = (struct ustream *)BIO_get_data(b);
 	if (!s)
 		return 0;
 
@@ -84,7 +84,7 @@  s_ustream_write(BIO *b, const char *buf, int len)
 	if (!buf || len <= 0)
 		return 0;
 
-	s = (struct ustream *)b->ptr;
+	s = (struct ustream *)BIO_get_data(b);
 	if (!s)
 		return 0;
 
@@ -116,25 +116,23 @@  static long s_ustream_ctrl(BIO *b, int cmd, long num, void *ptr)
 	};
 }
 
-static BIO_METHOD methods_ustream = {
-	100 | BIO_TYPE_SOURCE_SINK,
-	"ustream",
-	s_ustream_write,
-	s_ustream_read,
-	s_ustream_puts,
-	s_ustream_gets,
-	s_ustream_ctrl,
-	s_ustream_new,
-	s_ustream_free,
-	NULL,
-};
-
 static BIO *ustream_bio_new(struct ustream *s)
 {
 	BIO *bio;
 
-	bio = BIO_new(&methods_ustream);
-	bio->ptr = s;
+	BIO_METHOD *methods_ustream;
+
+	methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
+	BIO_meth_set_write(methods_ustream, s_ustream_write);
+	BIO_meth_set_read(methods_ustream, s_ustream_read);
+	BIO_meth_set_puts(methods_ustream, s_ustream_puts);
+	BIO_meth_set_gets(methods_ustream, s_ustream_gets);
+	BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
+	BIO_meth_set_create(methods_ustream, s_ustream_new);
+	BIO_meth_set_destroy(methods_ustream, s_ustream_free);
+	bio = BIO_new(methods_ustream);
+	BIO_set_data(bio, s);
+
 	return bio;
 }
 
diff --git a/ustream-openssl.c b/ustream-openssl.c
index 91bc4e8..c6839ea 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -25,35 +25,43 @@ 
 __hidden struct ustream_ssl_ctx *
 __ustream_ssl_context_new(bool server)
 {
-	static bool _init = false;
 	const void *m;
 	SSL_CTX *c;
 
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+	static bool _init = false;
+
 	if (!_init) {
 		SSL_load_error_strings();
 		SSL_library_init();
 		_init = true;
 	}
-
-	if (server)
-#ifdef CYASSL_OPENSSL_H_
-		m = SSLv23_server_method();
-#else
-		m = TLSv1_2_server_method();
+# define TLS_server_method SSLv23_server_method
+# define TLS_client_method SSLv23_client_method
 #endif
-	else
-		m = SSLv23_client_method();
+
+	if (server) {
+		m = TLS_server_method();
+	} else
+		m = TLS_client_method();
 
 	c = SSL_CTX_new((void *) m);
 	if (!c)
 		return NULL;
 
 	SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
-#if !defined(OPENSSL_NO_ECDH) && !defined(CYASSL_OPENSSL_H_)
+	SSL_CTX_set_options (c, SSL_OP_NO_COMPRESSION); /* avoid CRIME attack */
+#if !defined(OPENSSL_NO_ECDH) && !defined(CYASSL_OPENSSL_H_) && OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_CTX_set_ecdh_auto(c, 1);
 #endif
-	if (server)
+	if (server) {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION);
+#else
+		SSL_CTX_set_options (c, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
+#endif
 		SSL_CTX_set_cipher_list(c, "DEFAULT:!RC4:@STRENGTH");
+	}
 	SSL_CTX_set_quiet_shutdown(c, 1);
 
 	return (void *) c;