| Message ID | 20180520202633.8175-1-jo@mein.io |
|---|---|
| State | RFC |
| Headers | show |
| Series | [OpenWrt-Devel,RFC,ustream-ssl] openssl: support OpenSSL 1.1.x API | expand |
On Sun, May 20, 2018 at 1:26 PM, Jo-Philipp Wich <jo@mein.io> wrote: > This commit changes ustream-ssl to support OpenSSL 1.1x as backend. > > OpenSSL 1.1.x made the BIO and BIO_METHOD structures opaque and > introduced new getter/setter APIs to deal with them, therfore define > forward-compat stubs for older OpenSSL versions and change the code in > ustream-io-openssl.c to only use the new API. > > The new OpenSSL version also deprecated the use of TLSv1_2_server_method() > in favor to versionless method names, therefor use TLS_server_method() for > version 1.1.0 and later. > > Finally, even the library initialization is not compatible anymore as > version 1.1.0 deprecated SSL_library_init() and SSL_load_error_string() in > favor to calling OPENSSL_init_ssl() instead, so adjust the ustream > initalization to use either variant, depending on the OpenSSL version. > > Signed-off-by: Jo-Philipp Wich <jo@mein.io> The other patch: https://github.com/openwrt/openwrt/pull/967 If deprecated APIs are disabled, there's this error: /home/mangix/devstuff/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-openssl/ustream-ssl-2018-04-30-527e7002/ustream-openssl.c: In function '__ustream_ssl_context_new': /home/mangix/devstuff/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-openssl/ustream-ssl-2018-04-30-527e7002/ustream-openssl.c:59:2: error: implicit declaration of function 'SSL_CTX_set_ecdh_auto'; did you mean 'SSL_CTX_set_dh_auto'? [-Werror=implicit-function-declaration] SSL_CTX_set_ecdh_auto(c, 1); ^~~~~~~~~~~~~~~~~~~~~ SSL_CTX_set_dh_auto cc1: all warnings being treated as errors I suggest completely removing it. It causes issues here and with WolfSSL. I believe the versionless server_method enables TLS 1.0 and 1.1, which is pointless for servers. The only point to it is to keep compatibility with outdated clients (XP, iOS < 6, Android < 4.4, etc...). The other patch also calls SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION) which is the recommended way now. > --- > ustream-io-openssl.c | 73 +++++++++++++++++++++++++++++++++++----------------- > ustream-openssl.c | 10 +++++-- > 2 files changed, 58 insertions(+), 25 deletions(-) > > diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c > index 6711055..0e45e5f 100644 > --- a/ustream-io-openssl.c > +++ b/ustream-io-openssl.c > @@ -23,13 +23,37 @@ > #include "ustream-ssl.h" > #include "ustream-internal.h" > > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > +# define BIO_get_data(b) (b->ptr) > +# define BIO_set_init(b, v) (b->init = v) > +# define BIO_set_data(b, v) (b->ptr = v) > +# define BIO_meth_set_write(m, f) (m->bwrite = f) > +# define BIO_meth_set_read(m, f) (m->bread = f) > +# define BIO_meth_set_puts(m, f) (m->bputs = f) > +# define BIO_meth_set_gets(m, f) (m->bgets = f) > +# define BIO_meth_set_ctrl(m, f) (m->ctrl = f) > +# define BIO_meth_set_create(m, f) (m->create = f) > +# define BIO_meth_set_destroy(m, f) (m->destroy = f) > + > +static BIO_METHOD *BIO_meth_new(int type, const char *name) > +{ > + BIO_METHOD *bm; > + > + bm = calloc(1, sizeof(*bm)); > + > + if (bm) { > + bm->type = type; > + bm->name = name; > + } > + > + return bm; > +} > +#endif > + > static int > s_ustream_new(BIO *b) > { > - b->init = 1; > - b->num = 0; > - b->ptr = NULL; > - b->flags = 0; > + BIO_set_init(b, 1); > return 1; > } > > @@ -39,9 +63,8 @@ s_ustream_free(BIO *b) > if (!b) > return 0; > > - b->ptr = NULL; > - b->init = 0; > - b->flags = 0; > + BIO_set_init(b, 0); > + BIO_set_data(b, NULL); > return 1; > } > > @@ -55,7 +78,7 @@ s_ustream_read(BIO *b, char *buf, int len) > if (!buf || len <= 0) > return 0; > > - s = (struct ustream *)b->ptr; > + s = (struct ustream *)BIO_get_data(b); > if (!s) > return 0; > > @@ -84,7 +107,7 @@ s_ustream_write(BIO *b, const char *buf, int len) > if (!buf || len <= 0) > return 0; > > - s = (struct ustream *)b->ptr; > + s = (struct ustream *)BIO_get_data(b); > if (!s) > return 0; > > @@ -116,25 +139,29 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, void *ptr) > }; > } > > -static BIO_METHOD methods_ustream = { > - 100 | BIO_TYPE_SOURCE_SINK, > - "ustream", > - s_ustream_write, > - s_ustream_read, > - s_ustream_puts, > - s_ustream_gets, > - s_ustream_ctrl, > - s_ustream_new, > - s_ustream_free, > - NULL, > -}; > +static BIO_METHOD *methods_ustream; > > static BIO *ustream_bio_new(struct ustream *s) > { > BIO *bio; > > - bio = BIO_new(&methods_ustream); > - bio->ptr = s; > + if (!methods_ustream) { > + methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream"); > + > + if (!methods_ustream) > + return NULL; > + > + BIO_meth_set_write(methods_ustream, s_ustream_write); > + BIO_meth_set_read(methods_ustream, s_ustream_read); > + BIO_meth_set_puts(methods_ustream, s_ustream_puts); > + BIO_meth_set_gets(methods_ustream, s_ustream_gets); > + BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl); > + BIO_meth_set_create(methods_ustream, s_ustream_new); > + BIO_meth_set_destroy(methods_ustream, s_ustream_free); > + } > + > + bio = BIO_new(methods_ustream); > + BIO_set_data(bio, s); > return bio; > } > > diff --git a/ustream-openssl.c b/ustream-openssl.c > index eb03dab..6ea6429 100644 > --- a/ustream-openssl.c > +++ b/ustream-openssl.c > @@ -30,16 +30,22 @@ __ustream_ssl_context_new(bool server) > SSL_CTX *c; > > if (!_init) { > +#if OPENSSL_VERSION_NUMBER < 0x10100000L > SSL_load_error_strings(); > SSL_library_init(); > +#else > + OPENSSL_init_ssl(0, NULL); > +#endif > _init = true; > } > > if (server) > -#ifdef CYASSL_OPENSSL_H_ > +#if defined(CYASSL_OPENSSL_H_) > m = SSLv23_server_method(); > -#else > +#elif OPENSSL_VERSION_NUMBER < 0x10100000L > m = TLSv1_2_server_method(); > +#else > + m = TLS_server_method(); > #endif > else > m = SSLv23_client_method(); > -- > 2.11.0 > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > http://lists.infradead.org/mailman/listinfo/openwrt-devel
diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c index 6711055..0e45e5f 100644 --- a/ustream-io-openssl.c +++ b/ustream-io-openssl.c @@ -23,13 +23,37 @@ #include "ustream-ssl.h" #include "ustream-internal.h" +#if OPENSSL_VERSION_NUMBER < 0x10100000L +# define BIO_get_data(b) (b->ptr) +# define BIO_set_init(b, v) (b->init = v) +# define BIO_set_data(b, v) (b->ptr = v) +# define BIO_meth_set_write(m, f) (m->bwrite = f) +# define BIO_meth_set_read(m, f) (m->bread = f) +# define BIO_meth_set_puts(m, f) (m->bputs = f) +# define BIO_meth_set_gets(m, f) (m->bgets = f) +# define BIO_meth_set_ctrl(m, f) (m->ctrl = f) +# define BIO_meth_set_create(m, f) (m->create = f) +# define BIO_meth_set_destroy(m, f) (m->destroy = f) + +static BIO_METHOD *BIO_meth_new(int type, const char *name) +{ + BIO_METHOD *bm; + + bm = calloc(1, sizeof(*bm)); + + if (bm) { + bm->type = type; + bm->name = name; + } + + return bm; +} +#endif + static int s_ustream_new(BIO *b) { - b->init = 1; - b->num = 0; - b->ptr = NULL; - b->flags = 0; + BIO_set_init(b, 1); return 1; } @@ -39,9 +63,8 @@ s_ustream_free(BIO *b) if (!b) return 0; - b->ptr = NULL; - b->init = 0; - b->flags = 0; + BIO_set_init(b, 0); + BIO_set_data(b, NULL); return 1; } @@ -55,7 +78,7 @@ s_ustream_read(BIO *b, char *buf, int len) if (!buf || len <= 0) return 0; - s = (struct ustream *)b->ptr; + s = (struct ustream *)BIO_get_data(b); if (!s) return 0; @@ -84,7 +107,7 @@ s_ustream_write(BIO *b, const char *buf, int len) if (!buf || len <= 0) return 0; - s = (struct ustream *)b->ptr; + s = (struct ustream *)BIO_get_data(b); if (!s) return 0; @@ -116,25 +139,29 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, void *ptr) }; } -static BIO_METHOD methods_ustream = { - 100 | BIO_TYPE_SOURCE_SINK, - "ustream", - s_ustream_write, - s_ustream_read, - s_ustream_puts, - s_ustream_gets, - s_ustream_ctrl, - s_ustream_new, - s_ustream_free, - NULL, -}; +static BIO_METHOD *methods_ustream; static BIO *ustream_bio_new(struct ustream *s) { BIO *bio; - bio = BIO_new(&methods_ustream); - bio->ptr = s; + if (!methods_ustream) { + methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream"); + + if (!methods_ustream) + return NULL; + + BIO_meth_set_write(methods_ustream, s_ustream_write); + BIO_meth_set_read(methods_ustream, s_ustream_read); + BIO_meth_set_puts(methods_ustream, s_ustream_puts); + BIO_meth_set_gets(methods_ustream, s_ustream_gets); + BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl); + BIO_meth_set_create(methods_ustream, s_ustream_new); + BIO_meth_set_destroy(methods_ustream, s_ustream_free); + } + + bio = BIO_new(methods_ustream); + BIO_set_data(bio, s); return bio; } diff --git a/ustream-openssl.c b/ustream-openssl.c index eb03dab..6ea6429 100644 --- a/ustream-openssl.c +++ b/ustream-openssl.c @@ -30,16 +30,22 @@ __ustream_ssl_context_new(bool server) SSL_CTX *c; if (!_init) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_load_error_strings(); SSL_library_init(); +#else + OPENSSL_init_ssl(0, NULL); +#endif _init = true; } if (server) -#ifdef CYASSL_OPENSSL_H_ +#if defined(CYASSL_OPENSSL_H_) m = SSLv23_server_method(); -#else +#elif OPENSSL_VERSION_NUMBER < 0x10100000L m = TLSv1_2_server_method(); +#else + m = TLS_server_method(); #endif else m = SSLv23_client_method();
This commit changes ustream-ssl to support OpenSSL 1.1x as backend. OpenSSL 1.1.x made the BIO and BIO_METHOD structures opaque and introduced new getter/setter APIs to deal with them, therfore define forward-compat stubs for older OpenSSL versions and change the code in ustream-io-openssl.c to only use the new API. The new OpenSSL version also deprecated the use of TLSv1_2_server_method() in favor to versionless method names, therefor use TLS_server_method() for version 1.1.0 and later. Finally, even the library initialization is not compatible anymore as version 1.1.0 deprecated SSL_library_init() and SSL_load_error_string() in favor to calling OPENSSL_init_ssl() instead, so adjust the ustream initalization to use either variant, depending on the OpenSSL version. Signed-off-by: Jo-Philipp Wich <jo@mein.io> --- ustream-io-openssl.c | 73 +++++++++++++++++++++++++++++++++++----------------- ustream-openssl.c | 10 +++++-- 2 files changed, 58 insertions(+), 25 deletions(-)