summaryrefslogtreecommitdiffstats
path: root/tcpd
diff options
context:
space:
mode:
Diffstat (limited to 'tcpd')
-rw-r--r--tcpd/configure.ac25
-rw-r--r--tcpd/libcouriertls.c34
-rw-r--r--tcpd/tlspasswordcache.c146
3 files changed, 150 insertions, 55 deletions
diff --git a/tcpd/configure.ac b/tcpd/configure.ac
index abbad25..13aec55 100644
--- a/tcpd/configure.ac
+++ b/tcpd/configure.ac
@@ -506,6 +506,31 @@ RAND_pseudo_bytes(dummy, 1);
[ Whether OpenSSL 0.9.7 is installed ])
], [
AC_MSG_RESULT(no)
+
+
+
+ AC_MSG_CHECKING(for OpenSSL 1.1.0)
+ AC_TRY_LINK( [
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+],
+[
+char dummy[1];
+unsigned char a[1], b[1];
+
+EVP_CIPHER_CTX *ctx=EVP_CIPHER_CTX_new();
+EVP_EncryptInit_ex(ctx, EVP_des_cbc(), NULL, a, b);
+RAND_bytes(dummy, 1);
+
+], [
+ CRYPTLIBS="-lcrypto $KRBLIBS"
+ AC_MSG_RESULT(yes)
+ AC_DEFINE_UNQUOTED(HAVE_OPENSSL110, 1,
+ [ Whether OpenSSL 1.1.0 is installed ])
+], [
+ AC_MSG_RESULT(no)
+])
+
]
)
LIBS="-lssl $LIBS"
diff --git a/tcpd/libcouriertls.c b/tcpd/libcouriertls.c
index 321b812..8144395 100644
--- a/tcpd/libcouriertls.c
+++ b/tcpd/libcouriertls.c
@@ -62,6 +62,7 @@ struct proto_ops {
};
struct proto_ops op_list[] =
{
+#ifndef HAVE_OPENSSL110
#ifdef HAVE_TLSV1_2_METHOD
{ "TLSv1.2+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1 },
{ "TLSv1.2", &TLSv1_2_method, SSL_OP_ALL },
@@ -70,9 +71,11 @@ struct proto_ops op_list[] =
{ "TLSv1.1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1 },
{ "TLSv1.1", &TLSv1_1_method, SSL_OP_ALL },
#endif
- { "TLSv1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
{ "TLSv1", &TLSv1_method, SSL_OP_ALL },
{ "TLS1", &TLSv1_method, SSL_OP_ALL },
+#endif
+
+ { "TLSv1+", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
{ "", &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
{ NULL, &SSLv23_method, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3 },
};
@@ -184,7 +187,7 @@ static int verifypeer(const struct tls_info *info, SSL *ssl)
ASN1_STRING *d;
int dlen;
- unsigned char *ddata;
+ const unsigned char *ddata;
e=X509_NAME_get_entry(subj, j);
if (!e)
@@ -199,8 +202,11 @@ static int verifypeer(const struct tls_info *info, SSL *ssl)
obj_name=OBJ_nid2sn(OBJ_obj2nid(o));
dlen=ASN1_STRING_length(d);
+#ifdef HAVE_OPENSSL110
+ ddata=ASN1_STRING_get0_data(d);
+#else
ddata=ASN1_STRING_data(d);
-
+#endif
if (strcasecmp(obj_name, "CN") == 0)
{
if (dlen >= sizeof(domain)-1)
@@ -811,8 +817,14 @@ void tls_destroy(SSL_CTX *ctx)
static int cache_add(SSL *ssl, SSL_SESSION *sess);
+#ifdef HAVE_OPENSSL110
+static SSL_SESSION *cache_get(SSL *ssl, const unsigned char *id, int id_len,
+ int *copyflag);
+#else
static SSL_SESSION *cache_get(SSL *ssl, unsigned char *id, int id_len,
int *copyflag);
+#endif
+
static void cache_del(SSL_CTX *ctx, SSL_SESSION *ssl);
static void init_session_cache(struct tls_info *info, SSL_CTX *ctx)
@@ -889,7 +901,7 @@ static int cache_add(SSL *ssl, SSL_SESSION *sess)
}
struct walk_info {
- unsigned char *id;
+ const unsigned char *id;
int id_len;
int *copyflag;
SSL_SESSION *ret;
@@ -899,8 +911,13 @@ struct walk_info {
static int get_func(void *rec, size_t recsize,
int *doupdate, void *arg);
+#ifdef HAVE_OPENSSL110
+static SSL_SESSION *cache_get(SSL *ssl, const unsigned char *id, int id_len,
+ int *copyflag)
+#else
static SSL_SESSION *cache_get(SSL *ssl, unsigned char *id, int id_len,
int *copyflag)
+#endif
{
const struct tls_info *info=SSL_get_app_data(ssl);
struct walk_info wi;
@@ -1143,7 +1160,10 @@ void tls_disconnect(SSL *ssl, int fd)
fcntl(fd, F_SETFL, 0);
SSL_set_shutdown(ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_free(ssl);
+#ifdef HAVE_OPENSSL110
+#else
ERR_remove_state(0);
+#endif
}
/* --------------------------------------- */
@@ -1408,7 +1428,7 @@ static void dump_x509(X509 *x509,
ASN1_STRING *d;
int dlen;
- unsigned char *ddata;
+ const unsigned char *ddata;
e=X509_NAME_get_entry(subj, j);
if (!e)
@@ -1423,7 +1443,11 @@ static void dump_x509(X509 *x509,
obj_name=OBJ_nid2sn(OBJ_obj2nid(o));
dlen=ASN1_STRING_length(d);
+#ifdef HAVE_OPENSSL110
+ ddata=ASN1_STRING_get0_data(d);
+#else
ddata=ASN1_STRING_data(d);
+#endif
(*dump_func)(" ", -1, dump_arg);
(*dump_func)(obj_name, -1, dump_arg);
diff --git a/tcpd/tlspasswordcache.c b/tcpd/tlspasswordcache.c
index 5f3ca2b..e26b72e 100644
--- a/tcpd/tlspasswordcache.c
+++ b/tcpd/tlspasswordcache.c
@@ -23,7 +23,25 @@ static void sslerror(EVP_CIPHER_CTX *ctx, const char *pfix)
{
char errmsg[256];
int errnum=ERR_get_error();
-
+
+ ERR_error_string_n(errnum, errmsg, sizeof(errmsg)-1);
+
+ fprintf(stderr, "%s: %s\n", pfix, errmsg);
+}
+
+
+#endif
+
+#if HAVE_OPENSSL110
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <openssl/rand.h>
+
+static void sslerror(EVP_CIPHER_CTX *ctx, const char *pfix)
+{
+ char errmsg[256];
+ int errnum=ERR_get_error();
+
ERR_error_string_n(errnum, errmsg, sizeof(errmsg)-1);
fprintf(stderr, "%s: %s\n", pfix, errmsg);
@@ -202,7 +220,7 @@ static int EVP_EncryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *out,
if (!EVP_EncryptUpdate(ctx, out, &n_outl, &pad, 1))
return 0;
-
+
out += n_outl;
*outl += n_outl;
}
@@ -331,6 +349,30 @@ static int EVP_DecryptFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm,
#define HAVE_OPENSSL097 1
#endif
+
+#if HAVE_OPENSSL110
+
+#define RANDOM_BYTES RAND_bytes
+
+typedef EVP_CIPHER_CTX *CIPHER_CONTEXT;
+
+#define CIPHER_INIT(p) (p=EVP_CIPHER_CTX_new())
+#define CIPHER_CLEANUP(p) (EVP_CIPHER_CTX_free(p))
+#define HAVE_OPENSSL097 1
+#define RANDOM_BYTES RAND_bytes
+#define CONTEXT(ctx) (*(ctx))
+#else
+
+typedef EVP_CIPHER_CTX CIPHER_CONTEXT;
+
+#define CIPHER_INIT(p) EVP_CIPHER_CTX_init(&p)
+#define CIPHER_CLEANUP(p) EVP_CIPHER_CTX_cleanup(&p)
+#define RANDOM_BYTES RAND_pseudo_bytes
+
+#define CONTEXT(ctx) (ctx)
+#endif
+
+
#if HAVE_OPENSSL097
#if BUFSIZ < 8192
@@ -343,7 +385,7 @@ int tlspassword_init()
return 1;
}
-static int save_string(EVP_CIPHER_CTX *,
+static int save_string(CIPHER_CONTEXT *,
const char *, char *,
int (*)(const char *, size_t, void *),
void *);
@@ -363,22 +405,22 @@ int tlspassword_save( const char * const *urls,
unsigned char iv2_buf[16];
MD5_DIGEST md5_password;
int iv_len, key_len;
- EVP_CIPHER_CTX ctx;
+ CIPHER_CONTEXT ctx;
const EVP_CIPHER *des=EVP_des_cbc();
md5_digest(mpw, strlen(mpw), md5_password);
- EVP_CIPHER_CTX_init(&ctx);
+ CIPHER_INIT(ctx);
iv_len=EVP_CIPHER_iv_length(des);
key_len=EVP_CIPHER_key_length(des);
- if (RAND_pseudo_bytes(iv1_buf, sizeof(iv1_buf)) < 0 ||
- RAND_pseudo_bytes(iv2_buf, sizeof(iv2_buf)) < 0)
+ if (RANDOM_BYTES(iv1_buf, sizeof(iv1_buf)) < 0 ||
+ RANDOM_BYTES(iv2_buf, sizeof(iv2_buf)) < 0)
{
fprintf(stderr,
"tlspassword_save: internal error - "
- "RAND_pseudo_bytes() failed.\n");
- EVP_CIPHER_CTX_cleanup(&ctx);
+ "RANDOM_BYTES() failed.\n");
+ CIPHER_CLEANUP(ctx);
errno=EIO;
return -1;
}
@@ -390,27 +432,27 @@ int tlspassword_save( const char * const *urls,
fprintf(stderr,
"tlspassword_save: internal error - "
"unexpected key sizes.\n");
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
errno=EIO;
return -1;
}
p=buf+3;
- if (!EVP_EncryptInit_ex(&ctx, des, NULL,
+ if (!EVP_EncryptInit_ex(CONTEXT(&ctx), des, NULL,
(unsigned char *)md5_password,
iv1_buf) ||
- !EVP_EncryptUpdate(&ctx, (unsigned char *)p, &l,
+ !EVP_EncryptUpdate(CONTEXT(&ctx), (unsigned char *)p, &l,
(unsigned char *)md5_password + key_len,
sizeof(md5_password)-key_len) ||
- !EVP_EncryptUpdate(&ctx, (unsigned char *)(p += l), &l,
+ !EVP_EncryptUpdate(CONTEXT(&ctx), (unsigned char *)(p += l), &l,
iv2_buf,
iv_len + key_len) ||
- !EVP_EncryptFinal_ex(&ctx, (unsigned char *)(p += l), &l))
+ !EVP_EncryptFinal_ex(CONTEXT(&ctx), (unsigned char *)(p += l), &l))
{
- sslerror(&ctx, "EVP_EncryptInit_ex");
- EVP_CIPHER_CTX_cleanup(&ctx);
+ sslerror(CONTEXT(&ctx), "EVP_EncryptInit_ex");
+ CIPHER_CLEANUP(ctx);
errno=EIO;
return -1;
}
@@ -446,12 +488,12 @@ int tlspassword_save( const char * const *urls,
}
#endif
- if (!EVP_EncryptInit_ex(&ctx, des, NULL,
+ if (!EVP_EncryptInit_ex(CONTEXT(&ctx), des, NULL,
(unsigned char *)&iv2_buf,
(unsigned char *)&iv2_buf + key_len))
{
- sslerror(&ctx, "EVP_EncryptInit_ex");
- EVP_CIPHER_CTX_cleanup(&ctx);
+ sslerror(CONTEXT(&ctx), "EVP_EncryptInit_ex");
+ CIPHER_CLEANUP(ctx);
errno=EIO;
return -1;
}
@@ -469,10 +511,10 @@ int tlspassword_save( const char * const *urls,
return n;
}
- if (!EVP_EncryptFinal_ex(&ctx, (unsigned char *)buf, &l))
+ if (!EVP_EncryptFinal_ex(CONTEXT(&ctx), (unsigned char *)buf, &l))
{
- sslerror(&ctx, "EVP_EncryptInit_ex");
- EVP_CIPHER_CTX_cleanup(&ctx);
+ sslerror(CONTEXT(&ctx), "EVP_EncryptInit_ex");
+ CIPHER_CLEANUP(ctx);
errno=EIO;
return -1;
}
@@ -480,11 +522,11 @@ int tlspassword_save( const char * const *urls,
if (l)
l=(*writefunc)(buf, l, writefuncarg);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return l;
}
-static int save_string(EVP_CIPHER_CTX *ctx,
+static int save_string(CIPHER_CONTEXT *ctx,
const char *str, char *buf,
int (*writefunc)(const char *, size_t, void *),
void *writefuncarg)
@@ -505,9 +547,9 @@ static int save_string(EVP_CIPHER_CTX *ctx,
b[0]=len / 256;
b[1]=len % 256;
- if (!EVP_EncryptUpdate(ctx, (unsigned char *)buf, &l, b, 2))
+ if (!EVP_EncryptUpdate(CONTEXT(ctx), (unsigned char *)buf, &l, b, 2))
{
- sslerror(ctx, "EVP_EncryptUpdate");
+ sslerror(CONTEXT(ctx), "EVP_EncryptUpdate");
return -1;
}
@@ -526,10 +568,10 @@ static int save_string(EVP_CIPHER_CTX *ctx,
if (n > BUFSIZ / 4)
n=BUFSIZ/4;
- if (!EVP_EncryptUpdate(ctx, (unsigned char *)buf, &l,
+ if (!EVP_EncryptUpdate(CONTEXT(ctx), (unsigned char *)buf, &l,
(unsigned char *)str, n))
{
- sslerror(ctx, "EVP_EncryptUpdate");
+ sslerror(CONTEXT(ctx), "EVP_EncryptUpdate");
return -1;
}
@@ -639,7 +681,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
MD5_DIGEST md5_password;
int iv_len, key_len;
- EVP_CIPHER_CTX ctx;
+ CIPHER_CONTEXT ctx;
const EVP_CIPHER *des=EVP_des_cbc();
struct tlspassword_readinfo readinfo;
char header[3];
@@ -656,20 +698,20 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
md5_digest(mpw, strlen(mpw), md5_password);
- EVP_CIPHER_CTX_init(&ctx);
+ CIPHER_INIT(ctx);
iv_len=EVP_CIPHER_iv_length(des);
key_len=EVP_CIPHER_key_length(des);
if (tlspassword_read(&readinfo, header, 3) ||
tlspassword_read(&readinfo, iv1_buf, iv_len))
{
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
if (header[0] != PASSFILEFORMAT)
{
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -677,7 +719,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
+ (unsigned char)header[2]) > sizeof(buf) / 4)
{
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -685,15 +727,15 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
return -1;
p=buf + sizeof(buf)/2;
- if (!EVP_DecryptInit_ex(&ctx, des, NULL,
+ if (!EVP_DecryptInit_ex(CONTEXT(&ctx), des, NULL,
(unsigned char *)md5_password,
(unsigned char *)&iv1_buf) ||
- !EVP_DecryptUpdate(&ctx, (unsigned char *)p, &outl,
+ !EVP_DecryptUpdate(CONTEXT(&ctx), (unsigned char *)p, &outl,
(unsigned char *)buf, l) ||
- !EVP_DecryptFinal_ex(&ctx, (unsigned char *)(p += outl), &outl))
+ !EVP_DecryptFinal_ex(CONTEXT(&ctx), (unsigned char *)(p += outl), &outl))
{
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -704,7 +746,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
sizeof(md5_password)-key_len))
{
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -720,12 +762,12 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
}
#endif
- if (!EVP_DecryptInit_ex(&ctx, des, NULL,
+ if (!EVP_DecryptInit_ex(CONTEXT(&ctx), des, NULL,
(unsigned char *)(p-iv_len-key_len),
(unsigned char *)(p-iv_len)))
{
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -746,7 +788,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
{
tlspassword_readcleanup(&readinfo);
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -754,13 +796,13 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
readinfo.bufleft=outl;
}
- if (!EVP_DecryptUpdate(&ctx, (unsigned char *)buf, &outl,
+ if (!EVP_DecryptUpdate(CONTEXT(&ctx), (unsigned char *)buf, &outl,
(unsigned char *)
readinfo.bufptr, readinfo.bufleft))
{
tlspassword_readcleanup(&readinfo);
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
readinfo.bufleft=0;
@@ -773,7 +815,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
if (n < 0)
{
tlspassword_readcleanup(&readinfo);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -782,11 +824,11 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
}
}
- if (!EVP_DecryptFinal_ex(&ctx, (unsigned char *)buf, &outl))
+ if (!EVP_DecryptFinal_ex(CONTEXT(&ctx), (unsigned char *)buf, &outl))
{
tlspassword_readcleanup(&readinfo);
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -799,7 +841,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
{
tlspassword_readcleanup(&readinfo);
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return -1;
}
@@ -812,7 +854,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
{
tlspassword_readcleanup(&readinfo);
errno=EINVAL;
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return (-1);
}
@@ -823,7 +865,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
free(urls);
tlspassword_readcleanup(&readinfo);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return (-1);
}
@@ -844,7 +886,7 @@ int tlspassword_load( int (*callback)(char *, size_t, void *),
free(pws);
tlspassword_readcleanup(&readinfo);
- EVP_CIPHER_CTX_cleanup(&ctx);
+ CIPHER_CLEANUP(ctx);
return 0;
}
@@ -923,6 +965,10 @@ static int read_string(struct tlspassword_readinfo *info, char *p, int n)
#else
+
+
+
+
int tlspassword_init()
{
return 0;
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-01 20:48:11 +0000