
tls: updated tls version selection for libssl 1.1.0 api

- fixes compile warnings for deprecated TLSXY_method() functions

Daniel-Constantin Mierla authored on 28/06/2017 09:41:15
Showing 4 changed files
... ...
@@ -987,6 +987,9 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
987 987
 	}
988 988
 	memset(d->ctx, 0, sizeof(SSL_CTX*) * procs_no);
989 989
 	for(i = 0; i < procs_no; i++) {
990
+
991
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
992
+		/* libssl < 1.1.0 */
990 993
 		if(d->method>TLS_USE_TLSvRANGE) {
991 994
 			d->ctx[i] = SSL_CTX_new(SSLv23_method());
992 995
 		} else {
... ...
@@ -999,6 +1002,30 @@ static int fix_domain(tls_domain_t* d, tls_domain_t* def)
999 1002
 		if(d->method>TLS_USE_TLSvRANGE) {
1000 1003
 			SSL_CTX_set_options(d->ctx[i], (long)ssl_methods[d->method - 1]);
1001 1004
 		}
1005
+#else
1006
+		/* libssl >= 1.1.0 */
1007
+		d->ctx[i] = SSL_CTX_new(sr_tls_methods[d->method - 1].TLSMethod);
1008
+		if (d->ctx[i] == NULL) {
1009
+			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
1010
+			return -1;
1011
+		}
1012
+		if(d->method>TLS_USE_TLSvRANGE) {
1013
+			if(sr_tls_methods[d->method - 1].TLSMethodMin) {
1014
+				SSL_CTX_set_min_proto_version(d->ctx[i],
1015
+						sr_tls_methods[d->method - 1].TLSMethodMin);
1016
+			}
1017
+		} else {
1018
+			if(sr_tls_methods[d->method - 1].TLSMethodMin) {
1019
+				SSL_CTX_set_min_proto_version(d->ctx[i],
1020
+						sr_tls_methods[d->method - 1].TLSMethodMin);
1021
+			}
1022
+			if(sr_tls_methods[d->method - 1].TLSMethodMax) {
1023
+				SSL_CTX_set_max_proto_version(d->ctx[i],
1024
+						sr_tls_methods[d->method - 1].TLSMethodMax);
1025
+			}
1026
+		}
1027
+#endif
1028
+
1002 1029
 #ifndef OPENSSL_NO_TLSEXT
1003 1030
 		/*
1004 1031
 		* check server domains for server_name extension and register
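Review bot: The return values of SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version() (new lines 1014, 1019 and 1023) are ignored; both return 0 when the library cannot honour the requested version, in which case the context silently keeps libssl's default floor/ceiling and the configured TLS version restriction is not enforced. Failing the domain the way the SSL_CTX_new() path just above does is the safer outcome. The two branches of `if(d->method>TLS_USE_TLSvRANGE)` also duplicate the TLSMethodMin call; since init_ssl_methods() leaves TLSMethodMax at 0 for the range entries, the branch can collapse into a single min/max sequence as below. fix_domain() starts and ends outside this hunk.
```c
		/* libssl >= 1.1.0 */
		d->ctx[i] = SSL_CTX_new(sr_tls_methods[d->method - 1].TLSMethod);
		if (d->ctx[i] == NULL) {
			ERR("%s: Cannot create SSL context\n", tls_domain_str(d));
			return -1;
		}
		/* range entries have TLSMethodMax == 0, so one sequence covers
		 * both the single-version and the TLSvX_PLUS cases; a 0 return
		 * means libssl refused the version and the policy would not hold */
		if(sr_tls_methods[d->method - 1].TLSMethodMin
				&& !SSL_CTX_set_min_proto_version(d->ctx[i],
						sr_tls_methods[d->method - 1].TLSMethodMin)) {
			ERR("%s: Cannot set minimum TLS version\n", tls_domain_str(d));
			return -1;
		}
		if(sr_tls_methods[d->method - 1].TLSMethodMax
				&& !SSL_CTX_set_max_proto_version(d->ctx[i],
						sr_tls_methods[d->method - 1].TLSMethodMax)) {
			ERR("%s: Cannot set maximum TLS version\n", tls_domain_str(d));
			return -1;
		}
		/* … unchanged: #endif and OPENSSL_NO_TLSEXT handling … */
```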
... ...
@@ -73,7 +73,7 @@ enum tls_method {
73 73
 	TLS_USE_TLSvRANGE,    /* placeholder - TLSvX ranges must be after it */
74 74
 	TLS_USE_TLSv1_PLUS,   /* TLSv1.0 or greater */
75 75
 	TLS_USE_TLSv1_1_PLUS, /* TLSv1.1 or greater */
76
-	TLS_USE_TLSv1_2_PLUS, /* TLSv1.1 or greater */
76
+	TLS_USE_TLSv1_2_PLUS, /* TLSv1.2 or greater */
77 77
 	TLS_METHOD_MAX
78 78
 };
79 79
 
... ...
@@ -119,7 +119,11 @@ to compile on the  _target_ system)"
119 119
 int openssl_kssl_malloc_bug=0; /* is openssl bug #1467 present ? */
120 120
 #endif
121 121
 
122
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
122 123
 const SSL_METHOD* ssl_methods[TLS_METHOD_MAX];
124
+#else
125
+sr_tls_methods_t sr_tls_methods[TLS_METHOD_MAX];
126
+#endif
123 127
 
124 128
 #ifdef NO_TLS_MALLOC_DBG
125 129
 #undef TLS_MALLOC_DBG /* extra malloc debug info from openssl */
... ...
@@ -352,6 +356,8 @@ error:
352 356
  */
353 357
 static void init_ssl_methods(void)
354 358
 {
359
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
360
+	/* libssl < 1.1.0 */
355 361
 	memset(ssl_methods, 0, sizeof(ssl_methods));
356 362
 
357 363
 	/* any SSL/TLS version */
... ...
@@ -400,6 +406,69 @@ static void init_ssl_methods(void)
400 406
 #if OPENSSL_VERSION_NUMBER >= 0x1000105fL
401 407
 	ssl_methods[TLS_USE_TLSv1_2_PLUS - 1] = (void*)TLS_OP_TLSv1_2_PLUS;
402 408
 #endif
409
+
410
+#else
411
+	/* openssl 1.1.0+ */
412
+	memset(sr_tls_methods, 0, sizeof(sr_tls_methods));
413
+
414
+	/* any SSL/TLS version */
415
+	sr_tls_methods[TLS_USE_SSLv23_cli - 1].TLSMethod = TLS_client_method();
416
+	sr_tls_methods[TLS_USE_SSLv23_srv - 1].TLSMethod = TLS_server_method();
417
+	sr_tls_methods[TLS_USE_SSLv23 - 1].TLSMethod = TLS_method();
418
+
419
+#ifndef OPENSSL_NO_SSL3_METHOD
420
+	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethod = TLS_client_method();
421
+	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethodMin = SSL3_VERSION;
422
+	sr_tls_methods[TLS_USE_SSLv3_cli - 1].TLSMethodMax = SSL3_VERSION;
423
+	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethod = TLS_server_method();
424
+	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethodMin = SSL3_VERSION;
425
+	sr_tls_methods[TLS_USE_SSLv3_srv - 1].TLSMethodMax = SSL3_VERSION;
426
+	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethod = TLS_method();
427
+	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethodMin = SSL3_VERSION;
428
+	sr_tls_methods[TLS_USE_SSLv3 - 1].TLSMethodMax = SSL3_VERSION;
429
+#endif
430
+
431
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethod = TLS_client_method();
432
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethodMin = TLS1_VERSION;
433
+	sr_tls_methods[TLS_USE_TLSv1_cli - 1].TLSMethodMax = TLS1_VERSION;
434
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethod = TLS_server_method();
435
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethodMin = TLS1_VERSION;
436
+	sr_tls_methods[TLS_USE_TLSv1_srv - 1].TLSMethodMax = TLS1_VERSION;
437
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethod = TLS_method();
438
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethodMin = TLS1_VERSION;
439
+	sr_tls_methods[TLS_USE_TLSv1 - 1].TLSMethodMax = TLS1_VERSION;
440
+
441
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethod = TLS_client_method();
442
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethodMin = TLS1_1_VERSION;
443
+	sr_tls_methods[TLS_USE_TLSv1_1_cli - 1].TLSMethodMax = TLS1_1_VERSION;
444
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethod = TLS_server_method();
445
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethodMin = TLS1_1_VERSION;
446
+	sr_tls_methods[TLS_USE_TLSv1_1_srv - 1].TLSMethodMax = TLS1_1_VERSION;
447
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethod = TLS_method();
448
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethodMin = TLS1_1_VERSION;
449
+	sr_tls_methods[TLS_USE_TLSv1_1 - 1].TLSMethodMax = TLS1_1_VERSION;
450
+
451
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethod = TLS_client_method();
452
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethodMin = TLS1_2_VERSION;
453
+	sr_tls_methods[TLS_USE_TLSv1_2_cli - 1].TLSMethodMax = TLS1_2_VERSION;
454
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethod = TLS_server_method();
455
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethodMin = TLS1_2_VERSION;
456
+	sr_tls_methods[TLS_USE_TLSv1_2_srv - 1].TLSMethodMax = TLS1_2_VERSION;
457
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethod = TLS_method();
458
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMin = TLS1_2_VERSION;
459
+	sr_tls_methods[TLS_USE_TLSv1_2 - 1].TLSMethodMax = TLS1_2_VERSION;
460
+
461
+	/* ranges of TLS versions (require a minimum TLS version) */
462
+	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethod = TLS_method();
463
+	sr_tls_methods[TLS_USE_TLSv1_PLUS - 1].TLSMethodMin = TLS1_VERSION;
464
+
465
+	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethod = TLS_method();
466
+	sr_tls_methods[TLS_USE_TLSv1_1_PLUS - 1].TLSMethodMin = TLS1_1_VERSION;
467
+
468
+	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethod = TLS_method();
469
+	sr_tls_methods[TLS_USE_TLSv1_2_PLUS - 1].TLSMethodMin = TLS1_2_VERSION;
470
+
471
+#endif
403 472
 }
404 473
 
405 474
 
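Review bot: The libssl >= 1.1.0 table leaves two of its policies implicit. The TLS_USE_SSLv23* entries (new lines 415-417) set only TLSMethod, so with TLSMethodMin left at 0 fix_domain() never calls SSL_CTX_set_min_proto_version() and the negotiable floor is whatever libssl's build default is; and when OPENSSL_NO_SSL3_METHOD is defined the three SSLv3 entries stay zeroed after the memset, so a domain configured with one of them hands a NULL method to SSL_CTX_new(), which fails with the generic "Cannot create SSL context" message that does not name the cause. Suggested comments: `/* no TLSMethodMin/Max: version floor and ceiling are libssl's defaults */` above line 415, and `/* SSLv3 entries stay NULL here; SSL_CTX_new() in fix_domain() rejects them */` at the `#ifndef` on line 419, or alternatively an explicit NULL-method check with a clearer error in fix_domain(). init_ssl_methods() starts outside this hunk.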
... ...
@@ -38,15 +38,23 @@
38 38
 #endif /* OPENSSL_VERION < 1.0 */
39 39
 #ifndef OPENSSL_NO_KRB5
40 40
 /* enable workarround for openssl kerberos wrong malloc bug
41
- * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc & 
41
+ * (kssl code uses libc malloc/free/calloc instead of OPENSSL_malloc &
42 42
  * friends)*/
43 43
 #define TLS_KSSL_WORKARROUND
44 44
 extern int openssl_kssl_malloc_bug; /* is openssl bug #1467 present ? */
45 45
 #endif
46 46
 
47 47
 
48
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
48 49
 extern const SSL_METHOD* ssl_methods[];
49
-
50
+#else
51
+typedef struct sr_tls_methods_s {
52
+	const SSL_METHOD* TLSMethod;
53
+	int TLSMethodMin;
54
+	int TLSMethodMax;
55
+} sr_tls_methods_t;
56
+extern sr_tls_methods_t sr_tls_methods[];
57
+#endif
50 58
 
51 59
 /*
52 60
  * just once, pre-initialize the tls subsystem
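Review bot: The new sr_tls_methods_s struct (new lines 51-55) has no comment on what its fields mean, and the value 0 for TLSMethodMin/TLSMethodMax is significant: fix_domain() only calls SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() when they are non-zero, so 0 means "leave libssl's default". Suggest documenting that on the fields: `const SSL_METHOD* TLSMethod; /* method handed to SSL_CTX_new() */`, `int TLSMethodMin; /* SSL3_/TLS1_x_VERSION floor; 0 = libssl default */`, `int TLSMethodMax; /* SSL3_/TLS1_x_VERSION ceiling; 0 = libssl default */`. As a point of style, the CamelCase field names differ from the snake_case used by the surrounding declarations (openssl_kssl_malloc_bug, ssl_methods).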