OpenSSL 1.1 support

This commit is contained in:
Willem Toorop 2016-10-13 23:04:50 +02:00
parent 1d34fcbdd5
commit 47e718eeb8
8 changed files with 73 additions and 25 deletions


@ -255,6 +255,7 @@ else
fi fi
AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT]) AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method]) AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [ AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
AC_INCLUDES_DEFAULT AC_INCLUDES_DEFAULT
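Review bot: The new header probes for bn.h/rsa.h/dsa.h are useful, but the C side of this commit still selects the OpenSSL 1.1 accessor APIs by OPENSSL_VERSION_NUMBER while this AC_CHECK_FUNCS line already probes individual symbols; adding `DSA_set0_pqg RSA_set0_key X509_STORE_CTX_get0_untrusted` to the list would give the sources HAVE_* macros that stay correct for LibreSSL releases that gain these functions, instead of a version guard that has to be revisited. AC_CHECK_FUNCS is only a link test, so any of these that some release provides as a macro would also need the AC_CHECK_DECLS treatment already used on the next line for SSL_CTX_set_ecdh_auto. The HAVE_LIBRESSL symbol the sources rely on is not defined anywhere in this diff, so it is worth confirming configure actually sets it.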


@ -693,6 +693,15 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
GETDNS_FREE(upstreams->mf, upstreams); GETDNS_FREE(upstreams->mf, upstreams);
} }
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
static char*
getdns_auth_str_array[] = {
GETDNS_STR_AUTH_NONE,
GETDNS_STR_AUTH_FAILED,
GETDNS_STR_AUTH_OK
};
#endif
void void
_getdns_upstream_shutdown(getdns_upstream *upstream) _getdns_upstream_shutdown(getdns_upstream *upstream)
{ {
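Review bot: `getdns_auth_str_array` holds string literals and should be declared `static const char * const getdns_auth_str_array[]` so the literals are not exposed through writable `char *` (the header definition it replaces had the same weakness). Moving it into stub.c under `DAEMON_DEBUG` also means any reference outside a DAEMON_DEBUG block in this file will no longer compile; none is visible in this hunk, so a quick grep is enough to confirm. A short comment such as `/* debug-only names, presumably indexed by getdns_auth_state in enum order */` would document the coupling to the enum that the array silently depends on. `_getdns_upstream_shutdown` begins at the end of this hunk and continues outside it.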


@ -23,6 +23,15 @@
#ifdef HAVE_OPENSSL_ENGINE_H #ifdef HAVE_OPENSSL_ENGINE_H
# include <openssl/engine.h> # include <openssl/engine.h>
#endif #endif
#ifdef HAVE_OPENSSL_BN_H
#include <openssl/bn.h>
#endif
#ifdef HAVE_OPENSSL_RSA_H
#include <openssl/rsa.h>
#endif
#ifdef HAVE_OPENSSL_DSA_H
#include <openssl/dsa.h>
#endif
#endif /* HAVE_SSL */ #endif /* HAVE_SSL */
size_t size_t
@ -215,6 +224,7 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
BN_free(Y); BN_free(Y);
return NULL; return NULL;
} }
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S #ifndef S_SPLINT_S
dsa->p = P; dsa->p = P;
dsa->q = Q; dsa->q = Q;
@ -222,6 +232,25 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
dsa->pub_key = Y; dsa->pub_key = Y;
#endif /* splint */ #endif /* splint */
#else /* OPENSSL_VERSION_NUMBER */
if (!DSA_set0_pqg(dsa, P, Q, G)) {
/* QPG not yet attached, need to free */
BN_free(Q);
BN_free(P);
BN_free(G);
DSA_free(dsa);
BN_free(Y);
return NULL;
}
if (!DSA_set0_key(dsa, Y, NULL)) {
/* QPG attached, cleaned up by DSA_fre() */
DSA_free(dsa);
BN_free(Y);
return NULL;
}
#endif
return dsa; return dsa;
} }
@ -273,11 +302,21 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
BN_free(modulus); BN_free(modulus);
return NULL; return NULL;
} }
#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
#ifndef S_SPLINT_S #ifndef S_SPLINT_S
rsa->n = modulus; rsa->n = modulus;
rsa->e = exponent; rsa->e = exponent;
#endif /* splint */ #endif /* splint */
#else /* OPENSSL_VERSION_NUMBER */
if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
BN_free(exponent);
BN_free(modulus);
RSA_free(rsa);
return NULL;
}
#endif
return rsa; return rsa;
} }
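Review bot: The new `DSA_set0_pqg`/`RSA_set0_key` paths are chosen by `OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)` rather than by whether the accessors exist, so a LibreSSL that later adds these functions or makes the structs opaque, or a build where HAVE_LIBRESSL is not defined as this file expects (its definition is not visible here), lands on the wrong branch; since configure.ac already probes OpenSSL symbols with AC_CHECK_FUNCS, guarding with `#ifdef HAVE_DSA_SET0_PQG` / `#ifdef HAVE_RSA_SET0_KEY` would be more robust. The ownership handling itself looks right on both DSA failure paths: after DSA_set0_pqg succeeds, DSA_free(dsa) releases P, Q and G, and only Y is freed separately. Two nits: the comment on the second DSA exit should read `/* P, Q, G now owned by dsa and released by DSA_free() */` (it currently says `QPG` and `DSA_fre()`), and the version literal is conventionally written `0x10100000L` to match the type of OPENSSL_VERSION_NUMBER.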


@ -195,7 +195,7 @@ enum gldns_enum_rr_type
GLDNS_RR_TYPE_TALINK = 58, GLDNS_RR_TYPE_TALINK = 58,
GLDNS_RR_TYPE_CDS = 59, /** RFC 7344 */ GLDNS_RR_TYPE_CDS = 59, /** RFC 7344 */
GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */ GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
GLDNS_RR_TYPE_OPENPGPKEY = 61, /* draft-ietf-dane-openpgpkey */ GLDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */ GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */ GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */


@ -118,7 +118,7 @@ int gldns_str_print(char** str, size_t* slen, const char* format, ...)
* @param str_len: the size of the string buffer. If more is needed, it'll * @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer. * silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_pkt_buf(uint8_t* data, size_t data_len, char* str, int gldns_wire2str_pkt_buf(uint8_t* data, size_t data_len, char* str,
size_t str_len); size_t str_len);
@ -351,7 +351,7 @@ int gldns_wire2str_edns_option_code_print(char** str, size_t* str_len,
* @param str_len: the size of the string buffer. If more is needed, it'll * @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer. * silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str, int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
size_t str_len); size_t str_len);
@ -369,7 +369,7 @@ int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
* @param str_len: the size of the string buffer. If more is needed, it'll * @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer. * silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str, int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
size_t str_len); size_t str_len);
@ -389,7 +389,7 @@ int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
* @param str_len: the size of the string buffer. If more is needed, it'll * @param str_len: the size of the string buffer. If more is needed, it'll
* silently truncate the output to fit in the buffer. * silently truncate the output to fit in the buffer.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len, int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
char* str, size_t str_len); char* str, size_t str_len);
@ -406,7 +406,7 @@ int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
* silently truncate the output to fit in the buffer. * silently truncate the output to fit in the buffer.
* @param rrtype: rr type of the data * @param rrtype: rr type of the data
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str, int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
size_t str_len, uint16_t rrtype); size_t str_len, uint16_t rrtype);
@ -417,7 +417,7 @@ int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
* @param str: the string to write to. * @param str: the string to write to.
* @param len: length of str. * @param len: length of str.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len); int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
@ -427,7 +427,7 @@ int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
* @param str: the string to write to. * @param str: the string to write to.
* @param len: length of str. * @param len: length of str.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len); int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
@ -437,7 +437,7 @@ int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
* @param str: the string to write to. * @param str: the string to write to.
* @param len: length of str. * @param len: length of str.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len); int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
@ -448,7 +448,7 @@ int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
* @param str: the string to write to. * @param str: the string to write to.
* @param len: length of string. * @param len: length of string.
* @return the number of characters for this element, excluding zerobyte. * @return the number of characters for this element, excluding zerobyte.
* Is larger than str_len if output was truncated. * Is larger or equal than str_len if output was truncated.
*/ */
int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str, int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
size_t len); size_t len);


@ -56,6 +56,10 @@
#include "context.h" #include "context.h"
#include "util-internal.h" #include "util-internal.h"
#ifndef X509_STORE_CTX_get0_untrusted
#define X509_STORE_CTX_get0_untrusted(store) store->untrusted
#endif
/* we only support sha256 at the moment. adding support for another /* we only support sha256 at the moment. adding support for another
digest is more complex than just adding another entry here. in digest is more complex than just adding another entry here. in
particular, you'll probably need a match for a particular cert particular, you'll probably need a match for a particular cert
@ -314,11 +318,11 @@ _get_ssl_getdns_upstream_idx()
{ {
static volatile int idx = -1; static volatile int idx = -1;
if (idx < 0) { if (idx < 0) {
CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); /* CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); */
if (idx < 0) if (idx < 0)
idx = SSL_get_ex_new_index(0, "associated getdns upstream", idx = SSL_get_ex_new_index(0, "associated getdns upstream",
NULL,NULL,NULL); NULL,NULL,NULL);
CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); /* CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); */
} }
return idx; return idx;
} }
@ -383,7 +387,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
/* TODO: how do we handle raw public keys? */ /* TODO: how do we handle raw public keys? */
for (i = 0; i < sk_X509_num(store->untrusted); i++) { for (i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++) {
if (i > 0) { if (i > 0) {
/* TODO: how do we ensure that the certificates in /* TODO: how do we ensure that the certificates in
* each stage appropriately sign the previous one? * each stage appropriately sign the previous one?
@ -392,7 +396,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
return GETDNS_RETURN_GENERIC_ERROR; return GETDNS_RETURN_GENERIC_ERROR;
} }
x = sk_X509_value(store->untrusted, i); x = sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i);
#if defined(STUB_DEBUG) && STUB_DEBUG #if defined(STUB_DEBUG) && STUB_DEBUG
DEBUG_STUB("%s %-35s: Name of cert: %d ", DEBUG_STUB("%s %-35s: Name of cert: %d ",
STUB_DEBUG_SETUP_TLS, __FUNCTION__, i); STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);
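Review bot: The `#ifndef X509_STORE_CTX_get0_untrusted` fallback only works if OpenSSL 1.1 provides the accessor as a macro; if, as I believe, 1.1's x509_vfy.h declares it as a plain function, the `#ifndef` is also true there and the macro redefines it as `store->untrusted`, which cannot compile against the opaque 1.1 X509_STORE_CTX. Key the fallback on the same test the rest of this commit uses, `#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)`, and parenthesize the argument: `#define X509_STORE_CTX_get0_untrusted(store) ((store)->untrusted)`. Separately, commenting out `CRYPTO_w_lock`/`CRYPTO_w_unlock` in `_get_ssl_getdns_upstream_idx` leaves the double-checked `idx` initialisation with no synchronisation at all — `volatile` is not a lock — so two threads can each call `SSL_get_ex_new_index` and end up with different indexes; keep the lock under the pre-1.1 guard and use `CRYPTO_THREAD_run_once` (or register the index once at context creation) on 1.1, rather than leaving dead commented-out calls in place.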


@ -67,13 +67,6 @@ typedef enum getdns_auth_state {
#define GETDNS_STR_AUTH_FAILED "Failed" #define GETDNS_STR_AUTH_FAILED "Failed"
#define GETDNS_STR_AUTH_OK "Success" #define GETDNS_STR_AUTH_OK "Success"
static char*
getdns_auth_str_array[] = {
GETDNS_STR_AUTH_NONE,
GETDNS_STR_AUTH_FAILED,
GETDNS_STR_AUTH_OK
};
struct getdns_context; struct getdns_context;
struct getdns_upstreams; struct getdns_upstreams;
struct getdns_upstream; struct getdns_upstream;


@ -590,7 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
log_err("EVP_MD_CTX_new: malloc failure"); log_err("EVP_MD_CTX_new: malloc failure");
EVP_PKEY_free(evp_key); EVP_PKEY_free(evp_key);
if(dofree) free(sigblock); if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock); else if(docrypto_free) OPENSSL_free(sigblock);
return 0; return 0;
} }
if(EVP_VerifyInit(ctx, digest_type) == 0) { if(EVP_VerifyInit(ctx, digest_type) == 0) {
@ -598,7 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_MD_CTX_destroy(ctx); EVP_MD_CTX_destroy(ctx);
EVP_PKEY_free(evp_key); EVP_PKEY_free(evp_key);
if(dofree) free(sigblock); if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock); else if(docrypto_free) OPENSSL_free(sigblock);
return 0; return 0;
} }
if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf),
@ -607,7 +607,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_MD_CTX_destroy(ctx); EVP_MD_CTX_destroy(ctx);
EVP_PKEY_free(evp_key); EVP_PKEY_free(evp_key);
if(dofree) free(sigblock); if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock); else if(docrypto_free) OPENSSL_free(sigblock);
return 0; return 0;
} }
@ -621,7 +621,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
EVP_PKEY_free(evp_key); EVP_PKEY_free(evp_key);
if(dofree) free(sigblock); if(dofree) free(sigblock);
else if(docrypto_free) CRYPTO_free(sigblock); else if(docrypto_free) OPENSSL_free(sigblock);
if(res == 1) { if(res == 1) {
return 1; return 1;
@ -1359,6 +1359,7 @@ _getdns_dnskey_algo_id_is_supported(int id)
} }
} }
#ifdef USE_DSA
static char * static char *
_verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock, _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
unsigned int sigblock_len, unsigned char* key, unsigned int keylen) unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
@ -1446,6 +1447,7 @@ _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
else else
return NULL; return NULL;
} }
#endif /* USE_DSA */
static char * static char *
_verify_nettle_rsa(gldns_buffer* buf, unsigned int digest_size, char* sigblock, _verify_nettle_rsa(gldns_buffer* buf, unsigned int digest_size, char* sigblock,
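Review bot: Each of the four exits in `_getdns_verify_canonrrset` repeats the same cleanup (`EVP_PKEY_free(evp_key)`, then `free` or `OPENSSL_free` of `sigblock` depending on `dofree`/`docrypto_free`), and this commit had to touch all four just to rename one call; folding them into a single cleanup label makes the next such change a one-liner and removes the risk of one exit drifting from the others. The function begins before this hunk and its result reporting ends after it, so the sketch below shows only the exits and the label. The `#ifdef USE_DSA` guard around the static `_verify_nettle_dsa` is reasonable, but its call site is outside this hunk and presumably needs the same guard, otherwise the build fails with an undeclared function when USE_DSA is unset.
```c
	int rc = 0;
	/* … unchanged: key, digest and sigblock setup … */
	if (!(ctx = EVP_MD_CTX_new())) {
		log_err("EVP_MD_CTX_new: malloc failure");
		goto cleanup;
	}
	if (EVP_VerifyInit(ctx, digest_type) == 0) {
		/* … unchanged: error log … */
		goto cleanup;
	}
	/* … unchanged: EVP_VerifyUpdate / EVP_VerifyFinal set res … */
	rc = (res == 1);
cleanup:
	if (ctx) EVP_MD_CTX_destroy(ctx);
	EVP_PKEY_free(evp_key);
	if (dofree) free(sigblock);
	else if (docrypto_free) OPENSSL_free(sigblock);
	/* … unchanged: reporting for res != 1 … */
	return rc;
```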