Merge pull request #216 from wtoorop/develop

Openssl 1.1.0 support (for the 1.0.0 release)
2016-10-31 11:36:58 +01:00 · 2016-10-31 11:36:58 +01:00 · 9569e3607e
parent 45643b6da5 6fe4b5a6d9
commit 9569e3607e
7 changed files with 106 additions and 22 deletions
--- a/configure.ac
+++ b/configure.ac
@ -245,6 +245,7 @@ else
 fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
 AC_INCLUDES_DEFAULT
@ -552,10 +553,16 @@ fi

 # Checks for libraries.
 found_all_libs=1
+MISSING_DEPS=""
+MISSING_SEP=""
 if test $my_with_libidn = 1
 then
 	AC_MSG_NOTICE([Checking for dependency libidn])
-	AC_CHECK_LIB([idn], [idna_to_ascii_8z], [], [found_all_libs=0])
+	AC_CHECK_LIB([idn], [idna_to_ascii_8z], [], [
+		MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libidn"
+		MISSING_SEP=", "
+		found_all_libs=0
+	])
 fi

 AC_ARG_ENABLE(unbound-event-api, AC_HELP_STRING([--disable-unbound-event-api], [Disable usage of libunbounds event API]))
@ -584,12 +591,16 @@ then
 			])
 		fi
 		AC_CHECK_FUNCS([ub_ctx_set_stub])
-	], [found_all_libs=0])
+	], [
+		MISSING_DEPS="${MISSING_DEPS}${MISSING_SEP}libunbound"
+		MISSING_SEP=", "
+		found_all_libs=0
+	])
 fi

 if test $found_all_libs = 0
 then
-    AC_MSG_ERROR([One more dependencies is missing])
+    AC_MSG_ERROR([Missing dependencies: $MISSING_DEPS])
 fi

 AC_PATH_PROG([DOXYGEN], [doxygen])
--- a/src/context.c
+++ b/src/context.c
@ -672,6 +672,15 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 	GETDNS_FREE(upstreams->mf, upstreams);
 }

+#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
+static char*
+getdns_auth_str_array[] = {
+	GETDNS_STR_AUTH_NONE,
+	GETDNS_STR_AUTH_FAILED,
+	GETDNS_STR_AUTH_OK
+};
+#endif
+
 void
 _getdns_upstream_shutdown(getdns_upstream *upstream)
 {
@ -3698,8 +3707,7 @@ getdns_context_get_suffix(getdns_context *context, getdns_list **value)
 			r = GETDNS_RETURN_GENERIC_ERROR;
 			break;
 		}
-		if ((r = _getdns_list_append_const_bindata(
-		    list, strlen(name) + 1, name)))
+		if ((r = _getdns_list_append_string(list, name)))
 			break;
 		dname += dname_len;
 		dname_len = *dname++;
--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
@ -23,6 +23,15 @@
 #ifdef HAVE_OPENSSL_ENGINE_H
 #  include <openssl/engine.h>
 #endif
+#ifdef HAVE_OPENSSL_BN_H
+#include <openssl/bn.h>
+#endif
+#ifdef HAVE_OPENSSL_RSA_H
+#include <openssl/rsa.h>
+#endif
+#ifdef HAVE_OPENSSL_DSA_H
+#include <openssl/dsa.h>
+#endif
 #endif /* HAVE_SSL */

 size_t
@ -215,6 +224,7 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #ifndef S_SPLINT_S
 	dsa->p = P;
 	dsa->q = Q;
@ -222,6 +232,25 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 	dsa->pub_key = Y;
 #endif /* splint */

+#else /* OPENSSL_VERSION_NUMBER */
+	if (!DSA_set0_pqg(dsa, P, Q, G)) {
+		/* QPG not yet attached, need to free */
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);
+
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_key(dsa, Y, NULL)) {
+		/* QPG attached, cleaned up by DSA_fre() */
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+#endif
+
 	return dsa;
 }

@ -273,11 +302,21 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #ifndef S_SPLINT_S
 	rsa->n = modulus;
 	rsa->e = exponent;
 #endif /* splint */

+#else /* OPENSSL_VERSION_NUMBER */
+	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+		BN_free(exponent);
+		BN_free(modulus);
+		RSA_free(rsa);
+		return NULL;
+	}
+#endif
+
 	return rsa;
 }

--- a/src/gldns/rrdef.h
+++ b/src/gldns/rrdef.h
@ -195,7 +195,7 @@ enum gldns_enum_rr_type
        GLDNS_RR_TYPE_TALINK = 58,
 	GLDNS_RR_TYPE_CDS = 59, /** RFC 7344 */
 	GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
-	GLDNS_RR_TYPE_OPENPGPKEY = 61, /* draft-ietf-dane-openpgpkey */
+	GLDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
 	GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */

 	GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */
--- a/src/gldns/wire2str.h
+++ b/src/gldns/wire2str.h
@ -118,7 +118,7 @@ int gldns_str_print(char** str, size_t* slen, const char* format, ...)
 * @param str_len: the size of the string buffer.  If more is needed, it'll
 * 	silently truncate the output to fit in the buffer.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_pkt_buf(uint8_t* data, size_t data_len, char* str,
 	size_t str_len);
@ -351,7 +351,7 @@ int gldns_wire2str_edns_option_code_print(char** str, size_t* str_len,
 * @param str_len: the size of the string buffer.  If more is needed, it'll
 * 	silently truncate the output to fit in the buffer.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
 	size_t str_len);
@ -369,7 +369,7 @@ int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
 * @param str_len: the size of the string buffer.  If more is needed, it'll
 * 	silently truncate the output to fit in the buffer.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
 	size_t str_len);
@ -389,7 +389,7 @@ int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
 * @param str_len: the size of the string buffer.  If more is needed, it'll
 * 	silently truncate the output to fit in the buffer.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
 	char* str, size_t str_len);
@ -406,7 +406,7 @@ int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
 * 	silently truncate the output to fit in the buffer.
 * @param rrtype: rr type of the data
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
 	size_t str_len, uint16_t rrtype);
@ -417,7 +417,7 @@ int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
 * @param str: the string to write to.
 * @param len: length of str.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);

@ -427,7 +427,7 @@ int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
 * @param str: the string to write to.
 * @param len: length of str.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);

@ -437,7 +437,7 @@ int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
 * @param str: the string to write to.
 * @param len: length of str.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);

@ -448,7 +448,7 @@ int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
 * @param str: the string to write to.
 * @param len: length of string.
 * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
 */
 int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
 	size_t len);
--- a/src/pubkey-pinning.c
+++ b/src/pubkey-pinning.c
@ -56,6 +56,10 @@
 #include "context.h"
 #include "util-internal.h"

+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+#define X509_STORE_CTX_get0_untrusted(store) store->untrusted
+#endif
+
 /* we only support sha256 at the moment.  adding support for another
   digest is more complex than just adding another entry here. in
   particular, you'll probably need a match for a particular cert
@ -310,15 +314,27 @@ _getdns_get_pubkey_pinset_list(getdns_context *ctx,
   see doc/HOWTO/proxy_certificates.txt as an example
 */
 static int
-_get_ssl_getdns_upstream_idx()
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
+_get_ssl_getdns_upstream_idx(void)
+#else
+_get_ssl_getdns_upstream_idx(X509_STORE *store)
+#endif
 {
 	static volatile int idx = -1;
 	if (idx < 0) {
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+#else
+		X509_STORE_lock(store);
+#endif
 		if (idx < 0)
 			idx = SSL_get_ex_new_index(0, "associated getdns upstream",
 						   NULL,NULL,NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+#else
+		X509_STORE_unlock(store);
+#endif
 	}
 	return idx;
 }
@ -326,7 +342,11 @@ _get_ssl_getdns_upstream_idx()
 getdns_upstream*
 _getdns_upstream_from_x509_store(X509_STORE_CTX *store)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 	int uidx = _get_ssl_getdns_upstream_idx();
+#else
+	int uidx = _get_ssl_getdns_upstream_idx(X509_STORE_CTX_get0_store(store));
+#endif
 	int sslidx = SSL_get_ex_data_X509_STORE_CTX_idx();
 	const SSL *ssl;

@ -344,7 +364,11 @@ getdns_return_t
 _getdns_associate_upstream_with_SSL(SSL *ssl,
 				    getdns_upstream *upstream)
 {
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 	int uidx = _get_ssl_getdns_upstream_idx();
+#else
+	int uidx = _get_ssl_getdns_upstream_idx(SSL_CTX_get_cert_store(SSL_get_SSL_CTX(ssl)));
+#endif
 	if (SSL_set_ex_data(ssl, uidx, upstream))
 		return GETDNS_RETURN_GOOD;
 	else
@ -383,7 +407,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,

 	/* TODO: how do we handle raw public keys? */

-	for (i = 0; i < sk_X509_num(store->untrusted); i++) {
+	for (i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++) {
 		if (i > 0) {
 		/* TODO: how do we ensure that the certificates in
 		 * each stage appropriately sign the previous one?
@ -392,7 +416,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 			return GETDNS_RETURN_GENERIC_ERROR;
 		}

-		x = sk_X509_value(store->untrusted, i);
+		x = sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i);
 #if defined(STUB_DEBUG) && STUB_DEBUG
 		DEBUG_STUB("%s %-35s: Name of cert: %d ",
 		           STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);
--- a/src/util/val_secalgo.c
+++ b/src/util/val_secalgo.c
@ -590,7 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		log_err("EVP_MD_CTX_new: malloc failure");
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
@ -598,7 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), 
@ -607,7 +607,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return 0;
 	}

@ -621,7 +621,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 	EVP_PKEY_free(evp_key);

 	if(dofree) free(sigblock);
-	else if(docrypto_free) CRYPTO_free(sigblock);
+	else if(docrypto_free) OPENSSL_free(sigblock);

 	if(res == 1) {
 		return 1;
@ -1359,6 +1359,7 @@ _getdns_dnskey_algo_id_is_supported(int id)
 	}
 }

+#ifdef USE_DSA
 static char *
 _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
@ -1446,6 +1447,7 @@ _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
 	else
 		return NULL;
 }
+#endif /* USE_DSA */

 static char *
 _verify_nettle_rsa(gldns_buffer* buf, unsigned int digest_size, char* sigblock,