OpenSSL 1.1 support

configure.ac

@@ -245,6 +245,7 @@ else
 fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
+AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method])
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [
 AC_INCLUDES_DEFAULT

src/context.c

@@ -672,6 +672,15 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 	GETDNS_FREE(upstreams->mf, upstreams);
 }
 
+#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
+static char*
+getdns_auth_str_array[] = {
+	GETDNS_STR_AUTH_NONE,
+	GETDNS_STR_AUTH_FAILED,
+	GETDNS_STR_AUTH_OK
+};
+#endif
+
 void
 _getdns_upstream_shutdown(getdns_upstream *upstream)
 {

src/gldns/keyraw.c

@@ -23,6 +23,15 @@
 #ifdef HAVE_OPENSSL_ENGINE_H
 #  include <openssl/engine.h>
 #endif
+#ifdef HAVE_OPENSSL_BN_H
+#include <openssl/bn.h>
+#endif
+#ifdef HAVE_OPENSSL_RSA_H
+#include <openssl/rsa.h>
+#endif
+#ifdef HAVE_OPENSSL_DSA_H
+#include <openssl/dsa.h>
+#endif
 #endif /* HAVE_SSL */
 
 size_t
@@ -215,6 +224,7 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #ifndef S_SPLINT_S
 	dsa->p = P;
 	dsa->q = Q;
@@ -222,6 +232,25 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 	dsa->pub_key = Y;
 #endif /* splint */
 
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!DSA_set0_pqg(dsa, P, Q, G)) {
+		/* QPG not yet attached, need to free */
+		BN_free(Q);
+		BN_free(P);
+		BN_free(G);
+
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+	if (!DSA_set0_key(dsa, Y, NULL)) {
+		/* QPG attached, cleaned up by DSA_fre() */
+		DSA_free(dsa);
+		BN_free(Y);
+		return NULL;
+	}
+#endif
+
 	return dsa;
 }
 
@@ -273,11 +302,21 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
+#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
 #ifndef S_SPLINT_S
 	rsa->n = modulus;
 	rsa->e = exponent;
 #endif /* splint */
 
+#else /* OPENSSL_VERSION_NUMBER */
+	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
+		BN_free(exponent);
+		BN_free(modulus);
+		RSA_free(rsa);
+		return NULL;
+	}
+#endif
+
 	return rsa;
 }
 

src/gldns/rrdef.h

@@ -195,7 +195,7 @@ enum gldns_enum_rr_type
         GLDNS_RR_TYPE_TALINK = 58,
 	GLDNS_RR_TYPE_CDS = 59, /** RFC 7344 */
 	GLDNS_RR_TYPE_CDNSKEY = 60, /** RFC 7344 */
-	GLDNS_RR_TYPE_OPENPGPKEY = 61, /* draft-ietf-dane-openpgpkey */
+	GLDNS_RR_TYPE_OPENPGPKEY = 61, /* RFC 7929 */
 	GLDNS_RR_TYPE_CSYNC = 62, /* RFC 7477 */
 
 	GLDNS_RR_TYPE_SPF = 99, /* RFC 4408 */

src/gldns/wire2str.h

@@ -118,7 +118,7 @@ int gldns_str_print(char** str, size_t* slen, const char* format, ...)
  * @param str_len: the size of the string buffer.  If more is needed, it'll
  * 	silently truncate the output to fit in the buffer.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_pkt_buf(uint8_t* data, size_t data_len, char* str,
 	size_t str_len);
@@ -351,7 +351,7 @@ int gldns_wire2str_edns_option_code_print(char** str, size_t* str_len,
  * @param str_len: the size of the string buffer.  If more is needed, it'll
  * 	silently truncate the output to fit in the buffer.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
 	size_t str_len);
@@ -369,7 +369,7 @@ int gldns_wire2str_rr_buf(uint8_t* rr, size_t rr_len, char* str,
  * @param str_len: the size of the string buffer.  If more is needed, it'll
  * 	silently truncate the output to fit in the buffer.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
 	size_t str_len);
@@ -389,7 +389,7 @@ int gldns_wire2str_rr_unknown_buf(uint8_t* rr, size_t rr_len, char* str,
  * @param str_len: the size of the string buffer.  If more is needed, it'll
  * 	silently truncate the output to fit in the buffer.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
 	char* str, size_t str_len);
@@ -406,7 +406,7 @@ int gldns_wire2str_rr_comment_buf(uint8_t* rr, size_t rr_len, size_t dname_len,
  * 	silently truncate the output to fit in the buffer.
  * @param rrtype: rr type of the data
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
 	size_t str_len, uint16_t rrtype);
@@ -417,7 +417,7 @@ int gldns_wire2str_rdata_buf(uint8_t* rdata, size_t rdata_len, char* str,
  * @param str: the string to write to.
  * @param len: length of str.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
 
@@ -427,7 +427,7 @@ int gldns_wire2str_type_buf(uint16_t rrtype, char* str, size_t len);
  * @param str: the string to write to.
  * @param len: length of str.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
 
@@ -437,7 +437,7 @@ int gldns_wire2str_class_buf(uint16_t rrclass, char* str, size_t len);
  * @param str: the string to write to.
  * @param len: length of str.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
 
@@ -448,7 +448,7 @@ int gldns_wire2str_rcode_buf(int rcode, char* str, size_t len);
  * @param str: the string to write to.
  * @param len: length of string.
  * @return the number of characters for this element, excluding zerobyte.
- * 	Is larger than str_len if output was truncated.
+ * 	Is larger or equal than str_len if output was truncated.
  */
 int gldns_wire2str_dname_buf(uint8_t* dname, size_t dname_len, char* str,
 	size_t len);

src/pubkey-pinning.c

@@ -56,6 +56,10 @@
 #include "context.h"
 #include "util-internal.h"
 
+#ifndef X509_STORE_CTX_get0_untrusted
+#define X509_STORE_CTX_get0_untrusted(store) store->untrusted
+#endif
+
 /* we only support sha256 at the moment.  adding support for another
    digest is more complex than just adding another entry here. in
    particular, you'll probably need a match for a particular cert
@@ -314,11 +318,11 @@ _get_ssl_getdns_upstream_idx()
 {
 	static volatile int idx = -1;
 	if (idx < 0) {
-		CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE);
+		/* CRYPTO_w_lock(CRYPTO_LOCK_X509_STORE); */
 		if (idx < 0)
 			idx = SSL_get_ex_new_index(0, "associated getdns upstream",
 						   NULL,NULL,NULL);
-		CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE);
+		/* CRYPTO_w_unlock(CRYPTO_LOCK_X509_STORE); */
 	}
 	return idx;
 }
@@ -383,7 +387,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 
 	/* TODO: how do we handle raw public keys? */
 
-	for (i = 0; i < sk_X509_num(store->untrusted); i++) {
+	for (i = 0; i < sk_X509_num(X509_STORE_CTX_get0_untrusted(store)); i++) {
 		if (i > 0) {
 		/* TODO: how do we ensure that the certificates in
 		 * each stage appropriately sign the previous one?
@@ -392,7 +396,7 @@ _getdns_verify_pinset_match(const sha256_pin_t *pinset,
 			return GETDNS_RETURN_GENERIC_ERROR;
 		}
 
-		x = sk_X509_value(store->untrusted, i);
+		x = sk_X509_value(X509_STORE_CTX_get0_untrusted(store), i);
 #if defined(STUB_DEBUG) && STUB_DEBUG
 		DEBUG_STUB("%s %-35s: Name of cert: %d ",
 		           STUB_DEBUG_SETUP_TLS, __FUNCTION__, i);

src/util/val_secalgo.c

@@ -590,7 +590,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		log_err("EVP_MD_CTX_new: malloc failure");
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyInit(ctx, digest_type) == 0) {
@@ -598,7 +598,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return 0;
 	}
 	if(EVP_VerifyUpdate(ctx, (unsigned char*)gldns_buffer_begin(buf), 
@@ -607,7 +607,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 		EVP_MD_CTX_destroy(ctx);
 		EVP_PKEY_free(evp_key);
 		if(dofree) free(sigblock);
-		else if(docrypto_free) CRYPTO_free(sigblock);
+		else if(docrypto_free) OPENSSL_free(sigblock);
 		return 0;
 	}
 
@@ -621,7 +621,7 @@ _getdns_verify_canonrrset(gldns_buffer* buf, int algo, unsigned char* sigblock,
 	EVP_PKEY_free(evp_key);
 
 	if(dofree) free(sigblock);
-	else if(docrypto_free) CRYPTO_free(sigblock);
+	else if(docrypto_free) OPENSSL_free(sigblock);
 
 	if(res == 1) {
 		return 1;
@@ -1359,6 +1359,7 @@ _getdns_dnskey_algo_id_is_supported(int id)
 	}
 }
 
+#ifdef USE_DSA
 static char *
 _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
 	unsigned int sigblock_len, unsigned char* key, unsigned int keylen)
@@ -1446,6 +1447,7 @@ _verify_nettle_dsa(gldns_buffer* buf, unsigned char* sigblock,
 	else
 		return NULL;
 }
+#endif /* USE_DSA */
 
 static char *
 _verify_nettle_rsa(gldns_buffer* buf, unsigned int digest_size, char* sigblock,