mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 06:25:31 +00:00
Code Issues Releases Wiki Activity

Remove no longer needed OpenSSL shims and checks

Browse Source 
Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kind
of OpenSSL shims and checks for functions that are now always present in
the OpenSSL libraries.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Aydın Mercan <aydin@isc.org>
This commit is contained in:
Ondřej Surý
2024-07-01 11:05:18 +02:00
parent 4d77eafd13
commit 8ccfbcfe72
14 changed files with 14 additions and 727 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
bin/named/main.c
View File

@@ -590,16 +590,8 @@ printversion(bool verbose) {
printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
#endif /* ifdef __SUNPRO_C */
printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT);
#if !defined(LIBRESSL_VERSION_NUMBER) && \
OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
printf("linked to OpenSSL version: %s\n",
OpenSSL_version(OPENSSL_VERSION));
#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
* 0x10100000L */
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR,
UV_VERSION_MINOR, UV_VERSION_PATCH);
printf("linked to libuv version: %s\n", uv_version_string());

2
bin/tests/system/checkconf/tests.sh
View File

@@ -89,7 +89,7 @@ for good in good-*.conf; do
good-proxy-*doh*.conf) continue ;;
bad-proxy-*doh*.conf) continue ;;
esac
elif ! $FEATURETEST --have-openssl-cipher-suites; then
else
case $good in
good-tls-cipher-suites-*.conf) continue ;;
esac

21
bin/tests/system/cipher-suites/prereq.sh
View File

@@ -1,21 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../conf.sh
$FEATURETEST --have-openssl-cipher-suites || {
echo_i "SSL_CTX_set_ciphersuites() is required for the test."
exit 255
}
exit 0

9
bin/tests/system/feature-test.c
View File

@@ -49,7 +49,6 @@ usage(void) {
fprintf(stderr, "\t--have-geoip2\n");
fprintf(stderr, "\t--have-json-c\n");
fprintf(stderr, "\t--have-libxml2\n");
fprintf(stderr, "\t--have-openssl-cipher-suites\n");
fprintf(stderr, "\t--ipv6only=no\n");
fprintf(stderr, "\t--md5\n");
fprintf(stderr, "\t--rsasha1\n");
@@ -185,14 +184,6 @@ main(int argc, char **argv) {
#endif /* ifdef HAVE_LIBXML2 */
}
if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
return (0);
#else /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
return (1);
#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
}
if (strcmp(argv[1], "--tsan") == 0) {
#if defined(__has_feature)
#if __has_feature(thread_sanitizer)

71
configure.ac
View File

@@ -664,53 +664,6 @@ LIBS="$OPENSSL_LIBS $LIBS"
#
# Check for functions added in OpenSSL or LibreSSL
#
AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
AC_CHECK_FUNCS([BN_GENCB_new])
AC_CHECK_FUNCS([CRYPTO_zalloc])
AC_CHECK_FUNCS([ERR_get_error_all])
AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md])
AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
AC_CHECK_FUNCS([SSL_CTX_up_ref])
AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
AC_CHECK_FUNCS([SSL_CTX_up_ref])
AC_CHECK_FUNCS([SSL_SESSION_is_resumable])
AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites])
#
# Check for algorithm support in OpenSSL
#
AC_CHECK_FUNCS([EVP_DigestSignInit EVP_DigestVerifyInit], [:],
[AC_MSG_FAILURE([EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.])])
AC_MSG_CHECKING([for ECDSA P-256 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
[[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_X9_62_prime256v1, NULL);]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_FAILURE([not found. ECDSA P-256 support in OpenSSL is mandatory.])])
AC_MSG_CHECKING([for ECDSA P-384 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
[[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_secp384r1, NULL);]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_FAILURE([not found. ECDSA P-384 support in OpenSSL is mandatory.])])
AC_MSG_CHECKING([for Ed25519 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
[[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);]])],
[AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519])
AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no])])
AC_MSG_CHECKING([for Ed448 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
@@ -719,25 +672,11 @@ AC_COMPILE_IFELSE(
AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no])])
#
# Check for OpenSSL SHA-1 support
#
AC_CHECK_FUNCS([EVP_sha1], [:],
[AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])])
#
# Check for OpenSSL SHA-2 support
#
AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:],
[AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])])
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA])
AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
AC_CHECK_FUNCS([ERR_get_error_all])
AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
AC_CHECK_FUNCS([EVP_MD_CTX_get0_md])
AC_CHECK_FUNCS([EVP_PKEY_eq])
AC_CHECK_FUNCS([SSL_CTX_set1_cert_store])
#
# Check whether FIPS mode is available and whether we should enable it

4
lib/dns/dst_api.c
View File

@@ -217,14 +217,12 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
DST_ALG_RSASHA512));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_OPENSSL_ED25519
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519],
DST_ALG_ED25519));
#endif /* ifdef HAVE_OPENSSL_ED25519 */
#ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448],
DST_ALG_ED448));
#endif /* ifdef HAVE_OPENSSL_ED448 */
#endif /* HAVE_OPENSSL_ED448 */
#if HAVE_GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));

2
lib/dns/dst_internal.h
View File

@@ -214,10 +214,8 @@ isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
dst__opensslecdsa_init(struct dst_func **funcp);
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
isc_result_t
dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm);
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
#if HAVE_GSSAPI
isc_result_t
dst__gssapi_init(struct dst_func **funcp);

131
lib/dns/openssl_shim.c
View File

@@ -15,137 +15,6 @@
#include <isc/util.h>
#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
/* From OpenSSL 1.1.0 */
int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
/*
* If the fields n and e in r are NULL, the corresponding input
* parameters MUST be non-NULL for n and e. d may be
* left NULL (in case only the public key is used).
*/
if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
return (0);
}
if (n != NULL) {
BN_free(r->n);
r->n = n;
}
if (e != NULL) {
BN_free(r->e);
r->e = e;
}
if (d != NULL) {
BN_clear_free(r->d);
r->d = d;
}
return (1);
}
int
RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
/*
* If the fields p and q in r are NULL, the corresponding input
* parameters MUST be non-NULL.
*/
if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
return (0);
}
if (p != NULL) {
BN_clear_free(r->p);
r->p = p;
}
if (q != NULL) {
BN_clear_free(r->q);
r->q = q;
}
return (1);
}
int
RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
/*
* If the fields dmp1, dmq1 and iqmp in r are NULL, the
* corresponding input parameters MUST be non-NULL.
*/
if ((r->dmp1 == NULL && dmp1 == NULL) ||
(r->dmq1 == NULL && dmq1 == NULL) ||
(r->iqmp == NULL && iqmp == NULL))
{
return (0);
}
if (dmp1 != NULL) {
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
}
if (dmq1 != NULL) {
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
}
if (iqmp != NULL) {
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
}
return (1);
}
void
RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
const BIGNUM **d) {
SET_IF_NOT_NULL(n, r->n);
SET_IF_NOT_NULL(e, r->e);
SET_IF_NOT_NULL(d, r->d);
}
void
RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
SET_IF_NOT_NULL(p, r->p);
SET_IF_NOT_NULL(q, r->q);
}
void
RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp) {
SET_IF_NOT_NULL(dmp1, r->dmp1);
SET_IF_NOT_NULL(dmq1, r->dmq1);
SET_IF_NOT_NULL(iqmp, r->iqmp);
}
int
RSA_test_flags(const RSA *r, int flags) {
return (r->flags & flags);
}
#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
#if !HAVE_ECDSA_SIG_GET0
/* From OpenSSL 1.1 */
void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
SET_IF_NOT_NULL(pr, sig->r);
SET_IF_NOT_NULL(ps, sig->s);
}
int
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
if (r == NULL || s == NULL) {
return (0);
}
BN_clear_free(sig->r);
BN_clear_free(sig->s);
sig->r = r;
sig->s = s;
return (1);
}
#endif /* !HAVE_ECDSA_SIG_GET0 */
#if !HAVE_ERR_GET_ERROR_ALL
static const char err_empty_string = '\0';

68
lib/dns/openssl_shim.h
View File

@@ -28,74 +28,6 @@
#define RSA_MAX_PUBEXP_BITS 35
#endif /* ifndef RSA_MAX_PUBEXP_BITS */
#if !HAVE_BN_GENCB_NEW
/* These are new in OpenSSL 1.1.0. */
static inline BN_GENCB *
BN_GENCB_new(void) {
return (OPENSSL_malloc(sizeof(BN_GENCB)));
}
static inline void
BN_GENCB_free(BN_GENCB *cb) {
if (cb == NULL) {
return;
}
OPENSSL_free(cb);
}
static inline void *
BN_GENCB_get_arg(BN_GENCB *cb) {
return cb->arg;
}
#endif /* !HAVE_BN_GENCB_NEW */
#if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L
static inline const RSA *
EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
return (pkey->type == EVP_PKEY_RSA ? pkey->pkey.rsa : NULL);
}
#endif
#if !HAVE_EVP_PKEY_GET0_EC_KEY && OPENSSL_VERSION_NUMBER < 0x10100000L
static inline const EC_KEY *
EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) {
return (pkey->type == EVP_PKEY_EC ? pkey->pkey.ec : NULL);
}
#endif
#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int
RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
int
RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
void
RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
const BIGNUM **d);
void
RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
void
RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp);
int
RSA_test_flags(const RSA *r, int flags);
#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
#if !HAVE_ECDSA_SIG_GET0
void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
int
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
#endif /* !HAVE_ECDSA_SIG_GET0 */
#if !HAVE_ERR_GET_ERROR_ALL
unsigned long
ERR_get_error_all(const char **file, int *line, const char **func,

14
lib/dns/openssleddsa_link.c
View File

@@ -13,8 +13,6 @@
/*! \file */
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
#include <stdbool.h>
#include <openssl/err.h>
@@ -41,11 +39,9 @@
goto err; \
}
#if HAVE_OPENSSL_ED25519
#ifndef NID_ED25519
#error "Ed25519 group is not known (NID_ED25519)"
#endif /* ifndef NID_ED25519 */
#endif /* HAVE_OPENSSL_ED25519 */
#if HAVE_OPENSSL_ED448
#ifndef NID_ED448
@@ -60,7 +56,6 @@ typedef struct eddsa_alginfo {
static const eddsa_alginfo_t *
openssleddsa_alg_info(unsigned int key_alg) {
#if HAVE_OPENSSL_ED25519
if (key_alg == DST_ALG_ED25519) {
static const eddsa_alginfo_t ed25519_alginfo = {
.pkey_type = EVP_PKEY_ED25519,
@@ -70,7 +65,6 @@ openssleddsa_alg_info(unsigned int key_alg) {
};
return &ed25519_alginfo;
}
#endif /* HAVE_OPENSSL_ED25519 */
#if HAVE_OPENSSL_ED448
if (key_alg == DST_ALG_ED448) {
static const eddsa_alginfo_t ed448_alginfo = {
@@ -586,7 +580,6 @@ static unsigned char ed448_sig[] =
"\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00";
#endif
#if HAVE_OPENSSL_ED25519
static unsigned char ed25519_pub[] =
"\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1"
"\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25";
@@ -595,7 +588,6 @@ static unsigned char ed25519_sig[] =
"\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab"
"\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93"
"\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04";
#endif
static isc_result_t
check_algorithm(unsigned char algorithm) {
@@ -621,8 +613,7 @@ check_algorithm(unsigned char algorithm) {
key_len = sizeof(ed448_pub) - 1;
alginfo = openssleddsa_alg_info(algorithm);
break;
#endif
#if HAVE_OPENSSL_ED25519
#endif /* HAVE_OPENSSL_ED448 */
case DST_ALG_ED25519:
sig = ed25519_sig;
sig_len = sizeof(ed25519_sig) - 1;
@@ -630,7 +621,6 @@ check_algorithm(unsigned char algorithm) {
key_len = sizeof(ed25519_pub) - 1;
alginfo = openssleddsa_alg_info(algorithm);
break;
#endif
default:
DST_RET(ISC_R_NOTIMPLEMENTED);
}
@@ -673,5 +663,3 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) {
}
return (ISC_R_SUCCESS);
}
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */

142
lib/isc/openssl_shim.c
View File

@@ -24,81 +24,6 @@
#include "openssl_shim.h"
#if !HAVE_CRYPTO_ZALLOC
void *
CRYPTO_zalloc(size_t num, const char *file, int line) {
void *ret = CRYPTO_malloc(num, file, line);
if (ret != NULL) {
memset(ret, 0, num);
}
return (ret);
}
#endif /* if !HAVE_CRYPTO_ZALLOC */
#if !HAVE_EVP_CIPHER_CTX_NEW
EVP_CIPHER_CTX *
EVP_CIPHER_CTX_new(void) {
EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
return (ctx);
}
#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
#if !HAVE_EVP_CIPHER_CTX_FREE
void
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {
if (ctx != NULL) {
EVP_CIPHER_CTX_cleanup(ctx);
OPENSSL_free(ctx);
}
}
#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
#if !HAVE_EVP_MD_CTX_RESET
int
EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
return (EVP_MD_CTX_cleanup(ctx));
}
#endif /* if !HAVE_EVP_MD_CTX_RESET */
#if !HAVE_SSL_READ_EX
int
SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
int rv = SSL_read(ssl, buf, num);
if (rv > 0) {
*readbytes = rv;
rv = 1;
}
return (rv);
}
#endif
#if !HAVE_SSL_PEEK_EX
int
SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
int rv = SSL_peek(ssl, buf, num);
if (rv > 0) {
*readbytes = rv;
rv = 1;
}
return (rv);
}
#endif
#if !HAVE_SSL_WRITE_EX
int
SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) {
int rv = SSL_write(ssl, buf, num);
if (rv > 0) {
*written = rv;
rv = 1;
}
return (rv);
}
#endif
#if !HAVE_BIO_READ_EX
int
BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
@@ -110,7 +35,7 @@ BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
return (rv);
}
#endif
#endif /* !HAVE_BIO_READ_EX */
#if !HAVE_BIO_WRITE_EX
int
@@ -123,76 +48,13 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) {
return (rv);
}
#endif
#if !HAVE_OPENSSL_INIT_CRYPTO
int
OPENSSL_init_crypto(uint64_t opts, const void *settings) {
(void)settings;
if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) {
ERR_load_crypto_strings();
}
if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS |
OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0)
{
OpenSSL_add_all_algorithms();
} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
OpenSSL_add_all_digests();
} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
OpenSSL_add_all_ciphers();
}
return (1);
}
#endif
#if !HAVE_OPENSSL_INIT_SSL
int
OPENSSL_init_ssl(uint64_t opts, const void *settings) {
OPENSSL_init_crypto(opts, settings);
SSL_library_init();
if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) {
SSL_load_error_strings();
}
return (1);
}
#endif
#if !HAVE_OPENSSL_CLEANUP
void
OPENSSL_cleanup(void) {
return;
}
#endif
#if !HAVE_X509_STORE_UP_REF
int
X509_STORE_up_ref(X509_STORE *store) {
return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0);
}
#endif /* !HAVE_OPENSSL_CLEANUP */
#endif /* !HAVE_BIO_WRITE_EX */
#if !HAVE_SSL_CTX_SET1_CERT_STORE
void
SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
(void)X509_STORE_up_ref(store);
SSL_CTX_set_cert_store(ctx, store);
}
#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
#if !HAVE_SSL_CTX_UP_REF
int
SSL_CTX_up_ref(SSL_CTX *ctx) {
return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
}
#endif /* !HAVE_SSL_CTX_UP_REF */

101
lib/isc/openssl_shim.h
View File

@@ -20,118 +20,21 @@
#include <openssl/opensslv.h>
#include <openssl/ssl.h>
#if !HAVE_CRYPTO_ZALLOC
void *
CRYPTO_zalloc(size_t num, const char *file, int line);
#endif /* if !HAVE_CRYPTO_ZALLOC */
#if !defined(OPENSSL_zalloc)
#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__)
#endif
#if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
#define EVP_PKEY_new_raw_private_key(type, e, key, keylen) \
EVP_PKEY_new_mac_key(type, e, key, (int)(keylen))
#endif /* if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY */
#if !HAVE_EVP_CIPHER_CTX_NEW
EVP_CIPHER_CTX *
EVP_CIPHER_CTX_new(void);
#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
#if !HAVE_EVP_CIPHER_CTX_FREE
void
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
#if !HAVE_EVP_MD_CTX_NEW
#define EVP_MD_CTX_new EVP_MD_CTX_create
#endif /* if !HAVE_EVP_MD_CTX_NEW */
#if !HAVE_EVP_MD_CTX_FREE
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
#endif /* if !HAVE_EVP_MD_CTX_FREE */
#if !HAVE_EVP_MD_CTX_RESET
int
EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
#endif /* if !HAVE_EVP_MD_CTX_RESET */
#if !HAVE_EVP_MD_CTX_GET0_MD
#define EVP_MD_CTX_get0_md EVP_MD_CTX_md
#endif /* if !HAVE_EVP_MD_CTX_GET0_MD */
#if !HAVE_SSL_READ_EX
int
SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
#endif
#if !HAVE_SSL_PEEK_EX
int
SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
#endif
#if !HAVE_SSL_WRITE_EX
int
SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written);
#endif
#if !HAVE_BIO_READ_EX
int
BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
#endif
#endif /* !HAVE_BIO_READ_EX */
#if !HAVE_BIO_WRITE_EX
int
BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
#endif
#if !HAVE_OPENSSL_INIT_CRYPTO
#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L
#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0x00000010L
#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0x00000020L
int
OPENSSL_init_crypto(uint64_t opts, const void *settings);
#endif
#if !HAVE_OPENSSL_INIT_SSL
#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L
int
OPENSSL_init_ssl(uint64_t opts, const void *settings);
#endif
#if !HAVE_OPENSSL_CLEANUP
void
OPENSSL_cleanup(void);
#endif
#if !HAVE_TLS_SERVER_METHOD
#define TLS_server_method SSLv23_server_method
#endif
#if !HAVE_TLS_CLIENT_METHOD
#define TLS_client_method SSLv23_client_method
#endif
#if !HAVE_X509_STORE_UP_REF
int
X509_STORE_up_ref(X509_STORE *v);
#endif /* !HAVE_OPENSSL_CLEANUP */
#endif /* !HAVE_BIO_WRITE_EX */
#if !HAVE_SSL_CTX_SET1_CERT_STORE
void
SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
#if !HAVE_SSL_CTX_UP_REF
int
SSL_CTX_up_ref(SSL_CTX *store);
#endif /* !HAVE_SSL_CTX_UP_REF */

164
lib/isc/tls.c
View File

@@ -56,27 +56,6 @@
static isc_mem_t *isc__tls_mctx = NULL;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static isc_mutex_t *locks = NULL;
static int nlocks;
static void
isc__tls_lock_callback(int mode, int type, const char *file, int line) {
UNUSED(file);
UNUSED(line);
if ((mode & CRYPTO_LOCK) != 0) {
LOCK(&locks[type]);
} else {
UNLOCK(&locks[type]);
}
}
static void
isc__tls_set_thread_id(CRYPTO_THREADID *id) {
CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
}
#endif
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
/*
* This was crippled with LibreSSL, so just skip it:
@@ -163,7 +142,6 @@ isc__tls_initialize(void) {
#endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
0x30000000L */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG;
#if defined(OPENSSL_INIT_NO_ATEXIT)
@@ -175,28 +153,6 @@ isc__tls_initialize(void) {
#endif
RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
#else
nlocks = CRYPTO_num_locks();
locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0]));
isc_mutexblock_init(locks, nlocks);
CRYPTO_set_locking_callback(isc__tls_lock_callback);
CRYPTO_THREADID_set_callback(isc__tls_set_thread_id);
CRYPTO_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE_load_builtin_engines();
#endif
OpenSSL_add_all_algorithms();
OPENSSL_load_builtin_modules();
CONF_modules_load_file(NULL, NULL,
CONF_MFLAGS_DEFAULT_SECTION |
CONF_MFLAGS_IGNORE_MISSING_FILE);
#endif
/* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) {
@@ -208,28 +164,7 @@ isc__tls_initialize(void) {
void
isc__tls_shutdown(void) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
OPENSSL_cleanup();
#else
CONF_modules_unload(1);
OBJ_cleanup();
EVP_cleanup();
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
RAND_cleanup();
ERR_free_strings();
CRYPTO_set_locking_callback(NULL);
if (locks != NULL) {
isc_mutexblock_destroy(locks, nlocks);
isc_mem_cput(isc__tls_mctx, locks, nlocks, sizeof(locks[0]));
locks = NULL;
}
#endif
isc_mem_destroy(&isc__tls_mctx);
}
@@ -260,15 +195,12 @@ isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) {
*ptarget = src;
}
#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
/*
* Callback invoked by the SSL library whenever a new TLS pre-master secret
* needs to be logged.
*/
static void
sslkeylogfile_append(const SSL *ssl, const char *line) {
UNUSED(ssl);
sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) {
isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR,
ISC_LOG_INFO, "%s", line);
}
@@ -284,9 +216,6 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) {
SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append);
}
}
#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
#define sslkeylogfile_init(ctx)
#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
isc_result_t
isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
@@ -308,12 +237,7 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#endif
sslkeylogfile_init(ctx);
@@ -384,12 +308,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#endif
if (ephemeral) {
const int group_nid = NID_X9_62_prime256v1;
@@ -415,27 +334,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
}
/* Use a named curve and uncompressed point conversion form. */
#if HAVE_EVP_PKEY_GET0_EC_KEY
EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
OPENSSL_EC_NAMED_CURVE);
EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
POINT_CONVERSION_UNCOMPRESSED);
#else
EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
EC_KEY_set_conv_form(pkey->pkey.ec,
POINT_CONVERSION_UNCOMPRESSED);
#endif /* HAVE_EVP_PKEY_GET0_EC_KEY */
#if defined(SSL_CTX_set_ecdh_auto)
/*
* Using this macro is required for older versions of OpenSSL to
* automatically enable ECDH support.
*
* On later versions this function is no longer needed and is
* deprecated.
*/
(void)SSL_CTX_set_ecdh_auto(ctx, 1);
#endif /* defined(SSL_CTX_set_ecdh_auto) */
/* Cleanup */
EC_KEY_free(eckey);
@@ -494,20 +396,12 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
* Set the "not before" property 5 minutes into the past to
* accommodate with some possible clock skew across systems.
*/
#if OPENSSL_VERSION_NUMBER < 0x10101000L
X509_gmtime_adj(X509_get_notBefore(cert), -300);
#else
X509_gmtime_adj(X509_getm_notBefore(cert), -300);
#endif
/*
* We set the vailidy for 10 years.
*/
#if OPENSSL_VERSION_NUMBER < 0x10101000L
X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600);
#else
X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
#endif
X509_set_pubkey(cert, pkey);
@@ -784,7 +678,6 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
bool
isc_tls_cipher_suites_valid(const char *cipher_suites) {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
isc_tlsctx_t *tmp_ctx = NULL;
const SSL_METHOD *method = NULL;
bool result;
@@ -808,27 +701,15 @@ isc_tls_cipher_suites_valid(const char *cipher_suites) {
isc_tlsctx_free(&tmp_ctx);
return (result);
#else
UNUSED(cipher_suites);
UNREACHABLE();
#endif
}
void
isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
REQUIRE(ctx != NULL);
REQUIRE(cipher_suites != NULL);
REQUIRE(*cipher_suites != '\0');
RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1);
#else
UNUSED(ctx);
UNUSED(cipher_suites);
UNREACHABLE();
#endif
}
void
@@ -916,10 +797,8 @@ isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) {
SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL);
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN,
NGHTTP2_PROTO_ALPN_LEN);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
}
#ifndef OPENSSL_NO_NEXTPROTONEG
@@ -935,7 +814,6 @@ next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len,
}
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static int
alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg) {
@@ -953,7 +831,6 @@ alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
return (SSL_TLSEXT_ERR_OK);
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
void
isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
@@ -962,9 +839,7 @@ isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL);
#endif // OPENSSL_NO_NEXTPROTONEG
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
}
#endif /* HAVE_LIBNGHTTP2 */
@@ -978,11 +853,9 @@ isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn,
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_get0_next_proto_negotiated(tls, alpn, alpnlen);
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (*alpn == NULL) {
SSL_get0_alpn_selected(tls, alpn, alpnlen);
}
#endif
}
static bool
@@ -1015,13 +888,10 @@ void
isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) {
REQUIRE(ctx != NULL);
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN,
DOT_PROTO_ALPN_LEN);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
}
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static int
dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
unsigned char *outlen, const unsigned char *in,
@@ -1039,15 +909,12 @@ dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
return (SSL_TLSEXT_ERR_OK);
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
void
isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) {
REQUIRE(tls != NULL);
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
}
isc_result_t
@@ -1608,33 +1475,6 @@ isc_tlsctx_client_session_cache_detach(
isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
}
static bool
ssl_session_seems_resumable(const SSL_SESSION *sess) {
#ifdef HAVE_SSL_SESSION_IS_RESUMABLE
/*
* If SSL_SESSION_is_resumable() is available, let's use that. It
* is expected to be available on OpenSSL >= 1.1.1 and its modern
* siblings.
*/
return (SSL_SESSION_is_resumable(sess) != 0);
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
/*
* Taking into consideration that OpenSSL 1.1.0 uses opaque
* pointers for SSL_SESSION, we cannot implement a replacement for
* SSL_SESSION_is_resumable() manually. Let's use a sensible
* approximation for that, then: if there is an associated session
* ticket or session ID, then, most likely, the session is
* resumable.
*/
unsigned int session_id_len = 0;
(void)SSL_SESSION_get_id(sess, &session_id_len);
return (SSL_SESSION_has_ticket(sess) || session_id_len > 0);
#else
return (!sess->not_resumable &&
(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
#endif
}
void
isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
char *remote_peer_name, isc_tls_t *tls) {
@@ -1652,7 +1492,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
if (sess == NULL) {
ERR_clear_error();
return;
} else if (!ssl_session_seems_resumable(sess)) {
} else if (SSL_SESSION_is_resumable(sess) == 0) {
SSL_SESSION_free(sess);
return;
}

4
lib/isccfg/namedconf.c
View File

@@ -4058,11 +4058,7 @@ static cfg_clausedef_t tls_clauses[] = {
{ "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 },
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "cipher-suites", &cfg_type_astring, 0 },
#else
{ "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "prefer-server-ciphers", &cfg_type_boolean, 0 },
{ "session-tickets", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }