mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-02 15:45:25 +00:00
Code Issues Releases Wiki Activity

chg: usr: require at least OpenSSL 1.1.1

Browse Source 
OpenSSL 1.1.1 or better (or equivalent LibreSSL version) is now required to compile BIND 9.

Closes #2806

Merge branch '2806-remove-ax_check_openssl' into 'main'

Closes #2806

See merge request isc-projects/bind9!9110
This commit is contained in:
Ondřej Surý
2024-08-05 10:24:23 +00:00
parent 00739e99f6 8ccfbcfe72
commit 96ccd962b7
16 changed files with 17 additions and 874 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
bin/named/main.c
View File

@@ -590,16 +590,8 @@ printversion(bool verbose) {
printf("compiled by Solaris Studio %x\n", __SUNPRO_C); printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
#endif /* ifdef __SUNPRO_C */ #endif /* ifdef __SUNPRO_C */
printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT); printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT);
#if !defined(LIBRESSL_VERSION_NUMBER) && \
OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
printf("linked to OpenSSL version: %s\n", printf("linked to OpenSSL version: %s\n",
OpenSSL_version(OPENSSL_VERSION)); OpenSSL_version(OPENSSL_VERSION));
#else /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
* 0x10100000L */
printf("linked to OpenSSL version: %s\n",
SSLeay_version(SSLEAY_VERSION));
#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR, printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR,
UV_VERSION_MINOR, UV_VERSION_PATCH); UV_VERSION_MINOR, UV_VERSION_PATCH);
printf("linked to libuv version: %s\n", uv_version_string()); printf("linked to libuv version: %s\n", uv_version_string());

2
bin/tests/system/checkconf/tests.sh
View File

@@ -89,7 +89,7 @@ for good in good-*.conf; do
good-proxy-*doh*.conf) continue ;; good-proxy-*doh*.conf) continue ;;
bad-proxy-*doh*.conf) continue ;; bad-proxy-*doh*.conf) continue ;;
esac esac
elif ! $FEATURETEST --have-openssl-cipher-suites; then else
case $good in case $good in
good-tls-cipher-suites-*.conf) continue ;; good-tls-cipher-suites-*.conf) continue ;;
esac esac

21
bin/tests/system/cipher-suites/prereq.sh
View File

@@ -1,21 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../conf.sh
$FEATURETEST --have-openssl-cipher-suites || {
echo_i "SSL_CTX_set_ciphersuites() is required for the test."
exit 255
}
exit 0

9
bin/tests/system/feature-test.c
View File

@@ -49,7 +49,6 @@ usage(void) {
fprintf(stderr, "\t--have-geoip2\n"); fprintf(stderr, "\t--have-geoip2\n");
fprintf(stderr, "\t--have-json-c\n"); fprintf(stderr, "\t--have-json-c\n");
fprintf(stderr, "\t--have-libxml2\n"); fprintf(stderr, "\t--have-libxml2\n");
fprintf(stderr, "\t--have-openssl-cipher-suites\n");
fprintf(stderr, "\t--ipv6only=no\n"); fprintf(stderr, "\t--ipv6only=no\n");
fprintf(stderr, "\t--md5\n"); fprintf(stderr, "\t--md5\n");
fprintf(stderr, "\t--rsasha1\n"); fprintf(stderr, "\t--rsasha1\n");
@@ -185,14 +184,6 @@ main(int argc, char **argv) {
#endif /* ifdef HAVE_LIBXML2 */ #endif /* ifdef HAVE_LIBXML2 */
} }
if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
return (0);
#else /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
return (1);
#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
}
if (strcmp(argv[1], "--tsan") == 0) { if (strcmp(argv[1], "--tsan") == 0) {
#if defined(__has_feature) #if defined(__has_feature)
#if __has_feature(thread_sanitizer) #if __has_feature(thread_sanitizer)

86
configure.ac
View File

@@ -653,75 +653,17 @@ CRYPTO=OpenSSL
# #
# OpenSSL/LibreSSL is mandatory # OpenSSL/LibreSSL is mandatory
# #
PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto], [PKG_CHECK_VERSION([OPENSSL_VERSION], [openssl])], PKG_CHECK_MODULES([OPENSSL], [libssl >= 1.1.1 libcrypto >= 1.1.1])
[AX_CHECK_OPENSSL([:], [AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])]) PKG_CHECK_VERSION([OPENSSL_VERSION], [openssl])
AX_SAVE_FLAGS([openssl]) AX_SAVE_FLAGS([openssl])
CFLAGS="$OPENSSL_CFLAGS $CFLAGS" CFLAGS="$OPENSSL_CFLAGS $CFLAGS"
LIBS="$OPENSSL_LIBS $LIBS" LIBS="$OPENSSL_LIBS $LIBS"
AC_MSG_CHECKING([for OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/opensslv.h>]],
[[#if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER < 0x1000000fL)) || \\
(defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x02070000fL))
#error OpenSSL >= 1.0.0 or LibreSSL >= 2.7.0 required
#endif
]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_FAILURE([not found])])
# #
# Check for functions added in OpenSSL or LibreSSL # Check for functions added in OpenSSL or LibreSSL
# #
AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
AC_CHECK_FUNCS([BN_GENCB_new])
AC_CHECK_FUNCS([CRYPTO_zalloc])
AC_CHECK_FUNCS([ERR_get_error_all])
AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md])
AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
AC_CHECK_FUNCS([SSL_CTX_up_ref])
AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
AC_CHECK_FUNCS([SSL_CTX_up_ref])
AC_CHECK_FUNCS([SSL_SESSION_is_resumable])
AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites])
#
# Check for algorithm support in OpenSSL
#
AC_CHECK_FUNCS([EVP_DigestSignInit EVP_DigestVerifyInit], [:],
[AC_MSG_FAILURE([EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.])])
AC_MSG_CHECKING([for ECDSA P-256 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
[[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_X9_62_prime256v1, NULL);]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_FAILURE([not found. ECDSA P-256 support in OpenSSL is mandatory.])])
AC_MSG_CHECKING([for ECDSA P-384 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
[[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_secp384r1, NULL);]])],
[AC_MSG_RESULT([yes])],
[AC_MSG_FAILURE([not found. ECDSA P-384 support in OpenSSL is mandatory.])])
AC_MSG_CHECKING([for Ed25519 support])
AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
[[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);]])],
[AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519])
AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no])])
AC_MSG_CHECKING([for Ed448 support]) AC_MSG_CHECKING([for Ed448 support])
AC_COMPILE_IFELSE( AC_COMPILE_IFELSE(
[AC_LANG_PROGRAM([[#include <openssl/evp.h>]], [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
@@ -730,25 +672,11 @@ AC_COMPILE_IFELSE(
AC_MSG_RESULT([yes])], AC_MSG_RESULT([yes])],
[AC_MSG_RESULT([no])]) [AC_MSG_RESULT([no])])
# AC_CHECK_FUNCS([ERR_get_error_all])
# Check for OpenSSL SHA-1 support AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
# AC_CHECK_FUNCS([EVP_MD_CTX_get0_md])
AC_CHECK_FUNCS([EVP_sha1], [:], AC_CHECK_FUNCS([EVP_PKEY_eq])
[AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])]) AC_CHECK_FUNCS([SSL_CTX_set1_cert_store])
#
# Check for OpenSSL SHA-2 support
#
AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:],
[AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])])
#
# Check for OpenSSL 1.1.x/LibreSSL functions
#
AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA])
AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
# #
# Check whether FIPS mode is available and whether we should enable it # Check whether FIPS mode is available and whether we should enable it

2
doc/arm/platforms.inc.rst
View File

@@ -99,7 +99,7 @@ Unsupported Platforms
These are platforms on which current versions of BIND 9 are known *not* to build or run: These are platforms on which current versions of BIND 9 are known *not* to build or run:
- Platforms without at least OpenSSL 1.0.2 - Platforms without at least OpenSSL 1.1.1
- Windows - Windows
- Solaris 10 and older - Solaris 10 and older
- Platforms that do not support IPv6 Advanced Socket API (:rfc:`3542`) - Platforms that do not support IPv6 Advanced Socket API (:rfc:`3542`)

4
lib/dns/dst_api.c
View File

@@ -217,14 +217,12 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
DST_ALG_RSASHA512)); DST_ALG_RSASHA512));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384])); RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
#ifdef HAVE_OPENSSL_ED25519
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519], RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519],
DST_ALG_ED25519)); DST_ALG_ED25519));
#endif /* ifdef HAVE_OPENSSL_ED25519 */
#ifdef HAVE_OPENSSL_ED448 #ifdef HAVE_OPENSSL_ED448
RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448], RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448],
DST_ALG_ED448)); DST_ALG_ED448));
#endif /* ifdef HAVE_OPENSSL_ED448 */ #endif /* HAVE_OPENSSL_ED448 */
#if HAVE_GSSAPI #if HAVE_GSSAPI
RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI])); RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));

2
lib/dns/dst_internal.h
View File

@@ -214,10 +214,8 @@ isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t isc_result_t
dst__opensslecdsa_init(struct dst_func **funcp); dst__opensslecdsa_init(struct dst_func **funcp);
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
isc_result_t isc_result_t
dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm); dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm);
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
#if HAVE_GSSAPI #if HAVE_GSSAPI
isc_result_t isc_result_t
dst__gssapi_init(struct dst_func **funcp); dst__gssapi_init(struct dst_func **funcp);

131
lib/dns/openssl_shim.c
View File

@@ -15,137 +15,6 @@
#include <isc/util.h> #include <isc/util.h>
#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
/* From OpenSSL 1.1.0 */
int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
/*
* If the fields n and e in r are NULL, the corresponding input
* parameters MUST be non-NULL for n and e. d may be
* left NULL (in case only the public key is used).
*/
if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
return (0);
}
if (n != NULL) {
BN_free(r->n);
r->n = n;
}
if (e != NULL) {
BN_free(r->e);
r->e = e;
}
if (d != NULL) {
BN_clear_free(r->d);
r->d = d;
}
return (1);
}
int
RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
/*
* If the fields p and q in r are NULL, the corresponding input
* parameters MUST be non-NULL.
*/
if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
return (0);
}
if (p != NULL) {
BN_clear_free(r->p);
r->p = p;
}
if (q != NULL) {
BN_clear_free(r->q);
r->q = q;
}
return (1);
}
int
RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
/*
* If the fields dmp1, dmq1 and iqmp in r are NULL, the
* corresponding input parameters MUST be non-NULL.
*/
if ((r->dmp1 == NULL && dmp1 == NULL) ||
(r->dmq1 == NULL && dmq1 == NULL) ||
(r->iqmp == NULL && iqmp == NULL))
{
return (0);
}
if (dmp1 != NULL) {
BN_clear_free(r->dmp1);
r->dmp1 = dmp1;
}
if (dmq1 != NULL) {
BN_clear_free(r->dmq1);
r->dmq1 = dmq1;
}
if (iqmp != NULL) {
BN_clear_free(r->iqmp);
r->iqmp = iqmp;
}
return (1);
}
void
RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
const BIGNUM **d) {
SET_IF_NOT_NULL(n, r->n);
SET_IF_NOT_NULL(e, r->e);
SET_IF_NOT_NULL(d, r->d);
}
void
RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
SET_IF_NOT_NULL(p, r->p);
SET_IF_NOT_NULL(q, r->q);
}
void
RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp) {
SET_IF_NOT_NULL(dmp1, r->dmp1);
SET_IF_NOT_NULL(dmq1, r->dmq1);
SET_IF_NOT_NULL(iqmp, r->iqmp);
}
int
RSA_test_flags(const RSA *r, int flags) {
return (r->flags & flags);
}
#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
#if !HAVE_ECDSA_SIG_GET0
/* From OpenSSL 1.1 */
void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
SET_IF_NOT_NULL(pr, sig->r);
SET_IF_NOT_NULL(ps, sig->s);
}
int
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
if (r == NULL || s == NULL) {
return (0);
}
BN_clear_free(sig->r);
BN_clear_free(sig->s);
sig->r = r;
sig->s = s;
return (1);
}
#endif /* !HAVE_ECDSA_SIG_GET0 */
#if !HAVE_ERR_GET_ERROR_ALL #if !HAVE_ERR_GET_ERROR_ALL
static const char err_empty_string = '\0'; static const char err_empty_string = '\0';

68
lib/dns/openssl_shim.h
View File

@@ -28,74 +28,6 @@
#define RSA_MAX_PUBEXP_BITS 35 #define RSA_MAX_PUBEXP_BITS 35
#endif /* ifndef RSA_MAX_PUBEXP_BITS */ #endif /* ifndef RSA_MAX_PUBEXP_BITS */
#if !HAVE_BN_GENCB_NEW
/* These are new in OpenSSL 1.1.0. */
static inline BN_GENCB *
BN_GENCB_new(void) {
return (OPENSSL_malloc(sizeof(BN_GENCB)));
}
static inline void
BN_GENCB_free(BN_GENCB *cb) {
if (cb == NULL) {
return;
}
OPENSSL_free(cb);
}
static inline void *
BN_GENCB_get_arg(BN_GENCB *cb) {
return cb->arg;
}
#endif /* !HAVE_BN_GENCB_NEW */
#if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L
static inline const RSA *
EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
return (pkey->type == EVP_PKEY_RSA ? pkey->pkey.rsa : NULL);
}
#endif
#if !HAVE_EVP_PKEY_GET0_EC_KEY && OPENSSL_VERSION_NUMBER < 0x10100000L
static inline const EC_KEY *
EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) {
return (pkey->type == EVP_PKEY_EC ? pkey->pkey.ec : NULL);
}
#endif
#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
int
RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int
RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
int
RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
void
RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
const BIGNUM **d);
void
RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
void
RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
const BIGNUM **iqmp);
int
RSA_test_flags(const RSA *r, int flags);
#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
#if !HAVE_ECDSA_SIG_GET0
void
ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
int
ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
#endif /* !HAVE_ECDSA_SIG_GET0 */
#if !HAVE_ERR_GET_ERROR_ALL #if !HAVE_ERR_GET_ERROR_ALL
unsigned long unsigned long
ERR_get_error_all(const char **file, int *line, const char **func, ERR_get_error_all(const char **file, int *line, const char **func,

14
lib/dns/openssleddsa_link.c
View File

@@ -13,8 +13,6 @@
/*! \file */ /*! \file */
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
#include <stdbool.h> #include <stdbool.h>
#include <openssl/err.h> #include <openssl/err.h>
@@ -41,11 +39,9 @@
goto err; \ goto err; \
} }
#if HAVE_OPENSSL_ED25519
#ifndef NID_ED25519 #ifndef NID_ED25519
#error "Ed25519 group is not known (NID_ED25519)" #error "Ed25519 group is not known (NID_ED25519)"
#endif /* ifndef NID_ED25519 */ #endif /* ifndef NID_ED25519 */
#endif /* HAVE_OPENSSL_ED25519 */
#if HAVE_OPENSSL_ED448 #if HAVE_OPENSSL_ED448
#ifndef NID_ED448 #ifndef NID_ED448
@@ -60,7 +56,6 @@ typedef struct eddsa_alginfo {
static const eddsa_alginfo_t * static const eddsa_alginfo_t *
openssleddsa_alg_info(unsigned int key_alg) { openssleddsa_alg_info(unsigned int key_alg) {
#if HAVE_OPENSSL_ED25519
if (key_alg == DST_ALG_ED25519) { if (key_alg == DST_ALG_ED25519) {
static const eddsa_alginfo_t ed25519_alginfo = { static const eddsa_alginfo_t ed25519_alginfo = {
.pkey_type = EVP_PKEY_ED25519, .pkey_type = EVP_PKEY_ED25519,
@@ -70,7 +65,6 @@ openssleddsa_alg_info(unsigned int key_alg) {
}; };
return &ed25519_alginfo; return &ed25519_alginfo;
} }
#endif /* HAVE_OPENSSL_ED25519 */
#if HAVE_OPENSSL_ED448 #if HAVE_OPENSSL_ED448
if (key_alg == DST_ALG_ED448) { if (key_alg == DST_ALG_ED448) {
static const eddsa_alginfo_t ed448_alginfo = { static const eddsa_alginfo_t ed448_alginfo = {
@@ -586,7 +580,6 @@ static unsigned char ed448_sig[] =
"\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00"; "\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00";
#endif #endif
#if HAVE_OPENSSL_ED25519
static unsigned char ed25519_pub[] = static unsigned char ed25519_pub[] =
"\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1" "\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1"
"\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25"; "\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25";
@@ -595,7 +588,6 @@ static unsigned char ed25519_sig[] =
"\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab" "\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab"
"\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93" "\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93"
"\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04"; "\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04";
#endif
static isc_result_t static isc_result_t
check_algorithm(unsigned char algorithm) { check_algorithm(unsigned char algorithm) {
@@ -621,8 +613,7 @@ check_algorithm(unsigned char algorithm) {
key_len = sizeof(ed448_pub) - 1; key_len = sizeof(ed448_pub) - 1;
alginfo = openssleddsa_alg_info(algorithm); alginfo = openssleddsa_alg_info(algorithm);
break; break;
#endif #endif /* HAVE_OPENSSL_ED448 */
#if HAVE_OPENSSL_ED25519
case DST_ALG_ED25519: case DST_ALG_ED25519:
sig = ed25519_sig; sig = ed25519_sig;
sig_len = sizeof(ed25519_sig) - 1; sig_len = sizeof(ed25519_sig) - 1;
@@ -630,7 +621,6 @@ check_algorithm(unsigned char algorithm) {
key_len = sizeof(ed25519_pub) - 1; key_len = sizeof(ed25519_pub) - 1;
alginfo = openssleddsa_alg_info(algorithm); alginfo = openssleddsa_alg_info(algorithm);
break; break;
#endif
default: default:
DST_RET(ISC_R_NOTIMPLEMENTED); DST_RET(ISC_R_NOTIMPLEMENTED);
} }
@@ -673,5 +663,3 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) {
} }
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */

142
lib/isc/openssl_shim.c
View File

@@ -24,81 +24,6 @@
#include "openssl_shim.h" #include "openssl_shim.h"
#if !HAVE_CRYPTO_ZALLOC
void *
CRYPTO_zalloc(size_t num, const char *file, int line) {
void *ret = CRYPTO_malloc(num, file, line);
if (ret != NULL) {
memset(ret, 0, num);
}
return (ret);
}
#endif /* if !HAVE_CRYPTO_ZALLOC */
#if !HAVE_EVP_CIPHER_CTX_NEW
EVP_CIPHER_CTX *
EVP_CIPHER_CTX_new(void) {
EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
return (ctx);
}
#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
#if !HAVE_EVP_CIPHER_CTX_FREE
void
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {
if (ctx != NULL) {
EVP_CIPHER_CTX_cleanup(ctx);
OPENSSL_free(ctx);
}
}
#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
#if !HAVE_EVP_MD_CTX_RESET
int
EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
return (EVP_MD_CTX_cleanup(ctx));
}
#endif /* if !HAVE_EVP_MD_CTX_RESET */
#if !HAVE_SSL_READ_EX
int
SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
int rv = SSL_read(ssl, buf, num);
if (rv > 0) {
*readbytes = rv;
rv = 1;
}
return (rv);
}
#endif
#if !HAVE_SSL_PEEK_EX
int
SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
int rv = SSL_peek(ssl, buf, num);
if (rv > 0) {
*readbytes = rv;
rv = 1;
}
return (rv);
}
#endif
#if !HAVE_SSL_WRITE_EX
int
SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) {
int rv = SSL_write(ssl, buf, num);
if (rv > 0) {
*written = rv;
rv = 1;
}
return (rv);
}
#endif
#if !HAVE_BIO_READ_EX #if !HAVE_BIO_READ_EX
int int
BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) { BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
@@ -110,7 +35,7 @@ BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
return (rv); return (rv);
} }
#endif #endif /* !HAVE_BIO_READ_EX */
#if !HAVE_BIO_WRITE_EX #if !HAVE_BIO_WRITE_EX
int int
@@ -123,76 +48,13 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) {
return (rv); return (rv);
} }
#endif #endif /* !HAVE_BIO_WRITE_EX */
#if !HAVE_OPENSSL_INIT_CRYPTO
int
OPENSSL_init_crypto(uint64_t opts, const void *settings) {
(void)settings;
if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) {
ERR_load_crypto_strings();
}
if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS |
OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0)
{
OpenSSL_add_all_algorithms();
} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
OpenSSL_add_all_digests();
} else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
OpenSSL_add_all_ciphers();
}
return (1);
}
#endif
#if !HAVE_OPENSSL_INIT_SSL
int
OPENSSL_init_ssl(uint64_t opts, const void *settings) {
OPENSSL_init_crypto(opts, settings);
SSL_library_init();
if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) {
SSL_load_error_strings();
}
return (1);
}
#endif
#if !HAVE_OPENSSL_CLEANUP
void
OPENSSL_cleanup(void) {
return;
}
#endif
#if !HAVE_X509_STORE_UP_REF
int
X509_STORE_up_ref(X509_STORE *store) {
return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0);
}
#endif /* !HAVE_OPENSSL_CLEANUP */
#if !HAVE_SSL_CTX_SET1_CERT_STORE #if !HAVE_SSL_CTX_SET1_CERT_STORE
void void
SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) { SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
(void)X509_STORE_up_ref(store); (void)X509_STORE_up_ref(store);
SSL_CTX_set_cert_store(ctx, store); SSL_CTX_set_cert_store(ctx, store);
} }
#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
#if !HAVE_SSL_CTX_UP_REF
int
SSL_CTX_up_ref(SSL_CTX *ctx) {
return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
}
#endif /* !HAVE_SSL_CTX_UP_REF */

101
lib/isc/openssl_shim.h
View File

@@ -20,118 +20,21 @@
#include <openssl/opensslv.h> #include <openssl/opensslv.h>
#include <openssl/ssl.h> #include <openssl/ssl.h>
#if !HAVE_CRYPTO_ZALLOC
void *
CRYPTO_zalloc(size_t num, const char *file, int line);
#endif /* if !HAVE_CRYPTO_ZALLOC */
#if !defined(OPENSSL_zalloc)
#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__)
#endif
#if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
#define EVP_PKEY_new_raw_private_key(type, e, key, keylen) \
EVP_PKEY_new_mac_key(type, e, key, (int)(keylen))
#endif /* if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY */
#if !HAVE_EVP_CIPHER_CTX_NEW
EVP_CIPHER_CTX *
EVP_CIPHER_CTX_new(void);
#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
#if !HAVE_EVP_CIPHER_CTX_FREE
void
EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
#if !HAVE_EVP_MD_CTX_NEW
#define EVP_MD_CTX_new EVP_MD_CTX_create
#endif /* if !HAVE_EVP_MD_CTX_NEW */
#if !HAVE_EVP_MD_CTX_FREE
#define EVP_MD_CTX_free EVP_MD_CTX_destroy
#endif /* if !HAVE_EVP_MD_CTX_FREE */
#if !HAVE_EVP_MD_CTX_RESET
int
EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
#endif /* if !HAVE_EVP_MD_CTX_RESET */
#if !HAVE_EVP_MD_CTX_GET0_MD #if !HAVE_EVP_MD_CTX_GET0_MD
#define EVP_MD_CTX_get0_md EVP_MD_CTX_md #define EVP_MD_CTX_get0_md EVP_MD_CTX_md
#endif /* if !HAVE_EVP_MD_CTX_GET0_MD */ #endif /* if !HAVE_EVP_MD_CTX_GET0_MD */
#if !HAVE_SSL_READ_EX
int
SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
#endif
#if !HAVE_SSL_PEEK_EX
int
SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
#endif
#if !HAVE_SSL_WRITE_EX
int
SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written);
#endif
#if !HAVE_BIO_READ_EX #if !HAVE_BIO_READ_EX
int int
BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes); BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
#endif #endif /* !HAVE_BIO_READ_EX */
#if !HAVE_BIO_WRITE_EX #if !HAVE_BIO_WRITE_EX
int int
BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written); BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
#endif #endif /* !HAVE_BIO_WRITE_EX */
#if !HAVE_OPENSSL_INIT_CRYPTO
#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS 0x00000002L
#define OPENSSL_INIT_ADD_ALL_CIPHERS 0x00000004L
#define OPENSSL_INIT_ADD_ALL_DIGESTS 0x00000008L
#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS 0x00000010L
#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS 0x00000020L
int
OPENSSL_init_crypto(uint64_t opts, const void *settings);
#endif
#if !HAVE_OPENSSL_INIT_SSL
#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
#define OPENSSL_INIT_LOAD_SSL_STRINGS 0x00200000L
int
OPENSSL_init_ssl(uint64_t opts, const void *settings);
#endif
#if !HAVE_OPENSSL_CLEANUP
void
OPENSSL_cleanup(void);
#endif
#if !HAVE_TLS_SERVER_METHOD
#define TLS_server_method SSLv23_server_method
#endif
#if !HAVE_TLS_CLIENT_METHOD
#define TLS_client_method SSLv23_client_method
#endif
#if !HAVE_X509_STORE_UP_REF
int
X509_STORE_up_ref(X509_STORE *v);
#endif /* !HAVE_OPENSSL_CLEANUP */
#if !HAVE_SSL_CTX_SET1_CERT_STORE #if !HAVE_SSL_CTX_SET1_CERT_STORE
void void
SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store); SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
#endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */ #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
#if !HAVE_SSL_CTX_UP_REF
int
SSL_CTX_up_ref(SSL_CTX *store);
#endif /* !HAVE_SSL_CTX_UP_REF */

164
lib/isc/tls.c
View File

@@ -56,27 +56,6 @@
static isc_mem_t *isc__tls_mctx = NULL; static isc_mem_t *isc__tls_mctx = NULL;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static isc_mutex_t *locks = NULL;
static int nlocks;
static void
isc__tls_lock_callback(int mode, int type, const char *file, int line) {
UNUSED(file);
UNUSED(line);
if ((mode & CRYPTO_LOCK) != 0) {
LOCK(&locks[type]);
} else {
UNLOCK(&locks[type]);
}
}
static void
isc__tls_set_thread_id(CRYPTO_THREADID *id) {
CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
}
#endif
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
/* /*
* This was crippled with LibreSSL, so just skip it: * This was crippled with LibreSSL, so just skip it:
@@ -163,7 +142,6 @@ isc__tls_initialize(void) {
#endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \ #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
0x30000000L */ 0x30000000L */
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN | uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
OPENSSL_INIT_LOAD_CONFIG; OPENSSL_INIT_LOAD_CONFIG;
#if defined(OPENSSL_INIT_NO_ATEXIT) #if defined(OPENSSL_INIT_NO_ATEXIT)
@@ -175,28 +153,6 @@ isc__tls_initialize(void) {
#endif #endif
RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1); RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
#else
nlocks = CRYPTO_num_locks();
locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0]));
isc_mutexblock_init(locks, nlocks);
CRYPTO_set_locking_callback(isc__tls_lock_callback);
CRYPTO_THREADID_set_callback(isc__tls_set_thread_id);
CRYPTO_malloc_init();
ERR_load_crypto_strings();
SSL_load_error_strings();
SSL_library_init();
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE_load_builtin_engines();
#endif
OpenSSL_add_all_algorithms();
OPENSSL_load_builtin_modules();
CONF_modules_load_file(NULL, NULL,
CONF_MFLAGS_DEFAULT_SECTION |
CONF_MFLAGS_IGNORE_MISSING_FILE);
#endif
/* Protect ourselves against unseeded PRNG */ /* Protect ourselves against unseeded PRNG */
if (RAND_status() != 1) { if (RAND_status() != 1) {
@@ -208,28 +164,7 @@ isc__tls_initialize(void) {
void void
isc__tls_shutdown(void) { isc__tls_shutdown(void) {
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
OPENSSL_cleanup(); OPENSSL_cleanup();
#else
CONF_modules_unload(1);
OBJ_cleanup();
EVP_cleanup();
#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
ENGINE_cleanup();
#endif
CRYPTO_cleanup_all_ex_data();
ERR_remove_thread_state(NULL);
RAND_cleanup();
ERR_free_strings();
CRYPTO_set_locking_callback(NULL);
if (locks != NULL) {
isc_mutexblock_destroy(locks, nlocks);
isc_mem_cput(isc__tls_mctx, locks, nlocks, sizeof(locks[0]));
locks = NULL;
}
#endif
isc_mem_destroy(&isc__tls_mctx); isc_mem_destroy(&isc__tls_mctx);
} }
@@ -260,15 +195,12 @@ isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) {
*ptarget = src; *ptarget = src;
} }
#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
/* /*
* Callback invoked by the SSL library whenever a new TLS pre-master secret * Callback invoked by the SSL library whenever a new TLS pre-master secret
* needs to be logged. * needs to be logged.
*/ */
static void static void
sslkeylogfile_append(const SSL *ssl, const char *line) { sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) {
UNUSED(ssl);
isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR, isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR,
ISC_LOG_INFO, "%s", line); ISC_LOG_INFO, "%s", line);
} }
@@ -284,9 +216,6 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) {
SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append); SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append);
} }
} }
#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
#define sslkeylogfile_init(ctx)
#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
isc_result_t isc_result_t
isc_tlsctx_createclient(isc_tlsctx_t **ctxp) { isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
@@ -308,12 +237,7 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS); SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#endif
sslkeylogfile_init(ctx); sslkeylogfile_init(ctx);
@@ -384,12 +308,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS); SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
#else
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
#endif
if (ephemeral) { if (ephemeral) {
const int group_nid = NID_X9_62_prime256v1; const int group_nid = NID_X9_62_prime256v1;
@@ -415,27 +334,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
} }
/* Use a named curve and uncompressed point conversion form. */ /* Use a named curve and uncompressed point conversion form. */
#if HAVE_EVP_PKEY_GET0_EC_KEY
EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey), EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
OPENSSL_EC_NAMED_CURVE); OPENSSL_EC_NAMED_CURVE);
EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey), EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
POINT_CONVERSION_UNCOMPRESSED); POINT_CONVERSION_UNCOMPRESSED);
#else
EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
EC_KEY_set_conv_form(pkey->pkey.ec,
POINT_CONVERSION_UNCOMPRESSED);
#endif /* HAVE_EVP_PKEY_GET0_EC_KEY */
#if defined(SSL_CTX_set_ecdh_auto)
/*
* Using this macro is required for older versions of OpenSSL to
* automatically enable ECDH support.
*
* On later versions this function is no longer needed and is
* deprecated.
*/
(void)SSL_CTX_set_ecdh_auto(ctx, 1);
#endif /* defined(SSL_CTX_set_ecdh_auto) */
/* Cleanup */ /* Cleanup */
EC_KEY_free(eckey); EC_KEY_free(eckey);
@@ -494,20 +396,12 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
* Set the "not before" property 5 minutes into the past to * Set the "not before" property 5 minutes into the past to
* accommodate with some possible clock skew across systems. * accommodate with some possible clock skew across systems.
*/ */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
X509_gmtime_adj(X509_get_notBefore(cert), -300);
#else
X509_gmtime_adj(X509_getm_notBefore(cert), -300); X509_gmtime_adj(X509_getm_notBefore(cert), -300);
#endif
/* /*
* We set the vailidy for 10 years. * We set the vailidy for 10 years.
*/ */
#if OPENSSL_VERSION_NUMBER < 0x10101000L
X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600);
#else
X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600); X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
#endif
X509_set_pubkey(cert, pkey); X509_set_pubkey(cert, pkey);
@@ -784,7 +678,6 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
bool bool
isc_tls_cipher_suites_valid(const char *cipher_suites) { isc_tls_cipher_suites_valid(const char *cipher_suites) {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
isc_tlsctx_t *tmp_ctx = NULL; isc_tlsctx_t *tmp_ctx = NULL;
const SSL_METHOD *method = NULL; const SSL_METHOD *method = NULL;
bool result; bool result;
@@ -808,27 +701,15 @@ isc_tls_cipher_suites_valid(const char *cipher_suites) {
isc_tlsctx_free(&tmp_ctx); isc_tlsctx_free(&tmp_ctx);
return (result); return (result);
#else
UNUSED(cipher_suites);
UNREACHABLE();
#endif
} }
void void
isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) { isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) {
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
REQUIRE(ctx != NULL); REQUIRE(ctx != NULL);
REQUIRE(cipher_suites != NULL); REQUIRE(cipher_suites != NULL);
REQUIRE(*cipher_suites != '\0'); REQUIRE(*cipher_suites != '\0');
RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1); RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1);
#else
UNUSED(ctx);
UNUSED(cipher_suites);
UNREACHABLE();
#endif
} }
void void
@@ -916,10 +797,8 @@ isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) {
SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL); SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL);
#endif /* !OPENSSL_NO_NEXTPROTONEG */ #endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN, SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN,
NGHTTP2_PROTO_ALPN_LEN); NGHTTP2_PROTO_ALPN_LEN);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
} }
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
@@ -935,7 +814,6 @@ next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len,
} }
#endif /* !OPENSSL_NO_NEXTPROTONEG */ #endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static int static int
alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen, alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
const unsigned char *in, unsigned int inlen, void *arg) { const unsigned char *in, unsigned int inlen, void *arg) {
@@ -953,7 +831,6 @@ alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
return (SSL_TLSEXT_ERR_OK); return (SSL_TLSEXT_ERR_OK);
} }
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
void void
isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) { isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
@@ -962,9 +839,7 @@ isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL); SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL);
#endif // OPENSSL_NO_NEXTPROTONEG #endif // OPENSSL_NO_NEXTPROTONEG
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL); SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
} }
#endif /* HAVE_LIBNGHTTP2 */ #endif /* HAVE_LIBNGHTTP2 */
@@ -978,11 +853,9 @@ isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn,
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
SSL_get0_next_proto_negotiated(tls, alpn, alpnlen); SSL_get0_next_proto_negotiated(tls, alpn, alpnlen);
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (*alpn == NULL) { if (*alpn == NULL) {
SSL_get0_alpn_selected(tls, alpn, alpnlen); SSL_get0_alpn_selected(tls, alpn, alpnlen);
} }
#endif
} }
static bool static bool
@@ -1015,13 +888,10 @@ void
isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) { isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) {
REQUIRE(ctx != NULL); REQUIRE(ctx != NULL);
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN, SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN,
DOT_PROTO_ALPN_LEN); DOT_PROTO_ALPN_LEN);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
} }
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static int static int
dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
unsigned char *outlen, const unsigned char *in, unsigned char *outlen, const unsigned char *in,
@@ -1039,15 +909,12 @@ dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
return (SSL_TLSEXT_ERR_OK); return (SSL_TLSEXT_ERR_OK);
} }
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
void void
isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) { isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) {
REQUIRE(tls != NULL); REQUIRE(tls != NULL);
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL); SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
} }
isc_result_t isc_result_t
@@ -1608,33 +1475,6 @@ isc_tlsctx_client_session_cache_detach(
isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache)); isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
} }
static bool
ssl_session_seems_resumable(const SSL_SESSION *sess) {
#ifdef HAVE_SSL_SESSION_IS_RESUMABLE
/*
* If SSL_SESSION_is_resumable() is available, let's use that. It
* is expected to be available on OpenSSL >= 1.1.1 and its modern
* siblings.
*/
return (SSL_SESSION_is_resumable(sess) != 0);
#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
/*
* Taking into consideration that OpenSSL 1.1.0 uses opaque
* pointers for SSL_SESSION, we cannot implement a replacement for
* SSL_SESSION_is_resumable() manually. Let's use a sensible
* approximation for that, then: if there is an associated session
* ticket or session ID, then, most likely, the session is
* resumable.
*/
unsigned int session_id_len = 0;
(void)SSL_SESSION_get_id(sess, &session_id_len);
return (SSL_SESSION_has_ticket(sess) || session_id_len > 0);
#else
return (!sess->not_resumable &&
(sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
#endif
}
void void
isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache, isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
char *remote_peer_name, isc_tls_t *tls) { char *remote_peer_name, isc_tls_t *tls) {
@@ -1652,7 +1492,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
if (sess == NULL) { if (sess == NULL) {
ERR_clear_error(); ERR_clear_error();
return; return;
} else if (!ssl_session_seems_resumable(sess)) { } else if (SSL_SESSION_is_resumable(sess) == 0) {
SSL_SESSION_free(sess); SSL_SESSION_free(sess);
return; return;
} }

4
lib/isccfg/namedconf.c
View File

@@ -4058,11 +4058,7 @@ static cfg_clausedef_t tls_clauses[] = {
{ "dhparam-file", &cfg_type_qstring, 0 }, { "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 }, { "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 }, { "ciphers", &cfg_type_astring, 0 },
#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
{ "cipher-suites", &cfg_type_astring, 0 }, { "cipher-suites", &cfg_type_astring, 0 },
#else
{ "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
#endif
{ "prefer-server-ciphers", &cfg_type_boolean, 0 }, { "prefer-server-ciphers", &cfg_type_boolean, 0 },
{ "session-tickets", &cfg_type_boolean, 0 }, { "session-tickets", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 } { NULL, NULL, 0 }

133
m4/ax_check_openssl.m4
View File

@@ -1,133 +0,0 @@
# SPDX-License-Identifier: FSFAP
#
# ===========================================================================
# https://www.gnu.org/software/autoconf-archive/ax_check_openssl.html
# ===========================================================================
#
# SYNOPSIS
#
# AX_CHECK_OPENSSL([action-if-found[, action-if-not-found]])
#
# DESCRIPTION
#
# Look for OpenSSL in a number of default spots, or in a user-selected
# spot (via --with-openssl). Sets
#
# OPENSSL_CFLAGS to the include directives required
# OPENSSL_LIBS to the -l directives required
# OPENSSL_LDFLAGS to the -L or -R flags required
#
# and calls ACTION-IF-FOUND or ACTION-IF-NOT-FOUND appropriately
#
# This macro sets OPENSSL_CFLAGS such that source files should use the
# openssl/ directory in include directives:
#
# #include <openssl/hmac.h>
#
# LICENSE
#
# Copyright (c) 2009,2010 Zmanda Inc. <http://www.zmanda.com/>
# Copyright (c) 2009,2010 Dustin J. Mitchell <dustin@zmanda.com>
#
# Copying and distribution of this file, with or without modification, are
# permitted in any medium without royalty provided the copyright notice
# and this notice are preserved. This file is offered as-is, without any
# warranty.
#serial 11
AU_ALIAS([CHECK_SSL], [AX_CHECK_OPENSSL])
AC_DEFUN([AX_CHECK_OPENSSL], [
found=false
AC_PROG_SED
AC_ARG_WITH([openssl],
[AS_HELP_STRING([--with-openssl=DIR],
[root of the OpenSSL directory])],
[
case "$withval" in
"" | y | ye | yes | n | no)
AC_MSG_ERROR([Invalid --with-openssl value])
;;
*) ssldirs="$withval"
;;
esac
], [
# if pkg-config is installed and openssl has installed a .pc file,
# then use that information and don't search ssldirs
AC_CHECK_TOOL([PKG_CONFIG], [pkg-config])
if test x"$PKG_CONFIG" != x""; then
OPENSSL_LDFLAGS=`$PKG_CONFIG openssl --libs-only-L 2>/dev/null`
if test $? = 0; then
OPENSSL_LIBS=`$PKG_CONFIG openssl --libs-only-l 2>/dev/null`
OPENSSL_CFLAGS=`$PKG_CONFIG openssl --cflags-only-I 2>/dev/null`
OPENSSL_VERSION=`$PKG_CONFIG openssl --modversion 2>/dev/null`
found=true
fi
fi
# no such luck; use some default ssldirs
if ! $found; then
ssldirs="/usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local /usr"
fi
]
)
# note that we #include <openssl/foo.h>, so the OpenSSL headers have to be in
# an 'openssl' subdirectory
if ! $found; then
OPENSSL_CFLAGS=
for ssldir in $ssldirs; do
AC_MSG_CHECKING([for include/openssl/ssl.h in $ssldir])
if test -f "$ssldir/include/openssl/ssl.h"; then
OPENSSL_CFLAGS="-I$ssldir/include"
OPENSSL_LDFLAGS="-L$ssldir/lib"
OPENSSL_LIBS="-lssl -lcrypto"
OPENSSL_VERSION=`$SED -ne 's/.*OPENSSL_VERSION_STR[^"]*"\([^"]*\)".*/\1/p;' $ssldir/include/openssl/opensslv.h`
if test -z "$OPENSSL_VERSION"; then
OPENSSL_VERSION=`$SED -ne 's/.*OPENSSL_VERSION_TEXT[^"]*"\([^"]*\)".*/\1/p;' $ssldir/include/openssl/opensslv.h`
fi
found=true
AC_MSG_RESULT([yes])
break
else
AC_MSG_RESULT([no])
fi
done
# if the file wasn't found, well, go ahead and try the link anyway -- maybe
# it will just work!
fi
# try the preprocessor and linker with our new flags,
# being careful not to pollute the global LIBS, LDFLAGS, and CPPFLAGS
AC_MSG_CHECKING([whether compiling and linking against OpenSSL works])
echo "Trying link with OPENSSL_LDFLAGS=$OPENSSL_LDFLAGS;" \
"OPENSSL_LIBS=$OPENSSL_LIBS; OPENSSL_CFLAGS=$OPENSSL_CFLAGS" >&AS_MESSAGE_LOG_FD
save_LIBS="$LIBS"
save_LDFLAGS="$LDFLAGS"
save_CPPFLAGS="$CPPFLAGS"
LDFLAGS="$LDFLAGS $OPENSSL_LDFLAGS"
LIBS="$OPENSSL_LIBS $LIBS"
CPPFLAGS="$OPENSSL_CFLAGS $CPPFLAGS"
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([#include <openssl/ssl.h>], [SSL_new(NULL)])],
[
AC_MSG_RESULT([yes])
$1
], [
AC_MSG_RESULT([no])
$2
])
CPPFLAGS="$save_CPPFLAGS"
LDFLAGS="$save_LDFLAGS"
LIBS="$save_LIBS"
AC_SUBST([OPENSSL_CFLAGS])
AC_SUBST([OPENSSL_LIBS])
AC_SUBST([OPENSSL_LDFLAGS])
AC_SUBST([OPENSSL_VERSION])
])