[OpenWrt-Devel] [RFC PATCH ustream-ssl] openssl: support OpenSSL 1.1.x API

Rosen Penev rosenp at gmail.com
Sun May 20 17:29:18 EDT 2018 

On Sun, May 20, 2018 at 1:26 PM, Jo-Philipp Wich <jo at mein.io> wrote:
> This commit changes ustream-ssl to support OpenSSL 1.1x as backend.
>
> OpenSSL 1.1.x made the BIO and BIO_METHOD structures opaque and
> introduced new getter/setter APIs to deal with them, therfore define
> forward-compat stubs for older OpenSSL versions and change the code in
> ustream-io-openssl.c to only use the new API.
>
> The new OpenSSL version also deprecated the use of TLSv1_2_server_method()
> in favor to versionless method names, therefor use TLS_server_method() for
> version 1.1.0 and later.
>
> Finally, even the library initialization is not compatible anymore as
> version 1.1.0 deprecated SSL_library_init() and SSL_load_error_string() in
> favor to calling OPENSSL_init_ssl() instead, so adjust the ustream
> initalization to use either variant, depending on the OpenSSL version.
>
> Signed-off-by: Jo-Philipp Wich <jo at mein.io>

The other patch: https://github.com/openwrt/openwrt/pull/967

If deprecated APIs are disabled, there's this error:

/home/mangix/devstuff/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-openssl/ustream-ssl-2018-04-30-527e7002/ustream-openssl.c:
In function '__ustream_ssl_context_new':
/home/mangix/devstuff/openwrt/build_dir/target-mipsel_24kc_musl/ustream-ssl-openssl/ustream-ssl-2018-04-30-527e7002/ustream-openssl.c:59:2:
error: implicit declaration of function 'SSL_CTX_set_ecdh_auto'; did
you mean 'SSL_CTX_set_dh_auto'?
[-Werror=implicit-function-declaration]
  SSL_CTX_set_ecdh_auto(c, 1);
  ^~~~~~~~~~~~~~~~~~~~~
  SSL_CTX_set_dh_auto
cc1: all warnings being treated as errors

I suggest completely removing it. It causes issues here and with WolfSSL.

I believe the versionless server_method enables TLS 1.0 and 1.1, which
is pointless for servers. The only point to it is to keep
compatibility with outdated clients (XP, iOS < 6, Android < 4.4,
etc...). The other patch also calls
SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION) which is the
recommended way now.

> ---
>  ustream-io-openssl.c | 73 +++++++++++++++++++++++++++++++++++-----------------
>  ustream-openssl.c    | 10 +++++--
>  2 files changed, 58 insertions(+), 25 deletions(-)
>
> diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c
> index 6711055..0e45e5f 100644
> --- a/ustream-io-openssl.c
> +++ b/ustream-io-openssl.c
> @@ -23,13 +23,37 @@
>  #include "ustream-ssl.h"
>  #include "ustream-internal.h"
>
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +# define BIO_get_data(b) (b->ptr)
> +# define BIO_set_init(b, v) (b->init = v)
> +# define BIO_set_data(b, v) (b->ptr = v)
> +# define BIO_meth_set_write(m, f) (m->bwrite = f)
> +# define BIO_meth_set_read(m, f) (m->bread = f)
> +# define BIO_meth_set_puts(m, f) (m->bputs = f)
> +# define BIO_meth_set_gets(m, f) (m->bgets = f)
> +# define BIO_meth_set_ctrl(m, f) (m->ctrl = f)
> +# define BIO_meth_set_create(m, f) (m->create = f)
> +# define BIO_meth_set_destroy(m, f) (m->destroy = f)
> +
> +static BIO_METHOD *BIO_meth_new(int type, const char *name)
> +{
> +       BIO_METHOD *bm;
> +
> +       bm = calloc(1, sizeof(*bm));
> +
> +       if (bm) {
> +               bm->type = type;
> +               bm->name = name;
> +       }
> +
> +       return bm;
> +}
> +#endif
> +
>  static int
>  s_ustream_new(BIO *b)
>  {
> -       b->init = 1;
> -       b->num = 0;
> -       b->ptr = NULL;
> -       b->flags = 0;
> +       BIO_set_init(b, 1);
>         return 1;
>  }
>
> @@ -39,9 +63,8 @@ s_ustream_free(BIO *b)
>         if (!b)
>                 return 0;
>
> -       b->ptr = NULL;
> -       b->init = 0;
> -       b->flags = 0;
> +       BIO_set_init(b, 0);
> +       BIO_set_data(b, NULL);
>         return 1;
>  }
>
> @@ -55,7 +78,7 @@ s_ustream_read(BIO *b, char *buf, int len)
>         if (!buf || len <= 0)
>                 return 0;
>
> -       s = (struct ustream *)b->ptr;
> +       s = (struct ustream *)BIO_get_data(b);
>         if (!s)
>                 return 0;
>
> @@ -84,7 +107,7 @@ s_ustream_write(BIO *b, const char *buf, int len)
>         if (!buf || len <= 0)
>                 return 0;
>
> -       s = (struct ustream *)b->ptr;
> +       s = (struct ustream *)BIO_get_data(b);
>         if (!s)
>                 return 0;
>
> @@ -116,25 +139,29 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, void *ptr)
>         };
>  }
>
> -static BIO_METHOD methods_ustream = {
> -       100 | BIO_TYPE_SOURCE_SINK,
> -       "ustream",
> -       s_ustream_write,
> -       s_ustream_read,
> -       s_ustream_puts,
> -       s_ustream_gets,
> -       s_ustream_ctrl,
> -       s_ustream_new,
> -       s_ustream_free,
> -       NULL,
> -};
> +static BIO_METHOD *methods_ustream;
>
>  static BIO *ustream_bio_new(struct ustream *s)
>  {
>         BIO *bio;
>
> -       bio = BIO_new(&methods_ustream);
> -       bio->ptr = s;
> +       if (!methods_ustream) {
> +               methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
> +
> +               if (!methods_ustream)
> +                       return NULL;
> +
> +               BIO_meth_set_write(methods_ustream, s_ustream_write);
> +               BIO_meth_set_read(methods_ustream, s_ustream_read);
> +               BIO_meth_set_puts(methods_ustream, s_ustream_puts);
> +               BIO_meth_set_gets(methods_ustream, s_ustream_gets);
> +               BIO_meth_set_ctrl(methods_ustream, s_ustream_ctrl);
> +               BIO_meth_set_create(methods_ustream, s_ustream_new);
> +               BIO_meth_set_destroy(methods_ustream, s_ustream_free);
> +       }
> +
> +       bio = BIO_new(methods_ustream);
> +       BIO_set_data(bio, s);
>         return bio;
>  }
>
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index eb03dab..6ea6429 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -30,16 +30,22 @@ __ustream_ssl_context_new(bool server)
>         SSL_CTX *c;
>
>         if (!_init) {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>                 SSL_load_error_strings();
>                 SSL_library_init();
> +#else
> +               OPENSSL_init_ssl(0, NULL);
> +#endif
>                 _init = true;
>         }
>
>         if (server)
> -#ifdef CYASSL_OPENSSL_H_
> +#if defined(CYASSL_OPENSSL_H_)
>                 m = SSLv23_server_method();
> -#else
> +#elif OPENSSL_VERSION_NUMBER < 0x10100000L
>                 m = TLSv1_2_server_method();
> +#else
> +               m = TLS_server_method();
>  #endif
>         else
>                 m = SSLv23_client_method();
> --
> 2.11.0
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> http://lists.infradead.org/mailman/listinfo/openwrt-devel

_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
http://lists.infradead.org/mailman/listinfo/openwrt-devel

More information about the openwrt-devel mailing list