[OpenWrt-Devel] [PATCH v2 4/4] ustream-ssl: openssl-1.1 compatibility

Rosen Penev rosenp at gmail.com
Wed May 30 23:49:52 EDT 2018


On Wed, May 30, 2018 at 7:20 PM, Eneas U de Queiroz via openwrt-devel
<openwrt-devel at lists.openwrt.org> wrote:
> ---------- Forwarded message ----------
> From: Eneas U de Queiroz <cote2004-github at yahoo.com>
> To: openwrt-devel at lists.openwrt.org
> Cc: Eneas U de Queiroz <cote2004-github at yahoo.com>
> Bcc:
> Date: Wed, 30 May 2018 23:18:37 -0300
> Subject: [PATCH v2 4/4] ustream-ssl: openssl-1.1 compatibility
> I've rewritten the patch, removing use of the deprecated API.
>
> It is much cleaner now; ustream-io-openssl.c has no #if's, and they're
> minimized in ustream-openssl.c.
This does not apply.
>
> Signed-off-by: Eneas U de Queiroz <cote2004-github at yahoo.com>
> ---
>  openssl_bio_compat.h | 34 ++++++++++++++++++++++++++++++++++
>  ustream-io-openssl.c | 45 +++------------------------------------------
>  ustream-openssl.c    | 26 ++++++++++++--------------
>  3 files changed, 49 insertions(+), 56 deletions(-)
>  create mode 100644 openssl_bio_compat.h
>
> diff --git a/openssl_bio_compat.h b/openssl_bio_compat.h
> new file mode 100644
> index 0000000..dedc412
> --- /dev/null
> +++ b/openssl_bio_compat.h
> @@ -0,0 +1,34 @@
> +#ifndef OPENSSL_BIO_COMPAT_H
> +#define OPENSSL_BIO_COMPAT_H
> +
> +#include <openssl/opensslv.h>
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +
> +#include <openssl/bio.h>
> +#include <string.h>
> +
> +#define BIO_get_data(b) (b->ptr)
> +#define BIO_set_data(b, v) (b->ptr = v)
> +#define BIO_set_init(b, v) (b->init = v)
> +#define BIO_set_shutdown(b, v) (b->flags = v)
> +#define BIO_meth_set_write(m, f) (m->bwrite = f)
> +#define BIO_meth_set_read(m, f) (m->bread = f)
> +#define BIO_meth_set_puts(m, f) (m->bputs = f)
> +#define BIO_meth_set_gets(m, f) (m->bgets = f)
> +#define BIO_meth_set_ctrl(m, f) (m->ctrl = f)
> +#define BIO_meth_set_create(m, f) (m->create = f)
> +#define BIO_meth_set_destroy(m, f) (m->destroy = f)
> +
> +static inline BIO_METHOD *BIO_meth_new(int type, const char *name)
> +{
> +       BIO_METHOD *bm = calloc(1, sizeof(BIO_METHOD));
> +       if (bm) {
> +               bm->type = type;
> +               bm->name = name;
> +       }
> +       return bm;
> +}
> +
> +#endif /* OPENSSL_VERSION_NUMBER */
> +
> +#endif /* OPENSSL_BIO_COMPAT_H */
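Review bot: `BIO_set_shutdown(b, v)` in this shim expands to `b->flags = v`, but the pre-1.1 `bio_st` carries a separate `shutdown` member, so the macro silently writes a different field than the 1.1 accessor it stands in for; `#define BIO_set_shutdown(b, v) ((b)->shutdown = (v))` matches the real API, and the other macros should parenthesise their argument the same way (`#define BIO_get_data(b) ((b)->ptr)`), since the current mapping only preserves the old `b->flags = 0` writes, which 1.0.x `BIO_new()` appears to zero anyway — confirm before switching. The inline `BIO_meth_new` calls `calloc` while the header includes `<string.h>`, which nothing here uses, instead of `<stdlib.h>`; swap the include so the file is self-contained. The shim offers no `BIO_meth_free`, so every method table this `BIO_meth_new` hands out is leaked unless the caller keeps exactly one and reuses it.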
> diff --git a/ustream-io-openssl.c b/ustream-io-openssl.c
> index 73a2ba6..aa9f401 100644
> --- a/ustream-io-openssl.c
> +++ b/ustream-io-openssl.c
> @@ -21,21 +21,15 @@
>  #include <libubox/ustream.h>
>
>  #include "ustream-ssl.h"
> +#include "openssl_bio_compat.h"
>  #include "ustream-internal.h"
>
>  static int
>  s_ustream_new(BIO *b)
>  {
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>         BIO_set_init(b, 1);
>         BIO_set_data(b, NULL);
>         BIO_set_shutdown(b, 0);
> -#else
> -       b->init = 1;
> -       b->num = 0;
> -       b->ptr = NULL;
> -       b->flags = 0;
> -#endif
>         return 1;
>  }
>
> @@ -45,15 +39,9 @@ s_ustream_free(BIO *b)
>         if (!b)
>                 return 0;
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>         BIO_set_data(b, NULL);
>         BIO_set_init(b, 0);
>         BIO_set_shutdown(b, 0);
> -#else
> -       b->ptr = NULL;
> -       b->init = 0;
> -       b->flags = 0;
> -#endif
>         return 1;
>  }
>
> @@ -67,11 +55,7 @@ s_ustream_read(BIO *b, char *buf, int len)
>         if (!buf || len <= 0)
>                 return 0;
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>         s = (struct ustream *)BIO_get_data(b);
> -#else
> -       s = (struct ustream *)b->ptr;
> -#endif
>         if (!s)
>                 return 0;
>
> @@ -100,11 +84,7 @@ s_ustream_write(BIO *b, const char *buf, int len)
>         if (!buf || len <= 0)
>                 return 0;
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>         s = (struct ustream *)BIO_get_data(b);
> -#else
> -       s = (struct ustream *)b->ptr;
> -#endif
>         if (!s)
>                 return 0;
>
> @@ -136,29 +116,13 @@ static long s_ustream_ctrl(BIO *b, int cmd, long num, void *ptr)
>         };
>  }
>
> -#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -static BIO_METHOD methods_ustream = {
> -       100 | BIO_TYPE_SOURCE_SINK,
> -       "ustream",
> -       s_ustream_write,
> -       s_ustream_read,
> -       s_ustream_puts,
> -       s_ustream_gets,
> -       s_ustream_ctrl,
> -       s_ustream_new,
> -       s_ustream_free,
> -       NULL,
> -};
> -#endif
> -
>  static BIO *ustream_bio_new(struct ustream *s)
>  {
>         BIO *bio;
>
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
>         BIO_METHOD *methods_ustream;
>
> -       methods_ustream = BIO_meth_new(BIO_get_new_index() | BIO_TYPE_SOURCE_SINK, "ustream");
> +       methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
>         BIO_meth_set_write(methods_ustream, s_ustream_write);
>         BIO_meth_set_read(methods_ustream, s_ustream_read);
>         BIO_meth_set_puts(methods_ustream, s_ustream_puts);
> @@ -168,10 +132,7 @@ static BIO *ustream_bio_new(struct ustream *s)
>         BIO_meth_set_destroy(methods_ustream, s_ustream_free);
>         bio = BIO_new(methods_ustream);
>         BIO_set_data(bio, s);
> -#else
> -       bio = BIO_new(&methods_ustream);
> -       bio->ptr = s;
> -#endif
> +
>         return bio;
>  }
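Review bot: `BIO_meth_new` on the changed line is called once per `ustream_bio_new`, its result is never checked before the `BIO_meth_set_*` calls, and nothing frees it, so every connection now leaks a `BIO_METHOD` on both the 1.1 path and, with the new compat header, the pre-1.1 path that previously used a static table — and an allocation failure dereferences NULL. Keeping one lazily initialised static method table and checking both `BIO_meth_new` and `BIO_new` restores the old footprint; this assumes `ustream_bio_new` is only called from the single-threaded uloop context and that its caller (outside this hunk) tolerates a NULL return, both of which I cannot see here. Using the fixed type `100 | BIO_TYPE_SOURCE_SINK` instead of `BIO_get_new_index()` is fine, but it deserves a one-line comment such as `/* fixed type id; BIO_get_new_index() would be consumed on every call and is absent before 1.1 */`.

```c
static BIO *ustream_bio_new(struct ustream *s)
{
	static BIO_METHOD *methods_ustream;
	BIO *bio;

	if (!methods_ustream) {
		methods_ustream = BIO_meth_new(100 | BIO_TYPE_SOURCE_SINK, "ustream");
		if (!methods_ustream)
			return NULL;
		BIO_meth_set_write(methods_ustream, s_ustream_write);
		/* … unchanged: remaining BIO_meth_set_* calls … */
	}

	bio = BIO_new(methods_ustream);
	if (!bio)
		return NULL;
	BIO_set_data(bio, s);

	return bio;
}
```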
>
> diff --git a/ustream-openssl.c b/ustream-openssl.c
> index 303b58e..c6839ea 100644
> --- a/ustream-openssl.c
> +++ b/ustream-openssl.c
> @@ -25,42 +25,40 @@
>  __hidden struct ustream_ssl_ctx *
>  __ustream_ssl_context_new(bool server)
>  {
> -       static bool _init = false;
>         const void *m;
>         SSL_CTX *c;
>
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> +       static bool _init = false;
> +
>         if (!_init) {
>                 SSL_load_error_strings();
>                 SSL_library_init();
>                 _init = true;
>         }
> +# define TLS_server_method SSLv23_server_method
> +# define TLS_client_method SSLv23_client_method
> +#endif
>
> -       if (server)
> -#ifdef CYASSL_OPENSSL_H_
> -               m = SSLv23_server_method();
> -#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
> +       if (server) {
>                 m = TLS_server_method();
> -#else
> -               m = TLSv1_2_server_method();
> -#endif
> -       else
> -#if OPENSSL_VERSION_NUMBER >= 0x10100000L
> +       } else
>                 m = TLS_client_method();
> -#else
> -               m = SSLv23_client_method();
> -#endif
>
>         c = SSL_CTX_new((void *) m);
>         if (!c)
>                 return NULL;
>
>         SSL_CTX_set_verify(c, SSL_VERIFY_NONE, NULL);
> -#if !defined(OPENSSL_NO_ECDH) && !defined(CYASSL_OPENSSL_H_)
> +       SSL_CTX_set_options (c, SSL_OP_NO_COMPRESSION); /* avoid CRIME attack */
> +#if !defined(OPENSSL_NO_ECDH) && !defined(CYASSL_OPENSSL_H_) && OPENSSL_VERSION_NUMBER < 0x10100000L
>         SSL_CTX_set_ecdh_auto(c, 1);
>  #endif
>         if (server) {
>  #if OPENSSL_VERSION_NUMBER >= 0x10100000L
>                 SSL_CTX_set_min_proto_version(c, TLS1_2_VERSION);
> +#else
> +               SSL_CTX_set_options (c, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
>  #endif
>                 SSL_CTX_set_cipher_list(c, "DEFAULT:!RC4:@STRENGTH");
>         }
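Review bot: The new pre-1.1 `#else` branch applies `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1` only inside `if (server)`, so a client context built from the newly aliased `SSLv23_client_method` still offers SSLv2/SSLv3 wherever the library has them compiled in, and on 1.1 the client is likewise left at the library's default floor. At minimum hoist `SSL_CTX_set_options(c, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3);` next to the new `SSL_OP_NO_COMPRESSION` call so it covers both roles, keeping the TLS 1.2 floor server-only if clients must still reach TLS 1.0 peers. The `# define TLS_server_method SSLv23_server_method` aliases sit inside the function body and are never `#undef`'d; placing them at file scope next to the includes makes the intent visible and keeps them from surprising anything added below. Dropping the `CYASSL_OPENSSL_H_` branch presumes wolfSSL's compatibility layer exports `TLS_server_method` and these `SSL_OP_*` flags under the `OPENSSL_VERSION_NUMBER` it reports, which should be confirmed against the wolfSSL build OpenWrt ships. The `SSL_VERIFY_NONE` line is untouched context, and `__ustream_ssl_context_new` continues past the end of this hunk.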
> --
> 2.16.1
>
>
>
