X-Git-Url: https://git.sur5r.net/?a=blobdiff_plain;f=libraries%2Flibldap%2Ftls_o.c;h=795278d30d694052c4eb71f0ada97f073940a7a9;hb=eb8f1a7247988cdde34f8d02325c4dc22d146c0d;hp=7b9cafc1e96d6b5eb82cde568fc17cb5bc3a982f;hpb=bae699bfd925327f424d4fddd852356a9b51bc8e;p=openldap
diff --git a/libraries/libldap/tls_o.c b/libraries/libldap/tls_o.c
index 7b9cafc1e9..795278d30d 100644
--- a/libraries/libldap/tls_o.c
+++ b/libraries/libldap/tls_o.c
@@ -2,7 +2,7 @@
/* $OpenLDAP$ */
/* This work is part of OpenLDAP Software .
*
- * Copyright 2008-2014 The OpenLDAP Foundation.
+ * Copyright 2008-2017 The OpenLDAP Foundation.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -47,6 +47,10 @@
#include
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+#define ASN1_STRING_data(x) ASN1_STRING_get0_data(x)
+#endif
+
typedef SSL_CTX tlso_ctx;
typedef SSL tlso_session;
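Review bot: The `OPENSSL_VERSION_NUMBER >= 0x10100000` test added here is also true for LibreSSL, which reports `0x20000000L` but may not provide the 1.1 accessors this patch switches to. The same assumption sits behind the later guards around `OPENSSL_init_ssl`, `X509_NAME_get0_der` and the BIO accessors. If LibreSSL builds are meant to keep working (not visible from this page), the guards would need `&& !defined(LIBRESSL_VERSION_NUMBER)`. Otherwise a short comment such as `/* OpenSSL proper only; LibreSSL is not supported by the 1.1 code paths */` would record the decision.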
@@ -57,9 +61,12 @@ static void tlso_report_error( void );
static void tlso_info_cb( const SSL *ssl, int where, int ret );
static int tlso_verify_cb( int ok, X509_STORE_CTX *ctx );
static int tlso_verify_ok( int ok, X509_STORE_CTX *ctx );
-static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
-
static int tlso_seed_PRNG( const char *randfile );
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+/*
+ * OpenSSL 1.1 API and later has new locking code
+*/
+static RSA * tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length );
#ifdef LDAP_R_COMPILE
/*
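Review bot: The added comment "OpenSSL 1.1 API and later has new locking code" sits inside the `#if OPENSSL_VERSION_NUMBER < 0x10100000` branch and directly above the `tlso_tmp_rsa_cb` prototype, so it reads as if it described the code that follows. Something like `/* Pre-1.1 only: temporary RSA callback and application-supplied locking callbacks; OpenSSL 1.1 does its own locking */` would say what the guarded region contains. The matching `#endif` is in the next hunk, so the guarded region is only partly visible here.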
@@ -100,6 +107,11 @@ static void tlso_thr_init( void )
CRYPTO_set_id_callback( tlso_thread_self );
}
#endif /* LDAP_R_COMPILE */
+#else
+#ifdef LDAP_R_COMPILE
+static void tlso_thr_init( void ) {}
+#endif
+#endif /* OpenSSL 1.1 */
static STACK_OF(X509_NAME) *
tlso_ca_list( char * bundle, char * dir )
@@ -145,9 +157,13 @@ tlso_init( void )
(void) tlso_seed_PRNG( lo->ldo_tls_randfile );
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_digests();
+#else
+ OPENSSL_init_ssl(0, NULL);
+#endif
/* FIXME: mod_ssl does this */
X509V3_add_standard_extensions();
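Review bot: The result of `OPENSSL_init_ssl(0, NULL)` is discarded in the new `#else` branch, so a failed library initialisation would only surface later as unrelated TLS errors. The call returns 0 on failure, so a check such as `if ( !OPENSSL_init_ssl( 0, NULL ) ) { tlso_report_error(); return -1; }` would catch it. This assumes tlso_init reports failure with -1 as tlso_ctx_init does, because its return type and the rest of its body lie outside the hunk.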
@@ -163,9 +179,15 @@ tlso_destroy( void )
{
struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();
+#if OPENSSL_VERSION_NUMBER < 0x10100000
EVP_cleanup();
+#if OPENSSL_VERSION_NUMBER < 0x10000000
ERR_remove_state(0);
+#else
+ ERR_remove_thread_state(NULL);
+#endif
ERR_free_strings();
+#endif
if ( lo->ldo_tls_randfile ) {
LDAP_FREE( lo->ldo_tls_randfile );
@@ -183,7 +205,10 @@ static void
tlso_ctx_ref( tls_ctx *ctx )
{
tlso_ctx *c = (tlso_ctx *)ctx;
- CRYPTO_add( &c->references, 1, CRYPTO_LOCK_SSL_CTX );
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+#define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx->references), 1, CRYPTO_LOCK_SSL_CTX )
+#endif
+ SSL_CTX_up_ref( c );
}
static void
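Review bot: The compat macro `SSL_CTX_up_ref(ctx)` is defined inside the body of tlso_ctx_ref and expands its argument unparenthesised (`ctx->references`), which only works because the single caller passes a plain identifier. Defining it at file scope next to the other version shims as `#define SSL_CTX_up_ref(ctx) CRYPTO_add( &(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX )` keeps it visible and safe for other callers. The BIO shims added in the `@@ -745,12 +796,17 @@` hunk have the same problem, and `b->init = x` and `b->flags &= ~(x)` are also bare assignment expressions. Those should be written like `#define BIO_set_data(b, x) ((b)->ptr = (x))`.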
@@ -241,10 +266,16 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
return -1;
}
- if (lo->ldo_tls_cacertfile != NULL || lo->ldo_tls_cacertdir != NULL) {
+ if ( lo->ldo_tls_cacertfile == NULL && lo->ldo_tls_cacertdir == NULL ) {
+ if ( !SSL_CTX_set_default_verify_paths( ctx ) ) {
+ Debug( LDAP_DEBUG_ANY, "TLS: "
+ "could not use default certificate paths", 0, 0, 0 );
+ tlso_report_error();
+ return -1;
+ }
+ } else {
if ( !SSL_CTX_load_verify_locations( ctx,
- lt->lt_cacertfile, lt->lt_cacertdir ) ||
- !SSL_CTX_set_default_verify_paths( ctx ) )
+ lt->lt_cacertfile, lt->lt_cacertdir ) )
{
Debug( LDAP_DEBUG_ANY, "TLS: "
"could not load verify locations (file:`%s',dir:`%s').\n",
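Review bot: The new `SSL_CTX_set_default_verify_paths()` branch changes which trust anchors a context gets, and nothing in the code records that. With neither `ldo_tls_cacertfile` nor `ldo_tls_cacertdir` set the context now trusts OpenSSL's default CA locations, while an explicit setting no longer has the defaults added to it. A comment above the `if`, such as `/* no CA configured: use OpenSSL's default trust store; an explicit file/dir replaces it rather than extending it */`, would make the intent reviewable. The change also belongs in the TLS option documentation, since existing deployments will validate peers against a different CA set. Separately, the new Debug format string lacks the trailing newline that the neighbouring "could not load verify locations" message has; `"could not use default certificate paths\n"` fixes that. tlso_ctx_init starts and ends outside the hunk.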
@@ -367,7 +398,9 @@ tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
SSL_CTX_set_verify( ctx, i,
lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW ?
tlso_verify_ok : tlso_verify_cb );
+#if OPENSSL_VERSION_NUMBER < 0x10100000
SSL_CTX_set_tmp_rsa_callback( ctx, tlso_tmp_rsa_cb );
+#endif
#ifdef HAVE_OPENSSL_CRL
if ( lo->ldo_tls_crlcheck ) {
X509_STORE *x509_s = SSL_CTX_get_cert_store( ctx );
@@ -462,8 +495,17 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
if (!x) return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
+#else
+ {
+ size_t len = 0;
+ der_dn->bv_val = NULL;
+ X509_NAME_get0_der( xn, (const unsigned char **)&der_dn->bv_val, &len );
+ der_dn->bv_len = len;
+ }
+#endif
/* Don't X509_free, the session is still using it */
return 0;
}
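Review bot: In the new `#else` branch the return value of `X509_NAME_get0_der()` is ignored, so on failure the function still returns 0 with `der_dn->bv_val == NULL` and `bv_len == 0`, and the caller treats an empty DN as a successful lookup. Checking it, for example `if ( !X509_NAME_get0_der( xn, (const unsigned char **)&der_dn->bv_val, &len ) ) return LDAP_INVALID_CREDENTIALS;`, turns that into an explicit error. The identical block added to tlso_session_peer_dn in the next hunk needs the same check, with `X509_free(x)` before the early return. In both functions the pointer stored in `bv_val` is borrowed from the certificate's name, so a one-line comment that the berval must not be freed and must not outlive the session would help callers.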
@@ -489,8 +531,17 @@ tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
return LDAP_INVALID_CREDENTIALS;
xn = X509_get_subject_name(x);
+#if OPENSSL_VERSION_NUMBER < 0x10100000
der_dn->bv_len = i2d_X509_NAME( xn, NULL );
der_dn->bv_val = xn->bytes->data;
+#else
+ {
+ size_t len = 0;
+ der_dn->bv_val = NULL;
+ X509_NAME_get0_der( xn, (const unsigned char **)&der_dn->bv_val, &len );
+ der_dn->bv_len = len;
+ }
+#endif
X509_free(x);
return 0;
}
@@ -630,7 +681,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
navas = X509_NAME_entry_count( xn );
for ( i=navas-1; i>=0; i-- ) {
ne = X509_NAME_get_entry( xn, i );
- if ( !OBJ_cmp( ne->object, obj )) {
+ if ( !OBJ_cmp( X509_NAME_ENTRY_get_object(ne), obj )) {
cn = X509_NAME_ENTRY_get_data( ne );
break;
}
@@ -745,12 +796,17 @@ struct tls_data {
Sockbuf_IO_Desc *sbiod;
};
+#if OPENSSL_VERSION_NUMBER < 0x10100000
+#define BIO_set_init(b, x) b->init = x
+#define BIO_set_data(b, x) b->ptr = x
+#define BIO_clear_flags(b, x) b->flags &= ~(x)
+#define BIO_get_data(b) b->ptr
+#endif
static int
tlso_bio_create( BIO *b ) {
- b->init = 1;
- b->num = 0;
- b->ptr = NULL;
- b->flags = 0;
+ BIO_set_init( b, 1 );
+ BIO_set_data( b, NULL );
+ BIO_clear_flags( b, ~0 );
return 1;
}
@@ -759,9 +815,9 @@ tlso_bio_destroy( BIO *b )
{
if ( b == NULL ) return 0;
- b->ptr = NULL; /* sb_tls_remove() will free it */
- b->init = 0;
- b->flags = 0;
+ BIO_set_data( b, NULL ); /* sb_tls_remove() will free it */
+ BIO_set_init( b, 0 );
+ BIO_clear_flags( b, ~0 );
return 1;
}
@@ -773,7 +829,7 @@ tlso_bio_read( BIO *b, char *buf, int len )
if ( buf == NULL || len <= 0 ) return 0;
- p = (struct tls_data *)b->ptr;
+ p = (struct tls_data *)BIO_get_data(b);
if ( p == NULL || p->sbiod == NULL ) {
return 0;
@@ -800,7 +856,7 @@ tlso_bio_write( BIO *b, const char *buf, int len )
if ( buf == NULL || len <= 0 ) return 0;
- p = (struct tls_data *)b->ptr;
+ p = (struct tls_data *)BIO_get_data(b);
if ( p == NULL || p->sbiod == NULL ) {
return 0;
@@ -840,7 +896,22 @@ tlso_bio_puts( BIO *b, const char *str )
{
return tlso_bio_write( b, str, strlen( str ) );
}
-
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000
+struct bio_method_st {
+ int type;
+ const char *name;
+ int (*bwrite) (BIO *, const char *, int);
+ int (*bread) (BIO *, char *, int);
+ int (*bputs) (BIO *, const char *);
+ int (*bgets) (BIO *, char *, int);
+ long (*ctrl) (BIO *, int, long, void *);
+ int (*create) (BIO *);
+ int (*destroy) (BIO *);
+ long (*callback_ctrl) (BIO *, int, bio_info_cb *);
+};
+#endif
+
static BIO_METHOD tlso_bio_method =
{
( 100 | 0x400 ), /* it's a source/sink BIO */
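Review bot: Re-declaring `struct bio_method_st` locally for OpenSSL 1.1 copies a private libcrypto layout into this file, and nothing ties the copy to the library's real definition. If the library's struct differs in field order or callback signatures (the layout is not part of the public API and is not guaranteed stable across releases), `BIO_new( &tlso_bio_method )` would hand OpenSSL a table whose function pointers it calls through the wrong slots. The 1.1 API provides `BIO_meth_new()` and the `BIO_meth_set_*()` setters for this purpose. The method should be built at init time as sketched below, with `BIO_new( tlso_bio_method )` in tlso_sb_setup. The static initializer continues past the end of the hunk, so its name string and remaining callbacks are stood in for by a placeholder and a comment.

```c
#if OPENSSL_VERSION_NUMBER >= 0x10100000
static BIO_METHOD *tlso_bio_method;	/* built once through the public API */

static int
tlso_bio_method_init( void )
{
	/* "<method name>" is a placeholder: reuse the name string from the existing initializer */
	tlso_bio_method = BIO_meth_new( ( 100 | 0x400 ), "<method name>" );
	if ( tlso_bio_method == NULL ) return -1;
	BIO_meth_set_write( tlso_bio_method, tlso_bio_write );
	BIO_meth_set_read( tlso_bio_method, tlso_bio_read );
	BIO_meth_set_puts( tlso_bio_method, tlso_bio_puts );
	BIO_meth_set_create( tlso_bio_method, tlso_bio_create );
	BIO_meth_set_destroy( tlso_bio_method, tlso_bio_destroy );
	/* … unchanged: remaining callbacks from the existing initializer, set the same way … */
	return 0;
}
#endif
```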
@@ -870,7 +941,7 @@ tlso_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
p->session = arg;
p->sbiod = sbiod;
bio = BIO_new( &tlso_bio_method );
- bio->ptr = (void *)p;
+ BIO_set_data( bio, p );
SSL_set_bio( p->session, bio, bio );
sbiod->sbiod_pvt = p;
return 0;
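Review bot: `BIO_new()` can return NULL, and the converted line passes that result straight to `BIO_set_data( bio, p )` and `SSL_set_bio()`, so an allocation failure becomes a NULL dereference instead of an error return. A guard such as `if ( bio == NULL ) return -1;` before `BIO_set_data` would handle it. It should also release `p`, which is presumably allocated above the hunk where the start of tlso_sb_setup is not visible.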
@@ -1100,9 +1171,9 @@ tlso_verify_cb( int ok, X509_STORE_CTX *ctx )
certerr, 0, 0 );
}
if ( sname )
- CRYPTO_free ( sname );
+ OPENSSL_free ( sname );
if ( iname )
- CRYPTO_free ( iname );
+ OPENSSL_free ( iname );
#ifdef HAVE_EBCDIC
if ( certerr ) LDAP_FREE( certerr );
#endif
@@ -1142,6 +1213,7 @@ tlso_report_error( void )
}
}
+#if OPENSSL_VERSION_NUMBER < 0x10100000
static RSA *
tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
{
@@ -1172,6 +1244,7 @@ tlso_tmp_rsa_cb( SSL *ssl, int is_export, int key_length )
}
return tmp_rsa;
}
+#endif /* OPENSSL_VERSION_NUMBER < 1.1 */
static int
tlso_seed_PRNG( const char *randfile )