From: Christos Tsantilas Date: Sat, 19 Nov 2016 13:25:15 +0000 (+1300) Subject: Bug 4599 pt3: use wrapper functions to access BIO object internals X-Git-Tag: M-staged-PR71~363 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=093deea9f0a71cfad662dc4bb22d65dea63b5cea;p=thirdparty%2Fsquid.git Bug 4599 pt3: use wrapper functions to access BIO object internals --- diff --git a/src/ssl/PeekingPeerConnector.cc b/src/ssl/PeekingPeerConnector.cc index 223034904f..53e80218bb 100644 --- a/src/ssl/PeekingPeerConnector.cc +++ b/src/ssl/PeekingPeerConnector.cc @@ -65,7 +65,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSplice() acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpServerFirst)); Security::SessionPointer session(fd_table[serverConn->fd].ssl); BIO *b = SSL_get_rbio(session.get()); - Ssl::ServerBio *srvBio = static_cast(b->ptr); + Ssl::ServerBio *srvBio = static_cast(BIO_get_data(b)); if (!srvBio->canSplice()) acl_checklist->banAction(allow_t(ACCESS_ALLOWED, Ssl::bumpSplice)); if (!srvBio->canBump()) @@ -78,7 +78,7 @@ Ssl::PeekingPeerConnector::checkForPeekAndSpliceMatched(const Ssl::BumpMode acti { Security::SessionPointer session(fd_table[serverConn->fd].ssl); BIO *b = SSL_get_rbio(session.get()); - Ssl::ServerBio *srvBio = static_cast(b->ptr); + Ssl::ServerBio *srvBio = static_cast(BIO_get_data(b)); debugs(83,5, "Will check for peek and splice on FD " << serverConn->fd); Ssl::BumpMode finalAction = action; 
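Review bot: In the `checkForPeekAndSplice` hunk `srvBio` is dereferenced (`srvBio->canSplice()`) immediately after the cast from `BIO_get_data(b)`, with no check that `SSL_get_rbio()` returned a BIO or that the BIO carries a Squid object; `BIO_get_data(NULL)` under OpenSSL 1.1 is a plain NULL dereference just as the old `b->ptr` was, so the accessor swap keeps the crash mode rather than fixing it. Since the commit already touches both lines, adding `Must(b); Must(srvBio);` after the cast would match the `Must(cltBio)` guard used elsewhere in this file and turn a segfault into a reported exception. The same applies to the `checkForPeekAndSpliceMatched` hunk. Both functions continue past the hunk, so the rest of their bodies is not visible here.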
@@ -169,14 +169,14 @@ Ssl::PeekingPeerConnector::initialize(Security::SessionPointer &serverSession) auto clientSession = fd_table[clientConn->fd].ssl.get(); Must(clientSession); BIO *bc = SSL_get_rbio(clientSession); - Ssl::ClientBio *cltBio = static_cast(bc->ptr); + Ssl::ClientBio *cltBio = static_cast(BIO_get_data(bc)); Must(cltBio); if (details && details->tlsVersion.protocol != AnyP::PROTO_NONE) { applyTlsDetailsToSSL(serverSession.get(), details, csd->sslBumpMode); // Should we allow it for all protocols? if (details->tlsVersion.protocol == AnyP::PROTO_TLS || details->tlsVersion == AnyP::ProtocolVersion(AnyP::PROTO_SSL, 3, 0)) { BIO *b = SSL_get_rbio(serverSession.get()); - Ssl::ServerBio *srvBio = static_cast(b->ptr); + Ssl::ServerBio *srvBio = static_cast(BIO_get_data(b)); // Inherite client features, like SSL version, SNI and other srvBio->setClientFeatures(details, cltBio->rBufData()); srvBio->recordInput(true); @@ -262,7 +262,7 @@ Ssl::PeekingPeerConnector::noteWantWrite() const int fd = serverConnection()->fd; Security::SessionPointer session(fd_table[fd].ssl); BIO *b = SSL_get_rbio(session.get()); - Ssl::ServerBio *srvBio = static_cast(b->ptr); + Ssl::ServerBio *srvBio = static_cast(BIO_get_data(b)); if ((srvBio->bumpMode() == Ssl::bumpPeek || srvBio->bumpMode() == Ssl::bumpStare) && srvBio->holdWrite()) { debugs(81, 3, "hold write on SSL connection on FD " << fd); @@ -279,7 +279,7 @@ Ssl::PeekingPeerConnector::noteNegotiationError(const int result, const int ssl_ const int fd = serverConnection()->fd; Security::SessionPointer session(fd_table[fd].ssl); BIO *b = SSL_get_rbio(session.get()); - Ssl::ServerBio *srvBio = static_cast(b->ptr); + Ssl::ServerBio *srvBio = static_cast(BIO_get_data(b)); // In Peek mode, the ClientHello message sent to the server. If the // server resuming a previous (spliced) SSL session with the client, diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc index aad2558488..dac9d26deb 100644 --- a/src/ssl/bio.cc +++ b/src/ssl/bio.cc 
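Review bot: In the `initialize` hunk the client-side pointer is asserted (`Must(cltBio)`) but the server-side one obtained two lines later is not, and `srvBio->setClientFeatures(details, cltBio->rBufData())` follows unconditionally; a `Must(srvBio);` right after `Ssl::ServerBio *srvBio = static_cast<Ssl::ServerBio *>(BIO_get_data(b));` would make the two lookups symmetric. Whether `serverSession`'s rbio can be something other than a Squid BIO at this point cannot be told from the hunk, which is exactly why the assertion is cheap documentation. `initialize` starts and ends outside the hunk.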
@@ -42,6 +42,7 @@ static int squid_bio_destroy(BIO *data); /* SSL callbacks */ static void squid_ssl_info(const SSL *ssl, int where, int ret); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) /// Initialization structure for the BIO table with /// Squid-specific methods and BIO method wrappers. static BIO_METHOD SquidMethods = { @@ -56,14 +57,30 @@ static BIO_METHOD SquidMethods = { squid_bio_destroy, NULL // squid_callback_ctrl not supported }; +#else +static BIO_METHOD *SquidMethods = NULL; +#endif BIO * Ssl::Bio::Create(const int fd, Ssl::Bio::Type type) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) if (BIO *bio = BIO_new(&SquidMethods)) { BIO_int_ctrl(bio, BIO_C_SET_FD, type, fd); return bio; } +#else + if (!SquidMethods) { + SquidMethods = BIO_meth_new(BIO_TYPE_SOCKET, "squid"); + BIO_meth_set_write(SquidMethods, squid_bio_write); + BIO_meth_set_read(SquidMethods, squid_bio_read); + BIO_meth_set_puts(SquidMethods, squid_bio_puts); + BIO_meth_set_gets(SquidMethods, NULL); + BIO_meth_set_ctrl(SquidMethods, squid_bio_ctrl); + BIO_meth_set_create(SquidMethods, squid_bio_create); + BIO_meth_set_destroy(SquidMethods, squid_bio_destroy); + } +#endif return NULL; } @@ -147,18 +164,6 @@ Ssl::Bio::stateChanged(const SSL *ssl, int where, int ret) SSL_state_string(ssl) << " (" << SSL_state_string_long(ssl) << ")"); } -bool -Ssl::ClientBio::isClientHello(int state) -{ - return ( - state == SSL3_ST_SR_CLNT_HELLO_A || - state == SSL23_ST_SR_CLNT_HELLO_A || - state == SSL23_ST_SR_CLNT_HELLO_B || - state == SSL3_ST_SR_CLNT_HELLO_B || - state == SSL3_ST_SR_CLNT_HELLO_C - ); -} - void Ssl::ClientBio::stateChanged(const SSL *ssl, int where, int ret) { 
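Review bot: Under OpenSSL ≥ 1.1.0 `Ssl::Bio::Create` never creates a BIO: the new `#else` branch only builds `SquidMethods` and then falls through to the trailing `return NULL;`, because the `BIO_new()` / `BIO_int_ctrl(bio, BIO_C_SET_FD, type, fd)` sequence lives only inside the `< 0x10100000L` branch. `BIO_meth_new()` can also return NULL, in which case the following `BIO_meth_set_*` calls dereference it. Hoisting the `BIO_new` block below the `#endif` so both branches share it, with a local `BIO_METHOD *` bridging the `&SquidMethods` / `SquidMethods` difference, fixes both. Separately, `BIO_meth_new(BIO_TYPE_SOCKET, "squid")` reuses the socket BIO's type id; OpenSSL 1.1 offers `BIO_get_new_index()` for custom methods, which is presumably the intended way to register one.
```cpp
BIO *
Ssl::Bio::Create(const int fd, Ssl::Bio::Type type)
{
#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
    BIO_METHOD *methods = &SquidMethods;
#else
    if (!SquidMethods) {
        SquidMethods = BIO_meth_new(BIO_TYPE_SOCKET, "squid");
        if (!SquidMethods)
            return NULL; // allocation failure; callers already treat NULL as "no BIO"
        // … unchanged: BIO_meth_set_write/read/puts/gets/ctrl/create/destroy calls …
    }
    BIO_METHOD *methods = SquidMethods;
#endif
    // Common to both OpenSSL generations: create the BIO and attach fd/type.
    if (BIO *bio = BIO_new(methods)) {
        BIO_int_ctrl(bio, BIO_C_SET_FD, type, fd);
        return bio;
    }
    return NULL;
}
```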
@@ -509,10 +514,15 @@ Ssl::ServerBio::resumingSession() static int squid_bio_create(BIO *bi) { +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) bi->init = 0; // set when we store Bio object and socket fd (BIO_C_SET_FD) bi->num = 0; - bi->ptr = NULL; bi->flags = 0; +#else + // No need to set more, openSSL initialize BIO memory to zero. +#endif + + BIO_set_data(bi, NULL); return 1; } @@ -520,8 +530,8 @@ squid_bio_create(BIO *bi) static int squid_bio_destroy(BIO *table) { - delete static_cast(table->ptr); - table->ptr = NULL; + delete static_cast(BIO_get_data(table)); + BIO_set_data(table, NULL); return 1; } @@ -529,7 +539,7 @@ squid_bio_destroy(BIO *table) static int squid_bio_write(BIO *table, const char *buf, int size) { - Ssl::Bio *bio = static_cast(table->ptr); + Ssl::Bio *bio = static_cast(BIO_get_data(table)); assert(bio); return bio->write(buf, size, table); } @@ -538,7 +548,7 @@ squid_bio_write(BIO *table, const char *buf, int size) static int squid_bio_read(BIO *table, char *buf, int size) { - Ssl::Bio *bio = static_cast(table->ptr); + Ssl::Bio *bio = static_cast(BIO_get_data(table)); assert(bio); return bio->read(buf, size, table); } @@ -566,15 +576,15 @@ squid_bio_ctrl(BIO *table, int cmd, long arg1, void *arg2) bio = new Ssl::ServerBio(fd); else bio = new Ssl::ClientBio(fd); - assert(!table->ptr); - table->ptr = bio; - table->init = 1; + assert(!BIO_get_data(table)); + BIO_set_data(table, bio); + BIO_set_init(table, 1); return 0; } case BIO_C_GET_FD: - if (table->init) { - Ssl::Bio *bio = static_cast(table->ptr); + if (BIO_get_init(table)) { + Ssl::Bio *bio = static_cast(BIO_get_data(table)); assert(bio); if (arg2) *static_cast(arg2) = bio->fd(); @@ -588,8 +598,8 @@ squid_bio_ctrl(BIO *table, int cmd, long arg1, void *arg2) return 0; case BIO_CTRL_FLUSH: - if (table->init) { - Ssl::Bio *bio = static_cast(table->ptr); + if (BIO_get_init(table)) { + Ssl::Bio *bio = static_cast(BIO_get_data(table)); assert(bio); bio->flush(table); return 1; 
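Review bot: `squid_bio_create` still resets `bi->init = 0` through the raw struct under the `< 0x10100000L` guard even though this commit introduces a `BIO_set_init` wrapper for precisely that field; only `num` and `flags` lack an accessor. Moving the reset next to the unconditional `BIO_set_data(bi, NULL)` so both generations go through the same API, `BIO_set_init(bi, 0); BIO_set_data(bi, NULL);` after the `#endif`, leaves just `bi->num = 0; bi->flags = 0;` under the guard and keeps the function consistent with the `BIO_set_init(table, 1)` in `squid_bio_ctrl`. The 1.1 comment in that branch also reads awkwardly; `// OpenSSL 1.1 BIO_new() zero-fills the BIO, so num/flags need no explicit reset here` states the assumption the code relies on.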
@@ -619,7 +629,7 @@ static void squid_ssl_info(const SSL *ssl, int where, int ret) { if (BIO *table = SSL_get_rbio(ssl)) { - if (Ssl::Bio *bio = static_cast(table->ptr)) + if (Ssl::Bio *bio = static_cast(BIO_get_data(table))) bio->stateChanged(ssl, where, ret); } } @@ -648,16 +658,16 @@ applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl cbytes[0] = (cipherId >> 8) & 0xFF; cbytes[1] = cipherId & 0xFF; cbytes[2] = 0; -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) - const SSL_METHOD *method = TLS_method(); -#else +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) const SSL_METHOD *method = SSLv23_method(); -#endif const SSL_CIPHER *c = method->get_cipher_by_char(cbytes); +#else + const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes); +#endif if (c != NULL) { if (!strCiphers.isEmpty()) strCiphers.append(":"); - strCiphers.append(c->name); + strCiphers.append(SSL_CIPHER_get_name(c)); } } if (!strCiphers.isEmpty()) diff --git a/src/ssl/bio.h b/src/ssl/bio.h index f5612aefaa..f0112fe011 100644 --- a/src/ssl/bio.h +++ b/src/ssl/bio.h @@ -89,8 +89,6 @@ public: /// by the caller. void setReadBufData(SBuf &data) {rbuf = data;} private: - /// True if the SSL state corresponds to a hello message - bool isClientHello(int state); bool holdRead_; ///< The read hold state of the bio. bool holdWrite_; ///< The write hold state of the bio. int helloSize; ///< The SSL hello message sent by client size @@ -196,5 +194,13 @@ private: void applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode); +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +// OpenSSL v1.0 bio compatibility functions +inline void *BIO_get_data(BIO *table) { return table->ptr; } +inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; } +inline int BIO_get_init(BIO *table) { return table->init; } +inline void BIO_set_init(BIO *table, int init) { table->init = init; } +#endif + #endif /* SQUID_SSL_BIO_H */ 
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc index 4abff40b38..6d4baa5968 100644 --- a/src/ssl/gadgets.cc +++ b/src/ssl/gadgets.cc @@ -109,7 +109,7 @@ bool Ssl::writeCertAndPrivateKeyToFile(Security::CertPointer const & cert, Ssl:: if (!pkey || !cert) return false; - Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal())); + Ssl::BIO_Pointer bio(BIO_new(BIO_s_file())); if (!bio) return false; if (!BIO_write_filename(bio.get(), const_cast(filename))) @@ -650,7 +650,7 @@ static X509 * readSslX509Certificate(char const * certFilename) { if (!certFilename) return NULL; - Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal())); + Ssl::BIO_Pointer bio(BIO_new(BIO_s_file())); if (!bio) return NULL; if (!BIO_read_filename(bio.get(), certFilename)) @@ -663,7 +663,7 @@ EVP_PKEY * Ssl::readSslPrivateKey(char const * keyFilename, pem_password_cb *pas { if (!keyFilename) return NULL; - Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal())); + Ssl::BIO_Pointer bio(BIO_new(BIO_s_file())); if (!bio) return NULL; if (!BIO_read_filename(bio.get(), keyFilename)) diff --git a/src/ssl/support.cc b/src/ssl/support.cc index b8cc4db883..e39fa25d38 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -1330,7 +1330,7 @@ static X509 * readSslX509CertificatesChain(char const * certFilename, STACK_OF( { if (!certFilename) return NULL; - Ssl::BIO_Pointer bio(BIO_new(BIO_s_file_internal())); + Ssl::BIO_Pointer bio(BIO_new(BIO_s_file())); if (!bio) return NULL; if (!BIO_read_filename(bio.get(), certFilename))