From bed730c207ad9ef318d3bccb8bbfa8c07d0b5a57 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Thu, 31 Aug 2017 04:38:07 +1200
Subject: [PATCH] Add checks for OpenSSL 1.1.0f API changes (#54)

---
 acinclude/lib-checks.m4 | 25 +++++++++++++++++++++++++
 configure.ac | 1 +
 src/ssl/gadgets.cc | 27 +++++++++++++++++++--------
 src/ssl/gadgets.h | 5 +++++
 src/ssl/support.cc | 11 ++---------
 5 files changed, 52 insertions(+), 17 deletions(-)

diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index 68bf33a183..af488e4458 100644
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -259,6 +259,31 @@ return 0;
 SQUID_STATE_ROLLBACK(check_const_SSL_CTX_sess_set_get_cb)
 ])
 
+dnl Checks whether the X509_get0_signature() has const arguments
+AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS],[
+ AH_TEMPLATE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, "Define if X509_get0_signature() accepts const parameters")
+ SQUID_STATE_SAVE(check_const_X509_get0_signature_args)
+ AC_MSG_CHECKING("whether X509_get0_signature() accepts const parameters")
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include
+ ],[
+#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE
+ const ASN1_BIT_STRING *sig = nullptr;
+ const X509_ALGOR *sig_alg;
+ X509_get0_signature(&sig, &sig_alg, nullptr);
+#else
+#error Missing X509_get0_signature()
+#endif
+ ])
+ ],[
+ AC_DEFINE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, 1)
+ AC_MSG_RESULT([yes])
+ ],[
+ AC_MSG_RESULT([no])
+ ])
+ SQUID_STATE_ROLLBACK(check_const_X509_get0_signature_args)
+])
+
 dnl Try to handle TXT_DB related problems:
 dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version
 dnl 2) The IMPLEMENT_LHASH_* openSSL macros in openSSL-1.0.1 and later releases is not
diff --git a/configure.ac b/configure.ac
index 2968c56958..8a0d665bc1 100644
--- a/configure.ac
+++ b/configure.ac
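Review bot: The probe body uses `nullptr`, so AC_COMPILE_IFELSE can only answer "yes" when it is compiled as C++; if the active autoconf language at this point is still C (SQUID_STATE_SAVE and the surrounding macros are not visible here, so I cannot tell), the check fails for every OpenSSL, SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS stays undefined, and the non-const branch in gadgets.cc is then selected even against OpenSSL 1.1.0f, which is the build break this patch is meant to fix. Unless the caller already selects C++, wrap the probe in `AC_LANG_PUSH([C++])` / `AC_LANG_POP([C++])` around AC_COMPILE_IFELSE. The `#include` line shows no header name on this page, most likely stripped angle brackets; confirm it names the OpenSSL x509 header. The `#error` path in the non-HAVE_LIBCRYPTO_X509_GET0_SIGNATURE case reports "no", which is harmless because gadgets.cc reads the new macro only inside that guard, but a short dnl comment saying so would save the next reader the same reasoning.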
@@ -1367,6 +1367,7 @@ if test "x$with_openssl" = "xyes"; then
 SQUID_CHECK_OPENSSL_CONST_SSL_METHOD
 SQUID_CHECK_OPENSSL_CONST_CRYPTO_EX_DATA
 SQUID_CHECK_OPENSSL_CONST_SSL_SESSION_CB_ARG
+ SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS
 SQUID_CHECK_OPENSSL_TXTDB
 SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK
 fi
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index cd7dad5b8a..c7331bac9a 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -222,14 +222,7 @@ Ssl::CertificateProperties::CertificateProperties():
 static void printX509Signature(const Security::CertPointer &cert, std::string &out)
 {
- ASN1_BIT_STRING *sig = nullptr;
-#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE
- X509_ALGOR *sig_alg;
- X509_get0_signature(&sig, &sig_alg, cert.get());
-#else
- sig = cert->signature;
-#endif
-
+ const ASN1_BIT_STRING *sig = Ssl::X509_get_signature(cert);
 if (sig && sig->data) {
 const unsigned char *s = sig->data;
 for (int i = 0; i < sig->length; ++i) {
@@ -952,3 +945,21 @@ Ssl::CertificatesCmp(const Security::CertPointer &cert1, const Security::CertPoi
 return ret;
 }
 
+const ASN1_BIT_STRING *
+Ssl::X509_get_signature(const Security::CertPointer &cert)
+{
+#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE
+#if SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS
+ const ASN1_BIT_STRING *sig = nullptr;
+ const X509_ALGOR *sig_alg = nullptr;
+#else
+ ASN1_BIT_STRING *sig = nullptr;
+ X509_ALGOR *sig_alg = nullptr;
+#endif
+ X509_get0_signature(&sig, &sig_alg, cert.get());
+ return sig;
+#else
+ return cert->signature;
+#endif
+}
+
diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
index b0e7f9004e..2c084d34ec 100644
--- a/src/ssl/gadgets.h
+++ b/src/ssl/gadgets.h
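Review bot: Ssl::X509_get_signature dereferences `cert` unconditionally — `cert.get()` is handed to X509_get0_signature(), which in the OpenSSL sources I know does not check its X509 argument, and the pre-X509_get0_signature branch reads `cert->signature` directly — so a nil CertPointer is undefined behaviour rather than a nullptr result. The new call site in printX509Signature (first gadgets.cc hunk) passes its argument straight through with no check visible in that hunk, whereas the support.cc caller tests mimicCert first, so the two callers currently disagree about who guards. Either add `if (!cert) return nullptr;` at the top of the function, or record the precondition on the declaration in gadgets.h, e.g. `/// \pre cert is not nil`. A smaller point: X509_get0_signature() accepts a null second argument in the versions I am aware of, so `sig_alg` exists only to be discarded and could be replaced by passing `nullptr`; confirm against the oldest OpenSSL Squid supports before relying on that.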
@@ -278,6 +278,11 @@ const char *getOrganization(X509 *x509);
 /// \ingroup ServerProtocolSSLAPI
 /// \return whether both certificates exist and are the same (e.g., have identical ASN.1 images)
 bool CertificatesCmp(const Security::CertPointer &cert1, const Security::CertPointer &cert2);
+
+/// wrapper for OpenSSL X509_get0_signature() which takes care of
+/// portability issues with older OpenSSL versions
+const ASN1_BIT_STRING *X509_get_signature(const Security::CertPointer &);
+
 } // namespace Ssl
 
 #endif // SQUID_SSL_GADGETS_H
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 99b73f2ef6..5e37ce1e01 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -1366,15 +1366,8 @@ bool Ssl::generateUntrustedCert(Security::CertPointer &untrustedCert, EVP_PKEY_P
 void Ssl::InRamCertificateDbKey(const Ssl::CertificateProperties &certProperties, SBuf &key)
 {
 bool origSignatureAsKey = false;
- if (certProperties.mimicCert.get()) {
- ASN1_BIT_STRING *sig = nullptr;
-#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE
- X509_ALGOR *sig_alg;
- X509_get0_signature(&sig, &sig_alg, certProperties.mimicCert.get());
-#else
- sig = certProperties.mimicCert->signature;
-#endif
- if (sig) {
+ if (certProperties.mimicCert) {
+ if (auto *sig = Ssl::X509_get_signature(certProperties.mimicCert)) {
 origSignatureAsKey = true;
 key.append((const char *)sig->data, sig->length);
 }
-- 
2.47.2
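Review bot: The rewritten inner condition tests only the pointer, so an ASN1_BIT_STRING whose `data` is null still sets origSignatureAsKey and feeds `sig->data` with `sig->length` to key.append, while printX509Signature in the same commit guards with `sig && sig->data`; the two call sites that this patch unifies behind X509_get_signature should apply the same test. The old code had the same `if (sig)` shape, so this is not a regression, but the refactor is the moment to align them: `if (auto *sig = Ssl::X509_get_signature(certProperties.mimicCert)) { if (sig->data) { ... } }`, or a one-line comment explaining why a signature with no data is acceptable as a database key here. Whether SBuf::append tolerates a null source with a zero length is not visible in this hunk. InRamCertificateDbKey continues past the end of the hunk.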