From: Juergen Perlinger
Date: Fri, 6 Jan 2017 22:24:33 +0000 (+0100)
Subject: [Bug 3363] Support for openssl-1.1.0 without compatibility modes
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e1441eb3fd817c18acd94dce9b5993323a3be43;p=thirdparty%2Fntp.git

[Bug 3363] Support for openssl-1.1.0 without compatibility modes

bk: 587019219aiPJd_2nQdWB-LtjVp0VA
---
diff --git a/ChangeLog b/ChangeLog
index 62b527bb6..e748ec746 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---
 * [Bug 3144] NTP does not build without openSSL
+* [Bug 3363] Support for openssl-1.1.0 without compatibility modes
+ - rework of patch set from
 ---
 (4.2.8p9) 2016/11/21 Released by Harlan Stenn
diff --git a/include/libssl_compat.h b/include/libssl_compat.h
index a8938a151..2a3697c55 100644
--- a/include/libssl_compat.h
+++ b/include/libssl_compat.h
@@ -24,6 +24,18 @@
 #include "openssl/dsa.h"
 #include "openssl/rsa.h"
+#ifndef OPENSSL_VERSION_NUMBER
+#define OPENSSL_VERSION_NUMBER SSLEAY_VERSION_NUMBER
+#endif
+
+#ifndef OPENSSL_VERSION_TEXT
+#define OPENSSL_VERSION_TEXT SSLEAY_VERSION_TEXT
+#endif
+
+#ifndef OPENSSL_VERSION
+#define OPENSSL_VERSION SSLEAY_VERSION
+#endif
+
 /* ----------------------------------------------------------------- */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
 /* ----------------------------------------------------------------- */
@@ -93,6 +105,13 @@ extern int sslshim_X509_get_signature_nid(const X509 *x);
 #define X509_get_signature_nid sslshim_X509_get_signature_nid
+#define OpenSSL_version_num SSLeay
+#define OpenSSL_version SSLeay_version
+#define X509_get0_notBefore X509_get_notBefore
+#define X509_getm_notBefore X509_get_notBefore
+#define X509_get0_notAfter X509_get_notAfter
+#define X509_getm_notAfter X509_get_notAfter
+
 /* ----------------------------------------------------------------- */
 #endif /* OPENSSL_VERSION_NUMBER < v1.1.0 */
 /* ----------------------------------------------------------------- */
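Review bot: The `#ifndef OPENSSL_VERSION_NUMBER` fallback in the first libssl_compat.h hunk is only sound if `openssl/opensslv.h` has already been included above it; if it has not, `OPENSSL_VERSION_NUMBER` and `SSLEAY_VERSION_NUMBER` are both undefined, the fallback defines one undefined token as another, and the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` that follows evaluates as `0 < 0x10100000L` and silently selects the legacy shims even when building against 1.1.0. The visible context shows only `openssl/dsa.h` and `openssl/rsa.h`, while ssl_init.c, ntp_crypto.c and ntp-keygen.c in this same commit each add `#include "openssl/opensslv.h"` explicitly; adding `#include "openssl/opensslv.h"` in this header ahead of the three `#ifndef` blocks removes the reliance on transitive includes (unless a line earlier in the header, outside this hunk, already does so). A comment such as `/* pre-1.1.0 headers only define the SSLEAY_* spellings; map them to the 1.1.0 names */` above the block would also record why the fallbacks exist.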
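Review bot: The second libssl_compat.h hunk maps both `X509_get0_notBefore` and `X509_getm_notBefore` (and the notAfter pair) to the same pre-1.1.0 `X509_get_notBefore`/`X509_get_notAfter`, so on older OpenSSL the `get0` spelling yields a writable pointer although the 1.1.0 API returns `const ASN1_TIME *`; code that compiles only against the shim will not be warned if it writes through a `get0` result. A one-line comment above the two pairs, e.g. `/* get0 and getm collapse to the same mutable accessor before 1.1.0; treat get0 results as read-only */`, would record that difference for readers who only build against the older library.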
diff --git a/include/ntp_crypto.h b/include/ntp_crypto.h
index b80100614..32134a819 100644
--- a/include/ntp_crypto.h
+++ b/include/ntp_crypto.h
@@ -24,6 +24,7 @@ invalidsyntax: AUTOKEY should be defined only if OPENSSL is.
 #endif
+#include "openssl/bn.h"
 #include "openssl/evp.h"
 #include "ntp_calendar.h" /* for fields in the cert_info structure */
diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c
index ef0f1c185..bebf6e175 100644
--- a/libntp/ssl_init.c
+++ b/libntp/ssl_init.c
@@ -13,52 +13,65 @@
 #include
 #ifdef OPENSSL
+#include "openssl/crypto.h"
 #include "openssl/err.h"
 #include "openssl/evp.h"
+#include "openssl/opensslv.h"
 #include "libssl_compat.h"
-void atexit_ssl_cleanup(void);
-
 int ssl_init_done;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+static void
+atexit_ssl_cleanup(void)
+{
+ if (!ssl_init_done)
+ return;
+
+ ssl_init_done = FALSE;
+ EVP_cleanup();
+ ERR_free_strings();
+}
+
 void
 ssl_init(void)
 {
 init_lib();
- if (ssl_init_done)
- return;
-
- ERR_load_crypto_strings();
- OpenSSL_add_all_algorithms();
- atexit(&atexit_ssl_cleanup);
-
- ssl_init_done = TRUE;
+ if ( ! ssl_init_done) {
+ ERR_load_crypto_strings();
+ OpenSSL_add_all_algorithms();
+ atexit(&atexit_ssl_cleanup);
+ ssl_init_done = TRUE;
+ }
 }
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 void
-atexit_ssl_cleanup(void)
+ssl_init(void)
 {
- if (!ssl_init_done)
- return;
-
- ssl_init_done = FALSE;
- EVP_cleanup();
- ERR_free_strings();
+ init_lib();
+ ssl_init_done = TRUE;
 }
+#endif /* OPENSSL_VERSION_NUMBER */
+
 void
 ssl_check_version(void)
 {
- if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
+ u_long v;
+
+ v = OpenSSL_version_num();
+ if ((v ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
 msyslog(LOG_WARNING, "OpenSSL version mismatch. Built against %lx, you have %lx",
- (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ (u_long)OPENSSL_VERSION_NUMBER, v);
 fprintf(stderr, "OpenSSL version mismatch. Built against %lx, you have %lx\n",
- (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
+ (u_long)OPENSSL_VERSION_NUMBER, v);
 }
 INIT_SSL();
diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c
index 2b9cb52e4..11d087a5a 100644
--- a/ntpd/ntp_crypto.c
+++ b/ntpd/ntp_crypto.c
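Review bot: In the `#else` branch of the ssl_init.c hunk, `ssl_init()` now only calls `init_lib()` and sets `ssl_init_done = TRUE`, with no OpenSSL initialisation call and no `atexit()` cleanup, and nothing in the hunk says why; a reader comparing the two branches will suspect a missing initialisation call. A comment on that branch, e.g. `/* OpenSSL >= 1.1.0 initialises itself on first use and frees its state at exit, so there is nothing to load or register here. */`, would document the intent. The `~0xff0L` mask in `ssl_check_version()` also deserves a one-line comment, e.g. `/* ignore the patch-letter field so same-series updates do not warn */`, since the masked bits are what make this check tolerant where the exact comparison in ntp-keygen.c is not.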
@@ -22,11 +22,15 @@
 #include "ntp_calendar.h"
 #include "ntp_leapsec.h"
+#include "openssl/asn1.h"
 #include "openssl/bn.h"
+#include "openssl/crypto.h"
 #include "openssl/err.h"
 #include "openssl/evp.h"
+#include "openssl/opensslv.h"
 #include "openssl/pem.h"
 #include "openssl/rand.h"
+#include "openssl/x509.h"
 #include "openssl/x509v3.h"
 #include "libssl_compat.h"
@@ -193,7 +197,7 @@ static int crypto_gq (struct exten *, struct peer *);
 static int crypto_mv (struct exten *, struct peer *);
 static int crypto_send (struct exten *, struct value *, int);
 static tstamp_t crypto_time (void);
-static void asn_to_calendar (ASN1_TIME *, struct calendar*);
+static void asn_to_calendar (const ASN1_TIME *, struct calendar*);
 static struct cert_info *cert_parse (const u_char *, long, tstamp_t);
 static int cert_sign (struct exten *, struct value *);
 static struct cert_info *cert_install (struct exten *, struct peer *);
@@ -2010,7 +2014,7 @@ crypto_time()
 static void
 asn_to_calendar (
- ASN1_TIME *asn1time, /* pointer to ASN1_TIME structure */
+ const ASN1_TIME *asn1time, /* pointer to ASN1_TIME structure */
 struct calendar *pjd /* pointer to result */
 )
 {
@@ -3187,8 +3191,8 @@ cert_sign(
 serial = ASN1_INTEGER_new();
 ASN1_INTEGER_set(serial, tstamp);
 X509_set_serialNumber(cert, serial);
- X509_gmtime_adj(X509_get_notBefore(cert), 0L);
- X509_gmtime_adj(X509_get_notAfter(cert), YEAR);
+ X509_gmtime_adj(X509_getm_notBefore(cert), 0L);
+ X509_gmtime_adj(X509_getm_notAfter(cert), YEAR);
 subj = X509_get_issuer_name(cert);
 X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC, hostval.ptr, strlen((const char *)hostval.ptr), -1, 0);
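Review bot: The two rewritten `X509_gmtime_adj()` calls in the cert_sign hunk still discard their return value; `X509_gmtime_adj()` returns NULL when it cannot set the time, so a failure leaves the certificate with an unset validity period that cert_sign then goes on to sign. Checking both, e.g. `if (!X509_gmtime_adj(X509_getm_notBefore(cert), 0L) || !X509_gmtime_adj(X509_getm_notAfter(cert), YEAR))` followed by the function's existing failure path, would close that gap; cert_sign's body continues outside the hunk, so I cannot see which cleanup it uses. The same unchecked pattern is kept by the `X509_time_adj()` lines rewritten in the regress_ssl.c getcert hunk and in the ntp-keygen.c x509 hunk.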
@@ -3497,8 +3501,8 @@ cert_parse(
 return (NULL);
 }
 ret->issuer = estrdup(pch + 3);
- asn_to_calendar(X509_get_notBefore(cert), &(ret->first));
- asn_to_calendar(X509_get_notAfter(cert), &(ret->last));
+ asn_to_calendar(X509_get0_notBefore(cert), &(ret->first));
+ asn_to_calendar(X509_get0_notAfter(cert), &(ret->last));
 /*
 * Extract extension fields. These are ad hoc ripoffs of
@@ -3922,7 +3926,8 @@ crypto_setup(void)
 RAND_seed(&seed, sizeof(l_fp));
 RAND_write_file(randfile);
 DPRINTF(1, ("crypto_setup: OpenSSL version %lx random seed file %s bytes read %d\n",
- SSLeay(), randfile, bytes));
+ OpenSSL_version_num(), randfile, bytes));
+ }
 /*
diff --git a/sntp/libevent/test/regress_ssl.c b/sntp/libevent/test/regress_ssl.c
index bf9b46b1e..226a2a3a7 100644
--- a/sntp/libevent/test/regress_ssl.c
+++ b/sntp/libevent/test/regress_ssl.c
@@ -50,13 +50,21 @@
 #include "tinytest.h"
 #include "tinytest_macros.h"
+#include
 #include
 #include
+#include
 #include
 #include
+#include
+#include
 #include
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define OpenSSL_version_num SSLeay
+#endif /* OPENSSL_VERSION_NUMBER */
+
 /* A short pre-generated key, to save the cost of doing an RSA key generation
 * step during the unit tests. It's only 512 bits long, and it is published
 * in this file, so you would have to be very foolish to consider using it in
@@ -122,9 +130,15 @@ getcert(void)
 X509_set_subject_name(x509, name);
 X509_set_issuer_name(x509, name);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 X509_time_adj(X509_get_notBefore(x509), 0, &now);
 now += 3600;
 X509_time_adj(X509_get_notAfter(x509), 0, &now);
+#else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+ X509_time_adj(X509_getm_notBefore(x509), 0, &now);
+ now += 3600;
+ X509_time_adj(X509_getm_notAfter(x509), 0, &now);
+#endif /* OPENSSL_VERSION_NUMBER */
 X509_set_pubkey(x509, key);
 tt_assert(0 != X509_sign(x509, key, EVP_sha1()));
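Review bot: The `}` added at the end of the crypto_setup hunk has no matching `{` in the hunk, and none of the other ntp_crypto.c hunks in this diff add or remove a brace, so the block it closes opens outside the hunk and the change reads as moving the end of that block rather than as part of the OpenSSL 1.1.0 rename. As far as the hunk shows, the `DPRINTF` of the seed-file summary now ends that block — presumably the conditional guarding the random seed file handling — which the commit message does not mention and which cannot be checked from here. A comment on the brace naming what it closes, e.g. `} /* end of random seed file handling */`, would make the intent reviewable without reading the whole function.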
@@ -163,8 +177,8 @@ init_ssl(void)
 ERR_load_crypto_strings();
 SSL_load_error_strings();
 OpenSSL_add_all_algorithms();
- if (SSLeay() != OPENSSL_VERSION_NUMBER) {
- TT_DECLARE("WARN", ("Version mismatch for openssl: compiled with %lx but running with %lx", (unsigned long)OPENSSL_VERSION_NUMBER, (unsigned long) SSLeay()));
+ if (OpenSSL_version_num() != OPENSSL_VERSION_NUMBER) {
+ TT_DECLARE("WARN", ("Version mismatch for openssl: compiled with %lx but running with %lx", (unsigned long)OPENSSL_VERSION_NUMBER, (unsigned long) OpenSSL_version_num()));
 }
 }
@@ -302,8 +316,8 @@ regress_bufferevent_openssl(void *arg)
 init_ssl();
 if (strstr((char*)data->setup_data, "renegotiate")) {
- if (SSLeay() >= 0x10001000 &&
- SSLeay() < 0x1000104f) {
+ if (OpenSSL_version_num() >= 0x10001000 &&
+ OpenSSL_version_num() < 0x1000104f) {
 /* 1.0.1 up to 1.0.1c has a bug where TLS1.1 and 1.2
 * can't renegotiate with themselves. Disable. */
 disable_tls_11_and_12 = 1;
diff --git a/util/ntp-keygen.c b/util/ntp-keygen.c
index 66a4755df..eb2cb34f7 100644
--- a/util/ntp-keygen.c
+++ b/util/ntp-keygen.c
@@ -98,11 +98,15 @@
 #include "ntp-keygen-opts.h"
 #ifdef OPENSSL
+#include "openssl/asn1.h"
 #include "openssl/bn.h"
+#include "openssl/crypto.h"
 #include "openssl/evp.h"
 #include "openssl/err.h"
 #include "openssl/rand.h"
+#include "openssl/opensslv.h"
 #include "openssl/pem.h"
+#include "openssl/x509.h"
 #include "openssl/x509v3.h"
 #include
 #include "libssl_compat.h"
@@ -326,6 +330,10 @@ main(
 int i, cnt;
 char * ptr;
 #endif /* AUTOKEY */
+#ifdef OPENSSL
+ const char *sslvtext;
+ int sslvmatch;
+#endif /* OPENSSL */
 progname = argv[0];
@@ -363,12 +371,14 @@ main(
 argv += optct; // Just in case we care later.
 #ifdef OPENSSL
- if (SSLeay() == SSLEAY_VERSION_NUMBER)
+ sslvtext = OpenSSL_version(OPENSSL_VERSION);
+ sslvmatch = OpenSSL_version_num() == OPENSSL_VERSION_NUMBER;
+ if (sslvmatch)
 fprintf(stderr, "Using OpenSSL version %s\n",
- SSLeay_version(SSLEAY_VERSION));
+ sslvtext);
 else
 fprintf(stderr, "Built against OpenSSL %s, using version %s\n",
- OPENSSL_VERSION_TEXT, SSLeay_version(SSLEAY_VERSION));
+ OPENSSL_VERSION_TEXT, sslvtext);
 #endif /* OPENSSL */
 debug = OPT_VALUE_SET_DEBUG_LEVEL;
@@ -464,8 +474,10 @@ main(
 /*
 * Seed random number generator and grow weeds.
 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 ERR_load_crypto_strings();
 OpenSSL_add_all_algorithms();
+#endif /* OPENSSL_VERSION_NUMBER */
 if (!RAND_status()) {
 if (RAND_file_name(pathbuf, sizeof(pathbuf)) == NULL) {
 fprintf(stderr, "RAND_file_name %s\n",
@@ -1970,8 +1982,8 @@ x509 (
 ASN1_INTEGER_set(serial, (long)epoch + JAN_1970);
 X509_set_serialNumber(cert, serial);
 ASN1_INTEGER_free(serial);
- X509_time_adj(X509_get_notBefore(cert), 0L, &epoch);
- X509_time_adj(X509_get_notAfter(cert), lifetime * SECSPERDAY, &epoch);
+ X509_time_adj(X509_getm_notBefore(cert), 0L, &epoch);
+ X509_time_adj(X509_getm_notAfter(cert), lifetime * SECSPERDAY, &epoch);
 subj = X509_get_subject_name(cert);
 X509_NAME_add_entry_by_txt(subj, "commonName", MBSTRING_ASC, (u_char *)name, -1, -1, 0);
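Review bot: `sslvmatch = OpenSSL_version_num() == OPENSSL_VERSION_NUMBER;` in the first ntp-keygen.c hunk is an exact comparison, whereas `ssl_check_version()` in libntp/ssl_init.c in this same commit masks with `~0xff0L` so that a patch-letter difference is not reported as a mismatch; the two tools therefore describe the same runtime library differently. If that is deliberate (keygen prints both version strings, so a patch-level difference is informative rather than a warning), a one-line comment such as `/* exact match on purpose: the text of both versions is printed either way */` would stop the next reader from aligning it; otherwise apply the same mask here, `sslvmatch = !((OpenSSL_version_num() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L);`. The `fprintf` bodies under `if (sslvmatch)` / `else` remain unbraced single statements, which is the file's existing style but is worth bracing now that the condition has been touched.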