Commit 8c36971e authored by Tatsuhiro Tsujikawa's avatar Tatsuhiro Tsujikawa

Compile with OPENSSL_NO_DEPRECATED and fix memory leaks

parent ba1dff18
......@@ -715,8 +715,18 @@ int main(int argc, char **argv) {
act.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &act, 0);
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
/* No explicit initialization is required. */
#elif defined(OPENSSL_IS_BORINGSSL)
CRYPTO_library_init();
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
rv = parse_uri(&uri, argv[1]);
if (rv != 0) {
......
......@@ -617,8 +617,18 @@ int main(int argc, char **argv) {
act.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &act, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
/* No explicit initialization is required. */
#elif defined(OPENSSL_IS_BORINGSSL)
CRYPTO_library_init();
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
run(argv[1]);
return 0;
......
......@@ -153,14 +153,9 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
{
EVP_PKEY *ecdh;
ecdh = EVP_EC_gen("P-256");
if (!ecdh) {
errx(1, "EVP_EC_gen failed: %s", ERR_error_string(ERR_get_error(), NULL));
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EVP_PKEY_free(ecdh);
if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
errx(1, "SSL_CTX_set1_curves_list failed: %s",
ERR_error_string(ERR_get_error(), NULL));
}
#else /* !(OPENSSL_VERSION_NUMBER >= 0x30000000L) */
{
......@@ -822,8 +817,18 @@ int main(int argc, char **argv) {
act.sa_handler = SIG_IGN;
sigaction(SIGPIPE, &act, NULL);
#if OPENSSL_VERSION_NUMBER >= 0x1010000fL
/* No explicit initialization is required. */
#elif defined(OPENSSL_IS_BORINGSSL)
CRYPTO_library_init();
#else /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
OPENSSL_config(NULL);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif /* !(OPENSSL_VERSION_NUMBER >= 0x1010000fL) && \
!defined(OPENSSL_IS_BORINGSSL) */
run(argv[1], argv[2], argv[3]);
return 0;
......
......@@ -2143,22 +2143,13 @@ int HttpServer::run() {
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
#ifndef OPENSSL_NO_EC
// Disabled SSL_CTX_set_ecdh_auto, because computational cost of
// chosen curve is much higher than P-256.
// SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
// Use P-256, which is sufficiently secure at the time of this
// writing.
# if OPENSSL_3_0_0_API
auto ecdh = EVP_EC_gen("P-256");
if (ecdh == nullptr) {
std::cerr << "EC_KEY_new_by_curv_name failed: "
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
std::cerr << "SSL_CTX_set1_curves_list failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
return -1;
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EVP_PKEY_free(ecdh);
# else // !OPENSSL_3_0_0_API
# else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == nullptr) {
std::cerr << "EC_KEY_new_by_curv_name failed: "
......@@ -2167,7 +2158,7 @@ int HttpServer::run() {
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
# endif // !OPENSSL_3_0_0_API
# endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // OPENSSL_NO_EC
if (!config_->dh_param_file.empty()) {
......@@ -2191,8 +2182,11 @@ int HttpServer::run() {
return -1;
}
SSL_CTX_set_tmp_dh(ssl_ctx, dh);
EVP_PKEY_free(dh);
if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
std::cerr << "SSL_CTX_set0_tmp_dh_pkey failed: "
<< ERR_error_string(ERR_get_error(), nullptr) << std::endl;
return -1;
}
#else // !OPENSSL_3_0_0_API
auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
......
......@@ -755,7 +755,11 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
std::tie(p, last) = copy('-', p, last);
break;
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(lgsp.ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(lgsp.ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
std::tie(p, last) = copy('-', p, last);
break;
......@@ -766,7 +770,9 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
lf.type == LogFragmentType::TLS_CLIENT_FINGERPRINT_SHA256
? EVP_sha256()
: EVP_sha1());
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
if (len <= 0) {
std::tie(p, last) = copy('-', p, last);
break;
......@@ -780,7 +786,11 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
std::tie(p, last) = copy('-', p, last);
break;
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(lgsp.ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(lgsp.ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
std::tie(p, last) = copy('-', p, last);
break;
......@@ -788,7 +798,9 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
auto name = lf.type == LogFragmentType::TLS_CLIENT_ISSUER_NAME
? tls::get_x509_issuer_name(balloc, x)
: tls::get_x509_subject_name(balloc, x);
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
if (name.empty()) {
std::tie(p, last) = copy('-', p, last);
break;
......@@ -801,13 +813,19 @@ void upstream_accesslog(const std::vector<LogFragment> &lfv,
std::tie(p, last) = copy('-', p, last);
break;
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(lgsp.ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(lgsp.ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
std::tie(p, last) = copy('-', p, last);
break;
}
auto sn = tls::get_x509_serial(balloc, x);
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
if (sn.empty()) {
std::tie(p, last) = copy('-', p, last);
break;
......
......@@ -153,7 +153,11 @@ mrb_value env_get_tls_client_fingerprint_md(mrb_state *mrb, const EVP_MD *md) {
return mrb_str_new_static(mrb, "", 0);
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
return mrb_str_new_static(mrb, "", 0);
}
......@@ -161,7 +165,9 @@ mrb_value env_get_tls_client_fingerprint_md(mrb_state *mrb, const EVP_MD *md) {
// Currently the largest hash value is SHA-256, which is 32 bytes.
std::array<uint8_t, 32> buf;
auto slen = tls::get_x509_fingerprint(buf.data(), buf.size(), x, md);
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
if (slen == -1) {
mrb_raise(mrb, E_RUNTIME_ERROR, "could not compute client fingerprint");
}
......@@ -199,14 +205,20 @@ mrb_value env_get_tls_client_subject_name(mrb_state *mrb, mrb_value self) {
return mrb_str_new_static(mrb, "", 0);
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
return mrb_str_new_static(mrb, "", 0);
}
auto &balloc = downstream->get_block_allocator();
auto name = tls::get_x509_subject_name(balloc, x);
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
return mrb_str_new(mrb, name.c_str(), name.size());
}
} // namespace
......@@ -223,14 +235,20 @@ mrb_value env_get_tls_client_issuer_name(mrb_state *mrb, mrb_value self) {
return mrb_str_new_static(mrb, "", 0);
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
return mrb_str_new_static(mrb, "", 0);
}
auto &balloc = downstream->get_block_allocator();
auto name = tls::get_x509_issuer_name(balloc, x);
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
return mrb_str_new(mrb, name.c_str(), name.size());
}
} // namespace
......@@ -247,14 +265,20 @@ mrb_value env_get_tls_client_serial(mrb_state *mrb, mrb_value self) {
return mrb_str_new_static(mrb, "", 0);
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
return mrb_str_new_static(mrb, "", 0);
}
auto &balloc = downstream->get_block_allocator();
auto sn = tls::get_x509_serial(balloc, x);
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
return mrb_str_new(mrb, sn.c_str(), sn.size());
}
} // namespace
......@@ -271,16 +295,24 @@ mrb_value env_get_tls_client_not_before(mrb_state *mrb, mrb_value self) {
return mrb_fixnum_value(0);
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
return mrb_fixnum_value(0);
}
time_t t;
if (tls::get_x509_not_before(t, x) != 0) {
return mrb_fixnum_value(0);
t = 0;
}
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
return mrb_fixnum_value(t);
}
} // namespace
......@@ -297,16 +329,24 @@ mrb_value env_get_tls_client_not_after(mrb_state *mrb, mrb_value self) {
return mrb_fixnum_value(0);
}
#if OPENSSL_3_0_0_API
auto x = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto x = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!x) {
return mrb_fixnum_value(0);
}
time_t t;
if (tls::get_x509_not_after(t, x) != 0) {
return mrb_fixnum_value(0);
t = 0;
}
#if !OPENSSL_3_0_0_API
X509_free(x);
#endif // !OPENSSL_3_0_0_API
return mrb_fixnum_value(t);
}
} // namespace
......
......@@ -1031,8 +1031,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
DIE();
}
SSL_CTX_set_tmp_dh(ssl_ctx, dh);
EVP_PKEY_free(dh);
if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
LOG(FATAL) << "SSL_CTX_set0_tmp_dh_pkey failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#else // !OPENSSL_3_0_0_API
auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
if (dh == nullptr) {
......@@ -1456,8 +1459,11 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
DIE();
}
SSL_CTX_set_tmp_dh(ssl_ctx, dh);
EVP_PKEY_free(dh);
if (SSL_CTX_set0_tmp_dh_pkey(ssl_ctx, dh) != 1) {
LOG(FATAL) << "SSL_CTX_set0_tmp_dh_pkey failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# else // !OPENSSL_3_0_0_API
auto dh = PEM_read_bio_DHparams(bio, nullptr, nullptr, nullptr);
if (dh == nullptr) {
......@@ -2064,14 +2070,20 @@ int verify_hostname(X509 *cert, const StringRef &hostname,
} // namespace
int check_cert(SSL *ssl, const Address *addr, const StringRef &host) {
#if OPENSSL_3_0_0_API
auto cert = SSL_get0_peer_certificate(ssl);
#else // !OPENSSL_3_0_0_API
auto cert = SSL_get_peer_certificate(ssl);
#endif // !OPENSSL_3_0_0_API
if (!cert) {
// By the protocol definition, TLS server always sends certificate
// if it has. If certificate cannot be retrieved, authentication
// without certificate is used, such as PSK.
return 0;
}
#if !OPENSSL_3_0_0_API
auto cert_deleter = defer(X509_free, cert);
#endif // !OPENSSL_3_0_0_API
if (verify_hostname(cert, host, addr) != 0) {
LOG(ERROR) << "Certificate verification failed: hostname does not match";
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment