From 49c74fff65d23756746cab1470c67cf94b9db789 Mon Sep 17 00:00:00 2001
From: Glenn Strauss
Date: Wed, 20 Apr 2016 03:57:38 -0400
Subject: [PATCH] [core] compile with upcoming openssl 1.1.0 release (fixes #2727) (thx falemagn)

x-ref: "Won't compile with OpenSSL 1.1.0" https://redmine.lighttpd.net/issues/2727
---
 NEWS | 1 +
 src/connections-glue.c | 6 ++++++
 src/network.c | 16 ++++++++++++----
 src/response.c | 3 ++-
 src/server.c | 6 ++++++
 5 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index e1d6d62a..5d09f5ac 100644
--- a/NEWS
+++ b/NEWS
@@ -81,6 +81,7 @@ NEWS
   * [core] open fd when appending file to cq (fixes #2655)
   * [config] server.listen-backlog option (fixes #1825, #2116)
   * [core] retry tempdirs on partial write, ENOSPC (fixes #2588)
+  * [core] compile with upcoming openssl 1.1.0 release (fixes #2727)
 
 - 1.4.39 - 2016-01-02
   * [core] fix memset_s call (fixes #2698)
diff --git a/src/connections-glue.c b/src/connections-glue.c
index bc67b9fd..9c2badcb 100644
--- a/src/connections-glue.c
+++ b/src/connections-glue.c
@@ -180,9 +180,15 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
 	while((ssl_err = ERR_get_error())) {
 		switch (ERR_GET_REASON(ssl_err)) {
 		case SSL_R_SSL_HANDSHAKE_FAILURE:
+	      #ifdef SSL_R_TLSV1_ALERT_UNKNOWN_CA
 		case SSL_R_TLSV1_ALERT_UNKNOWN_CA:
+	      #endif
+	      #ifdef SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN
 		case SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN:
+	      #endif
+	      #ifdef SSL_R_SSLV3_ALERT_BAD_CERTIFICATE
 		case SSL_R_SSLV3_ALERT_BAD_CERTIFICATE:
+	      #endif
 			if (!con->conf.log_ssl_noise) continue;
 			break;
 		default:
diff --git a/src/network.c b/src/network.c
index 6f34aef2..d8526a64 100644
--- a/src/network.c
+++ b/src/network.c
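Review bot: The `#ifdef` guards around the three alert `case` labels carry no explanation, and a reader of the final file will not see why only some labels are conditional; a one-liner above the first guard such as `/* not every OpenSSL version defines all of these alert reason codes */` would do. Where a code is undefined the corresponding alerts presumably leave the `log_ssl_noise` filter and are handled by `default:`, so the amount of handshake noise logged will differ between builds — acceptable, but worth stating in that comment. connection_handle_read_ssl begins before and continues after this hunk.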
@@ -826,20 +826,28 @@ int network_init(server *srv) {
 					return -1;
 				}
 			} else {
+				BIGNUM *dh_p, *dh_g;
 				/* Default DH parameters from RFC5114 */
 				dh = DH_new();
 				if (dh == NULL) {
 					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_new () failed");
 					return -1;
 				}
-				dh->p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
-				dh->g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
-				dh->length = 160;
-				if ((dh->p == NULL) || (dh->g == NULL)) {
+				dh_p = BN_bin2bn(dh1024_p,sizeof(dh1024_p), NULL);
+				dh_g = BN_bin2bn(dh1024_g,sizeof(dh1024_g), NULL);
+				if ((dh_p == NULL) || (dh_g == NULL)) {
 					DH_free(dh);
 					log_error_write(srv, __FILE__, __LINE__, "s", "SSL: BN_bin2bn () failed");
 					return -1;
 				}
+			      #if OPENSSL_VERSION_NUMBER < 0x10100000L
+				dh->p = dh_p;
+				dh->g = dh_g;
+				dh->length = 160;
+			      #else
+				DH_set0_pqg(dh, dh_p, NULL, dh_g);
+				DH_set_length(dh, 160);
+			      #endif
 			}
 			SSL_CTX_set_tmp_dh(s->ssl_ctx,dh);
 			SSL_CTX_set_options(s->ssl_ctx,SSL_OP_SINGLE_DH_USE);
diff --git a/src/response.c b/src/response.c
index 51d468ff..fc2df712 100644
--- a/src/response.c
+++ b/src/response.c
@@ -167,7 +167,8 @@ static void https_add_ssl_entries(connection *con) {
 			buffer_append_string(envds->key, xobjsn);
 			buffer_copy_string_len(
 				envds->value,
-				(const char *)xe->value->data, xe->value->length
+				(const char *)X509_NAME_ENTRY_get_data(xe)->data,
+				X509_NAME_ENTRY_get_data(xe)->length
 			);
 			/* pick one of the exported values as "REMOTE_USER", for example
 			 * ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID" or "SSL_CLIENT_S_DN_emailAddress"
diff --git a/src/server.c b/src/server.c
index 2f607ac6..3128013e 100644
--- a/src/server.c
+++ b/src/server.c
@@ -381,7 +381,13 @@ static void server_free(server *srv) {
 	if (srv->ssl_is_init) {
 		CRYPTO_cleanup_all_ex_data();
 		ERR_free_strings();
+	      #if OPENSSL_VERSION_NUMBER >= 0x10100000L
+		ERR_remove_thread_state();
+	      #elif OPENSSL_VERSION_NUMBER >= 0x10000000L
+		ERR_remove_thread_state(NULL);
+	      #else
 		ERR_remove_state(0);
+	      #endif
 		EVP_cleanup();
 	}
 #endif
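Review bot: The BN_bin2bn error path now leaks whichever of `dh_p`/`dh_g` was successfully allocated — before this change the BIGNUMs were already attached to `dh` when `DH_free(dh)` ran, but the new locals are not attached until after the check, so `BN_free(dh_p); BN_free(dh_g);` belong in that block ahead of `DH_free(dh)` (`BN_free(NULL)` is a no-op). In the `#else` branch the return value of `DH_set0_pqg()` is ignored; it cannot realistically fail here because both BIGNUMs were checked, but on failure ownership does not transfer and `dh` would reach `SSL_CTX_set_tmp_dh()` without parameters, so checking it and releasing the BIGNUMs keeps ownership explicit. If LibreSSL builds are a target, it reports OPENSSL_VERSION_NUMBER as 0x20000000L and so would select the `DH_set0_pqg()` branch here (and the first branch of the ladder in the src/server.c hunk) although it lacked that accessor at the time of this patch; adding `|| defined(LIBRESSL_VERSION_NUMBER)` to the `<` test is the usual guard. Unrelated to this change but visible here: the fallback group is the 1024-bit RFC 5114 group (`dh1024_p`), which is below current size recommendations and is worth a TODO. network_init begins before and continues after this hunk.
```c
if ((dh_p == NULL) || (dh_g == NULL)) {
	BN_free(dh_p); /* BN_free(NULL) is a no-op */
	BN_free(dh_g);
	DH_free(dh);
	/* … unchanged: log_error_write "SSL: BN_bin2bn () failed", return -1 … */
}
#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* … unchanged: direct dh->p / dh->g / dh->length assignment … */
#else
/* on success dh owns dh_p and dh_g; on failure the caller still does */
if (!DH_set0_pqg(dh, dh_p, NULL, dh_g)) {
	BN_free(dh_p);
	BN_free(dh_g);
	DH_free(dh);
	log_error_write(srv, __FILE__, __LINE__, "s", "SSL: DH_set0_pqg () failed");
	return -1;
}
DH_set_length(dh, 160);
#endif
```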
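Review bot: `X509_NAME_ENTRY_get_data(xe)` is called twice in the new argument list and its result is then dereferenced field by field (`->data`, `->length`); fetching it once makes the type explicit and avoids the repeated lookup: `ASN1_STRING *xe_data = X509_NAME_ENTRY_get_data(xe);` followed by `(const char *)xe_data->data, xe_data->length`. The struct-field access still depends on ASN1_STRING staying a public type; `ASN1_STRING_data()` and `ASN1_STRING_length()` exist in both 1.0.x and 1.1.0 if that dependency is to be removed as well. https_add_ssl_entries begins before and continues after this hunk.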
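Review bot: The new three-way `#if` ladder around the thread-state cleanup has no comment explaining the branches; a line such as `/* ERR_remove_state() became ERR_remove_thread_state(NULL) in 1.0.0; deprecated and a no-op since 1.1.0 */` above the `#if` would make the intent clear. The zero-argument `ERR_remove_thread_state()` matches a 1.1.0 pre-release; if the released 1.1.0 header keeps the `void *` parameter, that branch will not compile, and since the function is documented as a no-op there, leaving the `>= 0x10100000L` branch empty (comment only) is the simplest robust form — worth confirming against the final headers. server_free begins before and continues after this hunk.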