From eec7e0cac9196351aea545d5003f0b2ea16b2e39 Mon Sep 17 00:00:00 2001 From: Oleg Moskalenko Date: Sat, 20 Aug 2016 18:49:30 -0700 Subject: [PATCH] basic OpenSSL 1.1.0 support --- src/apps/common/apputils.h | 2 +- src/apps/relay/mainrelay.c | 32 ++++++-- src/apps/relay/ns_ioalib_engine_impl.c | 10 +++ src/client/ns_turn_msg.c | 108 ++++++++++++++++++++----- 4 files changed, 123 insertions(+), 29 deletions(-) diff --git a/src/apps/common/apputils.h b/src/apps/common/apputils.h index 11a6e5d..7b16b56 100644 --- a/src/apps/common/apputils.h +++ b/src/apps/common/apputils.h @@ -90,7 +90,7 @@ extern int IS_TURN_SERVER; #endif -#if defined(TURN_NO_DTLS) || !defined(DTLS_CTRL_LISTEN) +#if (defined(TURN_NO_DTLS) || !defined(DTLS_CTRL_LISTEN)) && (OPENSSL_VERSION_NUMBER < 0x10100000L) #define DTLS_SUPPORTED 0 #define DTLSv1_2_SUPPORTED 0 diff --git a/src/apps/relay/mainrelay.c b/src/apps/relay/mainrelay.c index 5014e57..a89d441 100644 --- a/src/apps/relay/mainrelay.c +++ b/src/apps/relay/mainrelay.c @@ -2096,7 +2096,8 @@ static char some_buffer[65536]; static pthread_mutex_t mutex_buf[256]; static int mutex_buf_initialized = 0; -static void locking_function(int mode, int n, const char *file, int line) { +void coturn_locking_function(int mode, int n, const char *file, int line); +void coturn_locking_function(int mode, int n, const char *file, int line) { UNUSED_ARG(file); UNUSED_ARG(line); if(mutex_buf_initialized && (n < CRYPTO_num_locks())) { @@ -2108,12 +2109,15 @@ static void locking_function(int mode, int n, const char *file, int line) { } #if OPENSSL_VERSION_NUMBER >= 0x10000000L -static void id_function(CRYPTO_THREADID *ctid) +void coturn_id_function(CRYPTO_THREADID *ctid); +void coturn_id_function(CRYPTO_THREADID *ctid) { + UNUSED_ARG(ctid); CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self()); } #else -static unsigned long id_function(void) +unsigned long coturn_id_function(void); +unsigned long coturn_id_function(void) { return (unsigned long)pthread_self(); } @@ -2136,12 +2140,12 @@ static int THREAD_setup(void) { mutex_buf_initialized = 1; #if OPENSSL_VERSION_NUMBER >= 0x10000000L - CRYPTO_THREADID_set_callback(id_function); + CRYPTO_THREADID_set_callback(coturn_id_function); #else - CRYPTO_set_id_callback(id_function); + CRYPTO_set_id_callback(coturn_id_function); #endif - CRYPTO_set_locking_callback(locking_function); + CRYPTO_set_locking_callback(coturn_locking_function); #endif return 1; @@ -2230,9 +2234,9 @@ static void adjust_key_file_names(void) if(turn_params.dh_file[0]) adjust_key_file_name(turn_params.dh_file,"DH key",0); } - static DH *get_dh566(void) { + unsigned char dh566_p[] = { 0x36,0x53,0xA8,0x9C,0x3C,0xF1,0xD1,0x1B,0x2D,0xA2,0x64,0xDE, 0x59,0x3B,0xE3,0x8C,0x27,0x74,0xC2,0xBE,0x9B,0x6D,0x56,0xE7, @@ -2252,9 +2256,13 @@ static DH *get_dh566(void) { if ((dh = DH_new()) == NULL ) return (NULL ); +#if OPENSSL_VERSION_NUMBER < 0x10100000L dh->p = BN_bin2bn(dh566_p, sizeof(dh566_p), NULL ); dh->g = BN_bin2bn(dh566_g, sizeof(dh566_g), NULL ); if ((dh->p == NULL )|| (dh->g == NULL)){ DH_free(dh); return(NULL);} +#else + DH_set0_pqg(dh, BN_bin2bn(dh566_p, sizeof(dh566_p), NULL ), NULL, BN_bin2bn(dh566_g, sizeof(dh566_g), NULL )); +#endif return (dh); } @@ -2286,9 +2294,13 @@ static DH *get_dh1066(void) { if ((dh = DH_new()) == NULL ) return (NULL ); +#if OPENSSL_VERSION_NUMBER < 0x10100000L dh->p = BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL ); dh->g = BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL ); if ((dh->p == NULL )|| (dh->g == NULL)){ DH_free(dh); return(NULL);} +#else + DH_set0_pqg(dh, BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL ), NULL, BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL )); +#endif return (dh); } @@ -2333,9 +2345,13 @@ static DH *get_dh2066(void) { if ((dh = DH_new()) == NULL ) return (NULL ); +#if OPENSSL_VERSION_NUMBER < 0x10100000L dh->p = BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL ); dh->g = BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL ); if ((dh->p == NULL )|| (dh->g == NULL)){ DH_free(dh); return(NULL);} +#else + DH_set0_pqg(dh, BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL ), NULL, BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL )); +#endif return (dh); } @@ -2494,7 +2510,9 @@ static void set_ctx(SSL_CTX* ctx, const char *protocol) if(set_auto_curve) { #if SSL_SESSION_ECDH_AUTO_SUPPORTED +#if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_CTX_set_ecdh_auto(ctx,1); +#endif #endif set_auto_curve = 0; } diff --git a/src/apps/relay/ns_ioalib_engine_impl.c b/src/apps/relay/ns_ioalib_engine_impl.c index 809fa9c..060f82e 100644 --- a/src/apps/relay/ns_ioalib_engine_impl.c +++ b/src/apps/relay/ns_ioalib_engine_impl.c @@ -1419,6 +1419,7 @@ static void ssl_info_callback(SSL *ssl, int where, int ret) { UNUSED_ARG(ssl); UNUSED_ARG(where); +#if OPENSSL_VERSION_NUMBER < 0x10100000L #if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) if (0 != (where & SSL_CB_HANDSHAKE_START)) { ioa_socket_handle s = (ioa_socket_handle)SSL_get_app_data(ssl); @@ -1436,6 +1437,7 @@ static void ssl_info_callback(SSL *ssl, int where, int ret) { } } #endif +#endif } typedef void (*ssl_info_callback_t)(const SSL *ssl,int type,int val); @@ -1856,7 +1858,11 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve BIO* rbio = BIO_new_mem_buf(buffer, old_buffer_len); BIO_set_mem_eof_return(rbio, -1); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ssl->rbio = rbio; +#else + SSL_set0_rbio(ssl,rbio); +#endif int if1 = SSL_is_init_finished(ssl); @@ -1949,7 +1955,11 @@ int ssl_read(evutil_socket_t fd, SSL* ssl, ioa_network_buffer_handle nbh, int ve } BIO_free(rbio); +#if OPENSSL_VERSION_NUMBER < 0x10100000L ssl->rbio = NULL; +#else + SSL_set0_rbio(ssl,NULL); +#endif return ret; } diff --git a/src/client/ns_turn_msg.c b/src/client/ns_turn_msg.c index 8e9e952..079522b 100644 --- a/src/client/ns_turn_msg.c +++ b/src/client/ns_turn_msg.c @@ -176,37 +176,63 @@ int stun_produce_integrity_key_str(u08bits *uname, u08bits *realm, u08bits *upwd str[strl]=0; if(shatype == SHATYPE_SHA256) { -#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) unsigned int keylen = 0; +#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_MD_CTX ctx; EVP_DigestInit(&ctx,EVP_sha256()); EVP_DigestUpdate(&ctx,str,strl); EVP_DigestFinal(&ctx,key,&keylen); EVP_MD_CTX_cleanup(&ctx); +#else + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_DigestInit(ctx,EVP_sha256()); + EVP_DigestUpdate(ctx,str,strl); + EVP_DigestFinal(ctx,key,&keylen); + EVP_MD_CTX_free(ctx); +#endif #else fprintf(stderr,"SHA256 is not supported\n"); return -1; #endif } else if(shatype == SHATYPE_SHA384) { #if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH) +#if OPENSSL_VERSION_NUMBER < 0x10100000L unsigned int keylen = 0; EVP_MD_CTX ctx; EVP_DigestInit(&ctx,EVP_sha384()); EVP_DigestUpdate(&ctx,str,strl); EVP_DigestFinal(&ctx,key,&keylen); EVP_MD_CTX_cleanup(&ctx); +#else + unsigned int keylen = 0; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_DigestInit(ctx,EVP_sha384()); + EVP_DigestUpdate(ctx,str,strl); + EVP_DigestFinal(ctx,key,&keylen); + EVP_MD_CTX_free(ctx); +#endif #else fprintf(stderr,"SHA384 is not supported\n"); return -1; #endif } else if(shatype == SHATYPE_SHA512) { #if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH) +#if OPENSSL_VERSION_NUMBER < 0x10100000L unsigned int keylen = 0; EVP_MD_CTX ctx; EVP_DigestInit(&ctx,EVP_sha512()); EVP_DigestUpdate(&ctx,str,strl); EVP_DigestFinal(&ctx,key,&keylen); EVP_MD_CTX_cleanup(&ctx); +#else + unsigned int keylen = 0; + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + EVP_DigestInit(ctx,EVP_sha512()); + EVP_DigestUpdate(ctx,str,strl); + EVP_DigestFinal(ctx,key,&keylen); + EVP_MD_CTX_free(ctx); +#endif #else fprintf(stderr,"SHA512 is not supported\n"); return -1; @@ -253,6 +279,7 @@ static void generate_enc_password(const char* pwd, char *result, const unsigned result[3+PWD_SALT_SIZE+PWD_SALT_SIZE]='$'; unsigned char* out = (unsigned char*)(result+3+PWD_SALT_SIZE+PWD_SALT_SIZE+1); { +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_MD_CTX ctx; #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) EVP_DigestInit(&ctx,EVP_sha256()); @@ -268,6 +295,23 @@ static void generate_enc_password(const char* pwd, char *result, const unsigned readable_string(hash,out,keylen); } EVP_MD_CTX_cleanup(&ctx); +#else + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); +#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH) + EVP_DigestInit(ctx,EVP_sha256()); +#else + EVP_DigestInit(ctx,EVP_sha1()); +#endif + EVP_DigestUpdate(ctx,salt,PWD_SALT_SIZE); + EVP_DigestUpdate(ctx,pwd,strlen(pwd)); + { + unsigned char hash[129]; + unsigned int keylen = 0; + EVP_DigestFinal(ctx,hash,&keylen); + readable_string(hash,out,keylen); + } + EVP_MD_CTX_free(ctx); +#endif } } @@ -2400,21 +2444,26 @@ static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_toke if(!cipher) return -1; +#if OPENSSL_VERSION_NUMBER < 0x10100000L EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); + EVP_CIPHER_CTX *ctxp = &ctx; +#else + EVP_CIPHER_CTX *ctxp = EVP_CIPHER_CTX_new(); +#endif + EVP_CIPHER_CTX_init(ctxp); /* Initialize the encryption operation. */ - if(1 != EVP_EncryptInit_ex(&ctx, cipher, NULL, NULL, NULL)) + if(1 != EVP_EncryptInit_ex(ctxp, cipher, NULL, NULL, NULL)) return -1; - EVP_CIPHER_CTX_set_padding(&ctx,1); + EVP_CIPHER_CTX_set_padding(ctxp,1); /* Set IV length if default 12 bytes (96 bits) is not appropriate */ - if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, OAUTH_GCM_NONCE_SIZE, NULL)) + if(1 != EVP_CIPHER_CTX_ctrl(ctxp, EVP_CTRL_GCM_SET_IVLEN, OAUTH_GCM_NONCE_SIZE, NULL)) return -1; /* Initialize key and IV */ - if(1 != EVP_EncryptInit_ex(&ctx, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce)) + if(1 != EVP_EncryptInit_ex(ctxp, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce)) return -1; int outl=0; @@ -2423,7 +2472,7 @@ static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_toke /* Provide any AAD data. This can be called zero or more times as * required */ - if(1 != my_EVP_EncryptUpdate(&ctx, NULL, &outl, server_name, (int)sn_len)) + if(1 != my_EVP_EncryptUpdate(ctxp, NULL, &outl, server_name, (int)sn_len)) return -1; outl=0; @@ -2433,19 +2482,23 @@ static int encode_oauth_token_gcm(const u08bits *server_name, encoded_oauth_toke unsigned char *start_field = orig_field + OAUTH_GCM_NONCE_SIZE + 2; len -= OAUTH_GCM_NONCE_SIZE + 2; - if(1 != my_EVP_EncryptUpdate(&ctx, encoded_field, &outl, start_field, (int)len)) + if(1 != my_EVP_EncryptUpdate(ctxp, encoded_field, &outl, start_field, (int)len)) return -1; int tmp_outl = 0; - EVP_EncryptFinal_ex(&ctx, encoded_field + outl, &tmp_outl); + EVP_EncryptFinal_ex(ctxp, encoded_field + outl, &tmp_outl); outl += tmp_outl; - EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_GET_TAG, OAUTH_GCM_TAG_SIZE, encoded_field + outl); + EVP_CIPHER_CTX_ctrl(ctxp, EVP_CTRL_GCM_GET_TAG, OAUTH_GCM_TAG_SIZE, encoded_field + outl); outl += OAUTH_GCM_TAG_SIZE; etoken->size = 2 + OAUTH_GCM_NONCE_SIZE + outl; - EVP_CIPHER_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctxp); +#else + EVP_CIPHER_CTX_free(ctxp); +#endif return 0; } @@ -2483,10 +2536,15 @@ static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oaut return -1; } +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX *ctxp = &ctx; EVP_CIPHER_CTX ctx; - EVP_CIPHER_CTX_init(&ctx); +#else + EVP_CIPHER_CTX *ctxp = EVP_CIPHER_CTX_new(); +#endif + EVP_CIPHER_CTX_init(ctxp); /* Initialize the decryption operation. */ - if(1 != EVP_DecryptInit_ex(&ctx, cipher, NULL, NULL, NULL)) { + if(1 != EVP_DecryptInit_ex(ctxp, cipher, NULL, NULL, NULL)) { OAUTH_ERROR("%s: Cannot initialize decryption\n",__FUNCTION__); return -1; } @@ -2494,20 +2552,20 @@ static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oaut //EVP_CIPHER_CTX_set_padding(&ctx,1); /* Set IV length if default 12 bytes (96 bits) is not appropriate */ - if(1 != EVP_CIPHER_CTX_ctrl(&ctx, EVP_CTRL_GCM_SET_IVLEN, nonce_len, NULL)) { + if(1 != EVP_CIPHER_CTX_ctrl(ctxp, EVP_CTRL_GCM_SET_IVLEN, nonce_len, NULL)) { OAUTH_ERROR("%s: Cannot set nonce length\n",__FUNCTION__); return -1; } /* Initialize key and IV */ - if(1 != EVP_DecryptInit_ex(&ctx, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce)) { + if(1 != EVP_DecryptInit_ex(ctxp, NULL, NULL, (const unsigned char *)key->as_rs_key, nonce)) { OAUTH_ERROR("%s: Cannot set nonce\n",__FUNCTION__); return -1; } /* Set expected tag value. A restriction in OpenSSL 1.0.1c and earlier + * required the tag before any AAD or ciphertext */ - EVP_CIPHER_CTX_ctrl (&ctx, EVP_CTRL_GCM_SET_TAG, OAUTH_GCM_TAG_SIZE, tag); + EVP_CIPHER_CTX_ctrl (ctxp, EVP_CTRL_GCM_SET_TAG, OAUTH_GCM_TAG_SIZE, tag); int outl=0; size_t sn_len = strlen((const char*)server_name); @@ -2515,24 +2573,32 @@ static int decode_oauth_token_gcm(const u08bits *server_name, const encoded_oaut /* Provide any AAD data. This can be called zero or more times as * required */ - if(1 != my_EVP_DecryptUpdate(&ctx, NULL, &outl, server_name, (int)sn_len)) { + if(1 != my_EVP_DecryptUpdate(ctxp, NULL, &outl, server_name, (int)sn_len)) { OAUTH_ERROR("%s: Cannot decrypt update server_name: %s, len=%d\n",__FUNCTION__,server_name,(int)sn_len); return -1; } - if(1 != my_EVP_DecryptUpdate(&ctx, decoded_field, &outl, encoded_field, (int)encoded_field_size)) { + if(1 != my_EVP_DecryptUpdate(ctxp, decoded_field, &outl, encoded_field, (int)encoded_field_size)) { OAUTH_ERROR("%s: Cannot decrypt update\n",__FUNCTION__); return -1; } int tmp_outl = 0; - if(EVP_DecryptFinal_ex(&ctx, decoded_field + outl, &tmp_outl)<1) { - EVP_CIPHER_CTX_cleanup(&ctx); + if(EVP_DecryptFinal_ex(ctxp, decoded_field + outl, &tmp_outl)<1) { +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctxp); +#else + EVP_CIPHER_CTX_free(ctxp); +#endif OAUTH_ERROR("%s: token integrity check failed\n",__FUNCTION__); return -1; } outl += tmp_outl; - EVP_CIPHER_CTX_cleanup(&ctx); +#if OPENSSL_VERSION_NUMBER < 0x10100000L + EVP_CIPHER_CTX_cleanup(ctxp); +#else + EVP_CIPHER_CTX_free(ctxp); +#endif size_t len = 0;