Author: rjung Date: Mon Apr 18 09:49:28 2016 New Revision: 1739723 URL: http://svn.apache.org/viewvc?rev=1739723&view=rev Log: Support for OpenSSL 1.1.0 - X509_STORE_CTX and X509_OBJECT are now opaque This change is not yet complete. Currently I see no API to access the CRLs in an X509_OBJECT. I'll check the OpenSSL apps code for checking a cert against CRLs to see how they do it. Probably we need to apply bigger changes to ssl_verify_CRL().
Modified: tomcat/native/trunk/native/include/ssl_private.h tomcat/native/trunk/native/src/sslcontext.c tomcat/native/trunk/native/src/sslutils.c
Modified: tomcat/native/trunk/native/include/ssl_private.h
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/include/ssl_private.h?rev=1739723&r1=1739722&r2=1739723&view=diff
==============================================================================
--- tomcat/native/trunk/native/include/ssl_private.h (original)
+++ tomcat/native/trunk/native/include/ssl_private.h Mon Apr 18 09:49:28 2016
@@ -205,19 +205,22 @@
 /* OpenSSL 1.0.2 compatibility */
 #if OPENSSL_VERSION_NUMBER < 0x10100000L
-#define TLS_method SSLv23_method
-#define TLS_client_method SSLv23_client_method
-#define TLS_server_method SSLv23_server_method
-#define OPENSSL_VERSION SSLEAY_VERSION
-#define OpenSSL_version SSLeay_version
-#define OPENSSL_malloc_init CRYPTO_malloc_init
+#define OpenSSL_version SSLeay_version
+#define OpenSSL_version_num SSLeay
+#define OPENSSL_VERSION SSLEAY_VERSION
+#define OPENSSL_malloc_init CRYPTO_malloc_init
+#define BIO_get_init(x) (x->init)
+#define BIO_set_init(x,v) (x->init=v)
+#define BIO_get_data(x) (x->ptr)
+#define BIO_set_data(x,v) (x->ptr=v)
+#define BIO_set_shutdown(x,v) (x->shutdown=v)
 #define X509_REVOKED_get0_serialNumber(x) x->serialNumber
-#define OpenSSL_version_num SSLeay
-#define BIO_get_init(x) (x->init)
-#define BIO_set_init(x,v) (x->init=v)
-#define BIO_get_data(x) (x->ptr)
-#define BIO_set_data(x,v) (x->ptr=v)
-#define BIO_set_shutdown(x,v) (x->shutdown=v)
+#define X509_STORE_CTX_get0_untrusted(x) (x->untrusted)
+#define X509_OBJECT_free(x) {X509_OBJECT_free_contents(obj);\
+ OPENSSL_free(obj);}
+#define TLS_method SSLv23_method
+#define TLS_client_method SSLv23_client_method
+#define TLS_server_method SSLv23_server_method
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 #define MAX_ALPN_NPN_PROTO_SIZE 65535
Modified: tomcat/native/trunk/native/src/sslcontext.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslcontext.c?rev=1739723&r1=1739722&r2=1739723&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslcontext.c (original)
+++ tomcat/native/trunk/native/src/sslcontext.c Mon Apr 18 09:49:28 2016
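Review bot: The new `X509_OBJECT_free(x)` compatibility macro releases `obj` instead of its parameter `x`, so it only expands correctly when the caller's variable happens to be named `obj`; with any other argument it either fails to compile or frees the wrong object. The bare braces also turn `if (cond) X509_OBJECT_free(o); else ...` into a syntax error, and the macro dereferences a NULL argument while the 1.1.0 library function it stands in for returns early on NULL. Use the parameter, guard NULL and wrap it as a statement: `#define X509_OBJECT_free(x) do { if ((x) != NULL) { X509_OBJECT_free_contents(x); OPENSSL_free(x); } } while (0)`. Since this shim pairs the object with `OPENSSL_free`, a comment beside it should state that on 1.0.x every `X509_OBJECT` handed to it must have come from `OPENSSL_malloc`, which is the ownership rule the callers in sslutils.c now rely on.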
@@ -1755,7 +1755,7 @@ static int SSL_cert_verify(X509_STORE_CT
 // Get a stack of all certs in the chain
- STACK_OF(X509) *sk = ctx->untrusted;
+ STACK_OF(X509) *sk = X509_STORE_CTX_get0_untrusted(ctx);
 int len = sk_X509_num(sk);
 unsigned i;
Modified: tomcat/native/trunk/native/src/sslutils.c
URL: http://svn.apache.org/viewvc/tomcat/native/trunk/native/src/sslutils.c?rev=1739723&r1=1739722&r2=1739723&view=diff
==============================================================================
--- tomcat/native/trunk/native/src/sslutils.c (original)
+++ tomcat/native/trunk/native/src/sslutils.c Mon Apr 18 09:49:28 2016
@@ -288,20 +288,29 @@ int SSL_CTX_use_certificate_chain(SSL_CT
 }
 static int ssl_X509_STORE_lookup(X509_STORE *store, int yype,
- X509_NAME *name, X509_OBJECT *obj)
+ X509_NAME *name, X509_OBJECT **obj)
 {
- X509_STORE_CTX ctx;
+ X509_STORE_CTX *ctx;
 int rc;
- X509_STORE_CTX_init(&ctx, store, NULL, NULL);
- rc = X509_STORE_get_by_subject(&ctx, yype, name, obj);
- X509_STORE_CTX_cleanup(&ctx);
+ ctx = X509_STORE_CTX_new();
+ X509_STORE_CTX_init(ctx, store, NULL, NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ rc = X509_STORE_get_by_subject(ctx, yype, name, *obj);
+#else
+ *obj = X509_STORE_get_X509_by_subject(ctx, yype, name);
+ if (*obj == NULL) {
+ rc = -1;
+ }
+#endif
+ X509_STORE_CTX_cleanup(ctx);
+ X509_STORE_CTX_free(ctx);
 return rc;
 }
 static int ssl_verify_CRL(int ok, X509_STORE_CTX *ctx, tcn_ssl_conn_t *con)
 {
- X509_OBJECT obj;
+ X509_OBJECT *obj;
 X509_NAME *subject, *issuer;
 X509 *cert;
 X509_CRL *crl;
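Review bot: In the new `#else` branch of `ssl_X509_STORE_lookup`, `rc` is assigned only when the lookup yields NULL, so a successful lookup returns an uninitialized `int` and the caller's `if ((rc > 0) && crl)` decides on garbage. `X509_STORE_CTX_new()` can return NULL and is passed straight into `X509_STORE_CTX_init`, whose own failure return is also ignored, so an allocation failure becomes a NULL dereference instead of a negative result. The commit message already says the 1.1.0 path is incomplete, and this is the gap: `X509_STORE_get_X509_by_subject` yields an `X509 *`, not the `X509_OBJECT *` stored through `obj`, whereas `X509_STORE_CTX_get_obj_by_subject` (1.1.0) returns an `X509_OBJECT *` that the caller owns and releases with `X509_OBJECT_free`, which is exactly what `ssl_verify_CRL` now does. A rewrite of the allocation and lookup section follows; the cleanup tail of the function is unchanged.
```c
    ctx = X509_STORE_CTX_new();
    if (ctx == NULL) {
        return -1;
    }
    if (X509_STORE_CTX_init(ctx, store, NULL, NULL) != 1) {
        X509_STORE_CTX_free(ctx);
        return -1;
    }
#if OPENSSL_VERSION_NUMBER < 0x10100000L
    rc = X509_STORE_get_by_subject(ctx, yype, name, *obj);
#else
    /* caller owns *obj and must release it with X509_OBJECT_free() */
    *obj = X509_STORE_CTX_get_obj_by_subject(ctx, yype, name);
    rc = (*obj != NULL) ? 1 : -1;
#endif
    /* … unchanged: X509_STORE_CTX_cleanup / X509_STORE_CTX_free / return rc … */
```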
@@ -350,10 +359,14 @@ static int ssl_verify_CRL(int ok, X509_S
 * Try to retrieve a CRL corresponding to the _subject_ of
 * the current certificate in order to verify it's integrity.
 */
- memset((char *)&obj, 0, sizeof(obj));
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ obj = OPENSSL_malloc(sizeof (*obj));
+ memset((char *)obj, 0, sizeof(*obj));
+#endif
 rc = ssl_X509_STORE_lookup(con->ctx->crl, X509_LU_CRL, subject, &obj);
- crl = obj.data.crl;
+ /* XXX obj is now OPAQUE */
+ crl = obj->data.crl;
 if ((rc > 0) && crl) {
 /*
@@ -371,7 +384,7 @@ static int ssl_verify_CRL(int ok, X509_S
 if (rc <= 0) {
 /* TODO: Log Invalid signature on CRL */
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_SIGNATURE_FAILURE);
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free(obj);
 return 0;
 }
@@ -385,30 +398,34 @@ static int ssl_verify_CRL(int ok, X509_S
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD);
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free(obj);
 return 0;
 }
 if (i < 0) {
 /* TODO: Log Found CRL is expired */
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CRL_HAS_EXPIRED);
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free(obj);
 return 0;
 }
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free(obj);
 }
 /*
 * Try to retrieve a CRL corresponding to the _issuer_ of
 * the current certificate in order to check for revocation.
 */
- memset((char *)&obj, 0, sizeof(obj));
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ obj = OPENSSL_malloc(sizeof (*obj));
+ memset((char *)obj, 0, sizeof(*obj));
+#endif
 rc = ssl_X509_STORE_lookup(con->ctx->crl, X509_LU_CRL, issuer, &obj);
- crl = obj.data.crl;
+ /* XXX obj is now OPAQUE */
+ crl = obj->data.crl;
 if ((rc > 0) && crl) {
 /*
 * Check if the current certificate is revoked by this CRL
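Review bot: On OpenSSL 1.1.0 `obj` is never allocated in this hunk, the lookup stores NULL into it whenever no CRL matches, and the following `crl = obj->data.crl;` then dereferences that NULL pointer on the common no-CRL path; the issuer lookup in the `@@ -385,30` hunk repeats the same sequence. `obj->data.crl` also reaches into the type the commit message says is now opaque, which the `XXX` comment marks: the 1.1.0 accessor is `X509_OBJECT_get0_X509_CRL(obj)`, and a one-line shim `#define X509_OBJECT_get0_X509_CRL(x) ((x)->data.crl)` in the 1.0.x compatibility block of ssl_private.h keeps a single call site. On 1.0.x the `OPENSSL_malloc` result is unchecked and the object is released only inside `if ((rc > 0) && crl)`, so every lookup that finds nothing leaks it; releasing after the block on every path fixes both lookups, provided the 1.0.x `X509_OBJECT_free` shim tolerates NULL (the 1.1.0 library function does). The remainder of `ssl_verify_CRL` lies outside this hunk.
```c
    rc = ssl_X509_STORE_lookup(con->ctx->crl, X509_LU_CRL, subject, &obj);
    /* a miss leaves obj NULL on 1.1.0 and an empty object on 1.0.x */
    crl = (rc > 0 && obj != NULL) ? X509_OBJECT_get0_X509_CRL(obj) : NULL;

    if ((rc > 0) && crl) {
        /* … unchanged: signature and nextUpdate checks; each early return keeps its X509_OBJECT_free(obj) … */
    }
    /* released on every path, including a miss, so the 1.0.x allocation cannot leak */
    X509_OBJECT_free(obj);
```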
@@ -423,13 +440,13 @@ static int ssl_verify_CRL(int ok, X509_S
 if (!ASN1_INTEGER_cmp(sn, X509_get_serialNumber(cert))) {
 X509_STORE_CTX_set_error(ctx, X509_V_ERR_CERT_REVOKED);
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free(obj);
 return 0;
 }
 }
- X509_OBJECT_free_contents(&obj);
+ X509_OBJECT_free(obj);
 }
 return ok;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org