Merging upstream version 8.2404.0.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

3 files changed, 50 insertions, 43 deletions

diff --git a/runtime/net_ossl.c b/runtime/net_ossl.c
index 60e3fa2..7008731 100644
--- a/runtime/net_ossl.c
+++ b/runtime/net_ossl.c
@@ -52,6 +52,20 @@ DEFobjCurrIf(glbl)
 DEFobjCurrIf(net)
 DEFobjCurrIf(nsd_ptcp)
 
+/* Prototypes for openssl helper functions */
+void net_ossl_lastOpenSSLErrorMsg
+	(uchar *fromHost, int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
+void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
+void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
+void net_ossl_set_bio_callback(BIO *conn);
+int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
+rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
+rsRetVal net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+rsRetVal net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+rsRetVal net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+
+
 /*--------------------------------------MT OpenSSL helpers ------------------------------------------*/
 static MUTEX_TYPE *mutex_buf = NULL;
 static sbool openssl_initialized = 0; // Avoid multiple initialization / deinitialization
@@ -1174,9 +1188,18 @@ CODESTARTobjQueryInterface(net_ossl)
 	if(pIf->ifVersion != net_osslCURR_IF_VERSION) {/* check for current version, increment on each change */
 		ABORT_FINALIZE(RS_RET_INTERFACE_NOT_SUPPORTED);
 	}
-	pIf->Construct		= (rsRetVal(*)(net_ossl_t**)) net_osslConstruct;
-	pIf->Destruct		= (rsRetVal(*)(net_ossl_t**)) net_osslDestruct;
-	pIf->osslCtxInit	= net_ossl_osslCtxInit;
+	pIf->Construct			= (rsRetVal(*)(net_ossl_t**)) net_osslConstruct;
+	pIf->Destruct			= (rsRetVal(*)(net_ossl_t**)) net_osslDestruct;
+	pIf->osslCtxInit		= net_ossl_osslCtxInit;
+	pIf->osslChkpeername		= net_ossl_chkpeername;
+	pIf->osslPeerfingerprint	= net_ossl_peerfingerprint;
+	pIf->osslGetpeercert		= net_ossl_getpeercert;
+	pIf->osslChkpeercertvalidity	= net_ossl_chkpeercertvalidity;
+	pIf->osslApplyTlscgfcmd		= net_ossl_apply_tlscgfcmd;
+	pIf->osslSetBioCallback		= net_ossl_set_bio_callback;
+	pIf->osslSetCtxVerifyCallback	= net_ossl_set_ctx_verify_callback;
+	pIf->osslSetSslVerifyCallback	= net_ossl_set_ssl_verify_callback;
+	pIf->osslLastOpenSSLErrorMsg	= net_ossl_lastOpenSSLErrorMsg;
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	pIf->osslCtxInitCookie	= net_ossl_ctx_init_cookie;
 #endif
diff --git a/runtime/net_ossl.h b/runtime/net_ossl.h
index 6e8a61f..eef69dd 100644
--- a/runtime/net_ossl.h
+++ b/runtime/net_ossl.h
@@ -83,6 +83,17 @@ BEGINinterface(net_ossl) /* name must also be changed in ENDinterface macro! */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
 	rsRetVal (*osslCtxInitCookie)(net_ossl_t *pThis);
 #endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
+	// OpenSSL Helper function exports
+	rsRetVal (*osslChkpeername)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+	rsRetVal (*osslPeerfingerprint)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
+	X509* (*osslGetpeercert)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+	rsRetVal (*osslChkpeercertvalidity)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
+	rsRetVal (*osslApplyTlscgfcmd)(net_ossl_t *pThis, uchar *tlscfgcmd);
+	void (*osslSetBioCallback)(BIO *conn);
+	void (*osslSetCtxVerifyCallback)(SSL_CTX *pCtx, int flags);
+	void (*osslSetSslVerifyCallback)(SSL *pSsl, int flags);
+	void (*osslLastOpenSSLErrorMsg)(uchar *fromHost,
+		const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
 ENDinterface(net_ossl)
 
 #define net_osslCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */
@@ -134,34 +145,6 @@ void osslGlblExit(void);
 
 /*-----------------------------------------------------------------------------*/
 
-/* Prototypes for openssl helper functions */
-__attribute__((visibility("default"))) void net_ossl_lastOpenSSLErrorMsg
-	(uchar *fromHost, const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi);
-__attribute__((visibility("default"))) void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags);
-__attribute__((visibility("default"))) void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags);
-__attribute__((visibility("default"))) void net_ossl_set_bio_callback(BIO *conn);
-__attribute__((visibility("default"))) int net_ossl_verify_callback(int status, X509_STORE_CTX *store);
-__attribute__((visibility("default"))) rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd);
-__attribute__((visibility("default"))) rsRetVal
-	net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
-__attribute__((visibility("default"))) X509*
-	net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP);
-__attribute__((visibility("default"))) rsRetVal
-	net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
-__attribute__((visibility("default"))) rsRetVal
-	net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP);
-
-/*
-#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER)
-long RSYSLOG_BIO_debug_callback_ex(BIO *bio, int cmd, const char __attribute__((unused)) *argp,
-			   size_t __attribute__((unused)) len, int argi, long __attribute__((unused)) argl,
-			   int ret, size_t __attribute__((unused)) *processed);
-#else
-long RSYSLOG_BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *argp,
-			int argi, long __attribute__((unused)) argl, long ret);
-#endif
-*/
-
 /* prototypes */
 PROTOTYPEObj(net_ossl);
 
diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c
index 2d70fb6..095328b 100644
--- a/runtime/nsd_ossl.c
+++ b/runtime/nsd_ossl.c
@@ -80,7 +80,7 @@ void nsd_ossl_lastOpenSSLErrorMsg(nsd_ossl_t const *pThis, const int ret, SSL *s
 	}
 
 	// Call helper in net_ossl
-	net_ossl_lastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi);
+	net_ossl.osslLastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi);
 
 	free(fromHost);
 	errno = errno_store;
@@ -278,7 +278,8 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe
 		dbgprintf("osslInitSession: enable certificate checking (Mode=%d, VerifyDepth=%d)\n",
 			pThis->pNetOssl->authMode, pThis->DrvrVerifyDepth);
 		/* Enable certificate valid checking */
-		net_ossl_set_ssl_verify_callback(pThis->pNetOssl->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
+		net_ossl.osslSetSslVerifyCallback(pThis->pNetOssl->ssl,
+			SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT);
 		if (pThis->DrvrVerifyDepth != 0) {
 			SSL_set_verify_depth(pThis->pNetOssl->ssl, pThis->DrvrVerifyDepth);
 		}
@@ -305,7 +306,7 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe
 	dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn);
 
 	/* Set debug Callback for conn BIO as well! */
-	net_ossl_set_bio_callback(conn);
+	net_ossl.osslSetBioCallback(conn);
 
 	/* TODO: still needed? Set to NON blocking ! */
 	BIO_set_nbio( conn, 1 );
@@ -347,25 +348,25 @@ osslChkPeerAuth(nsd_ossl_t *pThis)
 	switch(pThis->pNetOssl->authMode) {
 		case OSSL_AUTH_CERTNAME:
 			/* if we check the name, we must ensure the cert is valid */
-			certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
+			certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
 			dbgprintf("osslChkPeerAuth: Check peer certname[%p]=%s\n",
 				(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
-			CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
-			CHKiRet(net_ossl_chkpeername(pThis->pNetOssl, certpeer, fromHostIP));
+			CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
+			CHKiRet(net_ossl.osslChkpeername(pThis->pNetOssl, certpeer, fromHostIP));
 			break;
 		case OSSL_AUTH_CERTFINGERPRINT:
-			certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
+			certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
 			dbgprintf("osslChkPeerAuth: Check peer fingerprint[%p]=%s\n",
 				(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
-			CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
-			CHKiRet(net_ossl_peerfingerprint(pThis->pNetOssl, certpeer, fromHostIP));
+			CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
+			CHKiRet(net_ossl.osslPeerfingerprint(pThis->pNetOssl, certpeer, fromHostIP));
 
 			break;
 		case OSSL_AUTH_CERTVALID:
-			certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
+			certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP);
 			dbgprintf("osslChkPeerAuth: Check peer valid[%p]=%s\n",
 				(void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL"));
-			CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
+			CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP));
 			break;
 		case OSSL_AUTH_CERTANON:
 			FINALIZE;
@@ -1277,7 +1278,7 @@ applyGnutlsPriorityString(nsd_ossl_t *const pThis)
 	if(pThis->gnutlsPriorityString == NULL || pThis->pNetOssl->ctx == NULL) {
 		FINALIZE;
 	} else {
-		CHKiRet(net_ossl_apply_tlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString));
+		CHKiRet(net_ossl.osslApplyTlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString));
 	}
 #endif