From 3f7feced8779dc78d903d3463f176042598ec24c Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Mon, 15 Apr 2024 18:28:51 +0200 Subject: Merging upstream version 8.2404.0. Signed-off-by: Daniel Baumann --- runtime/net_ossl.c | 29 ++++++++++++++++++++++++++--- runtime/net_ossl.h | 39 +++++++++++---------------------------- runtime/nsd_ossl.c | 25 +++++++++++++------------ 3 files changed, 50 insertions(+), 43 deletions(-) (limited to 'runtime') diff --git a/runtime/net_ossl.c b/runtime/net_ossl.c index 60e3fa2..7008731 100644 --- a/runtime/net_ossl.c +++ b/runtime/net_ossl.c @@ -52,6 +52,20 @@ DEFobjCurrIf(glbl) DEFobjCurrIf(net) DEFobjCurrIf(nsd_ptcp) +/* Prototypes for openssl helper functions */ +void net_ossl_lastOpenSSLErrorMsg + (uchar *fromHost, int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi); +void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags); +void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags); +void net_ossl_set_bio_callback(BIO *conn); +int net_ossl_verify_callback(int status, X509_STORE_CTX *store); +rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd); +rsRetVal net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP); +X509* net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP); +rsRetVal net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP); +rsRetVal net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP); + + /*--------------------------------------MT OpenSSL helpers ------------------------------------------*/ static MUTEX_TYPE *mutex_buf = NULL; static sbool openssl_initialized = 0; // Avoid multiple initialization / deinitialization @@ -1174,9 +1188,18 @@ CODESTARTobjQueryInterface(net_ossl) if(pIf->ifVersion != net_osslCURR_IF_VERSION) {/* check for current version, increment on each change */ ABORT_FINALIZE(RS_RET_INTERFACE_NOT_SUPPORTED); } - pIf->Construct = (rsRetVal(*)(net_ossl_t**)) net_osslConstruct; - pIf->Destruct = (rsRetVal(*)(net_ossl_t**)) net_osslDestruct; - pIf->osslCtxInit = net_ossl_osslCtxInit; + pIf->Construct = (rsRetVal(*)(net_ossl_t**)) net_osslConstruct; + pIf->Destruct = (rsRetVal(*)(net_ossl_t**)) net_osslDestruct; + pIf->osslCtxInit = net_ossl_osslCtxInit; + pIf->osslChkpeername = net_ossl_chkpeername; + pIf->osslPeerfingerprint = net_ossl_peerfingerprint; + pIf->osslGetpeercert = net_ossl_getpeercert; + pIf->osslChkpeercertvalidity = net_ossl_chkpeercertvalidity; + pIf->osslApplyTlscgfcmd = net_ossl_apply_tlscgfcmd; + pIf->osslSetBioCallback = net_ossl_set_bio_callback; + pIf->osslSetCtxVerifyCallback = net_ossl_set_ctx_verify_callback; + pIf->osslSetSslVerifyCallback = net_ossl_set_ssl_verify_callback; + pIf->osslLastOpenSSLErrorMsg = net_ossl_lastOpenSSLErrorMsg; #if OPENSSL_VERSION_NUMBER >= 0x10100000L pIf->osslCtxInitCookie = net_ossl_ctx_init_cookie; #endif diff --git a/runtime/net_ossl.h b/runtime/net_ossl.h index 6e8a61f..eef69dd 100644 --- a/runtime/net_ossl.h +++ b/runtime/net_ossl.h @@ -83,6 +83,17 @@ BEGINinterface(net_ossl) /* name must also be changed in ENDinterface macro! */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L rsRetVal (*osslCtxInitCookie)(net_ossl_t *pThis); #endif // OPENSSL_VERSION_NUMBER >= 0x10100000L + // OpenSSL Helper function exports + rsRetVal (*osslChkpeername)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP); + rsRetVal (*osslPeerfingerprint)(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP); + X509* (*osslGetpeercert)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP); + rsRetVal (*osslChkpeercertvalidity)(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP); + rsRetVal (*osslApplyTlscgfcmd)(net_ossl_t *pThis, uchar *tlscfgcmd); + void (*osslSetBioCallback)(BIO *conn); + void (*osslSetCtxVerifyCallback)(SSL_CTX *pCtx, int flags); + void (*osslSetSslVerifyCallback)(SSL *pSsl, int flags); + void (*osslLastOpenSSLErrorMsg)(uchar *fromHost, + const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi); ENDinterface(net_ossl) #define net_osslCURR_IF_VERSION 1 /* increment whenever you change the interface structure! */ @@ -134,34 +145,6 @@ void osslGlblExit(void); /*-----------------------------------------------------------------------------*/ -/* Prototypes for openssl helper functions */ -__attribute__((visibility("default"))) void net_ossl_lastOpenSSLErrorMsg - (uchar *fromHost, const int ret, SSL *ssl, int severity, const char* pszCallSource, const char* pszOsslApi); -__attribute__((visibility("default"))) void net_ossl_set_ssl_verify_callback(SSL *pSsl, int flags); -__attribute__((visibility("default"))) void net_ossl_set_ctx_verify_callback(SSL_CTX *pCtx, int flags); -__attribute__((visibility("default"))) void net_ossl_set_bio_callback(BIO *conn); -__attribute__((visibility("default"))) int net_ossl_verify_callback(int status, X509_STORE_CTX *store); -__attribute__((visibility("default"))) rsRetVal net_ossl_apply_tlscgfcmd(net_ossl_t *pThis, uchar *tlscfgcmd); -__attribute__((visibility("default"))) rsRetVal - net_ossl_chkpeercertvalidity(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP); -__attribute__((visibility("default"))) X509* - net_ossl_getpeercert(net_ossl_t *pThis, SSL *ssl, uchar *fromHostIP); -__attribute__((visibility("default"))) rsRetVal - net_ossl_peerfingerprint(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP); -__attribute__((visibility("default"))) rsRetVal - net_ossl_chkpeername(net_ossl_t *pThis, X509* certpeer, uchar *fromHostIP); - -/* -#if OPENSSL_VERSION_NUMBER >= 0x30000000L && !defined(LIBRESSL_VERSION_NUMBER) -long RSYSLOG_BIO_debug_callback_ex(BIO *bio, int cmd, const char __attribute__((unused)) *argp, - size_t __attribute__((unused)) len, int argi, long __attribute__((unused)) argl, - int ret, size_t __attribute__((unused)) *processed); -#else -long RSYSLOG_BIO_debug_callback(BIO *bio, int cmd, const char __attribute__((unused)) *argp, - int argi, long __attribute__((unused)) argl, long ret); -#endif -*/ - /* prototypes */ PROTOTYPEObj(net_ossl); diff --git a/runtime/nsd_ossl.c b/runtime/nsd_ossl.c index 2d70fb6..095328b 100644 --- a/runtime/nsd_ossl.c +++ b/runtime/nsd_ossl.c @@ -80,7 +80,7 @@ void nsd_ossl_lastOpenSSLErrorMsg(nsd_ossl_t const *pThis, const int ret, SSL *s } // Call helper in net_ossl - net_ossl_lastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi); + net_ossl.osslLastOpenSSLErrorMsg(fromHost, ret, ssl, severity, pszCallSource, pszOsslApi); free(fromHost); errno = errno_store; @@ -278,7 +278,8 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe dbgprintf("osslInitSession: enable certificate checking (Mode=%d, VerifyDepth=%d)\n", pThis->pNetOssl->authMode, pThis->DrvrVerifyDepth); /* Enable certificate valid checking */ - net_ossl_set_ssl_verify_callback(pThis->pNetOssl->ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT); + net_ossl.osslSetSslVerifyCallback(pThis->pNetOssl->ssl, + SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT); if (pThis->DrvrVerifyDepth != 0) { SSL_set_verify_depth(pThis->pNetOssl->ssl, pThis->DrvrVerifyDepth); } @@ -305,7 +306,7 @@ osslInitSession(nsd_ossl_t *pThis, osslSslState_t osslType) /* , nsd_ossl_t *pSe dbgprintf("osslInitSession: Init conn BIO[%p] done\n", (void *)conn); /* Set debug Callback for conn BIO as well! */ - net_ossl_set_bio_callback(conn); + net_ossl.osslSetBioCallback(conn); /* TODO: still needed? Set to NON blocking ! */ BIO_set_nbio( conn, 1 ); @@ -347,25 +348,25 @@ osslChkPeerAuth(nsd_ossl_t *pThis) switch(pThis->pNetOssl->authMode) { case OSSL_AUTH_CERTNAME: /* if we check the name, we must ensure the cert is valid */ - certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP); + certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP); dbgprintf("osslChkPeerAuth: Check peer certname[%p]=%s\n", (void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL")); - CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP)); - CHKiRet(net_ossl_chkpeername(pThis->pNetOssl, certpeer, fromHostIP)); + CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP)); + CHKiRet(net_ossl.osslChkpeername(pThis->pNetOssl, certpeer, fromHostIP)); break; case OSSL_AUTH_CERTFINGERPRINT: - certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP); + certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP); dbgprintf("osslChkPeerAuth: Check peer fingerprint[%p]=%s\n", (void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL")); - CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP)); - CHKiRet(net_ossl_peerfingerprint(pThis->pNetOssl, certpeer, fromHostIP)); + CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP)); + CHKiRet(net_ossl.osslPeerfingerprint(pThis->pNetOssl, certpeer, fromHostIP)); break; case OSSL_AUTH_CERTVALID: - certpeer = net_ossl_getpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP); + certpeer = net_ossl.osslGetpeercert(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP); dbgprintf("osslChkPeerAuth: Check peer valid[%p]=%s\n", (void *)pThis->pNetOssl->ssl, (certpeer != NULL ? "VALID" : "NULL")); - CHKiRet(net_ossl_chkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP)); + CHKiRet(net_ossl.osslChkpeercertvalidity(pThis->pNetOssl, pThis->pNetOssl->ssl, fromHostIP)); break; case OSSL_AUTH_CERTANON: FINALIZE; @@ -1277,7 +1278,7 @@ applyGnutlsPriorityString(nsd_ossl_t *const pThis) if(pThis->gnutlsPriorityString == NULL || pThis->pNetOssl->ctx == NULL) { FINALIZE; } else { - CHKiRet(net_ossl_apply_tlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString)); + CHKiRet(net_ossl.osslApplyTlscgfcmd(pThis->pNetOssl, pThis->gnutlsPriorityString)); } #endif -- cgit v1.2.3