openssl 1.1/1.0 support

Added support for building with earlier openssl versions, and enabled anonymous ciphers in openssl 1.1, so it maintains the same functionality as earlier openssl (even though this is dangerously insecure), so it passes all tests. Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
2025-01-18 02:29:45 +00:00 · 2018-05-25 16:10:00 -03:00 · 2018-05-25 16:10:00 -03:00 · 16598183c6
commit 16598183c6
parent 4e3c2e134e
2 changed files with 54 additions and 6 deletions
--- a/conserver/main.c
+++ b/conserver/main.c
@ -86,6 +86,41 @@ unsigned long dmallocMarkMain = 0;
 #endif

 #if HAVE_OPENSSL
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+    /* If the fields p and g in d are NULL, the corresponding input
+     * parameters MUST be non-NULL.  q may remain NULL.
+     */
+    if ((dh->p == NULL && p == NULL)
+        || (dh->g == NULL && g == NULL))
+        return 0;
+
+    if (p != NULL) {
+        BN_free(dh->p);
+        dh->p = p;
+    }
+    if (q != NULL) {
+        BN_free(dh->q);
+        dh->q = q;
+    }
+    if (g != NULL) {
+        BN_free(dh->g);
+        dh->g = g;
+    }
+
+    if (q != NULL) {
+        dh->length = BN_num_bits(q);
+    }
+
+    return 1;
+}
+#define TLS_method SSLv23_method
+#define CIPHER_SEC0
+#else
+#define CIPHER_SEC0 ":@SECLEVEL=0"
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
 SSL_CTX *ctx = (SSL_CTX *)0;
 DH *dh512 = (DH *)0;
 DH *dh1024 = (DH *)0;
@ -93,7 +128,7 @@ DH *dh2048 = (DH *)0;
 DH *dh4096 = (DH *)0;

 DH *
-DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) {
+DHFromArray(unsigned char *dh_p, size_t dh_p_size, unsigned char *dh_g, size_t dh_g_size) {
    DH *dh;
    BIGNUM *p, *g;

@ -104,7 +139,7 @@ DHFromArray(char *dh_p, size_t dh_p_size, char *dh_g, size_t dh_g_size) {

    g = BN_bin2bn(dh_g, dh_g_size, NULL);
    if (g == NULL) {
-	BN_free(p);
+	BN_free(g);
 	return (NULL);
    }

@ -301,12 +336,14 @@ SetupSSL(void)
    if (ctx == (SSL_CTX *)0) {
 	char *ciphers;
 	int verifymode;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_load_error_strings();
 	if (!SSL_library_init()) {
 	    Error("SetupSSL(): SSL_library_init() failed");
 	    Bye(EX_SOFTWARE);
 	}
-	if ((ctx = SSL_CTX_new(SSLv23_method())) == (SSL_CTX *)0) {
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+	if ((ctx = SSL_CTX_new(TLS_method())) == (SSL_CTX *)0) {
 	    Error("SetupSSL(): SSL_CTX_new() failed");
 	    Bye(EX_SOFTWARE);
 	}
@ -332,7 +369,7 @@ SetupSSL(void)
 	    }
 	    ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH";
 	} else {
-	    ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
+	    ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0;
 	}
 	if (config->sslcacertificatefile != (char *)0) {
 	    STACK_OF(X509_NAME) * cert_names;
--- a/console/console.c
+++ b/console/console.c
@ -71,6 +71,15 @@ struct winsize ws;
 #endif

 #if HAVE_OPENSSL
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#define TLS_method SSLv23_method
+#define CIPHER_SEC0
+#else
+#define CIPHER_SEC0 ":@SECLEVEL=0"
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+
 SSL_CTX *ctx = (SSL_CTX *)0;

 void
@ -78,12 +87,14 @@ SetupSSL(void)
 {
    if (ctx == (SSL_CTX *)0) {
 	char *ciphers;
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 	SSL_load_error_strings();
 	if (!SSL_library_init()) {
 	    Error("SSL library initialization failed");
 	    Bye(EX_UNAVAILABLE);
 	}
-	if ((ctx = SSL_CTX_new(SSLv23_method())) == (SSL_CTX *)0) {
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+	if ((ctx = SSL_CTX_new(TLS_method())) == (SSL_CTX *)0) {
 	    Error("Creating SSL context failed");
 	    Bye(EX_UNAVAILABLE);
 	}
@ -123,7 +134,7 @@ SetupSSL(void)
 # if defined(REQ_SERVER_CERT)
 	    ciphers = "ALL:!LOW:!EXP:!MD5:!aNULL:@STRENGTH";
 # else
-	    ciphers = "ALL:!LOW:!EXP:!MD5:@STRENGTH";
+	    ciphers = "ALL:aNULL:!LOW:!EXP:!MD5:@STRENGTH" CIPHER_SEC0;
 # endif
 	}
 	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, SSLVerifyCallback);