Attachment 591896 Details for Bug 695630 – libressl patch

[patch] libressl patch

openconnect-8.05-libressl.patch (text/plain), 5.44 KB, created by Philipp Ammann on 2019-10-05 12:48:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Philipp Ammann

Created: 2019-10-05 12:48:49 UTC

Size: 5.44 KB

patch

obsolete

>From 3bb2ce7a75f1a9a2138e39a469686554fcf9a6e2 Mon Sep 17 00:00:00 2001
>From: Philipp Ammann <philipp.ammann@posteo.de>
>Date: Sat, 3 Aug 2019 14:53:12 +0000
>Subject: [PATCH 1/3] LibreSSL doesn't have SSL_CIPHER_find
>
>---
> openssl-dtls.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
>diff --git a/openssl-dtls.c b/openssl-dtls.c
>index b954e2b3..71027f97 100644
>--- a/openssl-dtls.c
>+++ b/openssl-dtls.c
>@@ -315,7 +315,7 @@ static unsigned int psk_callback(SSL *ssl, const char *hint, char *identity,
> 
> #endif
> 
>-#if OPENSSL_VERSION_NUMBER < 0x10002000L
>+#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
> static const SSL_CIPHER *SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
> {
>     return ssl->method->get_cipher_by_char(ptr);
>-- 
>2.21.0
>
>
>From a51705ae0253df59d8040e390127ee0c0718f2bc Mon Sep 17 00:00:00 2001
>From: Philipp Ammann <philipp.ammann@posteo.de>
>Date: Sat, 3 Aug 2019 14:23:48 +0000
>Subject: [PATCH 2/3] Fix (non) static HMAC_CTX_* for LibreSSL 2.7+
>
>Signed-off-by: Philipp Ammann <philipp.ammann at posteo.de>
>---
> openssl-esp.c         |  5 ++++-
> tests/bad_dtls_test.c | 10 ++++++++--
> 2 files changed, 12 insertions(+), 3 deletions(-)
>
>diff --git a/openssl-esp.c b/openssl-esp.c
>index 0cb65444..ee3fbb2b 100644
>--- a/openssl-esp.c
>+++ b/openssl-esp.c
>@@ -36,7 +36,10 @@
> 				    HMAC_CTX_cleanup(c);	\
> 				    free(c); } while (0)
> 
>-static inline HMAC_CTX *HMAC_CTX_new(void)
>+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
>+static
>+#endif
>+inline HMAC_CTX *HMAC_CTX_new(void)
> {
> 	HMAC_CTX *ret = malloc(sizeof(*ret));
> 	if (ret)
>diff --git a/tests/bad_dtls_test.c b/tests/bad_dtls_test.c
>index c123c8f8..a182bd6e 100644
>--- a/tests/bad_dtls_test.c
>+++ b/tests/bad_dtls_test.c
>@@ -291,12 +291,18 @@ static EVP_MD_CTX *handshake_md5;
> static EVP_MD_CTX *handshake_sha1;
> 
> #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>-static inline HMAC_CTX *HMAC_CTX_new(void) {
>+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
>+static
>+#endif
>+inline HMAC_CTX *HMAC_CTX_new(void) {
>     HMAC_CTX *ret = malloc(sizeof(*ret));
>     HMAC_CTX_init(ret);
>     return ret;
> }
>-static inline void HMAC_CTX_free(HMAC_CTX *ctx) {
>+#if !defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
>+static
>+#endif
>+inline void HMAC_CTX_free(HMAC_CTX *ctx) {
>     HMAC_CTX_cleanup(ctx);
>     free(ctx);
> }
>-- 
>2.21.0
>
>
>From 8976b079bd3574875f80fb15fae26a433e13c147 Mon Sep 17 00:00:00 2001
>From: Philipp Ammann <philipp.ammann@posteo.de>
>Date: Sat, 5 Oct 2019 11:48:13 +0000
>Subject: [PATCH 3/3] Disable DTLS when built against LibreSSL
>
>Compilation against LibreSSL fails with
>
>  error: 'DTLS1_2_VERSION' undeclared
>
>because LibreSSL doesn't define it in openssl/dtls1.h like OpenSSL
>does. Manually defining it to the current OpenSSL value (0xFEFD) does
>allow OpenConnect to be compiled. This however doesn't magically allow
>DTLS to work with LibreSSL.
>
>This patch simply mitigates the problem and doesn't properly solve it.
>
>A cleaner version would be to unset $dtls in configure when LibreSSL is
>found. Fortunately I've never been to autohell and don't know how to
>properly do this.
>---
> cstp.c         | 2 +-
> library.c      | 2 +-
> main.c         | 4 ++--
> openssl-dtls.c | 2 +-
> 4 files changed, 5 insertions(+), 5 deletions(-)
>
>diff --git a/cstp.c b/cstp.c
>index 577805e0..70bbdd58 100644
>--- a/cstp.c
>+++ b/cstp.c
>@@ -264,7 +264,7 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
> 			       vpninfo->disable_ipv6 ? "IPv4" : "IPv6,IPv4");
> 	if (!vpninfo->disable_ipv6)
> 		buf_append(reqbuf, "X-CSTP-Full-IPv6-Capability: true\r\n");
>-#ifdef HAVE_DTLS
>+#if defined(HAVE_DTLS) && !defined(LIBRESSL_VERSION_NUMBER)
> 	if (vpninfo->dtls_state != DTLS_DISABLED) {
> 		/* The X-DTLS-Master-Secret is only used for the legacy protocol negotation
> 		 * which required the client to send explicitly the secret. In the PSK-NEGOTIATE
>diff --git a/library.c b/library.c
>index e517fdc9..2410fcda 100644
>--- a/library.c
>+++ b/library.c
>@@ -122,7 +122,7 @@ const struct vpn_proto openconnect_protos[] = {
> 		.add_http_headers = cstp_common_headers,
> 		.obtain_cookie = cstp_obtain_cookie,
> 		.udp_protocol = "DTLS",
>-#ifdef HAVE_DTLS
>+#if defined(HAVE_DTLS) && !defined(LIBRESSL_VERSION_NUMBER)
> 		.udp_setup = dtls_setup,
> 		.udp_mainloop = dtls_mainloop,
> 		.udp_close = dtls_close,
>diff --git a/main.c b/main.c
>index 19d64377..a56babb4 100644
>--- a/main.c
>+++ b/main.c
>@@ -635,7 +635,7 @@ static void print_build_opts(void)
> 		sep = comma;
> 	}
> 
>-#ifdef HAVE_DTLS
>+#if defined(HAVE_DTLS) && !defined(LIBRESSL_VERSION_NUMBER)
> 	printf("%sDTLS", sep);
> #endif
> #ifdef HAVE_ESP
>@@ -643,7 +643,7 @@ static void print_build_opts(void)
> #endif
> 	printf("\n");
> 
>-#if !defined(HAVE_DTLS) || !defined(HAVE_ESP)
>+#if !defined(HAVE_DTLS) || !defined(HAVE_ESP) || defined(LIBRESSL_VERSION_NUMBER)
> 	printf(_("WARNING: This binary lacks DTLS and/or ESP support. Performance will be impaired.\n"));
> #endif
> }
>diff --git a/openssl-dtls.c b/openssl-dtls.c
>index 71027f97..1388b096 100644
>--- a/openssl-dtls.c
>+++ b/openssl-dtls.c
>@@ -331,7 +331,7 @@ int start_dtls_handshake(struct openconnect_info *vpninfo, int dtls_fd)
> 	int dtlsver = DTLS1_BAD_VER;
> 	const char *cipher = vpninfo->dtls_cipher;
> 
>-#ifdef HAVE_DTLS12
>+#if defined(HAVE_DTLS12) && !defined(LIBRESSL_VERSION_NUMBER)
> 	/* These things should never happen unless they're supported */
> 	if (vpninfo->cisco_dtls12) {
> 		dtlsver = DTLS1_2_VERSION;
>-- 
>2.21.0
>

Actions: View | Diff

Attachments on bug 695630: 591040 | 591042 | 591044 | 591046 | 591048 | 591050 | 591052 | 591896