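--- a/src/common.h.orig
+++ b/src/common.h.orig
@@ -448,7 +448,7 @@ extern char *sys_errlist[];
 #define OPENSSL_NO_TLS1_2
 #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
 
-#if OPENSSL_VERSION_NUMBER>=0x10100000L
+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 #ifndef OPENSSL_NO_SSL2
 #define OPENSSL_NO_SSL2
 #endif /* !defined(OPENSSL_NO_SSL2) */
@@ -474,7 +474,7 @@ extern char *sys_errlist[];
 #include <openssl/des.h>
 #ifndef OPENSSL_NO_DH
 #include <openssl/dh.h>
-#if OPENSSL_VERSION_NUMBER<0x10100000L
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
 #endif /* OpenSSL older than 1.1.0 */
 #endif /* !defined(OPENSSL_NO_DH) */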
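Review bot: The `&& !defined(LIBRESSL_VERSION_NUMBER)` added to the OPENSSL_NO_SSL2 guard in the first hunk points the wrong way: that block only force-defines OPENSSL_NO_SSL2 when the library headers did not, which is harmless on any library, and LibreSSL has no SSLv2 either, so excluding it can only expose SSLv2-method code paths elsewhere in stunnel should a LibreSSL header ever fail to define the macro. Since LibreSSL reports a 2.x OPENSSL_VERSION_NUMBER (0x20000000L, if I remember correctly) the unpatched `#if OPENSSL_VERSION_NUMBER>=0x10100000L` already covered it; I would drop the exclusion on this one line, or state the intent with `#if OPENSSL_VERSION_NUMBER>=0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`. The DH_set0_pqg prototype in the second hunk is fine today, but it should get an upper bound on LIBRESSL_VERSION_NUMBER as soon as a LibreSSL release provides that accessor, otherwise it will conflict with the library's own declaration.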
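--- a/src/ctx.c.orig
+++ b/src/ctx.c.orig
@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *
 /**************************************** initialize OpenSSL CONF */
 
 NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
     SSL_CONF_CTX *cctx;
     NAME_LIST *curr;
     char *cmd, *param;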
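--- a/src/prototypes.h.orig
+++ b/src/prototypes.h.orig
@@ -650,13 +650,13 @@ typedef enum {
 #endif /* OPENSSL_NO_DH */
     STUNNEL_LOCKS                           /* number of locks */
 } LOCK_TYPE;
-#if OPENSSL_VERSION_NUMBER < 0x10100004L
+#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
 typedef int STUNNEL_RWLOCK;
 #else
 typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
 #endif
 extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
-#if OPENSSL_VERSION_NUMBER>=0x10100004L
+#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
 #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
 #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
 #else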
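Review bot: Style: the same compound condition now has to be repeated, once positive and once negated, at both `#if`s in this hunk and again at every dynlock site in sthreads.c, so the lock typedef and its users are kept in sync only by hand; if one copy drifts, STUNNEL_RWLOCK becomes an `int` while a caller uses the CRYPTO_RWLOCK API, which C compilers typically report as a mere warning. Since this header appears to be what the lock users include, decide the feature once here and test a single macro elsewhere: `#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)` / `#define STUNNEL_CRYPTO_THREAD_API 1` / `#endif`, then `#ifdef STUNNEL_CRYPTO_THREAD_API` for the typedef and the unlock macros. The `#else` branch at the end of the hunk continues past it.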
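--- a/src/ssl.c.orig
+++ b/src/ssl.c.orig
@@ -78,7 +78,7 @@ int ssl_init(void) { /* init SSL before
 }
 
 #ifndef OPENSSL_NO_DH
-#if OPENSSL_VERSION_NUMBER<0x10100000L
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
  * to be linked against the older versions */
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {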
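Review bot: Compiling stunnel's own `DH_set0_pqg` for every LibreSSL build is an open-ended assumption: the first LibreSSL release that ships the OpenSSL 1.1 DH accessors will make this definition (and the prototype in common.h) collide with the library's, and users on that release get a redefinition or link failure instead of a working build. Bound the fallback by capability rather than by vendor, ideally a configure probe for the function and `#ifndef HAVE_DH_SET0_PQG` here, or at least `defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < ...` with the bound filled in once LibreSSL adds it. The comment above the definition should also say why LibreSSL takes this path, e.g. `/* ... to be linked against older OpenSSL, or against LibreSSL, which lacks this accessor */`. The function body continues past the hunk.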
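--- a/src/sthreads.c.orig
+++ b/src/sthreads.c.orig
@@ -45,7 +45,7 @@
 
 STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
 
-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
 #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
 #endif
 
@@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, C
 
 #ifdef USE_PTHREAD
 
-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
 
 struct CRYPTO_dynlock_value {
     pthread_rwlock_t rwlock;
@@ -263,16 +263,18 @@ unsigned long stunnel_thread_id(void) {
 #endif
 }
 
-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER>=0x10000000L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
 NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
     CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
 }
 #endif
+#endif
 
 int sthreads_init(void) {
     int i;
 
-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
     /* initialize the OpenSSL dynamic locking */
     CRYPTO_set_dynlock_create_callback(dyn_create_function);
     CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
@@ -345,7 +347,7 @@ int create_client(SOCKET ls, SOCKET s, C
  * but it is unsupported on Windows XP (and earlier versions of Windows):
  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
 
-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
 
 struct CRYPTO_dynlock_value {
     CRITICAL_SECTION mutex;
@@ -398,7 +400,7 @@ unsigned long stunnel_thread_id(void) {
 int sthreads_init(void) {
     int i;
 
-#if OPENSSL_VERSION_NUMBER<0x10100004L
+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
     /* initialize the OpenSSL dynamic locking */
     CRYPTO_set_dynlock_create_callback(dyn_create_function);
     CRYPTO_set_dynlock_lock_callback(dyn_lock_function);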
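Review bot: Splitting the threadid_func guard into two nested `#if`s (third hunk) leaves two consecutive bare `#endif`s at new lines 271-272 with nothing saying which condition each closes, in a file whose dynlock blocks are already hard to pair up. The same gate fits on the original single line, `#if OPENSSL_VERSION_NUMBER>=0x10000000L && (OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER))`, and keeps one `#endif`; if the nesting stays, label both closers, `#endif /* OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER) */` and `#endif /* OPENSSL_VERSION_NUMBER>=0x10000000L */`, as the other `#endif`s in this patch are. The sthreads_init body opened by that hunk, and by the Windows variant in the last hunk, continues past the hunk.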
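--- a/src/verify.c.orig
+++ b/src/verify.c.orig
@@ -178,14 +178,14 @@ NOEXPORT void auth_warnings(SERVICE_OPTI
     if(section->option.verify_peer) /* verify_peer does not depend on PKI */
         return;
     if(section->option.verify_chain) {
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
         if(section->check_email || section->check_host || section->check_ip)
             return;
 #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
         s_log(LOG_WARNING,
             "Service [%s] uses \"verify = 2\" without subject checks",
             section->servname);
-#if OPENSSL_VERSION_NUMBER<0x10002000L
+#if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
         s_log(LOG_WARNING,
             "Rebuild your stunnel against OpenSSL version 1.0.2 or higher");
 #endif /* OPENSSL_VERSION_NUMBER<0x10002000L */
@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
     }
 
     if(depth==0) { /* additional peer certificate checks */
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
         if(!cert_check_subject(c, callback_ctx))
             return 0; /* reject */
 #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
@@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
     return 1; /* accept */
 }
 
-#if OPENSSL_VERSION_NUMBER>=0x10002000L
+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
 NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
     X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
     NAME_LIST *ptr;
@@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE
     STACK_OF(X509) *sk;
     int i;
 #endif
-#if OPENSSL_VERSION_NUMBER<0x10100000L
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     X509_OBJECT obj;
     int success;
 #endif
@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE
     subject=X509_get_subject_name(cert);
 
 #if OPENSSL_VERSION_NUMBER>=0x10000000L
-#if OPENSSL_VERSION_NUMBER<0x10100006L
+#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
 #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
 #endif
     /* modern API allows retrieving multiple matching certificates */
@@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE
     }
 #endif
 
-#if OPENSSL_VERSION_NUMBER<0x10100000L
+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
     /* pre-1.0.0 API only returns a single matching certificate */
     /* we also invoke it for other OpenSSL versions before 1.1.0 */
     memset((char *)&obj, 0, sizeof obj);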
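Review bot: Gating `cert_check_subject` out for LibreSSL (second hunk, the `#if` before `if(!cert_check_subject(c, callback_ctx))`) means a service configured with checkHost, checkEmail or checkIP on a LibreSSL build still verifies the chain but never compares the peer certificate against those names, so any certificate issued by a trusted CA is accepted; the only signal is the LOG_WARNING in auth_warnings, and its advice `"Rebuild your stunnel against OpenSSL version 1.0.2 or higher"` is wrong for a LibreSSL user. If the LibreSSL release being targeted really lacks X509_check_host() and its siblings (worth confirming, since newer LibreSSL may provide them and then this exclusion is simply lost functionality), the safe behaviour is to fail closed: refuse the configuration at startup when any of those options is set but the check is compiled out, rather than log and run. At minimum the second warning should say that the build lacks subject-check support instead of naming an OpenSSL version, and the three `#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */` comments in this section no longer match the conditions they close.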
