Attachment 451780 Details for Bug 584298 – solves the issue for version 5.34 and 5.35

[patch] solves the issue for version 5.34 and 5.35

stunnel-5.34-compat-libressl.patch (text/plain), 7.07 KB, created by Ian Moone on 2016-10-28 22:56:37 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ian Moone

Created: 2016-10-28 22:56:37 UTC

Size: 7.07 KB

patch

obsolete

>--- src/common.h.orig	2016-06-27 07:29:32 UTC
>+++ src/common.h
>@@ -448,7 +448,7 @@ extern char *sys_errlist[];
> #define OPENSSL_NO_TLS1_2
> #endif /* OpenSSL older than 1.0.1 || defined(OPENSSL_NO_TLS1) */
> 
>-#if OPENSSL_VERSION_NUMBER>=0x10100000L
>+#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
> #ifndef OPENSSL_NO_SSL2
> #define OPENSSL_NO_SSL2
> #endif /* !defined(OPENSSL_NO_SSL2) */
>@@ -474,7 +474,7 @@ extern char *sys_errlist[];
> #include <openssl/des.h>
> #ifndef OPENSSL_NO_DH
> #include <openssl/dh.h>
>-#if OPENSSL_VERSION_NUMBER<0x10100000L
>+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
> #endif /* OpenSSL older than 1.1.0 */
> #endif /* !defined(OPENSSL_NO_DH) */
>
>--- src/ctx.c.orig	2016-06-21 15:06:14 UTC
>+++ src/ctx.c
>@@ -366,7 +366,7 @@ NOEXPORT int ecdh_init(SERVICE_OPTIONS *
> /**************************************** initialize OpenSSL CONF */
> 
> NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
>-#if OPENSSL_VERSION_NUMBER>=0x10002000L
>+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
>     SSL_CONF_CTX *cctx;
>     NAME_LIST *curr;
>     char *cmd, *param;
>
>--- src/prototypes.h.orig	2016-07-05 21:27:57 UTC
>+++ src/prototypes.h
>@@ -650,13 +650,13 @@ typedef enum {
> #endif /* OPENSSL_NO_DH */
>     STUNNEL_LOCKS                           /* number of locks */
> } LOCK_TYPE;
>-#if OPENSSL_VERSION_NUMBER < 0x10100004L
>+#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
> typedef int STUNNEL_RWLOCK;
> #else
> typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
> #endif
> extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
>-#if OPENSSL_VERSION_NUMBER>=0x10100004L
>+#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
> #define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
> #define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
> #else
>
>--- src/ssl.c.orig	2016-06-02 13:43:49 UTC
>+++ src/ssl.c
>@@ -78,7 +78,7 @@ int ssl_init(void) { /* init SSL before 
> }
> 
> #ifndef OPENSSL_NO_DH
>-#if OPENSSL_VERSION_NUMBER<0x10100000L
>+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
> /* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
>  * to be linked against the older versions */
> int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) {
>
>--- src/sthreads.c.orig	2016-05-03 18:35:03 UTC
>+++ src/sthreads.c
>@@ -45,7 +45,7 @@
> 
> STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
> 
>-#if OPENSSL_VERSION_NUMBER<0x10100004L
>+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
> #define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
> #endif
> 
>@@ -203,7 +203,7 @@ int create_client(SOCKET ls, SOCKET s, C
> 
> #ifdef USE_PTHREAD
> 
>-#if OPENSSL_VERSION_NUMBER<0x10100004L
>+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
> 
> struct CRYPTO_dynlock_value {
>     pthread_rwlock_t rwlock;
>@@ -263,16 +263,18 @@ unsigned long stunnel_thread_id(void) {
> #endif
> }
> 
>-#if OPENSSL_VERSION_NUMBER>=0x10000000L && OPENSSL_VERSION_NUMBER<0x10100004L
>+#if OPENSSL_VERSION_NUMBER>=0x10000000L
>+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
> NOEXPORT void threadid_func(CRYPTO_THREADID *tid) {
>     CRYPTO_THREADID_set_numeric(tid, stunnel_thread_id());
> }
> #endif
>+#endif
> 
> int sthreads_init(void) {
>     int i;
> 
>-#if OPENSSL_VERSION_NUMBER<0x10100004L
>+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
>     /* initialize the OpenSSL dynamic locking */
>     CRYPTO_set_dynlock_create_callback(dyn_create_function);
>     CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
>@@ -345,7 +347,7 @@ int create_client(SOCKET ls, SOCKET s, C
>  * but it is unsupported on Windows XP (and earlier versions of Windows):
>  * https://msdn.microsoft.com/en-us/library/windows/desktop/aa904937%28v=vs.85%29.aspx */
> 
>-#if OPENSSL_VERSION_NUMBER<0x10100004L
>+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
> 
> struct CRYPTO_dynlock_value {
>     CRITICAL_SECTION mutex;
>@@ -398,7 +400,7 @@ unsigned long stunnel_thread_id(void) {
> int sthreads_init(void) {
>     int i;
> 
>-#if OPENSSL_VERSION_NUMBER<0x10100004L
>+#if OPENSSL_VERSION_NUMBER<0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
>     /* initialize the OpenSSL dynamic locking */
>     CRYPTO_set_dynlock_create_callback(dyn_create_function);
>     CRYPTO_set_dynlock_lock_callback(dyn_lock_function);
>
>--- src/verify.c.orig	2016-07-05 21:27:57 UTC
>+++ src/verify.c
>@@ -178,14 +178,14 @@ NOEXPORT void auth_warnings(SERVICE_OPTI
>     if(section->option.verify_peer) /* verify_peer does not depend on PKI */
>         return;
>     if(section->option.verify_chain) {
>-#if OPENSSL_VERSION_NUMBER>=0x10002000L
>+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
>         if(section->check_email || section->check_host || section->check_ip)
>             return;
> #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
>         s_log(LOG_WARNING,
>             "Service [%s] uses \"verify = 2\" without subject checks",
>             section->servname);
>-#if OPENSSL_VERSION_NUMBER<0x10002000L
>+#if OPENSSL_VERSION_NUMBER<0x10002000L || defined(LIBRESSL_VERSION_NUMBER)
>         s_log(LOG_WARNING,
>             "Rebuild your stunnel against OpenSSL version 1.0.2 or higher");
> #endif /* OPENSSL_VERSION_NUMBER<0x10002000L */
>@@ -277,7 +277,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
>     }
> 
>     if(depth==0) { /* additional peer certificate checks */
>-#if OPENSSL_VERSION_NUMBER>=0x10002000L
>+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
>         if(!cert_check_subject(c, callback_ctx))
>             return 0; /* reject */
> #endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
>@@ -288,7 +288,7 @@ NOEXPORT int cert_check(CLI *c, X509_STO
>     return 1; /* accept */
> }
> 
>-#if OPENSSL_VERSION_NUMBER>=0x10002000L
>+#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
> NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
>     X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
>     NAME_LIST *ptr;
>@@ -340,7 +340,7 @@ NOEXPORT int cert_check_local(X509_STORE
>     STACK_OF(X509) *sk;
>     int i;
> #endif
>-#if OPENSSL_VERSION_NUMBER<0x10100000L
>+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>     X509_OBJECT obj;
>     int success;
> #endif
>@@ -349,7 +349,7 @@ NOEXPORT int cert_check_local(X509_STORE
>     subject=X509_get_subject_name(cert);
> 
> #if OPENSSL_VERSION_NUMBER>=0x10000000L
>-#if OPENSSL_VERSION_NUMBER<0x10100006L
>+#if OPENSSL_VERSION_NUMBER<0x10100006L || defined(LIBRESSL_VERSION_NUMBER)
> #define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
> #endif
>     /* modern API allows retrieving multiple matching certificates */
>@@ -364,7 +364,7 @@ NOEXPORT int cert_check_local(X509_STORE
>     }
> #endif
> 
>-#if OPENSSL_VERSION_NUMBER<0x10100000L
>+#if OPENSSL_VERSION_NUMBER<0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>     /* pre-1.0.0 API only returns a single matching certificate */
>     /* we also invoke it for other OpenSSL versions before 1.1.0 */
>     memset((char *)&obj, 0, sizeof obj);

Actions: View | Diff

Attachments on bug 584298: 435532 | 435534 | 435536 | 451780 | 461612 | 538932 | 538934 | 538936 | 538938 | 538940 | 538942 | 538944