Attachment #461612 for bug #584298

Lines 359-365 Link Here

(-)stunnel-5.30.orig/src/ctx.c (-1 / +1 lines)
359	/**************************************** initialize OpenSSL CONF */	359	/**************************************** initialize OpenSSL CONF */
360		360
361	NOEXPORT int conf_init(SERVICE_OPTIONS *section) {	361	NOEXPORT int conf_init(SERVICE_OPTIONS *section) {
362	#if OPENSSL_VERSION_NUMBER>=0x10002000L	362	#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
363	SSL_CONF_CTX *cctx;	363	SSL_CONF_CTX *cctx;
364	NAME_LIST *curr;	364	NAME_LIST *curr;
365	char cmd, param;	365	char cmd, param;




NOEXPORT int verify_callback(int, X509_STORE_CTX *);
NOEXPORT int verify_checks(CLI *, int, X509_STORE_CTX *);
NOEXPORT int cert_check(CLI *, X509_STORE_CTX *, int);
#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
NOEXPORT int cert_check_subject(CLI *, X509_STORE_CTX *);
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
NOEXPORT int cert_check_local(X509_STORE_CTX *);

    }

    if(depth==0) { /* additional peer certificate checks */
#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
        if(!cert_check_subject(c, callback_ctx))
            return 0; /* reject */
#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */

    return 1; /* accept */
}

#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
NOEXPORT int cert_check_subject(CLI *c, X509_STORE_CTX *callback_ctx) {
    X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
    NAME_LIST *ptr;

Lines 448-454 extern char *sys_errlist[]; Link Here

(-)a/src/common.h (-2 / +2 lines)
448	#define OPENSSL_NO_TLS1_2	448	#define OPENSSL_NO_TLS1_2
449	#endif /* OpenSSL older than 1.0.1 \|\| defined(OPENSSL_NO_TLS1) */	449	#endif /* OpenSSL older than 1.0.1 \|\| defined(OPENSSL_NO_TLS1) */
450		450
451	#if OPENSSL_VERSION_NUMBER>=0x10100000L	451	#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
452	#ifndef OPENSSL_NO_SSL2	452	#ifndef OPENSSL_NO_SSL2
453	#define OPENSSL_NO_SSL2	453	#define OPENSSL_NO_SSL2
454	#endif /* !defined(OPENSSL_NO_SSL2) */	454	#endif /* !defined(OPENSSL_NO_SSL2) */
Lines 474-480 extern char *sys_errlist[]; Link Here
474	#include <openssl/des.h>	474	#include <openssl/des.h>
475	#ifndef OPENSSL_NO_DH	475	#ifndef OPENSSL_NO_DH
476	#include <openssl/dh.h>	476	#include <openssl/dh.h>
477	#if OPENSSL_VERSION_NUMBER<0x10100000L	477	#if OPENSSL_VERSION_NUMBER<0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)
478	int DH_set0_pqg(DH dh, BIGNUM p, BIGNUM q, BIGNUM g);	478	int DH_set0_pqg(DH dh, BIGNUM p, BIGNUM q, BIGNUM g);
479	#endif /* OpenSSL older than 1.1.0 */	479	#endif /* OpenSSL older than 1.1.0 */
480	#endif /* !defined(OPENSSL_NO_DH) */	480	#endif /* !defined(OPENSSL_NO_DH) */




#endif /* OPENSSL_NO_DH */
    STUNNEL_LOCKS                           /* number of locks */
} LOCK_TYPE;
#if OPENSSL_VERSION_NUMBER < 0x10100004L || defined(LIBRESSL_VERSION_NUMBER)
typedef int STUNNEL_RWLOCK;
#else
typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
#endif
extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
#define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
#define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
#else

Lines 50-56 NOEXPORT int add_rand_file(GLOBAL_OPTIONS , const char ); Link Here

(-)a/src/ssl.c (-2 / +2 lines)
50	int index_cli, index_opt, index_redirect, index_addr;	50	int index_cli, index_opt, index_redirect, index_addr;
51		51
52	int ssl_init(void) { /* init TLS before parsing configuration file */	52	int ssl_init(void) { /* init TLS before parsing configuration file */
53	#if OPENSSL_VERSION_NUMBER>=0x10100000L	53	#if OPENSSL_VERSION_NUMBER>=0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
54	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \|	54	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS \|
55	OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);	55	OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
56	#else	56	#else
Lines 83-89 int ssl_init(void) { /* init TLS before parsing configuration file */ Link Here
83	}	83	}
84		84
85	#ifndef OPENSSL_NO_DH	85	#ifndef OPENSSL_NO_DH
86	#if OPENSSL_VERSION_NUMBER<0x10100000L	86	#if OPENSSL_VERSION_NUMBER<0x10100000L \|\| defined(LIBRESSL_VERSION_NUMBER)
87	/* this is needed for dhparam.c generated with OpenSSL >= 1.1.0	87	/* this is needed for dhparam.c generated with OpenSSL >= 1.1.0
88	* to be linked against the older versions */	88	* to be linked against the older versions */
89	int DH_set0_pqg(DH dh, BIGNUM p, BIGNUM q, BIGNUM g) {	89	int DH_set0_pqg(DH dh, BIGNUM p, BIGNUM q, BIGNUM g) {

Lines 47-53 Link Here

(-)a/src/sthreads.c (-1 / +1 lines)
47	STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];	47	STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
48	#endif	48	#endif
49		49
50	#if OPENSSL_VERSION_NUMBER<0x10100004L	50	#if OPENSSL_VERSION_NUMBER<0x10100004L \|\| defined(LIBRESSL_VERSION_NUMBER)
51	#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()	51	#define CRYPTO_THREAD_lock_new() CRYPTO_get_new_dynlockid()
52	#endif	52	#endif
53		53

Lines 348-354 NOEXPORT int cert_check_local(X509_STORE_CTX *callback_ctx) { Link Here

(-)a/src/verify.c (-1 / +1 lines)
348	cert=X509_STORE_CTX_get_current_cert(callback_ctx);	348	cert=X509_STORE_CTX_get_current_cert(callback_ctx);
349	subject=X509_get_subject_name(cert);	349	subject=X509_get_subject_name(cert);
350		350
351	#if OPENSSL_VERSION_NUMBER>=0x10000000L	351	#if OPENSSL_VERSION_NUMBER>=0x10000000L && !defined(LIBRESSL_VERSION_NUMBER)
352	#if OPENSSL_VERSION_NUMBER<0x10100006L	352	#if OPENSSL_VERSION_NUMBER<0x10100006L
353	#define X509_STORE_CTX_get1_certs X509_STORE_get1_certs	353	#define X509_STORE_CTX_get1_certs X509_STORE_get1_certs
354	#endif	354	#endif

Return to bug 584298

Lines 664-676 typedef enum { Link Here

(-)a/src/prototypes.h (-2 / +2 lines)
664	#endif /* OPENSSL_NO_DH */	664	#endif /* OPENSSL_NO_DH */
665	STUNNEL_LOCKS /* number of locks */	665	STUNNEL_LOCKS /* number of locks */
666	} LOCK_TYPE;	666	} LOCK_TYPE;
667	#if OPENSSL_VERSION_NUMBER < 0x10100004L	667	#if OPENSSL_VERSION_NUMBER < 0x10100004L \|\| defined(LIBRESSL_VERSION_NUMBER)
668	typedef int STUNNEL_RWLOCK;	668	typedef int STUNNEL_RWLOCK;
669	#else	669	#else
670	typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;	670	typedef CRYPTO_RWLOCK *STUNNEL_RWLOCK;
671	#endif	671	#endif
672	extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];	672	extern STUNNEL_RWLOCK stunnel_locks[STUNNEL_LOCKS];
673	#if OPENSSL_VERSION_NUMBER>=0x10100004L	673	#if OPENSSL_VERSION_NUMBER>=0x10100004L && !defined(LIBRESSL_VERSION_NUMBER)
674	#define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)	674	#define CRYPTO_THREAD_read_unlock(type) CRYPTO_THREAD_unlock(type)
675	#define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)	675	#define CRYPTO_THREAD_write_unlock(type) CRYPTO_THREAD_unlock(type)
676	#else	676	#else

Lines 51-57 Link Here

(-)stunnel-5.30.orig/src/verify.c (-3 / +3 lines)
51	NOEXPORT int verify_callback(int, X509_STORE_CTX *);	51	NOEXPORT int verify_callback(int, X509_STORE_CTX *);
52	NOEXPORT int verify_checks(CLI , int, X509_STORE_CTX );	52	NOEXPORT int verify_checks(CLI , int, X509_STORE_CTX );
53	NOEXPORT int cert_check(CLI , X509_STORE_CTX , int);	53	NOEXPORT int cert_check(CLI , X509_STORE_CTX , int);
54	#if OPENSSL_VERSION_NUMBER>=0x10002000L	54	#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
55	NOEXPORT int cert_check_subject(CLI , X509_STORE_CTX );	55	NOEXPORT int cert_check_subject(CLI , X509_STORE_CTX );
56	#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */	56	#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
57	NOEXPORT int cert_check_local(X509_STORE_CTX *);	57	NOEXPORT int cert_check_local(X509_STORE_CTX *);
Lines 280-286 Link Here
280	}	280	}
281		281
282	if(depth==0) { /* additional peer certificate checks */	282	if(depth==0) { /* additional peer certificate checks */
283	#if OPENSSL_VERSION_NUMBER>=0x10002000L	283	#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
284	if(!cert_check_subject(c, callback_ctx))	284	if(!cert_check_subject(c, callback_ctx))
285	return 0; /* reject */	285	return 0; /* reject */
286	#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */	286	#endif /* OPENSSL_VERSION_NUMBER>=0x10002000L */
Lines 291-297 Link Here
291	return 1; /* accept */	291	return 1; /* accept */
292	}	292	}
293		293
294	#if OPENSSL_VERSION_NUMBER>=0x10002000L	294	#if OPENSSL_VERSION_NUMBER>=0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
295	NOEXPORT int cert_check_subject(CLI c, X509_STORE_CTX callback_ctx) {	295	NOEXPORT int cert_check_subject(CLI c, X509_STORE_CTX callback_ctx) {
296	X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);	296	X509 *cert=X509_STORE_CTX_get_current_cert(callback_ctx);
297	NAME_LIST *ptr;	297	NAME_LIST *ptr;