control: tags -1 patch

On 2016-11-07 08:39:17 [-0500], Zack Weinberg wrote:
> Nov 07 08:34:17 moxana dnssec-triggerd[20281]: Nov 07 08:34:17 
> dnssec-triggerd[20281] error: could not set SSL_OP_NO_SSLv2 crypto 
> error:00000000

could someone please check if the attached patch works? I am confident
but don't have time to do it myself just now.

Sebastian
>From 05cd529e19d317b8bcc69f7d883873a27195b904 Mon Sep 17 00:00:00 2001
From: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
Date: Mon, 7 Nov 2016 20:59:11 +0000
Subject: [PATCH] dnssec-trigger: openssl 1.1.0 fixup

- SSL_OP_NO_SSLv2 / SSLv2 has been removed from openssl 1.1.0 and as
  such it can't be tested (the way it is) if disabling it worked.

- SSL_CTX_load_verify_locations() returns 1 on success and 0 on failure.
  The check for the result code is bogus and has nothing to do with the
  switch to openssl 1.1.0 itself.

- ERR_remove_state() and friends are NOPs in current openssl 1.1.0 due
  the threading model. This operations are nops therefore and do nothing
  and can be removed in a later version.

Signed-off-by: Sebastian Andrzej Siewior <sebast...@breakpoint.cc>
---
 riggerd/cfg.c      | 2 ++
 riggerd/net_help.c | 4 +++-
 riggerd/riggerd.c  | 2 ++
 riggerd/svr.c      | 2 ++
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/riggerd/cfg.c b/riggerd/cfg.c
index 03f4f73..08b2028 100644
--- a/riggerd/cfg.c
+++ b/riggerd/cfg.c
@@ -540,9 +540,11 @@ cfg_setup_ctx_client(struct cfg* cfg, char* err, size_t errlen)
 	if(!ctx)
 		return ctx_err_ret(ctx, err, errlen,
 			"could not allocate SSL_CTX pointer");
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2))
 		return ctx_err_ret(ctx, err, errlen, 
 			"could not set SSL_OP_NO_SSLv2");
+#endif
 	if(!SSL_CTX_use_certificate_file(ctx,c_cert,SSL_FILETYPE_PEM) ||
 		!SSL_CTX_use_PrivateKey_file(ctx,c_key,SSL_FILETYPE_PEM)
 		|| !SSL_CTX_check_private_key(ctx))
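Review bot: The version guard added before the SSL_OP_NO_SSLv2 check keys on the release number rather than on what actually broke: in OpenSSL 1.1.0 `SSL_OP_NO_SSLv2` is still defined, but as 0, so `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2` can never be non-zero and the "could not set SSL_OP_NO_SSLv2" error quoted in the thread fires unconditionally. Guarding on the macro's value, `#if defined(SSL_OP_NO_SSLv2) && SSL_OP_NO_SSLv2 != 0`, states that reason in the code and also covers libraries that define the flag as 0 without carrying the 1.1.0 version number; the same applies to the identical guards in the net_help.c and svr.c hunks, while the riggerd.c hunk (around `ERR_remove_state`) is a genuine version dependency and is fine as written. Note that an undefined `OPENSSL_VERSION_NUMBER` evaluates to 0 inside `#if`, so if `<openssl/opensslv.h>` were not reached through the headers this file already includes, the legacy branch would be selected silently — presumably it is, but worth confirming. On the >= 1.1.0 path this block no longer constrains the protocol set at all; SSLv3 stays enabled unless the context disables it elsewhere, which is not visible in this hunk. cfg_setup_ctx_client's body continues outside the hunk.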
diff --git a/riggerd/net_help.c b/riggerd/net_help.c
index 21e79e7..b17486c 100644
--- a/riggerd/net_help.c
+++ b/riggerd/net_help.c
@@ -447,11 +447,13 @@ void* listen_sslctx_create(char* key, char* pem, char* verifypem)
 		return NULL;
 	}
 	/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 	if(!(SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		SSL_CTX_free(ctx);
 		return NULL;
 	}
+#endif
 	if(!SSL_CTX_use_certificate_file(ctx, pem, SSL_FILETYPE_PEM)) {
 		log_err("error for cert file: %s", pem);
 		log_crypto_err("error in SSL_CTX use_certificate_file");
@@ -517,7 +519,7 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem)
 		}
 	}
 	if(verifypem && verifypem[0]) {
-		if(!SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1) {
+		if(SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1) {
 			log_crypto_err("error in SSL_CTX verify");
 			SSL_CTX_free(ctx);
 			return NULL;
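Review bot: The corrected condition on the `+` line fails closed, but nothing in the code records why the old form was wrong, and the old behaviour is worth a comment because it was inverted in the dangerous direction: with `!SSL_CTX_load_verify_locations(ctx, verifypem, NULL) != 1`, a failed CA load yielded `1 != 1`, so the error path was skipped and the context continued without the intended trust anchors, while a successful load was reported as "error in SSL_CTX verify". A one-line comment above the check, `/* returns 1 on success, 0 on failure; do not negate */`, guards against the same regression. If listen_sslctx_create (its body is mostly outside the earlier net_help.c hunk) applies the same verifypem check, it presumably needs the same fix. connect_sslctx_create continues outside the hunk.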
diff --git a/riggerd/riggerd.c b/riggerd/riggerd.c
index 9cb6023..2490a72 100644
--- a/riggerd/riggerd.c
+++ b/riggerd/riggerd.c
@@ -393,10 +393,12 @@ int main(int argc, char *argv[])
 #ifdef HAVE_OPENSSL_CONF_H
 	CONF_modules_free();
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 	CRYPTO_cleanup_all_ex_data();
 	ERR_remove_state(0);
 	ERR_free_strings();
 	RAND_cleanup();
+#endif
 
 #ifdef USE_WINSOCK
 	if(WSACleanup() != 0) {
diff --git a/riggerd/svr.c b/riggerd/svr.c
index 0b46b1d..5f232f4 100644
--- a/riggerd/svr.c
+++ b/riggerd/svr.c
@@ -162,10 +162,12 @@ static int setup_ssl_ctx(struct svr* s)
 		return 0;
 	}
 	/* no SSLv2 because has defects */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 	if(!(SSL_CTX_set_options(s->ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)){
 		log_crypto_err("could not set SSL_OP_NO_SSLv2");
 		return 0;
 	}
+#endif
 	s_cert = s->cfg->server_cert_file;
 	s_key = s->cfg->server_key_file;
 	verbose(VERB_ALGO, "setup SSL certificates");
-- 
2.10.2
