diff -uNr webserver-1.2.104.orig/cherokee/cryptor_libssl.c webserver-1.2.104/cherokee/cryptor_libssl.c
--- webserver-1.2.104.orig/cherokee/cryptor_libssl.c 2014-04-01 19:12:48.000000001 +0200
+++ webserver-1.2.104/cherokee/cryptor_libssl.c 2017-12-13 15:58:01.423061177 +0100
@@ -53,6 +53,8 @@
static DH *dh_param_2048 = NULL;
static DH *dh_param_4096 = NULL;
+#include "cryptor_libssl_compat.h"
+
#include "cryptor_libssl_dh_512.c"
#include "cryptor_libssl_dh_1024.c"
#include "cryptor_libssl_dh_2048.c"
@@ -238,13 +240,13 @@
/* SSL_set_SSL_CTX() only change certificates. We need to
* changes more options by hand.
*/
- SSL_set_options(ssl, SSL_CTX_get_options(ssl->ctx));
+ SSL_set_options(ssl, SSL_CTX_get_options(ctx));
if ((SSL_get_verify_mode(ssl) == SSL_VERIFY_NONE) ||
(SSL_num_renegotiations(ssl) == 0)) {
- SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ssl->ctx),
- SSL_CTX_get_verify_callback(ssl->ctx));
+ SSL_set_verify(ssl, SSL_CTX_get_verify_mode(ctx),
+ SSL_CTX_get_verify_callback(ctx));
}
return ret_ok;
@@ -790,11 +792,13 @@
}
#endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
/* Disable Ciphers renegotiation (CVE-2009-3555)
*/
if (cryp->session->s3) {
cryp->session->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
}
+#endif
return ret_ok;
}
@@ -1330,10 +1334,15 @@
/* Init OpenSSL
*/
- OPENSSL_config (NULL);
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ OPENSSL_config(NULL);
SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();
+#else
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+ OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
+#endif
/* Ensure PRNG has been seeded with enough data
*/
diff -uNr webserver-1.2.104.orig/cherokee/cryptor_libssl_compat.h webserver-1.2.104/cherokee/cryptor_libssl_compat.h
--- webserver-1.2.104.orig/cherokee/cryptor_libssl_compat.h 1970-01-01 01:00:00.000000000 +0100
+++ webserver-1.2.104/cherokee/cryptor_libssl_compat.h 2017-12-13 15:59:58.323961657 +0100
@@ -0,0 +1,36 @@
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#include <string.h>
+#include <openssl/engine.h>
+
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+
+ if ((dh->p == NULL && p == NULL)
+ || (dh->g == NULL && g == NULL))
+ return 0;
+
+ if (p != NULL) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+
+ if (q != NULL) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+
+ if (g != NULL) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ if (q != NULL) {
+ dh->length = BN_num_bits(q);
+ }
+
+ return 1;
+}
+#endif
diff -uNr webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_1024.c webserver-1.2.104/cherokee/cryptor_libssl_dh_1024.c
--- webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_1024.c 2014-04-01 19:12:48.000000001 +0200
+++ webserver-1.2.104/cherokee/cryptor_libssl_dh_1024.c 2017-12-13 16:02:28.923256922 +0100
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh1024()
{
- static unsigned char dh1024_p[]={
+ static unsigned char dhp_1024[]={
0x85,0x08,0xFF,0x6C,0xC1,0x0C,0x23,0x55,0xC5,0xF8,0x3D,0x47,
0x6F,0x23,0x36,0xDA,0x98,0xF3,0xE4,0x56,0xCD,0xA0,0xF3,0x02,
0x18,0xB0,0xCB,0xD2,0x92,0x4B,0xDC,0x76,0x2B,0x24,0x2B,0x20,
@@ -17,16 +18,20 @@
0xF4,0xB8,0xB7,0x5B,0xEF,0x7E,0x06,0x43,0x2A,0x8E,0x33,0x69,
0x71,0x65,0x35,0xBF,0xCB,0xCD,0xB0,0x5B,
};
- static unsigned char dh1024_g[]={
+ static unsigned char dhg_1024[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
- dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_1024, sizeof (dhp_1024), NULL);
+ dhg_bn = BN_bin2bn(dhg_1024, sizeof (dhg_1024), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
diff -uNr webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_2048.c webserver-1.2.104/cherokee/cryptor_libssl_dh_2048.c
--- webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_2048.c 2014-04-01 19:12:48.000000001 +0200
+++ webserver-1.2.104/cherokee/cryptor_libssl_dh_2048.c 2017-12-13 16:04:12.800391307 +0100
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh2048()
{
- static unsigned char dh2048_p[]={
+ static unsigned char dhp_2048[]={
0xC8,0xF1,0xD4,0x48,0xB6,0x11,0x5B,0x2B,0x9E,0x3D,0xE4,0x49,
0x0A,0xC4,0x8A,0x0B,0xFF,0xAC,0x09,0x4F,0x88,0x91,0x08,0xB8,
0x7D,0x71,0xB7,0x7D,0x87,0x44,0x09,0x70,0x15,0xFF,0x0C,0xAF,
@@ -28,16 +29,20 @@
0x7C,0x83,0xB9,0x40,0x7A,0x2E,0xA4,0x1D,0x85,0x68,0x69,0x66,
0xF8,0xAA,0x70,0x6B,
};
- static unsigned char dh2048_g[]={
+ static unsigned char dhg_2048[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh2048_p,sizeof(dh2048_p),NULL);
- dh->g=BN_bin2bn(dh2048_g,sizeof(dh2048_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_2048, sizeof (dhp_2048), NULL);
+ dhg_bn = BN_bin2bn(dhg_2048, sizeof (dhg_2048), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
diff -uNr webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_4096.c webserver-1.2.104/cherokee/cryptor_libssl_dh_4096.c
--- webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_4096.c 2014-04-01 19:12:48.000000001 +0200
+++ webserver-1.2.104/cherokee/cryptor_libssl_dh_4096.c 2017-12-13 16:05:26.805062197 +0100
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh4096()
{
- static unsigned char dh4096_p[]={
+ static unsigned char dhp_4096[]={
0xD2,0xB2,0x5E,0x24,0x83,0x8E,0x04,0x17,0x39,0xAB,0x99,0x5A,
0xAB,0x0C,0x15,0x3C,0x95,0xE0,0xE4,0x48,0x3F,0xE4,0x22,0x48,
0xCA,0x19,0xCA,0xD0,0x9E,0xA7,0x09,0xD0,0x97,0x0F,0x31,0x49,
@@ -49,16 +50,20 @@
0xE9,0xD3,0x8C,0x4A,0x7C,0x49,0x36,0x84,0xBF,0xD0,0xE0,0x45,
0x2C,0x74,0xC9,0x6D,0x09,0xDE,0xA1,0x33,
};
- static unsigned char dh4096_g[]={
+ static unsigned char dhg_4096[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh4096_p,sizeof(dh4096_p),NULL);
- dh->g=BN_bin2bn(dh4096_g,sizeof(dh4096_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_4096, sizeof (dhp_4096), NULL);
+ dhg_bn = BN_bin2bn(dhg_4096, sizeof (dhg_4096), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
+ return(NULL);
}
return(dh);
}
diff -uNr webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_512.c webserver-1.2.104/cherokee/cryptor_libssl_dh_512.c
--- webserver-1.2.104.orig/cherokee/cryptor_libssl_dh_512.c 2014-04-01 19:12:48.000000001 +0200
+++ webserver-1.2.104/cherokee/cryptor_libssl_dh_512.c 2017-12-13 16:06:32.248886838 +0100
@@ -2,9 +2,10 @@
#ifndef HEADER_DH_H
#include <openssl/dh.h>
#endif
+
static DH *get_dh512()
{
- static unsigned char dh512_p[]={
+ static unsigned char dhp_512[]={
0xED,0x78,0x7E,0x95,0xB9,0x05,0xD5,0x00,0x38,0xC6,0x6B,0x49,
0x78,0x22,0x78,0x43,0x8D,0xCC,0xF9,0x83,0x18,0xBB,0x6E,0xFE,
0xCD,0x90,0xC3,0x84,0xA8,0x5C,0x04,0x84,0xEB,0x85,0x1D,0x5B,
@@ -12,16 +13,19 @@
0xA5,0xA7,0x10,0x7D,0x43,0x1B,0x6F,0xAD,0xA8,0xA1,0xB0,0xD3,
0xD9,0x23,0xD1,0x83,
};
- static unsigned char dh512_g[]={
+ static unsigned char dhg_512[]={
0x02,
};
DH *dh;
+ BIGNUM *dhp_bn, *dhg_bn;
if ((dh=DH_new()) == NULL) return(NULL);
- dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
- dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
- if ((dh->p == NULL) || (dh->g == NULL)) {
- DH_free(dh); return(NULL);
+ dhp_bn = BN_bin2bn(dhp_512, sizeof (dhp_512), NULL);
+ dhg_bn = BN_bin2bn(dhg_512, sizeof (dhg_512), NULL);
+ if (!DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {
+ DH_free(dh);
+ BN_free(dhp_bn);
+ BN_free(dhg_bn);
}
return(dh);
}