Add defined(LIBRESSL_VERSION_NUMBER) directives to fix signal 6 and 10 crashes: LibreSSL versions up to v2.7.4 behave like OPENSSL_VERSION_NUMBER < 0x1000200fL, beware not just OPENSSL_VERSION_NUMBER < 0x10100000L

Fix up:port af, use a different var, because utm port af is always AF_INET, and it breaks the target address af if the listening address is AF_INET6 Enable -O2 C flag, because LibreSSL is compiled with -O2 too
6 years ago · a584363f62
parent 859da0ac4c
commit a584363f62
10 changed files with 82 additions and 38 deletions
--- a/6
+++ b/6
@ -46,7 +46,7 @@
 ### Debugging

 # These flags are added to CFLAGS iff building from a git repo.
-#DEBUG_CFLAGS?=	-g
+DEBUG_CFLAGS?=	-g
 #DEBUG_CFLAGS+=	-Werror

 # Define to remove false positives when debugging memory allocation.
@ -350,8 +350,8 @@ endif
 # _FORTIFY_SOURCE requires -O on Linux
 ifeq (,$(findstring -O,$(CFLAGS)))
 # TODO: -O w/o -g is failing bufferevent_socket_connect for parent dst,
-# so either enable -O w/ -g, or disable -O w/o -g (-O2 is failing too)
-#CFLAGS+=	-O
+# so either enable -O w/ -g, or disable -O w/o -g (-O2 is failing too?)
+CFLAGS+=	-O2
 endif

 export VERSION
--- a/cachedsess.t.c
+++ b/cachedsess.t.c
@ -121,7 +121,7 @@ START_TEST(cache_dsess_03)
 }
 END_TEST

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 START_TEST(cache_dsess_04)
 {
 	SSL_SESSION *s1, *s2;
@ -162,7 +162,7 @@ cachedsess_suite(void)
 	tcase_add_test(tc, cache_dsess_01);
 	tcase_add_test(tc, cache_dsess_02);
 	tcase_add_test(tc, cache_dsess_03);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 	tcase_add_test(tc, cache_dsess_04);
 #endif
 	suite_add_tcase(s, tc);
--- a/cachefkcrt.t.c
+++ b/cachefkcrt.t.c
@ -90,7 +90,7 @@ START_TEST(cache_fkcrt_03)
 }
 END_TEST

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 START_TEST(cache_fkcrt_04)
 {
 	X509 *c1, *c2;
@ -133,7 +133,7 @@ cachefkcrt_suite(void)
 	tcase_add_test(tc, cache_fkcrt_01);
 	tcase_add_test(tc, cache_fkcrt_02);
 	tcase_add_test(tc, cache_fkcrt_03);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 	tcase_add_test(tc, cache_fkcrt_04);
 #endif
 	suite_add_tcase(s, tc);
--- a/cachessess.t.c
+++ b/cachessess.t.c
@ -122,7 +122,7 @@ START_TEST(cache_ssess_03)
 }
 END_TEST

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 START_TEST(cache_ssess_04)
 {
 	SSL_SESSION *s1, *s2;
@ -166,7 +166,7 @@ cachessess_suite(void)
 	tcase_add_test(tc, cache_ssess_01);
 	tcase_add_test(tc, cache_ssess_02);
 	tcase_add_test(tc, cache_ssess_03);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 	tcase_add_test(tc, cache_ssess_04);
 #endif
 	suite_add_tcase(s, tc);
--- a/opts.c
+++ b/opts.c
@ -189,7 +189,7 @@ void
 opts_proto_dbg_dump(opts_t *opts)
 {
 	log_dbg_printf("SSL/TLS protocol: %s%s%s%s%s%s\n",
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 #ifdef HAVE_SSLV2
 	               (opts->sslmethod == SSLv2_method) ? "ssl2" :
 #endif /* HAVE_SSLV2 */
@ -350,16 +350,16 @@ proxyspec_parse(int *argc, char **argv[], const char *natengine, proxyspec_t **o
 				// The UTM port is set/used in pf and UTM service config.
 				// @todo Need IPv6?
 				if (strstr(**argv, "up:")) {
-					af = sys_sockaddr_parse(&spec->parent_dst_addr,
+					int utm_af = sys_sockaddr_parse(&spec->parent_dst_addr,
 										&spec->parent_dst_addrlen,
 										"127.0.0.1", **argv + 3, AF_INET, EVUTIL_AI_PASSIVE);
-					if (af == -1) {
+					if (utm_af == -1) {
 						exit(EXIT_FAILURE);
 					}
-					af = sys_sockaddr_parse(&spec->child_src_addr,
+					utm_af = sys_sockaddr_parse(&spec->child_src_addr,
 										&spec->child_src_addrlen,
 										"127.0.0.1", "0", AF_INET, EVUTIL_AI_PASSIVE);
-					if (af == -1) {
+					if (utm_af == -1) {
 						exit(EXIT_FAILURE);
 					}
 					state++;
@ -842,7 +842,7 @@ opts_set_ciphers(opts_t *opts, const char *argv0, const char *optarg)
 void
 opts_force_proto(opts_t *opts, const char *argv0, const char *optarg)
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 	if (opts->sslmethod != SSLv23_method) {
 #else /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 	if (opts->sslversion) {
@ -851,7 +851,7 @@ opts_force_proto(opts_t *opts, const char *argv0, const char *optarg)
 		exit(EXIT_FAILURE);
 	}

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 #ifdef HAVE_SSLV2
 	if (!strcmp(optarg, "ssl2")) {
 		opts->sslmethod = SSLv2_method;
--- a/opts.h
+++ b/opts.h
@ -105,7 +105,7 @@ typedef struct opts {
 	char *contentlog_basedir; /* static part of logspec, for privsep srv */
 	char *masterkeylog;
 	CONST_SSL_METHOD *(*sslmethod)(void);
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 	int sslversion;
 #endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 	X509 *cacrt;
--- a/pxyconn.c
+++ b/pxyconn.c
@ -922,7 +922,7 @@ pxy_srcsslctx_create(pxy_conn_ctx_t *ctx, X509 *crt, STACK_OF(X509) *chain,

 	pxy_sslctx_setoptions(sslctx, ctx);

-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 	if (ctx->opts->sslversion) {
 		if (SSL_CTX_set_min_proto_version(sslctx, ctx->opts->sslversion) == 0 ||
 			SSL_CTX_set_max_proto_version(sslctx, ctx->opts->sslversion) == 0) {
@ -1321,7 +1321,7 @@ pxy_dstssl_create(pxy_conn_ctx_t *ctx)

 	pxy_sslctx_setoptions(sslctx, ctx);

-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 	if (ctx->opts->sslversion) {
 		if (SSL_CTX_set_min_proto_version(sslctx, ctx->opts->sslversion) == 0 ||
 			SSL_CTX_set_max_proto_version(sslctx, ctx->opts->sslversion) == 0) {
--- a/ssl.c
+++ b/ssl.c
@ -89,7 +89,7 @@ ssl_ssl_cert_get(SSL *s)
 }
 #endif /* OpenSSL 0.9.8y, 1.0.0k or 1.0.1e */

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 int
 DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 {
@ -264,7 +264,7 @@ ssl_openssl_version(void)
 */
 static int ssl_initialized = 0;

-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 struct CRYPTO_dynlock_value {
 	pthread_mutex_t mutex;
 };
@ -372,7 +372,7 @@ ssl_init(void)
 	OpenSSL_add_all_algorithms();

 	/* thread-safety */
-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 	ssl_mutex_num = CRYPTO_num_locks();
 	ssl_mutex = malloc(ssl_mutex_num * sizeof(*ssl_mutex));
 	for (int i = 0; i < ssl_mutex_num; i++) {
@ -441,7 +441,7 @@ ssl_reinit(void)
 	if (!ssl_initialized)
 		return 0;

-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 	for (int i = 0; i < ssl_mutex_num; i++) {
 		if (pthread_mutex_init(&ssl_mutex[i], NULL)) {
 			return -1;
@ -462,11 +462,11 @@ ssl_fini(void)
 	if (!ssl_initialized)
 		return;

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 	ERR_remove_state(0); /* current thread */
 #endif

-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 	CRYPTO_set_locking_callback(NULL);
 	CRYPTO_set_dynlock_create_callback(NULL);
 	CRYPTO_set_dynlock_lock_callback(NULL);
@ -554,16 +554,16 @@ ssl_ssl_masterkey_to_str(SSL *ssl)
 	char *str = NULL;
 	int rv;
 	unsigned char *k, *r;
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 	unsigned char kbuf[48], rbuf[32];
 	k = &kbuf[0];
 	r = &rbuf[0];
 	SSL_SESSION_get_master_key(SSL_get0_session(ssl), k, sizeof(kbuf));
 	SSL_get_client_random(ssl, r, sizeof(rbuf));
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#else /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) */
 	k = ssl->session->master_key;
 	r = ssl->s3->client_random;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) */
 	rv = asprintf(&str,
 	              "CLIENT_RANDOM "
 	              "%02X%02X%02X%02X%02X%02X%02X%02X"
@ -830,11 +830,11 @@ ssl_rand(void *p, size_t sz)
 {
 	int rv;

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 	rv = RAND_pseudo_bytes((unsigned char*)p, sz);
 	if (rv == 1)
 		return 0;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) */
 	rv = RAND_bytes((unsigned char*)p, sz);
 	if (rv == 1)
 		return 0;
@ -1317,7 +1317,7 @@ ssl_key_genrsa(const int keysize)
 	EVP_PKEY *pkey;
 	RSA *rsa;

-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
 	BIGNUM *bn;
 	int rv;
 	rsa = RSA_new();
@ -1329,11 +1329,11 @@ ssl_key_genrsa(const int keysize)
 		RSA_free(rsa);
 		return NULL;
 	}
-#else /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#else /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) */
 	rsa = RSA_generate_key(keysize, 3, NULL, NULL);
 	if (!rsa)
 		return NULL;
-#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+#endif /* (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER) */
 	pkey = EVP_PKEY_new();
 	EVP_PKEY_assign_RSA(pkey, rsa); /* does not increment refcount */
 	return pkey;
@ -1453,7 +1453,7 @@ ssl_x509_fingerprint(X509 *crt, int colons)
 void
 ssl_dh_refcount_inc(DH *dh)
 {
-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 	CRYPTO_add(&dh->references, 1, CRYPTO_LOCK_DH);
 #else /* !OPENSSL_THREADS */
 	DH_up_ref(dh);
@ -1468,7 +1468,7 @@ ssl_dh_refcount_inc(DH *dh)
 void
 ssl_key_refcount_inc(EVP_PKEY *key)
 {
-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 	CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #else /* !OPENSSL_THREADS */
 	EVP_PKEY_up_ref(key);
@ -1483,7 +1483,7 @@ ssl_key_refcount_inc(EVP_PKEY *key)
 void
 ssl_x509_refcount_inc(X509 *crt)
 {
-#if defined(OPENSSL_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
 	CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509);
 #else /* !OPENSSL_THREADS */
 	X509_up_ref(crt);
--- a/ssl.h
+++ b/ssl.h
@ -66,11 +66,11 @@
 /*
 * SHA0 was removed in OpenSSL 1.1.0, including OPENSSL_NO_SHA0.
 */
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(OPENSSL_NO_SHA0)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_SHA0)
 #define OPENSSL_NO_SHA0
 #endif

-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
 #define ASN1_STRING_get0_data(value) ASN1_STRING_data(value)
 #define SSL_is_server(ssl) (ssl->type != SSL_ST_CONNECT)
 #define X509_get_signature_nid(x509) (OBJ_obj2nid(x509->sig_alg->algorithm))
--- a/ssl.t.c
+++ b/ssl.t.c
@ -548,6 +548,8 @@ START_TEST(ssl_key_identifier_sha1_01)
 	             "extension length mismatch");
 	fail_unless(!memcmp(ASN1_STRING_get0_data(value) + 2, keyid, SSL_KEY_IDSZ),
 	            "key id mismatch");
+	EVP_PKEY_free(k);
+	X509_free(c);
 }
 END_TEST

@ -712,6 +714,40 @@ START_TEST(ssl_features_02)
 }
 END_TEST

+START_TEST(ssl_key_refcount_inc_01)
+{
+	EVP_PKEY *key;
+
+	key = ssl_key_load(TESTKEY);
+	fail_unless(!!key, "loading key failed");
+	ssl_key_refcount_inc(key);
+	ssl_key_refcount_inc(key);
+	ssl_key_refcount_inc(key);
+	EVP_PKEY_free(key);
+	/* these must not crash */
+	EVP_PKEY_free(key);
+	EVP_PKEY_free(key);
+	EVP_PKEY_free(key);
+}
+END_TEST
+
+START_TEST(ssl_x509_refcount_inc_01)
+{
+	X509 *crt;
+
+	crt = ssl_x509_load(TESTCERT);
+	fail_unless(!!crt, "loading certificate failed");
+	ssl_x509_refcount_inc(crt);
+	ssl_x509_refcount_inc(crt);
+	ssl_x509_refcount_inc(crt);
+	X509_free(crt);
+	/* these must not crash */
+	X509_free(crt);
+	X509_free(crt);
+	X509_free(crt);
+}
+END_TEST
+
 Suite *
 ssl_suite(void)
 {
@ -800,6 +836,14 @@ ssl_suite(void)
 	tcase_add_test(tc, ssl_features_02);
 	suite_add_tcase(s, tc);

+	tc = tcase_create("ssl_key_refcount_inc");
+	tcase_add_test(tc, ssl_key_refcount_inc_01);
+	suite_add_tcase(s, tc);
+
+	tc = tcase_create("ssl_x509_refcount_inc");
+	tcase_add_test(tc, ssl_x509_refcount_inc_01);
+	suite_add_tcase(s, tc);
+
 	return s;
 }