From 2ca834af4a5887675f95dbeed8e49b98de4bd2ac Mon Sep 17 00:00:00 2001
From: Ako Tulu
Date: Tue, 30 Apr 2024 13:43:35 +0300
Subject: [PATCH 1/5] Implemented OpenSSL 1.1.0 TLS methods and deprecated SSLv23 ones.
---
 ACE/ace/SSL/SSL_Context.cpp | 23 ++++++++++++++++++++++-
 ACE/ace/SSL/SSL_Context.h | 20 +++++++++++++++-----
 2 files changed, 37 insertions(+), 6 deletions(-)
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index 9313dc5717f9b..ec4d9c6bb7ec4 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -261,6 +261,23 @@ ACE_SSL_Context::set_mode (int mode)
 SSL_METHOD *method = 0;
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ switch (mode)
+ {
+ case ACE_SSL_Context::TLS_client:
+ method = ::TLS_server_method ();
+ break;
+ case ACE_SSL_Context::TLS_server:
+ method = ::TLS_client_method ();
+ break;
+ case ACE_SSL_Context::TLS:
+ method = ::TLS_method ();
+ break;
+ default:
+ method = ::TLS_method ();
+ break;
+ }
+#else
 switch (mode)
 {
 case ACE_SSL_Context::SSLv23_client:
@@ -276,7 +293,7 @@ ACE_SSL_Context::set_mode (int mode)
 method = ::SSLv23_method ();
 break;
 }
-
+#endif
 this->context_ = ::SSL_CTX_new (method);
 if (this->context_ == 0)
 return -1;
@@ -479,7 +496,11 @@ ACE_SSL_Context::load_trusted_ca (const char* ca_file,
 // For TLS/SSL servers scan all certificates in ca_file and ca_dir and
 // list them as acceptable CAs when requesting a client certificate.
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ if (mode_ == TLS || mode_ == TLS_server)
+#else
 if (mode_ == SSLv23 || mode_ == SSLv23_server)
+#endif
 {
 // Note: The STACK_OF(X509_NAME) pointer is a copy of the pointer in
 // the CTX; any changes to it by way of these function calls will
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index 91903f788c30c..1f29e0962e534 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
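Review bot: In the new `#if OPENSSL_VERSION_NUMBER >= 0x10100000L` switch, `TLS_client` selects `::TLS_server_method ()` and `TLS_server` selects `::TLS_client_method ()`, so a context set up as a client is created from the server method and vice versa. PATCH 3/5 swaps them back, but this revision and PATCH 2/5 leave set_mode wrong for anyone bisecting or cherry-picking the series; the two lines should already read `method = ::TLS_client_method ();` under `TLS_client` and `method = ::TLS_server_method ();` under `TLS_server` in this commit. set_mode's body continues outside the hunk.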
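Review bot: `this->context_ = ::SSL_CTX_new (method)` is now fed the version-flexible `::TLS_method ()` family on OpenSSL >= 1.1.0, which negotiates the highest version both peers support subject only to the library's build defaults and whatever options are set elsewhere; nothing in this hunk pins a floor, and whether set_mode does so later is outside the hunk. If it does not, 1.1.0 — the same version gate this series introduces — is also where `SSL_CTX_set_min_proto_version` appeared, so a call such as `::SSL_CTX_set_min_proto_version (this->context_, TLS1_2_VERSION)` after the null check would make the minimum explicit instead of inherited from the library build. The function continues outside the hunk.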
@@ -67,7 +67,7 @@ class ACE_SSL_Export ACE_SSL_Data_File
 // when C library routines are passed CallBack functions pointers that are
 // actually C++ functions.
 //
-// Unfortunatly you can not specify extern "C" linkage anywhere inside a class
+// Unfortunately you can not specify extern "C" linkage anywhere inside a class
 // declaration or inside a function prototype for individual parameters. I.e:
 // class { extern "C" int (*callback_) (int, void *); };
 // to store a function pointer as a data member of the class is illegal as is:
@@ -78,7 +78,7 @@ class ACE_SSL_Export ACE_SSL_Data_File
 // Since we need an extern "C" function pointer as a parameter to be stored
 // in the class and handled by member functions, we are forced to declare
 // a typedef of that extern "C" function pointer that we can then use.
-// Again unfortunatly you also are not allowed to simply add the extern "C"
+// Again unfortunately you also are not allowed to simply add the extern "C"
 // to the typedef itself, instead you have to place the typedef declaration
 // inside an extern "C" block, thus:
@@ -104,9 +104,15 @@ class ACE_SSL_Export ACE_SSL_Context
 enum
 {
 INVALID_METHOD = -1,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ TLS_client,
+ TLS_server,
+ TLS
+#else
 SSLv23_client,
 SSLv23_server,
 SSLv23
+#endif
 };
 /// Constructor
@@ -130,7 +136,11 @@ class ACE_SSL_Export ACE_SSL_Context
 * If the mode is not set, then the class automatically initializes
 * itself to the default mode.
 */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ int set_mode (int mode = ACE_SSL_Context::TLS);
+#else
 int set_mode (int mode = ACE_SSL_Context::SSLv23);
+#endif
 int get_mode () const;
@@ -268,7 +278,7 @@ class ACE_SSL_Export ACE_SSL_Context
 *
 * @doc Use this method when certificate chain verification is
 * required. The default server behaviour is SSL_VERIFY_NONE
- * i.e. client certicates are requested for verified. This method
+ * i.e. client certificates are requested for verified. This method
 * can be used to configure server to request client certificates
 * and perform the certificate verification. If is set
 * true the client connection is rejected when certificate
@@ -301,7 +311,7 @@ class ACE_SSL_Export ACE_SSL_Context
 /**
 * Set and query the default verify mode for this context, it is
 * inherited by all the ACE_SSL objects created using the context.
- * It can be overriden on a per-ACE_SSL object.
+ * It can be overridden on a per-ACE_SSL object.
 */
 void default_verify_mode (int mode);
 int default_verify_mode () const;
@@ -309,7 +319,7 @@ class ACE_SSL_Export ACE_SSL_Context
 /**
 * Set and query the default verify callback for this context, it is
 * inherited by all the ACE_SSL objects created using the context.
- * It can be overriden on a per-ACE_SSL object.
+ * It can be overridden on a per-ACE_SSL object.
 */
 void default_verify_callback (extern_C_CallBackVerify_t);
 extern_C_CallBackVerify_t default_verify_callback () const;
From c9de2014be2c91ef0bcb5af6d6c214b127c9b750 Mon Sep 17 00:00:00 2001
From: Ako Tulu
Date: Tue, 30 Apr 2024 14:29:58 +0300
Subject: [PATCH 2/5] Added backwards compatibility for SSLv23.
---
 ACE/ace/SSL/SSL_Context.cpp | 25 +++++++------------------
 ACE/ace/SSL/SSL_Context.h | 11 ++++-------
 2 files changed, 11 insertions(+), 25 deletions(-)
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index ec4d9c6bb7ec4..486cb458d122d 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -261,39 +261,28 @@ ACE_SSL_Context::set_mode (int mode)
 SSL_METHOD *method = 0;
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 switch (mode)
 {
+ case ACE_SSL_Context::SSLv23_client:
 case ACE_SSL_Context::TLS_client:
+ mode = ACE_SSL_Context::TLS_client;
 method = ::TLS_server_method ();
 break;
+ case ACE_SSL_Context::SSLv23_server:
 case ACE_SSL_Context::TLS_server:
+ mode = ACE_SSL_Context::TLS_server;
 method = ::TLS_client_method ();
 break;
+ case ACE_SSL_Context::SSLv23:
 case ACE_SSL_Context::TLS:
+ mode = ACE_SSL_Context::TLS;
 method = ::TLS_method ();
 break;
 default:
 method = ::TLS_method ();
 break;
 }
-#else
- switch (mode)
- {
- case ACE_SSL_Context::SSLv23_client:
- method = ::SSLv23_client_method ();
- break;
- case ACE_SSL_Context::SSLv23_server:
- method = ::SSLv23_server_method ();
- break;
- case ACE_SSL_Context::SSLv23:
- method = ::SSLv23_method ();
- break;
- default:
- method = ::SSLv23_method ();
- break;
- }
-#endif
+
 this->context_ = ::SSL_CTX_new (method);
 if (this->context_ == 0)
 return -1;
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index 1f29e0962e534..9df6f31ee76fd 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
@@ -104,15 +104,12 @@ class ACE_SSL_Export ACE_SSL_Context
 enum
 {
 INVALID_METHOD = -1,
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 TLS_client,
 TLS_server,
- TLS
-#else
- SSLv23_client,
- SSLv23_server,
- SSLv23
-#endif
+ TLS,
+ SSLv23_client [[deprecated("Use TLS_client instead.")]],
+ SSLv23_server [[deprecated("Use TLS_server instead.")]],
+ SSLv23 [[deprecated("Use TLS instead.")]]
 };
 /// Constructor
From e41e3c8b4eeedad61a38cdd2c2abf3175c404cb8 Mon Sep 17 00:00:00 2001
From: Ako Tulu
Date: Tue, 30 Apr 2024 14:51:48 +0300
Subject: [PATCH 3/5] Improved backwards compatibility according to review.
---
 ACE/ace/SSL/SSL_Context.cpp | 31 +++++++++++++++++++++++--------
 ACE/ace/SSL/SSL_Context.h | 2 ++
 2 files changed, 25 insertions(+), 8 deletions(-)
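Review bot: The new `case ACE_SSL_Context::SSLv23_client:` label (and the `SSLv23_server` and `SSLv23` ones below it) references enumerators that this commit's header hunk marks `[[deprecated]]`, so compiling SSL_Context.cpp itself will presumably trigger the deprecation warning (-Wdeprecated-declarations on GCC/Clang, C4996 on MSVC) from inside the library; the same holds for the set_mode and load_trusted_ca hunks of PATCH 3/5, and PATCH 4/5 silences only the pre-1.1.0 branch. Defining the legacy names as aliases of the new values in the header, `SSLv23_client [[deprecated("Use TLS_client instead.")]] = TLS_client,` and likewise `SSLv23_server = TLS_server` and `SSLv23 = TLS`, lets the .cpp reference only `TLS_*` (the duplicate `case` labels must then go, since a switch may not repeat a value) and lets load_trusted_ca keep its two-term test, while callers that pass or compare the old names keep working because the values are equal. Separately, dropping the whole `#else` branch leaves no `::SSLv23_*_method` fallback, so this revision does not build against OpenSSL below 1.1.0; PATCH 3/5 restores it. set_mode's body continues outside the hunk.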
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index 486cb458d122d..bf7ced60bc64c 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -261,27 +261,42 @@ ACE_SSL_Context::set_mode (int mode)
 SSL_METHOD *method = 0;
 #endif
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 switch (mode)
 {
 case ACE_SSL_Context::SSLv23_client:
 case ACE_SSL_Context::TLS_client:
- mode = ACE_SSL_Context::TLS_client;
- method = ::TLS_server_method ();
+ method = ::TLS_client_method ();
 break;
- case ACE_SSL_Context::SSLv23_server:
+ case ACE_SSL_Context::SSLv23_server:
 case ACE_SSL_Context::TLS_server:
- mode = ACE_SSL_Context::TLS_server;
- method = ::TLS_client_method ();
+ method = ::TLS_server_method ();
 break;
- case ACE_SSL_Context::SSLv23:
+ case ACE_SSL_Context::SSLv23:
 case ACE_SSL_Context::TLS:
- mode = ACE_SSL_Context::TLS;
 method = ::TLS_method ();
 break;
 default:
 method = ::TLS_method ();
 break;
 }
+#else
+ switch (mode)
+ {
+ case ACE_SSL_Context::SSLv23_client:
+ method = ::SSLv23_client_method ();
+ break;
+ case ACE_SSL_Context::SSLv23_server:
+ method = ::SSLv23_server_method ();
+ break;
+ case ACE_SSL_Context::SSLv23:
+ method = ::SSLv23_method ();
+ break;
+ default:
+ method = ::SSLv23_method ();
+ break;
+ }
+#endif
 this->context_ = ::SSL_CTX_new (method);
 if (this->context_ == 0)
@@ -486,7 +501,7 @@ ACE_SSL_Context::load_trusted_ca (const char* ca_file,
 // For TLS/SSL servers scan all certificates in ca_file and ca_dir and
 // list them as acceptable CAs when requesting a client certificate.
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L
- if (mode_ == TLS || mode_ == TLS_server)
+ if (mode_ == TLS || mode_ == TLS_server || mode_ == SSLv23 || mode_ == SSLv23_server)
 #else
 if (mode_ == SSLv23 || mode_ == SSLv23_server)
 #endif
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index 9df6f31ee76fd..7d81c0f60ef41 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
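Review bot: The `default:` label in both the new `#if` and `#else` switches maps any unrecognised `mode` — including the header's own `INVALID_METHOD` — to the generic `::TLS_method ()` / `::SSLv23_method ()`, so a caller passing a bad value silently gets a context instead of an error. Presumably `mode_` is then stored as that value (the assignment is outside the hunk), which would also fail every comparison in the load_trusted_ca hunk below, so such a context is created but the client-CA list guarded there is never installed. If no caller is known to rely on the fallback, `default: return -1;` would make the contract explicit; otherwise the fallback deserves a sentence in `set_mode`'s header comment. set_mode continues outside the hunk.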
@@ -104,9 +104,11 @@ class ACE_SSL_Export ACE_SSL_Context
 enum
 {
 INVALID_METHOD = -1,
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 TLS_client,
 TLS_server,
 TLS,
+#endif
 SSLv23_client [[deprecated("Use TLS_client instead.")]],
 SSLv23_server [[deprecated("Use TLS_server instead.")]],
 SSLv23 [[deprecated("Use TLS instead.")]]
From fe12cfe8dd3a1c038dd73eb64ca54145483c89c3 Mon Sep 17 00:00:00 2001
From: Ako Tulu
Date: Tue, 30 Apr 2024 14:58:02 +0300
Subject: [PATCH 4/5] Fixed deprecation warning for OpenSSL version below 1.1.0.
---
 ACE/ace/SSL/SSL_Context.h | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ACE/ace/SSL/SSL_Context.h b/ACE/ace/SSL/SSL_Context.h
index 7d81c0f60ef41..7a846ae02542a 100644
--- a/ACE/ace/SSL/SSL_Context.h
+++ b/ACE/ace/SSL/SSL_Context.h
@@ -108,10 +108,14 @@ class ACE_SSL_Export ACE_SSL_Context
 TLS_client,
 TLS_server,
 TLS,
-#endif
 SSLv23_client [[deprecated("Use TLS_client instead.")]],
 SSLv23_server [[deprecated("Use TLS_server instead.")]],
 SSLv23 [[deprecated("Use TLS instead.")]]
+#else
+ SSLv23_client,
+ SSLv23_server,
+ SSLv23
+#endif
 };
 /// Constructor
From 50033d9fa00da7ddd8543d3161ce21a40a8b7cb2 Mon Sep 17 00:00:00 2001
From: Ako Tulu
Date: Tue, 30 Apr 2024 16:58:13 +0300
Subject: [PATCH 5/5] Fixed fuzz errors.
---
 ACE/ace/SSL/SSL_Context.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ACE/ace/SSL/SSL_Context.cpp b/ACE/ace/SSL/SSL_Context.cpp
index bf7ced60bc64c..58cac3ff24aee 100644
--- a/ACE/ace/SSL/SSL_Context.cpp
+++ b/ACE/ace/SSL/SSL_Context.cpp
@@ -268,7 +268,7 @@ ACE_SSL_Context::set_mode (int mode)
 case ACE_SSL_Context::TLS_client:
 method = ::TLS_client_method ();
 break;
- case ACE_SSL_Context::SSLv23_server:
+ case ACE_SSL_Context::SSLv23_server:
 case ACE_SSL_Context::TLS_server:
 method = ::TLS_server_method ();
 break;
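Review bot: With the `#else` branch added in PATCH 4/5 the legacy names get different values in the two builds: after `INVALID_METHOD = -1` the >= 1.1.0 branch yields `TLS_client` = 0, `TLS_server` = 1, `TLS` = 2 and then `SSLv23_client` = 3 through `SSLv23` = 5, while the older branch yields `SSLv23_client` = 0 through `SSLv23` = 2. Since `set_mode` takes and `get_mode` returns a plain `int`, a mode value that crosses a build boundary (persisted configuration, IPC, logs compared between hosts) changes meaning, and a value of 3 to 5 handed to a pre-1.1.0 build lands in set_mode's `default:` fallback. The aliasing proposed on PATCH 2/5's set_mode hunk (`SSLv23_client [[deprecated("Use TLS_client instead.")]] = TLS_client,` etc.) would keep the numbering identical in both branches; if the enum stays as is, a comment on it such as `// Enumerator values differ between OpenSSL < 1.1.0 and >= 1.1.0 builds; do not persist or exchange them.` would at least warn callers. The enum closes within the hunk; the class continues outside it.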