From 29081c2fd4c951b2c166f327b145dca5212c9fca Mon Sep 17 00:00:00 2001
From: Patrick Steinhardt
Date: Fri, 7 Apr 2017 12:54:33 +0200
Subject: [PATCH 1/2] openssl_stream: remove locking initialization on OpenSSL version >=1.1

Up to version 1.0, OpenSSL required us to provide a callback which implements a locking mechanism. Due to problems in the API design though this mechanism was inherently broken, especially regarding that the locking callback cannot report errors in an obvious way. Due to this shortcoming, the locking initialization has been completely removed in OpenSSL version 1.1. As the library has also been refactored to not make any use of these callback functions, we can safely remove all initialization of the locking subsystem if compiling against OpenSSL version 1.1 or higher. This fixes a compilation error when compiling against OpenSSL version 1.1 which has been built without stubs for deprecated syntax.
---
 src/openssl_stream.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/openssl_stream.c b/src/openssl_stream.c
index c0a9c3c37..fadff5c69 100644
--- a/src/openssl_stream.c
+++ b/src/openssl_stream.c
@@ -37,7 +37,7 @@ SSL_CTX *git__ssl_ctx;
 #define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
-#ifdef GIT_THREADS
+#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
 static git_mutex *openssl_locks;
@@ -70,7 +70,7 @@ static void shutdown_ssl_locking(void)
 git__free(openssl_locks);
 }
-#endif /* GIT_THREADS */
+#endif /* GIT_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
 static BIO_METHOD *git_stream_bio_method;
 static int init_bio_method(void);
@@ -146,7 +146,7 @@ int git_openssl_stream_global_init(void)
 int git_openssl_set_locking(void)
 {
-#ifdef GIT_THREADS
+#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
 int num_locks, i;
 num_locks = CRYPTO_num_locks();
@@ -163,6 +163,8 @@ int git_openssl_set_locking(void)
 CRYPTO_set_locking_callback(openssl_locking_function);
 git__on_shutdown(shutdown_ssl_locking);
 return 0;
+#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
+ return 0;
 #else
 giterr_set(GITERR_THREAD, "libgit2 was not built with threads");
 return -1;
From 88520151fd7b7f814ce2ffeb5bd484e48da4f6d9 Mon Sep 17 00:00:00 2001
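Review bot: The new `#elif OPENSSL_VERSION_NUMBER >= 0x10100000L` branch in the hunk at line 163 returns 0 for every build against OpenSSL 1.1 or later, including one compiled without GIT_THREADS, so the existing `giterr_set(GITERR_THREAD, "libgit2 was not built with threads")` path below it is now reachable only when linking against OpenSSL 1.0; a caller that uses this function's result to learn whether the library is thread-capable would, as far as I can tell, get an answer that depends on the OpenSSL version rather than on the libgit2 build. If the error is meant to survive, `#elif defined(GIT_THREADS)` keeps the early return for threaded builds on 1.1+ and lets non-threaded builds fall through to the error as before. The same conditional chain begins in the hunk at line 146, and git_openssl_set_locking's closing brace lies outside this hunk.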
From: Patrick Steinhardt
Date: Fri, 7 Apr 2017 13:02:50 +0200
Subject: [PATCH 2/2] openssl_stream: use new initialization function on OpenSSL version >=1.1

Previous to OpenSSL version 1.1, the user had to initialize at least the error strings as well as the SSL algorithms by himself. OpenSSL version 1.1 instead provides a new function `OPENSSL_init_ssl`, which handles initialization of all subsystems. As the new API call will by default load error strings and initialize the SSL algorithms, we can safely replace these calls when compiling against version 1.1 or later. This fixes a compiler error when compiling against OpenSSL version 1.1 which has been built without stubs for deprecated syntax.
---
 src/openssl_stream.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/openssl_stream.c b/src/openssl_stream.c
index fadff5c69..841dcce50 100644
--- a/src/openssl_stream.c
+++ b/src/openssl_stream.c
@@ -103,8 +103,13 @@ int git_openssl_stream_global_init(void)
 ssl_opts |= SSL_OP_NO_COMPRESSION;
 #endif
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
 SSL_load_error_strings();
 OpenSSL_add_ssl_algorithms();
+#else
+ OPENSSL_init_ssl(0, NULL);
+#endif
+
 /*
 * Load SSLv{2,3} and TLSv1 so that we can talk with servers
 * which use the SSL hellos, which are often used for
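Review bot: `OPENSSL_init_ssl(0, NULL);` discards its return value, yet the call returns 0 on failure and the enclosing git_openssl_stream_global_init already reports errors through its int result, so a failed library initialization would only surface later as an unrelated SSL_CTX or handshake error. Checking it at the source, `if (OPENSSL_init_ssl(0, NULL) == 0) { giterr_set(GITERR_SSL, "failed to initialize OpenSSL"); return -1; }`, keeps the diagnostic next to the cause. A second caveat on the `#if OPENSSL_VERSION_NUMBER < 0x10100000L` guard: LibreSSL reports an OPENSSL_VERSION_NUMBER of 0x20000000L and, to my knowledge, its releases of this period do not provide OPENSSL_init_ssl, so it would be steered into the new branch; if LibreSSL is a supported build, extending the condition with `|| defined(LIBRESSL_VERSION_NUMBER)` keeps it on the legacy calls. git_openssl_stream_global_init begins and ends outside this hunk.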