From aeec0e2cda5c440fdd3c5bea20ed7567bea540e1 Mon Sep 17 00:00:00 2001
From: Quentin Armitage <quentin@armitage.org.uk>
Date: Tue, 12 Mar 2019 14:58:38 +0000
Subject: [PATCH 1/3] Fix OpenSSL init failure with OpenSSL v1.1.1
OpenSSL v1.1.1 (but not v1.1.0h or v1.1.1b) failed in SSL_CTX_new()
if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) had previously
been called.
This commit doesn't call OPENSSL_init_crypto() if doing so causes
SSL_CTX_new() to fail.
Signed-off-by: Quentin Armitage <quentin@armitage.org.uk>
---
configure.ac | 30 ++++++++++++++++++++++++++++++
keepalived/check/check_ssl.c | 6 ++++++
2 files changed, 36 insertions(+)
diff --git a/configure.ac b/configure.ac
index 89399ca3..504b9b92 100644
--- a/configure.ac
+++ b/configure.ac
@@ -819,6 +819,36 @@ AC_CHECK_FUNCS([SSL_set0_rbio OPENSSL_init_crypto])
# TLS_method() introduced OpenSSL v1.1.0
AC_CHECK_FUNCS([TLS_method])
+# In OpenSSL v1.1.1 the call to SSL_CTX_new() fails if OPENSSL_init_crypto() has been called with
+# OPENSSL_INIT_NO_LOAD_CONFIG. It does not fail in v1.1.0h and v1.1.1b.
+AS_IF([test .$ac_cv_func_OPENSSL_init_crypto = .yes -a .$ac_cv_func_TLS_method = .yes],
+ [
+ AC_RUN_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[#include <openssl/ssl.h>]],
+ [[
+ const SSL_METHOD *meth;
+ SSL_CTX *ctx;
+
+ if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
+ return 1;
+
+ /* Initialize SSL context */
+ meth = TLS_method();
+ if (!(ctx = SSL_CTX_new(meth)))
+ return 1;
+ return 0;
+ ]])],
+ [openssl_init_no_load_bug=0],
+ [openssl_init_no_load_bug=1],
+ [
+ AC_MSG_WARN([Cannot determine if need to OPENSSL_init_crypto() problem. Assuming yes for safety.])
+ openssl_init_no_load_bug=1
+ ]
+ )
+ AS_IF([test $openssl_init_no_load_bug -eq 1],
+ [AC_DEFINE([HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG], [ 1 ], [Define to 1 if OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) bug)])])
+ ])
unset LIBS
if test $BUILD_GENHASH = No; then
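Review bot: The run test fixes at configure time, against the build host's OpenSSL, whether OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) is skipped, but that decision is compiled into the binary while libssl is a shared library that can be upgraded or downgraded underneath it, so a build against v1.1.1b run on v1.1.1 would presumably still hit the SSL_CTX_new() failure and the reverse combination would skip the explicit init unnecessarily. A runtime guard (for example comparing `OpenSSL_version_num()` against the known-bad release before the call) would be more robust than the `AC_DEFINE`, or at least the limitation should be stated in the comment above the `AS_IF`. Two smaller points in the same hunk: the cross-compile fallback message is garbled, and `AC_MSG_WARN([Cannot determine whether OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG) breaks SSL_CTX_new(); assuming it does.])` reads correctly, while `test ... -a ...` is obsolescent in POSIX and `test "$ac_cv_func_OPENSSL_init_crypto" = yes && test "$ac_cv_func_TLS_method" = yes` is the form the Autoconf manual recommends. The `AC_DEFINE` description also carries a stray closing parenthesis after `bug`.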
diff --git a/keepalived/check/check_ssl.c b/keepalived/check/check_ssl.c
index 6bf6a005..2743ea87 100644
--- a/keepalived/check/check_ssl.c
+++ b/keepalived/check/check_ssl.c
@@ -69,8 +69,14 @@ build_ssl_ctx(void)
/* Library initialization */
#if HAVE_OPENSSL_INIT_CRYPTO
+#ifndef HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG
+ /* In OpenSSL v1.1.1 if the following is called, SSL_CTX_new() below fails.
+ * It works in v1.1.0h and v1.1.1b.
+ * It transpires that it works without setting NO_LOAD_CONFIG, but it is
+ * presumably more efficient not to load it. */
if (!OPENSSL_init_crypto(OPENSSL_INIT_NO_LOAD_CONFIG, NULL))
log_message(LOG_INFO, "OPENSSL_init_crypto failed");
+#endif
#else
SSL_library_init();
SSL_load_error_strings();
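Review bot: The new comment explains the workaround but not its side effect: when HAVE_OPENSSL_INIT_NO_LOAD_CONFIG_BUG is defined the library is no longer initialised explicitly, so (presumably through the implicit initialisation performed by SSL_CTX_new()) the default OpenSSL configuration file is loaded, which can pull in engines and other settings from the system config that the NO_LOAD_CONFIG build never consulted — worth knowing for a daemon that typically runs with elevated privileges. I would extend the comment with a sentence such as `When the bug is present the library initialises itself on first use, so the default openssl config file IS loaded; behaviour therefore differs between the two builds.` and add that the detection happens at configure time against the build host's OpenSSL, so a different runtime libssl may not match the compiled-in choice. build_ssl_ctx() begins before and continues after this hunk.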
--
2.20.1