From 635bf5e1894701520a0791487f9331b3b265e7da Mon Sep 17 00:00:00 2001 From: Saroj Patra Date: Thu, 24 Aug 2017 07:01:15 +0100 Subject: [PATCH] Add support for building with SSL v1.1.0 --- build/Makefile.components | 9 ++- build/Makefile.kits | 75 ++++++++++++++++-- build/Makefile.pf.Linux | 13 +++- build/Makefile.sslconfig | 62 +++++++++++++-- build/configure | 11 ++- installer/bundle/bundle_skel_Linux.sh | 11 ++- installer/datafiles/Linux.data | 21 +++-- .../tools/scx_ssl_config/scxsslcert.cpp | 76 ++++++++++++++----- 8 files changed, 241 insertions(+), 37 deletions(-) diff --git a/build/Makefile.components b/build/Makefile.components index 97117451..99158cff 100644 --- a/build/Makefile.components +++ b/build/Makefile.components @@ -270,7 +270,11 @@ regex-test: $(INTERMEDIATE_DIR)/regex_test$(PF_EXE_FILE_SUFFIX) omi-preexec: $(INTERMEDIATE_DIR)/omi_preexec$(PF_EXE_FILE_SUFFIX) ifeq ($(COMBINED_PACKAGES),1) -ssl-tool: $(INTERMEDIATE_DIR)/$(OPENSSL098DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) $(INTERMEDIATE_DIR)/$(OPENSSL100DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) + ifeq ($(PF_ARCH),x64) + ssl-tool: $(INTERMEDIATE_DIR)/$(OPENSSL098DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) $(INTERMEDIATE_DIR)/$(OPENSSL100DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) $(INTERMEDIATE_DIR)/$(OPENSSL110DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) + else + ssl-tool: $(INTERMEDIATE_DIR)/$(OPENSSL098DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) $(INTERMEDIATE_DIR)/$(OPENSSL100DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) + endif else ssl-tool: $(INTERMEDIATE_DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) endif @@ -305,6 +309,9 @@ devel-deps: $(COREPROVIDERMODULE_STATICLIB_DEPFILES) $(SCXPAL_TARGET_DIR)/libscx ifeq ($(COMBINED_PACKAGES),1) $(MKPATH) $(INTERMEDIATE_DIR)/scxcore-devel/lib/$(OPENSSL098DIR) $(MKPATH) $(INTERMEDIATE_DIR)/scxcore-devel/lib/$(OPENSSL100DIR) + ifeq ($(PF_ARCH),x64) + $(MKPATH) $(INTERMEDIATE_DIR)/scxcore-devel/lib/$(OPENSSL110DIR) + endif else $(MKPATH) $(INTERMEDIATE_DIR)/scxcore-devel/lib endif 
diff --git a/build/Makefile.kits b/build/Makefile.kits index 58955246..ca6ac246 100644 --- a/build/Makefile.kits +++ b/build/Makefile.kits @@ -9,6 +9,10 @@ OUTPUT_PACKAGE_PREFIX= OUTPUT_PACKAGE_SPECIFICATION= IS_OPENSSL_100=$(shell openssl version | grep 1.0 | wc -l) +ifeq ($(PF_ARCH),x64) + IS_OPENSSL_110=$(shell openssl version | grep 1.1 | wc -l) +endif + ifneq ($(COMBINED_PACKAGES),1) DATAFILES = Base_SCXCore.data $(PF_DEPENDENT_DATAFILES) ifeq ($(PF_ARCH),ppc) @@ -131,6 +135,29 @@ else --DATAFILE_PATH=$(SCX_BRD)/installer/datafiles \ $(OUTPUT_PACKAGE_SPECIFICATION) \ $(DATAFILES) $(DATAFILES_R) + sudo rm -rf $(STAGING_DIR) +ifeq ($(PF_ARCH),x64) + rm -rf $(INTERMEDIATE_DIR)/110 + mkdir -p $(INTERMEDIATE_DIR)/110 + python $(SCXPAL_DIR)/installer/InstallBuilder/installbuilder.py \ + --BASE_DIR=$(SCX_BRD) \ + --TARGET_DIR=$(INTERMEDIATE_DIR)/110 \ + --INTERMEDIATE_DIR=$(SCX_BRD)/installer/intermediate \ + --STAGING_DIR=$(STAGING_DIR) \ + --OMI_DIR=$(SCXOMI_DIR) \ + --BUILD_TYPE=$(BUILD_TYPE) \ + --BUILD_CONFIGURATION=$(BUILD_CONFIGURATION) \ + --PFARCH=$(PF_ARCH) \ + --PFMAJOR=$(PF_MAJOR) \ + --PFMINOR=$(PF_MINOR) \ + --VERSION=$(SCX_BUILDVERSION_MAJOR).$(SCX_BUILDVERSION_MINOR).$(SCX_BUILDVERSION_PATCH) \ + --RELEASE=$(SCX_BUILDVERSION_BUILDNR) \ + --ULINUX_POSTFIX=/openssl_1.1.0 $(DISABLE_PORT) \ + --DATAFILE_PATH=$(SCX_BRD)/installer/datafiles \ + $(OUTPUT_PACKAGE_SPECIFICATION) \ + $(DATAFILES) $(DATAFILES_R) +endif + # Next comes DEB packages sudo rm -rf $(STAGING_DIR) 
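Review bot: The added `IS_OPENSSL_110` probe greps the whole `openssl version` banner for the unanchored pattern `1.1`, where `.` matches any character, so it can also match digits in the build date (a banner such as `OpenSSL 1.0.1 14 Mar 2012` contains `1 1`). The kit-selection hunk (`@@ -208,10 +257,14 @@`) tests `IS_OPENSSL_110` first, so a false match would copy the `ssl_110` OMI kit on a host that has an older library. Matching only the version field, as Makefile.pf.Linux does in this same patch, avoids that: `IS_OPENSSL_110=$(shell openssl version | awk '{print $$2}' | grep -c '^1\.1\.')`. The existing `IS_OPENSSL_100` line has the same weakness.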
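Review bot: The x64 block in the RPM section is another verbatim copy of the multi-line `installbuilder.py` invocation, differing from the command above it only in `--TARGET_DIR` and `--ULINUX_POSTFIX`. The DEB hunk (`@@ -171,6 +198,28 @@`) repeats it once more. A `define`d canned recipe that takes the output directory and the postfix as arguments would keep the OpenSSL variants from drifting apart when an option is added later. The DEB copy also relies on `$(INTERMEDIATE_DIR)/110` having been created by the RPM step, which deserves a one-line comment there.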
@@ -171,6 +198,28 @@ else --DATAFILE_PATH=$(SCX_BRD)/installer/datafiles \ $(OUTPUT_PACKAGE_SPECIFICATION) \ $(DATAFILES) $(DATAFILES_D) + sudo rm -rf $(STAGING_DIR) +ifeq ($(PF_ARCH),x64) + python $(SCXPAL_DIR)/installer/InstallBuilder/installbuilder.py \ + --BASE_DIR=$(SCX_BRD) \ + --TARGET_DIR=$(INTERMEDIATE_DIR)/110 \ + --INTERMEDIATE_DIR=$(SCX_BRD)/installer/intermediate \ + --STAGING_DIR=$(STAGING_DIR) \ + --OMI_DIR=$(SCXOMI_DIR) \ + --BUILD_TYPE=$(BUILD_TYPE) \ + --BUILD_CONFIGURATION=$(BUILD_CONFIGURATION) \ + --PFARCH=$(PF_ARCH) \ + --PFMAJOR=$(PF_MAJOR) \ + --PFMINOR=$(PF_MINOR) \ + --VERSION=$(SCX_BUILDVERSION_MAJOR).$(SCX_BUILDVERSION_MINOR).$(SCX_BUILDVERSION_PATCH) \ + --RELEASE=$(SCX_BUILDVERSION_BUILDNR) \ + --ULINUX_POSTFIX=/openssl_1.1.0 $(DISABLE_PORT) \ + $(DPKG_LOCATION) \ + --DATAFILE_PATH=$(SCX_BRD)/installer/datafiles \ + $(OUTPUT_PACKAGE_SPECIFICATION) \ + $(DATAFILES) $(DATAFILES_D) +endif + endif @@ -208,10 +257,14 @@ ifneq ($(COMBINED_PACKAGES),1) ifeq ($(PF),Linux) ifneq ($(PF_ARCH),ppc) # Copy omi kit depending on openssl version - ifeq ($(IS_OPENSSL_100),1) - cp `find $(OMIKITS_DIR) -name omi-*ssl_100.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/ + ifeq ($(IS_OPENSSL_110),1) + cp `find $(OMIKITS_DIR) -name omi-*ssl_110.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/ else - cp `find $(OMIKITS_DIR) -name omi-*ssl_098.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/ + ifeq ($(IS_OPENSSL_100),1) + cp `find $(OMIKITS_DIR) -name omi-*ssl_100.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/ + else + cp `find $(OMIKITS_DIR) -name omi-*ssl_098.ulinux.$(PF_ARCH).$(PACKAGE_SUFFIX)` $(INTERMEDIATE_DIR)/ + endif endif endif endif 
@@ -244,14 +297,26 @@ else # ifneq ($(COMBINED_PACKAGES),1) # Grab the OMI bits cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_098*$(PF_ARCH).{rpm,deb} 098 cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_100*$(PF_ARCH).{rpm,deb} 100 - # Remove ssl_098 and ssl_100 from omi filename + ifeq ($(PF_ARCH),x64) + cd $(INTERMEDIATE_DIR); cp $(OMIKITS_DIR)/omi-*ssl_110*$(PF_ARCH).{rpm,deb} 110 + endif + + # Remove ssl_098, ssl_100 and ssl_110 from omi filename cd $(INTERMEDIATE_DIR)/098; mv omi-*.deb `ls omi-*.deb | sed "s/\.ssl_098\./\./g"` cd $(INTERMEDIATE_DIR)/098; mv omi-*.rpm `ls omi-*.rpm | sed "s/\.ssl_098\./\./g"` cd $(INTERMEDIATE_DIR)/100; mv omi-*.deb `ls omi-*.deb | sed "s/\.ssl_100\./\./g"` cd $(INTERMEDIATE_DIR)/100; mv omi-*.rpm `ls omi-*.rpm | sed "s/\.ssl_100\./\./g"` + ifeq ($(PF_ARCH),x64) + cd $(INTERMEDIATE_DIR)/110; mv omi-*.deb `ls omi-*.deb | sed "s/\.ssl_110\./\./g"` + cd $(INTERMEDIATE_DIR)/110; mv omi-*.rpm `ls omi-*.rpm | sed "s/\.ssl_110\./\./g"` + endif cd $(INTERMEDIATE_DIR)/100; echo `ls omi-*.deb` > omi_package_filename endif - cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar 098/*.{rpm,deb} 100/*.{rpm,deb} $(OSS_KITS) + ifeq ($(PF_ARCH),x64) + cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar 098/*.{rpm,deb} 100/*.{rpm,deb} 110/*.{rpm,deb} $(OSS_KITS) + else + cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar 098/*.{rpm,deb} 100/*.{rpm,deb} + endif ../installer/bundle/create_bundle.sh $(DISTRO_TYPE) $(INTERMEDIATE_DIR) $(OUTPUT_PACKAGE_PREFIX).tar $(OUTPUT_PACKAGE_PREFIX) `cat $(INTERMEDIATE_DIR)/100/omi_package_filename` $(DISABLE_LISTENER) cp $(INTERMEDIATE_DIR)/$(OUTPUT_PACKAGE_PREFIX).sh $(TARGET_DIR) diff --git a/build/Makefile.pf.Linux b/build/Makefile.pf.Linux index f946255b..c0471e23 100644 --- a/build/Makefile.pf.Linux +++ b/build/Makefile.pf.Linux 
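Review bot: The non-x64 `else` branch of the new `tar cvf` conditional drops `$(OSS_KITS)`, which the removed single-line command included, so bundles built for other architectures would no longer carry the OSS kits. Unless that is intended, the branch should read `cd $(INTERMEDIATE_DIR); tar cvf $(OUTPUT_PACKAGE_PREFIX).tar 098/*.{rpm,deb} 100/*.{rpm,deb} $(OSS_KITS)`. Keeping a single `tar` command and adding `110/*.{rpm,deb}` through a variable that is set only on x64 would prevent the two branches from diverging like this.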
@@ -28,7 +28,8 @@ include Makefile.gcc4 #================================================================================ # OpenSSL -# For ULINUX, we need to build against two versions of OpenSSL, 0.9.8 and 1.0.0. +# For ULINUX, on x64 platfomrs we need to build against three versions of OpenSSL: 0.9.8, 1.0.0 and 1.1.0. +# on x86 platforms we need to build against two versions of OpenSSL: 0.9.8, 1.0.0. #================================================================================ ifeq ($(COMBINED_PACKAGES),1) @@ -37,6 +38,7 @@ ifeq ($(COMBINED_PACKAGES),1) OPENSSL_SYSTEM_VERSION_FULL=$(shell openssl version | awk '{print $$2}') OPENSSL_SYSTEM_VERSION_098=$(shell echo $(OPENSSL_SYSTEM_VERSION_FULL) | grep -Eq '^0.9.8'; echo $$?) OPENSSL_SYSTEM_VERSION_100=$(shell echo $(OPENSSL_SYSTEM_VERSION_FULL) | grep -Eq '^1.0.'; echo $$?) +OPENSSL_SYSTEM_VERSION_110=$(shell echo $(OPENSSL_SYSTEM_VERSION_FULL) | grep -Eq '^1.1.'; echo $$?) ifeq ($(OPENSSL_SYSTEM_VERSION_098), 0) export OPENSSL_SYSTEM_VERSION="0.9.8" 
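Review bot: The added probe `grep -Eq '^1.1.'` leaves both dots unescaped, so each one matches any character; `grep -Eq '^1\.1\.'` states the intent exactly (the existing 0.9.8 and 1.0 probes share the pattern). The comment added in the preceding hunk also misspells "platforms" as "platfomrs".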
@@ -44,28 +46,37 @@ else ifeq ($(OPENSSL_SYSTEM_VERSION_100), 0) export OPENSSL_SYSTEM_VERSION="1.0.0" else +ifeq ($(OPENSSL_SYSTEM_VERSION_110), 0) +export OPENSSL_SYSTEM_VERSION="1.1.0" +else $(error Unable to determine SSL system version installed!) endif endif +endif displaySSLversion: @echo "OpenSSL system full version: $(OPENSSL_SYSTEM_VERSION_FULL)" @echo "OpenSSL system full version 098: $(OPENSSL_SYSTEM_VERSION_098)" @echo "OpenSSL system full version 100: $(OPENSSL_SYSTEM_VERSION_100)" + @echo "OpenSSL system full version 110: $(OPENSSL_SYSTEM_VERSION_110)" @echo "OpenSSL system version: $(OPENSSL_SYSTEM_VERSION)" # Now define other SSL variables for expansion/directory purposes export OPENSSL098DIR=openssl_0.9.8 export OPENSSL100DIR=openssl_1.0.0 +export OPENSSL110DIR=openssl_1.1.0 LINK_OPENSSL098=$(LINK) -L$(INTERMEDIATE_DIR)/$(OPENSSL098DIR) -L$(SCXPAL_TARGET_DIR) LINK_OPENSSL100=$(LINK) -L$(INTERMEDIATE_DIR)/$(OPENSSL100DIR) -L$(SCXPAL_TARGET_DIR) +LINK_OPENSSL110=$(LINK) -L$(INTERMEDIATE_DIR)/$(OPENSSL110DIR) -L$(SCXPAL_TARGET_DIR) LD_LIBRARY_PATH_OPENSSL098=$(OPENSSL098_LIBDIR) PKG_CONFIG_PATH_OPENSSL098=$(OPENSSL098_LIBDIR)/pkgconfig LD_LIBRARY_PATH_OPENSSL100=$(OPENSSL100_LIBDIR) PKG_CONFIG_PATH_OPENSSL100=$(OPENSSL100_LIBDIR)/pkgconfig +LD_LIBRARY_PATH_OPENSSL110=$(OPENSSL110_LIBDIR) +PKG_CONFIG_PATH_OPENSSL110=$(OPENSSL110_LIBDIR)/pkgconfig endif diff --git a/build/Makefile.sslconfig b/build/Makefile.sslconfig index bab958cf..4ad136ed 100644 --- a/build/Makefile.sslconfig +++ b/build/Makefile.sslconfig 
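Review bot: The new `OPENSSL_SYSTEM_VERSION_110` branch accepts a 1.1.x system library on every architecture, while the rest of this patch builds the 1.1.0 targets only when `PF_ARCH` is `x64`. A non-x64 host with OpenSSL 1.1 would therefore pass the `$(error ...)` check and presumably fail later, with a less clear message, for lack of 110 targets. Wrapping the branch in `ifeq ($(PF_ARCH),x64)`, or adding a comment that says why it is unguarded, would make the behaviour explicit. `OPENSSL110_LIBDIR` is not assigned in the visible hunks, so confirm that configure exports it before `LD_LIBRARY_PATH_OPENSSL110` and `PKG_CONFIG_PATH_OPENSSL110` are used.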
@@ -40,12 +40,18 @@ STATIC_SCXSSLCONFIG_OBJFILES_DIR=$(dir $(STATIC_SCXSSLCONFIG_OBJFILES)) STATIC_SCXSSLCONFIG_OBJFILES_NOTDIR=$(notdir $(STATIC_SCXSSLCONFIG_OBJFILES)) STATIC_SCXSSLCONFIG_OBJFILES_OPENSSL098 = $(STATIC_SCXSSLCONFIG_OBJFILES_DIR)$(OPENSSL098DIR)/$(STATIC_SCXSSLCONFIG_OBJFILES_NOTDIR) STATIC_SCXSSLCONFIG_OBJFILES_OPENSSL100 = $(STATIC_SCXSSLCONFIG_OBJFILES_DIR)$(OPENSSL100DIR)/$(STATIC_SCXSSLCONFIG_OBJFILES_NOTDIR) +ifeq ($(PF_ARCH),x64) + STATIC_SCXSSLCONFIG_OBJFILES_OPENSSL110 = $(STATIC_SCXSSLCONFIG_OBJFILES_DIR)$(OPENSSL110DIR)/$(STATIC_SCXSSLCONFIG_OBJFILES_NOTDIR) +endif # Build paths to object output for each version of OpenSSL SCXSSLCONFIG_OBJFILES_DIR = $(dir $(call src_to_obj,$(SCXSSLCONFIG_SRCFILES))) SCXSSLCONFIG_OBJFILES_NOTDIR = $(notdir $(call src_to_obj,$(SCXSSLCONFIG_SRCFILES))) SCXSSLCONFIG_OBJFILES_OPENSSL098 = $(SCXSSLCONFIG_OBJFILES_DIR)$(OPENSSL098DIR)/$(SCXSSLCONFIG_OBJFILES_NOTDIR) SCXSSLCONFIG_OBJFILES_OPENSSL100 = $(SCXSSLCONFIG_OBJFILES_DIR)$(OPENSSL100DIR)/$(SCXSSLCONFIG_OBJFILES_NOTDIR) +ifeq ($(PF_ARCH),x64) + SCXSSLCONFIG_OBJFILES_OPENSSL110 = $(SCXSSLCONFIG_OBJFILES_DIR)$(OPENSSL110DIR)/$(SCXSSLCONFIG_OBJFILES_NOTDIR) +endif endif 
@@ -80,21 +86,36 @@ SCXSSLCONFIG_STATICLIB_DEPS_OPENSSL = \ # Foreach XYZ in the list above, build $(INTERMEDIATE_DIR)/libXYZ.a SCXSSLCONFIG_DEPFILES=$(SCXSSLCONFIG_OBJFILES:.$(PF_OBJ_FILE_SUFFIX)=.d) $(STATIC_SCXSSLCONFIG_OBJFILES:.$(PF_OBJ_FILE_SUFFIX)=.d) -# Need two targets, one for each flavor of OpenSSL +# Need three targets, one for each flavor of OpenSSL +ifeq ($(PF_ARCH),x64) +scxsslconfig_both_targets: \ + $(INTERMEDIATE_DIR)/$(OPENSSL098DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) \ + $(INTERMEDIATE_DIR)/$(OPENSSL100DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) \ + $(INTERMEDIATE_DIR)/$(OPENSSL110DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) +else scxsslconfig_both_targets: \ $(INTERMEDIATE_DIR)/$(OPENSSL098DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) \ $(INTERMEDIATE_DIR)/$(OPENSSL100DIR)/scxsslconfig$(PF_EXE_FILE_SUFFIX) +endif + # These targets override those in the Makefile.rules file # They build code and everything downstream to order for each version of OpenSSL # Non-universal Linux builds handle these steps implicitly through suffix rules. + +ifeq ($(PF_ARCH),x64) +$(INTERMEDIATE_DIR)/source/code/shared/tools/scx_ssl_config/$(OPENSSL110DIR)/%.$(PF_OBJ_FILE_SUFFIX) : $(SCXSSLCONFIG_DIR)/%.cpp + $(MKPATH) $(@D) + $(PROFILING) $(CXX) -c $(CXXFLAGS) -Wno-long-long $(OPENSSL110_CFLAGS) $(INCLUDES) -I$( #include #include +#include #include "scxsslcert.h" #include "resourcehelper.h" @@ -319,11 +320,15 @@ struct LoadASN1 { OpenSSL_add_all_algorithms() is a macro so it could not be passed as a function pointer. */ +#if OPENSSL_VERSION_NUMBER <= 0x100fffffL // SSL 1.0.x or lower? static void SSL_OpenSSL_add_all_algorithms() { // Call to a macro OpenSSL_add_all_algorithms(); } +#else +void NoOp_Destructor(){} +#endif /*----------------------------------------------------------------------------*/ /** 
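Review bot: `NoOp_Destructor` in the `#else` branch is defined with external linkage and no comment, while the helper in the other branch is `static` and documented. Declaring it `static void NoOp_Destructor() {}` keeps it file-local, and a short comment such as `// OpenSSL 1.1.0 releases engine state itself, so ManagedResource gets an empty release function` would say why it exists. The doc comment above the `#if` describes only `SSL_OpenSSL_add_all_algorithms` and now sits over both branches.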
@@ -342,9 +347,13 @@ void SCXSSLCertificate::DoGenerate() string outfile(StrToMultibyte(m_CertPath)); string keyout(StrToMultibyte(m_KeyPath)); - ManagedResource res1(ERR_load_crypto_strings, ERR_free_strings); - ManagedResource res2(SSL_OpenSSL_add_all_algorithms, EVP_cleanup); - ManagedResource res3(ENGINE_load_builtin_engines, ENGINE_cleanup); + #if OPENSSL_VERSION_NUMBER <= 0x100fffffL // SSL 1.0.x or lower? + ManagedResource res1(ERR_load_crypto_strings, ERR_free_strings); + ManagedResource res2(SSL_OpenSSL_add_all_algorithms, EVP_cleanup); + ManagedResource res3(ENGINE_load_builtin_engines, ENGINE_cleanup); + #else + ManagedResource res1(ENGINE_load_builtin_engines, NoOp_Destructor); + #endif // Serial number is always set to "1". // This is a self-signed certificate. Serial number is unimportant. @@ -370,13 +379,40 @@ void SCXSSLCertificate::DoGenerate() } { - RSA * rsa = RSA_generate_key(newKeyLength, 0x10001, 0, 0); - if ( ! rsa ) - { - throw SCXCoreLib::SCXNULLPointerException(L"Error allocating RSA structure.", - SCXSRCLOCATION); - } - if ( ! EVP_PKEY_assign_RSA(pkey.Get(), rsa)) + int ret = 1; + + #if OPENSSL_VERSION_NUMBER < 0x0090800fL // SSL version lower than 0.9.8? It is needed for Solaris-10. + RSA * rsa = RSA_generate_key(newKeyLength, 0x10001, 0, 0); + + if ( ! rsa ) + { + throw SCXCoreLib::SCXNULLPointerException(L"Error allocating RSA structure.", + SCXSRCLOCATION); + } + + #else + + BIGNUM *bne = BN_new(); + + ret = BN_set_word(bne,RSA_F4); + + if(ret !=1){ + throw SCXNULLPointerException(L"Unable to set empty private key structure.", + SCXSRCLOCATION); + } + + RSA * rsa = RSA_new(); + + if ( ! rsa ) + { + throw SCXCoreLib::SCXNULLPointerException(L"Error allocating RSA structure.", + SCXSRCLOCATION); + } + + ret = RSA_generate_key_ex(rsa, newKeyLength, bne, NULL); + #endif + + if ( ret != 1 || ! EVP_PKEY_assign_RSA(pkey.Get(), rsa)) { // Free rsa if the assign was unsuccessful. (If it was successful, then rsa // is owned by pkey.) 
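Review bot: `bne` from `BN_new()` in the `#else` branch is passed to `BN_set_word` without a NULL check and is never released in the visible lines, neither on the two `throw` paths nor after `RSA_generate_key_ex` returns. The rewrite below checks the allocation and calls `BN_free` on every path; the exponent can be freed straight after key generation because the key keeps its own copy. It also restores the `SCXCoreLib::` qualifier that the neighbouring throws use. DoGenerate begins and ends outside this hunk, so a later release of `bne` cannot be ruled out from here.

```cpp
// … unchanged: pre-0.9.8 branch using RSA_generate_key …
#else
    BIGNUM *bne = BN_new();

    if ( ! bne || BN_set_word(bne, RSA_F4) != 1 )
    {
        BN_free(bne);   // accepts NULL
        throw SCXCoreLib::SCXNULLPointerException(L"Unable to set empty private key structure.",
                                                  SCXSRCLOCATION);
    }

    RSA * rsa = RSA_new();

    if ( ! rsa )
    {
        BN_free(bne);
        throw SCXCoreLib::SCXNULLPointerException(L"Error allocating RSA structure.",
                                                  SCXSRCLOCATION);
    }

    ret = RSA_generate_key_ex(rsa, newKeyLength, bne, NULL);
    BN_free(bne);       // rsa holds its own copy of the public exponent
#endif
// … unchanged: ret / EVP_PKEY_assign_RSA check …
```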
@@ -529,18 +565,24 @@ void SCXSSLCertificate::DoGenerate() } // Cleanup the rest of the resources that may have been allocated internally. - OBJ_cleanup(); + #if OPENSSL_VERSION_NUMBER <= 0x100fffffL // SSL 1.0.x or lower? + OBJ_cleanup(); + #endif CONF_modules_unload(1); - CRYPTO_cleanup_all_ex_data(); - ERR_remove_state(0); + #if OPENSSL_VERSION_NUMBER <= 0x100fffffL // SSL 1.0.x or lower? + CRYPTO_cleanup_all_ex_data(); + ERR_remove_state(0); + #endif } catch (SCXCoreLib::SCXException & e) { // Blunt force resource release functions. - OBJ_cleanup(); - CONF_modules_free(); - CRYPTO_cleanup_all_ex_data(); - ERR_remove_state(0); + #if OPENSSL_VERSION_NUMBER <= 0x100fffffL // SSL 1.0.x or lower? + OBJ_cleanup(); + CONF_modules_free(); + CRYPTO_cleanup_all_ex_data(); + ERR_remove_state(0); + #endif throw; }
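Review bot: The literal `0x100fffffL` is repeated in every version guard of this file, three times in this hunk alone, and on 1.1.0 the `catch` block now releases nothing while the success path still calls `CONF_modules_unload(1)`. One named macro defined next to the includes would make the guards readable and keep the threshold in a single place. A comment in the `catch` block such as `// OpenSSL 1.1.0+: nothing to release here, the library cleans up at exit` would show that the asymmetry is deliberate. DoGenerate begins outside this hunk.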