diff options
-rw-r--r-- | accel-pppd/ctrl/sstp/sstp.c | 27 |
1 files changed, 21 insertions, 6 deletions
diff --git a/accel-pppd/ctrl/sstp/sstp.c b/accel-pppd/ctrl/sstp/sstp.c index af6bc77e..3b65103a 100644 --- a/accel-pppd/ctrl/sstp/sstp.c +++ b/accel-pppd/ctrl/sstp/sstp.c @@ -1492,10 +1492,15 @@ static int sstp_recv_msg_call_connected(struct sstp_conn_t *conn, struct sstp_ct struct { struct sstp_ctrl_hdr hdr; struct sstp_attrib_crypto_binding attr; - } __attribute__((packed)) buf, *msg = (void *)hdr; - uint8_t md[EVP_MAX_MD_SIZE], hash, *ptr; + } __attribute__((packed)) *msg = (void *)hdr; + uint8_t hash; + unsigned int len; +#ifdef CRYPTO_OPENSSL + typeof(*msg) buf; + uint8_t md[EVP_MAX_MD_SIZE], *ptr; const EVP_MD *evp; - unsigned int len, mdlen; + unsigned int mdlen; +#endif if (conf_verbose) log_ppp_info2("recv [SSTP SSTP_MSG_CALL_CONNECTED]\n"); @@ -1533,7 +1538,9 @@ static int sstp_recv_msg_call_connected(struct sstp_conn_t *conn, struct sstp_ct log_ppp_error("sstp: invalid SHA256 Cert Hash"); return sstp_abort(conn, 0); } +#ifdef CRYPTO_OPENSSL evp = EVP_sha256(); +#endif } else if (hash & CERT_HASH_PROTOCOL_SHA1) { len = SHA_DIGEST_LENGTH; if (conf_hash_sha1.len == len && @@ -1541,13 +1548,16 @@ static int sstp_recv_msg_call_connected(struct sstp_conn_t *conn, struct sstp_ct log_ppp_error("sstp: invalid SHA1 Cert Hash"); return sstp_abort(conn, 0); } +#ifdef CRYPTO_OPENSSL evp = EVP_sha1(); +#endif } else { log_ppp_error("sstp: invalid Hash Protocol 0x%02x\n", msg->attr.hash_protocol_bitmask); return sstp_abort(conn, 0); } +#ifdef CRYPTO_OPENSSL if (conn->hlak_key) { ptr = mempcpy(md, SSTP_CMK_SEED, SSTP_CMK_SEED_SIZE); *ptr++ = len; @@ -1565,6 +1575,7 @@ static int sstp_recv_msg_call_connected(struct sstp_conn_t *conn, struct sstp_ct return sstp_abort(conn, 0); } } +#endif conn->sstp_state = STATE_SERVER_CALL_CONNECTED; @@ -2328,15 +2339,17 @@ static int ssl_servername(SSL *ssl, int *al, void *arg) } #endif -#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) +#ifndef SSL_OP_NO_RENEGOTIATION +#if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) static void ssl_info_cb(const SSL *ssl, int where, int ret) { - if ((where & SSL_CB_HANDSHAKE_DONE) != 0) { + if (where & SSL_CB_HANDSHAKE_DONE) { /* disable renegotiation (CVE-2009-3555) */ ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; } } #endif +#endif static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) { @@ -2487,9 +2500,11 @@ static void ssl_load_config(struct sstp_serv_t *serv, const char *servername) log_warn("sstp: SSL server name check error: %s\n", ERR_error_string(ERR_get_error(), NULL)); #endif -#if !defined(SSL_OP_NO_RENGOTIATION) && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) +#ifndef SSL_OP_NO_RENEGOTIATION +#if OPENSSL_VERSION_NUMBER < 0x10100000L && defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS) SSL_CTX_set_info_callback(ssl_ctx, ssl_info_cb); #endif +#endif } else { /* legacy option, to be removed */ opt = conf_get_opt("sstp", "ssl"); |