walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Fix build with LibreSSL 2.7 

LibreSSL 2.7 added a large part of the OpenSSL 1.1 API.
 - Rename LIBRESSL_IN_USE to LIBRESSL_1_0_API (LibreSSL with
   OpenSSL 1.0 API)
 - Add LIBRESSL_1_1_API for ifdef blocks where the 1.1 API in
   LibreSSL is incomplete
 - Use OPENSSL_NO_PSK to detect missing PSK feature (not LibreSSL
   specific)

Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
This commit is contained in:
Bernard Spil 2018-03-25 19:22:46 +02:00
parent 4c3a3acf9b
commit 0bebf8e3b4
4 changed files with 52 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/nghttp.cc
View File

@ -680,9 +680,9 @@ int HttpClient::initiate_connection() {
const auto &host_string =
config.host_override.empty() ? host : config.host_override;
#if (!defined(LIBRESSL_VERSION_NUMBER) && \
#if (!(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) && \
OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(OPENSSL_IS_BORINGSSL)
defined(OPENSSL_IS_BORINGSSL)
auto param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set_hostflags(param, 0);
X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),

38
src/shrpx_config.cc
View File

@ -1222,7 +1222,7 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
auto param = StringRef{first, end};
if (util::istarts_with_l(param, "sct-dir=")) {
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
auto sct_dir =
StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
if (sct_dir.empty()) {
@ -1230,9 +1230,9 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
return -1;
}
out.sct_dir = sct_dir;
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
} else if (!param.empty()) {
LOG(ERROR) << "subcert: " << param << ": unknown keyword";
return -1;
@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector<uint8_t> &dst, const StringRef &opt,
}
} // namespace
#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
namespace {
// Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.psk_secrets. This function
@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) {
return 0;
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // !LIBRESSL_1_0_API
#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
namespace {
// Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.client.psk. This function returns
@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) {
return 0;
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // !LIBRESSL_1_0_API
// generated by gennghttpxfun.py
int option_lookup_token(const char *name, size_t namelen) {
@ -3454,19 +3454,19 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_uint_with_unit(
&config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
case SHRPX_OPTID_ECDH_CURVES:
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
return 0;
case SHRPX_OPTID_TLS_SCT_DIR:
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
return 0;
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
return parse_duration(&config->dns.timeout.cache, opt, optarg);
case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
@ -3489,23 +3489,23 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
optarg);
case SHRPX_OPTID_PSK_SECRETS:
#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
return parse_psk_secrets(config, optarg);
#else // LIBRESSL_IN_USE
#else // LIBRESSL_1_0_API
LOG(WARN)
<< opt
<< ": ignored because underlying TLS library does not support PSK";
return 0;
#endif // LIBRESSL_IN_USE
#endif // LIBRESSL_1_0_API
case SHRPX_OPTID_CLIENT_PSK_SECRETS:
#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
return parse_client_psk_secrets(config, optarg);
#else // LIBRESSL_IN_USE
#else // LIBRESSL_1_0_API
LOG(WARN)
<< opt
<< ": ignored because underlying TLS library does not support PSK";
return 0;
#endif // LIBRESSL_IN_USE
#endif // LIBRESSL_1_0_API
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
config->tls.client.no_http2_cipher_black_list =
util::strieq_l("yes", optarg);

40
src/shrpx_tls.cc
View File

@ -360,7 +360,7 @@ int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {
namespace {
SSL_SESSION *tls_session_get_cb(SSL *ssl,
#if OPENSSL_1_1_API
#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
const unsigned char *id,
#else // !OPENSSL_1_1_API
unsigned char *id,
@ -563,7 +563,7 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
} // namespace
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
#ifndef TLSEXT_TYPE_signed_certificate_timestamp
#define TLSEXT_TYPE_signed_certificate_timestamp 18
@ -653,9 +653,9 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
} // namespace
#endif // !OPENSSL_1_1_1_API
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_IN_USE
#ifndef OPENSSL_NO_PSK
namespace {
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
unsigned int max_psk_len) {
@ -679,9 +679,9 @@ unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
return static_cast<unsigned int>(secret.size());
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK
#if !LIBRESSL_IN_USE
#if OPENSSL_NO_PSK
namespace {
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
unsigned int max_identity_len, unsigned char *psk,
@ -714,7 +714,7 @@ unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
return static_cast<unsigned int>(secret.size());
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK
struct TLSProtocol {
StringRef name;
@ -792,7 +792,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
#ifndef OPENSSL_NO_EC
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
<< " failed";
@ -803,7 +803,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
#endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
#else // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
#else // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this
// writing.
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@ -814,7 +814,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
#endif // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L
#endif // OPENSSL_NO_EC
if (!tlsconf.dh_param_file.empty()) {
@ -929,7 +929,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
// returns 1, which means OpenSSL internally handles it. But
// OpenSSL handles signed_certificate_timestamp extension specially,
@ -960,11 +960,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
#endif // !OPENSSL_1_1_1_API
}
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_IN_USE
#ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK
auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
@ -1112,9 +1112,9 @@ SSL_CTX *create_ssl_client_context(
#endif // HAVE_NEVERBLEED
}
#if !LIBRESSL_IN_USE
#ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK
// NPN selection callback. This is required to set SSL_CTX because
// OpenSSL does not offer SSL_set_next_proto_select_cb.
@ -1549,15 +1549,15 @@ int cert_lookup_tree_add_ssl_ctx(
SSL_CTX *ssl_ctx) {
std::array<uint8_t, NI_MAXHOST> buf;
#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !defined(LIBRESSL_1_0_API) && OPENSSL_VERSION_NUMBER >= 0x10002000L
auto cert = SSL_CTX_get0_certificate(ssl_ctx);
#else // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
#else // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER <
// 0x10002000L
auto tls_ctx_data =
static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
auto cert = load_certificate(tls_ctx_data->cert_file);
auto cert_deleter = defer(X509_free, cert);
#endif // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
#endif // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER <
// 0x10002000L
auto altnames = static_cast<GENERAL_NAMES *>(
@ -1973,7 +1973,7 @@ StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
#endif /* !WORDS_BIGENDIAN */
StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
#if OPENSSL_1_1_API
#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
auto sn = X509_get0_serialNumber(x);
uint64_t r;
if (ASN1_INTEGER_get_uint64(&r, sn) != 1) {

16
src/ssl_compat.h
View File

@ -26,16 +26,22 @@
#include <openssl/opensslv.h>
#if defined(LIBRESSL_VERSION_NUMBER)
#define LIBRESSL_IN_USE 1
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
#define LIBRESSL_1_0_API 1
#define LIBRESSL_1_1_API 0
#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20700000L
#define LIBRESSL_1_0_API 0
#define LIBRESSL_1_1_API 1
#else // !defined(LIBRESSL_VERSION_NUMBER)
#define LIBRESSL_IN_USE 0
#define LIBRESSL_1_0_API 0
#define LIBRESSL_1_1_API 0
#endif // !defined(LIBRESSL_VERSION_NUMBER)
#define OPENSSL_1_1_API \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
#define OPENSSL_1_1_1_API \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L)
(!LIBRESSL_1_0_API && !LIBRESSL_1_1_API && \
OPENSSL_VERSION_NUMBER >= 0x10101000L)
#endif // OPENSSL_COMPAT_H