Define LIBRESSL_LEGACY_API and LIBRESSL_2_7_API
LIBRESSL_LEGACY_API is drop-in replacement for LIBRESSL_IN_USE. In the upcoming commits, we will add changes to support libressl 2.7.
This commit is contained in:
Tatsuhiro Tsujikawa
parent
3febaef1fa
commit
1bf69b5662
|
|
@ -1222,7 +1222,7 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
|
||||||
auto param = StringRef{first, end};
|
auto param = StringRef{first, end};
|
||||||
|
|
||||||
if (util::istarts_with_l(param, "sct-dir=")) {
|
if (util::istarts_with_l(param, "sct-dir=")) {
|
||||||
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
auto sct_dir =
|
auto sct_dir =
|
||||||
StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
|
StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
|
||||||
if (sct_dir.empty()) {
|
if (sct_dir.empty()) {
|
||||||
|
|
@ -1230,9 +1230,9 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
out.sct_dir = sct_dir;
|
out.sct_dir = sct_dir;
|
||||||
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
|
LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
|
||||||
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
} else if (!param.empty()) {
|
} else if (!param.empty()) {
|
||||||
LOG(ERROR) << "subcert: " << param << ": unknown keyword";
|
LOG(ERROR) << "subcert: " << param << ": unknown keyword";
|
||||||
return -1;
|
return -1;
|
||||||
|
|
@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector<uint8_t> &dst, const StringRef &opt,
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
namespace {
|
namespace {
|
||||||
// Reads PSK secrets from path, and parses each line. The result is
|
// Reads PSK secrets from path, and parses each line. The result is
|
||||||
// directly stored into config->tls.psk_secrets. This function
|
// directly stored into config->tls.psk_secrets. This function
|
||||||
|
|
@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
#endif // !LIBRESSL_IN_USE
|
#endif // !LIBRESSL_LEGACY_API
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
namespace {
|
namespace {
|
||||||
// Reads PSK secrets from path, and parses each line. The result is
|
// Reads PSK secrets from path, and parses each line. The result is
|
||||||
// directly stored into config->tls.client.psk. This function returns
|
// directly stored into config->tls.client.psk. This function returns
|
||||||
|
|
@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
#endif // !LIBRESSL_IN_USE
|
#endif // !LIBRESSL_LEGACY_API
|
||||||
|
|
||||||
// generated by gennghttpxfun.py
|
// generated by gennghttpxfun.py
|
||||||
int option_lookup_token(const char *name, size_t namelen) {
|
int option_lookup_token(const char *name, size_t namelen) {
|
||||||
|
|
@ -3454,19 +3454,19 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
return parse_uint_with_unit(
|
return parse_uint_with_unit(
|
||||||
&config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
|
&config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
|
||||||
case SHRPX_OPTID_ECDH_CURVES:
|
case SHRPX_OPTID_ECDH_CURVES:
|
||||||
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
|
config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
|
||||||
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
|
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
|
||||||
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_SCT_DIR:
|
case SHRPX_OPTID_TLS_SCT_DIR:
|
||||||
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
|
return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
|
||||||
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
|
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
|
||||||
return 0;
|
return 0;
|
||||||
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
|
||||||
case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
|
case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
|
||||||
return parse_duration(&config->dns.timeout.cache, opt, optarg);
|
return parse_duration(&config->dns.timeout.cache, opt, optarg);
|
||||||
case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
|
case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
|
||||||
|
|
@ -3489,23 +3489,23 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||||
return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
|
return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
|
||||||
optarg);
|
optarg);
|
||||||
case SHRPX_OPTID_PSK_SECRETS:
|
case SHRPX_OPTID_PSK_SECRETS:
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
return parse_psk_secrets(config, optarg);
|
return parse_psk_secrets(config, optarg);
|
||||||
#else // LIBRESSL_IN_USE
|
#else // LIBRESSL_LEGACY_API
|
||||||
LOG(WARN)
|
LOG(WARN)
|
||||||
<< opt
|
<< opt
|
||||||
<< ": ignored because underlying TLS library does not support PSK";
|
<< ": ignored because underlying TLS library does not support PSK";
|
||||||
return 0;
|
return 0;
|
||||||
#endif // LIBRESSL_IN_USE
|
#endif // LIBRESSL_LEGACY_API
|
||||||
case SHRPX_OPTID_CLIENT_PSK_SECRETS:
|
case SHRPX_OPTID_CLIENT_PSK_SECRETS:
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
return parse_client_psk_secrets(config, optarg);
|
return parse_client_psk_secrets(config, optarg);
|
||||||
#else // LIBRESSL_IN_USE
|
#else // LIBRESSL_LEGACY_API
|
||||||
LOG(WARN)
|
LOG(WARN)
|
||||||
<< opt
|
<< opt
|
||||||
<< ": ignored because underlying TLS library does not support PSK";
|
<< ": ignored because underlying TLS library does not support PSK";
|
||||||
return 0;
|
return 0;
|
||||||
#endif // LIBRESSL_IN_USE
|
#endif // LIBRESSL_LEGACY_API
|
||||||
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
|
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
|
||||||
config->tls.client.no_http2_cipher_black_list =
|
config->tls.client.no_http2_cipher_black_list =
|
||||||
util::strieq_l("yes", optarg);
|
util::strieq_l("yes", optarg);
|
||||||
|
|
|
||||||
|
|
@ -565,7 +565,7 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
|
||||||
} // namespace
|
} // namespace
|
||||||
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
|
|
||||||
#ifndef TLSEXT_TYPE_signed_certificate_timestamp
|
#ifndef TLSEXT_TYPE_signed_certificate_timestamp
|
||||||
#define TLSEXT_TYPE_signed_certificate_timestamp 18
|
#define TLSEXT_TYPE_signed_certificate_timestamp 18
|
||||||
|
|
@ -655,9 +655,9 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
#endif // !OPENSSL_1_1_1_API
|
#endif // !OPENSSL_1_1_1_API
|
||||||
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#endif // !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
namespace {
|
namespace {
|
||||||
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
|
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
|
||||||
unsigned int max_psk_len) {
|
unsigned int max_psk_len) {
|
||||||
|
|
@ -681,9 +681,9 @@ unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
|
||||||
return static_cast<unsigned int>(secret.size());
|
return static_cast<unsigned int>(secret.size());
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
#endif // !LIBRESSL_IN_USE
|
#endif // !LIBRESSL_LEGACY_API
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
namespace {
|
namespace {
|
||||||
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
|
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
|
||||||
unsigned int max_identity_len, unsigned char *psk,
|
unsigned int max_identity_len, unsigned char *psk,
|
||||||
|
|
@ -716,7 +716,7 @@ unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
|
||||||
return static_cast<unsigned int>(secret.size());
|
return static_cast<unsigned int>(secret.size());
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
#endif // !LIBRESSL_IN_USE
|
#endif // !LIBRESSL_LEGACY_API
|
||||||
|
|
||||||
struct TLSProtocol {
|
struct TLSProtocol {
|
||||||
StringRef name;
|
StringRef name;
|
||||||
|
|
@ -794,7 +794,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifndef OPENSSL_NO_EC
|
#ifndef OPENSSL_NO_EC
|
||||||
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
|
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
|
||||||
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
|
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
|
||||||
<< " failed";
|
<< " failed";
|
||||||
|
|
@ -805,7 +805,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
|
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
|
||||||
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
|
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
|
||||||
#endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
|
#endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
|
||||||
#else // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
|
#else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||||
// Use P-256, which is sufficiently secure at the time of this
|
// Use P-256, which is sufficiently secure at the time of this
|
||||||
// writing.
|
// writing.
|
||||||
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
||||||
|
|
@ -816,7 +816,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
}
|
}
|
||||||
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
|
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
|
||||||
EC_KEY_free(ecdh);
|
EC_KEY_free(ecdh);
|
||||||
#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
|
#endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
|
||||||
#endif // OPENSSL_NO_EC
|
#endif // OPENSSL_NO_EC
|
||||||
|
|
||||||
if (!tlsconf.dh_param_file.empty()) {
|
if (!tlsconf.dh_param_file.empty()) {
|
||||||
|
|
@ -933,7 +933,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
|
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
|
||||||
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
|
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
|
||||||
// returns 1, which means OpenSSL internally handles it. But
|
// returns 1, which means OpenSSL internally handles it. But
|
||||||
// OpenSSL handles signed_certificate_timestamp extension specially,
|
// OpenSSL handles signed_certificate_timestamp extension specially,
|
||||||
|
|
@ -964,11 +964,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
|
||||||
}
|
}
|
||||||
#endif // !OPENSSL_1_1_1_API
|
#endif // !OPENSSL_1_1_1_API
|
||||||
}
|
}
|
||||||
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
#endif // !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
|
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
|
||||||
#endif // !LIBRESSL_IN_USE
|
#endif // !LIBRESSL_LEGACY_API
|
||||||
|
|
||||||
auto tls_ctx_data = new TLSContextData();
|
auto tls_ctx_data = new TLSContextData();
|
||||||
tls_ctx_data->cert_file = cert_file;
|
tls_ctx_data->cert_file = cert_file;
|
||||||
|
|
@ -1116,9 +1116,9 @@ SSL_CTX *create_ssl_client_context(
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
}
|
}
|
||||||
|
|
||||||
#if !LIBRESSL_IN_USE
|
#if !LIBRESSL_LEGACY_API
|
||||||
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
|
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
|
||||||
#endif // !LIBRESSL_IN_USE
|
#endif // !LIBRESSL_LEGACY_API
|
||||||
|
|
||||||
// NPN selection callback. This is required to set SSL_CTX because
|
// NPN selection callback. This is required to set SSL_CTX because
|
||||||
// OpenSSL does not offer SSL_set_next_proto_select_cb.
|
// OpenSSL does not offer SSL_set_next_proto_select_cb.
|
||||||
|
|
|
||||||
|
|
@ -27,15 +27,15 @@
|
||||||
#include <openssl/opensslv.h>
|
#include <openssl/opensslv.h>
|
||||||
|
|
||||||
#if defined(LIBRESSL_VERSION_NUMBER)
|
#if defined(LIBRESSL_VERSION_NUMBER)
|
||||||
#define LIBRESSL_IN_USE 1
|
#define OPENSSL_1_1_API 0
|
||||||
|
#define OPENSSL_1_1_1_API 0
|
||||||
|
#define LIBRESSL_LEGACY_API (LIBRESSL_VERSION_NUMBER < 0x20700000L)
|
||||||
|
#define LIBRESSL_2_7_API (LIBRESSL_VERSION_NUMBER >= 0x20700000L)
|
||||||
#else // !defined(LIBRESSL_VERSION_NUMBER)
|
#else // !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
#define LIBRESSL_IN_USE 0
|
#define OPENSSL_1_1_API (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
|
||||||
|
#define OPENSSL_1_1_1_API (OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
||||||
|
#define LIBRESSL_LEGACY_API 0
|
||||||
|
#define LIBRESSL_2_7_API 0
|
||||||
#endif // !defined(LIBRESSL_VERSION_NUMBER)
|
#endif // !defined(LIBRESSL_VERSION_NUMBER)
|
||||||
|
|
||||||
#define OPENSSL_1_1_API \
|
|
||||||
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
|
|
||||||
|
|
||||||
#define OPENSSL_1_1_1_API \
|
|
||||||
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L)
|
|
||||||
|
|
||||||
#endif // OPENSSL_COMPAT_H
|
#endif // OPENSSL_COMPAT_H
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue