From 16be89f9ccba4d37e34ef03f20009a9845efeb99 Mon Sep 17 00:00:00 2001 From: Bernard Spil Date: Wed, 25 Jan 2017 18:36:54 +0100 Subject: [PATCH 1/2] nghttpx: Don't build PSK features with LibreSSL LibreSSL removed PSK Signed-off-by: Bernard Spil --- src/shrpx.cc | 6 ++++++ src/shrpx_config.cc | 10 ++++++++++ src/shrpx_ssl.cc | 8 ++++++++ 3 files changed, 24 insertions(+) diff --git a/src/shrpx.cc b/src/shrpx.cc index b636cba4..e8477e09 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -2119,6 +2119,7 @@ SSL/TLS: argument , or certificate option in configuration file. For additional certificates, use --subcert option. This option requires OpenSSL >= 1.0.2. +#if !LIBRESSL_IN_USE --psk-secrets= Read list of PSK identity and secrets from . This is used for frontend connection. The each line of input @@ -2146,6 +2147,7 @@ SSL/TLS: HTTP/2. To use those cipher suites with HTTP/2, consider to use --client-no-http2-cipher-black-list option. But be aware its implications. +#endif // !LIBRESSL_IN_USE HTTP/2 and SPDY: -c, --frontend-http2-max-concurrent-streams= @@ -3125,8 +3127,10 @@ int main(int argc, char **argv) { {SHRPX_OPT_DNS_MAX_TRY.c_str(), required_argument, &flag, 145}, {SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT.c_str(), required_argument, &flag, 146}, +#if !LIBRESSL_IN_USE {SHRPX_OPT_PSK_SECRETS.c_str(), required_argument, &flag, 147}, {SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148}, +#endif {SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument, &flag, 149}, {SHRPX_OPT_CLIENT_CIPHERS.c_str(), required_argument, &flag, 150}, @@ -3821,6 +3825,7 @@ int main(int argc, char **argv) { cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT, StringRef{optarg}); break; +#if !LIBRESSL_IN_USE case 147: // --psk-secrets cmdcfgs.emplace_back(SHRPX_OPT_PSK_SECRETS, StringRef{optarg}); 
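Review bot: The `#if !LIBRESSL_IN_USE` / `#endif` pair added inside the SSL/TLS help text (this hunk and @@ -2146) sits among option descriptions rather than among statements; if that text is emitted from a raw string literal, as the surrounding prose strongly suggests, the directives are printed to the user verbatim instead of being evaluated by the preprocessor. Conditional help would need the literal split around the PSK section with the guard outside it, or, simpler, an unconditional description that states the build requirement, e.g. `This option is not available when built with LibreSSL.`, in the style of the existing `This option requires OpenSSL >= 1.0.2.` line for --subcert. The enclosing function starts and ends outside the hunk.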
@@ -3829,6 +3834,7 @@ int main(int argc, char **argv) { // --client-psk-secrets cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_PSK_SECRETS, StringRef{optarg}); break; +#endif // !LIBRESSL_IN_USE case 149: // --client-no-http2-cipher-black-list cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 56d265ca..bf5486ce 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -1199,6 +1199,7 @@ int read_tls_sct_from_dir(std::vector &dst, const StringRef &opt, } } // namespace +#if !LIBRESSL_IN_USE namespace { // Reads PSK secrets from path, and parses each line. The result is // directly stored into config->tls.psk_secrets. This function @@ -1262,7 +1263,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) { return 0; } } // namespace +#endif // !LIBRESSL_IN_USE +#if !LIBRESSL_IN_USE namespace { // Reads PSK secrets from path, and parses each line. The result is // directly stored into config->tls.client.psk. This function returns @@ -1322,6 +1325,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) { return 0; } } // namespace +#endif // !LIBRESSL_IN_USE // generated by gennghttpxfun.py int option_lookup_token(const char *name, size_t namelen) { @@ -1490,10 +1494,12 @@ int option_lookup_token(const char *name, size_t namelen) { if (util::strieq_l("ecdh-curve", name, 10)) { return SHRPX_OPTID_ECDH_CURVES; } +#if !LIBRESSL_IN_USE if (util::strieq_l("psk-secret", name, 10)) { return SHRPX_OPTID_PSK_SECRETS; } break; +#endif case 't': if (util::strieq_l("write-burs", name, 10)) { return SHRPX_OPTID_WRITE_BURST; 
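Review bot: In the option_lookup_token hunk at @@ -1490 the `break;` of the `case 's':` branch is placed inside the new `#if !LIBRESSL_IN_USE` block, so a LibreSSL build compiles it out and the branch falls through into `case 't':`; it is harmless only because no real option name reaching this branch satisfies the `write-burs` comparison, and it will likely trip -Wimplicit-fallthrough. End the guard before the break, i.e. put `+#endif` right after the closing `}` of the psk-secret check and leave `break;` unconditional; the `case 's':` guard at @@ -1683 wraps its own break and does not have this problem. More fundamentally, the context in the neighbouring hunk shows this function is `// generated by gennghttpxfun.py`, so hand-inserted guards here and at @@ -1683 will disappear on the next regeneration; either teach the generator to emit them or leave the lookup table unconditional, which is what the second patch in this series ends up doing. option_lookup_token starts and ends outside the hunk.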
@@ -1683,11 +1689,13 @@ int option_lookup_token(const char *name, size_t namelen) { return SHRPX_OPTID_ADD_REQUEST_HEADER; } break; +#if !LIBRESSL_IN_USE case 's': if (util::strieq_l("client-psk-secret", name, 17)) { return SHRPX_OPTID_CLIENT_PSK_SECRETS; } break; +#endif // !LIBRESSL_IN_USE case 't': if (util::strieq_l("dns-lookup-timeou", name, 17)) { return SHRPX_OPTID_DNS_LOOKUP_TIMEOUT; @@ -3283,10 +3291,12 @@ int parse_config(Config *config, int optid, const StringRef &opt, case SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT: return parse_duration(&config->conn.upstream.timeout.idle_read, opt, optarg); +#if !LIBRESSL_IN_USE case SHRPX_OPTID_PSK_SECRETS: return parse_psk_secrets(config, optarg); case SHRPX_OPTID_CLIENT_PSK_SECRETS: return parse_client_psk_secrets(config, optarg); +#endif // !LIBRESSL_IN_USE case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: config->tls.client.no_http2_cipher_black_list = util::strieq_l("yes", optarg); diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index c5df1204..29cdf781 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -525,6 +525,7 @@ int sct_parse_cb(SSL *ssl, unsigned int ext_type, const unsigned char *in, } // namespace #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_IN_USE namespace { unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) { @@ -548,7 +549,9 @@ unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, return static_cast(secret.size()); } } // namespace +#endif // !LIBRESSL_IN_USE +#if !LIBRESSL_IN_USE namespace { unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out, unsigned int max_identity_len, unsigned char *psk, @@ -581,6 +584,7 @@ unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out, return (unsigned int)secret.size(); } } // namespace +#endif // !LIBRESSL_IN_USE struct TLSProtocol { StringRef name; 
@@ -784,7 +788,9 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, } #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_IN_USE SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); +#endif // !LIBRESSL_IN_USE auto tls_ctx_data = new TLSContextData(); tls_ctx_data->cert_file = cert_file; @@ -919,7 +925,9 @@ SSL_CTX *create_ssl_client_context( #endif // HAVE_NEVERBLEED } +#if !LIBRESSL_IN_USE SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb); +#endif // !LIBRESSL_IN_USE // NPN selection callback. This is required to set SSL_CTX because // OpenSSL does not offer SSL_set_next_proto_select_cb. From 1cc08c0a51d273afc0e7b4e11eeb0b889d154ee0 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 26 Jan 2017 20:34:58 +0900 Subject: [PATCH 2/2] nghttpx: Show warning if PSK options are used but not supported --- src/shrpx.cc | 6 ------ src/shrpx_config.cc | 20 ++++++++++++++------ 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index e8477e09..b636cba4 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -2119,7 +2119,6 @@ SSL/TLS: argument , or certificate option in configuration file. For additional certificates, use --subcert option. This option requires OpenSSL >= 1.0.2. -#if !LIBRESSL_IN_USE --psk-secrets= Read list of PSK identity and secrets from . This is used for frontend connection. The each line of input @@ -2147,7 +2146,6 @@ SSL/TLS: HTTP/2. To use those cipher suites with HTTP/2, consider to use --client-no-http2-cipher-black-list option. But be aware its implications. -#endif // !LIBRESSL_IN_USE HTTP/2 and SPDY: -c, --frontend-http2-max-concurrent-streams= 
@@ -3127,10 +3125,8 @@ int main(int argc, char **argv) { {SHRPX_OPT_DNS_MAX_TRY.c_str(), required_argument, &flag, 145}, {SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT.c_str(), required_argument, &flag, 146}, -#if !LIBRESSL_IN_USE {SHRPX_OPT_PSK_SECRETS.c_str(), required_argument, &flag, 147}, {SHRPX_OPT_CLIENT_PSK_SECRETS.c_str(), required_argument, &flag, 148}, -#endif {SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST.c_str(), no_argument, &flag, 149}, {SHRPX_OPT_CLIENT_CIPHERS.c_str(), required_argument, &flag, 150}, @@ -3825,7 +3821,6 @@ int main(int argc, char **argv) { cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT, StringRef{optarg}); break; -#if !LIBRESSL_IN_USE case 147: // --psk-secrets cmdcfgs.emplace_back(SHRPX_OPT_PSK_SECRETS, StringRef{optarg}); @@ -3834,7 +3829,6 @@ int main(int argc, char **argv) { // --client-psk-secrets cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_PSK_SECRETS, StringRef{optarg}); break; -#endif // !LIBRESSL_IN_USE case 149: // --client-no-http2-cipher-black-list cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index bf5486ce..6a241efa 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -1494,12 +1494,10 @@ int option_lookup_token(const char *name, size_t namelen) { if (util::strieq_l("ecdh-curve", name, 10)) { return SHRPX_OPTID_ECDH_CURVES; } -#if !LIBRESSL_IN_USE if (util::strieq_l("psk-secret", name, 10)) { return SHRPX_OPTID_PSK_SECRETS; } break; -#endif case 't': if (util::strieq_l("write-burs", name, 10)) { return SHRPX_OPTID_WRITE_BURST; @@ -1689,13 +1687,11 @@ int option_lookup_token(const char *name, size_t namelen) { return SHRPX_OPTID_ADD_REQUEST_HEADER; } break; -#if !LIBRESSL_IN_USE case 's': if (util::strieq_l("client-psk-secret", name, 17)) { return SHRPX_OPTID_CLIENT_PSK_SECRETS; } break; -#endif // !LIBRESSL_IN_USE case 't': if (util::strieq_l("dns-lookup-timeou", name, 17)) { return SHRPX_OPTID_DNS_LOOKUP_TIMEOUT; 
@@ -3291,12 +3287,24 @@ int parse_config(Config *config, int optid, const StringRef &opt, case SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT: return parse_duration(&config->conn.upstream.timeout.idle_read, opt, optarg); -#if !LIBRESSL_IN_USE case SHRPX_OPTID_PSK_SECRETS: +#if !LIBRESSL_IN_USE return parse_psk_secrets(config, optarg); +#else // LIBRESSL_IN_USE + LOG(WARN) + << opt + << ": ignored because underlying TLS library does not support PSK"; + return 0; +#endif // LIBRESSL_IN_USE case SHRPX_OPTID_CLIENT_PSK_SECRETS: +#if !LIBRESSL_IN_USE return parse_client_psk_secrets(config, optarg); -#endif // !LIBRESSL_IN_USE +#else // LIBRESSL_IN_USE + LOG(WARN) + << opt + << ": ignored because underlying TLS library does not support PSK"; + return 0; +#endif // LIBRESSL_IN_USE case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: config->tls.client.no_http2_cipher_black_list = util::strieq_l("yes", optarg);
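Review bot: Returning 0 after the warning in the two new `#else` branches means a configuration that depends on PSK starts up with the option dropped apart from one log line; for `--client-psk-secrets` in particular the backend connections are then presumably made without the credential the operator configured, since the first patch also compiles out the client PSK callback. If the option cannot be honoured, consider failing the parse instead, `return -1;` in place of `return 0;` in both branches (assuming -1 is parse_config's error value, as for the other parse_* helpers), so the misconfiguration is caught at startup rather than noticed in traffic. If ignoring is the intended behaviour, the help text for `--psk-secrets` and `--client-psk-secrets` in shrpx.cc, which this series leaves unconditional, should say so, e.g. `This option is ignored when built with LibreSSL.`, mirroring the `This option requires OpenSSL >= 1.0.2.` line used for --subcert. The two `#else` blocks are byte-identical; one shared branch (a small static helper taking `opt`) would avoid the duplicate log message drifting apart later. parse_config starts and ends outside the hunk.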