diff --git a/src/nghttp.cc b/src/nghttp.cc index ca4a02a4..4f05d6c0 100644 --- a/src/nghttp.cc +++ b/src/nghttp.cc @@ -59,6 +59,7 @@ #include "base64.h" #include "tls.h" #include "template.h" +#include "ssl_compat.h" #ifndef O_BINARY #define O_BINARY (0) @@ -680,15 +681,16 @@ int HttpClient::initiate_connection() { const auto &host_string = config.host_override.empty() ? host : config.host_override; -#if (!defined(LIBRESSL_VERSION_NUMBER) && \ - OPENSSL_VERSION_NUMBER >= 0x10002000L) || \ +#if LIBRESSL_2_7_API || \ + (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) || \ defined(OPENSSL_IS_BORINGSSL) auto param = SSL_get0_param(ssl); X509_VERIFY_PARAM_set_hostflags(param, 0); X509_VERIFY_PARAM_set1_host(param, host_string.c_str(), host_string.size()); -#endif // (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= - // 0x10002000L) || defined(OPENSSL_IS_BORINGSSL) +#endif // LIBRESSL_2_7_API || (!LIBRESSL_IN_USE && + // OPENSSL_VERSION_NUMBER >= 0x10002000L) || + // defined(OPENSSL_IS_BORINGSSL) SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb); if (!util::numeric_host(host_string.c_str())) { diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index e7efed2b..5964dc49 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -1222,7 +1222,7 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) { auto param = StringRef{first, end}; if (util::istarts_with_l(param, "sct-dir=")) { -#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L auto sct_dir = StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)}; if (sct_dir.empty()) { 
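Review bot: When none of the three alternatives in the new `#if` hold, the host name is never passed to the library and only `SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb)` runs, so in that configuration peer-name checking rests entirely on whatever verify_cb does; with the condition now spread over three lines that is worth stating at the guard. Suggest a comment after the `#endif` along the lines of `// Builds without X509_VERIFY_PARAM_set1_host (OpenSSL < 1.0.2, LibreSSL < 2.7) get no library-side host name check; verify_cb must cover it.` — adjusted to what verify_cb actually does, which is outside this hunk. initiate_connection() continues past the hunk on both sides.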
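Review bot: Relaxing this guard to `!LIBRESSL_LEGACY_API` makes `sct-dir=` accepted on LibreSSL >= 2.7, but the SCT code in shrpx_tls.cc appears to stay behind `!LIBRESSL_IN_USE` (the `#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L` context lines after legacy_sct_parse_cb and inside create_ssl_context), so on that library the directory would be read and stored but never served; the matching `#if` lines are outside these hunks and should be confirmed. If SCT is not being enabled for LibreSSL 2.7 in shrpx_tls.cc, this guard, the comment-only hunk at `@@ -1230`, and the `SHRPX_OPTID_TLS_SCT_DIR` case in `@@ -3454` should keep `!LIBRESSL_IN_USE` so the existing `LOG(WARN)` fires instead of the option being silently accepted; the `SHRPX_OPTID_ECDH_CURVES` case in the same hunk is fine because `SSL_CTX_set1_curves_list` in `@@ -794` was relaxed the same way. If the intent is the opposite, the shrpx_tls.cc guards need the same relaxation. parse_subcert_params() continues outside the hunk.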
@@ -1230,9 +1230,9 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) { return -1; } out.sct_dir = sct_dir; -#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) +#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2"; -#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) +#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) } else if (!param.empty()) { LOG(ERROR) << "subcert: " << param << ": unknown keyword"; return -1; @@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector &dst, const StringRef &opt, } } // namespace -#if !LIBRESSL_IN_USE +#if !LIBRESSL_LEGACY_API namespace { // Reads PSK secrets from path, and parses each line. The result is // directly stored into config->tls.psk_secrets. This function @@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) { return 0; } } // namespace -#endif // !LIBRESSL_IN_USE +#endif // !LIBRESSL_LEGACY_API -#if !LIBRESSL_IN_USE +#if !LIBRESSL_LEGACY_API namespace { // Reads PSK secrets from path, and parses each line. The result is // directly stored into config->tls.client.psk. This function returns @@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) { return 0; } } // namespace -#endif // !LIBRESSL_IN_USE +#endif // !LIBRESSL_LEGACY_API // generated by gennghttpxfun.py int option_lookup_token(const char *name, size_t namelen) { 
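Review bot: The PSK secret parsers in `@@ -1364`, `@@ -1428` and `@@ -1490` are now compiled under `#if !LIBRESSL_LEGACY_API`, while the code that consumes them in shrpx_tls.cc (`psk_server_cb`, `psk_client_cb`, and the `SSL_CTX_set_psk_server_callback` / `SSL_CTX_set_psk_client_callback` calls) is compiled under `#ifndef OPENSSL_NO_PSK`. The two conditions are not equivalent: a LibreSSL 2.7 build that defines OPENSSL_NO_PSK, or an OpenSSL build configured with no-psk, will parse and store `--psk-secrets` / `--client-psk-secrets` yet never register a callback, so the operator's expectation of PSK authentication is silently unmet instead of hitting the existing `ignored because underlying TLS library does not support PSK` warning. Suggest guarding these two namespaces and the `SHRPX_OPTID_PSK_SECRETS` / `SHRPX_OPTID_CLIENT_PSK_SECRETS` cases in `@@ -3489` with `#ifndef OPENSSL_NO_PSK` as well, so a library without PSK is reported at configuration time. Whether LibreSSL 2.7 defines `OPENSSL_NO_PSK` should be confirmed; even if it does not, the split as written still leaves OpenSSL no-psk builds inconsistent.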
@@ -3454,19 +3454,19 @@ int parse_config(Config *config, int optid, const StringRef &opt, return parse_uint_with_unit( &config->http2.downstream.decoder_dynamic_table_size, opt, optarg); case SHRPX_OPTID_ECDH_CURVES: -#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L config->tls.ecdh_curves = make_string_ref(config->balloc, optarg); -#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) +#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2"; -#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) +#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) return 0; case SHRPX_OPTID_TLS_SCT_DIR: -#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg); -#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) +#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2"; return 0; -#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) +#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) case SHRPX_OPTID_DNS_CACHE_TIMEOUT: return parse_duration(&config->dns.timeout.cache, opt, optarg); case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT: 
@@ -3489,23 +3489,23 @@ int parse_config(Config *config, int optid, const StringRef &opt, return parse_duration(&config->conn.upstream.timeout.idle_read, opt, optarg); case SHRPX_OPTID_PSK_SECRETS: -#if !LIBRESSL_IN_USE +#if !LIBRESSL_LEGACY_API return parse_psk_secrets(config, optarg); -#else // LIBRESSL_IN_USE +#else // LIBRESSL_LEGACY_API LOG(WARN) << opt << ": ignored because underlying TLS library does not support PSK"; return 0; -#endif // LIBRESSL_IN_USE +#endif // LIBRESSL_LEGACY_API case SHRPX_OPTID_CLIENT_PSK_SECRETS: -#if !LIBRESSL_IN_USE +#if !LIBRESSL_LEGACY_API return parse_client_psk_secrets(config, optarg); -#else // LIBRESSL_IN_USE +#else // LIBRESSL_LEGACY_API LOG(WARN) << opt << ": ignored because underlying TLS library does not support PSK"; return 0; -#endif // LIBRESSL_IN_USE +#endif // LIBRESSL_LEGACY_API case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: config->tls.client.no_http2_cipher_black_list = util::strieq_l("yes", optarg); diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc index 31dac3c6..eafda7e9 100644 --- a/src/shrpx_connection.cc +++ b/src/shrpx_connection.cc @@ -44,13 +44,13 @@ using namespace nghttp2; namespace shrpx { -#if !OPENSSL_1_1_API +#if !LIBRESSL_2_7_API && !OPENSSL_1_1_API void *BIO_get_data(BIO *bio) { return bio->ptr; } void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; } void BIO_set_init(BIO *bio, int init) { bio->init = init; } -#endif // !OPENSSL_1_1_API +#endif // !LIBRESSL_2_7_API && !OPENSSL_1_1_API Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl, MemchunkPool *mcpool, ev_tstamp write_timeout, diff --git a/src/shrpx_tls.cc b/src/shrpx_tls.cc index 784de58d..9f12f37a 100644 --- a/src/shrpx_tls.cc +++ b/src/shrpx_tls.cc 
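Review bot: The added `!LIBRESSL_2_7_API` term carries no comment saying why LibreSSL 2.7 is carved out of the `BIO_get_data` / `BIO_set_data` / `BIO_set_init` shims, presumably because that release ships its own accessors and keeping the local definitions would either collide with them or reach into a `BIO` that is no longer meant to be accessed by field. Suggest a one-line comment above the `#if`: `// OpenSSL 1.1 and LibreSSL 2.7 provide these accessors; the shims below touch struct BIO fields and must only exist for older libraries.` The enclosing namespace continues past the hunk.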
@@ -194,7 +194,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) { const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx); assert(!ssl_ctx_list.empty()); -#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER) && \ +#if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \ OPENSSL_VERSION_NUMBER >= 0x10002000L auto num_shared_curves = SSL_get_shared_curve(ssl, -1); @@ -238,7 +238,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) { } } } -#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER) && +#endif // !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && // OPENSSL_VERSION_NUMBER >= 0x10002000L SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]); @@ -657,7 +657,7 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type, #endif // !OPENSSL_1_1_1_API #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L -#if !LIBRESSL_IN_USE +#ifndef OPENSSL_NO_PSK namespace { unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) { @@ -681,9 +681,9 @@ unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, return static_cast(secret.size()); } } // namespace -#endif // !LIBRESSL_IN_USE +#endif // !OPENSSL_NO_PSK -#if !LIBRESSL_IN_USE +#ifndef OPENSSL_NO_PSK namespace { unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out, unsigned int max_identity_len, unsigned char *psk, @@ -716,7 +716,7 @@ unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out, return static_cast(secret.size()); } } // namespace -#endif // !LIBRESSL_IN_USE +#endif // !OPENSSL_NO_PSK struct TLSProtocol { StringRef name; 
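Review bot: The shared-curve check in servername_callback keeps `!LIBRESSL_IN_USE`, so it stays disabled for LibreSSL 2.7 even though curve configuration through `SSL_CTX_set1_curves_list` (`@@ -794`) is now enabled there via `!LIBRESSL_LEGACY_API`; on that library the certificate may be chosen without confirming the client shares a curve. If LibreSSL 2.7 provides `SSL_get_shared_curve`, the guard here and the matching `#endif` at `@@ -238` could use `!LIBRESSL_LEGACY_API`; if it does not, a short comment saying so would explain the asymmetry to the next reader. The body between the two hunks is outside view.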
@@ -794,7 +794,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, } #ifndef OPENSSL_NO_EC -#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) { LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves << " failed"; @@ -805,7 +805,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, // function was deprecated in OpenSSL 1.1.0 and BoringSSL. SSL_CTX_set_ecdh_auto(ssl_ctx, 1); #endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API -#else // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L +#else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L // Use P-256, which is sufficiently secure at the time of this // writing. auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); @@ -816,7 +816,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, } SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh); EC_KEY_free(ecdh); -#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L +#endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L #endif // OPENSSL_NO_EC if (!tlsconf.dh_param_file.empty()) { @@ -966,9 +966,9 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file, } #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L -#if !LIBRESSL_IN_USE +#ifndef OPENSSL_NO_PSK SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); -#endif // !LIBRESSL_IN_USE +#endif // !LIBRESSL_NO_PSK auto tls_ctx_data = new TLSContextData(); tls_ctx_data->cert_file = cert_file; 
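Review bot: The rewritten `#else` comment in `@@ -805` and the `#endif` comment in `@@ -816` still carry the pre-existing misspelling `OPENSSL_VERSION_NUBMER`; since both lines are being replaced anyway, correct them to `OPENSSL_VERSION_NUMBER` now so that grepping for the real macro name finds every guard. The `#ifndef OPENSSL_NO_EC` region they belong to starts before `@@ -794` and ends after `@@ -816`.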
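Review bot: The closing comment on the new `#endif` in `@@ -966` reads `!LIBRESSL_NO_PSK`, naming a macro that does not exist anywhere in this change; it should mirror the guard as `#endif // !OPENSSL_NO_PSK`, matching the companion hunks at `@@ -681`, `@@ -716` and `@@ -1116`. Mis-named `#endif` comments are how guard mismatches slip through in preprocessor-heavy TLS setup code, so keeping them exact is worth the extra line. create_ssl_context() continues on both sides of the hunk.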
@@ -1116,9 +1116,9 @@ SSL_CTX *create_ssl_client_context( #endif // HAVE_NEVERBLEED } -#if !LIBRESSL_IN_USE +#ifndef OPENSSL_NO_PSK SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb); -#endif // !LIBRESSL_IN_USE +#endif // !OPENSSL_NO_PSK // NPN selection callback. This is required to set SSL_CTX because // OpenSSL does not offer SSL_set_next_proto_select_cb. @@ -1555,16 +1555,15 @@ int cert_lookup_tree_add_ssl_ctx( SSL_CTX *ssl_ctx) { std::array buf; -#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L +#if LIBRESSL_2_7_API || \ + (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) auto cert = SSL_CTX_get0_certificate(ssl_ctx); -#else // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < - // 0x10002000L +#else // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L auto tls_ctx_data = static_cast(SSL_CTX_get_app_data(ssl_ctx)); auto cert = load_certificate(tls_ctx_data->cert_file); auto cert_deleter = defer(X509_free, cert); -#endif // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < - // 0x10002000L +#endif // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L auto altnames = static_cast( X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr)); @@ -1852,7 +1851,7 @@ int proto_version_from_string(const StringRef &v) { int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp, size_t ocsp_resplen) { -#if !defined(OPENSSL_NO_OCSP) && !defined(LIBRESSL_VERSION_NUMBER) && \ +#if !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE && \ OPENSSL_VERSION_NUMBER >= 0x10002000L int rv; @@ -1925,7 +1924,7 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp, if (LOG_ENABLED(INFO)) { LOG(INFO) << "OCSP verification succeeded"; } -#endif // !defined(OPENSSL_NO_OCSP) && !defined(LIBRESSL_VERSION_NUMBER) +#endif // !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE // && OPENSSL_VERSION_NUMBER >= 0x10002000L return 0; 
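Review bot: In `@@ -1555` the new `#else` and `#endif` comments, `!LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L`, are not the negation of the `#if`: the fallback branch is also taken for legacy LibreSSL, which advertises an `OPENSSL_VERSION_NUMBER` of 0x20000000L rather than anything below 0x10002000L, so the comment misdescribes precisely the configuration this commit is about. Suggest `#else // LIBRESSL_LEGACY_API || (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER < 0x10002000L)` with the same text on the `#endif`. That branch re-reads the certificate through `load_certificate(tls_ctx_data->cert_file)` and hands the result straight to `X509_get_ext_d2i`; whether load_certificate can return a null pointer is decided outside the hunk and deserves a glance while this code is being touched. cert_lookup_tree_add_ssl_ctx() continues past the hunk.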
diff --git a/src/ssl_compat.h b/src/ssl_compat.h index 22077b17..777b83c9 100644 --- a/src/ssl_compat.h +++ b/src/ssl_compat.h @@ -27,15 +27,17 @@ #include #if defined(LIBRESSL_VERSION_NUMBER) +#define OPENSSL_1_1_API 0 +#define OPENSSL_1_1_1_API 0 #define LIBRESSL_IN_USE 1 +#define LIBRESSL_LEGACY_API (LIBRESSL_VERSION_NUMBER < 0x20700000L) +#define LIBRESSL_2_7_API (LIBRESSL_VERSION_NUMBER >= 0x20700000L) #else // !defined(LIBRESSL_VERSION_NUMBER) +#define OPENSSL_1_1_API (OPENSSL_VERSION_NUMBER >= 0x1010000fL) +#define OPENSSL_1_1_1_API (OPENSSL_VERSION_NUMBER >= 0x10101000L) #define LIBRESSL_IN_USE 0 +#define LIBRESSL_LEGACY_API 0 +#define LIBRESSL_2_7_API 0 #endif // !defined(LIBRESSL_VERSION_NUMBER) -#define OPENSSL_1_1_API \ - (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL) - -#define OPENSSL_1_1_1_API \ - (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L) - #endif // OPENSSL_COMPAT_H
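Review bot: The five feature macros are introduced without any comment stating what each one selects, and they are easy to confuse: `LIBRESSL_IN_USE` is true for every LibreSSL, `LIBRESSL_LEGACY_API` and `LIBRESSL_2_7_API` are its two mutually exclusive halves, and `OPENSSL_1_1_API` / `OPENSSL_1_1_1_API` are now hard 0 under LibreSSL even where 2.7 implements part of the 1.1 surface. A short block above the `#if` describing each macro, noting that exactly one of `LIBRESSL_LEGACY_API` and `LIBRESSL_2_7_API` is set whenever `LIBRESSL_IN_USE` is, and stating that the OPENSSL_1_1* macros deliberately exclude LibreSSL would keep the callers in nghttp.cc, shrpx_config.cc, shrpx_tls.cc and shrpx_connection.cc honest. As a style point, the compound `!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L` that this commit now repeats at six sites is a natural candidate for one more macro defined here, so the next library bump is a one-line change instead of a sweep like this one. The header's include line and the top of the file are outside the hunk.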