SQUID_STATE_ROLLBACK(check_openssl_TLS_METHODS)
])
+dnl Checks whether the -lcrypto library provides various OpenSSL API functions
+AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
+ AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists")
+ SQUID_STATE_SAVE(check_openssl_libcrypto_api)
+ AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
+ AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
+ AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1))
+ AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1))
+ AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1))
+ AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1))
+ AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1))
+ AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1))
+ SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api)
+])
+
+dnl Checks whether the -lssl library provides various OpenSSL API functions
+AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
+ AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists")
+ SQUID_STATE_SAVE(check_openssl_libssl_api)
+ AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
+ AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
+ AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1))
+ SQUID_STATE_ROLLBACK(check_openssl_libssl_api)
+])
+
dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
dnl workaround can be used instead of using the SSL_get_certificate
AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
# check for API functions
+ SQUID_CHECK_LIBCRYPTO_API
+ SQUID_CHECK_LIBSSL_API
SQUID_CHECK_OPENSSL_TLS_METHODS
SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate)
LIBS="$LIBS $SSLLIB"
/* SSL callbacks */
static void squid_ssl_info(const SSL *ssl, int where, int ret);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBCRYPTO_BIO_METH_NEW
+static BIO_METHOD *SquidMethods = nullptr;
+#else
/// Initialization structure for the BIO table with
/// Squid-specific methods and BIO method wrappers.
static BIO_METHOD SquidMethods = {
squid_bio_destroy,
NULL // squid_callback_ctrl not supported
};
-#else
-static BIO_METHOD *SquidMethods = NULL;
#endif
BIO *
Ssl::Bio::Create(const int fd, Security::Io::Type type)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- BIO_METHOD *useMethod = &SquidMethods;
-#else
+#if HAVE_LIBCRYPTO_BIO_METH_NEW
if (!SquidMethods) {
SquidMethods = BIO_meth_new(BIO_TYPE_SOCKET, "squid");
BIO_meth_set_write(SquidMethods, squid_bio_write);
BIO_meth_set_destroy(SquidMethods, squid_bio_destroy);
}
const BIO_METHOD *useMethod = SquidMethods;
+#else
+ BIO_METHOD *useMethod = &SquidMethods;
#endif
if (BIO *bio = BIO_new(useMethod)) {
static int
squid_bio_create(BIO *bi)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
bi->init = 0; // set when we store Bio object and socket fd (BIO_C_SET_FD)
bi->num = 0;
bi->flags = 0;
cbytes[0] = (cipherId >> 8) & 0xFF;
cbytes[1] = cipherId & 0xFF;
cbytes[2] = 0;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CIPHER_FIND
+ const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
+#else
const SSL_METHOD *method = SSLv23_method();
const SSL_CIPHER *c = method->get_cipher_by_char(cbytes);
-#else
- const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
#endif
if (c != NULL) {
if (!strCiphers.isEmpty())
void
applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
// OpenSSL v1.0 bio compatibility functions
inline void *BIO_get_data(BIO *table) { return table->ptr; }
inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; }
DecipherOnly
};
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA
+ EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
+ const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != nullptr);
+#else
const int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
const bool rsaPkey = (mimicAlgo == NID_rsaEncryption);
-#else
- EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
- const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != NULL);
#endif
int added = 0;
}
}
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK
static RSA *
ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
{
static void
maybeSetupRsaCallback(Security::ContextPointer &ctx)
{
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK
debugs(83, 9, "Setting RSA key generation callback.");
SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb);
#endif
return matchX509CommonNames(cert, (void *)server, check_domain);
}
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT
static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
{
return ctx->cert;
if (ad->location->type == GEN_URI) {
xstrncpy(uri,
reinterpret_cast<const char *>(
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
-#else
+#if HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA
ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier)
+#else
+ ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
#endif
),
sizeof(uri));
{
debugs(83, 2, "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates");
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- int depth = ctx->param->depth;
-#else
+#if HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH
const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
int depth = X509_VERIFY_PARAM_get_depth(param);
+#else
+ int depth = ctx->param->depth;
#endif
X509 *current = X509_STORE_CTX_get0_cert(ctx);
int i = 0;
// OpenSSL already maintains ctx->untrusted but we cannot modify
// internal OpenSSL list directly. We have to give OpenSSL our own
// list, but it must include certificates on the OpenSSL ctx->untrusted
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- STACK_OF(X509) *oldUntrusted = ctx->untrusted;
-#else
+#if HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED
STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx);
+#else
+ STACK_OF(X509) *oldUntrusted = ctx->untrusted;
#endif
STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL
X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
int ret = X509_verify_cert(ctx);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
-#else
+#if HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED
X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted);
+#else
+ X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
#endif
sk_X509_free(sk); // Release sk list
return ret;
SSL_SESSION_set_timeout(session, Config.SSL.session_ttl);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- unsigned char *id = session->session_id;
- unsigned int idlen = session->session_id_length;
-#else
+#if HAVE_LIBSSL_SSL_SESSION_GET_ID
unsigned int idlen;
const unsigned char *id = SSL_SESSION_get_id(session, &idlen);
+#else
+ unsigned char *id = session->session_id;
+ unsigned int idlen = session->session_id_length;
#endif
unsigned char key[MEMMAP_SLOT_KEY_SIZE];
// Session ids are of size 32bytes. They should always fit to a
projects / thirdparty / squid.git / commitdiff
