dnl Checks whether the -lcrypto library provides various OpenSSL API functions
AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
+ AH_TEMPLATE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, "Define to 1 if the OPENSSL_LH_strhash() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_DATA, "Define to 1 if the BIO_get_data() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_UP_REF, "Define to 1 if the EVP_PKEY_up_ref() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists")
- AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_X509_UP_REF, "Define to 1 if the X509_up_ref() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_DH_UP_REF, "Define to 1 if the DH_up_ref() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, "Define to 1 if the X509_get0_signature() OpenSSL API function exists")
SQUID_STATE_SAVE(check_openssl_libcrypto_api)
LIBS="$LIBS $SSLLIB"
+ AC_CHECK_LIB(crypto, OPENSSL_LH_strhash, AC_DEFINE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, 1))
AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
+ AC_CHECK_LIB(crypto, BIO_get_data, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_DATA, 1))
AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1))
AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1))
+ AC_CHECK_LIB(crypto, EVP_PKEY_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_UP_REF, 1))
AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1))
AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1))
AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1))
- AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1))
AC_CHECK_LIB(crypto, X509_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_UP_REF, 1))
AC_CHECK_LIB(crypto, X509_CRL_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, 1))
AC_CHECK_LIB(crypto, DH_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_DH_UP_REF, 1))
- AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1))
+ AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1), AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,))
SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api)
])
dnl Checks whether the -lssl library provides various OpenSSL API functions
AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
+ AH_TEMPLATE(HAVE_LIBSSL_OPENSSL_INIT_SSL, "Define to 1 if the OPENSSL_init_ssl() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists")
AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists")
SQUID_STATE_SAVE(check_openssl_libssl_api)
LIBS="$LIBS $SSLLIB"
+ AC_CHECK_LIB(ssl, OPENSSL_init_ssl, AC_DEFINE(HAVE_LIBSSL_OPENSSL_INIT_SSL, 1))
AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1))
#include <openssl/err.h>
],
[
+#if defined(SSLeay_add_ssl_algorithms)
SSLeay_add_ssl_algorithms();
+#endif
#if HAVE_OPENSSL_TLS_METHOD
SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
#else
#include <openssl/err.h>
],
[
+#if defined(SSLeay_add_ssl_algorithms)
SSLeay_add_ssl_algorithms();
+#endif
#if HAVE_OPENSSL_TLS_METHOD
SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
#else
dnl Checks whether the X509_get0_signature() has const arguments
AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS],[
- AH_TEMPLATE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, "Define if X509_get0_signature() accepts const parameters")
+ AH_TEMPLATE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, Define to const if X509_get0_signature() accepts const parameters; define as empty otherwise. Don't leave it undefined!)
SQUID_STATE_SAVE(check_const_X509_get0_signature_args)
AC_MSG_CHECKING("whether X509_get0_signature() accepts const parameters")
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
#endif
])
],[
- AC_DEFINE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, 1)
+ AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, const)
AC_MSG_RESULT([yes])
],[
+ AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,)
AC_MSG_RESULT([no])
])
SQUID_STATE_ROLLBACK(check_const_X509_get0_signature_args)
initgroups.h \
memrchr.cc \
memrchr.h \
+ openssl.h \
osdetect.h \
psignal.h \
shm.cc \
--- /dev/null
+/*
+ * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+ */
+
+/* OpenSSL API changed dramatically between 1.0.2 and 1.1.0, and
+ * compatibility was broken. Most of the structures became opaque,
+ * and access functions were created. There's no (safe) way to
+ * access the struct members any more, so the solution is to use
+ * the new API in the main code, and add the functions for older
+ * versions in compat/openssl.h.
+ * Once all the supported library versions use the new API, the shim
+ * can be dropped.
+ */
+
+#ifndef OPENSSL_COMPAT_H
+#define OPENSSL_COMPAT_H
+
+#if !USE_OPENSSL
+#error compat/openssl.h depends on USE_OPENSSL
+#endif
+
+#if HAVE_OPENSSL_ASN1_H
+#include <openssl/asn1.h>
+#endif
+#if HAVE_OPENSSL_BIO_H
+#include <openssl/bio.h>
+#endif
+#if HAVE_OPENSSL_DH_H
+#include <openssl/dh.h>
+#endif
+#if HAVE_OPENSSL_EVP_H
+#include <openssl/evp.h>
+#endif
+#if HAVE_OPENSSL_LHASH_H
+#include <openssl/lhash.h>
+#endif
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_X509_H
+#include <openssl/x509.h>
+#endif
+
+extern "C" {
+
+#if !HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA
+ inline const unsigned char *
+ ASN1_STRING_get0_data(const ASN1_STRING *x)
+ {
+ return x->data;
+ }
+#endif
+
+#if !HAVE_LIBCRYPTO_BIO_GET_DATA
+ inline void *
+ BIO_get_data(BIO *table)
+ {
+ return table->ptr;
+ }
+
+ inline void
+ BIO_set_data(BIO *table, void *data)
+ {
+ table->ptr = data;
+ }
+
+ inline void
+ BIO_set_init(BIO *table, int init)
+ {
+ table->init = init;
+ }
+#endif
+
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
+ inline int
+ BIO_get_init(BIO *table)
+ {
+ return table->init;
+ }
+#endif
+
+#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API
+#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API
+ inline int
+ DH_up_ref(DH *t)
+ {
+ if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH) > 1))
+ return 1;
+ return 0;
+ }
+#else
+#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0)
+#endif /* OpenSSL 1.0 CRYPTO_LOCK_DH */
+#endif /* OpenSSL 1.1 DH_up_ref */
+
+#if !HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA
+ inline RSA *
+ EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+ {
+ if (pkey->type != EVP_PKEY_RSA)
+ return nullptr;
+ return pkey->pkey.rsa;
+ }
+#endif
+
+#if !HAVE_LIBCRYPTO_EVP_PKEY_UP_REF
+#if defined(CRYPTO_LOCK_EVP_PKEY) // OpenSSL 1.0
+ inline int
+ EVP_PKEY_up_ref(EVP_PKEY *t)
+ {
+ if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_EVP_PKEY)) > 1)
+ return 1;
+ return 0;
+ }
+
+#else
+#error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0)
+#endif /* OpenSSL 1.0 CRYPTO_LOCK_EVP_PKEY */
+#endif /* OpenSSL 1.1 EVP_PKEY_up_ref */
+
+#if !HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH
+#define OPENSSL_LH_delete lh_delete
+#define OPENSSL_LH_strhash lh_strhash
+#endif
+
+#if !defined OPENSSL_VERSION
+#define OPENSSL_VERSION SSLEAY_VERSION
+#define OpenSSL_version SSLeay_version
+#endif
+
+#if !HAVE_LIBSSL_SSL_CIPHER_FIND
+ inline const SSL_CIPHER *
+ SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr)
+ {
+ return ssl->method->get_cipher_by_char(ptr);
+ }
+#endif
+
+#if !HAVE_LIBSSL_SSL_SESSION_GET_ID
+ inline const unsigned char *
+ SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len)
+ {
+ if (len)
+ *len = s->session_id_length;
+ return s->session_id;
+ }
+#endif
+
+#if !HAVE_OPENSSL_TLS_CLIENT_METHOD
+#define TLS_client_method SSLv23_client_method
+#endif
+
+#if !HAVE_OPENSSL_TLS_SERVER_METHOD
+#define TLS_server_method SSLv23_server_method
+#endif
+
+#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API
+#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API
+ inline int
+ X509_CRL_up_ref(X509_CRL *t)
+ {
+ if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL) > 1))
+ return 1;
+ return 0;
+ }
+#else
+#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)
+#endif /* CRYPTO_LOCK_X509_CRL */
+#endif /* X509_CRL_up_ref */
+
+#if !HAVE_LIBCRYPTO_X509_GET0_SIGNATURE
+ inline void
+ X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, const X509 *x)
+ {
+ if (psig)
+ *psig = (ASN1_BIT_STRING *)&x->signature;
+ if (palg)
+ *palg = (X509_ALGOR *)&x->sig_alg;
+ }
+#endif
+
+#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT
+ inline X509 *
+ X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
+ {
+ return ctx->cert;
+ }
+#endif
+
+#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED
+ inline STACK_OF(X509) *
+ X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx)
+ {
+ return ctx->untrusted;
+ }
+
+/// Note that all of the calls in this next group were renamed, or had the new
+/// name added at the same time as X509_STORE_CTX_get0_untrusted was implemented,
+/// in all supported OpenSSL-compatible libraries
+#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain
+#define X509_getm_notAfter X509_get_notAfter
+#define X509_getm_notBefore X509_get_notBefore
+#define X509_set1_notAfter X509_set_notAfter
+#define X509_set1_notBefore X509_set_notBefore
+#endif /* !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED */
+
+#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API
+#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API
+ inline int
+ X509_up_ref(X509 *t)
+ {
+ if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509)) > 1)
+ return 1;
+ return 0;
+ }
+#else
+#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)
+#endif /* CRYPTO_LOCK_X509 */
+#endif /* X509_up_ref */
+
+#if !HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH
+ inline int
+ X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param)
+ {
+ return param->depth;
+ }
+#endif
+
+} /* extern "C" */
+
+inline void
+SQUID_OPENSSL_init_ssl(void)
+{
+#if HAVE_LIBSSL_OPENSSL_INIT_SSL
+ // OpenSSL will properly auto-initialize itself (in Squid context).
+ // No explicit initialization is required.
+ //OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, nullptr);
+#else
+ SSL_load_error_strings();
+ SSLeay_add_ssl_algorithms();
+#endif
+}
+
+#endif /* OPENSSL_COMPAT_H */
+
## OpenSSL is default disable due to licensing issues on some OS
if test "x$with_openssl" = "xyes"; then
AC_CHECK_HEADERS( \
+ openssl/asn1.h \
openssl/bio.h \
+ openssl/bn.h \
openssl/crypto.h \
+ openssl/dh.h \
openssl/err.h \
+ openssl/evp.h \
+ openssl/lhash.h \
openssl/md5.h \
openssl/opensslv.h \
+ openssl/rsa.h \
openssl/ssl.h \
+ openssl/x509.h \
openssl/x509v3.h \
openssl/engine.h \
openssl/txt_db.h \
;;
esac
+ #
+ # If a file includes openssl headers, then it must include compat/openssl.h
+ #
+ if test "${FILENAME}" != "compat/openssl.h" && \
+ (FI=`grep "#include.*openssl/" "${FILENAME}" 2>/dev/null`; \
+ test "x${FI}" != "x") && \
+ (FI=`grep "#include \"compat/openssl\.h\"" "${FILENAME}" 2>/dev/null`; \
+ test "x${FI}" == "x"); then
+ echo "ERROR: ${FILENAME} includes openssl headers without including \"compat/openssl.h\""
+ fi
+
#
# forward.h means different things to Squid code depending on the path
# require the full path is explicit for every include
//TODO: remove, it is unconditionally defined and always used.
#define PEER_MULTICAST_SIBLINGS 1
-#if HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-
class NeighborTypeDomainList;
class PconnPool;
class PeerDigest;
if (strlen(SQUID_BUILD_INFO))
printf("%s\n",SQUID_BUILD_INFO);
#if USE_OPENSSL
- printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION));
+ printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION));
printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n");
#endif
printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS);
#include <memory>
#if USE_OPENSSL
+#include "compat/openssl.h"
#if HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
#include "base/HardFun.h"
#if USE_OPENSSL
+#include "compat/openssl.h"
#if HAVE_OPENSSL_CRYPTO_H
#include <openssl/crypto.h>
#endif
#if USE_OPENSSL
Ssl::Initialize();
-#if HAVE_OPENSSL_TLS_CLIENT_METHOD
SSL_CTX *t = SSL_CTX_new(TLS_client_method());
-#else
- SSL_CTX *t = SSL_CTX_new(SSLv23_client_method());
-#endif
if (!t) {
const auto x = ERR_get_error();
fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x));
#include "security/Session.h"
#include "SquidConfig.h"
#if USE_OPENSSL
+#include "compat/openssl.h"
#include "ssl/support.h"
-#endif
#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
-#if HAVE_OPENSSL_X509_H
-#include <openssl/x509.h>
#endif
Security::ServerOptions &
#if USE_OPENSSL
Ssl::Initialize();
-#if HAVE_OPENSSL_SERVER_METHOD
SSL_CTX *t = SSL_CTX_new(TLS_server_method());
-#else
- SSL_CTX *t = SSL_CTX_new(SSLv23_server_method());
-#endif
if (!t) {
const auto x = ERR_get_error();
debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x));
#include "anyp/forward.h"
#include "security/PeerOptions.h"
+#if USE_OPENSSL
+#include "compat/openssl.h"
+#if HAVE_OPENSSL_X509_H
+#include <openssl/x509.h>
+#endif
+#endif
namespace Security
{
SSL_SESSION_set_timeout(session, Config.SSL.session_ttl);
-#if HAVE_LIBSSL_SSL_SESSION_GET_ID
unsigned int idlen;
const unsigned char *id = SSL_SESSION_get_id(session, &idlen);
-#else
- unsigned char *id = session->session_id;
- unsigned int idlen = session->session_id_length;
-#endif
// XXX: the other calls [to openForReading()] do not copy the sessionId to a char buffer, does this really have to?
unsigned char key[MEMMAP_SLOT_KEY_SIZE];
// Session ids are of size 32bytes. They should always fit to a
#include <memory>
#if USE_OPENSSL
+#include "compat/openssl.h"
#if HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
data = lh_OPENSSL_STRING_delete(fieldIndex, rrow);
#else
if (LHASH *fieldIndex = db->index[db_indexes[i]])
- data = lh_delete(fieldIndex, rrow);
+ data = OPENSSL_LH_delete(fieldIndex, rrow);
#endif
if (data)
assert(data == rrow);
const char *n = a[Ssl::CertificateDb::cnlSerial];
while (*n == '0')
++n;
- return lh_strhash(n);
+ return OPENSSL_LH_strhash(n);
}
int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) {
}
unsigned long Ssl::CertificateDb::index_name_hash(const char **a) {
- return(lh_strhash(a[Ssl::CertificateDb::cnlKey]));
+ return(OPENSSL_LH_strhash(a[Ssl::CertificateDb::cnlKey]));
}
int Ssl::CertificateDb::index_name_cmp(const char **a, const char **b) {
dbSize = size(); // get the current database size
}
- ASN1_UTCTIME * tm = X509_get_notAfter(cert.get());
+ const auto tm = X509_getm_notAfter(cert.get());
row.setValue(cnlExp_date, std::string(reinterpret_cast<char *>(tm->data), tm->length).c_str());
std::unique_ptr<char, CharDeleter> subject(X509_NAME_oneline(X509_get_subject_name(cert.get()), nullptr, 0));
row.setValue(cnlName, subject.get());
#include "ssl/gadgets.h"
-#if HAVE_OPENSSL_OPENSSLV_H
-#include <openssl/opensslv.h>
-#endif
#include <string>
namespace Ssl
}
// Initialize SSL subsystem
- SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
+ SQUID_OPENSSL_init_ssl();
// process request.
for (;;) {
char request[HELPER_INPUT_BUFFER];
#include <gnutls/abstract.h>
#endif
#include <list>
-#if USE_OPENSSL && HAVE_OPENSSL_ERR_H
+#if USE_OPENSSL
+#include "compat/openssl.h"
+#if HAVE_OPENSSL_BN_H
+#include <openssl/bn.h>
+#endif
+#if HAVE_OPENSSL_ERR_H
#include <openssl/err.h>
#endif
+#if HAVE_OPENSSL_RSA_H
+#include <openssl/rsa.h>
+#endif
+#endif /* USE_OPENSSL */
#include <unordered_set>
#if USE_OPENSSL
struct sk_object ## _free_wrapper { \
void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
}
-
-#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API
-#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API
-inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;}
-#else
-#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)
-#endif /* CRYPTO_LOCK_X509 */
-#endif /* X509_up_ref */
-
-#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API
-#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API
-inline int X509_CRL_up_ref(X509_CRL *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL); return 0;}
-#else
-#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)
-#endif /* CRYPTO_LOCK_X509_CRL */
-#endif /* X509_CRL_up_ref */
-#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API
-#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API
-inline int DH_up_ref(DH *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH); return 0;}
-#else
-
-#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0)
-#endif /* OpenSSL 1.0 CRYPTO_LOCK_X509_CRL */
-#endif /* OpenSSL 1.1 DH_up_ref */
-
-#if !HAVE_LIBCRYPTO_EVP_PKEY_UP_REF
-#if defined(CRYPTO_LOCK_EVP_PKEY) // OpenSSL 1.0
-inline int EVP_PKEY_up_ref(EVP_PKEY *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_EVP_PKEY); return 0;}
-#endif
-#else
-#error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0)
-#endif
-
#endif /* USE_OPENSSL */
/* flags a SSL connection can be configured with */
const char *Ssl::ErrorDetail::notbefore() const
{
if (broken_cert.get()) {
- if (ASN1_UTCTIME * tm = X509_get_notBefore(broken_cert.get())) {
+ if (const auto tm = X509_getm_notBefore(broken_cert.get())) {
static char tmpBuffer[256]; // A temporary buffer
Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer));
return tmpBuffer;
const char *Ssl::ErrorDetail::notafter() const
{
if (broken_cert.get()) {
- if (ASN1_UTCTIME * tm = X509_get_notAfter(broken_cert.get())) {
+ if (const auto tm = X509_getm_notAfter(broken_cert.get())) {
static char tmpBuffer[256]; // A temporary buffer
Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer));
return tmpBuffer;
#include "SquidTime.h"
#include "ssl/bio.h"
-#if HAVE_OPENSSL_SSL_H
-#include <openssl/ssl.h>
-#endif
-
#if _SQUID_WINDOWS_
extern int socket_read_method(int, char *, int);
extern int socket_write_method(int, const char *, int);
BIO_meth_set_create(SquidMethods, squid_bio_create);
BIO_meth_set_destroy(SquidMethods, squid_bio_destroy);
}
- const BIO_METHOD *useMethod = SquidMethods;
+ BIO_METHOD *useMethod = SquidMethods;
#else
BIO_METHOD *useMethod = &SquidMethods;
#endif
cbytes[0] = (cipherId >> 8) & 0xFF;
cbytes[1] = cipherId & 0xFF;
cbytes[2] = 0;
-#if HAVE_LIBSSL_SSL_CIPHER_FIND
- const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
-#else
- const SSL_METHOD *method = SSLv23_method();
- const SSL_CIPHER *c = method->get_cipher_by_char(cbytes);
-#endif
- if (c != NULL) {
+ if (const auto c = SSL_CIPHER_find(ssl, cbytes)) {
if (!strCiphers.isEmpty())
strCiphers.append(":");
strCiphers.append(SSL_CIPHER_get_name(c));
#if USE_OPENSSL
+#include "compat/openssl.h"
#include "FadingCounter.h"
#include "fd.h"
#include "MemBuf.h"
void
applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
-#if !HAVE_LIBCRYPTO_BIO_GET_INIT
-// OpenSSL v1.0 bio compatibility functions
-inline void *BIO_get_data(BIO *table) { return table->ptr; }
-inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; }
-inline int BIO_get_init(BIO *table) { return table->init; }
-inline void BIO_set_init(BIO *table, int init) { table->init = init; }
-#endif
-
#endif /* USE_OPENSSL */
#endif /* SQUID_SSL_BIO_H */
#include "Store.h"
#include <limits>
+#if USE_OPENSSL
+#include "compat/openssl.h"
#if HAVE_OPENSSL_SSL_H
#include <openssl/ssl.h>
#endif
+#endif
Ssl::CertificateStorageAction::CertificateStorageAction(const Mgr::Command::Pointer &aCmd)
: Mgr::Action(aCmd)
#include "base/LruMap.h"
#include "CacheManager.h"
+#include "compat/openssl.h"
#include "ip/Address.h"
#include "mgr/Action.h"
#include "mgr/Command.h"
#include "squid.h"
#include "ssl/gadgets.h"
-#include <openssl/asn1.h>
-#if HAVE_OPENSSL_X509V3_H
-#include <openssl/x509v3.h>
-#endif
-
EVP_PKEY * Ssl::createSslPrivateKey()
{
Security::PrivateKeyPointer pkey(EVP_PKEY_new());
DecipherOnly
};
-#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA
EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != nullptr);
-#else
- const int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
- const bool rsaPkey = (mimicAlgo == NID_rsaEncryption);
-#endif
int added = 0;
int nid;
// objects.
ASN1_TIME *aTime = NULL;
if (!properties.setValidBefore && properties.mimicCert.get())
- aTime = X509_get_notBefore(properties.mimicCert.get());
+ aTime = X509_getm_notBefore(properties.mimicCert.get());
if (!aTime && properties.signWithX509.get())
- aTime = X509_get_notBefore(properties.signWithX509.get());
+ aTime = X509_getm_notBefore(properties.signWithX509.get());
if (aTime) {
- if (!X509_set_notBefore(cert.get(), aTime))
+ if (!X509_set1_notBefore(cert.get(), aTime))
return false;
- } else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60))
+ } else if (!X509_gmtime_adj(X509_getm_notBefore(cert.get()), (-2)*24*60*60))
return false;
aTime = NULL;
if (!properties.setValidAfter && properties.mimicCert.get())
- aTime = X509_get_notAfter(properties.mimicCert.get());
+ aTime = X509_getm_notAfter(properties.mimicCert.get());
if (!aTime && properties.signWithX509.get())
- aTime = X509_get_notAfter(properties.signWithX509.get());
+ aTime = X509_getm_notAfter(properties.signWithX509.get());
if (aTime) {
- if (!X509_set_notAfter(cert.get(), aTime))
+ if (!X509_set1_notAfter(cert.get(), aTime))
return false;
- } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3))
+ } else if (!X509_gmtime_adj(X509_getm_notAfter(cert.get()), 60*60*24*356*3))
return false;
int addedExtensions = 0;
return false;
if (!properties.setValidBefore) {
- ASN1_TIME *aTime = X509_get_notBefore(cert);
- ASN1_TIME *bTime = X509_get_notBefore(cert2);
+ const auto aTime = X509_getm_notBefore(cert);
+ const auto bTime = X509_getm_notBefore(cert2);
if (asn1time_cmp(aTime, bTime) != 0)
return false;
- } else if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0) {
+ } else if (X509_cmp_current_time(X509_getm_notBefore(cert)) >= 0) {
// notBefore does not exist (=0) or it is in the future (>0)
return false;
}
if (!properties.setValidAfter) {
- ASN1_TIME *aTime = X509_get_notAfter(cert);
- ASN1_TIME *bTime = X509_get_notAfter(cert2);
+ const auto aTime = X509_getm_notAfter(cert);
+ const auto bTime = X509_getm_notAfter(cert2);
if (asn1time_cmp(aTime, bTime) != 0)
return false;
- } else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0) {
+ } else if (X509_cmp_current_time(X509_getm_notAfter(cert)) <= 0) {
// notAfter does not exist (0) or it is in the past (<0)
return false;
}
const ASN1_BIT_STRING *
Ssl::X509_get_signature(const Security::CertPointer &cert)
{
-#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE
-#if SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS
- const ASN1_BIT_STRING *sig = nullptr;
- const X509_ALGOR *sig_alg = nullptr;
-#else
- ASN1_BIT_STRING *sig = nullptr;
- X509_ALGOR *sig_alg = nullptr;
-#endif
+ SQUID_CONST_X509_GET0_SIGNATURE_ARGS ASN1_BIT_STRING *sig = nullptr;
+ SQUID_CONST_X509_GET0_SIGNATURE_ARGS X509_ALGOR *sig_alg = nullptr;
+
X509_get0_signature(&sig, &sig_alg, cert.get());
return sig;
-#else
- return cert->signature;
-#endif
}
#include "security/forward.h"
#include "ssl/crtd_message.h"
+#if USE_OPENSSL
+#include "compat/openssl.h"
+#if HAVE_OPENSSL_ASN1_H
+#include <openssl/asn1.h>
+#endif
#if HAVE_OPENSSL_TXT_DB_H
#include <openssl/txt_db.h>
#endif
#if HAVE_OPENSSL_X509V3_H
#include <openssl/x509v3.h>
#endif
+#endif
#include <string>
namespace Ssl
because they are used by security_file_certgen helper.
*/
-#if SQUID_USE_CONST_SSL_METHOD
-typedef const SSL_METHOD * ContextMethod;
-#else
-typedef SSL_METHOD * ContextMethod;
-#endif
-
#if !defined(SQUID_SSL_SIGN_HASH_IF_NONE)
#define SQUID_SSL_SIGN_HASH_IF_NONE "sha256"
#endif
static RSA *
ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
{
- static RSA *rsa_512 = NULL;
- static RSA *rsa_1024 = NULL;
- RSA *rsa = NULL;
+ static RSA *rsa_512 = nullptr;
+ static RSA *rsa_1024 = nullptr;
+ static BIGNUM *e = nullptr;
+ RSA *rsa = nullptr;
int newkey = 0;
+ if (!e) {
+ e = BN_new();
+ if (!e || !BN_set_word(e, RSA_F4)) {
+ debugs(83, DBG_IMPORTANT, "ssl_temp_rsa_cb: Failed to set exponent for key " << keylen);
+ BN_free(e);
+ e = nullptr;
+ return nullptr;
+ }
+ }
+
switch (keylen) {
case 512:
if (!rsa_512) {
- rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL);
- newkey = 1;
+ rsa_512 = RSA_new();
+ if (rsa_512 && RSA_generate_key_ex(rsa_512, 512, e, nullptr)) {
+ newkey = 1;
+ } else {
+ RSA_free(rsa_512);
+ rsa_512 = nullptr;
+ }
}
rsa = rsa_512;
case 1024:
if (!rsa_1024) {
- rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL);
- newkey = 1;
+ rsa_1024 = RSA_new();
+ if (rsa_1024 && RSA_generate_key_ex(rsa_1024, 1024, e, nullptr)) {
+ newkey = 1;
+ } else {
+ RSA_free(rsa_1024);
+ rsa_1024 = nullptr;
+ }
}
rsa = rsa_1024;
return matchX509CommonNames(cert, (void *)server, check_domain);
}
-#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT
-static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
-{
- return ctx->cert;
-}
-#endif
-
/// \ingroup ServerProtocolSSLInternal
static int
ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
return;
initialized = true;
- SSL_load_error_strings();
- SSLeay_add_ssl_algorithms();
+ SQUID_OPENSSL_init_ssl();
#if HAVE_OPENSSL_ENGINE_H
if (::Config.SSL.ssl_engine) {
#endif
if (!cert)
return false;
- ASN1_TIME * time_notBefore = X509_get_notBefore(cert);
- ASN1_TIME * time_notAfter = X509_get_notAfter(cert);
+ const auto time_notBefore = X509_getm_notBefore(cert);
+ const auto time_notAfter = X509_getm_notAfter(cert);
return (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0);
}
if (ad->location->type == GEN_URI) {
xstrncpy(uri,
reinterpret_cast<const char *>(
-#if HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA
ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier)
-#else
- ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
-#endif
),
sizeof(uri));
}
{
debugs(83, 2, "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates");
-#if HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH
const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
int depth = X509_VERIFY_PARAM_get_depth(param);
-#else
- int depth = ctx->param->depth;
-#endif
X509 *current = X509_STORE_CTX_get0_cert(ctx);
int i = 0;
for (i = 0; current && (i < depth); ++i) {
// OpenSSL already maintains ctx->untrusted but we cannot modify
// internal OpenSSL list directly. We have to give OpenSSL our own
// list, but it must include certificates on the OpenSSL ctx->untrusted
-#if HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED
STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx);
-#else
- STACK_OF(X509) *oldUntrusted = ctx->untrusted;
-#endif
STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL
for (int i = 0; i < sk_X509_num(sslUntrustedStack); ++i) {
if (SquidUntrustedCerts.size() > 0)
completeIssuers(ctx, sk);
- X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
+ X509_STORE_CTX_set0_untrusted(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
int ret = X509_verify_cert(ctx);
-#if HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED
- X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted);
-#else
- X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
-#endif
+ X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted); // Set back the old untrusted list
sk_X509_free(sk); // Release sk list
return ret;
}
#include "base/CbDataList.h"
#include "comm/forward.h"
+#include "compat/openssl.h"
#include "sbuf/SBuf.h"
#include "security/forward.h"
#include "ssl/gadgets.h"
projects / thirdparty / squid.git / commitdiff
