From: Amos Jeffries <squid3@treenet.co.nz>
Date: Sat, 27 May 2017 01:03:47 +0000 (+1200)
Subject: Bug 4662 pt2: feature detect OpenSSL 1.1 API functions
X-Git-Tag: M-staged-PR71~158
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17e98f244d30babbcb122ec01c2682ded748400d;p=thirdparty%2Fsquid.git

Bug 4662 pt2: feature detect OpenSSL 1.1 API functions
---

diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index df131eece8..5c47f707f1 100644
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -58,6 +58,40 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[
   SQUID_STATE_ROLLBACK(check_openssl_TLS_METHODS)
 ])
 
+dnl Checks whether the -lcrypto library provides various OpenSSL API functions
+AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
+  AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists")
+  SQUID_STATE_SAVE(check_openssl_libcrypto_api)
+  AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
+  AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
+  AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1))
+  AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1))
+  AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1))
+  AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1))
+  AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1))
+  AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1))
+  SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api)
+])
+
+dnl Checks whether the -lssl library provides various OpenSSL API functions
+AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
+  AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists")
+  AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists")
+  SQUID_STATE_SAVE(check_openssl_libssl_api)
+  AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
+  AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
+  AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1))
+  SQUID_STATE_ROLLBACK(check_openssl_libssl_api)
+])
+
 dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
 dnl workaround can be used instead of using the SSL_get_certificate
 AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
diff --git a/configure.ac b/configure.ac
index b0e07c25db..74b0fe6a72 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1325,6 +1325,8 @@ if test "x$with_openssl" = "xyes"; then
     AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
 
     # check for API functions
+    SQUID_CHECK_LIBCRYPTO_API
+    SQUID_CHECK_LIBSSL_API
     SQUID_CHECK_OPENSSL_TLS_METHODS
     SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate)
     LIBS="$LIBS $SSLLIB"
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index f691cd918b..de03520c3c 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
@@ -43,7 +43,9 @@ static int squid_bio_destroy(BIO *data);
 /* SSL callbacks */
 static void squid_ssl_info(const SSL *ssl, int where, int ret);
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBCRYPTO_BIO_METH_NEW
+static BIO_METHOD *SquidMethods = nullptr;
+#else
 /// Initialization structure for the BIO table with
 /// Squid-specific methods and BIO method wrappers.
 static BIO_METHOD SquidMethods = {
@@ -58,16 +60,12 @@ static BIO_METHOD SquidMethods = {
     squid_bio_destroy,
     NULL // squid_callback_ctrl not supported
 };
-#else
-static BIO_METHOD *SquidMethods = NULL;
 #endif
 
 BIO *
 Ssl::Bio::Create(const int fd, Security::Io::Type type)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    BIO_METHOD *useMethod = &SquidMethods;
-#else
+#if HAVE_LIBCRYPTO_BIO_METH_NEW
     if (!SquidMethods) {
         SquidMethods = BIO_meth_new(BIO_TYPE_SOCKET, "squid");
         BIO_meth_set_write(SquidMethods, squid_bio_write);
@@ -79,6 +77,8 @@ Ssl::Bio::Create(const int fd, Security::Io::Type type)
         BIO_meth_set_destroy(SquidMethods, squid_bio_destroy);
     }
     const BIO_METHOD *useMethod = SquidMethods;
+#else
+    BIO_METHOD *useMethod = &SquidMethods;
 #endif
 
     if (BIO *bio = BIO_new(useMethod)) {
@@ -562,7 +562,7 @@ Ssl::ServerBio::resumingSession()
 static int
 squid_bio_create(BIO *bi)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
     bi->init = 0; // set when we store Bio object and socket fd (BIO_C_SET_FD)
     bi->num = 0;
     bi->flags = 0;
@@ -706,11 +706,11 @@ applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl
             cbytes[0] = (cipherId >> 8) & 0xFF;
             cbytes[1] = cipherId & 0xFF;
             cbytes[2] = 0;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CIPHER_FIND
+            const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
+#else
             const SSL_METHOD *method = SSLv23_method();
             const SSL_CIPHER *c = method->get_cipher_by_char(cbytes);
-#else
-            const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
 #endif
             if (c != NULL) {
                 if (!strCiphers.isEmpty())
diff --git a/src/ssl/bio.h b/src/ssl/bio.h
index c99d565b74..5feeb2bc91 100644
--- a/src/ssl/bio.h
+++ b/src/ssl/bio.h
@@ -202,7 +202,7 @@ private:
 void
 applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
 // OpenSSL v1.0 bio compatibility functions
 inline void *BIO_get_data(BIO *table) { return table->ptr; }
 inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; }
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 0089def552..b516e4d424 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -387,12 +387,12 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic
         DecipherOnly
     };
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA
+    EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
+    const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != nullptr);
+#else
     const int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
     const bool rsaPkey = (mimicAlgo == NID_rsaEncryption);
-#else
-    EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
-    const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != NULL);
 #endif
 
     int added = 0;
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index eec48f2165..4e49261fec 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -97,7 +97,7 @@ ssl_ask_password(SSL_CTX * context, const char * prompt)
     }
 }
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK
 static RSA *
 ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
 {
@@ -152,7 +152,7 @@ ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
 static void
 maybeSetupRsaCallback(Security::ContextPointer &ctx)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK
     debugs(83, 9, "Setting RSA key generation callback.");
     SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb);
 #endif
@@ -236,7 +236,7 @@ bool Ssl::checkX509ServerValidity(X509 *cert, const char *server)
     return matchX509CommonNames(cert, (void *)server, check_domain);
 }
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT
 static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
 {
     return ctx->cert;
@@ -1068,10 +1068,10 @@ hasAuthorityInfoAccessCaIssuers(X509 *cert)
             if (ad->location->type == GEN_URI) {
                 xstrncpy(uri,
                          reinterpret_cast<const char *>(
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-                             ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
-#else
+#if HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA
                              ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier)
+#else
+                             ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
 #endif
                          ),
                          sizeof(uri));
@@ -1203,11 +1203,11 @@ completeIssuers(X509_STORE_CTX *ctx, STACK_OF(X509) *untrustedCerts)
 {
     debugs(83, 2,  "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates");
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    int depth = ctx->param->depth;
-#else
+#if HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH
     const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
     int depth = X509_VERIFY_PARAM_get_depth(param);
+#else
+    int depth = ctx->param->depth;
 #endif
     X509 *current = X509_STORE_CTX_get0_cert(ctx);
     int i = 0;
@@ -1243,10 +1243,10 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *ctx,void *data)
     // OpenSSL already maintains ctx->untrusted but we cannot modify
     // internal OpenSSL list directly. We have to give OpenSSL our own
     // list, but it must include certificates on the OpenSSL ctx->untrusted
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    STACK_OF(X509) *oldUntrusted = ctx->untrusted;
-#else
+#if HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED
     STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx);
+#else
+    STACK_OF(X509) *oldUntrusted = ctx->untrusted;
 #endif
     STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL
 
@@ -1262,10 +1262,10 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *ctx,void *data)
 
     X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
     int ret = X509_verify_cert(ctx);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
-#else
+#if HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED
     X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted);
+#else
+    X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
 #endif
     sk_X509_free(sk); // Release sk list
     return ret;
@@ -1391,12 +1391,12 @@ store_session_cb(SSL *ssl, SSL_SESSION *session)
 
     SSL_SESSION_set_timeout(session, Config.SSL.session_ttl);
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-    unsigned char *id = session->session_id;
-    unsigned int idlen = session->session_id_length;
-#else
+#if HAVE_LIBSSL_SSL_SESSION_GET_ID
     unsigned int idlen;
     const unsigned char *id = SSL_SESSION_get_id(session, &idlen);
+#else
+    unsigned char *id = session->session_id;
+    unsigned int idlen = session->session_id_length;
 #endif
     unsigned char key[MEMMAP_SLOT_KEY_SIZE];
     // Session ids are of size 32bytes. They should always fit to a