From: Eneas Queiroz Date: Wed, 10 Oct 2018 16:45:29 +0000 (+0000) Subject: Allow compilation with minimal OpenSSL (#281) X-Git-Tag: M-staged-PR304~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=24b30fdc3d33ec1566b1c78e68bca2d7e18c1c38;p=thirdparty%2Fsquid.git Allow compilation with minimal OpenSSL (#281) Updated use of OpenSSL deprecated API, so that Squid can be compiled with OpenSSL built with the OPENSSL_NO_DEPRECATED option. Such OpenSSL builds are useful for saving storage space on embedded systems. Also added compat/openssl.h -- a centralized OpenSSL portability shim. Including it is now required before #including openssl/*.h headers. --- diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4 index b581c61c88..9866528390 100644 --- a/acinclude/lib-checks.m4 +++ b/acinclude/lib-checks.m4 @@ -61,42 +61,48 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[ dnl Checks whether the -lcrypto library provides various OpenSSL API functions AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[ + AH_TEMPLATE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, "Define to 1 if the OPENSSL_LH_strhash() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists") + AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_DATA, "Define to 1 if the BIO_get_data() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists") + AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_UP_REF, "Define to 1 if the EVP_PKEY_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists") - AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_UP_REF, "Define to 1 if the X509_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_DH_UP_REF, "Define to 1 if the DH_up_ref() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, "Define to 1 if the X509_get0_signature() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_libcrypto_api) LIBS="$LIBS $SSLLIB" + AC_CHECK_LIB(crypto, OPENSSL_LH_strhash, AC_DEFINE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, 1)) AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1)) AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1)) + AC_CHECK_LIB(crypto, BIO_get_data, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_DATA, 1)) AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1)) AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1)) + AC_CHECK_LIB(crypto, EVP_PKEY_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_UP_REF, 1)) AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1)) AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1)) AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1)) - AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1)) AC_CHECK_LIB(crypto, X509_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_UP_REF, 1)) AC_CHECK_LIB(crypto, X509_CRL_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, 1)) AC_CHECK_LIB(crypto, DH_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_DH_UP_REF, 1)) - AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1)) + AC_CHECK_LIB(crypto, X509_get0_signature, AC_DEFINE(HAVE_LIBCRYPTO_X509_GET0_SIGNATURE, 1), AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,)) SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api) ]) dnl Checks whether the -lssl library provides various OpenSSL API functions AC_DEFUN([SQUID_CHECK_LIBSSL_API],[ + AH_TEMPLATE(HAVE_LIBSSL_OPENSSL_INIT_SSL, "Define to 1 if the OPENSSL_init_ssl() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_libssl_api) LIBS="$LIBS $SSLLIB" + AC_CHECK_LIB(ssl, OPENSSL_init_ssl, AC_DEFINE(HAVE_LIBSSL_OPENSSL_INIT_SSL, 1)) AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1)) AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1)) AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1)) @@ -122,7 +128,9 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[ #include ], [ +#if defined(SSLeay_add_ssl_algorithms) SSLeay_add_ssl_algorithms(); +#endif #if HAVE_OPENSSL_TLS_METHOD SSL_CTX *sslContext = SSL_CTX_new(TLS_method()); #else @@ -153,7 +161,9 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[ #include ], [ +#if defined(SSLeay_add_ssl_algorithms) SSLeay_add_ssl_algorithms(); +#endif #if HAVE_OPENSSL_TLS_METHOD SSL_CTX *sslContext = SSL_CTX_new(TLS_method()); #else @@ -261,7 +271,7 @@ return 0; dnl Checks whether the X509_get0_signature() has const arguments AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS],[ - AH_TEMPLATE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, "Define if X509_get0_signature() accepts const parameters") + AH_TEMPLATE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, Define to const if X509_get0_signature() accepts const parameters; define as empty otherwise. Don't leave it undefined!) SQUID_STATE_SAVE(check_const_X509_get0_signature_args) AC_MSG_CHECKING("whether X509_get0_signature() accepts const parameters") AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ @@ -276,9 +286,10 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS],[ #endif ]) ],[ - AC_DEFINE(SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS, 1) + AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS, const) AC_MSG_RESULT([yes]) ],[ + AC_DEFINE(SQUID_CONST_X509_GET0_SIGNATURE_ARGS,) AC_MSG_RESULT([no]) ]) SQUID_STATE_ROLLBACK(check_const_X509_get0_signature_args) diff --git a/compat/Makefile.am b/compat/Makefile.am index 62252e18e3..08b100be93 100644 --- a/compat/Makefile.am +++ b/compat/Makefile.am @@ -42,6 +42,7 @@ libcompatsquid_la_SOURCES = \ initgroups.h \ memrchr.cc \ memrchr.h \ + openssl.h \ osdetect.h \ psignal.h \ shm.cc \ diff --git a/compat/openssl.h b/compat/openssl.h new file mode 100644 index 0000000000..6f03fe89a2 --- /dev/null +++ b/compat/openssl.h @@ -0,0 +1,249 @@ +/* + * Copyright (C) 1996-2018 The Squid Software Foundation and contributors + * + * Squid software is distributed under GPLv2+ license and includes + * contributions from numerous individuals and organizations. + * Please see the COPYING and CONTRIBUTORS files for details. + */ + +/* OpenSSL API changed dramatically between 1.0.2 and 1.1.0, and + * compatibility was broken. Most of the structures became opaque, + * and access functions were created. There's no (safe) way to + * access the struct members any more, so the solution is to use + * the new API in the main code, and add the functions for older + * versions in compat/openssl.h. + * Once all the supported library versions use the new API, the shim + * can be dropped. + */ + +#ifndef OPENSSL_COMPAT_H +#define OPENSSL_COMPAT_H + +#if !USE_OPENSSL +#error compat/openssl.h depends on USE_OPENSSL +#endif + +#if HAVE_OPENSSL_ASN1_H +#include +#endif +#if HAVE_OPENSSL_BIO_H +#include +#endif +#if HAVE_OPENSSL_DH_H +#include +#endif +#if HAVE_OPENSSL_EVP_H +#include +#endif +#if HAVE_OPENSSL_LHASH_H +#include +#endif +#if HAVE_OPENSSL_SSL_H +#include +#endif +#if HAVE_OPENSSL_X509_H +#include +#endif + +extern "C" { + +#if !HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA + inline const unsigned char * + ASN1_STRING_get0_data(const ASN1_STRING *x) + { + return x->data; + } +#endif + +#if !HAVE_LIBCRYPTO_BIO_GET_DATA + inline void * + BIO_get_data(BIO *table) + { + return table->ptr; + } + + inline void + BIO_set_data(BIO *table, void *data) + { + table->ptr = data; + } + + inline void + BIO_set_init(BIO *table, int init) + { + table->init = init; + } +#endif + +#if !HAVE_LIBCRYPTO_BIO_GET_INIT + inline int + BIO_get_init(BIO *table) + { + return table->init; + } +#endif + +#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API +#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API + inline int + DH_up_ref(DH *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH) > 1)) + return 1; + return 0; + } +#else +#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0) +#endif /* OpenSSL 1.0 CRYPTO_LOCK_DH */ +#endif /* OpenSSL 1.1 DH_up_ref */ + +#if !HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA + inline RSA * + EVP_PKEY_get0_RSA(EVP_PKEY *pkey) + { + if (pkey->type != EVP_PKEY_RSA) + return nullptr; + return pkey->pkey.rsa; + } +#endif + +#if !HAVE_LIBCRYPTO_EVP_PKEY_UP_REF +#if defined(CRYPTO_LOCK_EVP_PKEY) // OpenSSL 1.0 + inline int + EVP_PKEY_up_ref(EVP_PKEY *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_EVP_PKEY)) > 1) + return 1; + return 0; + } + +#else +#error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0) +#endif /* OpenSSL 1.0 CRYPTO_LOCK_EVP_PKEY */ +#endif /* OpenSSL 1.1 EVP_PKEY_up_ref */ + +#if !HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH +#define OPENSSL_LH_delete lh_delete +#define OPENSSL_LH_strhash lh_strhash +#endif + +#if !defined OPENSSL_VERSION +#define OPENSSL_VERSION SSLEAY_VERSION +#define OpenSSL_version SSLeay_version +#endif + +#if !HAVE_LIBSSL_SSL_CIPHER_FIND + inline const SSL_CIPHER * + SSL_CIPHER_find(SSL *ssl, const unsigned char *ptr) + { + return ssl->method->get_cipher_by_char(ptr); + } +#endif + +#if !HAVE_LIBSSL_SSL_SESSION_GET_ID + inline const unsigned char * + SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) + *len = s->session_id_length; + return s->session_id; + } +#endif + +#if !HAVE_OPENSSL_TLS_CLIENT_METHOD +#define TLS_client_method SSLv23_client_method +#endif + +#if !HAVE_OPENSSL_TLS_SERVER_METHOD +#define TLS_server_method SSLv23_server_method +#endif + +#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API +#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API + inline int + X509_CRL_up_ref(X509_CRL *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL) > 1)) + return 1; + return 0; + } +#else +#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) +#endif /* CRYPTO_LOCK_X509_CRL */ +#endif /* X509_CRL_up_ref */ + +#if !HAVE_LIBCRYPTO_X509_GET0_SIGNATURE + inline void + X509_get0_signature(ASN1_BIT_STRING **psig, X509_ALGOR **palg, const X509 *x) + { + if (psig) + *psig = (ASN1_BIT_STRING *)&x->signature; + if (palg) + *palg = (X509_ALGOR *)&x->sig_alg; + } +#endif + +#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT + inline X509 * + X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) + { + return ctx->cert; + } +#endif + +#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED + inline STACK_OF(X509) * + X509_STORE_CTX_get0_untrusted(X509_STORE_CTX *ctx) + { + return ctx->untrusted; + } + +/// Note that all of the calls in this next group were renamed, or had the new +/// name added at the same time as X509_STORE_CTX_get0_untrusted was implemented, +/// in all supported OpenSSL-compatible libraries +#define X509_STORE_CTX_set0_untrusted X509_STORE_CTX_set_chain +#define X509_getm_notAfter X509_get_notAfter +#define X509_getm_notBefore X509_get_notBefore +#define X509_set1_notAfter X509_set_notAfter +#define X509_set1_notBefore X509_set_notBefore +#endif /* !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED */ + +#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API +#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API + inline int + X509_up_ref(X509 *t) + { + if (t && (CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509)) > 1) + return 1; + return 0; + } +#else +#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) +#endif /* CRYPTO_LOCK_X509 */ +#endif /* X509_up_ref */ + +#if !HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH + inline int + X509_VERIFY_PARAM_get_depth(const X509_VERIFY_PARAM *param) + { + return param->depth; + } +#endif + +} /* extern "C" */ + +inline void +SQUID_OPENSSL_init_ssl(void) +{ +#if HAVE_LIBSSL_OPENSSL_INIT_SSL + // OpenSSL will properly auto-initialize itself (in Squid context). + // No explicit initialization is required. + //OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, nullptr); +#else + SSL_load_error_strings(); + SSLeay_add_ssl_algorithms(); +#endif +} + +#endif /* OPENSSL_COMPAT_H */ + diff --git a/configure.ac b/configure.ac index c8cd9964a2..9863560ab3 100644 --- a/configure.ac +++ b/configure.ac @@ -1295,12 +1295,19 @@ AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available]) ## OpenSSL is default disable due to licensing issues on some OS if test "x$with_openssl" = "xyes"; then AC_CHECK_HEADERS( \ + openssl/asn1.h \ openssl/bio.h \ + openssl/bn.h \ openssl/crypto.h \ + openssl/dh.h \ openssl/err.h \ + openssl/evp.h \ + openssl/lhash.h \ openssl/md5.h \ openssl/opensslv.h \ + openssl/rsa.h \ openssl/ssl.h \ + openssl/x509.h \ openssl/x509v3.h \ openssl/engine.h \ openssl/txt_db.h \ diff --git a/scripts/source-maintenance.sh b/scripts/source-maintenance.sh index 98f61d8636..22520f29fd 100755 --- a/scripts/source-maintenance.sh +++ b/scripts/source-maintenance.sh @@ -115,6 +115,17 @@ for FILENAME in `git ls-files`; do ;; esac + # + # If a file includes openssl headers, then it must include compat/openssl.h + # + if test "${FILENAME}" != "compat/openssl.h" && \ + (FI=`grep "#include.*openssl/" "${FILENAME}" 2>/dev/null`; \ + test "x${FI}" != "x") && \ + (FI=`grep "#include \"compat/openssl\.h\"" "${FILENAME}" 2>/dev/null`; \ + test "x${FI}" == "x"); then + echo "ERROR: ${FILENAME} includes openssl headers without including \"compat/openssl.h\"" + fi + # # forward.h means different things to Squid code depending on the path # require the full path is explicit for every include diff --git a/src/CachePeer.h b/src/CachePeer.h index 498d7afbfd..fb38e8aca0 100644 --- a/src/CachePeer.h +++ b/src/CachePeer.h @@ -19,10 +19,6 @@ //TODO: remove, it is unconditionally defined and always used. #define PEER_MULTICAST_SIBLINGS 1 -#if HAVE_OPENSSL_SSL_H -#include -#endif - class NeighborTypeDomainList; class PconnPool; class PeerDigest; diff --git a/src/main.cc b/src/main.cc index b018b64f87..85fe8136b9 100644 --- a/src/main.cc +++ b/src/main.cc @@ -677,7 +677,7 @@ mainHandleCommandLineOption(const int optId, const char *optValue) if (strlen(SQUID_BUILD_INFO)) printf("%s\n",SQUID_BUILD_INFO); #if USE_OPENSSL - printf("\nThis binary uses %s. ", SSLeay_version(SSLEAY_VERSION)); + printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); #endif printf( "configure options: %s\n", SQUID_CONFIGURE_OPTIONS); diff --git a/src/security/Context.h b/src/security/Context.h index 3663fe6d8f..71add04829 100644 --- a/src/security/Context.h +++ b/src/security/Context.h @@ -12,6 +12,7 @@ #include #if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include #endif diff --git a/src/security/LockingPointer.h b/src/security/LockingPointer.h index cde009cbe1..058f077709 100644 --- a/src/security/LockingPointer.h +++ b/src/security/LockingPointer.h @@ -12,6 +12,7 @@ #include "base/HardFun.h" #if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_CRYPTO_H #include #endif diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index d6db76920f..c6857f478a 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc @@ -248,11 +248,7 @@ Security::PeerOptions::createBlankContext() const #if USE_OPENSSL Ssl::Initialize(); -#if HAVE_OPENSSL_TLS_CLIENT_METHOD SSL_CTX *t = SSL_CTX_new(TLS_client_method()); -#else - SSL_CTX *t = SSL_CTX_new(SSLv23_client_method()); -#endif if (!t) { const auto x = ERR_get_error(); fatalf("Failed to allocate TLS client context: %s\n", Security::ErrorString(x)); diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc index bad120662f..45d33b3626 100644 --- a/src/security/ServerOptions.cc +++ b/src/security/ServerOptions.cc @@ -16,14 +16,12 @@ #include "security/Session.h" #include "SquidConfig.h" #if USE_OPENSSL +#include "compat/openssl.h" #include "ssl/support.h" -#endif #if HAVE_OPENSSL_ERR_H #include #endif -#if HAVE_OPENSSL_X509_H -#include #endif Security::ServerOptions & @@ -161,11 +159,7 @@ Security::ServerOptions::createBlankContext() const #if USE_OPENSSL Ssl::Initialize(); -#if HAVE_OPENSSL_SERVER_METHOD SSL_CTX *t = SSL_CTX_new(TLS_server_method()); -#else - SSL_CTX *t = SSL_CTX_new(SSLv23_server_method()); -#endif if (!t) { const auto x = ERR_get_error(); debugs(83, DBG_CRITICAL, "ERROR: Failed to allocate TLS server context: " << Security::ErrorString(x)); diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h index 1d1198bc40..0646b76b08 100644 --- a/src/security/ServerOptions.h +++ b/src/security/ServerOptions.h @@ -11,6 +11,12 @@ #include "anyp/forward.h" #include "security/PeerOptions.h" +#if USE_OPENSSL +#include "compat/openssl.h" +#if HAVE_OPENSSL_X509_H +#include +#endif +#endif namespace Security { diff --git a/src/security/Session.cc b/src/security/Session.cc index ab93b970c5..a56efec223 100644 --- a/src/security/Session.cc +++ b/src/security/Session.cc @@ -290,13 +290,8 @@ store_session_cb(SSL *ssl, SSL_SESSION *session) SSL_SESSION_set_timeout(session, Config.SSL.session_ttl); -#if HAVE_LIBSSL_SSL_SESSION_GET_ID unsigned int idlen; const unsigned char *id = SSL_SESSION_get_id(session, &idlen); -#else - unsigned char *id = session->session_id; - unsigned int idlen = session->session_id_length; -#endif // XXX: the other calls [to openForReading()] do not copy the sessionId to a char buffer, does this really have to? unsigned char key[MEMMAP_SLOT_KEY_SIZE]; // Session ids are of size 32bytes. They should always fit to a diff --git a/src/security/Session.h b/src/security/Session.h index 3b17a64637..19b1c9f1ec 100644 --- a/src/security/Session.h +++ b/src/security/Session.h @@ -16,6 +16,7 @@ #include #if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include #endif diff --git a/src/security/cert_generators/file/certificate_db.cc b/src/security/cert_generators/file/certificate_db.cc index a3ed84dab2..11e73088cb 100644 --- a/src/security/cert_generators/file/certificate_db.cc +++ b/src/security/cert_generators/file/certificate_db.cc @@ -216,7 +216,7 @@ void Ssl::CertificateDb::sq_TXT_DB_delete_row(TXT_DB *db, int idx) { data = lh_OPENSSL_STRING_delete(fieldIndex, rrow); #else if (LHASH *fieldIndex = db->index[db_indexes[i]]) - data = lh_delete(fieldIndex, rrow); + data = OPENSSL_LH_delete(fieldIndex, rrow); #endif if (data) assert(data == rrow); @@ -227,7 +227,7 @@ unsigned long Ssl::CertificateDb::index_serial_hash(const char **a) { const char *n = a[Ssl::CertificateDb::cnlSerial]; while (*n == '0') ++n; - return lh_strhash(n); + return OPENSSL_LH_strhash(n); } int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) { @@ -238,7 +238,7 @@ int Ssl::CertificateDb::index_serial_cmp(const char **a, const char **b) { } unsigned long Ssl::CertificateDb::index_name_hash(const char **a) { - return(lh_strhash(a[Ssl::CertificateDb::cnlKey])); + return(OPENSSL_LH_strhash(a[Ssl::CertificateDb::cnlKey])); } int Ssl::CertificateDb::index_name_cmp(const char **a, const char **b) { @@ -336,7 +336,7 @@ Ssl::CertificateDb::addCertAndPrivateKey(std::string const &useKey, const Securi dbSize = size(); // get the current database size } - ASN1_UTCTIME * tm = X509_get_notAfter(cert.get()); + const auto tm = X509_getm_notAfter(cert.get()); row.setValue(cnlExp_date, std::string(reinterpret_cast(tm->data), tm->length).c_str()); std::unique_ptr subject(X509_NAME_oneline(X509_get_subject_name(cert.get()), nullptr, 0)); row.setValue(cnlName, subject.get()); diff --git a/src/security/cert_generators/file/certificate_db.h b/src/security/cert_generators/file/certificate_db.h index f58181485e..b1882d4583 100644 --- a/src/security/cert_generators/file/certificate_db.h +++ b/src/security/cert_generators/file/certificate_db.h @@ -11,9 +11,6 @@ #include "ssl/gadgets.h" -#if HAVE_OPENSSL_OPENSSLV_H -#include -#endif #include namespace Ssl diff --git a/src/security/cert_generators/file/security_file_certgen.cc b/src/security/cert_generators/file/security_file_certgen.cc index e8a63472da..932275bc0b 100644 --- a/src/security/cert_generators/file/security_file_certgen.cc +++ b/src/security/cert_generators/file/security_file_certgen.cc @@ -325,8 +325,7 @@ int main(int argc, char *argv[]) } // Initialize SSL subsystem - SSL_load_error_strings(); - SSLeay_add_ssl_algorithms(); + SQUID_OPENSSL_init_ssl(); // process request. for (;;) { char request[HELPER_INPUT_BUFFER]; diff --git a/src/security/forward.h b/src/security/forward.h index 666c92d826..704e44e740 100644 --- a/src/security/forward.h +++ b/src/security/forward.h @@ -17,9 +17,18 @@ #include #endif #include -#if USE_OPENSSL && HAVE_OPENSSL_ERR_H +#if USE_OPENSSL +#include "compat/openssl.h" +#if HAVE_OPENSSL_BN_H +#include +#endif +#if HAVE_OPENSSL_ERR_H #include #endif +#if HAVE_OPENSSL_RSA_H +#include +#endif +#endif /* USE_OPENSSL */ #include #if USE_OPENSSL @@ -30,39 +39,6 @@ struct sk_object ## _free_wrapper { \ void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \ } - -#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API -#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API -inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;} -#else -#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) -#endif /* CRYPTO_LOCK_X509 */ -#endif /* X509_up_ref */ - -#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API -#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API -inline int X509_CRL_up_ref(X509_CRL *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL); return 0;} -#else -#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0) -#endif /* CRYPTO_LOCK_X509_CRL */ -#endif /* X509_CRL_up_ref */ -#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API -#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API -inline int DH_up_ref(DH *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH); return 0;} -#else - -#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0) -#endif /* OpenSSL 1.0 CRYPTO_LOCK_X509_CRL */ -#endif /* OpenSSL 1.1 DH_up_ref */ - -#if !HAVE_LIBCRYPTO_EVP_PKEY_UP_REF -#if defined(CRYPTO_LOCK_EVP_PKEY) // OpenSSL 1.0 -inline int EVP_PKEY_up_ref(EVP_PKEY *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_EVP_PKEY); return 0;} -#endif -#else -#error missing both OpenSSL API features EVP_PKEY_up_ref (v1.1) and CRYPTO_LOCK_EVP_PKEY (v1.0) -#endif - #endif /* USE_OPENSSL */ /* flags a SSL connection can be configured with */ diff --git a/src/ssl/ErrorDetail.cc b/src/ssl/ErrorDetail.cc index 22341caf8b..0f5d45efcd 100644 --- a/src/ssl/ErrorDetail.cc +++ b/src/ssl/ErrorDetail.cc @@ -490,7 +490,7 @@ const char *Ssl::ErrorDetail::ca_name() const const char *Ssl::ErrorDetail::notbefore() const { if (broken_cert.get()) { - if (ASN1_UTCTIME * tm = X509_get_notBefore(broken_cert.get())) { + if (const auto tm = X509_getm_notBefore(broken_cert.get())) { static char tmpBuffer[256]; // A temporary buffer Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); return tmpBuffer; @@ -505,7 +505,7 @@ const char *Ssl::ErrorDetail::notbefore() const const char *Ssl::ErrorDetail::notafter() const { if (broken_cert.get()) { - if (ASN1_UTCTIME * tm = X509_get_notAfter(broken_cert.get())) { + if (const auto tm = X509_getm_notAfter(broken_cert.get())) { static char tmpBuffer[256]; // A temporary buffer Ssl::asn1timeToString(tm, tmpBuffer, sizeof(tmpBuffer)); return tmpBuffer; diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc index 802f5273ba..2a7fd6b47d 100644 --- a/src/ssl/bio.cc +++ b/src/ssl/bio.cc @@ -23,10 +23,6 @@ #include "SquidTime.h" #include "ssl/bio.h" -#if HAVE_OPENSSL_SSL_H -#include -#endif - #if _SQUID_WINDOWS_ extern int socket_read_method(int, char *, int); extern int socket_write_method(int, const char *, int); @@ -76,7 +72,7 @@ Ssl::Bio::Create(const int fd, Security::Io::Type type) BIO_meth_set_create(SquidMethods, squid_bio_create); BIO_meth_set_destroy(SquidMethods, squid_bio_destroy); } - const BIO_METHOD *useMethod = SquidMethods; + BIO_METHOD *useMethod = SquidMethods; #else BIO_METHOD *useMethod = &SquidMethods; #endif @@ -706,13 +702,7 @@ applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl cbytes[0] = (cipherId >> 8) & 0xFF; cbytes[1] = cipherId & 0xFF; cbytes[2] = 0; -#if HAVE_LIBSSL_SSL_CIPHER_FIND - const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes); -#else - const SSL_METHOD *method = SSLv23_method(); - const SSL_CIPHER *c = method->get_cipher_by_char(cbytes); -#endif - if (c != NULL) { + if (const auto c = SSL_CIPHER_find(ssl, cbytes)) { if (!strCiphers.isEmpty()) strCiphers.append(":"); strCiphers.append(SSL_CIPHER_get_name(c)); diff --git a/src/ssl/bio.h b/src/ssl/bio.h index fb311b0d99..13dce9ccc2 100644 --- a/src/ssl/bio.h +++ b/src/ssl/bio.h @@ -11,6 +11,7 @@ #if USE_OPENSSL +#include "compat/openssl.h" #include "FadingCounter.h" #include "fd.h" #include "MemBuf.h" @@ -204,14 +205,6 @@ private: void applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode); -#if !HAVE_LIBCRYPTO_BIO_GET_INIT -// OpenSSL v1.0 bio compatibility functions -inline void *BIO_get_data(BIO *table) { return table->ptr; } -inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; } -inline int BIO_get_init(BIO *table) { return table->init; } -inline void BIO_set_init(BIO *table, int init) { table->init = init; } -#endif - #endif /* USE_OPENSSL */ #endif /* SQUID_SSL_BIO_H */ diff --git a/src/ssl/context_storage.cc b/src/ssl/context_storage.cc index ce14ad38c0..ca735fb7bb 100644 --- a/src/ssl/context_storage.cc +++ b/src/ssl/context_storage.cc @@ -13,9 +13,12 @@ #include "Store.h" #include +#if USE_OPENSSL +#include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include #endif +#endif Ssl::CertificateStorageAction::CertificateStorageAction(const Mgr::Command::Pointer &aCmd) : Mgr::Action(aCmd) diff --git a/src/ssl/context_storage.h b/src/ssl/context_storage.h index f2d5cad6de..e5b7cf1e81 100644 --- a/src/ssl/context_storage.h +++ b/src/ssl/context_storage.h @@ -13,6 +13,7 @@ #include "base/LruMap.h" #include "CacheManager.h" +#include "compat/openssl.h" #include "ip/Address.h" #include "mgr/Action.h" #include "mgr/Command.h" diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc index c091a63fe7..eb67861184 100644 --- a/src/ssl/gadgets.cc +++ b/src/ssl/gadgets.cc @@ -9,11 +9,6 @@ #include "squid.h" #include "ssl/gadgets.h" -#include -#if HAVE_OPENSSL_X509V3_H -#include -#endif - EVP_PKEY * Ssl::createSslPrivateKey() { Security::PrivateKeyPointer pkey(EVP_PKEY_new()); @@ -381,13 +376,8 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic DecipherOnly }; -#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get()); const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != nullptr); -#else - const int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm); - const bool rsaPkey = (mimicAlgo == NID_rsaEncryption); -#endif int added = 0; int nid; @@ -496,25 +486,25 @@ static bool buildCertificate(Security::CertPointer & cert, Ssl::CertificatePrope // objects. ASN1_TIME *aTime = NULL; if (!properties.setValidBefore && properties.mimicCert.get()) - aTime = X509_get_notBefore(properties.mimicCert.get()); + aTime = X509_getm_notBefore(properties.mimicCert.get()); if (!aTime && properties.signWithX509.get()) - aTime = X509_get_notBefore(properties.signWithX509.get()); + aTime = X509_getm_notBefore(properties.signWithX509.get()); if (aTime) { - if (!X509_set_notBefore(cert.get(), aTime)) + if (!X509_set1_notBefore(cert.get(), aTime)) return false; - } else if (!X509_gmtime_adj(X509_get_notBefore(cert.get()), (-2)*24*60*60)) + } else if (!X509_gmtime_adj(X509_getm_notBefore(cert.get()), (-2)*24*60*60)) return false; aTime = NULL; if (!properties.setValidAfter && properties.mimicCert.get()) - aTime = X509_get_notAfter(properties.mimicCert.get()); + aTime = X509_getm_notAfter(properties.mimicCert.get()); if (!aTime && properties.signWithX509.get()) - aTime = X509_get_notAfter(properties.signWithX509.get()); + aTime = X509_getm_notAfter(properties.signWithX509.get()); if (aTime) { - if (!X509_set_notAfter(cert.get(), aTime)) + if (!X509_set1_notAfter(cert.get(), aTime)) return false; - } else if (!X509_gmtime_adj(X509_get_notAfter(cert.get()), 60*60*24*356*3)) + } else if (!X509_gmtime_adj(X509_getm_notAfter(cert.get()), 60*60*24*356*3)) return false; int addedExtensions = 0; @@ -844,21 +834,21 @@ bool Ssl::certificateMatchesProperties(X509 *cert, CertificateProperties const & return false; if (!properties.setValidBefore) { - ASN1_TIME *aTime = X509_get_notBefore(cert); - ASN1_TIME *bTime = X509_get_notBefore(cert2); + const auto aTime = X509_getm_notBefore(cert); + const auto bTime = X509_getm_notBefore(cert2); if (asn1time_cmp(aTime, bTime) != 0) return false; - } else if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0) { + } else if (X509_cmp_current_time(X509_getm_notBefore(cert)) >= 0) { // notBefore does not exist (=0) or it is in the future (>0) return false; } if (!properties.setValidAfter) { - ASN1_TIME *aTime = X509_get_notAfter(cert); - ASN1_TIME *bTime = X509_get_notAfter(cert2); + const auto aTime = X509_getm_notAfter(cert); + const auto bTime = X509_getm_notAfter(cert2); if (asn1time_cmp(aTime, bTime) != 0) return false; - } else if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0) { + } else if (X509_cmp_current_time(X509_getm_notAfter(cert)) <= 0) { // notAfter does not exist (0) or it is in the past (<0) return false; } @@ -948,18 +938,10 @@ Ssl::CertificatesCmp(const Security::CertPointer &cert1, const Security::CertPoi const ASN1_BIT_STRING * Ssl::X509_get_signature(const Security::CertPointer &cert) { -#if HAVE_LIBCRYPTO_X509_GET0_SIGNATURE -#if SQUID_USE_CONST_X509_GET0_SIGNATURE_ARGS - const ASN1_BIT_STRING *sig = nullptr; - const X509_ALGOR *sig_alg = nullptr; -#else - ASN1_BIT_STRING *sig = nullptr; - X509_ALGOR *sig_alg = nullptr; -#endif + SQUID_CONST_X509_GET0_SIGNATURE_ARGS ASN1_BIT_STRING *sig = nullptr; + SQUID_CONST_X509_GET0_SIGNATURE_ARGS X509_ALGOR *sig_alg = nullptr; + X509_get0_signature(&sig, &sig_alg, cert.get()); return sig; -#else - return cert->signature; -#endif } diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h index b0e0d4b75a..323a7fe7cc 100644 --- a/src/ssl/gadgets.h +++ b/src/ssl/gadgets.h @@ -13,12 +13,18 @@ #include "security/forward.h" #include "ssl/crtd_message.h" +#if USE_OPENSSL +#include "compat/openssl.h" +#if HAVE_OPENSSL_ASN1_H +#include +#endif #if HAVE_OPENSSL_TXT_DB_H #include #endif #if HAVE_OPENSSL_X509V3_H #include #endif +#endif #include namespace Ssl @@ -29,12 +35,6 @@ namespace Ssl because they are used by security_file_certgen helper. */ -#if SQUID_USE_CONST_SSL_METHOD -typedef const SSL_METHOD * ContextMethod; -#else -typedef SSL_METHOD * ContextMethod; -#endif - #if !defined(SQUID_SSL_SIGN_HASH_IF_NONE) #define SQUID_SSL_SIGN_HASH_IF_NONE "sha256" #endif diff --git a/src/ssl/support.cc b/src/ssl/support.cc index e2cb852641..f6d4ce7aaf 100644 --- a/src/ssl/support.cc +++ b/src/ssl/support.cc @@ -97,18 +97,34 @@ ssl_ask_password(SSL_CTX * context, const char * prompt) static RSA * ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) { - static RSA *rsa_512 = NULL; - static RSA *rsa_1024 = NULL; - RSA *rsa = NULL; + static RSA *rsa_512 = nullptr; + static RSA *rsa_1024 = nullptr; + static BIGNUM *e = nullptr; + RSA *rsa = nullptr; int newkey = 0; + if (!e) { + e = BN_new(); + if (!e || !BN_set_word(e, RSA_F4)) { + debugs(83, DBG_IMPORTANT, "ssl_temp_rsa_cb: Failed to set exponent for key " << keylen); + BN_free(e); + e = nullptr; + return nullptr; + } + } + switch (keylen) { case 512: if (!rsa_512) { - rsa_512 = RSA_generate_key(512, RSA_F4, NULL, NULL); - newkey = 1; + rsa_512 = RSA_new(); + if (rsa_512 && RSA_generate_key_ex(rsa_512, 512, e, nullptr)) { + newkey = 1; + } else { + RSA_free(rsa_512); + rsa_512 = nullptr; + } } rsa = rsa_512; @@ -117,8 +133,13 @@ ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen) case 1024: if (!rsa_1024) { - rsa_1024 = RSA_generate_key(1024, RSA_F4, NULL, NULL); - newkey = 1; + rsa_1024 = RSA_new(); + if (rsa_1024 && RSA_generate_key_ex(rsa_1024, 1024, e, nullptr)) { + newkey = 1; + } else { + RSA_free(rsa_1024); + rsa_1024 = nullptr; + } } rsa = rsa_1024; @@ -232,13 +253,6 @@ bool Ssl::checkX509ServerValidity(X509 *cert, const char *server) return matchX509CommonNames(cert, (void *)server, check_domain); } -#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT -static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx) -{ - return ctx->cert; -} -#endif - /// \ingroup ServerProtocolSSLInternal static int ssl_verify_cb(int ok, X509_STORE_CTX * ctx) @@ -469,8 +483,7 @@ Ssl::Initialize(void) return; initialized = true; - SSL_load_error_strings(); - SSLeay_add_ssl_algorithms(); + SQUID_OPENSSL_init_ssl(); #if HAVE_OPENSSL_ENGINE_H if (::Config.SSL.ssl_engine) { @@ -905,8 +918,8 @@ Ssl::verifySslCertificate(Security::ContextPointer &ctx, CertificateProperties c #endif if (!cert) return false; - ASN1_TIME * time_notBefore = X509_get_notBefore(cert); - ASN1_TIME * time_notAfter = X509_get_notAfter(cert); + const auto time_notBefore = X509_getm_notBefore(cert); + const auto time_notAfter = X509_getm_notAfter(cert); return (X509_cmp_current_time(time_notBefore) < 0 && X509_cmp_current_time(time_notAfter) > 0); } @@ -949,11 +962,7 @@ hasAuthorityInfoAccessCaIssuers(X509 *cert) if (ad->location->type == GEN_URI) { xstrncpy(uri, reinterpret_cast( -#if HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier) -#else - ASN1_STRING_data(ad->location->d.uniformResourceIdentifier) -#endif ), sizeof(uri)); } @@ -1115,12 +1124,8 @@ completeIssuers(X509_STORE_CTX *ctx, STACK_OF(X509) *untrustedCerts) { debugs(83, 2, "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates"); -#if HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx); int depth = X509_VERIFY_PARAM_get_depth(param); -#else - int depth = ctx->param->depth; -#endif X509 *current = X509_STORE_CTX_get0_cert(ctx); int i = 0; for (i = 0; current && (i < depth); ++i) { @@ -1155,11 +1160,7 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *ctx,void *data) // OpenSSL already maintains ctx->untrusted but we cannot modify // internal OpenSSL list directly. We have to give OpenSSL our own // list, but it must include certificates on the OpenSSL ctx->untrusted -#if HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx); -#else - STACK_OF(X509) *oldUntrusted = ctx->untrusted; -#endif STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL for (int i = 0; i < sk_X509_num(sslUntrustedStack); ++i) { @@ -1172,13 +1173,9 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *ctx,void *data) if (SquidUntrustedCerts.size() > 0) completeIssuers(ctx, sk); - X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted + X509_STORE_CTX_set0_untrusted(ctx, sk); // No locking/unlocking, just sets ctx->untrusted int ret = X509_verify_cert(ctx); -#if HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED - X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted); -#else - X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list -#endif + X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted); // Set back the old untrusted list sk_X509_free(sk); // Release sk list return ret; } diff --git a/src/ssl/support.h b/src/ssl/support.h index 38c080bfb9..40dc2903af 100644 --- a/src/ssl/support.h +++ b/src/ssl/support.h @@ -15,6 +15,7 @@ #include "base/CbDataList.h" #include "comm/forward.h" +#include "compat/openssl.h" #include "sbuf/SBuf.h" #include "security/forward.h" #include "ssl/gadgets.h"