Remove no longer needed OpenSSL shims and checks
authorOndřej Surý <ondrej@isc.org>
Mon, 1 Jul 2024 09:05:18 +0000 (11:05 +0200)
committerOndřej Surý <ondrej@isc.org>
Mon, 5 Aug 2024 10:23:59 +0000 (10:23 +0000)
Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kinds
of OpenSSL shims and checks for functions that are now always present in
the OpenSSL libraries.

Co-authored-by: Ondřej Surý <ondrej@isc.org>
Co-authored-by: Aydın Mercan <aydin@isc.org>
14 files changed:
bin/named/main.c
bin/tests/system/checkconf/tests.sh
bin/tests/system/cipher-suites/prereq.sh [deleted file]
bin/tests/system/feature-test.c
configure.ac
lib/dns/dst_api.c
lib/dns/dst_internal.h
lib/dns/openssl_shim.c
lib/dns/openssl_shim.h
lib/dns/openssleddsa_link.c
lib/isc/openssl_shim.c
lib/isc/openssl_shim.h
lib/isc/tls.c
lib/isccfg/namedconf.c

index e5a17b2f4582a0c06731e89f4ed5b5bd0a6246e8..2bb5c1292dddc9f5609ebfdb93140a069fef4215 100644 (file)
@@ -590,16 +590,8 @@ printversion(bool verbose) {
        printf("compiled by Solaris Studio %x\n", __SUNPRO_C);
 #endif /* ifdef __SUNPRO_C */
        printf("compiled with OpenSSL version: %s\n", OPENSSL_VERSION_TEXT);
-#if !defined(LIBRESSL_VERSION_NUMBER) && \
-       OPENSSL_VERSION_NUMBER >= 0x10100000L /* 1.1.0 or higher */
        printf("linked to OpenSSL version: %s\n",
               OpenSSL_version(OPENSSL_VERSION));
-
-#else  /* if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
-       * 0x10100000L */
-       printf("linked to OpenSSL version: %s\n",
-              SSLeay_version(SSLEAY_VERSION));
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
        printf("compiled with libuv version: %d.%d.%d\n", UV_VERSION_MAJOR,
               UV_VERSION_MINOR, UV_VERSION_PATCH);
        printf("linked to libuv version: %s\n", uv_version_string());
index ad7e2fbb477840c242c4e47437a45e00cbca6542..474507156d7a64379939685959a19917b3cd5df2 100644 (file)
@@ -89,7 +89,7 @@ for good in good-*.conf; do
       good-proxy-*doh*.conf) continue ;;
       bad-proxy-*doh*.conf) continue ;;
     esac
-  elif ! $FEATURETEST --have-openssl-cipher-suites; then
+  else
     case $good in
       good-tls-cipher-suites-*.conf) continue ;;
     esac
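Review bot: Turning `elif ! $FEATURETEST --have-openssl-cipher-suites; then` into a bare `else` at L53 makes the `good-tls-cipher-suites-*.conf) continue` case run whenever the first branch of the `if` is not taken, so the cipher-suite configurations are now skipped on exactly the builds that support them, and checkconf loses that coverage silently. The intent of the commit is that SSL_CTX_set_ciphersuites() is always available, which means the branch should be removed rather than made unconditional. The opening `if` of this chain is outside the hunk, so I cannot see the first condition, but nothing visible makes the `else` body depend on the feature any more. I would delete the four lines from `else` through `esac` (keeping the `fi`), or, if some supported library still lacks TLS 1.3 suites, replace the deleted feature-test with a probe of the built binary instead of skipping unconditionally.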
diff --git a/bin/tests/system/cipher-suites/prereq.sh b/bin/tests/system/cipher-suites/prereq.sh
deleted file mode 100644 (file)
index 9103595..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-$FEATURETEST --have-openssl-cipher-suites || {
-  echo_i "SSL_CTX_set_ciphersuites() is required for the test."
-  exit 255
-}
-
-exit 0
index 66731c513df7aa7d1a4b6750eaad0373cb7c6ec4..5b3c504d62628116933ee9fa42cdf6b5cf958816 100644 (file)
@@ -49,7 +49,6 @@ usage(void) {
        fprintf(stderr, "\t--have-geoip2\n");
        fprintf(stderr, "\t--have-json-c\n");
        fprintf(stderr, "\t--have-libxml2\n");
-       fprintf(stderr, "\t--have-openssl-cipher-suites\n");
        fprintf(stderr, "\t--ipv6only=no\n");
        fprintf(stderr, "\t--md5\n");
        fprintf(stderr, "\t--rsasha1\n");
@@ -185,14 +184,6 @@ main(int argc, char **argv) {
 #endif /* ifdef HAVE_LIBXML2 */
        }
 
-       if (strcmp(argv[1], "--have-openssl-cipher-suites") == 0) {
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
-               return (0);
-#else  /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
-               return (1);
-#endif /* ifdef HAVE_SSL_CTX_SET_CIPHERSUITES */
-       }
-
        if (strcmp(argv[1], "--tsan") == 0) {
 #if defined(__has_feature)
 #if __has_feature(thread_sanitizer)
index f764eb15490390984057d014e810b1e59eefa643..856920226b879fbf2671a01e68e2658d29720f2c 100644 (file)
@@ -664,53 +664,6 @@ LIBS="$OPENSSL_LIBS $LIBS"
 #
 # Check for functions added in OpenSSL or LibreSSL
 #
-
-AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
-AC_CHECK_FUNCS([BN_GENCB_new])
-AC_CHECK_FUNCS([CRYPTO_zalloc])
-AC_CHECK_FUNCS([ERR_get_error_all])
-AC_CHECK_FUNCS([EVP_CIPHER_CTX_new EVP_CIPHER_CTX_free])
-AC_CHECK_FUNCS([EVP_MD_CTX_new EVP_MD_CTX_free EVP_MD_CTX_reset EVP_MD_CTX_get0_md])
-AC_CHECK_FUNCS([EVP_PKEY_new_raw_private_key EVP_PKEY_eq])
-AC_CHECK_FUNCS([OPENSSL_init_ssl OPENSSL_init_crypto OPENSSL_cleanup])
-AC_CHECK_FUNCS([SSL_CTX_set_keylog_callback])
-AC_CHECK_FUNCS([SSL_CTX_set_min_proto_version])
-AC_CHECK_FUNCS([SSL_CTX_up_ref])
-AC_CHECK_FUNCS([SSL_read_ex SSL_peek_ex SSL_write_ex])
-AC_CHECK_FUNCS([SSL_CTX_set1_cert_store X509_STORE_up_ref])
-AC_CHECK_FUNCS([SSL_CTX_up_ref])
-AC_CHECK_FUNCS([SSL_SESSION_is_resumable])
-AC_CHECK_FUNCS([SSL_CTX_set_ciphersuites])
-
-#
-# Check for algorithm support in OpenSSL
-#
-
-AC_CHECK_FUNCS([EVP_DigestSignInit EVP_DigestVerifyInit], [:],
-              [AC_MSG_FAILURE([EVP_DigestSignInit/EVP_DigestVerifyInit support in OpenSSL is mandatory.])])
-
-AC_MSG_CHECKING([for ECDSA P-256 support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
-                    [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_X9_62_prime256v1, NULL);]])],
-    [AC_MSG_RESULT([yes])],
-    [AC_MSG_FAILURE([not found.  ECDSA P-256 support in OpenSSL is mandatory.])])
-
-AC_MSG_CHECKING([for ECDSA P-384 support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
-                    [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_secp384r1, NULL);]])],
-    [AC_MSG_RESULT([yes])],
-    [AC_MSG_FAILURE([not found.  ECDSA P-384 support in OpenSSL is mandatory.])])
-
-AC_MSG_CHECKING([for Ed25519 support])
-AC_COMPILE_IFELSE(
-    [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
-                    [[EVP_PKEY_CTX *kctx = EVP_PKEY_CTX_new_id(NID_ED25519, NULL);]])],
-    [AC_DEFINE([HAVE_OPENSSL_ED25519], [1], [define if OpenSSL supports Ed25519])
-     AC_MSG_RESULT([yes])],
-    [AC_MSG_RESULT([no])])
-
 AC_MSG_CHECKING([for Ed448 support])
 AC_COMPILE_IFELSE(
     [AC_LANG_PROGRAM([[#include <openssl/evp.h>]],
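Review bot: Dropping the ECDSA P-256/P-384 and EVP_DigestSignInit/EVP_DigestVerifyInit `AC_MSG_FAILURE` checks (L134-L149) removes the only configure-time guard that the linked library actually has EC enabled; the 1.1.1 floor guarantees the API exists in the headers, but an OpenSSL configured with `no-ec` (or a LibreSSL variant) will now pass configure and fail later, either at link time or, if obj_mac.h still defines the NIDs, only when `dst__opensslecdsa_init()` runs, with a far less actionable message (I cannot see from here what that init does for a missing curve). ECDSA P-256 is mandatory-to-implement for DNSSEC validation, so I would keep one cheap guard in this hunk, e.g. `AC_CHECK_FUNCS([EC_KEY_new], [:], [AC_MSG_FAILURE([ECDSA support in OpenSSL is mandatory.])])`, or an `AC_COMPILE_IFELSE` that fails when `OPENSSL_NO_EC` is defined in opensslconf.h. The Ed448 probe that follows is the retained half of this pattern, which makes the asymmetry with the removed Ed25519 probe worth a one-line comment explaining why Ed25519 no longer needs one.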
@@ -719,25 +672,11 @@ AC_COMPILE_IFELSE(
      AC_MSG_RESULT([yes])],
     [AC_MSG_RESULT([no])])
 
-#
-# Check for OpenSSL SHA-1 support
-#
-AC_CHECK_FUNCS([EVP_sha1], [:],
-              [AC_MSG_FAILURE([SHA-1 support in OpenSSL is mandatory.])])
-
-#
-# Check for OpenSSL SHA-2 support
-#
-AC_CHECK_FUNCS([EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512], [:],
-              [AC_MSG_FAILURE([SHA-2 support in OpenSSL is mandatory.])])
-
-#
-# Check for OpenSSL 1.1.x/LibreSSL functions
-#
-AC_CHECK_FUNCS([ECDSA_SIG_get0 EVP_PKEY_get0_EC_KEY])
-AC_CHECK_FUNCS([RSA_set0_key EVP_PKEY_get0_RSA])
-
-AC_CHECK_FUNCS([TLS_server_method TLS_client_method])
+AC_CHECK_FUNCS([ERR_get_error_all])
+AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])
+AC_CHECK_FUNCS([EVP_MD_CTX_get0_md])
+AC_CHECK_FUNCS([EVP_PKEY_eq])
+AC_CHECK_FUNCS([SSL_CTX_set1_cert_store])
 
 #
 # Check whether FIPS mode is available and whether we should enable it
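Review bot: The five `AC_CHECK_FUNCS` lines added at L185-L189 sit with no heading, while the `# Check for functions added in OpenSSL or LibreSSL` banner retained at L109-L111 now introduces the Ed448 probe instead. These appear to be exactly the functions that still have fallbacks in the shim headers kept by this commit (`ERR_get_error_all` at L432, `EVP_MD_CTX_get0_md`, `BIO_read_ex`/`BIO_write_ex` and `SSL_CTX_set1_cert_store` at L722-L796; I cannot see where `EVP_PKEY_eq` is shimmed), so a reader needs to know that each check gates a shim rather than a hard requirement. I would put a comment right above them: `# Functions presumably still missing from some supported OpenSSL/LibreSSL releases; each one has a fallback in lib/isc/openssl_shim.h or lib/dns/openssl_shim.h` and move or drop the stranded banner at L109-L111.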
index ac35b4dab205c28cc5f109f0330673c0eb6eddcf..487bb84beea015a5c44af35716b69a0caa9a37c6 100644 (file)
@@ -217,14 +217,12 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
                                    DST_ALG_RSASHA512));
        RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA256]));
        RETERR(dst__opensslecdsa_init(&dst_t_func[DST_ALG_ECDSA384]));
-#ifdef HAVE_OPENSSL_ED25519
        RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED25519],
                                      DST_ALG_ED25519));
-#endif /* ifdef HAVE_OPENSSL_ED25519 */
 #ifdef HAVE_OPENSSL_ED448
        RETERR(dst__openssleddsa_init(&dst_t_func[DST_ALG_ED448],
                                      DST_ALG_ED448));
-#endif /* ifdef HAVE_OPENSSL_ED448 */
+#endif /* HAVE_OPENSSL_ED448 */
 
 #if HAVE_GSSAPI
        RETERR(dst__gssapi_init(&dst_t_func[DST_ALG_GSSAPI]));
index a78b710738b1563eba2502a0ab2b8d09069c88f4..cf902deaa61c57ec3a930389b4f02bb45cdcce24 100644 (file)
@@ -214,10 +214,8 @@ isc_result_t
 dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
 isc_result_t
 dst__opensslecdsa_init(struct dst_func **funcp);
-#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
 isc_result_t
 dst__openssleddsa_init(struct dst_func **funcp, unsigned char algorithm);
-#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
 #if HAVE_GSSAPI
 isc_result_t
 dst__gssapi_init(struct dst_func **funcp);
index 128ffd3eb19d77d227ec1e513935bd4bd64c5ce7..1034713b8dd25fbfaff713d8820c738c436dcf6d 100644 (file)
 
 #include <isc/util.h>
 
-#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
-/* From OpenSSL 1.1.0 */
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) {
-       /*
-        * If the fields n and e in r are NULL, the corresponding input
-        * parameters MUST be non-NULL for n and e.  d may be
-        * left NULL (in case only the public key is used).
-        */
-       if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) {
-               return (0);
-       }
-
-       if (n != NULL) {
-               BN_free(r->n);
-               r->n = n;
-       }
-       if (e != NULL) {
-               BN_free(r->e);
-               r->e = e;
-       }
-       if (d != NULL) {
-               BN_clear_free(r->d);
-               r->d = d;
-       }
-
-       return (1);
-}
-
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) {
-       /*
-        * If the fields p and q in r are NULL, the corresponding input
-        * parameters MUST be non-NULL.
-        */
-       if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) {
-               return (0);
-       }
-
-       if (p != NULL) {
-               BN_clear_free(r->p);
-               r->p = p;
-       }
-       if (q != NULL) {
-               BN_clear_free(r->q);
-               r->q = q;
-       }
-
-       return (1);
-}
-
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) {
-       /*
-        * If the fields dmp1, dmq1 and iqmp in r are NULL, the
-        * corresponding input parameters MUST be non-NULL.
-        */
-       if ((r->dmp1 == NULL && dmp1 == NULL) ||
-           (r->dmq1 == NULL && dmq1 == NULL) ||
-           (r->iqmp == NULL && iqmp == NULL))
-       {
-               return (0);
-       }
-
-       if (dmp1 != NULL) {
-               BN_clear_free(r->dmp1);
-               r->dmp1 = dmp1;
-       }
-       if (dmq1 != NULL) {
-               BN_clear_free(r->dmq1);
-               r->dmq1 = dmq1;
-       }
-       if (iqmp != NULL) {
-               BN_clear_free(r->iqmp);
-               r->iqmp = iqmp;
-       }
-
-       return (1);
-}
-
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-            const BIGNUM **d) {
-       SET_IF_NOT_NULL(n, r->n);
-       SET_IF_NOT_NULL(e, r->e);
-       SET_IF_NOT_NULL(d, r->d);
-}
-
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) {
-       SET_IF_NOT_NULL(p, r->p);
-       SET_IF_NOT_NULL(q, r->q);
-}
-
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-                   const BIGNUM **iqmp) {
-       SET_IF_NOT_NULL(dmp1, r->dmp1);
-       SET_IF_NOT_NULL(dmq1, r->dmq1);
-       SET_IF_NOT_NULL(iqmp, r->iqmp);
-}
-
-int
-RSA_test_flags(const RSA *r, int flags) {
-       return (r->flags & flags);
-}
-#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
-
-#if !HAVE_ECDSA_SIG_GET0
-/* From OpenSSL 1.1 */
-void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {
-       SET_IF_NOT_NULL(pr, sig->r);
-       SET_IF_NOT_NULL(ps, sig->s);
-}
-
-int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) {
-       if (r == NULL || s == NULL) {
-               return (0);
-       }
-
-       BN_clear_free(sig->r);
-       BN_clear_free(sig->s);
-       sig->r = r;
-       sig->s = s;
-
-       return (1);
-}
-#endif /* !HAVE_ECDSA_SIG_GET0 */
-
 #if !HAVE_ERR_GET_ERROR_ALL
 static const char err_empty_string = '\0';
 
index a0b87626db111e838ac7b9b2ba20da17e2ac695a..72d462d0bd5699d6b6a98251125621c570bf3d8e 100644 (file)
 #define RSA_MAX_PUBEXP_BITS 35
 #endif /* ifndef RSA_MAX_PUBEXP_BITS */
 
-#if !HAVE_BN_GENCB_NEW
-/* These are new in OpenSSL 1.1.0. */
-static inline BN_GENCB *
-BN_GENCB_new(void) {
-       return (OPENSSL_malloc(sizeof(BN_GENCB)));
-}
-
-static inline void
-BN_GENCB_free(BN_GENCB *cb) {
-       if (cb == NULL) {
-               return;
-       }
-       OPENSSL_free(cb);
-}
-
-static inline void *
-BN_GENCB_get_arg(BN_GENCB *cb) {
-       return cb->arg;
-}
-#endif /* !HAVE_BN_GENCB_NEW */
-
-#if !HAVE_EVP_PKEY_GET0_RSA && OPENSSL_VERSION_NUMBER < 0x10100000L
-static inline const RSA *
-EVP_PKEY_get0_RSA(const EVP_PKEY *pkey) {
-       return (pkey->type == EVP_PKEY_RSA ? pkey->pkey.rsa : NULL);
-}
-#endif
-
-#if !HAVE_EVP_PKEY_GET0_EC_KEY && OPENSSL_VERSION_NUMBER < 0x10100000L
-static inline const EC_KEY *
-EVP_PKEY_get0_EC_KEY(const EVP_PKEY *pkey) {
-       return (pkey->type == EVP_PKEY_EC ? pkey->pkey.ec : NULL);
-}
-#endif
-
-#if !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-            const BIGNUM **d);
-
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-                   const BIGNUM **iqmp);
-
-int
-RSA_test_flags(const RSA *r, int flags);
-#endif /* !HAVE_RSA_SET0_KEY && OPENSSL_VERSION_NUMBER < 0x30000000L */
-
-#if !HAVE_ECDSA_SIG_GET0
-void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-
-int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-#endif /* !HAVE_ECDSA_SIG_GET0 */
-
 #if !HAVE_ERR_GET_ERROR_ALL
 unsigned long
 ERR_get_error_all(const char **file, int *line, const char **func,
index a807638387b7fe58175f7490342e09b5d41cd69c..a299bd02274717fb2b64d580d377a12aa2ccb073 100644 (file)
@@ -13,8 +13,6 @@
 
 /*! \file */
 
-#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
-
 #include <stdbool.h>
 
 #include <openssl/err.h>
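Review bot: With the file-level `#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448` gone, this translation unit is compiled for every supported library and the `#ifndef NID_ED25519 … #error` further down (L449-L451) becomes the only guard, so Ed25519 is now mandatory while Ed448 stays optional behind HAVE_OPENSSL_ED448. That is fine for OpenSSL >= 1.1.1, but lib/isc/tls.c in this same commit still special-cases LIBRESSL_VERSION_NUMBER (L827), so LibreSSL remains a target, and I am not certain every LibreSSL release that otherwise builds exposes EVP_PKEY_ED25519. If the minimum is known, the `#error` should name it, e.g. `#error "Ed25519 (NID_ED25519) is mandatory: OpenSSL >= 1.1.1 or a LibreSSL release with EVP Ed25519 support is required"`; otherwise a configure-time probe like the one removed would give a clearer failure than an #error deep inside lib/dns.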
                goto err; \
        }
 
-#if HAVE_OPENSSL_ED25519
 #ifndef NID_ED25519
 #error "Ed25519 group is not known (NID_ED25519)"
 #endif /* ifndef NID_ED25519 */
-#endif /* HAVE_OPENSSL_ED25519 */
 
 #if HAVE_OPENSSL_ED448
 #ifndef NID_ED448
@@ -60,7 +56,6 @@ typedef struct eddsa_alginfo {
 
 static const eddsa_alginfo_t *
 openssleddsa_alg_info(unsigned int key_alg) {
-#if HAVE_OPENSSL_ED25519
        if (key_alg == DST_ALG_ED25519) {
                static const eddsa_alginfo_t ed25519_alginfo = {
                        .pkey_type = EVP_PKEY_ED25519,
@@ -70,7 +65,6 @@ openssleddsa_alg_info(unsigned int key_alg) {
                };
                return &ed25519_alginfo;
        }
-#endif /* HAVE_OPENSSL_ED25519 */
 #if HAVE_OPENSSL_ED448
        if (key_alg == DST_ALG_ED448) {
                static const eddsa_alginfo_t ed448_alginfo = {
@@ -586,7 +580,6 @@ static unsigned char ed448_sig[] =
        "\xb4\xee\x3f\x0e\x2b\x35\xdd\x5a\x35\xfe\x35\x00";
 #endif
 
-#if HAVE_OPENSSL_ED25519
 static unsigned char ed25519_pub[] =
        "\x66\x5c\x21\x59\xe3\xa0\x6e\xa3\x7d\x82\x7c\xf1\xe7\xa3\xdd\xaf\xd1"
        "\x6d\x92\x81\xfb\x09\x0c\x7c\xfe\x6d\xf8\x87\x24\x7e\x6e\x25";
@@ -595,7 +588,6 @@ static unsigned char ed25519_sig[] =
        "\x38\xa3\x9c\xa3\x42\x4d\xc8\x89\xff\x84\xea\x2c\xa8\x8b\xfa\x2f\xab"
        "\x75\x7c\x68\x95\xfd\xdf\x62\x60\x4e\x4d\x10\xf8\x3c\xae\xcf\x18\x93"
        "\x90\x05\xa4\x54\x38\x45\x2f\x81\x71\x1e\x0f\x46\x04";
-#endif
 
 static isc_result_t
 check_algorithm(unsigned char algorithm) {
@@ -621,8 +613,7 @@ check_algorithm(unsigned char algorithm) {
                key_len = sizeof(ed448_pub) - 1;
                alginfo = openssleddsa_alg_info(algorithm);
                break;
-#endif
-#if HAVE_OPENSSL_ED25519
+#endif /* HAVE_OPENSSL_ED448 */
        case DST_ALG_ED25519:
                sig = ed25519_sig;
                sig_len = sizeof(ed25519_sig) - 1;
@@ -630,7 +621,6 @@ check_algorithm(unsigned char algorithm) {
                key_len = sizeof(ed25519_pub) - 1;
                alginfo = openssleddsa_alg_info(algorithm);
                break;
-#endif
        default:
                DST_RET(ISC_R_NOTIMPLEMENTED);
        }
@@ -673,5 +663,3 @@ dst__openssleddsa_init(dst_func_t **funcp, unsigned char algorithm) {
        }
        return (ISC_R_SUCCESS);
 }
-
-#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
index c39ba8c68270b46202c5342788c262dbc21d52e6..08bc9c56a90f0eae433b9cd93eda60fb8850a270 100644 (file)
 
 #include "openssl_shim.h"
 
-#if !HAVE_CRYPTO_ZALLOC
-void *
-CRYPTO_zalloc(size_t num, const char *file, int line) {
-       void *ret = CRYPTO_malloc(num, file, line);
-       if (ret != NULL) {
-               memset(ret, 0, num);
-       }
-       return (ret);
-}
-#endif /* if !HAVE_CRYPTO_ZALLOC */
-
-#if !HAVE_EVP_CIPHER_CTX_NEW
-EVP_CIPHER_CTX *
-EVP_CIPHER_CTX_new(void) {
-       EVP_CIPHER_CTX *ctx = OPENSSL_zalloc(sizeof(*ctx));
-       return (ctx);
-}
-#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
-
-#if !HAVE_EVP_CIPHER_CTX_FREE
-void
-EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx) {
-       if (ctx != NULL) {
-               EVP_CIPHER_CTX_cleanup(ctx);
-               OPENSSL_free(ctx);
-       }
-}
-#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
-
-#if !HAVE_EVP_MD_CTX_RESET
-int
-EVP_MD_CTX_reset(EVP_MD_CTX *ctx) {
-       return (EVP_MD_CTX_cleanup(ctx));
-}
-#endif /* if !HAVE_EVP_MD_CTX_RESET */
-
-#if !HAVE_SSL_READ_EX
-int
-SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
-       int rv = SSL_read(ssl, buf, num);
-       if (rv > 0) {
-               *readbytes = rv;
-               rv = 1;
-       }
-
-       return (rv);
-}
-#endif
-
-#if !HAVE_SSL_PEEK_EX
-int
-SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes) {
-       int rv = SSL_peek(ssl, buf, num);
-       if (rv > 0) {
-               *readbytes = rv;
-               rv = 1;
-       }
-
-       return (rv);
-}
-#endif
-
-#if !HAVE_SSL_WRITE_EX
-int
-SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written) {
-       int rv = SSL_write(ssl, buf, num);
-       if (rv > 0) {
-               *written = rv;
-               rv = 1;
-       }
-
-       return (rv);
-}
-#endif
-
 #if !HAVE_BIO_READ_EX
 int
 BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
@@ -110,7 +35,7 @@ BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes) {
 
        return (rv);
 }
-#endif
+#endif /* !HAVE_BIO_READ_EX */
 
 #if !HAVE_BIO_WRITE_EX
 int
@@ -123,76 +48,13 @@ BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written) {
 
        return (rv);
 }
-#endif
-
-#if !HAVE_OPENSSL_INIT_CRYPTO
-int
-OPENSSL_init_crypto(uint64_t opts, const void *settings) {
-       (void)settings;
-
-       if ((opts & OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS) == 0) {
-               ERR_load_crypto_strings();
-       }
-
-       if ((opts & (OPENSSL_INIT_NO_ADD_ALL_CIPHERS |
-                    OPENSSL_INIT_NO_ADD_ALL_CIPHERS)) == 0)
-       {
-               OpenSSL_add_all_algorithms();
-       } else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
-               OpenSSL_add_all_digests();
-       } else if ((opts & OPENSSL_INIT_NO_ADD_ALL_CIPHERS) == 0) {
-               OpenSSL_add_all_ciphers();
-       }
-
-       return (1);
-}
-#endif
-
-#if !HAVE_OPENSSL_INIT_SSL
-int
-OPENSSL_init_ssl(uint64_t opts, const void *settings) {
-       OPENSSL_init_crypto(opts, settings);
-
-       SSL_library_init();
-
-       if ((opts & OPENSSL_INIT_NO_LOAD_SSL_STRINGS) == 0) {
-               SSL_load_error_strings();
-       }
-
-       return (1);
-}
-#endif
-
-#if !HAVE_OPENSSL_CLEANUP
-void
-OPENSSL_cleanup(void) {
-       return;
-}
-#endif
-
-#if !HAVE_X509_STORE_UP_REF
-
-int
-X509_STORE_up_ref(X509_STORE *store) {
-       return (CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE) > 0);
-}
-
-#endif /* !HAVE_OPENSSL_CLEANUP */
+#endif /* !HAVE_BIO_WRITE_EX */
 
 #if !HAVE_SSL_CTX_SET1_CERT_STORE
-
 void
 SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store) {
        (void)X509_STORE_up_ref(store);
 
        SSL_CTX_set_cert_store(ctx, store);
 }
-
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
-
-#if !HAVE_SSL_CTX_UP_REF
-int
-SSL_CTX_up_ref(SSL_CTX *ctx) {
-       return (CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX) > 0);
-}
-#endif /* !HAVE_SSL_CTX_UP_REF */
index b2916e20a903325b3369c8b32c72de29e919c228..f7f6f5ae568fe18e9c736aada95f26a2be00b42d 100644 (file)
 #include <openssl/opensslv.h>
 #include <openssl/ssl.h>
 
-#if !HAVE_CRYPTO_ZALLOC
-void *
-CRYPTO_zalloc(size_t num, const char *file, int line);
-#endif /* if !HAVE_CRYPTO_ZALLOC */
-
-#if !defined(OPENSSL_zalloc)
-#define OPENSSL_zalloc(num) CRYPTO_zalloc(num, __FILE__, __LINE__)
-#endif
-
-#if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY
-#define EVP_PKEY_new_raw_private_key(type, e, key, keylen) \
-       EVP_PKEY_new_mac_key(type, e, key, (int)(keylen))
-#endif /* if !HAVE_EVP_PKEY_NEW_RAW_PRIVATE_KEY */
-
-#if !HAVE_EVP_CIPHER_CTX_NEW
-EVP_CIPHER_CTX *
-EVP_CIPHER_CTX_new(void);
-#endif /* if !HAVE_EVP_CIPHER_CTX_NEW */
-
-#if !HAVE_EVP_CIPHER_CTX_FREE
-void
-EVP_CIPHER_CTX_free(EVP_CIPHER_CTX *ctx);
-#endif /* if !HAVE_EVP_CIPHER_CTX_FREE */
-
-#if !HAVE_EVP_MD_CTX_NEW
-#define EVP_MD_CTX_new EVP_MD_CTX_create
-#endif /* if !HAVE_EVP_MD_CTX_NEW */
-
-#if !HAVE_EVP_MD_CTX_FREE
-#define EVP_MD_CTX_free EVP_MD_CTX_destroy
-#endif /* if !HAVE_EVP_MD_CTX_FREE */
-
-#if !HAVE_EVP_MD_CTX_RESET
-int
-EVP_MD_CTX_reset(EVP_MD_CTX *ctx);
-#endif /* if !HAVE_EVP_MD_CTX_RESET */
-
 #if !HAVE_EVP_MD_CTX_GET0_MD
 #define EVP_MD_CTX_get0_md EVP_MD_CTX_md
 #endif /* if !HAVE_EVP_MD_CTX_GET0_MD */
 
-#if !HAVE_SSL_READ_EX
-int
-SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
-#endif
-
-#if !HAVE_SSL_PEEK_EX
-int
-SSL_peek_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes);
-#endif
-
-#if !HAVE_SSL_WRITE_EX
-int
-SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written);
-#endif
-
 #if !HAVE_BIO_READ_EX
 int
 BIO_read_ex(BIO *b, void *data, size_t dlen, size_t *readbytes);
-#endif
+#endif /* !HAVE_BIO_READ_EX */
 
 #if !HAVE_BIO_WRITE_EX
 int
 BIO_write_ex(BIO *b, const void *data, size_t dlen, size_t *written);
-#endif
-
-#if !HAVE_OPENSSL_INIT_CRYPTO
-
-#define OPENSSL_INIT_NO_LOAD_CRYPTO_STRINGS 0x00000001L
-#define OPENSSL_INIT_LOAD_CRYPTO_STRINGS    0x00000002L
-#define OPENSSL_INIT_ADD_ALL_CIPHERS       0x00000004L
-#define OPENSSL_INIT_ADD_ALL_DIGESTS       0x00000008L
-#define OPENSSL_INIT_NO_ADD_ALL_CIPHERS            0x00000010L
-#define OPENSSL_INIT_NO_ADD_ALL_DIGESTS            0x00000020L
-
-int
-OPENSSL_init_crypto(uint64_t opts, const void *settings);
-#endif
-
-#if !HAVE_OPENSSL_INIT_SSL
-#define OPENSSL_INIT_NO_LOAD_SSL_STRINGS 0x00100000L
-#define OPENSSL_INIT_LOAD_SSL_STRINGS   0x00200000L
-
-int
-OPENSSL_init_ssl(uint64_t opts, const void *settings);
-
-#endif
-
-#if !HAVE_OPENSSL_CLEANUP
-void
-OPENSSL_cleanup(void);
-#endif
-
-#if !HAVE_TLS_SERVER_METHOD
-#define TLS_server_method SSLv23_server_method
-#endif
-
-#if !HAVE_TLS_CLIENT_METHOD
-#define TLS_client_method SSLv23_client_method
-#endif
-
-#if !HAVE_X509_STORE_UP_REF
-int
-X509_STORE_up_ref(X509_STORE *v);
-#endif /* !HAVE_OPENSSL_CLEANUP */
+#endif /* !HAVE_BIO_WRITE_EX */
 
 #if !HAVE_SSL_CTX_SET1_CERT_STORE
 void
 SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
 #endif /* !HAVE_SSL_CTX_SET1_CERT_STORE */
-
-#if !HAVE_SSL_CTX_UP_REF
-int
-SSL_CTX_up_ref(SSL_CTX *store);
-#endif /* !HAVE_SSL_CTX_UP_REF */
index 281c09a92ea9658f80d0665df03a8d319552be56..504b221115e7076d79c663fb36bc41b800d03137 100644 (file)
 
 static isc_mem_t *isc__tls_mctx = NULL;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-static isc_mutex_t *locks = NULL;
-static int nlocks;
-
-static void
-isc__tls_lock_callback(int mode, int type, const char *file, int line) {
-       UNUSED(file);
-       UNUSED(line);
-       if ((mode & CRYPTO_LOCK) != 0) {
-               LOCK(&locks[type]);
-       } else {
-               UNLOCK(&locks[type]);
-       }
-}
-
-static void
-isc__tls_set_thread_id(CRYPTO_THREADID *id) {
-       CRYPTO_THREADID_set_numeric(id, (unsigned long)isc_thread_self());
-}
-#endif
-
 #if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
 /*
  * This was crippled with LibreSSL, so just skip it:
@@ -163,7 +142,6 @@ isc__tls_initialize(void) {
 #endif /* !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= \
          0x30000000L  */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        uint64_t opts = OPENSSL_INIT_ENGINE_ALL_BUILTIN |
                        OPENSSL_INIT_LOAD_CONFIG;
 #if defined(OPENSSL_INIT_NO_ATEXIT)
@@ -175,28 +153,6 @@ isc__tls_initialize(void) {
 #endif
 
        RUNTIME_CHECK(OPENSSL_init_ssl(opts, NULL) == 1);
-#else
-       nlocks = CRYPTO_num_locks();
-       locks = isc_mem_cget(isc__tls_mctx, nlocks, sizeof(locks[0]));
-       isc_mutexblock_init(locks, nlocks);
-       CRYPTO_set_locking_callback(isc__tls_lock_callback);
-       CRYPTO_THREADID_set_callback(isc__tls_set_thread_id);
-
-       CRYPTO_malloc_init();
-       ERR_load_crypto_strings();
-       SSL_load_error_strings();
-       SSL_library_init();
-
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-       ENGINE_load_builtin_engines();
-#endif
-       OpenSSL_add_all_algorithms();
-       OPENSSL_load_builtin_modules();
-
-       CONF_modules_load_file(NULL, NULL,
-                              CONF_MFLAGS_DEFAULT_SECTION |
-                                      CONF_MFLAGS_IGNORE_MISSING_FILE);
-#endif
 
        /* Protect ourselves against unseeded PRNG */
        if (RAND_status() != 1) {
@@ -208,28 +164,7 @@ isc__tls_initialize(void) {
 
 void
 isc__tls_shutdown(void) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
        OPENSSL_cleanup();
-#else
-       CONF_modules_unload(1);
-       OBJ_cleanup();
-       EVP_cleanup();
-#if !defined(OPENSSL_NO_ENGINE) && OPENSSL_API_LEVEL < 30000
-       ENGINE_cleanup();
-#endif
-       CRYPTO_cleanup_all_ex_data();
-       ERR_remove_thread_state(NULL);
-       RAND_cleanup();
-       ERR_free_strings();
-
-       CRYPTO_set_locking_callback(NULL);
-
-       if (locks != NULL) {
-               isc_mutexblock_destroy(locks, nlocks);
-               isc_mem_cput(isc__tls_mctx, locks, nlocks, sizeof(locks[0]));
-               locks = NULL;
-       }
-#endif
 
        isc_mem_destroy(&isc__tls_mctx);
 }
@@ -260,15 +195,12 @@ isc_tlsctx_attach(isc_tlsctx_t *src, isc_tlsctx_t **ptarget) {
        *ptarget = src;
 }
 
-#if HAVE_SSL_CTX_SET_KEYLOG_CALLBACK
 /*
  * Callback invoked by the SSL library whenever a new TLS pre-master secret
  * needs to be logged.
  */
 static void
-sslkeylogfile_append(const SSL *ssl, const char *line) {
-       UNUSED(ssl);
-
+sslkeylogfile_append(const SSL *ssl ISC_ATTR_UNUSED, const char *line) {
        isc_log_write(isc_lctx, ISC_LOGCATEGORY_SSLKEYLOG, ISC_LOGMODULE_NETMGR,
                      ISC_LOG_INFO, "%s", line);
 }
@@ -284,9 +216,6 @@ sslkeylogfile_init(isc_tlsctx_t *ctx) {
                SSL_CTX_set_keylog_callback(ctx, sslkeylogfile_append);
        }
 }
-#else /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
-#define sslkeylogfile_init(ctx)
-#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
 
 isc_result_t
 isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
@@ -308,12 +237,7 @@ isc_tlsctx_createclient(isc_tlsctx_t **ctxp) {
 
        SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
 
-#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
        SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-#else
-       SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                                        SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-#endif
 
        sslkeylogfile_init(ctx);
 
@@ -384,12 +308,7 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 
        SSL_CTX_set_options(ctx, COMMON_SSL_OPTIONS);
 
-#if HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
        SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
-#else
-       SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
-                                        SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1);
-#endif
 
        if (ephemeral) {
                const int group_nid = NID_X9_62_prime256v1;
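Review bot: `SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);` at L941 is now the only thing establishing the TLS 1.2 floor for server contexts, but its return value is discarded; the removed `SSL_OP_NO_SSLv2 | … | SSL_OP_NO_TLSv1_1` fallback could not fail, whereas the setter returns 0 when the version cannot be applied to the context's method, and a silent 0 would presumably leave the context at the library default, which on OpenSSL 1.1.1 still admits TLS 1.0/1.1. The file already wraps a comparable setter in `RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1);` (L1024), so I would make this consistent: `RUNTIME_CHECK(SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION) == 1);`. The identical line in isc_tlsctx_createclient (L928) deserves the same treatment. isc_tlsctx_createserver starts and ends outside this hunk.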
@@ -415,27 +334,10 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
                }
 
                /* Use a named curve and uncompressed point conversion form. */
-#if HAVE_EVP_PKEY_GET0_EC_KEY
                EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
                                     OPENSSL_EC_NAMED_CURVE);
                EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
                                     POINT_CONVERSION_UNCOMPRESSED);
-#else
-               EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
-               EC_KEY_set_conv_form(pkey->pkey.ec,
-                                    POINT_CONVERSION_UNCOMPRESSED);
-#endif /* HAVE_EVP_PKEY_GET0_EC_KEY */
-
-#if defined(SSL_CTX_set_ecdh_auto)
-               /*
-                * Using this macro is required for older versions of OpenSSL to
-                * automatically enable ECDH support.
-                *
-                * On later versions this function is no longer needed and is
-                * deprecated.
-                */
-               (void)SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif /* defined(SSL_CTX_set_ecdh_auto) */
 
                /* Cleanup */
                EC_KEY_free(eckey);
@@ -494,20 +396,12 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
                 * Set the "not before" property 5 minutes into the past to
                 * accommodate with some possible clock skew across systems.
                 */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-               X509_gmtime_adj(X509_get_notBefore(cert), -300);
-#else
                X509_gmtime_adj(X509_getm_notBefore(cert), -300);
-#endif
 
                /*
                 * We set the vailidy for 10 years.
                 */
-#if OPENSSL_VERSION_NUMBER < 0x10101000L
-               X509_gmtime_adj(X509_get_notAfter(cert), 3650 * 24 * 3600);
-#else
                X509_gmtime_adj(X509_getm_notAfter(cert), 3650 * 24 * 3600);
-#endif
 
                X509_set_pubkey(cert, pkey);
 
@@ -784,7 +678,6 @@ isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
 
 bool
 isc_tls_cipher_suites_valid(const char *cipher_suites) {
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        isc_tlsctx_t *tmp_ctx = NULL;
        const SSL_METHOD *method = NULL;
        bool result;
@@ -808,27 +701,15 @@ isc_tls_cipher_suites_valid(const char *cipher_suites) {
        isc_tlsctx_free(&tmp_ctx);
 
        return (result);
-#else
-       UNUSED(cipher_suites);
-
-       UNREACHABLE();
-#endif
 }
 
 void
 isc_tlsctx_set_cipher_suites(isc_tlsctx_t *ctx, const char *cipher_suites) {
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        REQUIRE(ctx != NULL);
        REQUIRE(cipher_suites != NULL);
        REQUIRE(*cipher_suites != '\0');
 
        RUNTIME_CHECK(SSL_CTX_set_ciphersuites(ctx, cipher_suites) == 1);
-#else
-       UNUSED(ctx);
-       UNUSED(cipher_suites);
-
-       UNREACHABLE();
-#endif
 }
 
 void
@@ -916,10 +797,8 @@ isc_tlsctx_enable_http2client_alpn(isc_tlsctx_t *ctx) {
        SSL_CTX_set_next_proto_select_cb(ctx, select_next_proto_cb, NULL);
 #endif /* !OPENSSL_NO_NEXTPROTONEG */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN,
                                NGHTTP2_PROTO_ALPN_LEN);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 }
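Review bot: The now-unconditional SSL_CTX_set_alpn_protos() call still ignores its return value, and this function has OpenSSL's inverted convention: it returns 0 on success and non-zero on failure (typically an allocation failure). A failure here leaves the client context with no ALPN offer, so an h2 peer may reject the connection for reasons that are hard to trace back. The file already uses RUNTIME_CHECK for the analogous SSL_CTX_set_ciphersuites() call, so the same pattern fits: `RUNTIME_CHECK(SSL_CTX_set_alpn_protos(ctx, (const unsigned char *)NGHTTP2_PROTO_ALPN, NGHTTP2_PROTO_ALPN_LEN) == 0);`, with a short comment noting the 0-on-success convention so the `== 0` is not "fixed" later.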
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
@@ -935,7 +814,6 @@ next_proto_cb(isc_tls_t *ssl, const unsigned char **data, unsigned int *len,
 }
 #endif /* !OPENSSL_NO_NEXTPROTONEG */
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 static int
 alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
                     const unsigned char *in, unsigned int inlen, void *arg) {
@@ -953,7 +831,6 @@ alpn_select_proto_cb(SSL *ssl, const unsigned char **out, unsigned char *outlen,
 
        return (SSL_TLSEXT_ERR_OK);
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
 void
 isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
@@ -962,9 +839,7 @@ isc_tlsctx_enable_http2server_alpn(isc_tlsctx_t *tls) {
 #ifndef OPENSSL_NO_NEXTPROTONEG
        SSL_CTX_set_next_protos_advertised_cb(tls, next_proto_cb, NULL);
 #endif // OPENSSL_NO_NEXTPROTONEG
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        SSL_CTX_set_alpn_select_cb(tls, alpn_select_proto_cb, NULL);
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }
 #endif /* HAVE_LIBNGHTTP2 */
 
@@ -978,11 +853,9 @@ isc_tls_get_selected_alpn(isc_tls_t *tls, const unsigned char **alpn,
 #ifndef OPENSSL_NO_NEXTPROTONEG
        SSL_get0_next_proto_negotiated(tls, alpn, alpnlen);
 #endif
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        if (*alpn == NULL) {
                SSL_get0_alpn_selected(tls, alpn, alpnlen);
        }
-#endif
 }
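Review bot: The `if (*alpn == NULL)` test that this hunk makes unconditional depends on `*alpn` already holding NULL when OPENSSL_NO_NEXTPROTONEG is defined, because in that build SSL_get0_next_proto_negotiated() is never called and nothing in the hunk writes `*alpn` before the comparison. If isc_tls_get_selected_alpn() does not initialise the out-parameters before this point (the function starts outside the hunk, so this cannot be confirmed here), the comparison reads whatever the caller passed in, and an ALPN value could be silently skipped or uninitialised memory inspected. Setting `*alpn = NULL; *alpnlen = 0;` at the top of the function, before the NPN block, makes the fallback to SSL_get0_alpn_selected() correct in both configurations.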
 
 static bool
@@ -1015,13 +888,10 @@ void
 isc_tlsctx_enable_dot_client_alpn(isc_tlsctx_t *ctx) {
        REQUIRE(ctx != NULL);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN,
                                DOT_PROTO_ALPN_LEN);
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 }
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
 static int
 dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
                         unsigned char *outlen, const unsigned char *in,
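Review bot: As in isc_tlsctx_enable_http2client_alpn(), the SSL_CTX_set_alpn_protos() call for the DoT client discards a return value where non-zero means failure, so a context can silently end up offering no `dot` ALPN. Given that isc_tlsctx_enable_dot_client_alpn() is otherwise a one-call wrapper with a REQUIRE on its argument, a hard check is consistent with the rest of the file: `RUNTIME_CHECK(SSL_CTX_set_alpn_protos(ctx, (const uint8_t *)DOT_PROTO_ALPN, DOT_PROTO_ALPN_LEN) == 0);`. The dot_alpn_select_proto_cb() definition that starts at the end of this hunk continues outside it.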
@@ -1039,15 +909,12 @@ dot_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
 
        return (SSL_TLSEXT_ERR_OK);
 }
-#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
 
 void
 isc_tlsctx_enable_dot_server_alpn(isc_tlsctx_t *tls) {
        REQUIRE(tls != NULL);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
        SSL_CTX_set_alpn_select_cb(tls, dot_alpn_select_proto_cb, NULL);
-#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
 }
 
 isc_result_t
@@ -1608,33 +1475,6 @@ isc_tlsctx_client_session_cache_detach(
        isc_mem_putanddetach(&cache->mctx, cache, sizeof(*cache));
 }
 
-static bool
-ssl_session_seems_resumable(const SSL_SESSION *sess) {
-#ifdef HAVE_SSL_SESSION_IS_RESUMABLE
-       /*
-        * If SSL_SESSION_is_resumable() is available, let's use that. It
-        * is expected to be available on OpenSSL >= 1.1.1 and its modern
-        * siblings.
-        */
-       return (SSL_SESSION_is_resumable(sess) != 0);
-#elif (OPENSSL_VERSION_NUMBER >= 0x10100000L)
-       /*
-        * Taking into consideration that OpenSSL 1.1.0 uses opaque
-        * pointers for SSL_SESSION, we cannot implement a replacement for
-        * SSL_SESSION_is_resumable() manually. Let's use a sensible
-        * approximation for that, then: if there is an associated session
-        * ticket or session ID, then, most likely, the session is
-        * resumable.
-        */
-       unsigned int session_id_len = 0;
-       (void)SSL_SESSION_get_id(sess, &session_id_len);
-       return (SSL_SESSION_has_ticket(sess) || session_id_len > 0);
-#else
-       return (!sess->not_resumable &&
-               (sess->session_id_length > 0 || sess->tlsext_ticklen > 0));
-#endif
-}
-
 void
 isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
                                     char *remote_peer_name, isc_tls_t *tls) {
@@ -1652,7 +1492,7 @@ isc_tlsctx_client_session_cache_keep(isc_tlsctx_client_session_cache_t *cache,
        if (sess == NULL) {
                ERR_clear_error();
                return;
-       } else if (!ssl_session_seems_resumable(sess)) {
+       } else if (SSL_SESSION_is_resumable(sess) == 0) {
                SSL_SESSION_free(sess);
                return;
        }
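Review bot: The direct `SSL_SESSION_is_resumable(sess) == 0` check drops the explanatory comment that lived in the removed helper, and the TLSv1.3 behaviour deserves one: OpenSSL reports a TLSv1.3 session as not resumable until a NewSessionTicket has been processed, so if `sess` is obtained with SSL_get1_session() immediately after the handshake (that call is above the hunk and not visible here) the cache may discard sessions that become resumable a moment later; OpenSSL's documented route for TLSv1.3 is SSL_CTX_sess_set_new_cb(). At minimum, the branch should say what it is doing, e.g. `/* Do not cache sessions OpenSSL considers non-resumable; for TLSv1.3 this includes sessions whose ticket has not arrived yet. */`. The enclosing function isc_tlsctx_client_session_cache_keep() starts before and ends after this hunk.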
index a69c559f38138955a974a695544f8fde54d21bea..9daadc48a9dd3a36243d4283ad99170b6e1f603d 100644 (file)
@@ -4058,11 +4058,7 @@ static cfg_clausedef_t tls_clauses[] = {
        { "dhparam-file", &cfg_type_qstring, 0 },
        { "protocols", &cfg_type_tlsprotos, 0 },
        { "ciphers", &cfg_type_astring, 0 },
-#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
        { "cipher-suites", &cfg_type_astring, 0 },
-#else
-       { "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
-#endif
        { "prefer-server-ciphers", &cfg_type_boolean, 0 },
        { "session-tickets", &cfg_type_boolean, 0 },
        { NULL, NULL, 0 }