From: Christos Tsantilas Date: Thu, 4 Jul 2013 04:42:07 +0000 (-0600) Subject: Bug 3297: Fix openSSL related build failures X-Git-Tag: SQUID_3_3_7~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=57d4b487b5c086341cba919024d68ec28b829f58;p=thirdparty%2Fsquid.git Bug 3297: Fix openSSL related build failures - The SSL_CTX_new in newer openSSL releases requires a const 'SSL_METHOD *' argument and in older releases requires non const 'SSL_METHD *' argument. Currently we are trying to identify openSSL version using the OPENSSL_VERSION_NUMBER macro define but we are failing to correctly identify all cases. - sk_OPENSSL_PSTRING_value is buggy in early openSSL-1.0.0? releases causing compile errors to squid. This is a Measurement Factory project --- diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4 index 80ef8a2931..2bf98ee0aa 100644 --- a/acinclude/lib-checks.m4 +++ b/acinclude/lib-checks.m4 @@ -159,6 +159,37 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[ SQUID_STATE_ROLLBACK(check_SSL_get_certificate) ]) +dnl Checks whether the SSL_CTX_new and similar functions require +dnl a const 'SSL_METHOD *' argument +AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[ + AH_TEMPLATE(SQUID_USE_CONST_SSL_METHOD, "Define to 1 if the SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'") + SQUID_STATE_SAVE(check_const_SSL_METHOD) + AC_MSG_CHECKING(whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'") + + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [ + #include + #include + ], + [ + const SSL_METHOD *method = NULL; + SSL_CTX *sslContext = SSL_CTX_new(method); + return (sslContext != NULL); + ]) + ], + [ + AC_DEFINE(SQUID_USE_CONST_SSL_METHOD, 1) + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + ], + []) + +SQUID_STATE_ROLLBACK(check_const_SSL_METHOD) +] +) dnl Try to handle TXT_DB related problems: dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version 
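Review bot: The compile test in SQUID_CHECK_OPENSSL_CONST_SSL_METHOD only tells the two APIs apart if it is compiled as C++: built as C, passing a `const SSL_METHOD *` to a non-const `SSL_CTX_new` is just a discarded-qualifier warning, the test succeeds, and SQUID_USE_CONST_SSL_METHOD is defined against the old API, which is exactly the mismatch Bug 3297 is meant to remove. Whether configure has already switched to C++ at this point is not visible in this hunk, so either bracket the AC_COMPILE_IFELSE with `AC_LANG_PUSH([C++])` / `AC_LANG_POP([C++])` or add `-Werror` to the compiler flags for the duration of the test (SQUID_STATE_SAVE/ROLLBACK already scope such changes). Separately, the AC_MSG_CHECKING text carries a stray double quote after `'const SSL_METHOD *'` that ends up in the configure output; drop it.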
@@ -167,11 +198,13 @@ dnl implemented correctly and causes type conversion errors while compiling s AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[ AH_TEMPLATE(SQUID_SSLTXTDB_PSTRINGDATA, "Define to 1 if the TXT_DB uses OPENSSL_PSTRING data member") + AH_TEMPLATE(SQUID_STACKOF_PSTRINGDATA_HACK, "Define to 1 to use squid workaround for buggy versions of sk_OPENSSL_PSTRING_value") AH_TEMPLATE(SQUID_USE_SSLLHASH_HACK, "Define to 1 to use squid workaround for openssl IMPLEMENT_LHASH_* type conversion errors") SQUID_STATE_SAVE(check_TXTDB) LIBS="$LIBS $SSLLIB" + squid_cv_check_openssl_pstring="no" AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM( @@ -187,12 +220,36 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[ [ AC_DEFINE(SQUID_SSLTXTDB_PSTRINGDATA, 1) AC_MSG_RESULT([yes]) + squid_cv_check_openssl_pstring="yes" ], [ AC_MSG_RESULT([no]) ], []) + if test x"$squid_cv_check_openssl_pstring" = "xyes"; then + AC_MSG_CHECKING(whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [ + #include + ], + [ + TXT_DB *db = NULL; + const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, 0)); + return (current_row != NULL); + ]) + ], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1) + AC_MSG_RESULT([yes]) + ], + []) + fi + AC_MSG_CHECKING(whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM( diff --git a/configure.ac b/configure.ac index 5e1bf8ace0..3e962aeeed 100644 --- a/configure.ac +++ b/configure.ac @@ -1266,6 +1266,7 @@ AC_SUBST(SSLLIB) if test "x$with_openssl" = "xyes"; then SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS +SQUID_CHECK_OPENSSL_CONST_SSL_METHOD SQUID_CHECK_OPENSSL_TXTDB fi diff --git a/src/ssl/certificate_db.cc b/src/ssl/certificate_db.cc index 495be8fa4a..babdbe8175 100644 --- a/src/ssl/certificate_db.cc +++ b/src/ssl/certificate_db.cc 
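Review bot: The failure branch of the new sk_OPENSSL_PSTRING_value check defines SQUID_STACKOF_PSTRINGDATA_HACK on any compile failure without verifying that the replacement expression itself builds, so a toolchain or header problem at this point is reported as `yes` and only surfaces later as a compile error inside certificate_db.cc. A second AC_COMPILE_IFELSE on `sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), 0)` inside that branch, with AC_MSG_ERROR if it fails as well, keeps the diagnosis at configure time; CHECKED_STACK_OF is an OpenSSL-internal macro rather than documented API, which is one more reason to test it rather than assume it. The message text `should used` should read `should be used`.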
@@ -167,7 +167,11 @@ void Ssl::CertificateDb::sq_TXT_DB_delete(TXT_DB *db, const char **row)
 #if SQUID_SSLTXTDB_PSTRINGDATA
 for (int i = 0; i < sk_OPENSSL_PSTRING_num(db->data); ++i) {
+#if SQUID_STACKOF_PSTRINGDATA_HACK
+ const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i));
+#else
 const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, i));
+#endif
 #else
 for (int i = 0; i < sk_num(db->data); ++i) {
 const char ** current_row = ((const char **)sk_value(db->data, i));
@@ -517,7 +521,11 @@ bool Ssl::CertificateDb::deleteInvalidCertificate()
 bool removed_one = false;
 #if SQUID_SSLTXTDB_PSTRINGDATA
 for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) {
+#if SQUID_STACKOF_PSTRINGDATA_HACK
+ const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i));
+#else
 const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
+#endif
 #else
 for (int i = 0; i < sk_num(db.get()->data); ++i) {
 const char ** current_row = ((const char **)sk_value(db.get()->data, i));
@@ -548,7 +556,11 @@ bool Ssl::CertificateDb::deleteOldestCertificate()
 return false;
 #if SQUID_SSLTXTDB_PSTRINGDATA
+#if SQUID_STACKOF_PSTRINGDATA_HACK
+ const char **row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), 0));
+#else
 const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0);
+#endif
 #else
 const char **row = (const char **)sk_value(db.get()->data, 0);
 #endif
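Review bot: The same nested `#if SQUID_STACKOF_PSTRINGDATA_HACK` ladder around the row accessor is now pasted into four functions of certificate_db.cc (this hunk and the three that follow), so the next change to OpenSSL's stack API has to be applied in four places and any one of them can drift. A file-static helper that takes the `TXT_DB *` and returns row `i` confines the version logic to one definition; the loop headers still differ between the branches (`sk_OPENSSL_PSTRING_num` versus `sk_num`), so the outer `#if` around the `for` stays, but each call site shrinks to `const char **current_row = txtDbRow(db, i);`. sq_TXT_DB_delete's body continues outside the hunk.
```cpp
/// Row i of db->data, hiding the OpenSSL-version-specific stack accessor
/// so the iteration sites below do not each repeat the #if ladder.
static const char **
txtDbRow(TXT_DB *db, int i)
{
#if SQUID_SSLTXTDB_PSTRINGDATA
#if SQUID_STACKOF_PSTRINGDATA_HACK
    return (const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i);
#else
    return (const char **)sk_OPENSSL_PSTRING_value(db->data, i);
#endif
#else
    return (const char **)sk_value(db->data, i);
#endif
}

// … unchanged: sq_TXT_DB_delete up to the row loop …
#if SQUID_SSLTXTDB_PSTRINGDATA
    for (int i = 0; i < sk_OPENSSL_PSTRING_num(db->data); ++i) {
#else
    for (int i = 0; i < sk_num(db->data); ++i) {
#endif
        const char **current_row = txtDbRow(db, i);
```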
@@ -565,7 +577,11 @@ bool Ssl::CertificateDb::deleteByHostname(std::string const & host)
 #if SQUID_SSLTXTDB_PSTRINGDATA
 for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) {
+#if SQUID_STACKOF_PSTRINGDATA_HACK
+ const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i));
+#else
 const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i));
+#endif
 #else
 for (int i = 0; i < sk_num(db.get()->data); ++i) {
 const char ** current_row = ((const char **)sk_value(db.get()->data, i));
diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
index 4df8bbacef..e90ca6a0f5 100644
--- a/src/ssl/gadgets.h
+++ b/src/ssl/gadgets.h
@@ -26,10 +26,10 @@ namespace Ssl
 because they are used by ssl_crtd.
 */
-#if OPENSSL_VERSION_NUMBER < 0x00909000L
-typedef SSL_METHOD * ContextMethod;
-#else
+#if SQUID_USE_CONST_SSL_METHOD
 typedef const SSL_METHOD * ContextMethod;
+#else
+typedef SSL_METHOD * ContextMethod;
 #endif
 /**
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 0611e6d38a..a8c1a1bd35 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -940,12 +940,8 @@ SSL_CTX *
 sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile)
 {
 int ssl_error;
-#if OPENSSL_VERSION_NUMBER < 0x00909000L
- SSL_METHOD *method;
-#else
- const SSL_METHOD *method;
-#endif
- SSL_CTX *sslContext;
+ Ssl::ContextMethod method;
+ SSL_CTX * sslContext;
 long fl = Ssl::parse_flags(flags);
 ssl_initialize();
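Review bot: `#if SQUID_USE_CONST_SSL_METHOD` in gadgets.h silently selects the non-const typedef whenever the macro is merely absent, which now happens not only on old OpenSSL but also when this header is compiled without the configure-generated header in front of it, or when the configure check failed for an unrelated reason (it defines the macro only on a successful compile); the OPENSSL_VERSION_NUMBER test it replaces at least came from the OpenSSL headers this file already depends on. Whether every includer of gadgets.h (the surrounding comment names ssl_crtd) pulls in the autoconf header first is not visible here and is worth confirming. At minimum the origin of the macro should be recorded next to the `#if`, e.g. `// Set by SQUID_CHECK_OPENSSL_CONST_SSL_METHOD (acinclude/lib-checks.m4); undefined selects the non-const API, so a type error here usually means configure did not run the check.`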
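Review bot: `Ssl::ContextMethod method;` in sslCreateClientContext leaves the pointer indeterminate, exactly as the removed declarations did, so if the `version` handling that follows has no default that assigns it, SSL_CTX_new is reached with an uninitialized pointer; since the line is being rewritten anyway, initialize it, `Ssl::ContextMethod method = NULL;`, so that case shows up as a NULL method (which OpenSSL rejects and the existing NULL-context handling can report) instead of undefined behaviour. The body of sslCreateClientContext continues outside the hunk, so whether such a default exists cannot be confirmed from here.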