From: Amos Jeffries Date: Mon, 29 May 2017 03:04:17 +0000 (+1200) Subject: Bug 4662: build errors with LibreSSL 2.4.4 X-Git-Tag: SQUID_4_0_20~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b09156a7140159344a2c22ea8867bb479f1226e6;p=thirdparty%2Fsquid.git Bug 4662: build errors with LibreSSL 2.4.4
---
diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4
index 41a6583335..0863b88caa 100644
--- a/acinclude/lib-checks.m4
+++ b/acinclude/lib-checks.m4
@@ -46,6 +46,61 @@ AC_DEFUN([SQUID_CHECK_LIBIPHLPAPI],[
 SQUID_STATE_ROLLBACK(iphlpapi)
 ])
+dnl Checks whether the -lssl library provides OpenSSL TLS_*_method() definitions
+AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[
+ AH_TEMPLATE(HAVE_OPENSSL_TLS_METHOD, "Define to 1 if the TLS_method() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_OPENSSL_TLS_CLIENT_METHOD, "Define to 1 if the TLS_client_method() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_OPENSSL_TLS_SERVER_METHOD, "Define to 1 if the TLS_server_method() OpenSSL API function exists")
+ SQUID_STATE_SAVE(check_openssl_TLS_METHODS)
+ LIBS="$LIBS $SSLLIB"
+ AC_CHECK_LIB(ssl, TLS_method, AC_DEFINE(HAVE_OPENSSL_TLS_METHOD, 1))
+ AC_CHECK_LIB(ssl, TLS_client_method, AC_DEFINE(HAVE_OPENSSL_TLS_CLIENT_METHOD, 1))
+ AC_CHECK_LIB(ssl, TLS_server_method, AC_DEFINE(HAVE_OPENSSL_TLS_SERVER_METHOD, 1))
+ SQUID_STATE_ROLLBACK(check_openssl_TLS_METHODS)
+])
+
+dnl Checks whether the -lcrypto library provides various OpenSSL API functions
+AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[
+ AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, "Define to 1 if the EVP_PKEY_get0_RSA() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_METH_NEW, "Define to 1 if the BIO_meth_new() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_BIO_GET_INIT, "Define to 1 if the BIO_get_init() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, "Define to 1 if the ASN1_STRING_get0_data() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, "Define to 1 if the X509_STORE_CTX_get0_cert() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, "Define to 1 if the X509_VERIFY_PARAM_get_depth() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_get0_untrusted() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, "Define to 1 if the X509_STORE_CTX_set0_untrusted() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_UP_REF, "Define to 1 if the X509_up_ref() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, "Define to 1 if the X509_CRL_up_ref() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBCRYPTO_DH_UP_REF, "Define to 1 if the DH_up_ref() OpenSSL API function exists")
+ SQUID_STATE_SAVE(check_openssl_libcrypto_api)
+ LIBS="$LIBS $SSLLIB"
+ AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1))
+ AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1))
+ AC_CHECK_LIB(crypto, BIO_get_init, AC_DEFINE(HAVE_LIBCRYPTO_BIO_GET_INIT, 1))
+ AC_CHECK_LIB(crypto, ASN1_STRING_get0_data, AC_DEFINE(HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA, 1))
+ AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_cert, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT, 1))
+ AC_CHECK_LIB(crypto, X509_VERIFY_PARAM_get_depth, AC_DEFINE(HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH, 1))
+ AC_CHECK_LIB(crypto, X509_STORE_CTX_get0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED, 1))
+ AC_CHECK_LIB(crypto, X509_STORE_CTX_set0_untrusted, AC_DEFINE(HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED, 1))
+ AC_CHECK_LIB(crypto, X509_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_UP_REF, 1))
+ AC_CHECK_LIB(crypto, X509_CRL_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_X509_CRL_UP_REF, 1))
+ AC_CHECK_LIB(crypto, DH_up_ref, AC_DEFINE(HAVE_LIBCRYPTO_DH_UP_REF, 1))
+ SQUID_STATE_ROLLBACK(check_openssl_libcrypto_api)
+])
+
+dnl Checks whether the -lssl library provides various OpenSSL API functions
+AC_DEFUN([SQUID_CHECK_LIBSSL_API],[
+ AH_TEMPLATE(HAVE_LIBSSL_SSL_CIPHER_FIND, "Define to 1 if the SSL_CIPHER_find() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, "Define to 1 if the SSL_CTX_set_tmp_rsa_callback() OpenSSL API function exists")
+ AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_ID, "Define to 1 if the SSL_SESSION_get_id() OpenSSL API function exists")
+ SQUID_STATE_SAVE(check_openssl_libssl_api)
+ LIBS="$LIBS $SSLLIB"
+ AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1))
+ AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1))
+ AC_CHECK_LIB(ssl, SSL_SESSION_get_id, AC_DEFINE(HAVE_LIBSSL_SSL_SESSION_GET_ID, 1))
+ SQUID_STATE_ROLLBACK(check_openssl_libssl_api)
+])
+
 dnl Checks whether the OpenSSL SSL_get_certificate crashes squid and if a
 dnl workaround can be used instead of using the SSL_get_certificate
 AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
@@ -66,7 +121,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
 ], [
 SSLeay_add_ssl_algorithms();
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if HAVE_OPENSSL_TLS_METHOD
 SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
 #else
 SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
@@ -97,7 +152,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[
 ], [
 SSLeay_add_ssl_algorithms();
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if HAVE_OPENSSL_TLS_METHOD
 SSL_CTX *sslContext = SSL_CTX_new(TLS_method());
 #else
 SSL_CTX *sslContext = SSL_CTX_new(SSLv23_method());
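Review bot: The new SQUID_CHECK_LIBCRYPTO_API, SQUID_CHECK_LIBSSL_API and SQUID_CHECK_OPENSSL_TLS_METHODS macros detect each API purely by AC_CHECK_LIB link resolution, which never consults the OpenSSL headers: an API that a particular OpenSSL or LibreSSL release provides as a header macro or inline rather than an exported symbol is reported absent, and the matching `#if HAVE_...` in the sources then silently selects the 1.0-era direct-struct-access path, which may not compile against that release at all. For the probes whose result gates struct poking (`BIO_get_init`, `X509_STORE_CTX_get0_cert`, `ASN1_STRING_get0_data`, `SSL_SESSION_get_id`) an `AC_LINK_IFELSE` program that includes `<openssl/ssl.h>` and calls the function would answer the question the sources actually ask. At minimum a `dnl NOTE: AC_CHECK_LIB only proves the symbol links; APIs implemented as header macros are not detected` comment on each of the three macros records the limitation for whoever extends the list.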
@@ -153,8 +208,54 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[
 [])
 SQUID_STATE_ROLLBACK(check_const_SSL_METHOD)
-]
-)
+])
+
+dnl Checks whether the CRYPTO_EX_DATA duplication callback for SSL_get_ex_new_index() has a const argument
+AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_CRYPTO_EX_DATA],[
+ AH_TEMPLATE(SQUID_USE_CONST_CRYPTO_EX_DATA_DUP, "Define to 1 if the SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'")
+ SQUID_STATE_SAVE(check_const_CRYPTO_EX_DATA)
+ AC_MSG_CHECKING(whether SSL_get_new_ex_index() dup callback accepts 'const CRYPTO_EX_DATA *'")
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include 
+
+int const_dup_func(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *, int, long, void *) {
+ return 0;
+}
+ ],[
+return SSL_get_ex_new_index(0, (void*)"foo", NULL, &const_dup_func, NULL);
+ ])
+ ],[
+ AC_DEFINE(SQUID_USE_CONST_CRYPTO_EX_DATA_DUP, 1)
+ AC_MSG_RESULT([yes])
+ ],[
+ AC_MSG_RESULT([no])
+ ])
+ SQUID_STATE_ROLLBACK(check_const_CRYPTO_EX_DATA)
+])
+
+dnl Checks whether the callback for SSL_CTX_sess_set_get_cb() accepts a const ID argument
+AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_SESSION_CB_ARG],[
+ AH_TEMPLATE(SQUID_USE_CONST_SSL_SESSION_CBID, "Define to 1 if the SSL_CTX_sess_set_get_cb() callback accepts a const ID argument")
+ SQUID_STATE_SAVE(check_const_SSL_CTX_sess_set_get_cb)
+ AC_MSG_CHECKING(whether SSL_CTX_sess_set_get_cb() callback accepts a const ID argument")
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([
+#include 
+
+SSL_SESSION *get_session_cb(SSL *, const unsigned char *ID, int, int *) {
+ return NULL;
+}
+ ],[
+SSL_CTX_sess_set_get_cb(NULL, get_session_cb);
+return 0;
+ ])
+ ],[
+ AC_DEFINE(SQUID_USE_CONST_SSL_SESSION_CBID, 1)
+ AC_MSG_RESULT([yes])
+ ],[
+ AC_MSG_RESULT([no])
+ ])
+ SQUID_STATE_ROLLBACK(check_const_SSL_CTX_sess_set_get_cb)
+])
 dnl Try to handle TXT_DB related problems:
 dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version
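Review bot: The two new AC_COMPILE_IFELSE probes define `const_dup_func` and `get_session_cb` with unnamed parameters, which is valid only when the test program is compiled as C++; if the C language happens to be current when these macros run, both checks answer "no" on every toolchain and the non-const callback prototypes get selected even on OpenSSL 1.1, so a detection failure becomes a silent wrong answer rather than a configure error. Wrapping each probe in `AC_LANG_PUSH([C++])` / `AC_LANG_POP([C++])`, or simply naming the parameters, removes that dependence on the caller's language state. Separately, both `AC_MSG_CHECKING(... accepts 'const CRYPTO_EX_DATA *'")` and `AC_MSG_CHECKING(... accepts a const ID argument")` end with an unmatched double quote that has no opening counterpart and will most likely be printed verbatim in the configure output; dropping the trailing `"` from each fixes it.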
diff --git a/configure.ac b/configure.ac
index 0441249718..1856d30a4c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1348,6 +1348,9 @@ if test "x$with_openssl" = "xyes"; then
 AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available])
 # check for API functions
+ SQUID_CHECK_LIBCRYPTO_API
+ SQUID_CHECK_LIBSSL_API
+ SQUID_CHECK_OPENSSL_TLS_METHODS
 SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate)
 LIBS="$LIBS $SSLLIB"
 AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [
@@ -1362,6 +1365,8 @@ if test "x$with_openssl" = "xyes"; then
 SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS
 fi
 SQUID_CHECK_OPENSSL_CONST_SSL_METHOD
+ SQUID_CHECK_OPENSSL_CONST_CRYPTO_EX_DATA
+ SQUID_CHECK_OPENSSL_CONST_SSL_SESSION_CB_ARG
 SQUID_CHECK_OPENSSL_TXTDB
 SQUID_CHECK_OPENSSL_HELLO_OVERWRITE_HACK
 fi
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index 46a43a8474..b6ed67d31e 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -248,7 +248,7 @@ Security::PeerOptions::createBlankContext() const
 #if USE_OPENSSL
 Ssl::Initialize();
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if HAVE_OPENSSL_TLS_CLIENT_METHOD
 SSL_CTX *t = SSL_CTX_new(TLS_client_method());
 #else
 SSL_CTX *t = SSL_CTX_new(SSLv23_client_method());
diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index a40e89d525..c6030f68b1 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -92,7 +92,7 @@ Security::ServerOptions::createBlankContext() const
 #if USE_OPENSSL
 Ssl::Initialize();
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if HAVE_OPENSSL_SERVER_METHOD
 SSL_CTX *t = SSL_CTX_new(TLS_server_method());
 #else
 SSL_CTX *t = SSL_CTX_new(SSLv23_server_method());
diff --git a/src/security/forward.h b/src/security/forward.h
index f95f7b3638..6ad6b66459 100644
--- a/src/security/forward.h
+++ b/src/security/forward.h
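Review bot: `+#if HAVE_OPENSSL_SERVER_METHOD` in the ServerOptions.cc hunk tests a macro that nothing in this commit defines; the probe added to lib-checks.m4 publishes `HAVE_OPENSSL_TLS_SERVER_METHOD`, the counterpart of the `HAVE_OPENSSL_TLS_CLIENT_METHOD` that the PeerOptions.cc hunk uses correctly. An undefined identifier evaluates to 0 in `#if`, so every build, OpenSSL 1.1 and LibreSSL included, keeps taking the `SSLv23_server_method()` fallback that this change is meant to retire, and on 1.1 that name survives only as a deprecated compatibility alias. The line should read `#if HAVE_OPENSSL_TLS_SERVER_METHOD`. createBlankContext() continues outside the hunk.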
@@ -51,9 +51,13 @@ typedef CbDataList CertErrors;
 #if USE_OPENSSL
 CtoCpp1(X509_free, X509 *)
-#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0
+#if !HAVE_LIBCRYPTO_X509_UP_REF // OpenSSL 1.1 API
+#if defined(CRYPTO_LOCK_X509) // OpenSSL 1.0 API
 inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;}
-#endif
+#else
+#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)
+#endif /* CRYPTO_LOCK_X509 */
+#endif /* X509_up_ref */
 typedef Security::LockingPointer > CertPointer;
 #elif USE_GNUTLS
 CtoCpp1(gnutls_x509_crt_deinit, gnutls_x509_crt_t)
@@ -64,9 +68,13 @@ typedef void * CertPointer;
 #if USE_OPENSSL
 CtoCpp1(X509_CRL_free, X509_CRL *)
-#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0
+#if !HAVE_LIBCRYPTO_X509_CRL_UP_REF // OpenSSL 1.1 API
+#if defined(CRYPTO_LOCK_X509_CRL) // OpenSSL 1.0 API
 inline int X509_CRL_up_ref(X509_CRL *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509_CRL); return 0;}
-#endif
+#else
+#error missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)
+#endif /* CRYPTO_LOCK_X509_CRL */
+#endif /* X509_CRL_up_ref */
 typedef Security::LockingPointer > CrlPointer;
 #elif USE_GNUTLS
 CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t)
@@ -81,9 +89,13 @@ typedef std::list CertRevokeList;
 #if USE_OPENSSL
 CtoCpp1(DH_free, DH *);
-#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0
+#if !HAVE_LIBCRYPTO_DH_UP_REF // OpenSSL 1.1 API
+#if defined(CRYPTO_LOCK_DH) // OpenSSL 1.0 API
 inline int DH_up_ref(DH *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_DH); return 0;}
-#endif
+#else
+#error missing both OpenSSL API features DH_up_ref (v1.1) and CRYPTO_LOCK_DH (v1.0)
+#endif /* OpenSSL 1.0 CRYPTO_LOCK_X509_CRL */
+#endif /* OpenSSL 1.1 DH_up_ref */
 typedef Security::LockingPointer > DhePointer;
 #else
 typedef void *DhePointer;
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index f691cd918b..de03520c3c 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
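Review bot: The `#error` added in the X509_CRL hunk repeats the X509 block's text, `missing both OpenSSL API features X509_up_ref (v1.1) and CRYPTO_LOCK_X509 (v1.0)`, but it fires when `X509_CRL_up_ref` and `CRYPTO_LOCK_X509_CRL` are the missing pair, so a builder who hits it is sent to look for the wrong symbols; it should read `#error missing both OpenSSL API features X509_CRL_up_ref (v1.1) and CRYPTO_LOCK_X509_CRL (v1.0)`. The same copy-paste slip appears in the DH hunk's closing comment `#endif /* OpenSSL 1.0 CRYPTO_LOCK_X509_CRL */`, which closes the `CRYPTO_LOCK_DH` conditional and should say `#endif /* OpenSSL 1.0 CRYPTO_LOCK_DH */`. In all three hunks the comment on `#if !HAVE_LIBCRYPTO_*_UP_REF // OpenSSL 1.1 API` labels the branch that is entered when the 1.1 function is absent, which reads backwards; `// no OpenSSL 1.1 *_up_ref(), fall back to the 1.0 API` would say what the branch does.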
@@ -43,7 +43,9 @@ static int squid_bio_destroy(BIO *data);
 /* SSL callbacks */
 static void squid_ssl_info(const SSL *ssl, int where, int ret);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBCRYPTO_BIO_METH_NEW
+static BIO_METHOD *SquidMethods = nullptr;
+#else
 /// Initialization structure for the BIO table with
 /// Squid-specific methods and BIO method wrappers.
 static BIO_METHOD SquidMethods = {
@@ -58,16 +60,12 @@ static BIO_METHOD SquidMethods = {
 squid_bio_destroy,
 NULL // squid_callback_ctrl not supported
 };
-#else
-static BIO_METHOD *SquidMethods = NULL;
 #endif
 BIO *
 Ssl::Bio::Create(const int fd, Security::Io::Type type)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- BIO_METHOD *useMethod = &SquidMethods;
-#else
+#if HAVE_LIBCRYPTO_BIO_METH_NEW
 if (!SquidMethods) {
 SquidMethods = BIO_meth_new(BIO_TYPE_SOCKET, "squid");
 BIO_meth_set_write(SquidMethods, squid_bio_write);
@@ -79,6 +77,8 @@ Ssl::Bio::Create(const int fd, Security::Io::Type type)
 BIO_meth_set_destroy(SquidMethods, squid_bio_destroy);
 }
 const BIO_METHOD *useMethod = SquidMethods;
+#else
+ BIO_METHOD *useMethod = &SquidMethods;
 #endif
 if (BIO *bio = BIO_new(useMethod)) {
@@ -562,7 +562,7 @@ Ssl::ServerBio::resumingSession()
 static int
 squid_bio_create(BIO *bi)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
 bi->init = 0; // set when we store Bio object and socket fd (BIO_C_SET_FD)
 bi->num = 0;
 bi->flags = 0;
@@ -706,11 +706,11 @@ applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl
 cbytes[0] = (cipherId >> 8) & 0xFF;
 cbytes[1] = cipherId & 0xFF;
 cbytes[2] = 0;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CIPHER_FIND
+ const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
+#else
 const SSL_METHOD *method = SSLv23_method();
 const SSL_CIPHER *c = method->get_cipher_by_char(cbytes);
-#else
- const SSL_CIPHER *c = SSL_CIPHER_find(ssl, cbytes);
 #endif
 if (c != NULL) {
 if (!strCiphers.isEmpty())
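Review bot: Under the new `#if HAVE_LIBCRYPTO_BIO_METH_NEW` branch of Ssl::Bio::Create(), the value returned by `BIO_meth_new(BIO_TYPE_SOCKET, "squid")` goes straight into the `BIO_meth_set_*()` calls and then into `BIO_new()` with no null check, so an allocation failure on first use dereferences a null `BIO_METHOD *` instead of failing the BIO creation. Those lines are context here and predate the commit, but the commit is what makes this path the one selected on every library that exports the symbol, so it is worth closing now. Adding `if (!SquidMethods) return nullptr;` directly after the `BIO_meth_new()` call keeps the existing `if (BIO *bio = BIO_new(useMethod))` failure handling as the single exit. Create() continues outside the hunk, so confirm its callers already treat a null return as failure.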
diff --git a/src/ssl/bio.h b/src/ssl/bio.h
index c99d565b74..5feeb2bc91 100644
--- a/src/ssl/bio.h
+++ b/src/ssl/bio.h
@@ -202,7 +202,7 @@ private:
 void applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_BIO_GET_INIT
 // OpenSSL v1.0 bio compatibility functions
 inline void *BIO_get_data(BIO *table) { return table->ptr; }
 inline void BIO_set_data(BIO *table, void *data) { table->ptr = data; }
diff --git a/src/ssl/gadgets.cc b/src/ssl/gadgets.cc
index 0089def552..b516e4d424 100644
--- a/src/ssl/gadgets.cc
+++ b/src/ssl/gadgets.cc
@@ -387,12 +387,12 @@ mimicExtensions(Security::CertPointer & cert, Security::CertPointer const &mimic
 DecipherOnly
 };
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA
+ EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
+ const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != nullptr);
+#else
 const int mimicAlgo = OBJ_obj2nid(mimicCert.get()->cert_info->key->algor->algorithm);
 const bool rsaPkey = (mimicAlgo == NID_rsaEncryption);
-#else
- EVP_PKEY *certKey = X509_get_pubkey(mimicCert.get());
- const bool rsaPkey = (EVP_PKEY_get0_RSA(certKey) != NULL);
 #endif
 int added = 0;
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index eec48f2165..40b92caf8e 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -97,7 +97,7 @@ ssl_ask_password(SSL_CTX * context, const char * prompt)
 }
 }
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK
 static RSA *
 ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
 {
@@ -152,7 +152,7 @@ ssl_temp_rsa_cb(SSL * ssl, int anInt, int keylen)
 static void
 maybeSetupRsaCallback(Security::ContextPointer &ctx)
 {
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK
 debugs(83, 9, "Setting RSA key generation callback.");
 SSL_CTX_set_tmp_rsa_callback(ctx.get(), ssl_temp_rsa_cb);
 #endif
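Review bot: In the `#if HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA` branch of mimicExtensions() in gadgets.cc, `X509_get_pubkey(mimicCert.get())` hands back a new EVP_PKEY reference that the caller owns, and `certKey` is not released anywhere in the hunk; unless an `EVP_PKEY_free(certKey)` follows later in the function (outside this hunk), each mimicked certificate leaks a key object, which matters for a long-running proxy that generates certificates per origin. The same two lines pass `certKey` to `EVP_PKEY_get0_RSA()` without a null check, and a certificate whose public key cannot be decoded makes `X509_get_pubkey()` return null, which that accessor is likely to dereference. Computing `const bool rsaPkey = certKey && EVP_PKEY_get0_RSA(certKey) != nullptr;` and following it with `EVP_PKEY_free(certKey);` closes both, or, where the library offers it, the non-owning `X509_get0_pubkey()` accessor removes the ownership question entirely. mimicExtensions() continues outside the hunk.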
@@ -236,7 +236,7 @@ bool Ssl::checkX509ServerValidity(X509 *cert, const char *server)
 return matchX509CommonNames(cert, (void *)server, check_domain);
 }
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+#if !HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_CERT
 static inline X509 *X509_STORE_CTX_get0_cert(X509_STORE_CTX *ctx)
 {
 return ctx->cert;
@@ -380,7 +380,7 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx)
 }
 // "dup" function for SSL_get_ex_new_index("cert_err_check")
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L)
+#if SQUID_USE_CONST_CRYPTO_EX_DATA_DUP
 static int
 ssl_dupAclChecklist(CRYPTO_EX_DATA *, const CRYPTO_EX_DATA *, void *,
 int, long, void *)
@@ -1068,10 +1068,10 @@ hasAuthorityInfoAccessCaIssuers(X509 *cert)
 if (ad->location->type == GEN_URI) {
 xstrncpy(uri, reinterpret_cast(
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
-#else
+#if HAVE_LIBCRYPTO_ASN1_STRING_GET0_DATA
 ASN1_STRING_get0_data(ad->location->d.uniformResourceIdentifier)
+#else
+ ASN1_STRING_data(ad->location->d.uniformResourceIdentifier)
 #endif
 ), sizeof(uri));
@@ -1203,11 +1203,11 @@ completeIssuers(X509_STORE_CTX *ctx, STACK_OF(X509) *untrustedCerts)
 {
 debugs(83, 2, "completing " << sk_X509_num(untrustedCerts) << " OpenSSL untrusted certs using " << SquidUntrustedCerts.size() << " configured untrusted certificates");
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- int depth = ctx->param->depth;
-#else
+#if HAVE_LIBCRYPTO_X509_VERIFY_PARAM_GET_DEPTH
 const X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
 int depth = X509_VERIFY_PARAM_get_depth(param);
+#else
+ int depth = ctx->param->depth;
 #endif
 X509 *current = X509_STORE_CTX_get0_cert(ctx);
 int i = 0;
@@ -1243,10 +1243,10 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *ctx,void *data)
 // OpenSSL already maintains ctx->untrusted but we cannot modify
 // internal OpenSSL list directly. We have to give OpenSSL our own
 // list, but it must include certificates on the OpenSSL ctx->untrusted
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- STACK_OF(X509) *oldUntrusted = ctx->untrusted;
-#else
+#if HAVE_LIBCRYPTO_X509_STORE_CTX_GET0_UNTRUSTED
 STACK_OF(X509) *oldUntrusted = X509_STORE_CTX_get0_untrusted(ctx);
+#else
+ STACK_OF(X509) *oldUntrusted = ctx->untrusted;
 #endif
 STACK_OF(X509) *sk = sk_X509_dup(oldUntrusted); // oldUntrusted is always not NULL
@@ -1262,10 +1262,10 @@ untrustedToStoreCtx_cb(X509_STORE_CTX *ctx,void *data)
 X509_STORE_CTX_set_chain(ctx, sk); // No locking/unlocking, just sets ctx->untrusted
 int ret = X509_verify_cert(ctx);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
-#else
+#if HAVE_LIBCRYPTO_X509_STORE_CTX_SET0_UNTRUSTED
 X509_STORE_CTX_set0_untrusted(ctx, oldUntrusted);
+#else
+ X509_STORE_CTX_set_chain(ctx, oldUntrusted); // Set back the old untrusted list
 #endif
 sk_X509_free(sk); // Release sk list
 return ret;
@@ -1391,12 +1391,12 @@ store_session_cb(SSL *ssl, SSL_SESSION *session)
 SSL_SESSION_set_timeout(session, Config.SSL.session_ttl);
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- unsigned char *id = session->session_id;
- unsigned int idlen = session->session_id_length;
-#else
+#if HAVE_LIBSSL_SSL_SESSION_GET_ID
 unsigned int idlen;
 const unsigned char *id = SSL_SESSION_get_id(session, &idlen);
+#else
+ unsigned char *id = session->session_id;
+ unsigned int idlen = session->session_id_length;
 #endif
 unsigned char key[MEMMAP_SLOT_KEY_SIZE];
 // Session ids are of size 32bytes. They should always fit to a
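Review bot: The `SSL_SESSION_get_id(session, &idlen)` path now selected in store_session_cb() yields a length chosen by the library, and the comment that follows, `// Session ids are of size 32bytes. They should always fit to a`, records an assumption rather than a check against `key[MEMMAP_SLOT_KEY_SIZE]`. The copy into `key` happens outside the hunk, so confirm it is bounded by `idlen` clamped to `MEMMAP_SLOT_KEY_SIZE` rather than by convention, and a `static_assert(MEMMAP_SLOT_KEY_SIZE >= SSL_MAX_SSL_SESSION_ID_LENGTH, "session id must fit the cache key");` beside the array makes the assumption fail at compile time instead of as an overflow. The `session->session_id_length` fallback in the `#else` branch needs the same bound.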
@@ -1440,10 +1440,10 @@ remove_session_cb(SSL_CTX *, SSL_SESSION *sessionID)
 }
 static SSL_SESSION *
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
-get_session_cb(SSL *, unsigned char *sessionID, int len, int *copy)
-#else
+#if SQUID_USE_CONST_SSL_SESSION_CBID
 get_session_cb(SSL *, const unsigned char *sessionID, int len, int *copy)
+#else
+get_session_cb(SSL *, unsigned char *sessionID, int len, int *copy)
 #endif
 {
 if (!Ssl::SessionCache)
diff --git a/src/ssl/support.h b/src/ssl/support.h
index e8f566209e..a940e59156 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -83,12 +83,6 @@ bool InitServerContext(Security::ContextPointer &, AnyP::PortCfg &);
 /// initialize a TLS client context with OpenSSL specific settings
 bool InitClientContext(Security::ContextPointer &, Security::PeerOptions &, long flags);
-#if defined(CRYPTO_LOCK_X509)
-// portability wrapper for OpenSSL 1.0 vs 1.1
-// use Security::CertPointer instead where possible
-inline int X509_up_ref(X509 *t) {if (t) CRYPTO_add(&t->references, 1, CRYPTO_LOCK_X509); return 0;}
-#endif
-
 } //namespace Ssl
 /// \ingroup ServerProtocolSSLAPI