From: Amos Jeffries Date: Wed, 28 Feb 2024 13:01:02 +0000 (+0000) Subject: Maintenance: update --with-gnutls detection (#1685) X-Git-Tag: SQUID_7_0_1~192 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c813943dc78aba2a707a0b49020b06ccbd43cee3;p=thirdparty%2Fsquid.git Maintenance: update --with-gnutls detection (#1685) Simplify the SQUID_CHECK_LIB_WORKS(gnutls,...) logic to use all the latest abilities of that macro
---
diff --git a/configure.ac b/configure.ac
index 6fc9a54165..1658fabf39 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1077,37 +1077,17 @@ dnl Solaris10 provides MD5 natively through libmd5 AC_CHECK_LIB(md5, MD5Init, [CRYPTLIB="$CRYPTLIB -lmd5"]) AC_SUBST(CRYPTLIB) -SSLLIB="" - SQUID_AUTO_LIB(gnutls,[GnuTLS crypto],[LIBGNUTLS]) -AH_TEMPLATE(USE_GNUTLS,[GnuTLS support is available]) SQUID_CHECK_LIB_WORKS(gnutls,[ SQUID_STATE_SAVE(squid_gnutls_state) - - # User may have provided a custom location for GnuTLS. Otherwise... - CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS" - LIBS="$LIBS $LIBGNUTLS_PATH" - - # auto-detect using pkg-config PKG_CHECK_MODULES([LIBGNUTLS],[gnutls >= 3.4.0],[ - CPPFLAGS="$CPPFLAGS $LIBGNUTLS_CFLAGS" - ],[ - ## find the package without pkg-config - ## check that the library is actually new enough. - ## by testing for a 3.4.0+ function which we use - AC_CHECK_LIB(gnutls,gnutls_pcert_export_x509,[LIBGNUTLS_LIBS="-lgnutls"]) - ]) - # if any of the required headers is not found, signal we can't support gnutls - AC_CHECK_HEADERS([gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h], [], [LIBGNUTLS_LIBS=""]) - - SQUID_STATE_ROLLBACK(squid_gnutls_state) #de-pollute LIBS - - AS_IF([test "x$LIBGNUTLS_LIBS" != "x"],[ - SSLLIB="$LIBGNUTLS_PATH $LIBGNUTLS_LIBS $SSLLIB" - AC_DEFINE(USE_GNUTLS,1,[GnuTLS support is available]) - ]) + CPPFLAGS="$LIBGNUTLS_CFLAGS $CPPFLAGS" + AC_CHECK_HEADERS(gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h) + ],[:]) + SQUID_STATE_ROLLBACK(squid_gnutls_state) ]) +SSLLIB="" dnl User may specify OpenSSL is needed from a non-standard location SQUID_OPTIONAL_LIB(openssl,[OpenSSL],[LIBOPENSSL]) AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available]) diff --git a/squid.dox b/squid.dox index 1554bfda72..465fe89b34 100644 --- a/squid.dox +++ b/squid.dox @@ -2066,6 +2066,7 @@ INCLUDE_FILE_PATTERNS = PREDEFINED = __cplusplus \ FOLLOW_X_FORWARDED_FOR \ FORW_VIA_DB \ + HAVE_LIBGNUTLS \ ICAP_CLIENT \ HAVE_LIBHEIMDAL_KRB5 \ LINUX_NETFILTER \ 
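Review bot: The added `AC_CHECK_HEADERS(gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h)` inside the pkg-config success branch carries no action-if-not-found, whereas the removed check cleared `LIBGNUTLS_LIBS` so that a missing header disabled GnuTLS at configure time. Unless SQUID_CHECK_LIB_WORKS itself inspects those header results (its body is not in this diff), a host with a gnutls.pc but incomplete headers would now get HAVE_LIBGNUTLS defined, and the `#elif HAVE_LIBGNUTLS` / `#if HAVE_GNUTLS_GNUTLS_H` blocks in Context.h and Session.h would compile the GnuTLS paths without the include and fail at build time; if the macro still keys on LIBGNUTLS_LIBS, restoring `AC_CHECK_HEADERS([gnutls/gnutls.h gnutls/x509.h gnutls/abstract.h],[],[LIBGNUTLS_LIBS=""])` keeps the old behaviour. The `[:]` not-found action also drops the `AC_CHECK_LIB(gnutls,gnutls_pcert_export_x509,...)` fallback, so installs without pkg-config metadata are no longer detected and the 3.4.0 floor is enforced only through pkg-config; whether an explicit `--with-gnutls` then fails loudly rather than quietly producing a TLS-less binary depends on the macro and is worth confirming, and the commit message should state that the fallback was dropped on purpose. Finally, the removed `SSLLIB="$LIBGNUTLS_PATH $LIBGNUTLS_LIBS $SSLLIB"` was the only visible place LIBGNUTLS_PATH reached the link line, while the src/Makefile.am hunks add only `$(LIBGNUTLS_LIBS)`, so please confirm that SQUID_AUTO_LIB folds a user-supplied library path into LIBGNUTLS_LIBS.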
@@ -2081,7 +2082,6 @@ PREDEFINED = __cplusplus \ USE_ECAP \ USE_ERR_LOCALES \ USE_EPOLL \ - USE_GNUTLS \ USE_HEXDUMP \ USE_HTCP \ USE_HTTP_VIOLATIONS \ diff --git a/src/Makefile.am b/src/Makefile.am index 2b15ee5fbc..af55b7df7c 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -525,6 +525,7 @@ squid_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(LIBCAP_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(LIBHEIMDAL_KRB5_LIBS) \ $(SSLLIB) \ $(EPOLL_LIBS) \ @@ -1160,6 +1161,7 @@ tests_testRock_LDADD = \ $(REGEXLIB) \ $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ $(XTRA_LIBS) @@ -1336,6 +1338,7 @@ tests_testUfs_LDADD = \ $(REGEXLIB) \ $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ $(XTRA_LIBS) @@ -1499,6 +1502,7 @@ tests_testStore_LDADD= \ $(SSLLIB) \ CommCalls.o \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ $(XTRA_LIBS) @@ -1674,6 +1678,7 @@ tests_testDiskIO_LDADD = \ $(REGEXLIB) \ $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ $(XTRA_LIBS) @@ -1723,6 +1728,7 @@ tests_testACLMaxUserIP_LDADD = \ base/libbase.la \ $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(XTRA_LIBS) tests_testACLMaxUserIP_LDFLAGS = $(LIBADD_DL) @@ -1975,6 +1981,7 @@ tests_test_http_range_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(LIBCAP_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(LIBHEIMDAL_KRB5_LIBS) \ $(REGEXLIB) \ $(SSLLIB) \ @@ -2029,6 +2036,7 @@ tests_testHttp1Parser_LDADD= \ $(top_builddir)/lib/libmiscutil.la \ $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(XTRA_LIBS) tests_testHttp1Parser_LDFLAGS = $(LIBADD_DL) @@ -2131,6 +2139,7 @@ tests_testHttpReply_LDADD=\ $(top_builddir)/lib/libmiscutil.la \ $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ $(XTRA_LIBS) 
@@ -2360,6 +2369,7 @@ tests_testHttpRequest_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(LIBCAP_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(LIBHEIMDAL_KRB5_LIBS) \ $(REGEXLIB) \ $(SSLLIB) \ @@ -2658,6 +2668,7 @@ tests_testCacheManager_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(LIBCAP_LIBS) \ + $(LIBGNUTLS_LIBS) \ $(LIBHEIMDAL_KRB5_LIBS) \ $(REGEXLIB) \ $(SSLLIB) \ diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc index aba1bab559..590074491d 100644 --- a/src/anyp/Uri.cc +++ b/src/anyp/Uri.cc @@ -981,7 +981,7 @@ urlCheckRequest(const HttpRequest * r) return false; case AnyP::PROTO_HTTPS: -#if USE_OPENSSL || USE_GNUTLS +#if USE_OPENSSL || HAVE_LIBGNUTLS return true; #else /* diff --git a/src/cf.data.pre b/src/cf.data.pre index 76123be77b..51bb2d5a85 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre @@ -2561,7 +2561,7 @@ CONFIG_END DOC_END NAME: https_port -IFDEF: USE_GNUTLS||USE_OPENSSL +IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL TYPE: PortCfg DEFAULT: none LOC: HttpPortList @@ -3017,7 +3017,7 @@ COMMENT_START COMMENT_END NAME: tls_outgoing_options -IFDEF: USE_GNUTLS||USE_OPENSSL +IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL TYPE: securePeerOptions DEFAULT: min-version=1.0 LOC: Security::ProxyOutgoingConfig diff --git a/src/cf_gen_defines b/src/cf_gen_defines index 5b070eef1c..283c3e6ecc 100644 --- a/src/cf_gen_defines +++ b/src/cf_gen_defines @@ -26,6 +26,7 @@ BEGIN { define["FOLLOW_X_FORWARDED_FOR&&USE_DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools" define["HAVE_AUTH_MODULE_BASIC"]="--enable-auth-basic" define["HAVE_AUTH_MODULE_DIGEST"]="--enable-auth-digest" + define["HAVE_LIBGNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl" define["HAVE_MSTATS&&HAVE_GNUMALLOC_H"]="GNU Malloc with mstats()" define["ICAP_CLIENT"]="--enable-icap-client" define["SO_MARK&&USE_LIBCAP"]="Packet MARK (Linux)" 
@@ -36,7 +37,6 @@ BEGIN { define["USE_DELAY_POOLS"]="--enable-delay-pools" define["USE_ECAP"]="--enable-ecap" define["USE_ERR_LOCALES"]="--enable-auto-locale" - define["USE_GNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl" define["USE_HTCP"]="--enable-htcp" define["USE_HTTP_VIOLATIONS"]="--enable-http-violations" define["USE_ICMP"]="--enable-icmp" diff --git a/src/security/Certificate.cc b/src/security/Certificate.cc index cdd80c6d8e..5e97fd940d 100644 --- a/src/security/Certificate.cc +++ b/src/security/Certificate.cc @@ -39,7 +39,7 @@ Security::IssuerName(Certificate &cert) } out.append(name.get()); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS gnutls_x509_dn_t issuer; auto x = gnutls_x509_crt_get_issuer(&cert, &issuer); if (x != GNUTLS_E_SUCCESS) { @@ -79,7 +79,7 @@ Security::SubjectName(Certificate &cert) } out.append(name.get()); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS gnutls_x509_dn_t subject; auto x = gnutls_x509_crt_get_subject(&cert, &subject); if (x != GNUTLS_E_SUCCESS) { @@ -115,7 +115,7 @@ Security::IssuedBy(Certificate &cert, Certificate &issuer) debugs(83, DBG_PARSE_NOTE(3), issuer << " did not sign " << cert << ":" << Debug::Extra << "X509_check_issued() result: " << X509_verify_cert_error_string(result) << " (" << result << ")" << Ssl::ReportAndForgetErrors); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS const auto result = gnutls_x509_crt_check_issuer(&cert, &issuer); if (result == 1) return true; diff --git a/src/security/Context.h b/src/security/Context.h index 5f879e8a32..8ef6343cf0 100644 --- a/src/security/Context.h +++ b/src/security/Context.h @@ -17,7 +17,7 @@ #include #endif -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS #if HAVE_GNUTLS_GNUTLS_H #include #endif @@ -28,7 +28,7 @@ namespace Security { #if USE_OPENSSL typedef std::shared_ptr ContextPointer; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS typedef std::shared_ptr ContextPointer; #else diff --git a/src/security/ErrorDetail.cc b/src/security/ErrorDetail.cc index 2884abb492..66fbb5b4d1 100644 
--- a/src/security/ErrorDetail.cc +++ b/src/security/ErrorDetail.cc @@ -20,7 +20,7 @@ #if USE_OPENSSL #include "ssl/ErrorDetailManager.h" -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS #if HAVE_GNUTLS_GNUTLS_H #include #endif @@ -478,7 +478,7 @@ Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const int anIoEr ioErrorNo = anIoErrorNo; } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const LibErrorCode aLibErrorNo, const int aSysErrorNo): ErrorDetail(anErrorCode, aSysErrorNo) { @@ -508,7 +508,7 @@ Security::ErrorDetail::brief() const // TODO: Log ERR_error_string_n() instead, despite length, whitespace? // Example: `error:1408F09C:SSL routines:ssl3_get_record:http request`. os << "+TLS_LIB_ERR=" << asHex(lib_error_no).upperCase(); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS os << '+' << gnutls_strerror_name(lib_error_no); #endif } diff --git a/src/security/ErrorDetail.h b/src/security/ErrorDetail.h index fb121d0ed2..ca89673309 100644 --- a/src/security/ErrorDetail.h +++ b/src/security/ErrorDetail.h @@ -52,7 +52,7 @@ public: /// \param anIoErrorNo TLS I/O function outcome; \see ErrorDetail::ioErrorNo /// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo ErrorDetail(ErrorCode anErrorCode, int anIoErrorNo, int aSysErrorNo); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS /// Details (or starts detailing) a non-validation failure. /// \param anLibErrorNo TLS function outcome; \see ErrorDetail::lib_error_no /// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo diff --git a/src/security/Io.cc b/src/security/Io.cc index fb5eea4ac6..de5564d635 100644 --- a/src/security/Io.cc +++ b/src/security/Io.cc 
@@ -146,7 +146,7 @@ Security::Handshake(Comm::Connection &transport, const ErrorCode topError, Fun i return ioResult; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS if (callResult == GNUTLS_E_SUCCESS) { // TODO: Avoid gnutls_*() calls if debugging is off. const auto desc = gnutls_session_get_desc(connection); @@ -199,7 +199,7 @@ Security::Accept(Comm::Connection &transport) return Handshake(transport, SQUID_TLS_ERR_ACCEPT, [] (ConnectionPointer tlsConn) { #if USE_OPENSSL return SSL_accept(tlsConn); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS return gnutls_handshake(tlsConn); #else return sizeof(tlsConn); // the value is unused; should be unreachable @@ -214,7 +214,7 @@ Security::Connect(Comm::Connection &transport) return Handshake(transport, SQUID_TLS_ERR_CONNECT, [] (ConnectionPointer tlsConn) { #if USE_OPENSSL return SSL_connect(tlsConn); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS return gnutls_handshake(tlsConn); #else return sizeof(tlsConn); // the value is unused; should be unreachable diff --git a/src/security/KeyData.cc b/src/security/KeyData.cc index 0ffd51b5aa..e2d4119a23 100644 --- a/src/security/KeyData.cc +++ b/src/security/KeyData.cc @@ -87,7 +87,7 @@ Security::KeyData::loadCertificates() Debug::Extra << "problem: " << CurrentException); } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS const char *certFilename = certFile.c_str(); gnutls_datum_t data; Security::LibErrorCode x = gnutls_load_file(certFilename, &data); @@ -152,7 +152,7 @@ Security::KeyData::loadX509PrivateKeyFromFile() pkey.reset(); } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS const char *keyFilename = privateKeyFile.c_str(); gnutls_datum_t data; if (gnutls_load_file(keyFilename, &data) == GNUTLS_E_SUCCESS) { diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc index 44a18dc45a..62bc08d046 100644 --- a/src/security/PeerOptions.cc +++ b/src/security/PeerOptions.cc 
@@ -167,7 +167,7 @@ Security::PeerOptions::updateTlsVersionLimits() add.append(":NO_TLSv1_1"); if (v > 2) add.append(":NO_TLSv1_2"); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS if (v > 0) add.append(":-VERS-TLS1.0"); if (v > 1) @@ -198,28 +198,28 @@ Security::PeerOptions::updateTlsVersionLimits() case 3: #if USE_OPENSSL add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3"; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3"; #endif break; case 4: #if USE_OPENSSL add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3"; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3"; #endif break; case 5: #if USE_OPENSSL add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3"; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3"; #endif break; case 6: #if USE_OPENSSL add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3"; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3"; #endif break; @@ -251,7 +251,7 @@ Security::PeerOptions::createBlankContext() const } ctx = convertContextFromRawPtr(t); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // Initialize for X.509 certificate exchange gnutls_certificate_credentials_t t; if (const auto x = gnutls_certificate_allocate_credentials(&t)) { @@ -522,7 +522,7 @@ Security::PeerOptions::parseOptions() #endif parsedOptions = op; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS if (str.isEmpty()) { parsedOptions.reset(); return; @@ -636,7 +636,7 @@ Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx) parseOptions(); #if USE_OPENSSL SSL_CTX_set_options(ctx.get(), parsedOptions); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // NP: GnuTLS uses 'priorities' which are set only per-session instead. (void)ctx; #else 
@@ -678,7 +678,7 @@ loadSystemTrustedCa(Security::ContextPointer &ctx) if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0) return Security::ErrorString(ERR_get_error()); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS auto x = gnutls_certificate_set_x509_system_trust(ctx.get()); if (x < 0) return Security::ErrorString(x); @@ -706,7 +706,7 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx) debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " << i << ": " << Security::ErrorString(x)); } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS const auto x = gnutls_certificate_set_x509_trust_file(ctx.get(), i.c_str(), GNUTLS_X509_FMT_PEM); if (x < 0) { debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " << @@ -762,7 +762,7 @@ Security::PeerOptions::updateContextTrust(Security::ContextPointer &ctx) Security::ErrorString(ERR_get_error())); } #endif -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // Modern GnuTLS versions trust intermediate CA certificates by default. (void)ctx; #else @@ -779,7 +779,7 @@ Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s) // XXX: Options already set before (via the context) are not cleared! SSL_set_options(s.get(), parsedOptions); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS LibErrorCode x; SBuf errMsg; if (!parsedOptions) { diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h index 7aed44e5bd..e78081d36e 100644 --- a/src/security/PeerOptions.h +++ b/src/security/PeerOptions.h @@ -115,7 +115,7 @@ protected: debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p); SSL_CTX_free(p); }); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS debugs(83, 5, "gnutls_certificate_credentials construct, this=" << (void*)ctx); return Security::ContextPointer(ctx, [](gnutls_certificate_credentials_t p) { debugs(83, 5, "gnutls_certificate_credentials destruct, this=" << (void*)p); 
diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc index 2118058edd..a9a58555d2 100644 --- a/src/security/ServerOptions.cc +++ b/src/security/ServerOptions.cc @@ -173,7 +173,7 @@ Security::ServerOptions::createBlankContext() const } ctx = convertContextFromRawPtr(t); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // Initialize for X.509 certificate exchange gnutls_certificate_credentials_t t; if (const auto x = gnutls_certificate_allocate_credentials(&t)) { @@ -249,7 +249,7 @@ Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &) } } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS for (auto &keys : certs) { gnutls_x509_crt_t crt = keys.cert.get(); gnutls_x509_privkey_t xkey = keys.pkey.get(); @@ -302,7 +302,7 @@ Security::ServerOptions::createSigningContexts(const AnyP::PortCfg &port) #if USE_OPENSSL Ssl::generateUntrustedCert(untrustedSigningCa.cert, untrustedSigningCa.pkey, signingCa.cert, signingCa.pkey); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // TODO: implement for GnuTLS. Just a warning for now since generate is implicitly on for all crypto builds. signingCa.cert.reset(); signingCa.pkey.reset(); diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h index a321cbb0fc..d74a887407 100644 --- a/src/security/ServerOptions.h +++ b/src/security/ServerOptions.h @@ -73,7 +73,7 @@ public: #if USE_OPENSSL bool generateHostCertificates = true; ///< dynamically make host cert -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // TODO: GnuTLS does implement TLS server connections so the cert // generate vs static choice can be reached in the code now. // But this feature is not fully working implemented so must not diff --git a/src/security/Session.cc b/src/security/Session.cc index f09f95b882..0741687367 100644 --- a/src/security/Session.cc +++ b/src/security/Session.cc 
@@ -28,7 +28,7 @@ static Ipc::MemMap *SessionCache = nullptr; static const char *SessionCacheName = "tls_session_cache"; #endif -#if USE_OPENSSL || USE_GNUTLS +#if USE_OPENSSL || HAVE_LIBGNUTLS static int tls_read_method(int fd, char *buf, int len) { @@ -37,7 +37,7 @@ tls_read_method(int fd, char *buf, int len) #if USE_OPENSSL int i = SSL_read(session, buf, len); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS int i = gnutls_record_recv(session, buf, len); #endif @@ -48,7 +48,7 @@ tls_read_method(int fd, char *buf, int len) #if USE_OPENSSL if (i > 0 && SSL_pending(session) > 0) { -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS if (i > 0 && gnutls_record_check_pending(session) > 0) { #endif debugs(83, 2, "TLS FD " << fd << " is pending"); @@ -74,7 +74,7 @@ tls_write_method(int fd, const char *buf, int len) #if USE_OPENSSL int i = SSL_write(session, buf, len); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS int i = gnutls_record_send(session, buf, len); #endif @@ -106,7 +106,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer return false; } -#if USE_OPENSSL || USE_GNUTLS +#if USE_OPENSSL || HAVE_LIBGNUTLS const char *errAction = "with no TLS/SSL library"; Security::LibErrorCode errCode = 0; @@ -117,7 +117,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer errAction = "failed to allocate handle"; debugs(83, DBG_IMPORTANT, "ERROR: TLS failure: " << errAction << ": " << Security::ErrorString(errCode)); } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS gnutls_session_t tmp; errCode = gnutls_init(&tmp, static_cast(type) | GNUTLS_NONBLOCK); Security::SessionPointer session(tmp, [](gnutls_session_t p) { 
@@ -130,7 +130,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer errAction = "failed to initialize session"; debugs(83, DBG_IMPORTANT, "ERROR: TLS failure: " << errAction << ": " << Security::ErrorString(errCode)); } -#endif /* USE_GNUTLS */ +#endif /* HAVE_LIBGNUTLS */ if (session) { const int fd = conn->fd; @@ -139,7 +139,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer // without BIO, we would call SSL_set_fd(ssl.get(), fd) instead if (BIO *bio = Ssl::Bio::Create(fd, type)) { Ssl::Bio::Link(session.get(), bio); // cannot fail -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS errCode = gnutls_credentials_set(session.get(), GNUTLS_CRD_CERTIFICATE, ctx.get()); if (errCode == GNUTLS_E_SUCCESS) { @@ -149,7 +149,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer // this does the equivalent of SSL_set_fd() for now. gnutls_transport_set_int(session.get(), fd); gnutls_handshake_set_timeout(session.get(), GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT); -#endif /* USE_GNUTLS */ +#endif /* HAVE_LIBGNUTLS */ debugs(83, 5, "link FD " << fd << " to TLS session=" << (void*)session.get()); @@ -163,7 +163,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer errCode = ERR_get_error(); errAction = "failed to initialize I/O"; (void)opts; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS errAction = "failed to assign credentials"; #endif } @@ -175,7 +175,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer (void)opts; (void)type; (void)squidCtx; -#endif /* USE_OPENSSL || USE_GNUTLS */ +#endif /* USE_OPENSSL || HAVE_LIBGNUTLS */ return false; } @@ -202,7 +202,7 @@ Security::SessionSendGoodbye(const Security::SessionPointer &s) if (s) { #if USE_OPENSSL SSL_shutdown(s.get()); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS gnutls_bye(s.get(), GNUTLS_SHUT_RDWR); #endif } 
@@ -214,7 +214,7 @@ Security::SessionIsResumed(const Security::SessionPointer &s) bool result = false; #if USE_OPENSSL result = SSL_session_reused(s.get()) == 1; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS result = gnutls_session_is_resumed(s.get()) != 0; #endif debugs(83, 7, "session=" << (void*)s.get() << ", query? answer: " << (result ? 'T' : 'F') ); @@ -228,7 +228,7 @@ Security::MaybeGetSessionResumeData(const Security::SessionPointer &s, Security: #if USE_OPENSSL // nil is valid for SSL_get1_session(), it cannot fail. data.reset(SSL_get1_session(s.get())); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS gnutls_datum_t *tmp = nullptr; const auto x = gnutls_session_get_data2(s.get(), tmp); if (x != GNUTLS_E_SUCCESS) { @@ -252,7 +252,7 @@ Security::SetSessionResumeData(const Security::SessionPointer &s, const Security debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() << " resume error: " << Security::ErrorString(ssl_error)); } -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS const auto x = gnutls_session_set_data(s.get(), data->data, data->size); if (x != GNUTLS_E_SUCCESS) { debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() << diff --git a/src/security/Session.h b/src/security/Session.h index 127f87a76f..28c48fa67d 100644 --- a/src/security/Session.h +++ b/src/security/Session.h @@ -23,7 +23,7 @@ #endif #endif -#if USE_GNUTLS +#if HAVE_LIBGNUTLS #if HAVE_GNUTLS_GNUTLS_H #include #endif @@ -50,7 +50,7 @@ typedef std::shared_ptr SessionPointer; typedef std::unique_ptr> SessionStatePointer; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // to be finalized when it is actually needed/used struct Connection {}; diff --git a/src/security/forward.h b/src/security/forward.h index 10cf9b3afa..107723d946 100644 --- a/src/security/forward.h +++ b/src/security/forward.h 
@@ -14,9 +14,11 @@ #include "base/ToCpp.h" #include "security/LockingPointer.h" -#if USE_GNUTLS && HAVE_GNUTLS_ABSTRACT_H +#if HAVE_LIBGNUTLS +#if HAVE_GNUTLS_ABSTRACT_H #include #endif +#endif /* HAVE_LIBGNUTLS */ #include #include #include @@ -57,7 +59,7 @@ #define SSL_FLAG_VERIFY_CRL_ALL (1<<6) #define SSL_FLAG_CONDITIONAL_AUTH (1<<7) -#if !USE_OPENSSL && !USE_GNUTLS +#if !USE_OPENSSL && !HAVE_LIBGNUTLS /// A helper type to keep all three possible underlying types of the /// Security::Certificate typedef below inside global namespace, so that /// argument-dependent lookup for operator "<<" (Certificate) works inside @@ -75,7 +77,7 @@ typedef CbDataList CertErrors; #if USE_OPENSSL typedef X509 Certificate; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS typedef struct gnutls_x509_crt_int Certificate; #else typedef struct notls_x509 Certificate; @@ -84,7 +86,7 @@ typedef struct notls_x509 Certificate; #if USE_OPENSSL CtoCpp1(X509_free, X509 *); typedef Security::LockingPointer > CertPointer; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS typedef std::shared_ptr CertPointer; #else typedef std::shared_ptr CertPointer; @@ -93,7 +95,7 @@ typedef std::shared_ptr CertPointer; #if USE_OPENSSL CtoCpp1(X509_CRL_free, X509_CRL *); typedef Security::LockingPointer > CrlPointer; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS CtoCpp1(gnutls_x509_crl_deinit, gnutls_x509_crl_t); typedef Security::LockingPointer CrlPointer; #else @@ -107,7 +109,7 @@ typedef std::list CertRevokeList; #if USE_OPENSSL CtoCpp1(EVP_PKEY_free, EVP_PKEY *) using PrivateKeyPointer = Security::LockingPointer>; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS using PrivateKeyPointer = std::shared_ptr; #else using PrivateKeyPointer = std::shared_ptr; @@ -120,7 +122,7 @@ typedef Security::LockingPointer #else using DhePointer = PrivateKeyPointer; #endif -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS using DhePointer = void *; #else using DhePointer = void *; 
@@ -137,7 +139,7 @@ typedef int ErrorCode; /// `openssl errstr` expands these numbers into human-friendlier strings like /// `error:1408F09C:SSL routines:ssl3_get_record:http request` typedef unsigned long LibErrorCode; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS /// the result of an API function like gnutls_handshake() (e.g., /// GNUTLS_E_WARNING_ALERT_RECEIVED) typedef int LibErrorCode; @@ -150,7 +152,7 @@ typedef int LibErrorCode; inline const char *ErrorString(const LibErrorCode code) { #if USE_OPENSSL return ERR_error_string(code, nullptr); -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS return gnutls_strerror(code); #else (void)code; @@ -168,7 +170,7 @@ enum Type { #if USE_OPENSSL BIO_TO_CLIENT = 6000, BIO_TO_SERVER -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS // NP: this is odd looking but correct. // 'to-client' means we are a server, and vice versa. BIO_TO_CLIENT = GNUTLS_SERVER, @@ -190,7 +192,7 @@ class KeyLog; #if USE_OPENSSL using ParsedOptions = uint64_t; -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS typedef std::shared_ptr ParsedOptions; #else class ParsedOptions {}; // we never parse/use TLS options in this case diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc index e6871e0296..c4d3accab9 100644 --- a/src/tests/stub_libsecurity.cc +++ b/src/tests/stub_libsecurity.cc @@ -63,7 +63,7 @@ void Security::KeyLogger::maybeLog(const Connection &, const Acl::ChecklistFille Security::ErrorDetail::ErrorDetail(ErrorCode, const CertPointer &, const CertPointer &, const char *) STUB #if USE_OPENSSL Security::ErrorDetail::ErrorDetail(ErrorCode, int, int) STUB -#elif USE_GNUTLS +#elif HAVE_LIBGNUTLS Security::ErrorDetail::ErrorDetail(ErrorCode, LibErrorCode, int) STUB #endif void Security::ErrorDetail::setPeerCertificate(const CertPointer &) STUB