Fix build with LibreSSL 2.7 #1153

4 changes: 2 additions & 2 deletions src/nghttp.cc
Expand Up @@ -680,9 +680,9 @@ int HttpClient::initiate_connection() {
const auto &host_string =
config.host_override.empty() ? host : config.host_override;

#if (!defined(LIBRESSL_VERSION_NUMBER) && \
#if (!(defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L) && \
OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(OPENSSL_IS_BORINGSSL)
defined(OPENSSL_IS_BORINGSSL)
auto param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set_hostflags(param, 0);
X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),
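Review bot: The new `#if` line re-spells the LibreSSL 2.7 cutoff inline as `LIBRESSL_VERSION_NUMBER < 0x20700000L`, duplicating the check that src/ssl_compat.h in this same PR encodes as `LIBRESSL_1_0_API`; if nghttp.cc includes ssl_compat.h (the old code tested `defined(LIBRESSL_VERSION_NUMBER)` directly, so that is not certain from the hunk), `#if (!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) || defined(OPENSSL_IS_BORINGSSL)` keeps the cutoff in one place. This guard decides whether `X509_VERIFY_PARAM_set1_host` is used for hostname verification, so any later drift between the two spellings would change which verification path a LibreSSL build takes; what the `#else` branch does is outside the hunk. `initiate_connection` continues past the hunk on both sides.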
38 changes: 19 additions & 19 deletions src/shrpx_config.cc
Expand Up @@ -1222,17 +1222,17 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
auto param = StringRef{first, end};

if (util::istarts_with_l(param, "sct-dir=")) {
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
auto sct_dir =
StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
if (sct_dir.empty()) {
LOG(ERROR) << "subcert: " << param << ": empty sct-dir";
return -1;
}
out.sct_dir = sct_dir;
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
} else if (!param.empty()) {
LOG(ERROR) << "subcert: " << param << ": unknown keyword";
return -1;
Expand Down Expand Up @@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector<uint8_t> &dst, const StringRef &opt,
}
} // namespace

#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
namespace {
// Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.psk_secrets. This function
Expand Down Expand Up @@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) {
return 0;
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // !LIBRESSL_1_0_API

#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
namespace {
// Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.client.psk. This function returns
Expand Down Expand Up @@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) {
return 0;
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // !LIBRESSL_1_0_API

// generated by gennghttpxfun.py
int option_lookup_token(const char *name, size_t namelen) {
Expand Down Expand Up @@ -3454,19 +3454,19 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_uint_with_unit(
&config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
case SHRPX_OPTID_ECDH_CURVES:
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
return 0;
case SHRPX_OPTID_TLS_SCT_DIR:
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
#else // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#else // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
return 0;
#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // !(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
return parse_duration(&config->dns.timeout.cache, opt, optarg);
case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
Expand All @@ -3489,23 +3489,23 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
optarg);
case SHRPX_OPTID_PSK_SECRETS:
#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
return parse_psk_secrets(config, optarg);
#else // LIBRESSL_IN_USE
#else // LIBRESSL_1_0_API
LOG(WARN)
<< opt
<< ": ignored because underlying TLS library does not support PSK";
return 0;
#endif // LIBRESSL_IN_USE
#endif // LIBRESSL_1_0_API
case SHRPX_OPTID_CLIENT_PSK_SECRETS:
#if !LIBRESSL_IN_USE
#if !LIBRESSL_1_0_API
return parse_client_psk_secrets(config, optarg);
#else // LIBRESSL_IN_USE
#else // LIBRESSL_1_0_API
LOG(WARN)
<< opt
<< ": ignored because underlying TLS library does not support PSK";
return 0;
#endif // LIBRESSL_IN_USE
#endif // LIBRESSL_1_0_API
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
config->tls.client.no_http2_cipher_black_list =
util::strieq_l("yes", optarg);
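Review bot: The PSK options at `case SHRPX_OPTID_PSK_SECRETS` and `case SHRPX_OPTID_CLIENT_PSK_SECRETS` are now gated on `!LIBRESSL_1_0_API`, while the matching callbacks in src/shrpx_tls.cc in this same PR are gated on `#ifndef OPENSSL_NO_PSK`; a LibreSSL >= 2.7 build, which as far as I know defines OPENSSL_NO_PSK, would then parse and accept psk-secrets / client-psk-secrets but never install a PSK callback, so the warning `ignored because underlying TLS library does not support PSK` is skipped in the one case where it applies. Gating these two cases, and the `parse_psk_secrets` / `parse_client_psk_secrets` definitions above them, on `#ifndef OPENSSL_NO_PSK` with `#else // OPENSSL_NO_PSK` keeps config parsing and callback registration in step. `parse_config` continues outside the hunk.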
40 changes: 20 additions & 20 deletions src/shrpx_tls.cc
Expand Up @@ -360,7 +360,7 @@ int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {

namespace {
SSL_SESSION *tls_session_get_cb(SSL *ssl,
#if OPENSSL_1_1_API
#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
const unsigned char *id,
#else // !OPENSSL_1_1_API
unsigned char *id,
Expand Down Expand Up @@ -563,7 +563,7 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
} // namespace
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L

#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L

#ifndef TLSEXT_TYPE_signed_certificate_timestamp
#define TLSEXT_TYPE_signed_certificate_timestamp 18
Expand Down Expand Up @@ -653,9 +653,9 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
} // namespace

#endif // !OPENSSL_1_1_1_API
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L

#if !LIBRESSL_IN_USE
#ifndef OPENSSL_NO_PSK
namespace {
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
unsigned int max_psk_len) {
Expand All @@ -679,9 +679,9 @@ unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
return static_cast<unsigned int>(secret.size());
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK

#if !LIBRESSL_IN_USE
#if OPENSSL_NO_PSK
I think this should be #ifndef OPENSSL_NO_PSK

namespace {
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
unsigned int max_identity_len, unsigned char *psk,
Expand Down Expand Up @@ -714,7 +714,7 @@ unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
return static_cast<unsigned int>(secret.size());
}
} // namespace
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK

struct TLSProtocol {
StringRef name;
Expand Down Expand Up @@ -792,7 +792,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}

#ifndef OPENSSL_NO_EC
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
<< " failed";
Expand All @@ -803,7 +803,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
#endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
#else // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
#else // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this
// writing.
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
Expand All @@ -814,7 +814,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
#endif // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L
#endif // OPENSSL_NO_EC

if (!tlsconf.dh_param_file.empty()) {
Expand Down Expand Up @@ -929,7 +929,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr);
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L

#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
// returns 1, which means OpenSSL internally handles it. But
// OpenSSL handles signed_certificate_timestamp extension specially,
Expand Down Expand Up @@ -960,11 +960,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
}
#endif // !OPENSSL_1_1_1_API
}
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L

#if !LIBRESSL_IN_USE
#ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK

auto tls_ctx_data = new TLSContextData();
tls_ctx_data->cert_file = cert_file;
Expand Down Expand Up @@ -1112,9 +1112,9 @@ SSL_CTX *create_ssl_client_context(
#endif // HAVE_NEVERBLEED
}

#if !LIBRESSL_IN_USE
#ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
#endif // !LIBRESSL_IN_USE
#endif // OPENSSL_NO_PSK

// NPN selection callback. This is required to set SSL_CTX because
// OpenSSL does not offer SSL_set_next_proto_select_cb.
Expand Down Expand Up @@ -1549,15 +1549,15 @@ int cert_lookup_tree_add_ssl_ctx(
SSL_CTX *ssl_ctx) {
std::array<uint8_t, NI_MAXHOST> buf;

#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !defined(LIBRESSL_1_0_API) && OPENSSL_VERSION_NUMBER >= 0x10002000L
auto cert = SSL_CTX_get0_certificate(ssl_ctx);
#else // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
#else // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER <
// 0x10002000L
auto tls_ctx_data =
static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
auto cert = load_certificate(tls_ctx_data->cert_file);
auto cert_deleter = defer(X509_free, cert);
#endif // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
#endif // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER <
// 0x10002000L

auto altnames = static_cast<GENERAL_NAMES *>(
Expand Down Expand Up @@ -1973,7 +1973,7 @@ StringRef get_x509_issuer_name(BlockAllocator &balloc, X509 *x) {
#endif /* !WORDS_BIGENDIAN */

StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) {
#if OPENSSL_1_1_API
#if OPENSSL_1_1_API && !LIBRESSL_1_1_API
auto sn = X509_get0_serialNumber(x);
uint64_t r;
if (ASN1_INTEGER_get_uint64(&r, sn) != 1) {
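Review bot: `#if !defined(LIBRESSL_1_0_API) && OPENSSL_VERSION_NUMBER >= 0x10002000L` in `cert_lookup_tree_add_ssl_ctx` is always false once src/ssl_compat.h is in scope (this file already uses `OPENSSL_1_1_API` from that header), because the header defines `LIBRESSL_1_0_API` as 0 or 1 in every branch; the old `!defined(LIBRESSL_VERSION_NUMBER)` test had the semantics the new macro's value carries, so the line should read `#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L`, with the `#else`/`#endif` comments changed to `LIBRESSL_1_0_API || OPENSSL_VERSION_NUMBER < 0x10002000L`. As written, every OpenSSL >= 1.0.2 build takes the fallback that re-reads the certificate from `tls_ctx_data->cert_file` instead of `SSL_CTX_get0_certificate`, which changes behaviour for non-LibreSSL builds rather than only fixing LibreSSL 2.7. Two trailing comments also no longer match their `#if`: `#else // !OPENSSL_1_1_API` under `#if OPENSSL_1_1_API && !LIBRESSL_1_1_API` in `tls_session_get_cb`, and `#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L` closing the `!LIBRESSL_1_0_API && !LIBRESSL_1_1_API && ...` SCT block in `create_ssl_context`. All of the functions named continue outside their hunks.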
16 changes: 11 additions & 5 deletions src/ssl_compat.h
Expand Up @@ -26,16 +26,22 @@

#include <openssl/opensslv.h>

#if defined(LIBRESSL_VERSION_NUMBER)
#define LIBRESSL_IN_USE 1
#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L
#define LIBRESSL_1_0_API 1
#define LIBRESSL_1_1_API 0
#elif defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20700000L
#define LIBRESSL_1_0_API 0
#define LIBRESSL_1_1_API 1
#else // !defined(LIBRESSL_VERSION_NUMBER)
#define LIBRESSL_IN_USE 0
#define LIBRESSL_1_0_API 0
#define LIBRESSL_1_1_API 0
#endif // !defined(LIBRESSL_VERSION_NUMBER)

#define OPENSSL_1_1_API \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
(!LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x1010000fL)

#define OPENSSL_1_1_1_API \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L)
(!LIBRESSL_1_0_API && !LIBRESSL_1_1_API && \
OPENSSL_VERSION_NUMBER >= 0x10101000L)

#endif // OPENSSL_COMPAT_H
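Review bot: The new `LIBRESSL_1_0_API` and `LIBRESSL_1_1_API` macros carry a contract the header does not state: both are always defined (as 0 or 1), so they must be tested by value and never with `defined()`, and `OPENSSL_1_1_API` now evaluates true on LibreSSL >= 2.7 (LibreSSL reports an `OPENSSL_VERSION_NUMBER` above 0x1010000fL, as far as I know), so every `#if OPENSSL_1_1_API` site that LibreSSL 2.7 does not actually satisfy has to add `&& !LIBRESSL_1_1_API` by hand, as two sites in src/shrpx_tls.cc in this PR do. I would add above the first `#if`: `// LIBRESSL_1_0_API / LIBRESSL_1_1_API are always defined as 0 or 1; test their value, not defined().` and `// OPENSSL_1_1_API is also 1 on LibreSSL >= 2.7; guard APIs LibreSSL lacks with && !LIBRESSL_1_1_API.` A short comment on the `#elif` branch naming the 2.7.0 cutoff would match the `#else // !defined(LIBRESSL_VERSION_NUMBER)` style already used.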