1 |
--- src/shrpx_tls.cc.orig 2018-03-25 12:28:55 UTC |
2 |
+++ src/shrpx_tls.cc |
3 |
@@ -360,7 +360,7 @@ int tls_session_new_cb(SSL *ssl, SSL_SES |
4 |
|
5 |
namespace { |
6 |
SSL_SESSION *tls_session_get_cb(SSL *ssl, |
7 |
-#if OPENSSL_1_1_API |
8 |
+#if OPENSSL_1_1_API && !LIBRESSL_1_1_API |
9 |
const unsigned char *id, |
10 |
#else // !OPENSSL_1_1_API |
11 |
unsigned char *id, |
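Review bot: The `#else // !OPENSSL_1_1_API` trailer is now stale: the `#if` above it was changed to `OPENSSL_1_1_API && !LIBRESSL_1_1_API`, so the non-const `unsigned char *id` signature is also what LibreSSL 2.7+ builds get, and the trailer no longer tells a reader that. Change it to `#else // !OPENSSL_1_1_API || LIBRESSL_1_1_API`. tls_session_get_cb continues outside the hunk.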
12 |
@@ -563,7 +563,7 @@ int alpn_select_proto_cb(SSL *ssl, const |
13 |
} // namespace |
14 |
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L |
15 |
|
16 |
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L |
17 |
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L |
18 |
|
19 |
#ifndef TLSEXT_TYPE_signed_certificate_timestamp |
20 |
#define TLSEXT_TYPE_signed_certificate_timestamp 18 |
21 |
@@ -653,9 +653,9 @@ int legacy_sct_parse_cb(SSL *ssl, unsign |
22 |
} // namespace |
23 |
|
24 |
#endif // !OPENSSL_1_1_1_API |
25 |
-#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L |
26 |
+#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L |
27 |
|
28 |
-#if !LIBRESSL_IN_USE |
29 |
+#ifndef OPENSSL_NO_PSK |
30 |
namespace { |
31 |
unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, |
32 |
unsigned int max_psk_len) { |
33 |
@@ -679,9 +679,9 @@ unsigned int psk_server_cb(SSL *ssl, con |
34 |
return static_cast<unsigned int>(secret.size()); |
35 |
} |
36 |
} // namespace |
37 |
-#endif // !LIBRESSL_IN_USE |
38 |
+#endif // !OPENSSL_NO_PSK |
39 |
|
40 |
-#if !LIBRESSL_IN_USE |
41 |
+#ifndef OPENSSL_NO_PSK |
42 |
namespace { |
43 |
unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out, |
44 |
unsigned int max_identity_len, unsigned char *psk, |
45 |
@@ -714,7 +714,7 @@ unsigned int psk_client_cb(SSL *ssl, con |
46 |
return static_cast<unsigned int>(secret.size()); |
47 |
} |
48 |
} // namespace |
49 |
-#endif // !LIBRESSL_IN_USE |
50 |
+#endif // !OPENSSL_NO_PSK |
51 |
|
52 |
struct TLSProtocol { |
53 |
StringRef name; |
54 |
@@ -792,7 +792,7 @@ SSL_CTX *create_ssl_context(const char * |
55 |
} |
56 |
|
57 |
#ifndef OPENSSL_NO_EC |
58 |
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L |
59 |
+#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L |
60 |
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) { |
61 |
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves |
62 |
<< " failed"; |
63 |
@@ -803,7 +803,7 @@ SSL_CTX *create_ssl_context(const char * |
64 |
// function was deprecated in OpenSSL 1.1.0 and BoringSSL. |
65 |
SSL_CTX_set_ecdh_auto(ssl_ctx, 1); |
66 |
#endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API |
67 |
-#else // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L |
68 |
+#else // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L |
69 |
// Use P-256, which is sufficiently secure at the time of this |
70 |
// writing. |
71 |
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
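Review bot: The new `#else` trailer carries the `OPENSSL_VERSION_NUBMER` typo over from the line it replaces (the matching `#endif` in the next hunk repeats it); spell it `#else // LIBRESSL_1_0_API || OPENSSL_VERSION_NUMBER < 0x10002000L`. Worth a sentence in the comment as well: the visible lines of this branch hard-code P-256 and appear never to read `tlsconf.ecdh_curves`, so on LibreSSL builds that still take it a configured curve list is silently ignored; the patch narrows which builds hit this path but does not make the dropped setting visible. Something like `// NOTE: tlsconf.ecdh_curves is not honoured on this path; P-256 is always used.` would document that, and a startup log line would be better still. create_ssl_context continues outside the hunk.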
72 |
@@ -814,7 +814,7 @@ SSL_CTX *create_ssl_context(const char * |
73 |
} |
74 |
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh); |
75 |
EC_KEY_free(ecdh); |
76 |
-#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L |
77 |
+#endif // LIBRESSL_1_0_API || OPENSSL_VERSION_NUBMER < 0x10002000L |
78 |
#endif // OPENSSL_NO_EC |
79 |
|
80 |
if (!tlsconf.dh_param_file.empty()) { |
81 |
@@ -931,7 +931,7 @@ SSL_CTX *create_ssl_context(const char * |
82 |
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, nullptr); |
83 |
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L |
84 |
|
85 |
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L |
86 |
+#if !LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L |
87 |
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp) |
88 |
// returns 1, which means OpenSSL internally handles it. But |
89 |
// OpenSSL handles signed_certificate_timestamp extension specially, |
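Review bot: SCT registration is now skipped for LibreSSL 2.7+ (`!LIBRESSL_1_1_API`) while the callbacks it would register (`legacy_sct_parse_cb` and the rest of the block guarded only by `!LIBRESSL_1_0_API` in the earlier hunk) are still compiled there, leaving unused anonymous-namespace functions and, more importantly, an operator-configured SCT list that is never served on that library without any indication. Either align the definition guard with this one, or state the consequence here, e.g. `// LibreSSL >= 2.7 exposes no custom-extension API: SCTs configured for this build are not sent.`, and consider a startup warning when SCT data is configured on a build that cannot use it (whether one already exists is not visible from this hunk). create_ssl_context continues outside the hunk.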
90 |
@@ -962,11 +962,11 @@ SSL_CTX *create_ssl_context(const char * |
91 |
} |
92 |
#endif // !OPENSSL_1_1_1_API |
93 |
} |
94 |
-#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L |
95 |
+#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L |
96 |
|
97 |
-#if !LIBRESSL_IN_USE |
98 |
+#ifndef OPENSSL_NO_PSK |
99 |
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); |
100 |
-#endif // !LIBRESSL_IN_USE |
101 |
+#endif // !OPENSSL_NO_PSK |
102 |
|
103 |
auto tls_ctx_data = new TLSContextData(); |
104 |
tls_ctx_data->cert_file = cert_file; |
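Review bot: The closing `#endif // !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L` no longer matches its opener, which the previous hunk changed to `!LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L`; with some thirty lines between them, a reader relying on the trailer will misjudge which builds compile the SCT block. Update it to `#endif // !LIBRESSL_1_0_API && !LIBRESSL_1_1_API && OPENSSL_VERSION_NUMBER >= 0x10002000L`. create_ssl_context continues outside the hunk.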
105 |
@@ -1114,9 +1114,9 @@ SSL_CTX *create_ssl_client_context( |
106 |
#endif // HAVE_NEVERBLEED |
107 |
} |
108 |
|
109 |
-#if !LIBRESSL_IN_USE |
110 |
+#ifndef OPENSSL_NO_PSK |
111 |
SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb); |
112 |
-#endif // !LIBRESSL_IN_USE |
113 |
+#endif // !OPENSSL_NO_PSK |
114 |
|
115 |
// NPN selection callback. This is required to set SSL_CTX because |
116 |
// OpenSSL does not offer SSL_set_next_proto_select_cb. |
117 |
@@ -1553,15 +1553,15 @@ int cert_lookup_tree_add_ssl_ctx( |
118 |
SSL_CTX *ssl_ctx) { |
119 |
std::array<uint8_t, NI_MAXHOST> buf; |
120 |
|
121 |
-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L |
122 |
+#if !defined(LIBRESSL_1_0_API) && OPENSSL_VERSION_NUMBER >= 0x10002000L |
123 |
auto cert = SSL_CTX_get0_certificate(ssl_ctx); |
124 |
-#else // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < |
125 |
+#else // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER < |
126 |
// 0x10002000L |
127 |
auto tls_ctx_data = |
128 |
static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx)); |
129 |
auto cert = load_certificate(tls_ctx_data->cert_file); |
130 |
auto cert_deleter = defer(X509_free, cert); |
131 |
-#endif // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER < |
132 |
+#endif // defined(LIBRESSL_1_0_API) || OPENSSL_VERSION_NUMBER < |
133 |
// 0x10002000L |
134 |
|
135 |
auto altnames = static_cast<GENERAL_NAMES *>( |
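Review bot: The new guard on the SSL_CTX_get0_certificate branch tests definedness (`!defined(LIBRESSL_1_0_API)`) while every other hunk in this patch value-tests the same macro (`#if !LIBRESSL_1_0_API`), which suggests LIBRESSL_1_0_API is defined for all builds as 0 or 1. If so, `!defined(...)` is always false and every build, including OpenSSL >= 1.0.2, takes the `#else` branch that re-reads `tls_ctx_data->cert_file` from disk, so the SNI lookup tree is built from whatever file is present at that moment rather than from the certificate already loaded into the SSL_CTX; a file swapped between the two reads would make the name tree disagree with the certificate actually served. The guard should match the rest of the patch: `#if !LIBRESSL_1_0_API && OPENSSL_VERSION_NUMBER >= 0x10002000L`, with the `#else`/`#endif` trailers updated to `LIBRESSL_1_0_API || OPENSSL_VERSION_NUMBER < 0x10002000L`. The original `!defined(LIBRESSL_VERSION_NUMBER)` was a definedness test only because that macro exists solely in LibreSSL builds. cert_lookup_tree_add_ssl_ctx continues outside the hunk.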
136 |
@@ -1977,7 +1977,7 @@ StringRef get_x509_issuer_name(BlockAllo |
137 |
#endif /* !WORDS_BIGENDIAN */ |
138 |
|
139 |
StringRef get_x509_serial(BlockAllocator &balloc, X509 *x) { |
140 |
-#if OPENSSL_1_1_API |
141 |
+#if OPENSSL_1_1_API && !LIBRESSL_1_1_API |
142 |
auto sn = X509_get0_serialNumber(x); |
143 |
uint64_t r; |
144 |
if (ASN1_INTEGER_get_uint64(&r, sn) != 1) { |