Drop old OpenSSL support

Drop old OpenSSL support and require OpenSSL >= 1.1.1.  For LibreSSL,
a reasonably recent version is required.
This commit is contained in:
Tatsuhiro Tsujikawa
2023-12-20 23:04:30 +09:00
parent 35d76d2278
commit 841d602fc8
18 changed files with 106 additions and 449 deletions


@@ -66,15 +66,12 @@ To build and run the application programs (``nghttp``, ``nghttpd``,
``nghttpx`` and ``h2load``) in the ``src`` directory, the following packages ``nghttpx`` and ``h2load``) in the ``src`` directory, the following packages
are required: are required:
* OpenSSL >= 1.0.1 * OpenSSL >= 1.1.1; or LibreSSL >= 3.8.1; or aws-lc >= 1.19.0; or
BoringSSL
* libev >= 4.11 * libev >= 4.11
* zlib >= 1.2.3 * zlib >= 1.2.3
* libc-ares >= 1.7.5 * libc-ares >= 1.7.5
ALPN support requires OpenSSL >= 1.0.2 (released 22 January 2015).
LibreSSL >= 2.2.0 can be used instead of OpenSSL, but OpenSSL has more
features than LibreSSL at the time of this writing.
To enable ``-a`` option (getting linked assets from the downloaded To enable ``-a`` option (getting linked assets from the downloaded
resource) in ``nghttp``, the following package is required: resource) in ``nghttp``, the following package is required:
@@ -118,16 +115,17 @@ required:
* bison * bison
nghttpx supports `neverbleed <https://github.com/h2o/neverbleed>`_, nghttpx supports `neverbleed <https://github.com/h2o/neverbleed>`_,
privilege separation engine for OpenSSL / LibreSSL. In short, it privilege separation engine for OpenSSL. In short, it minimizes the
minimizes the risk of private key leakage when serious bug like risk of private key leakage when serious bug like Heartbleed is
Heartbleed is exploited. The neverbleed is disabled by default. To exploited. The neverbleed is disabled by default. To enable it, use
enable it, use ``--with-neverbleed`` configure option. ``--with-neverbleed`` configure option.
To enable the experimental HTTP/3 support for h2load and nghttpx, the To enable the experimental HTTP/3 support for h2load and nghttpx, the
following libraries are required: following libraries are required:
* `OpenSSL with QUIC support * `OpenSSL with QUIC support
<https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or <https://github.com/quictls/openssl/tree/OpenSSL_1_1_1w+quic>`_; or
LibreSSL (does not support 0RTT); or aws-lc; or
`BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit `BoringSSL <https://boringssl.googlesource.com/boringssl/>`_ (commit
6ca49385b168f47a50e7172d82a590b218f55e4d) 6ca49385b168f47a50e7172d82a590b218f55e4d)
* `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.0.0 * `ngtcp2 <https://github.com/ngtcp2/ngtcp2>`_ >= 1.0.0


@@ -447,7 +447,7 @@ fi
# openssl (for src) # openssl (for src)
have_openssl=no have_openssl=no
if test "x${request_openssl}" != "xno"; then if test "x${request_openssl}" != "xno"; then
PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.0.1], PKG_CHECK_MODULES([OPENSSL], [openssl >= 1.1.1],
[have_openssl=yes], [have_openssl=no]) [have_openssl=yes], [have_openssl=no])
if test "x${have_openssl}" = "xno"; then if test "x${have_openssl}" = "xno"; then
AC_MSG_NOTICE($OPENSSL_PKG_ERRORS) AC_MSG_NOTICE($OPENSSL_PKG_ERRORS)


@@ -2157,23 +2157,12 @@ int HttpServer::run() {
SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER); SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_SERVER);
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) { if (SSL_CTX_set1_curves_list(ssl_ctx, "P-256") != 1) {
std::cerr << "SSL_CTX_set1_curves_list failed: " std::cerr << "SSL_CTX_set1_curves_list failed: "
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
return -1; return -1;
} }
# else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) #endif // OPENSSL_NO_EC
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == nullptr) {
std::cerr << "EC_KEY_new_by_curv_name failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
return -1;
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
# endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
#endif // OPENSSL_NO_EC
if (!config_->dh_param_file.empty()) { if (!config_->dh_param_file.empty()) {
// Read DH parameters from file // Read DH parameters from file


@@ -87,7 +87,6 @@ bool recorded(const std::chrono::steady_clock::time_point &t) {
} }
} // namespace } // namespace
#if OPENSSL_1_1_1_API
namespace { namespace {
std::ofstream keylog_file; std::ofstream keylog_file;
void keylog_callback(const SSL *ssl, const char *line) { void keylog_callback(const SSL *ssl, const char *line) {
@@ -96,7 +95,6 @@ void keylog_callback(const SSL *ssl, const char *line) {
keylog_file.flush(); keylog_file.flush();
} }
} // namespace } // namespace
#endif // OPENSSL_1_1_1_API
Config::Config() Config::Config()
: ciphers(tls::DEFAULT_CIPHER_LIST), : ciphers(tls::DEFAULT_CIPHER_LIST),
@@ -2347,12 +2345,6 @@ Options:
} // namespace } // namespace
int main(int argc, char **argv) { int main(int argc, char **argv) {
tls::libssl_init();
#ifndef NOTHREADS
tls::LibsslGlobalLock lock;
#endif // NOTHREADS
std::string datafile; std::string datafile;
std::string logfile; std::string logfile;
std::string qlog_base; std::string qlog_base;
@@ -2979,26 +2971,19 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, config.tls13_ciphers.c_str()) == 0) { if (SSL_CTX_set_ciphersuites(ssl_ctx, config.tls13_ciphers.c_str()) == 0) {
std::cerr << "SSL_CTX_set_ciphersuites with " << config.tls13_ciphers std::cerr << "SSL_CTX_set_ciphersuites with " << config.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr) << " failed: " << ERR_error_string(ERR_get_error(), nullptr)
<< std::endl; << std::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
#if OPENSSL_1_1_1_API
if (SSL_CTX_set1_groups_list(ssl_ctx, config.groups.c_str()) != 1) { if (SSL_CTX_set1_groups_list(ssl_ctx, config.groups.c_str()) != 1) {
std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl; std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl;
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
#else // !OPENSSL_1_1_1_API
if (SSL_CTX_set1_curves_list(ssl_ctx, config.groups.c_str()) != 1) {
std::cerr << "SSL_CTX_set1_curves_list failed" << std::endl;
exit(EXIT_FAILURE);
}
#endif // !OPENSSL_1_1_1_API
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb, SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb,
@@ -3014,7 +2999,6 @@ int main(int argc, char **argv) {
SSL_CTX_set_alpn_protos(ssl_ctx, proto_list.data(), proto_list.size()); SSL_CTX_set_alpn_protos(ssl_ctx, proto_list.data(), proto_list.size());
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
#if OPENSSL_1_1_1_API
auto keylog_filename = getenv("SSLKEYLOGFILE"); auto keylog_filename = getenv("SSLKEYLOGFILE");
if (keylog_filename) { if (keylog_filename) {
keylog_file.open(keylog_filename, std::ios_base::app); keylog_file.open(keylog_filename, std::ios_base::app);
@@ -3022,7 +3006,6 @@ int main(int argc, char **argv) {
SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback); SSL_CTX_set_keylog_callback(ssl_ctx, keylog_callback);
} }
} }
#endif // OPENSSL_1_1_1_API
std::string user_agent = "h2load nghttp2/" NGHTTP2_VERSION; std::string user_agent = "h2load nghttp2/" NGHTTP2_VERSION;
Headers shared_nva; Headers shared_nva;
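Review bot: The new guard `#if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)` around SSL_CTX_set_ciphersuites means that on BoringSSL/aws-lc builds `config.tls13_ciphers` is neither applied nor rejected — the user's TLSv1.3 cipher list is silently dropped. The other guarded calls in this function now fail loudly or compile everywhere (SSL_CTX_set1_groups_list is unconditional), so this is the one remaining silent no-op; I'd add an `#else` branch, e.g. `#else // BoringSSL / aws-lc` followed by `std::cerr << "tls13-ciphers is ignored: TLSv1.3 cipher suites cannot be configured with this TLS library" << std::endl;`. Whether aws-lc is covered by NGHTTP2_OPENSSL_IS_BORINGSSL is not visible on this page. main() continues outside the hunk.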


@@ -697,16 +697,10 @@ int HttpClient::initiate_connection() {
const auto &host_string = const auto &host_string =
config.host_override.empty() ? host : config.host_override; config.host_override.empty() ? host : config.host_override;
#if LIBRESSL_2_7_API || \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) || \
defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto param = SSL_get0_param(ssl); auto param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set_hostflags(param, 0); X509_VERIFY_PARAM_set_hostflags(param, 0);
X509_VERIFY_PARAM_set1_host(param, host_string.c_str(), X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),
host_string.size()); host_string.size());
#endif // LIBRESSL_2_7_API || (!LIBRESSL_IN_USE &&
// OPENSSL_VERSION_NUMBER >= 0x10002000L) ||
// defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb); SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);
if (!util::numeric_host(host_string.c_str())) { if (!util::numeric_host(host_string.c_str())) {
@@ -2795,8 +2789,6 @@ Options:
} // namespace } // namespace
int main(int argc, char **argv) { int main(int argc, char **argv) {
tls::libssl_init();
bool color = false; bool color = false;
while (1) { while (1) {
static int flag = 0; static int flag = 0;
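Review bot: In the first hunk of this file (HttpClient::initiate_connection) the return value of `X509_VERIFY_PARAM_set1_host` is still unchecked, and now that the call is compiled on every supported library it is the only thing that binds hostname checking to SSL_VERIFY_PEER; if it fails (it can, on allocation failure) the chain is still validated but the name is not, so a valid certificate for any other host would be accepted. Since the function already returns int, I'd change it to `if (X509_VERIFY_PARAM_set1_host(param, host_string.c_str(), host_string.size()) != 1) {` / `  return -1;` / `}`. initiate_connection's body continues outside the hunk, so an error message in the style of the surrounding code may be more appropriate than a bare return.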


@@ -193,12 +193,6 @@ Options:
} // namespace } // namespace
int main(int argc, char **argv) { int main(int argc, char **argv) {
tls::libssl_init();
#ifndef NOTHREADS
tls::LibsslGlobalLock lock;
#endif // NOTHREADS
Config config; Config config;
bool color = false; bool color = false;
auto mime_types_file_set_manually = false; auto mime_types_file_set_manually = false;


@@ -55,8 +55,6 @@ int main(int argc, char *argv[]) {
CU_pSuite pSuite = nullptr; CU_pSuite pSuite = nullptr;
unsigned int num_tests_failed; unsigned int num_tests_failed;
nghttp2::tls::libssl_init();
shrpx::create_config(); shrpx::create_config();
// initialize the CUnit test registry // initialize the CUnit test registry


@@ -1992,11 +1992,7 @@ void fill_default_config(Config *config) {
tlsconf.max_proto_version = tlsconf.max_proto_version =
tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION); tls::proto_version_from_string(DEFAULT_TLS_MAX_PROTO_VERSION);
tlsconf.max_early_data = 16_k; tlsconf.max_early_data = 16_k;
#if OPENSSL_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521"); tlsconf.ecdh_curves = StringRef::from_lit("X25519:P-256:P-384:P-521");
#else // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
tlsconf.ecdh_curves = StringRef::from_lit("P-256:P-384:P-521");
#endif // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto &httpconf = config->http; auto &httpconf = config->http;
httpconf.server_name = StringRef::from_lit("nghttpx"); httpconf.server_name = StringRef::from_lit("nghttpx");
@@ -4059,16 +4055,10 @@ int main(int argc, char **argv) {
int rv; int rv;
std::array<char, STRERROR_BUFSIZE> errbuf; std::array<char, STRERROR_BUFSIZE> errbuf;
nghttp2::tls::libssl_init();
#ifdef HAVE_LIBBPF #ifdef HAVE_LIBBPF
libbpf_set_strict_mode(LIBBPF_STRICT_ALL); libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
#endif // HAVE_LIBBPF #endif // HAVE_LIBBPF
#ifndef NOTHREADS
nghttp2::tls::LibsslGlobalLock lock;
#endif // NOTHREADS
Log::set_severity_level(NOTICE); Log::set_severity_level(NOTICE);
create_config(); create_config();
fill_default_config(mod_config()); fill_default_config(mod_config());


@@ -1510,7 +1510,7 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
auto param = StringRef{first, end}; auto param = StringRef{first, end};
if (util::istarts_with_l(param, "sct-dir=")) { if (util::istarts_with_l(param, "sct-dir=")) {
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto sct_dir = auto sct_dir =
StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)}; StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
if (sct_dir.empty()) { if (sct_dir.empty()) {
@@ -1518,9 +1518,10 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
return -1; return -1;
} }
out.sct_dir = sct_dir; out.sct_dir = sct_dir;
#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) #else // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_BORINGSSL
LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2"; LOG(WARN) << "subcert: sct-dir is ignored because underlying TLS library "
#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) "does not support SCT";
#endif // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_BORINGSSL
} else if (!param.empty()) { } else if (!param.empty()) {
LOG(ERROR) << "subcert: " << param << ": unknown keyword"; LOG(ERROR) << "subcert: " << param << ": unknown keyword";
return -1; return -1;
@@ -1652,7 +1653,7 @@ int read_tls_sct_from_dir(std::vector<uint8_t> &dst, const StringRef &opt,
} }
} // namespace } // namespace
#if !LIBRESSL_LEGACY_API #ifndef OPENSSL_NO_PSK
namespace { namespace {
// Reads PSK secrets from path, and parses each line. The result is // Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.psk_secrets. This function // directly stored into config->tls.psk_secrets. This function
@@ -1716,9 +1717,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) {
return 0; return 0;
} }
} // namespace } // namespace
#endif // !LIBRESSL_LEGACY_API #endif // !OPENSSL_NO_PSK
#if !LIBRESSL_LEGACY_API #ifndef OPENSSL_NO_PSK
namespace { namespace {
// Reads PSK secrets from path, and parses each line. The result is // Reads PSK secrets from path, and parses each line. The result is
// directly stored into config->tls.client.psk. This function returns // directly stored into config->tls.client.psk. This function returns
@@ -1778,7 +1779,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) {
return 0; return 0;
} }
} // namespace } // namespace
#endif // !LIBRESSL_LEGACY_API #endif // !OPENSSL_NO_PSK
// generated by gennghttpxfun.py // generated by gennghttpxfun.py
int option_lookup_token(const char *name, size_t namelen) { int option_lookup_token(const char *name, size_t namelen) {
@@ -3874,19 +3875,17 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_uint_with_unit( return parse_uint_with_unit(
&config->http2.downstream.decoder_dynamic_table_size, opt, optarg); &config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
case SHRPX_OPTID_ECDH_CURVES: case SHRPX_OPTID_ECDH_CURVES:
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
config->tls.ecdh_curves = make_string_ref(config->balloc, optarg); config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
return 0; return 0;
case SHRPX_OPTID_TLS_SCT_DIR: case SHRPX_OPTID_TLS_SCT_DIR:
#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg); return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
#else // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) #else // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_BORINGSSL
LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2"; LOG(WARN)
<< opt
<< ": ignored because underlying TLS library does not support SCT";
return 0; return 0;
#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L) #endif // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_BORINGSSL
case SHRPX_OPTID_DNS_CACHE_TIMEOUT: case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
return parse_duration(&config->dns.timeout.cache, opt, optarg); return parse_duration(&config->dns.timeout.cache, opt, optarg);
case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT: case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
@@ -3909,23 +3908,23 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return parse_duration(&config->conn.upstream.timeout.idle_read, opt, return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
optarg); optarg);
case SHRPX_OPTID_PSK_SECRETS: case SHRPX_OPTID_PSK_SECRETS:
#if !LIBRESSL_LEGACY_API #ifndef OPENSSL_NO_PSK
return parse_psk_secrets(config, optarg); return parse_psk_secrets(config, optarg);
#else // LIBRESSL_LEGACY_API #else // OPENSSL_NO_PSK
LOG(WARN) LOG(WARN)
<< opt << opt
<< ": ignored because underlying TLS library does not support PSK"; << ": ignored because underlying TLS library does not support PSK";
return 0; return 0;
#endif // LIBRESSL_LEGACY_API #endif // OPENSSL_NO_PSK
case SHRPX_OPTID_CLIENT_PSK_SECRETS: case SHRPX_OPTID_CLIENT_PSK_SECRETS:
#if !LIBRESSL_LEGACY_API #ifndef OPENSSL_NO_PSK
return parse_client_psk_secrets(config, optarg); return parse_client_psk_secrets(config, optarg);
#else // LIBRESSL_LEGACY_API #else // OPENSSL_NO_PSK
LOG(WARN) LOG(WARN)
<< opt << opt
<< ": ignored because underlying TLS library does not support PSK"; << ": ignored because underlying TLS library does not support PSK";
return 0; return 0;
#endif // LIBRESSL_LEGACY_API #endif // OPENSSL_NO_PSK
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
LOG(WARN) << opt << ": deprecated. Use " LOG(WARN) << opt << ": deprecated. Use "
<< SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead."; << SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
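Review bot: The `sct-dir` keyword in parse_subcert_params and `SHRPX_OPTID_TLS_SCT_DIR` in parse_config now accept SCT data under `#if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)`, but the sct_add_cb/sct_parse_cb block in shrpx_tls.cc on this page is compiled only under `#ifdef NGHTTP2_GENUINE_OPENSSL`. If a BoringSSL-specific path outside these hunks consumes `config->tls.sct_data`, that is fine; otherwise the directory is read and validated but the SCTs are never sent, with no warning to the operator. I'd pin the intent with a comment on the guard, e.g. `// Keep in sync with the NGHTTP2_GENUINE_OPENSSL / BoringSSL consumers of tls.sct_data in shrpx_tls.cc`, so the two conditions do not drift apart again. Both parse_subcert_params and parse_config run past their hunks.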


@@ -45,14 +45,6 @@ using namespace std::chrono_literals;
namespace shrpx { namespace shrpx {
#if !LIBRESSL_3_5_API && !LIBRESSL_2_7_API && !OPENSSL_1_1_API
void *BIO_get_data(BIO *bio) { return bio->ptr; }
void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }
void BIO_set_init(BIO *bio, int init) { bio->init = init; }
#endif // !LIBRESSL_3_5_API && !LIBRESSL_2_7_API && !OPENSSL_1_1_API
Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl, Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl,
MemchunkPool *mcpool, ev_tstamp write_timeout, MemchunkPool *mcpool, ev_tstamp write_timeout,
ev_tstamp read_timeout, ev_tstamp read_timeout,
@@ -263,14 +255,8 @@ long shrpx_bio_ctrl(BIO *b, int cmd, long num, void *ptr) {
namespace { namespace {
int shrpx_bio_create(BIO *b) { int shrpx_bio_create(BIO *b) {
#if OPENSSL_1_1_API || LIBRESSL_3_5_API
BIO_set_init(b, 1); BIO_set_init(b, 1);
#else // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
b->init = 1;
b->num = 0;
b->ptr = nullptr;
b->flags = 0;
#endif // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
return 1; return 1;
} }
} // namespace } // namespace
@@ -281,18 +267,10 @@ int shrpx_bio_destroy(BIO *b) {
return 0; return 0;
} }
#if !OPENSSL_1_1_API && !LIBRESSL_3_5_API
b->ptr = nullptr;
b->init = 0;
b->flags = 0;
#endif // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
return 1; return 1;
} }
} // namespace } // namespace
#if OPENSSL_1_1_API || LIBRESSL_3_5_API
BIO_METHOD *create_bio_method() { BIO_METHOD *create_bio_method() {
auto meth = BIO_meth_new(BIO_TYPE_FD, "nghttpx-bio"); auto meth = BIO_meth_new(BIO_TYPE_FD, "nghttpx-bio");
BIO_meth_set_write(meth, shrpx_bio_write); BIO_meth_set_write(meth, shrpx_bio_write);
@@ -306,20 +284,6 @@ BIO_METHOD *create_bio_method() {
return meth; return meth;
} }
#else // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
BIO_METHOD *create_bio_method() {
static auto meth = new BIO_METHOD{
BIO_TYPE_FD, "nghttpx-bio", shrpx_bio_write,
shrpx_bio_read, shrpx_bio_puts, shrpx_bio_gets,
shrpx_bio_ctrl, shrpx_bio_create, shrpx_bio_destroy,
};
return meth;
}
#endif // !OPENSSL_1_1_API && !LIBRESSL_3_5_API
void Connection::set_ssl(SSL *ssl) { void Connection::set_ssl(SSL *ssl) {
tls.ssl = ssl; tls.ssl = ssl;
@@ -407,7 +371,7 @@ int Connection::tls_handshake() {
ERR_clear_error(); ERR_clear_error();
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
if (!tls.server_handshake || tls.early_data_finish) { if (!tls.server_handshake || tls.early_data_finish) {
rv = SSL_do_handshake(tls.ssl); rv = SSL_do_handshake(tls.ssl);
} else { } else {
@@ -458,9 +422,9 @@ int Connection::tls_handshake() {
} }
} }
} }
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #else // !NGHTTP2_GENUINE_OPENSSL
rv = SSL_do_handshake(tls.ssl); rv = SSL_do_handshake(tls.ssl);
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #endif // !NGHTTP2_GENUINE_OPENSSL
if (rv <= 0) { if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv); auto err = SSL_get_error(tls.ssl, rv);
@@ -611,14 +575,14 @@ int Connection::tls_handshake_simple() {
} }
int rv; int rv;
#if OPENSSL_1_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto &tlsconf = get_config()->tls; auto &tlsconf = get_config()->tls;
std::array<uint8_t, 16_k> buf; std::array<uint8_t, 16_k> buf;
#endif // OPENSSL_1_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_BORINGSSL
ERR_clear_error(); ERR_clear_error();
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
if (!tls.server_handshake || tls.early_data_finish) { if (!tls.server_handshake || tls.early_data_finish) {
rv = SSL_do_handshake(tls.ssl); rv = SSL_do_handshake(tls.ssl);
} else { } else {
@@ -663,9 +627,9 @@ int Connection::tls_handshake_simple() {
} }
} }
} }
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #else // !NGHTTP2_GENUINE_OPENSSL
rv = SSL_do_handshake(tls.ssl); rv = SSL_do_handshake(tls.ssl);
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #endif // !NGHTTP2_GENUINE_OPENSSL
if (rv <= 0) { if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv); auto err = SSL_get_error(tls.ssl, rv);
@@ -932,7 +896,7 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
ERR_clear_error(); ERR_clear_error();
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
int rv; int rv;
if (SSL_is_init_finished(tls.ssl)) { if (SSL_is_init_finished(tls.ssl)) {
rv = SSL_write(tls.ssl, data, len); rv = SSL_write(tls.ssl, data, len);
@@ -944,9 +908,9 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
rv = nwrite; rv = nwrite;
} }
} }
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #else // !NGHTTP2_GENUINE_OPENSSL
auto rv = SSL_write(tls.ssl, data, len); auto rv = SSL_write(tls.ssl, data, len);
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #endif // !NGHTTP2_GENUINE_OPENSSL
if (rv <= 0) { if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv); auto err = SSL_get_error(tls.ssl, rv);
@@ -996,11 +960,11 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
ssize_t Connection::read_tls(void *data, size_t len) { ssize_t Connection::read_tls(void *data, size_t len) {
ERR_clear_error(); ERR_clear_error();
#if OPENSSL_1_1_1_API #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (tls.earlybuf.rleft()) { if (tls.earlybuf.rleft()) {
return tls.earlybuf.remove(data, len); return tls.earlybuf.remove(data, len);
} }
#endif // OPENSSL_1_1_1_API #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_BORINGSSL
// SSL_read requires the same arguments (buf pointer and its // SSL_read requires the same arguments (buf pointer and its
// length) on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE. // length) on SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE.
@@ -1023,7 +987,7 @@ ssize_t Connection::read_tls(void *data, size_t len) {
auto via_bio = auto via_bio =
tls.server_handshake && !tlsconf.session_cache.memcached.host.empty(); tls.server_handshake && !tlsconf.session_cache.memcached.host.empty();
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
if (!tls.early_data_finish) { if (!tls.early_data_finish) {
// TLSv1.3 handshake is still going on. // TLSv1.3 handshake is still going on.
size_t nread; size_t nread;
@@ -1067,7 +1031,7 @@ ssize_t Connection::read_tls(void *data, size_t len) {
return nread; return nread;
} }
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL
auto rv = SSL_read(tls.ssl, data, len); auto rv = SSL_read(tls.ssl, data, len);


@@ -349,13 +349,13 @@ int Http2DownstreamConnection::push_request_headers() {
auto upstream = downstream_->get_upstream(); auto upstream = downstream_->get_upstream();
auto handler = upstream->get_client_handler(); auto handler = upstream->get_client_handler();
#if OPENSSL_1_1_1_API #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto conn = handler->get_connection(); auto conn = handler->get_connection();
if (conn->tls.ssl && !SSL_is_init_finished(conn->tls.ssl)) { if (conn->tls.ssl && !SSL_is_init_finished(conn->tls.ssl)) {
nva.push_back(http2::make_nv_ll("early-data", "1")); nva.push_back(http2::make_nv_ll("early-data", "1"));
} }
#endif // OPENSSL_1_1_1_API #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_BORINGSSL
auto fwd = auto fwd =
fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED); fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);


@@ -596,13 +596,13 @@ int HttpDownstreamConnection::push_request_headers() {
auto upstream = downstream_->get_upstream(); auto upstream = downstream_->get_upstream();
auto handler = upstream->get_client_handler(); auto handler = upstream->get_client_handler();
#if OPENSSL_1_1_1_API #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
auto conn = handler->get_connection(); auto conn = handler->get_connection();
if (conn->tls.ssl && !SSL_is_init_finished(conn->tls.ssl)) { if (conn->tls.ssl && !SSL_is_init_finished(conn->tls.ssl)) {
buf->append("Early-Data: 1\r\n"); buf->append("Early-Data: 1\r\n");
} }
#endif // OPENSSL_1_1_1_API #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_BORINGSSL
auto fwd = auto fwd =
fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED); fwdconf.strip_incoming ? nullptr : req.fs.header(http2::HD_FORWARDED);


@@ -391,9 +391,9 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
return nullptr; return nullptr;
} }
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
assert(SSL_is_quic(ssl)); assert(SSL_is_quic(ssl));
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL
SSL_set_accept_state(ssl); SSL_set_accept_state(ssl);
@@ -401,11 +401,11 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
auto &quicconf = config->quic; auto &quicconf = config->quic;
if (quicconf.upstream.early_data) { if (quicconf.upstream.early_data) {
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
SSL_set_quic_early_data_enabled(ssl, 1); SSL_set_quic_early_data_enabled(ssl, 1);
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
SSL_set_early_data_enabled(ssl, 1); SSL_set_early_data_enabled(ssl, 1);
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
} }
// Disable TLS session ticket if we don't have working ticket // Disable TLS session ticket if we don't have working ticket
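Review bot: The new `#ifdef NGHTTP2_GENUINE_OPENSSL` / `#elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)` chain around the early-data enable has no branch for LibreSSL (nor for aws-lc, if that is not covered by the BoringSSL macro), so `quicconf.upstream.early_data` becomes a silent no-op on those builds. The README hunk on this page states that LibreSSL does not support 0-RTT, so the behaviour is intended, but nothing in the code records it; I'd add `#else // LibreSSL: 0-RTT is not supported, quicconf.upstream.early_data is ignored` before the `#endif`, or emit a `LOG(WARN)` where the option is parsed. handle_new_connection continues outside the hunk.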


@@ -96,14 +96,6 @@ namespace shrpx {
namespace tls { namespace tls {
#if !OPENSSL_1_1_API
namespace {
const unsigned char *ASN1_STRING_get0_data(ASN1_STRING *x) {
return ASN1_STRING_data(x);
}
} // namespace
#endif // !OPENSSL_1_1_API
#ifndef OPENSSL_NO_NEXTPROTONEG #ifndef OPENSSL_NO_NEXTPROTONEG
namespace { namespace {
int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
@@ -231,8 +223,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
assert(!ssl_ctx_list.empty()); assert(!ssl_ctx_list.empty());
#if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && \ #ifdef NGHTTP2_GENUINE_OPENSSL
OPENSSL_VERSION_NUMBER >= 0x10002000L
auto num_sigalgs = auto num_sigalgs =
SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr); SSL_get_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr);
@@ -274,12 +265,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
for (auto ssl_ctx : ssl_ctx_list) { for (auto ssl_ctx : ssl_ctx_list) {
auto cert = SSL_CTX_get0_certificate(ssl_ctx); auto cert = SSL_CTX_get0_certificate(ssl_ctx);
# if OPENSSL_1_1_API
auto pubkey = X509_get0_pubkey(cert); auto pubkey = X509_get0_pubkey(cert);
# else // !OPENSSL_1_1_API
auto pubkey = X509_get_pubkey(cert);
# endif // !OPENSSL_1_1_API
if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) { if (EVP_PKEY_base_id(pubkey) != EVP_PKEY_EC) {
continue; continue;
@@ -296,13 +282,8 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
SSL_set_SSL_CTX(ssl, ssl_ctx); SSL_set_SSL_CTX(ssl, ssl_ctx);
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
# else // !OPENSSL_3_0_0_API # else // !OPENSSL_3_0_0_API
# if OPENSSL_1_1_API
auto eckey = EVP_PKEY_get0_EC_KEY(pubkey); auto eckey = EVP_PKEY_get0_EC_KEY(pubkey);
# else // !OPENSSL_1_1_API
auto eckey = EVP_PKEY_get1_EC_KEY(pubkey);
# endif // !OPENSSL_1_1_API
if (eckey == nullptr) { if (eckey == nullptr) {
continue; continue;
} }
@@ -310,20 +291,14 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
auto ecgroup = EC_KEY_get0_group(eckey); auto ecgroup = EC_KEY_get0_group(eckey);
auto cert_curve = EC_GROUP_get_curve_name(ecgroup); auto cert_curve = EC_GROUP_get_curve_name(ecgroup);
# if !OPENSSL_1_1_API
EC_KEY_free(eckey);
EVP_PKEY_free(pubkey);
# endif // !OPENSSL_1_1_API
if (shared_curve == cert_curve) { if (shared_curve == cert_curve) {
SSL_set_SSL_CTX(ssl, ssl_ctx); SSL_set_SSL_CTX(ssl, ssl_ctx);
return SSL_TLSEXT_ERR_OK; return SSL_TLSEXT_ERR_OK;
} }
# endif // !OPENSSL_3_0_0_API # endif // !OPENSSL_3_0_0_API
} }
} }
#endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE && #endif // NGHTTP2_GENUINE_OPENSSL
// OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]); SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
@@ -447,13 +422,8 @@ int tls_session_new_cb(SSL *ssl, SSL_SESSION *session) {
} // namespace } // namespace
namespace { namespace {
SSL_SESSION *tls_session_get_cb(SSL *ssl, SSL_SESSION *tls_session_get_cb(SSL *ssl, const unsigned char *id, int idlen,
#if OPENSSL_1_1_API || LIBRESSL_2_7_API int *copy) {
const unsigned char *id,
#else // !(OPENSSL_1_1_API || LIBRESSL_2_7_API)
unsigned char *id,
#endif // !(OPENSSL_1_1_API || LIBRESSL_2_7_API)
int idlen, int *copy) {
auto conn = static_cast<Connection *>(SSL_get_app_data(ssl)); auto conn = static_cast<Connection *>(SSL_get_app_data(ssl));
auto handler = static_cast<ClientHandler *>(conn->data); auto handler = static_cast<ClientHandler *>(conn->data);
auto worker = handler->get_worker(); auto worker = handler->get_worker();
@@ -708,7 +678,6 @@ int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
#ifdef ENABLE_HTTP3 #ifdef ENABLE_HTTP3
# if OPENSSL_VERSION_NUMBER >= 0x10002000L
namespace { namespace {
int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out, int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
unsigned char *outlen, const unsigned char *in, unsigned char *outlen, const unsigned char *in,
@@ -738,16 +707,9 @@ int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
return SSL_TLSEXT_ERR_ALERT_FATAL; return SSL_TLSEXT_ERR_ALERT_FATAL;
} }
} // namespace } // namespace
# endif // OPENSSL_VERSION_NUMBER >= 0x10002000L #endif // ENABLE_HTTP3
#endif // ENABLE_HTTP3
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
# ifndef TLSEXT_TYPE_signed_certificate_timestamp
# define TLSEXT_TYPE_signed_certificate_timestamp 18
# endif // !TLSEXT_TYPE_signed_certificate_timestamp
#ifdef NGHTTP2_GENUINE_OPENSSL
namespace { namespace {
int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context, int sct_add_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
const unsigned char **out, size_t *outlen, X509 *x, const unsigned char **out, size_t *outlen, X509 *x,
@@ -806,34 +768,7 @@ int sct_parse_cb(SSL *ssl, unsigned int ext_type, unsigned int context,
} }
} // namespace } // namespace
# if !OPENSSL_1_1_1_API #endif // NGHTTP2_GENUINE_OPENSSL
namespace {
int legacy_sct_add_cb(SSL *ssl, unsigned int ext_type,
const unsigned char **out, size_t *outlen, int *al,
void *add_arg) {
return sct_add_cb(ssl, ext_type, 0, out, outlen, nullptr, 0, al, add_arg);
}
} // namespace
namespace {
void legacy_sct_free_cb(SSL *ssl, unsigned int ext_type,
const unsigned char *out, void *add_arg) {
sct_free_cb(ssl, ext_type, 0, out, add_arg);
}
} // namespace
namespace {
int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
const unsigned char *in, size_t inlen, int *al,
void *parse_arg) {
return sct_parse_cb(ssl, ext_type, 0, in, inlen, nullptr, 0, al, parse_arg);
}
} // namespace
# endif // !OPENSSL_1_1_1_API
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L &&
// !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
namespace { namespace {
@@ -942,7 +877,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_SINGLE_DH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE SSL_OP_CIPHER_SERVER_PREFERENCE
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
// The reason for disabling built-in anti-replay in // The reason for disabling built-in anti-replay in
// OpenSSL is that it only works if client gets back // OpenSSL is that it only works if client gets back
// to the same server. The freshness check // to the same server. The freshness check
@@ -950,7 +885,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
// https://tools.ietf.org/html/rfc8446#section-8.3 // https://tools.ietf.org/html/rfc8446#section-8.3
// is still performed. // is still performed.
| SSL_OP_NO_ANTI_REPLAY | SSL_OP_NO_ANTI_REPLAY
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL
; ;
auto config = mod_config(); auto config = mod_config();
@@ -987,39 +922,21 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
DIE(); DIE();
} }
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) { if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
#ifndef OPENSSL_NO_EC #ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) { if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
<< " failed"; << " failed";
DIE(); DIE();
} }
# if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API #endif // OPENSSL_NO_EC
// It looks like we need this function call for OpenSSL 1.0.2. This
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
# endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this
// writing.
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == nullptr) {
LOG(FATAL) << "EC_KEY_new_by_curv_name failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
# endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
#endif // OPENSSL_NO_EC
if (!tlsconf.dh_param_file.empty()) { if (!tlsconf.dh_param_file.empty()) {
// Read DH parameters from file // Read DH parameters from file
@@ -1165,14 +1082,12 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data); SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \ #ifdef NGHTTP2_GENUINE_OPENSSL
!defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp) // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
// returns 1, which means OpenSSL internally handles it. But // returns 1, which means OpenSSL internally handles it. But
// OpenSSL handles signed_certificate_timestamp extension specially, // OpenSSL handles signed_certificate_timestamp extension specially,
// and it lets custom handler to process the extension. // and it lets custom handler to process the extension.
if (!sct_data.empty()) { if (!sct_data.empty()) {
# if OPENSSL_1_1_1_API
// It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
// required here. sct_parse_cb is called without // required here. sct_parse_cb is called without
// SSL_EXT_CLIENT_HELLO being set. But the passed context value // SSL_EXT_CLIENT_HELLO being set. But the passed context value
@@ -1186,16 +1101,6 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
# else // !OPENSSL_1_1_1_API
if (SSL_CTX_add_server_custom_ext(
ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
legacy_sct_add_cb, legacy_sct_free_cb, nullptr, legacy_sct_parse_cb,
nullptr) != 1) {
LOG(FATAL) << "SSL_CTX_add_server_custom_ext failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# endif // !OPENSSL_1_1_1_API
} }
#elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls_ctx_data->sct_data.empty() && if (!tls_ctx_data->sct_data.empty() &&
@@ -1206,15 +1111,15 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
#endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_OPENSSL_IS_BORINGSSL
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #ifdef NGHTTP2_GENUINE_OPENSSL
if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) { if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
LOG(FATAL) << "SSL_CTX_set_max_early_data failed: " LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
@@ -1243,14 +1148,14 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_DH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE SSL_OP_CIPHER_SERVER_PREFERENCE
# if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # ifdef NGHTTP2_GENUINE_OPENSSL
// The reason for disabling built-in anti-replay in OpenSSL is // The reason for disabling built-in anti-replay in OpenSSL is
// that it only works if client gets back to the same server. // that it only works if client gets back to the same server.
// The freshness check described in // The freshness check described in
// https://tools.ietf.org/html/rfc8446#section-8.3 is still // https://tools.ietf.org/html/rfc8446#section-8.3 is still
// performed. // performed.
| SSL_OP_NO_ANTI_REPLAY | SSL_OP_NO_ANTI_REPLAY
# endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # endif // NGHTTP2_GENUINE_OPENSSL
; ;
auto config = mod_config(); auto config = mod_config();
@@ -1283,39 +1188,21 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
DIE(); DIE();
} }
# if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) { if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
# endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
# ifndef OPENSSL_NO_EC # ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) { if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
<< " failed"; << " failed";
DIE(); DIE();
} }
# if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API # endif // OPENSSL_NO_EC
// It looks like we need this function call for OpenSSL 1.0.2. This
// function was deprecated in OpenSSL 1.1.0 and BoringSSL.
SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
# endif // !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
# else // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
// Use P-256, which is sufficiently secure at the time of this
// writing.
auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
if (ecdh == nullptr) {
LOG(FATAL) << "EC_KEY_new_by_curv_name failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
EC_KEY_free(ecdh);
# endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
# endif // OPENSSL_NO_EC
if (!tlsconf.dh_param_file.empty()) { if (!tlsconf.dh_param_file.empty()) {
// Read DH parameters from file // Read DH parameters from file
@@ -1452,14 +1339,12 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data); SSL_CTX_set_app_data(ssl_ctx, tls_ctx_data);
# if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \ # ifdef NGHTTP2_GENUINE_OPENSSL
!defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
// SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp) // SSL_extension_supported(TLSEXT_TYPE_signed_certificate_timestamp)
// returns 1, which means OpenSSL internally handles it. But // returns 1, which means OpenSSL internally handles it. But
// OpenSSL handles signed_certificate_timestamp extension specially, // OpenSSL handles signed_certificate_timestamp extension specially,
// and it lets custom handler to process the extension. // and it lets custom handler to process the extension.
if (!sct_data.empty()) { if (!sct_data.empty()) {
# if OPENSSL_1_1_1_API
// It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is // It is not entirely clear to me that SSL_EXT_CLIENT_HELLO is
// required here. sct_parse_cb is called without // required here. sct_parse_cb is called without
// SSL_EXT_CLIENT_HELLO being set. But the passed context value // SSL_EXT_CLIENT_HELLO being set. But the passed context value
@@ -1473,16 +1358,6 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
# else // !OPENSSL_1_1_1_API
if (SSL_CTX_add_server_custom_ext(
ssl_ctx, TLSEXT_TYPE_signed_certificate_timestamp,
legacy_sct_add_cb, legacy_sct_free_cb, nullptr, legacy_sct_parse_cb,
nullptr) != 1) {
LOG(FATAL) << "SSL_CTX_add_server_custom_ext failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
# endif // !OPENSSL_1_1_1_API
} }
# elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (!tls_ctx_data->sct_data.empty() && if (!tls_ctx_data->sct_data.empty() &&
@@ -1493,9 +1368,9 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
# endif // defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # endif // NGHTTP2_OPENSSL_IS_BORINGSSL
# if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # ifdef NGHTTP2_GENUINE_OPENSSL
auto &quicconf = config->quic; auto &quicconf = config->quic;
if (quicconf.upstream.early_data && if (quicconf.upstream.early_data &&
@@ -1505,7 +1380,7 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
<< ERR_error_string(ERR_get_error(), nullptr); << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
# endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) # endif // NGHTTP2_GENUINE_OPENSSL
# ifndef OPENSSL_NO_PSK # ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb); SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
@@ -1607,14 +1482,14 @@ SSL_CTX *create_ssl_client_context(
DIE(); DIE();
} }
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) == if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
0) { 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr); << " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE(); DIE();
} }
#endif // OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #endif // NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS); SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
@@ -2116,16 +1991,7 @@ int cert_lookup_tree_add_ssl_ctx(
SSL_CTX *ssl_ctx) { SSL_CTX *ssl_ctx) {
std::array<uint8_t, NI_MAXHOST> buf; std::array<uint8_t, NI_MAXHOST> buf;
#if LIBRESSL_2_7_API || \
(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
auto cert = SSL_CTX_get0_certificate(ssl_ctx); auto cert = SSL_CTX_get0_certificate(ssl_ctx);
#else // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
auto tls_ctx_data =
static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
auto cert = load_certificate(tls_ctx_data->cert_file);
auto cert_deleter = defer(X509_free, cert);
#endif // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
auto altnames = static_cast<GENERAL_NAMES *>( auto altnames = static_cast<GENERAL_NAMES *>(
X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr)); X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
if (altnames) { if (altnames) {
@@ -2474,9 +2340,7 @@ int proto_version_from_string(const StringRef &v) {
int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp, int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
size_t ocsp_resplen) { size_t ocsp_resplen) {
#ifndef OPENSSL_NO_OCSP
#if !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE && \
OPENSSL_VERSION_NUMBER >= 0x10002000L
int rv; int rv;
STACK_OF(X509) * chain_certs; STACK_OF(X509) * chain_certs;
@@ -2522,11 +2386,7 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
return -1; return -1;
} }
# if OPENSSL_1_1_API
auto certid = OCSP_SINGLERESP_get0_id(sresp); auto certid = OCSP_SINGLERESP_get0_id(sresp);
# else // !OPENSSL_1_1_API
auto certid = sresp->certId;
# endif // !OPENSSL_1_1_API
assert(certid != nullptr); assert(certid != nullptr);
ASN1_INTEGER *serial; ASN1_INTEGER *serial;
@@ -2553,8 +2413,7 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
if (LOG_ENABLED(INFO)) { if (LOG_ENABLED(INFO)) {
LOG(INFO) << "OCSP verification succeeded"; LOG(INFO) << "OCSP verification succeeded";
} }
#endif // !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE #endif // !OPENSSL_NO_OCSP
// && OPENSSL_VERSION_NUMBER >= 0x10002000L
return 0; return 0;
} }
@@ -2620,7 +2479,7 @@ namespace {
int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) { int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
int rv; int rv;
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
struct tm tm; struct tm tm;
rv = ASN1_TIME_to_tm(at, &tm); rv = ASN1_TIME_to_tm(at, &tm);
if (rv != 1) { if (rv != 1) {
@@ -2628,7 +2487,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
} }
t = nghttp2_timegm(&tm); t = nghttp2_timegm(&tm);
#else // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #else // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
auto b = BIO_new(BIO_s_mem()); auto b = BIO_new(BIO_s_mem());
if (!b) { if (!b) {
return -1; return -1;
@@ -2654,18 +2513,14 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
} }
t = tt; t = tt;
#endif // !(OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)) #endif // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
return 0; return 0;
} }
} // namespace } // namespace
int get_x509_not_before(time_t &t, X509 *x) { int get_x509_not_before(time_t &t, X509 *x) {
#if OPENSSL_1_1_API
auto at = X509_get0_notBefore(x); auto at = X509_get0_notBefore(x);
#else // !OPENSSL_1_1_API
auto at = X509_get_notBefore(x);
#endif // !OPENSSL_1_1_API
if (!at) { if (!at) {
return -1; return -1;
} }
@@ -2674,11 +2529,7 @@ int get_x509_not_before(time_t &t, X509 *x) {
} }
int get_x509_not_after(time_t &t, X509 *x) { int get_x509_not_after(time_t &t, X509 *x) {
#if OPENSSL_1_1_API
auto at = X509_get0_notAfter(x); auto at = X509_get0_notAfter(x);
#else // !OPENSSL_1_1_API
auto at = X509_get_notAfter(x);
#endif // !OPENSSL_1_1_API
if (!at) { if (!at) {
return -1; return -1;
} }


@@ -27,25 +27,22 @@
# include <openssl/opensslv.h> # include <openssl/opensslv.h>
# ifdef LIBRESSL_VERSION_NUMBER # ifdef LIBRESSL_VERSION_NUMBER
# define OPENSSL_1_1_API 0 # define NGHTTP2_OPENSSL_IS_LIBRESSL
# define OPENSSL_1_1_1_API 0
# define OPENSSL_3_0_0_API 0
# define LIBRESSL_IN_USE 1
# define LIBRESSL_LEGACY_API (LIBRESSL_VERSION_NUMBER < 0x20700000L)
# define LIBRESSL_2_7_API (LIBRESSL_VERSION_NUMBER >= 0x20700000L)
# define LIBRESSL_3_5_API (LIBRESSL_VERSION_NUMBER >= 0x30500000L)
# else // !LIBRESSL_VERSION_NUMBER
# define OPENSSL_1_1_API (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
# define OPENSSL_1_1_1_API (OPENSSL_VERSION_NUMBER >= 0x10101000L)
# define OPENSSL_3_0_0_API (OPENSSL_VERSION_NUMBER >= 0x30000000L)
# define LIBRESSL_IN_USE 0
# define LIBRESSL_LEGACY_API 0
# define LIBRESSL_2_7_API 0
# define LIBRESSL_3_5_API 0
# endif // !LIBRESSL_VERSION_NUMBER # endif // !LIBRESSL_VERSION_NUMBER
# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) # if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
# define NGHTTP2_OPENSSL_IS_BORINGSSL # define NGHTTP2_OPENSSL_IS_BORINGSSL
# endif // OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC # endif // OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC
# if !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) && \
!defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
# define NGHTTP2_GENUINE_OPENSSL
# endif // !NGHTTP2_OPENSSL_IS_BORINGSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
# ifdef NGHTTP2_GENUINE_OPENSSL
# define OPENSSL_3_0_0_API (OPENSSL_VERSION_NUMBER >= 0x30000000L)
# else // !NGHTTP2_GENUINE_OPENSSL
# define OPENSSL_3_0_0_API 0
# endif // !NGHTTP2_GENUINE_OPENSSL
#endif // OPENSSL_COMPAT_H #endif // OPENSSL_COMPAT_H
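Review bot: Nothing in the new header enforces the library floor the rest of the commit now assumes; `NGHTTP2_GENUINE_OPENSSL` is defined for every build that is neither BoringSSL nor LibreSSL, so an older OpenSSL still gets past this header and fails later in unrelated translation units, or, where a symbol happens to exist with different semantics, compiles silently. The configure script presumably checks the version too, but a header-level guard is cheap and gives a clear diagnostic: `# if defined(NGHTTP2_GENUINE_OPENSSL) && OPENSSL_VERSION_NUMBER < 0x10101000L` / `#  error "OpenSSL >= 1.1.1 is required"` / `# endif` (the constant is the one the removed `OPENSSL_1_1_1_API` macro used). A matching `#error` on `LIBRESSL_VERSION_NUMBER` under `NGHTTP2_OPENSSL_IS_LIBRESSL` would cover the LibreSSL floor; the exact encoding of that version should be confirmed against LibreSSL's opensslv.h. A one-line comment that aws-lc is deliberately folded into `NGHTTP2_OPENSSL_IS_BORINGSSL` would also help, since nothing else in the code distinguishes the two.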


@@ -38,42 +38,6 @@ namespace nghttp2 {
namespace tls { namespace tls {
#if OPENSSL_1_1_API
// CRYPTO_LOCK is deprecated as of OpenSSL 1.1.0
LibsslGlobalLock::LibsslGlobalLock() {}
#else // !OPENSSL_1_1_API
namespace {
std::mutex *ssl_global_locks;
} // namespace
namespace {
void ssl_locking_cb(int mode, int type, const char *file, int line) {
if (mode & CRYPTO_LOCK) {
ssl_global_locks[type].lock();
} else {
ssl_global_locks[type].unlock();
}
}
} // namespace
LibsslGlobalLock::LibsslGlobalLock() {
if (ssl_global_locks) {
std::cerr << "OpenSSL global lock has been already set" << std::endl;
assert(0);
}
ssl_global_locks = new std::mutex[CRYPTO_num_locks()];
// CRYPTO_set_id_callback(ssl_thread_id); OpenSSL manual says that
// if threadid_func is not specified using
// CRYPTO_THREADID_set_callback(), then default implementation is
// used. We use this default one.
CRYPTO_set_locking_callback(ssl_locking_cb);
}
#endif // !OPENSSL_1_1_API
const char *get_tls_protocol(SSL *ssl) { const char *get_tls_protocol(SSL *ssl) {
switch (SSL_version(ssl)) { switch (SSL_version(ssl)) {
case SSL2_VERSION: case SSL2_VERSION:
@@ -148,52 +112,12 @@ bool check_http2_requirement(SSL *ssl) {
return check_http2_tls_version(ssl) && !check_http2_cipher_block_list(ssl); return check_http2_tls_version(ssl) && !check_http2_cipher_block_list(ssl);
} }
void libssl_init() {
#if OPENSSL_1_1_API
// No explicit initialization is required.
#elif defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
CRYPTO_library_init();
#else // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
OPENSSL_config(nullptr);
SSL_load_error_strings();
SSL_library_init();
OpenSSL_add_all_algorithms();
#endif // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
}
int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max) { int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max) {
#if OPENSSL_1_1_API || defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_min_proto_version(ssl_ctx, min) != 1 || if (SSL_CTX_set_min_proto_version(ssl_ctx, min) != 1 ||
SSL_CTX_set_max_proto_version(ssl_ctx, max) != 1) { SSL_CTX_set_max_proto_version(ssl_ctx, max) != 1) {
return -1; return -1;
} }
return 0; return 0;
#else // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
long int opts = 0;
// TODO We depends on the ordering of protocol version macro in
// OpenSSL.
if (min > TLS1_VERSION) {
opts |= SSL_OP_NO_TLSv1;
}
if (min > TLS1_1_VERSION) {
opts |= SSL_OP_NO_TLSv1_1;
}
if (min > TLS1_2_VERSION) {
opts |= SSL_OP_NO_TLSv1_2;
}
if (max < TLS1_2_VERSION) {
opts |= SSL_OP_NO_TLSv1_2;
}
if (max < TLS1_1_VERSION) {
opts |= SSL_OP_NO_TLSv1_1;
}
SSL_CTX_set_options(ssl_ctx, opts);
return 0;
#endif // !OPENSSL_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL)
} }
} // namespace tls } // namespace tls
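Review bot: Deleting `libssl_init()` also deletes the `CRYPTO_library_init()` call the BoringSSL branch made; BoringSSL's headers describe that call as a no-op only when the library is not built with `BORINGSSL_NO_STATIC_INITIALIZER`, so a BoringSSL or aws-lc built with that option would now be used without initialization. If that configuration is considered out of scope, a short comment at the top of `namespace tls` saying so would stop the next reader from re-adding the shim; otherwise keep a minimal `libssl_init()` whose body is just `CRYPTO_library_init();` under `#ifdef NGHTTP2_OPENSSL_IS_BORINGSSL`. The callers of `libssl_init()` are not visible here, so I assume they are updated elsewhere in the commit.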


@@ -37,15 +37,6 @@ namespace nghttp2 {
namespace tls { namespace tls {
// Acquire OpenSSL global lock to share SSL_CTX across multiple
// threads. The constructor acquires lock and destructor unlocks.
class LibsslGlobalLock {
public:
LibsslGlobalLock();
LibsslGlobalLock(const LibsslGlobalLock &) = delete;
LibsslGlobalLock &operator=(const LibsslGlobalLock &) = delete;
};
// Recommended general purpose "Intermediate compatibility" cipher // Recommended general purpose "Intermediate compatibility" cipher
// suites for TLSv1.2 by mozilla. // suites for TLSv1.2 by mozilla.
// //
@@ -61,11 +52,11 @@ constexpr char DEFAULT_CIPHER_LIST[] =
// //
// https://wiki.mozilla.org/Security/Server_Side_TLS // https://wiki.mozilla.org/Security/Server_Side_TLS
constexpr char DEFAULT_TLS13_CIPHER_LIST[] = constexpr char DEFAULT_TLS13_CIPHER_LIST[] =
#if OPENSSL_1_1_1_API && !defined(NGHTTP2_OPENSSL_IS_BORINGSSL) #if defined(NGHTTP2_GENUINE_OPENSSL) || defined(NGHTTP2_OPENSSL_IS_LIBRESSL)
"TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256" "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
#else #else // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
"" ""
#endif #endif // !NGHTTP2_GENUINE_OPENSSL && !NGHTTP2_OPENSSL_IS_LIBRESSL
; ;
constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION; constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;
@@ -102,9 +93,6 @@ bool check_http2_cipher_block_list(SSL *ssl);
// described in RFC 7540. // described in RFC 7540.
bool check_http2_requirement(SSL *ssl); bool check_http2_requirement(SSL *ssl);
// Initializes OpenSSL library
void libssl_init();
// Sets TLS min and max versions to |ssl_ctx|. This function returns // Sets TLS min and max versions to |ssl_ctx|. This function returns
// 0 if it succeeds, or -1. // 0 if it succeeds, or -1.
int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max); int ssl_ctx_set_proto_versions(SSL_CTX *ssl_ctx, int min, int max);
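Review bot: The `#else` branch of `DEFAULT_TLS13_CIPHER_LIST` leaves the list empty for BoringSSL/aws-lc without saying why, and the consequence is easy to miss: the `create_ssl_context` hunks in the earlier section guard `SSL_CTX_set_ciphersuites` with the same `NGHTTP2_GENUINE_OPENSSL || NGHTTP2_OPENSSL_IS_LIBRESSL` condition, so in those builds a user-supplied TLS 1.3 cipher list is never applied. A comment on the `#else` line would make that explicit: `// BoringSSL/aws-lc expose no TLS 1.3 cipher suite configuration; the list is unused and any configured value is ignored in those builds.` Whether the option parser warns the user about the ignored setting is not visible here and is worth checking.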


@@ -1531,16 +1531,6 @@ uint32_t hash32(const StringRef &s) {
return h; return h;
} }
#if !OPENSSL_1_1_API
namespace {
EVP_MD_CTX *EVP_MD_CTX_new(void) { return EVP_MD_CTX_create(); }
} // namespace
namespace {
void EVP_MD_CTX_free(EVP_MD_CTX *ctx) { EVP_MD_CTX_destroy(ctx); }
} // namespace
#endif // !OPENSSL_1_1_API
namespace { namespace {
int message_digest(uint8_t *res, const EVP_MD *meth, const StringRef &s) { int message_digest(uint8_t *res, const EVP_MD *meth, const StringRef &s) {
int rv; int rv;