Merge pull request #1162 from nghttp2/libressl

Libressl

Merge pull request #1162 from nghttp2/libressl
Libressl
e04de48e · Tatsuhiro Tsujikawa · GitHub · 3febaef1 · 00964642 · e04de48e
Unverified Commit e04de48e authored Apr 14, 2018 by Tatsuhiro Tsujikawa Committed by GitHub Apr 14, 2018
5 changed files
--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@@ -59,6 +59,7 @@
 #include "base64.h"
 #include "tls.h"
 #include "template.h"
+#include "ssl_compat.h"

 #ifndef O_BINARY
 #define O_BINARY (0)
@@ -680,15 +681,16 @@ int HttpClient::initiate_connection() {
      const auto &host_string =
          config.host_override.empty() ? host : config.host_override;

-#if (!defined(LIBRESSL_VERSION_NUMBER) &&                                      \
-     OPENSSL_VERSION_NUMBER >= 0x10002000L) ||                                 \
+#if LIBRESSL_2_7_API ||                                                        \
+    (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L) ||             \
    defined(OPENSSL_IS_BORINGSSL)
      auto param = SSL_get0_param(ssl);
      X509_VERIFY_PARAM_set_hostflags(param, 0);
      X509_VERIFY_PARAM_set1_host(param, host_string.c_str(),
                                  host_string.size());
-#endif // (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >=
-       // 0x10002000L) || defined(OPENSSL_IS_BORINGSSL)
+#endif // LIBRESSL_2_7_API || (!LIBRESSL_IN_USE &&
+       // OPENSSL_VERSION_NUMBER >= 0x10002000L) ||
+       // defined(OPENSSL_IS_BORINGSSL)
      SSL_set_verify(ssl, SSL_VERIFY_PEER, verify_cb);

      if (!util::numeric_host(host_string.c_str())) {

--- a/src/shrpx_config.cc
+++ b/src/shrpx_config.cc
@@ -1222,7 +1222,7 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
    auto param = StringRef{first, end};

    if (util::istarts_with_l(param, "sct-dir=")) {
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
      auto sct_dir =
          StringRef{std::begin(param) + str_size("sct-dir="), std::end(param)};
      if (sct_dir.empty()) {
@@ -1230,9 +1230,9 @@ int parse_subcert_params(SubcertParams &out, const StringRef &src_params) {
        return -1;
      }
      out.sct_dir = sct_dir;
-#else  // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#else  // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
      LOG(WARN) << "subcert: sct-dir requires OpenSSL >= 1.0.2";
-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
    } else if (!param.empty()) {
      LOG(ERROR) << "subcert: " << param << ": unknown keyword";
      return -1;
@@ -1364,7 +1364,7 @@ int read_tls_sct_from_dir(std::vector<uint8_t> &dst, const StringRef &opt,
 }
 } // namespace

-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_LEGACY_API
 namespace {
 // Reads PSK secrets from path, and parses each line.  The result is
 // directly stored into config->tls.psk_secrets.  This function
@@ -1428,9 +1428,9 @@ int parse_psk_secrets(Config *config, const StringRef &path) {
  return 0;
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !LIBRESSL_LEGACY_API

-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_LEGACY_API
 namespace {
 // Reads PSK secrets from path, and parses each line.  The result is
 // directly stored into config->tls.client.psk.  This function returns
@@ -1490,7 +1490,7 @@ int parse_client_psk_secrets(Config *config, const StringRef &path) {
  return 0;
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !LIBRESSL_LEGACY_API

 // generated by gennghttpxfun.py
 int option_lookup_token(const char *name, size_t namelen) {
@@ -3454,19 +3454,19 @@ int parse_config(Config *config, int optid, const StringRef &opt,
    return parse_uint_with_unit(
        &config->http2.downstream.decoder_dynamic_table_size, opt, optarg);
  case SHRPX_OPTID_ECDH_CURVES:
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
    config->tls.ecdh_curves = make_string_ref(config->balloc, optarg);
-#else  // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#else  // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
    LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
    return 0;
  case SHRPX_OPTID_TLS_SCT_DIR:
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
    return read_tls_sct_from_dir(config->tls.sct_data, opt, optarg);
-#else  // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#else  // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
    LOG(WARN) << opt << ": This option requires OpenSSL >= 1.0.2";
    return 0;
-#endif // !(!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
+#endif // !(!LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L)
  case SHRPX_OPTID_DNS_CACHE_TIMEOUT:
    return parse_duration(&config->dns.timeout.cache, opt, optarg);
  case SHRPX_OPTID_DNS_LOOKUP_TIMEOUT:
@@ -3489,23 +3489,23 @@ int parse_config(Config *config, int optid, const StringRef &opt,
    return parse_duration(&config->conn.upstream.timeout.idle_read, opt,
                          optarg);
  case SHRPX_OPTID_PSK_SECRETS:
-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_LEGACY_API
    return parse_psk_secrets(config, optarg);
-#else  // LIBRESSL_IN_USE
+#else  // LIBRESSL_LEGACY_API
    LOG(WARN)
        << opt
        << ": ignored because underlying TLS library does not support PSK";
    return 0;
-#endif // LIBRESSL_IN_USE
+#endif // LIBRESSL_LEGACY_API
  case SHRPX_OPTID_CLIENT_PSK_SECRETS:
-#if !LIBRESSL_IN_USE
+#if !LIBRESSL_LEGACY_API
    return parse_client_psk_secrets(config, optarg);
-#else  // LIBRESSL_IN_USE
+#else  // LIBRESSL_LEGACY_API
    LOG(WARN)
        << opt
        << ": ignored because underlying TLS library does not support PSK";
    return 0;
-#endif // LIBRESSL_IN_USE
+#endif // LIBRESSL_LEGACY_API
  case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
    config->tls.client.no_http2_cipher_black_list =
        util::strieq_l("yes", optarg);

--- a/src/shrpx_connection.cc
+++ b/src/shrpx_connection.cc
@@ -44,13 +44,13 @@ using namespace nghttp2;

 namespace shrpx {

-#if !OPENSSL_1_1_API
+#if !LIBRESSL_2_7_API && !OPENSSL_1_1_API

 void *BIO_get_data(BIO *bio) { return bio->ptr; }
 void BIO_set_data(BIO *bio, void *ptr) { bio->ptr = ptr; }
 void BIO_set_init(BIO *bio, int init) { bio->init = init; }

-#endif // !OPENSSL_1_1_API
+#endif // !LIBRESSL_2_7_API && !OPENSSL_1_1_API

 Connection::Connection(struct ev_loop *loop, int fd, SSL *ssl,
                       MemchunkPool *mcpool, ev_tstamp write_timeout,

--- a/src/shrpx_tls.cc
+++ b/src/shrpx_tls.cc
@@ -194,7 +194,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
  const auto &ssl_ctx_list = conn_handler->get_indexed_ssl_ctx(idx);
  assert(!ssl_ctx_list.empty());

-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER) &&     \
+#if !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&                      \
    OPENSSL_VERSION_NUMBER >= 0x10002000L
  auto num_shared_curves = SSL_get_shared_curve(ssl, -1);

@@ -238,7 +238,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
      }
    }
  }
-#endif // !defined(OPENSSL_IS_BORINGSSL) && !defined(LIBRESSL_VERSION_NUMBER) &&
+#endif // !defined(OPENSSL_IS_BORINGSSL) && !LIBRESSL_IN_USE &&
       // OPENSSL_VERSION_NUMBER >= 0x10002000L

  SSL_set_SSL_CTX(ssl, ssl_ctx_list[0]);
@@ -657,7 +657,7 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
 #endif // !OPENSSL_1_1_1_API
 #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L

-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
 namespace {
 unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
                           unsigned int max_psk_len) {
@@ -681,9 +681,9 @@ unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk,
  return static_cast<unsigned int>(secret.size());
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK

-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
 namespace {
 unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
                           unsigned int max_identity_len, unsigned char *psk,
@@ -716,7 +716,7 @@ unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity_out,
  return static_cast<unsigned int>(secret.size());
 }
 } // namespace
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK

 struct TLSProtocol {
  StringRef name;
@@ -794,7 +794,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  }

 #ifndef OPENSSL_NO_EC
-#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
  if (SSL_CTX_set1_curves_list(ssl_ctx, tlsconf.ecdh_curves.c_str()) != 1) {
    LOG(FATAL) << "SSL_CTX_set1_curves_list " << tlsconf.ecdh_curves
               << " failed";
@@ -805,7 +805,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  // function was deprecated in OpenSSL 1.1.0 and BoringSSL.
  SSL_CTX_set_ecdh_auto(ssl_ctx, 1);
 #endif // !defined(OPENSSL_IS_BORINGSSL) && !OPENSSL_1_1_API
-#else  // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
+#else  // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
  // Use P-256, which is sufficiently secure at the time of this
  // writing.
  auto ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
@@ -816,7 +816,7 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  }
  SSL_CTX_set_tmp_ecdh(ssl_ctx, ecdh);
  EC_KEY_free(ecdh);
-#endif // LIBRESSL_IN_USE || OPENSSL_VERSION_NUBMER < 0x10002000L
+#endif // LIBRESSL_LEGACY_API || OPENSSL_VERSION_NUBMER < 0x10002000L
 #endif // OPENSSL_NO_EC

  if (!tlsconf.dh_param_file.empty()) {
@@ -966,9 +966,9 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
  }
 #endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L

-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
  SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
-#endif // !LIBRESSL_IN_USE
+#endif // !LIBRESSL_NO_PSK

  auto tls_ctx_data = new TLSContextData();
  tls_ctx_data->cert_file = cert_file;
@@ -1116,9 +1116,9 @@ SSL_CTX *create_ssl_client_context(
 #endif // HAVE_NEVERBLEED
  }

-#if !LIBRESSL_IN_USE
+#ifndef OPENSSL_NO_PSK
  SSL_CTX_set_psk_client_callback(ssl_ctx, psk_client_cb);
-#endif // !LIBRESSL_IN_USE
+#endif // !OPENSSL_NO_PSK

  // NPN selection callback.  This is required to set SSL_CTX because
  // OpenSSL does not offer SSL_set_next_proto_select_cb.
@@ -1555,16 +1555,15 @@ int cert_lookup_tree_add_ssl_ctx(
    SSL_CTX *ssl_ctx) {
  std::array<uint8_t, NI_MAXHOST> buf;

-#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10002000L
+#if LIBRESSL_2_7_API ||                                                        \
+    (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L)
  auto cert = SSL_CTX_get0_certificate(ssl_ctx);
-#else  // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
-  // 0x10002000L
+#else  // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L
  auto tls_ctx_data =
      static_cast<TLSContextData *>(SSL_CTX_get_app_data(ssl_ctx));
  auto cert = load_certificate(tls_ctx_data->cert_file);
  auto cert_deleter = defer(X509_free, cert);
-#endif // defined(LIBRESSL_VERSION_NUMBER) || OPENSSL_VERSION_NUMBER <
-       // 0x10002000L
+#endif // !LIBRESSL_2_7_API && OPENSSL_VERSION_NUMBER < 0x10002000L

  auto altnames = static_cast<GENERAL_NAMES *>(
      X509_get_ext_d2i(cert, NID_subject_alt_name, nullptr, nullptr));
@@ -1852,7 +1851,7 @@ int proto_version_from_string(const StringRef &v) {
 int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
                         size_t ocsp_resplen) {

-#if !defined(OPENSSL_NO_OCSP) && !defined(LIBRESSL_VERSION_NUMBER) &&          \
+#if !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE &&                           \
    OPENSSL_VERSION_NUMBER >= 0x10002000L
  int rv;

@@ -1925,7 +1924,7 @@ int verify_ocsp_response(SSL_CTX *ssl_ctx, const uint8_t *ocsp_resp,
  if (LOG_ENABLED(INFO)) {
    LOG(INFO) << "OCSP verification succeeded";
  }
-#endif // !defined(OPENSSL_NO_OCSP) && !defined(LIBRESSL_VERSION_NUMBER)
+#endif // !defined(OPENSSL_NO_OCSP) && !LIBRESSL_IN_USE
       // && OPENSSL_VERSION_NUMBER >= 0x10002000L

  return 0;

--- a/src/ssl_compat.h
+++ b/src/ssl_compat.h
@@ -27,15 +27,17 @@
 #include <openssl/opensslv.h>

 #if defined(LIBRESSL_VERSION_NUMBER)
+#define OPENSSL_1_1_API 0
+#define OPENSSL_1_1_1_API 0
 #define LIBRESSL_IN_USE 1
+#define LIBRESSL_LEGACY_API (LIBRESSL_VERSION_NUMBER < 0x20700000L)
+#define LIBRESSL_2_7_API (LIBRESSL_VERSION_NUMBER >= 0x20700000L)
 #else // !defined(LIBRESSL_VERSION_NUMBER)
+#define OPENSSL_1_1_API (OPENSSL_VERSION_NUMBER >= 0x1010000fL)
+#define OPENSSL_1_1_1_API (OPENSSL_VERSION_NUMBER >= 0x10101000L)
 #define LIBRESSL_IN_USE 0
+#define LIBRESSL_LEGACY_API 0
+#define LIBRESSL_2_7_API 0
 #endif // !defined(LIBRESSL_VERSION_NUMBER)

-#define OPENSSL_1_1_API                                                        \
-  (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x1010000fL)
-
-#define OPENSSL_1_1_1_API                                                      \
-  (!LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10101000L)
-
 #endif // OPENSSL_COMPAT_H