RepoMirrors/haproxy
1
0
Fork 0
mirror of http://git.haproxy.org/git/haproxy.git/ synced 2025-03-05 19:10:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

BUILD: enable several LibreSSL hacks, including

Browse Source 
SSL_SESSION_get0_id_context is introduced in LibreSSL-2.7.0
async operations are not supported by LibreSSL
early data is not supported by LibreSSL
packet_length is removed from SSL struct in LibreSSL
This commit is contained in:
Ilya Shipitsin 2019-05-05 23:27:54 +05:00 committed by Willy Tarreau
parent 70e0224987
commit 54832b97c6
4 changed files with 26 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
include/proto/openssl-compat.h
View File

@ -89,9 +89,9 @@ static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned cha
} }
#endif #endif
#if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || defined(LIBRESSL_VERSION_NUMBER) #if (OPENSSL_VERSION_NUMBER < 0x1010000fL) || (defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL))
/* /*
* Functions introduced in OpenSSL 1.1.0 and not yet present in LibreSSL * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0
*/ */
static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length) static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length)

2
include/proto/ssl_sock.h
View File

@ -85,7 +85,7 @@ SSL_CTX *ssl_sock_get_generated_cert(unsigned int key, struct bind_conf *bind_co
int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf); int ssl_sock_set_generated_cert(SSL_CTX *ctx, unsigned int key, struct bind_conf *bind_conf);
unsigned int ssl_sock_generated_cert_key(const void *data, size_t len); unsigned int ssl_sock_generated_cert_key(const void *data, size_t len);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
void ssl_async_fd_handler(int fd); void ssl_async_fd_handler(int fd);
void ssl_async_fd_free(int fd); void ssl_async_fd_free(int fd);
#endif #endif

2
src/cli.c
View File

@ -1002,7 +1002,7 @@ static int cli_io_handler_show_fd(struct appctx *appctx)
(fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" : (fdt.iocb == poller_pipe_io_handler) ? "poller_pipe_io_handler" :
(fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" : (fdt.iocb == mworker_accept_wrapper) ? "mworker_accept_wrapper" :
#ifdef USE_OPENSSL #ifdef USE_OPENSSL
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
(fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" : (fdt.iocb == ssl_async_fd_free) ? "ssl_async_fd_free" :
(fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" : (fdt.iocb == ssl_async_fd_handler) ? "ssl_async_fd_handler" :
#endif #endif

44
src/ssl_sock.c
View File

@ -57,7 +57,7 @@
#include <openssl/engine.h> #include <openssl/engine.h>
#endif #endif
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
#include <openssl/async.h> #include <openssl/async.h>
#endif #endif
@ -575,7 +575,7 @@ fail_get:
} }
#endif #endif
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
/* /*
* openssl async fd handler * openssl async fd handler
*/ */
@ -2297,7 +2297,7 @@ static void ssl_sock_switchctx_set(SSL *ssl, SSL_CTX *ctx)
SSL_set_SSL_CTX(ssl, ctx); SSL_set_SSL_CTX(ssl, ctx);
} }
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL) #if ((OPENSSL_VERSION_NUMBER >= 0x10101000L) || defined(OPENSSL_IS_BORINGSSL)) && !defined(LIBRESSL_VERSION_NUMBER)
static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv) static int ssl_sock_switchctx_err_cbk(SSL *ssl, int *al, void *priv)
{ {
@ -4029,7 +4029,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
SSL_CTX_set_options(ctx, options); SSL_CTX_set_options(ctx, options);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
if (global_ssl.async) if (global_ssl.async)
mode |= SSL_MODE_ASYNC; mode |= SSL_MODE_ASYNC;
#endif #endif
@ -4041,7 +4041,7 @@ ssl_sock_initial_ctx(struct bind_conf *bind_conf)
#ifdef OPENSSL_IS_BORINGSSL #ifdef OPENSSL_IS_BORINGSSL
SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk); SSL_CTX_set_select_certificate_cb(ctx, ssl_sock_switchctx_cbk);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk); SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_err_cbk);
#elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) #elif (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
if (bind_conf->ssl_conf.early_data) { if (bind_conf->ssl_conf.early_data) {
SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY); SSL_CTX_set_options(ctx, SSL_OP_NO_ANTI_REPLAY);
SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite); SSL_CTX_set_max_early_data(ctx, global.tune.bufsize - global.tune.maxrewrite);
@ -4817,7 +4817,7 @@ int ssl_sock_prepare_srv_ctx(struct server *srv)
options |= SSL_OP_NO_TICKET; options |= SSL_OP_NO_TICKET;
SSL_CTX_set_options(ctx, options); SSL_CTX_set_options(ctx, options);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
if (global_ssl.async) if (global_ssl.async)
mode |= SSL_MODE_ASYNC; mode |= SSL_MODE_ASYNC;
#endif #endif
@ -5370,7 +5370,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
if (!conn->xprt_ctx) if (!conn->xprt_ctx)
goto out_error; goto out_error;
#if OPENSSL_VERSION_NUMBER >= 0x10101000L #if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined (LIBRESSL_VERSION_NUMBER)
/* /*
* Check if we have early data. If we do, we have to read them * Check if we have early data. If we do, we have to read them
* before SSL_do_handshake() is called, And there's no way to * before SSL_do_handshake() is called, And there's no way to
@ -5427,7 +5427,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
fd_cant_recv(conn->handle.fd); fd_cant_recv(conn->handle.fd);
return 0; return 0;
} }
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
else if (ret == SSL_ERROR_WANT_ASYNC) { else if (ret == SSL_ERROR_WANT_ASYNC) {
ssl_async_process_fds(conn, ctx->ssl); ssl_async_process_fds(conn, ctx->ssl);
return 0; return 0;
@ -5446,7 +5446,7 @@ int ssl_sock_handshake(struct connection *conn, unsigned int flag)
OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl); OSSL_HANDSHAKE_STATE state = SSL_get_state((SSL *)ctx->ssl);
empty_handshake = state == TLS_ST_BEFORE; empty_handshake = state == TLS_ST_BEFORE;
#else #else
empty_handshake = !ctx->ssl->packet_length; empty_handshake = SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE;
#endif #endif
if (empty_handshake) { if (empty_handshake) {
if (!errno) { if (!errno) {
@ -5511,7 +5511,7 @@ check_error:
fd_cant_recv(conn->handle.fd); fd_cant_recv(conn->handle.fd);
return 0; return 0;
} }
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
else if (ret == SSL_ERROR_WANT_ASYNC) { else if (ret == SSL_ERROR_WANT_ASYNC) {
ssl_async_process_fds(conn, ctx->ssl); ssl_async_process_fds(conn, ctx->ssl);
return 0; return 0;
@ -5530,7 +5530,7 @@ check_error:
OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl); OSSL_HANDSHAKE_STATE state = SSL_get_state(ctx->ssl);
empty_handshake = state == TLS_ST_BEFORE; empty_handshake = state == TLS_ST_BEFORE;
#else #else
empty_handshake = !ctx->ssl->packet_length; empty_handshake = SSL_state((SSL *)ctx->ssl) == SSL_ST_BEFORE;
#endif #endif
if (empty_handshake) { if (empty_handshake) {
if (!errno) { if (!errno) {
@ -5570,7 +5570,7 @@ check_error:
goto out_error; goto out_error;
} }
} }
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
else { else {
/* /*
* If the server refused the early data, we have to send a * If the server refused the early data, we have to send a
@ -5589,7 +5589,7 @@ check_error:
reneg_ok: reneg_ok:
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
/* ASYNC engine API doesn't support moving read/write /* ASYNC engine API doesn't support moving read/write
* buffers. So we disable ASYNC mode right after * buffers. So we disable ASYNC mode right after
* the handshake to avoid buffer oveflows. * the handshake to avoid buffer oveflows.
@ -5698,7 +5698,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
continue; continue;
} }
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined(LIBRESSL_VERSION_NUMBER)
if (conn->flags & CO_FL_EARLY_SSL_HS) { if (conn->flags & CO_FL_EARLY_SSL_HS) {
size_t read_length; size_t read_length;
@ -5750,7 +5750,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
/* handshake is running, and it needs to enable write */ /* handshake is running, and it needs to enable write */
conn->flags |= CO_FL_SSL_WAIT_HS; conn->flags |= CO_FL_SSL_WAIT_HS;
__conn_sock_want_send(conn); __conn_sock_want_send(conn);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
/* Async mode can be re-enabled, because we're leaving data state.*/ /* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async) if (global_ssl.async)
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@ -5762,7 +5762,7 @@ static size_t ssl_sock_to_buf(struct connection *conn, void *xprt_ctx, struct bu
/* handshake is running, and it may need to re-enable read */ /* handshake is running, and it may need to re-enable read */
conn->flags |= CO_FL_SSL_WAIT_HS; conn->flags |= CO_FL_SSL_WAIT_HS;
__conn_sock_want_recv(conn); __conn_sock_want_recv(conn);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
/* Async mode can be re-enabled, because we're leaving data state.*/ /* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async) if (global_ssl.async)
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@ -5839,7 +5839,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
* in which case we accept to do it once again. * in which case we accept to do it once again.
*/ */
while (count) { while (count) {
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER)
size_t written_data; size_t written_data;
#endif #endif
@ -5860,7 +5860,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED; ctx->xprt_st |= SSL_SOCK_SEND_UNLIMITED;
} }
#if (OPENSSL_VERSION_NUMBER >= 0x10101000L) #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) && !defined (LIBRESSL_VERSION_NUMBER)
if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) { if (!SSL_is_init_finished(ctx->ssl) && conn_is_back(conn)) {
unsigned int max_early; unsigned int max_early;
@ -5912,7 +5912,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
/* handshake is running, and it may need to re-enable write */ /* handshake is running, and it may need to re-enable write */
conn->flags |= CO_FL_SSL_WAIT_HS; conn->flags |= CO_FL_SSL_WAIT_HS;
__conn_sock_want_send(conn); __conn_sock_want_send(conn);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
/* Async mode can be re-enabled, because we're leaving data state.*/ /* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async) if (global_ssl.async)
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@ -5927,7 +5927,7 @@ static size_t ssl_sock_from_buf(struct connection *conn, void *xprt_ctx, const s
/* handshake is running, and it needs to enable read */ /* handshake is running, and it needs to enable read */
conn->flags |= CO_FL_SSL_WAIT_HS; conn->flags |= CO_FL_SSL_WAIT_HS;
__conn_sock_want_recv(conn); __conn_sock_want_recv(conn);
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
/* Async mode can be re-enabled, because we're leaving data state.*/ /* Async mode can be re-enabled, because we're leaving data state.*/
if (global_ssl.async) if (global_ssl.async)
SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC); SSL_set_mode(ctx->ssl, SSL_MODE_ASYNC);
@ -5955,7 +5955,7 @@ static void ssl_sock_close(struct connection *conn, void *xprt_ctx) {
struct ssl_sock_ctx *ctx = xprt_ctx; struct ssl_sock_ctx *ctx = xprt_ctx;
if (ctx) { if (ctx) {
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
if (global_ssl.async) { if (global_ssl.async) {
OSSL_ASYNC_FD all_fd[32], afd; OSSL_ASYNC_FD all_fd[32], afd;
size_t num_all_fds = 0; size_t num_all_fds = 0;
@ -8765,7 +8765,7 @@ static int ssl_parse_global_ssl_async(char **args, int section_type, struct prox
struct proxy *defpx, const char *file, int line, struct proxy *defpx, const char *file, int line,
char **err) char **err)
{ {
#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
global_ssl.async = 1; global_ssl.async = 1;
global.ssl_used_async_engines = nb_engines; global.ssl_used_async_engines = nb_engines;
return 0; return 0;