Repository: trafficserver Updated Branches: refs/heads/master fddd7c743 -> 2dbdd9c26
TS-3380: Add configure time constant to enable openssl 1.0.2 changes to compile with libressl Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/2dbdd9c2 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/2dbdd9c2 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/2dbdd9c2 Branch: refs/heads/master Commit: 2dbdd9c266a2ed663116ec275c686d7ae809dfd7 Parents: fddd7c7 Author: shinrich <shinr...@yahoo-inc.com> Authored: Mon Feb 9 17:59:05 2015 -0600 Committer: shinrich <shinr...@yahoo-inc.com> Committed: Mon Feb 9 18:11:42 2015 -0600 ---------------------------------------------------------------------- CHANGES | 2 + build/crypto.m4 | 83 +++++++++++++++++++++++++++++++++++++++++- configure.ac | 8 ++++ iocore/net/SSLInternal.cc | 7 ++++ iocore/net/SSLUtils.cc | 4 +- lib/ts/ink_config.h.in | 2 + 6 files changed, 103 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/CHANGES ---------------------------------------------------------------------- diff --git a/CHANGES b/CHANGES index a23d522..4a80d57 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,8 @@ -*- coding: utf-8 -*- Changes with Apache Traffic Server 5.3.0 + *) [TS-3380] Fix the detection of new openssl calls to enable compilation against libressl. + *) [TS-3364] Add command line config validation support to traffic_server *) [TS-3377] Fix bad file descriptor handling that caused disks in http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/build/crypto.m4 ---------------------------------------------------------------------- diff --git a/build/crypto.m4 b/build/crypto.m4 index 32276a2..2c83793 100644 --- a/build/crypto.m4 +++ b/build/crypto.m4 
@@ -89,7 +89,12 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [ enable_tls_sni=yes TS_ADDTO(LIBS, [$OPENSSL_LIBS]) - AC_CHECK_HEADERS(openssl/tls1.h openssl/ssl.h openssl/ts.h) + AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h) + AC_CHECK_HEADERS(openssl/tls1.h, [], [], +[ #ifdef HEADER_SSL_H +#include <openssl/tls1.h> +#endif ]) + # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a # macro, so AC_CHECK_FUNCS is not going to do the business. AC_MSG_CHECKING([for SSL_CTX_set_tlsext_servername_callback]) 
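Review bot: The prelude passed as the fourth argument of the new `AC_CHECK_HEADERS(openssl/tls1.h, …)` includes tls1.h itself, guarded by `#ifdef HEADER_SSL_H`, but nothing earlier in the test program includes ssl.h, so HEADER_SSL_H is undefined there, the prelude expands to nothing, and tls1.h is still compiled on its own exactly as the removed one-line check did. If the goal is to let tls1.h be tested after the header it depends on (the commit message suggests it does not compile standalone against libressl), the prelude should include ssl.h instead, e.g. `#ifdef HAVE_OPENSSL_SSL_H` / `#include <openssl/ssl.h>` / `#endif`, which works because `openssl/ssl.h` is already probed on the preceding line and its result lands in confdefs.h. This matters downstream: the new TS_CHECK_CRYPTO_CERT_CB and TS_CHECK_CRYPTO_SET_RBIO probes only include tls1.h under HAVE_OPENSSL_TLS1_H, so a wrong answer here changes what those link tests see.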
@@ -122,3 +127,79 @@ AC_DEFUN([TS_CHECK_CRYPTO_SNI], [
 TS_ARG_ENABLE_VAR([use], [tls-sni])
 AC_SUBST(use_tls_sni)
 ])
+
+AC_DEFUN([TS_CHECK_CRYPTO_CERT_CB], [
+ _cert_saved_LIBS=$LIBS
+ enable_cert_cb=yes
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
+
+ # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
+ # macro, so AC_CHECK_FUNCS is not going to do the business.
+ AC_MSG_CHECKING([for SSL_CTX_set_cert_cb])
+ AC_LINK_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_CTX_set_cert_cb(NULL, NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_cert_cb=no
+ ])
+
+ LIBS=$_cert_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable Certificate callback support)
+ AC_MSG_RESULT([$enable_cert_cb])
+ TS_ARG_ENABLE_VAR([use], [cert-cb])
+ AC_SUBST(use_cert_cb)
+])
+
+AC_DEFUN([TS_CHECK_CRYPTO_SET_RBIO], [
+ _rbio_saved_LIBS=$LIBS
+ enable_set_rbio=yes
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_CHECK_HEADERS(openssl/ssl.h openssl/ts.h)
+
+ # We are looking for SSL_CTX_set_tlsext_servername_callback, but it's a
+ # macro, so AC_CHECK_FUNCS is not going to do the business.
+ AC_MSG_CHECKING([for SSL_set_rbio])
+ AC_LINK_IFELSE(
+ [
+ AC_LANG_PROGRAM([[
+#if HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#endif
+#if HAVE_OPENSSL_TLS1_H
+#include <openssl/tls1.h>
+#endif
+ ]],
+ [[SSL_set_rbio(NULL, NULL);]])
+ ],
+ [
+ AC_MSG_RESULT([yes])
+ ],
+ [
+ AC_MSG_RESULT([no])
+ enable_set_rbio=no
+ ])
+
+ LIBS=$_rbio_saved_LIBS
+
+ AC_MSG_CHECKING(whether to enable set rbio)
+ AC_MSG_RESULT([$enable_set_rbio])
+ TS_ARG_ENABLE_VAR([use], [set-rbio])
+ AC_SUBST(use_set_rbio)
+])
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/configure.ac ----------------------------------------------------------------------
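Review bot: The comment above `AC_MSG_CHECKING([for SSL_CTX_set_cert_cb])` was carried over from TS_CHECK_CRYPTO_SNI and still explains why SSL_CTX_set_tlsext_servername_callback needs a link test because it is a macro, which says nothing about the function this macro actually probes; the same stale comment sits above `AC_MSG_CHECKING([for SSL_set_rbio])` in TS_CHECK_CRYPTO_SET_RBIO. Suggest replacing each with what is being established, e.g. `# Link a call to SSL_CTX_set_cert_cb rather than comparing OPENSSL_VERSION_NUMBER: the function appeared in OpenSSL 1.0.2 and other libssl implementations do not share OpenSSL's version numbering.` Both macros also include tls1.h under `#if HAVE_OPENSSL_TLS1_H` while probing only openssl/ssl.h and openssl/ts.h themselves, so they quietly depend on TS_CHECK_CRYPTO_SNI having run first; either add openssl/tls1.h to their own AC_CHECK_HEADERS or state the ordering requirement in a comment at the top of each macro. Note too that `SSL_CTX_set_cert_cb(NULL, NULL, NULL)` and `SSL_set_rbio(NULL, NULL)` only prove the symbols link, not their parameter types, so a prototype mismatch with the code that calls them will surface only when iocore is compiled.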
diff --git a/configure.ac b/configure.ac index 63071f7..3001043 100644 --- a/configure.ac +++ b/configure.ac @@ -1120,6 +1120,14 @@ TS_CHECK_CRYPTO_EC_KEYS # Check for ServerNameIndication TLS extension support. TS_CHECK_CRYPTO_SNI +# +# Check for the presense of the certificate callback in the ssl library +TS_CHECK_CRYPTO_CERT_CB + +# +# Check for SSL_set_rbio call +TS_CHECK_CRYPTO_SET_RBIO + # # Check for zlib presence and usability TS_CHECK_ZLIB http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/iocore/net/SSLInternal.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLInternal.cc b/iocore/net/SSLInternal.cc index b6d657a..bccf2b5 100644 --- a/iocore/net/SSLInternal.cc +++ b/iocore/net/SSLInternal.cc @@ -21,6 +21,11 @@ See the License for the specific language governing permissions and limitations under the License. */ +#include <ink_config.h> +#if TS_USE_SET_RBIO +// No need to do anything, this version of openssl provides the SSL_set_rbio function +#else + #ifdef OPENSSL_NO_SSL_INTERN #undef OPENSSL_NO_SSL_INTERN #endif @@ -37,3 +42,5 @@ SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio) } sslvc->ssl->rbio = rbio; } + +#endif http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/iocore/net/SSLUtils.cc ---------------------------------------------------------------------- diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc index f0265c6..638b7ab 100644 --- a/iocore/net/SSLUtils.cc +++ b/iocore/net/SSLUtils.cc @@ -333,7 +333,7 @@ done: // Use the certificate callback for openssl 1.0.2 and greater // otherwise use the SNI callback -#if OPENSSL_VERSION_NUMBER >= 0x1000200fL +#if TS_USE_CERT_CB /** * Called before either the server or the client certificate is used * Return 1 on success, 0 on error, or -1 to pause 
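Review bot: `presense` in the new comment `# Check for the presense of the certificate callback in the ssl library` should read `presence`. Both new checks consume HAVE_OPENSSL_TLS1_H, which only TS_CHECK_CRYPTO_SNI above them defines, so their position after that call is load-bearing; worth saying so in the comment, e.g. `# Check for the certificate callback (relies on the tls1.h probe done by TS_CHECK_CRYPTO_SNI above)`.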
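Review bot: When TS_USE_SET_RBIO is 1 the local `SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio)` is compiled out in favour of the library function of the same name, which is declared on an `SSL *` rather than an SSLNetVConnection; the callers are outside this diff, so unless they already pass `sslvc->ssl` on that path, the first build against a libssl that provides the function will fail with a type error. The configure probe `SSL_set_rbio(NULL, NULL)` cannot catch that, since NULL converts to either pointer type. A comment on the `#if TS_USE_SET_RBIO` line stating the signature difference, and a matching `#if` at the call sites, would make the switch explicit. The `#else` path is the one that undefines OPENSSL_NO_SSL_INTERN and writes `sslvc->ssl->rbio` directly, i.e. it depends on the private SSL struct layout, so keeping the probe accurate is what prevents that code from being compiled against a library whose layout differs; the function closed by the second hunk begins outside it.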
@@ -1677,7 +1677,7 @@ static void ssl_set_handshake_callbacks(SSL_CTX *ctx)
 {
 #if TS_USE_TLS_SNI
 // Make sure the callbacks are set
-#if OPENSSL_VERSION_NUMBER >= 0x1000200fL
+#if TS_USE_CERT_CB
 SSL_CTX_set_cert_cb(ctx, ssl_cert_callback, NULL);
 #else
 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_callback);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/2dbdd9c2/lib/ts/ink_config.h.in ----------------------------------------------------------------------
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 9f07825..68364dd 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -70,6 +70,8 @@
 #define TS_USE_TLS_NPN @use_tls_npn@
 #define TS_USE_TLS_ALPN @use_tls_alpn@
 #define TS_USE_TLS_SNI @use_tls_sni@
+#define TS_USE_CERT_CB @use_cert_cb@
+#define TS_USE_SET_RBIO @use_set_rbio@
 #define TS_USE_TLS_ECKEY @use_tls_eckey@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_INTERIM_CACHE @has_interim_cache@