blob: cb9caa3e9f73c343973c3d73ad788a83c344598b [file] [log] [blame]
Willy Tarreau55994562019-05-09 14:52:44 +02001#ifndef _COMMON_OPENSSL_COMPAT_H
2#define _COMMON_OPENSSL_COMPAT_H
Willy Tarreauc125cef2019-05-10 09:58:43 +02003#ifdef USE_OPENSSL
Willy Tarreau8d164dc2019-05-10 09:35:00 +02004
5#include <openssl/bn.h>
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +02006#include <openssl/crypto.h>
7#include <openssl/ssl.h>
8#include <openssl/x509.h>
9#include <openssl/x509v3.h>
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020010#include <openssl/err.h>
11#include <openssl/rand.h>
Willy Tarreau8d164dc2019-05-10 09:35:00 +020012#include <openssl/hmac.h>
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020013#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP)
14#include <openssl/ocsp.h>
15#endif
16#ifndef OPENSSL_NO_DH
17#include <openssl/dh.h>
18#endif
Willy Tarreau8d164dc2019-05-10 09:35:00 +020019#ifndef OPENSSL_NO_ENGINE
20#include <openssl/engine.h>
21#endif
22
23#if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER)
24#include <openssl/async.h>
25#endif
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020026
Willy Tarreau1d158ab2019-05-09 13:41:45 +020027#if defined(LIBRESSL_VERSION_NUMBER)
28/* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus
29 * systematically breaking when some code is written for a specific version
30 * of OpenSSL. Let's make it appear like what it really is and deal with
31 * extra features with ORs and not with AND NOT.
32 */
33#define HA_OPENSSL_VERSION_NUMBER 0x1000107fL
34#else /* this is for a real OpenSSL or a truly compatible derivative */
Willy Tarreau9a1ab082019-05-09 13:26:41 +020035#define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER
Willy Tarreau1d158ab2019-05-09 13:41:45 +020036#endif
Willy Tarreau9a1ab082019-05-09 13:26:41 +020037
Willy Tarreau9356dac2019-05-10 09:22:53 +020038#ifndef OPENSSL_VERSION
39#define OPENSSL_VERSION SSLEAY_VERSION
40#define OpenSSL_version(x) SSLeay_version(x)
41#define OpenSSL_version_num SSLeay
42#endif
43
Willy Tarreau9a1ab082019-05-09 13:26:41 +020044#if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL)
Willy Tarreau80ebacf2016-11-24 20:07:11 +010045/* Functions present in OpenSSL 0.9.8, older not tested */
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020046static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length)
47{
48 *sid_length = sess->session_id_length;
49 return sess->session_id;
50}
51
52static inline X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc)
53{
54 return sk_X509_NAME_ENTRY_value(name->entries, loc);
55}
56
57static inline ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne)
58{
59 return ne->object;
60}
61
62static inline ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne)
63{
64 return ne->value;
65}
66
67static inline int ASN1_STRING_length(const ASN1_STRING *x)
68{
69 return x->length;
70}
71
72static inline int X509_NAME_entry_count(X509_NAME *name)
73{
74 return sk_X509_NAME_ENTRY_num(name->entries)
75}
76
Willy Tarreau80ebacf2016-11-24 20:07:11 +010077static inline void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, const void **ppval, const X509_ALGOR *algor)
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020078{
Willy Tarreau80ebacf2016-11-24 20:07:11 +010079 *paobj = algor->algorithm;
80}
81
82#endif // OpenSSL < 0.9.8
83
84
Willy Tarreau9a1ab082019-05-09 13:26:41 +020085#if (HA_OPENSSL_VERSION_NUMBER < 0x1000000fL)
Willy Tarreau2b3205b2017-01-19 17:04:02 +010086/* Functions introduced in OpenSSL 1.0.0 */
Willy Tarreau80ebacf2016-11-24 20:07:11 +010087static inline int EVP_PKEY_base_id(const EVP_PKEY *pkey)
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020088{
Willy Tarreau80ebacf2016-11-24 20:07:11 +010089 return EVP_PKEY_type(pkey->type);
90}
91
92/* minimal implementation based on the fact that the only known call place
93 * doesn't make use of other arguments.
94 */
95static inline int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, X509_ALGOR **pa, X509_PUBKEY *pub)
96{
97 *ppkalg = pub->algor->algorithm;
98 return 1;
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +020099}
100
101#ifndef X509_get_X509_PUBKEY
102#define X509_get_X509_PUBKEY(x) ((x)->cert_info->key
103#endif
104
105#endif
106
Willy Tarreau9a1ab082019-05-09 13:26:41 +0200107#if (HA_OPENSSL_VERSION_NUMBER < 0x1000100fL)
Willy Tarreau2b3205b2017-01-19 17:04:02 +0100108/*
109 * Functions introduced in OpenSSL 1.0.1
110 */
111static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len)
112{
113 s->sid_ctx_length = sid_ctx_len;
114 memcpy(s->sid_ctx, sid_ctx, sid_ctx_len);
115 return 1;
116}
117#endif
118
William Lallemand89f58072019-10-23 19:40:28 +0200119
William Lallemand705e0882019-10-23 23:15:46 +0200120#if (HA_OPENSSL_VERSION_NUMBER < 0x1000200fL) && (LIBRESSL_VERSION_NUMBER < 0x2070500fL)
William Lallemand89f58072019-10-23 19:40:28 +0200121/* introduced in openssl 1.0.2 */
122
123static inline STACK_OF(X509) *X509_chain_up_ref(STACK_OF(X509) *chain)
124{
125 STACK_OF(X509) *ret;
126 int i;
127
128 if ((ret = sk_X509_dup(chain)) == NULL)
129 return NULL;
130 for (i = 0; i < sk_X509_num(ret); i++) {
131 X509 *x = sk_X509_value(ret, i);
132 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
133 }
134 return ret;
135}
136
137#endif
138
Emmanuel Hocdetd4f9a602019-10-24 11:32:47 +0200139#ifdef OPENSSL_IS_BORINGSSL
140/*
141 * Functions missing in BoringSSL
142 */
143
144static inline X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a)
145{
146 if (a == NULL || a->type != X509_LU_CRL) {
147 return NULL;
148 }
149 return a->data.crl;
150}
151#endif
152
Willy Tarreau1d158ab2019-05-09 13:41:45 +0200153#if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200154/*
Ilya Shipitsin54832b92019-05-05 23:27:54 +0500155 * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200156 */
157
Emmanuel Hocdete9a100e2019-12-02 11:41:23 +0100158static inline STACK_OF(X509_OBJECT) *X509_STORE_get0_objects(X509_STORE *st)
159{
160 return st->objs;
161}
162
163static inline int X509_OBJECT_get_type(const X509_OBJECT *a)
164{
165 return a->type;
166}
167
168static inline X509 *X509_OBJECT_get0_X509(const X509_OBJECT *a)
169{
170 if (a == NULL || a->type != X509_LU_X509) {
171 return NULL;
172 }
173 return a->data.x509;
174}
175
176static inline X509_CRL *X509_OBJECT_get0_X509_CRL(const X509_OBJECT *a)
177{
178 if (a == NULL || a->type != X509_LU_CRL) {
179 return NULL;
180 }
181 return a->data.crl;
182}
183
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200184static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length)
185{
186 *sid_ctx_length = sess->sid_ctx_length;
187 return sess->sid_ctx;
188}
189
190static inline int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, unsigned int sid_len)
191{
192 s->session_id_length = sid_len;
193 memcpy(s->session_id, sid, sid_len);
194 return 1;
195}
196
Emmanuel Hocdet019f9b12017-10-02 17:12:06 +0200197static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x)
198{
199 return x->cert_info->signature;
200}
201
Emmanuel Hocdetfdec7892017-01-13 17:48:18 +0100202#if (!defined OPENSSL_NO_OCSP)
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200203static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single)
204{
205 return single->certId;
206}
Emmanuel Hocdetfdec7892017-01-13 17:48:18 +0100207#endif
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200208
209static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx)
210{
211 return ctx->default_passwd_callback;
212}
213
214static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx)
215{
216 return ctx->default_passwd_callback_userdata;
217}
218
219#ifndef OPENSSL_NO_DH
220static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
221{
222 /* Implements only the bare necessities for HAProxy */
223 dh->p = p;
224 dh->g = g;
225 return 1;
226}
227#endif
228
229static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
230{
231 return x->data;
232}
233
William Lallemand89f58072019-10-23 19:40:28 +0200234static inline void X509_up_ref(X509 *x)
235{
236 CRYPTO_add(&x->references, 1, CRYPTO_LOCK_X509);
237}
238
239static inline void EVP_PKEY_up_ref(EVP_PKEY *pkey)
240{
241 CRYPTO_add(&pkey->references, 1, CRYPTO_LOCK_EVP_PKEY);
242}
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200243#endif
244
Willy Tarreau1d158ab2019-05-09 13:41:45 +0200245#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL)
Dirkjan Bussink1866d6d2016-08-29 13:26:37 +0200246#define __OPENSSL_110_CONST__ const
247#else
248#define __OPENSSL_110_CONST__
249#endif
250
Willy Tarreaua4fb8ed2017-01-19 16:50:25 +0100251/* ERR_remove_state() was deprecated in 1.0.0 in favor of
252 * ERR_remove_thread_state(), which was in turn deprecated in
253 * 1.1.0 and does nothing anymore. Let's simply silently kill
254 * it.
255 */
Willy Tarreau9a1ab082019-05-09 13:26:41 +0200256#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
Willy Tarreaua4fb8ed2017-01-19 16:50:25 +0100257#undef ERR_remove_state
258#define ERR_remove_state(x)
259#endif
260
Willy Tarreau77d88da2017-01-19 17:10:54 +0100261
262/* RAND_pseudo_bytes() is deprecated in 1.1.0 in favor of RAND_bytes(). Note
263 * that the return codes differ, but it happens that the only use case (ticket
264 * key update) was already wrong, considering a non-cryptographic random as a
265 * failure.
266 */
Willy Tarreau9a1ab082019-05-09 13:26:41 +0200267#if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL)
Willy Tarreau77d88da2017-01-19 17:10:54 +0100268#undef RAND_pseudo_bytes
269#define RAND_pseudo_bytes(x,y) RAND_bytes(x,y)
270#endif
271
Emmanuel Hocdet8c2ddc22017-07-19 16:04:05 +0200272
273/* Signature from RFC 5246, missing in openssl < 1.0.1 */
274#ifndef TLSEXT_signature_anonymous
275#define TLSEXT_signature_anonymous 0
276#define TLSEXT_signature_rsa 1
277#define TLSEXT_signature_dsa 2
278#define TLSEXT_signature_ecdsa 3
279#endif
280
Rosen Penevb3814c22019-12-19 12:54:13 -0800281#if ((HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL)) ||\
282 defined(OPENSSL_IS_BORINGSSL)
Willy Tarreau9356dac2019-05-10 09:22:53 +0200283#define X509_getm_notBefore X509_get_notBefore
284#define X509_getm_notAfter X509_get_notAfter
285#endif
286
Ilya Shipitsin056c6292020-01-18 18:42:45 +0500287#if !defined(EVP_CTRL_AEAD_SET_IVLEN)
Willy Tarreau9356dac2019-05-10 09:22:53 +0200288#define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN
Ilya Shipitsin056c6292020-01-18 18:42:45 +0500289#endif
290
291#if !defined(EVP_CTRL_AEAD_SET_TAG)
Willy Tarreau9356dac2019-05-10 09:22:53 +0200292#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
293#endif
294
295/* Supported hash function for TLS tickets */
296#ifdef OPENSSL_NO_SHA256
297#define TLS_TICKET_HASH_FUNCT EVP_sha1
298#else
299#define TLS_TICKET_HASH_FUNCT EVP_sha256
300#endif /* OPENSSL_NO_SHA256 */
301
Willy Tarreau366a6982019-05-11 17:09:44 +0200302#ifndef SSL_OP_CIPHER_SERVER_PREFERENCE /* needs OpenSSL >= 0.9.7 */
303#define SSL_OP_CIPHER_SERVER_PREFERENCE 0
304#endif
305
306#ifndef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION /* needs OpenSSL >= 0.9.7 */
307#define SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION 0
308#define SSL_renegotiate_pending(arg) 0
309#endif
310
311#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 0.9.8 */
312#define SSL_OP_SINGLE_ECDH_USE 0
313#endif
314
315#ifndef SSL_OP_NO_TICKET /* needs OpenSSL >= 0.9.8 */
316#define SSL_OP_NO_TICKET 0
317#endif
318
319#ifndef SSL_OP_NO_COMPRESSION /* needs OpenSSL >= 0.9.9 */
320#define SSL_OP_NO_COMPRESSION 0
321#endif
322
323#ifdef OPENSSL_NO_SSL3 /* SSLv3 support removed */
324#undef SSL_OP_NO_SSLv3
325#define SSL_OP_NO_SSLv3 0
326#endif
327
328#ifndef SSL_OP_NO_TLSv1_1 /* needs OpenSSL >= 1.0.1 */
329#define SSL_OP_NO_TLSv1_1 0
330#endif
331
332#ifndef SSL_OP_NO_TLSv1_2 /* needs OpenSSL >= 1.0.1 */
333#define SSL_OP_NO_TLSv1_2 0
334#endif
335
336#ifndef SSL_OP_NO_TLSv1_3 /* needs OpenSSL >= 1.1.1 */
337#define SSL_OP_NO_TLSv1_3 0
338#endif
339
340#ifndef SSL_OP_SINGLE_DH_USE /* needs OpenSSL >= 0.9.6 */
341#define SSL_OP_SINGLE_DH_USE 0
342#endif
343
344#ifndef SSL_OP_SINGLE_ECDH_USE /* needs OpenSSL >= 1.0.0 */
345#define SSL_OP_SINGLE_ECDH_USE 0
346#endif
347
348#ifndef SSL_MODE_RELEASE_BUFFERS /* needs OpenSSL >= 1.0.0 */
349#define SSL_MODE_RELEASE_BUFFERS 0
350#endif
351
352#ifndef SSL_MODE_SMALL_BUFFERS /* needs small_records.patch */
353#define SSL_MODE_SMALL_BUFFERS 0
354#endif
355
356#ifndef SSL_OP_PRIORITIZE_CHACHA /* needs OpenSSL >= 1.1.1 */
357#define SSL_OP_PRIORITIZE_CHACHA 0
358#endif
359
Willy Tarreau11b16712019-05-11 17:02:04 +0200360#ifndef SSL_CTRL_GET_EXTRA_CHAIN_CERTS
361#define SSL_CTX_get_extra_chain_certs(ctx, chain) do { *(chain) = (ctx)->extra_certs; } while (0)
362#endif
363
Willy Tarreau295d6142019-05-11 17:34:03 +0200364#if HA_OPENSSL_VERSION_NUMBER < 0x10100000L
365#define BIO_get_data(b) (b)->ptr
366#define BIO_set_data(b, v) do { (b)->ptr = (v); } while (0)
367#define BIO_set_init(b, v) do { (b)->init = (v); } while (0)
368
369#define BIO_meth_free(m) free(m)
370#define BIO_meth_new(type, name) calloc(1, sizeof(BIO_METHOD))
371#define BIO_meth_set_gets(m, f) do { (m)->bgets = (f); } while (0)
372#define BIO_meth_set_puts(m, f) do { (m)->bputs = (f); } while (0)
373#define BIO_meth_set_read(m, f) do { (m)->bread = (f); } while (0)
374#define BIO_meth_set_write(m, f) do { (m)->bwrite = (f); } while (0)
375#define BIO_meth_set_create(m, f) do { (m)->create = (f); } while (0)
376#define BIO_meth_set_ctrl(m, f) do { (m)->ctrl = (f); } while (0)
377#define BIO_meth_set_destroy(m, f) do { (m)->destroy = (f); } while (0)
378#endif
379
Lukas Tribusa26d1e12019-12-20 18:47:18 +0100380#ifndef SSL_CTX_set_ecdh_auto
381#define SSL_CTX_set_ecdh_auto(dummy, onoff) ((onoff) != 0)
382#endif
383
Willy Tarreauc125cef2019-05-10 09:58:43 +0200384#endif /* USE_OPENSSL */
Willy Tarreau55994562019-05-09 14:52:44 +0200385#endif /* _COMMON_OPENSSL_COMPAT_H */