Willy Tarreau | 5599456 | 2019-05-09 14:52:44 +0200 | [diff] [blame] | 1 | #ifndef _COMMON_OPENSSL_COMPAT_H |
| 2 | #define _COMMON_OPENSSL_COMPAT_H |
Willy Tarreau | c125cef | 2019-05-10 09:58:43 +0200 | [diff] [blame] | 3 | #ifdef USE_OPENSSL |
Willy Tarreau | 8d164dc | 2019-05-10 09:35:00 +0200 | [diff] [blame] | 4 | |
| 5 | #include <openssl/bn.h> |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 6 | #include <openssl/crypto.h> |
| 7 | #include <openssl/ssl.h> |
| 8 | #include <openssl/x509.h> |
| 9 | #include <openssl/x509v3.h> |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 10 | #include <openssl/err.h> |
| 11 | #include <openssl/rand.h> |
Willy Tarreau | 8d164dc | 2019-05-10 09:35:00 +0200 | [diff] [blame] | 12 | #include <openssl/hmac.h> |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 13 | #if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_NO_OCSP) |
| 14 | #include <openssl/ocsp.h> |
| 15 | #endif |
| 16 | #ifndef OPENSSL_NO_DH |
| 17 | #include <openssl/dh.h> |
| 18 | #endif |
Willy Tarreau | 8d164dc | 2019-05-10 09:35:00 +0200 | [diff] [blame] | 19 | #ifndef OPENSSL_NO_ENGINE |
| 20 | #include <openssl/engine.h> |
| 21 | #endif |
| 22 | |
| 23 | #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL) && !defined(OPENSSL_NO_ASYNC) && !defined(LIBRESSL_VERSION_NUMBER) |
| 24 | #include <openssl/async.h> |
| 25 | #endif |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 26 | |
Willy Tarreau | 1d158ab | 2019-05-09 13:41:45 +0200 | [diff] [blame] | 27 | #if defined(LIBRESSL_VERSION_NUMBER) |
| 28 | /* LibreSSL is a fork of OpenSSL 1.0.1g but pretends to be 2.0.0, thus |
| 29 | * systematically breaking when some code is written for a specific version |
| 30 | * of OpenSSL. Let's make it appear like what it really is and deal with |
| 31 | * extra features with ORs and not with AND NOT. |
| 32 | */ |
| 33 | #define HA_OPENSSL_VERSION_NUMBER 0x1000107fL |
| 34 | #else /* this is for a real OpenSSL or a truly compatible derivative */ |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 35 | #define HA_OPENSSL_VERSION_NUMBER OPENSSL_VERSION_NUMBER |
Willy Tarreau | 1d158ab | 2019-05-09 13:41:45 +0200 | [diff] [blame] | 36 | #endif |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 37 | |
Willy Tarreau | 9356dac | 2019-05-10 09:22:53 +0200 | [diff] [blame] | 38 | #ifndef OPENSSL_VERSION |
| 39 | #define OPENSSL_VERSION SSLEAY_VERSION |
| 40 | #define OpenSSL_version(x) SSLeay_version(x) |
| 41 | #define OpenSSL_version_num SSLeay |
| 42 | #endif |
| 43 | |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 44 | #if (HA_OPENSSL_VERSION_NUMBER < 0x0090800fL) |
Willy Tarreau | 80ebacf | 2016-11-24 20:07:11 +0100 | [diff] [blame] | 45 | /* Functions present in OpenSSL 0.9.8, older not tested */ |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 46 | static inline const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *sess, unsigned int *sid_length) |
| 47 | { |
| 48 | *sid_length = sess->session_id_length; |
| 49 | return sess->session_id; |
| 50 | } |
| 51 | |
| 52 | static inline X509_NAME_ENTRY *X509_NAME_get_entry(const X509_NAME *name, int loc) |
| 53 | { |
| 54 | return sk_X509_NAME_ENTRY_value(name->entries, loc); |
| 55 | } |
| 56 | |
| 57 | static inline ASN1_OBJECT *X509_NAME_ENTRY_get_object(const X509_NAME_ENTRY *ne) |
| 58 | { |
| 59 | return ne->object; |
| 60 | } |
| 61 | |
| 62 | static inline ASN1_STRING *X509_NAME_ENTRY_get_data(const X509_NAME_ENTRY *ne) |
| 63 | { |
| 64 | return ne->value; |
| 65 | } |
| 66 | |
| 67 | static inline int ASN1_STRING_length(const ASN1_STRING *x) |
| 68 | { |
| 69 | return x->length; |
| 70 | } |
| 71 | |
| 72 | static inline int X509_NAME_entry_count(X509_NAME *name) |
| 73 | { |
| 74 | return sk_X509_NAME_ENTRY_num(name->entries) |
| 75 | } |
| 76 | |
Willy Tarreau | 80ebacf | 2016-11-24 20:07:11 +0100 | [diff] [blame] | 77 | static inline void X509_ALGOR_get0(ASN1_OBJECT **paobj, int *pptype, const void **ppval, const X509_ALGOR *algor) |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 78 | { |
Willy Tarreau | 80ebacf | 2016-11-24 20:07:11 +0100 | [diff] [blame] | 79 | *paobj = algor->algorithm; |
| 80 | } |
| 81 | |
| 82 | #endif // OpenSSL < 0.9.8 |
| 83 | |
| 84 | |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 85 | #if (HA_OPENSSL_VERSION_NUMBER < 0x1000000fL) |
Willy Tarreau | 2b3205b | 2017-01-19 17:04:02 +0100 | [diff] [blame] | 86 | /* Functions introduced in OpenSSL 1.0.0 */ |
Willy Tarreau | 80ebacf | 2016-11-24 20:07:11 +0100 | [diff] [blame] | 87 | static inline int EVP_PKEY_base_id(const EVP_PKEY *pkey) |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 88 | { |
Willy Tarreau | 80ebacf | 2016-11-24 20:07:11 +0100 | [diff] [blame] | 89 | return EVP_PKEY_type(pkey->type); |
| 90 | } |
| 91 | |
| 92 | /* minimal implementation based on the fact that the only known call place |
| 93 | * doesn't make use of other arguments. |
| 94 | */ |
| 95 | static inline int X509_PUBKEY_get0_param(ASN1_OBJECT **ppkalg, const unsigned char **pk, int *ppklen, X509_ALGOR **pa, X509_PUBKEY *pub) |
| 96 | { |
| 97 | *ppkalg = pub->algor->algorithm; |
| 98 | return 1; |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 99 | } |
| 100 | |
| 101 | #ifndef X509_get_X509_PUBKEY |
| 102 | #define X509_get_X509_PUBKEY(x) ((x)->cert_info->key |
| 103 | #endif |
| 104 | |
| 105 | #endif |
| 106 | |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 107 | #if (HA_OPENSSL_VERSION_NUMBER < 0x1000100fL) |
Willy Tarreau | 2b3205b | 2017-01-19 17:04:02 +0100 | [diff] [blame] | 108 | /* |
| 109 | * Functions introduced in OpenSSL 1.0.1 |
| 110 | */ |
| 111 | static inline int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx, unsigned int sid_ctx_len) |
| 112 | { |
| 113 | s->sid_ctx_length = sid_ctx_len; |
| 114 | memcpy(s->sid_ctx, sid_ctx, sid_ctx_len); |
| 115 | return 1; |
| 116 | } |
| 117 | #endif |
| 118 | |
Willy Tarreau | 1d158ab | 2019-05-09 13:41:45 +0200 | [diff] [blame] | 119 | #if (HA_OPENSSL_VERSION_NUMBER < 0x1010000fL) && (LIBRESSL_VERSION_NUMBER < 0x2070000fL) |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 120 | /* |
Ilya Shipitsin | 54832b9 | 2019-05-05 23:27:54 +0500 | [diff] [blame] | 121 | * Functions introduced in OpenSSL 1.1.0 and in LibreSSL 2.7.0 |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 122 | */ |
| 123 | |
| 124 | static inline const unsigned char *SSL_SESSION_get0_id_context(const SSL_SESSION *sess, unsigned int *sid_ctx_length) |
| 125 | { |
| 126 | *sid_ctx_length = sess->sid_ctx_length; |
| 127 | return sess->sid_ctx; |
| 128 | } |
| 129 | |
| 130 | static inline int SSL_SESSION_set1_id(SSL_SESSION *s, const unsigned char *sid, unsigned int sid_len) |
| 131 | { |
| 132 | s->session_id_length = sid_len; |
| 133 | memcpy(s->session_id, sid, sid_len); |
| 134 | return 1; |
| 135 | } |
| 136 | |
Emmanuel Hocdet | 019f9b1 | 2017-10-02 17:12:06 +0200 | [diff] [blame] | 137 | static inline X509_ALGOR *X509_get0_tbs_sigalg(const X509 *x) |
| 138 | { |
| 139 | return x->cert_info->signature; |
| 140 | } |
| 141 | |
Emmanuel Hocdet | fdec789 | 2017-01-13 17:48:18 +0100 | [diff] [blame] | 142 | #if (!defined OPENSSL_NO_OCSP) |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 143 | static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const OCSP_SINGLERESP *single) |
| 144 | { |
| 145 | return single->certId; |
| 146 | } |
Emmanuel Hocdet | fdec789 | 2017-01-13 17:48:18 +0100 | [diff] [blame] | 147 | #endif |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 148 | |
| 149 | static inline pem_password_cb *SSL_CTX_get_default_passwd_cb(SSL_CTX *ctx) |
| 150 | { |
| 151 | return ctx->default_passwd_callback; |
| 152 | } |
| 153 | |
| 154 | static inline void *SSL_CTX_get_default_passwd_cb_userdata(SSL_CTX *ctx) |
| 155 | { |
| 156 | return ctx->default_passwd_callback_userdata; |
| 157 | } |
| 158 | |
| 159 | #ifndef OPENSSL_NO_DH |
| 160 | static inline int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) |
| 161 | { |
| 162 | /* Implements only the bare necessities for HAProxy */ |
| 163 | dh->p = p; |
| 164 | dh->g = g; |
| 165 | return 1; |
| 166 | } |
| 167 | #endif |
| 168 | |
| 169 | static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) |
| 170 | { |
| 171 | return x->data; |
| 172 | } |
| 173 | |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 174 | #endif |
| 175 | |
Willy Tarreau | 1d158ab | 2019-05-09 13:41:45 +0200 | [diff] [blame] | 176 | #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) || (LIBRESSL_VERSION_NUMBER >= 0x2070200fL) |
Dirkjan Bussink | 1866d6d | 2016-08-29 13:26:37 +0200 | [diff] [blame] | 177 | #define __OPENSSL_110_CONST__ const |
| 178 | #else |
| 179 | #define __OPENSSL_110_CONST__ |
| 180 | #endif |
| 181 | |
Emmanuel Hocdet | fdec789 | 2017-01-13 17:48:18 +0100 | [diff] [blame] | 182 | #ifdef OPENSSL_IS_BORINGSSL |
Emmanuel Hocdet | fdec789 | 2017-01-13 17:48:18 +0100 | [diff] [blame] | 183 | |
| 184 | static inline int EVP_PKEY_base_id(EVP_PKEY *pkey) |
| 185 | { |
| 186 | return EVP_PKEY_type(pkey->type); |
| 187 | } |
| 188 | #endif |
| 189 | |
Willy Tarreau | a4fb8ed | 2017-01-19 16:50:25 +0100 | [diff] [blame] | 190 | /* ERR_remove_state() was deprecated in 1.0.0 in favor of |
| 191 | * ERR_remove_thread_state(), which was in turn deprecated in |
| 192 | * 1.1.0 and does nothing anymore. Let's simply silently kill |
| 193 | * it. |
| 194 | */ |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 195 | #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) |
Willy Tarreau | a4fb8ed | 2017-01-19 16:50:25 +0100 | [diff] [blame] | 196 | #undef ERR_remove_state |
| 197 | #define ERR_remove_state(x) |
| 198 | #endif |
| 199 | |
Willy Tarreau | 77d88da | 2017-01-19 17:10:54 +0100 | [diff] [blame] | 200 | |
| 201 | /* RAND_pseudo_bytes() is deprecated in 1.1.0 in favor of RAND_bytes(). Note |
| 202 | * that the return codes differ, but it happens that the only use case (ticket |
| 203 | * key update) was already wrong, considering a non-cryptographic random as a |
| 204 | * failure. |
| 205 | */ |
Willy Tarreau | 9a1ab08 | 2019-05-09 13:26:41 +0200 | [diff] [blame] | 206 | #if (HA_OPENSSL_VERSION_NUMBER >= 0x1010000fL) |
Willy Tarreau | 77d88da | 2017-01-19 17:10:54 +0100 | [diff] [blame] | 207 | #undef RAND_pseudo_bytes |
| 208 | #define RAND_pseudo_bytes(x,y) RAND_bytes(x,y) |
| 209 | #endif |
| 210 | |
Emmanuel Hocdet | 8c2ddc2 | 2017-07-19 16:04:05 +0200 | [diff] [blame] | 211 | |
| 212 | /* Signature from RFC 5246, missing in openssl < 1.0.1 */ |
| 213 | #ifndef TLSEXT_signature_anonymous |
| 214 | #define TLSEXT_signature_anonymous 0 |
| 215 | #define TLSEXT_signature_rsa 1 |
| 216 | #define TLSEXT_signature_dsa 2 |
| 217 | #define TLSEXT_signature_ecdsa 3 |
| 218 | #endif |
| 219 | |
Willy Tarreau | 9356dac | 2019-05-10 09:22:53 +0200 | [diff] [blame] | 220 | #if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (LIBRESSL_VERSION_NUMBER < 0x20700000L) |
| 221 | #define X509_getm_notBefore X509_get_notBefore |
| 222 | #define X509_getm_notAfter X509_get_notAfter |
| 223 | #endif |
| 224 | |
| 225 | #if (OPENSSL_VERSION_NUMBER < 0x1010000fL || defined LIBRESSL_VERSION_NUMBER) |
| 226 | #define EVP_CTRL_AEAD_SET_IVLEN EVP_CTRL_GCM_SET_IVLEN |
| 227 | #define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG |
| 228 | #endif |
| 229 | |
| 230 | /* Supported hash function for TLS tickets */ |
| 231 | #ifdef OPENSSL_NO_SHA256 |
| 232 | #define TLS_TICKET_HASH_FUNCT EVP_sha1 |
| 233 | #else |
| 234 | #define TLS_TICKET_HASH_FUNCT EVP_sha256 |
| 235 | #endif /* OPENSSL_NO_SHA256 */ |
| 236 | |
Willy Tarreau | c125cef | 2019-05-10 09:58:43 +0200 | [diff] [blame] | 237 | #endif /* USE_OPENSSL */ |
Willy Tarreau | 5599456 | 2019-05-09 14:52:44 +0200 | [diff] [blame] | 238 | #endif /* _COMMON_OPENSSL_COMPAT_H */ |