Posted to commits@trafficserver.apache.org by bc...@apache.org on 2018/07/05 17:06:02 UTC
[trafficserver] 03/06: Fixes detection of OpenSSL's OCSP APIs
This is an automated email from the ASF dual-hosted git repository.
bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 11226a88fa4fd4b3741631238a6831f884b8014c
Author: Randall Meyer <ra...@yahoo.com>
AuthorDate: Mon Jul 2 11:54:46 2018 -0700
Fixes detection of OpenSSL's OCSP APIs
OCSP_sendreq_new is a function, not a macro, so testing it with `#ifdef` never detected
OpenSSL's OCSP support. The OCSP-related functions need configure-time checks instead.
This was broken with e80389f9e0120ced282d459f81e843c8f2fda71d
(cherry picked from commit 4d83742716693181fff2664facba2a3cab57218b)
---
build/crypto.m4 | 15 +++++++++++++++
configure.ac | 3 +++
iocore/net/OCSPStapling.cc | 4 ++--
iocore/net/P_OCSPStapling.h | 9 ++++-----
iocore/net/SSLNetProcessor.cc | 9 +++++----
iocore/net/SSLUtils.cc | 12 ++++++------
lib/ts/ink_config.h.in | 1 +
src/traffic_layout/info.cc | 1 +
src/traffic_server/InkAPI.cc | 2 +-
9 files changed, 38 insertions(+), 18 deletions(-)
diff --git a/build/crypto.m4 b/build/crypto.m4
index a8ae5aa..cbb1b53 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -211,3 +211,18 @@ AC_DEFUN([TS_CHECK_CRYPTO_DH_GET_2048_256], [
TS_ARG_ENABLE_VAR([use], [dh_get_2048_256])
AC_SUBST(use_dh_get_2048_256)
])
+
+AC_DEFUN([TS_CHECK_CRYPTO_OCSP], [
+ _ocsp_saved_LIBS=$LIBS
+
+ TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+ AC_CHECK_HEADERS(openssl/ocsp.h)
+ AC_CHECK_FUNCS(OCSP_sendreq_new OCSP_REQ_CTX_add1_header OCSP_REQ_CTX_set1_req, [enable_tls_ocsp=yes], [enable_tls_ocsp=no])
+
+ LIBS=$_ocsp_saved_LIBS
+
+ AC_MSG_CHECKING(whether OCSP is supported)
+ AC_MSG_RESULT([$enable_tls_ocsp])
+ TS_ARG_ENABLE_VAR([use], [tls-ocsp])
+ AC_SUBST(use_tls_ocsp)
+])
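Review bot: `enable_tls_ocsp` ends up reflecting only the last function in the list, because AC_CHECK_FUNCS runs its action-if-found/action-if-not-found once per function, so a libssl that has OCSP_REQ_CTX_set1_req but lacks OCSP_sendreq_new still yields `enable_tls_ocsp=yes`; the result of the `openssl/ocsp.h` header check is likewise never consulted. Initialise `enable_tls_ocsp=yes` before the checks and let any single failure clear it: `AC_CHECK_HEADERS([openssl/ocsp.h], [], [enable_tls_ocsp=no])` and `AC_CHECK_FUNCS([OCSP_sendreq_new OCSP_REQ_CTX_add1_header OCSP_REQ_CTX_set1_req], [], [enable_tls_ocsp=no])`. Only LIBS is saved and extended here; if the neighbouring TS_CHECK_CRYPTO_* macros also add OPENSSL_INCLUDES to CPPFLAGS for their header probes, this macro should do the same or the header check will fail for OpenSSL installed under a non-default prefix — worth confirming against the rest of crypto.m4.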
diff --git a/configure.ac b/configure.ac
index 578e39b..a69743e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1184,6 +1184,9 @@ TS_CHECK_CRYPTO_SET_RBIO
# Check for DH_get_2048_256
TS_CHECK_CRYPTO_DH_GET_2048_256
+# Check for OCSP
+TS_CHECK_CRYPTO_OCSP
+
saved_LIBS="$LIBS"
TS_ADDTO([LIBS], ["$OPENSSL_LIBS"])
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 7f95137..56ea7c8 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -20,7 +20,7 @@
*/
#include "P_OCSPStapling.h"
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
#include <openssl/ssl.h>
#include <openssl/ocsp.h>
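Review bot: `#ifdef TS_USE_TLS_OCSP` tests only whether the macro is defined, but ink_config.h.in in this same commit defines TS_USE_TLS_OCSP unconditionally as `@use_tls_ocsp@`, which — like the sibling TS_USE_* feature macros — is presumably substituted as 0 or 1; the guard is therefore always true and this file is compiled even when configure found no OCSP support or the feature was disabled. P_OCSPStapling.h in this commit correctly uses `#if TS_USE_TLS_OCSP`, so in the disabled case the header declares nothing while this translation unit still pulls in `<openssl/ocsp.h>` and defines the stapling functions, which turns "feature disabled" into a build failure on OpenSSL builds without OCSP, and leaves stapling silently compiled in when it was explicitly disabled on OpenSSL builds that have it. Change the guard here and at the matching `#endif` to `#if TS_USE_TLS_OCSP`.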
@@ -474,4 +474,4 @@ ssl_callback_ocsp_stapling(SSL *ssl)
}
}
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index 007cc91..fc303c9 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -21,13 +21,12 @@
#pragma once
-#include <openssl/ssl.h>
+#include "ts/ink_config.h"
-#ifdef OCSP_sendreq_new
-#define HAVE_OPENSSL_OCSP_STAPLING 1
-#endif
+#if TS_USE_TLS_OCSP
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
void ssl_stapling_ex_init();
bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname);
void ocsp_update();
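Review bot: This header is the only place in the commit that tests the feature macro with `#if`; every .cc consumer uses `#ifdef TS_USE_TLS_OCSP`, which does not agree with a macro that ink_config.h defines to a 0/1 value. A short comment above the guard would keep the two forms from drifting again, e.g. `// TS_USE_TLS_OCSP is always defined (0 or 1) by ink_config.h; test it with #if, never #ifdef.` The `#if` opened here is closed outside the hunk.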
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 5273110..c56c1d9 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -35,7 +35,8 @@
SSLNetProcessor ssl_NetProcessor;
NetProcessor &sslNetProcessor = ssl_NetProcessor;
SNIActionPerformer sni_action_performer;
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+
+#ifdef TS_USE_TLS_OCSP
struct OCSPContinuation : public Continuation {
int
mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
@@ -47,7 +48,7 @@ struct OCSPContinuation : public Continuation {
OCSPContinuation() : Continuation(new_ProxyMutex()) { SET_HANDLER(&OCSPContinuation::mainEvent); }
};
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
void
SSLNetProcessor::cleanup()
@@ -74,12 +75,12 @@ SSLNetProcessor::start(int, size_t stacksize)
// Initialize SSL statistics. This depends on an initial set of certificates being loaded above.
SSLInitializeStatistics();
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
if (SSLConfigParams::ssl_ocsp_enabled) {
EventType ET_OCSP = eventProcessor.spawn_event_threads("ET_OCSP", 1, stacksize);
eventProcessor.schedule_every(new OCSPContinuation(), HRTIME_SECONDS(SSLConfigParams::ssl_ocsp_update_period), ET_OCSP);
}
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
// We have removed the difference between ET_SSL threads and ET_NET threads,
// So just keep on chugging
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 3ac3329..3d3fe3f 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -946,9 +946,9 @@ SSLInitializeLibrary()
}
#endif
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
ssl_stapling_ex_init();
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
// Reserve an application data index so that we can attach
// the SSLNetVConnection to the SSL session.
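Review bot: `#ifdef TS_USE_TLS_OCSP` never evaluates false for a macro that ink_config.h.in (in this commit) always defines as `@use_tls_ocsp@`, so the `ssl_stapling_ex_init()` call is compiled unconditionally; with P_OCSPStapling.h declaring it only under `#if TS_USE_TLS_OCSP`, a configure run that found no OCSP support produces an undeclared-identifier error here instead of a build without stapling. Replace the guard with `#if TS_USE_TLS_OCSP` (here and in the other three guards this file changes). SSLInitializeLibrary() starts before this hunk.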
@@ -1850,7 +1850,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
SSL_CTX_set_alpn_select_cb(ctx, SSLNetVConnection::select_next_protocol, nullptr);
#endif /* TS_USE_TLS_ALPN */
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
if (SSLConfigParams::ssl_ocsp_enabled) {
Debug("ssl", "SSL OCSP Stapling is enabled");
SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
@@ -1861,7 +1861,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config *sslMu
if (SSLConfigParams::ssl_ocsp_enabled) {
Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it");
}
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
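Review bot: The `Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it")` branch on the `#else` side of this guard becomes unreachable, since `#ifdef TS_USE_TLS_OCSP` is always true when the macro is defined to 0 by ink_config.h; an operator who sets `proxy.config.ssl.ocsp.enabled` on a build that configure marked as lacking OCSP would get a compile failure elsewhere rather than this runtime warning. `#if TS_USE_TLS_OCSP` restores the intended split between the two branches. The `#else` itself and the enclosing SSLInitServerContext() lie outside the hunk.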
if (SSLConfigParams::init_ssl_ctx_cb) {
SSLConfigParams::init_ssl_ctx_cb(ctx, true);
@@ -1956,7 +1956,7 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
}
#endif
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
if (SSLConfigParams::ssl_ocsp_enabled) {
Debug("ssl", "SSL OCSP Stapling is enabled");
SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
@@ -1972,7 +1972,7 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup, cons
if (SSLConfigParams::ssl_ocsp_enabled) {
Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support it");
}
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
// Insert additional mappings. Note that this maps multiple keys to the same value, so when
// this code is updated to reconfigure the SSL certificates, it will need some sort of
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 664bd3b..f4b491b 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -79,6 +79,7 @@
#define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
#define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
#define TS_USE_SSLV3_CLIENT @use_sslv3_client@
+#define TS_USE_TLS_OCSP @use_tls_ocsp@
#define TS_HAS_SO_PEERCRED @has_so_peercred@
diff --git a/src/traffic_layout/info.cc b/src/traffic_layout/info.cc
index 590afef..5304706 100644
--- a/src/traffic_layout/info.cc
+++ b/src/traffic_layout/info.cc
@@ -97,6 +97,7 @@ produce_features(bool json)
print_feature("TS_USE_LINUX_NATIVE_AIO", TS_USE_LINUX_NATIVE_AIO, json);
print_feature("TS_HAS_SO_PEERCRED", TS_HAS_SO_PEERCRED, json);
print_feature("TS_USE_REMOTE_UNWINDING", TS_USE_REMOTE_UNWINDING, json);
+ print_feature("TS_USE_TLS_OCSP", TS_USE_TLS_OCSP, json);
print_feature("SIZEOF_VOIDP", SIZEOF_VOIDP, json);
print_feature("TS_IP_TRANSPARENT", TS_IP_TRANSPARENT, json);
print_feature("TS_HAS_128BIT_CAS", TS_HAS_128BIT_CAS, json);
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 8b656b1..19213df 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9195,7 +9195,7 @@ TSSslServerContextCreate(TSSslX509 cert, const char *certname)
SSLConfigParams *config = SSLConfig::acquire();
if (config != nullptr) {
ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
if (ret && SSLConfigParams::ssl_ocsp_enabled && cert && certname) {
if (SSL_CTX_set_tlsext_status_cb(reinterpret_cast<SSL_CTX *>(ret), ssl_callback_ocsp_stapling)) {
if (!ssl_stapling_init_cert(reinterpret_cast<SSL_CTX *>(ret), reinterpret_cast<X509 *>(cert), certname)) {