trafficserver-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bc...@apache.org
Subject [trafficserver] 03/06: Fixes detection of OpenSSL's OCSP APIs
Date Thu, 05 Jul 2018 17:06:02 GMT
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git

commit 11226a88fa4fd4b3741631238a6831f884b8014c
Author: Randall Meyer <randallmeyer@yahoo.com>
AuthorDate: Mon Jul 2 11:54:46 2018 -0700

    Fixes detection of OpenSSL's OCSP APIs
    
    OCSP_sendreq_new is a function, not a macro. Need to perform
    configure-time checks for OCSP-related functions
    
    This was broken with e80389f9e0120ced282d459f81e843c8f2fda71d
    
    (cherry picked from commit 4d83742716693181fff2664facba2a3cab57218b)
---
 build/crypto.m4               | 15 +++++++++++++++
 configure.ac                  |  3 +++
 iocore/net/OCSPStapling.cc    |  4 ++--
 iocore/net/P_OCSPStapling.h   |  9 ++++-----
 iocore/net/SSLNetProcessor.cc |  9 +++++----
 iocore/net/SSLUtils.cc        | 12 ++++++------
 lib/ts/ink_config.h.in        |  1 +
 src/traffic_layout/info.cc    |  1 +
 src/traffic_server/InkAPI.cc  |  2 +-
 9 files changed, 38 insertions(+), 18 deletions(-)

diff --git a/build/crypto.m4 b/build/crypto.m4
index a8ae5aa..cbb1b53 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -211,3 +211,18 @@ AC_DEFUN([TS_CHECK_CRYPTO_DH_GET_2048_256], [
   TS_ARG_ENABLE_VAR([use], [dh_get_2048_256])
   AC_SUBST(use_dh_get_2048_256)
 ])
+
+AC_DEFUN([TS_CHECK_CRYPTO_OCSP], [
+  _ocsp_saved_LIBS=$LIBS
+
+  TS_ADDTO(LIBS, [$OPENSSL_LIBS])
+  AC_CHECK_HEADERS(openssl/ocsp.h)
+  AC_CHECK_FUNCS(OCSP_sendreq_new OCSP_REQ_CTX_add1_header OCSP_REQ_CTX_set1_req, [enable_tls_ocsp=yes],
[enable_tls_ocsp=no])
+
+  LIBS=$_ocsp_saved_LIBS
+
+  AC_MSG_CHECKING(whether OCSP is supported)
+  AC_MSG_RESULT([$enable_tls_ocsp])
+  TS_ARG_ENABLE_VAR([use], [tls-ocsp])
+  AC_SUBST(use_tls_ocsp)
+])
diff --git a/configure.ac b/configure.ac
index 578e39b..a69743e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1184,6 +1184,9 @@ TS_CHECK_CRYPTO_SET_RBIO
 # Check for DH_get_2048_256
 TS_CHECK_CRYPTO_DH_GET_2048_256
 
+# Check for OCSP
+TS_CHECK_CRYPTO_OCSP
+
 saved_LIBS="$LIBS"
 TS_ADDTO([LIBS], ["$OPENSSL_LIBS"])
 
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 7f95137..56ea7c8 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -20,7 +20,7 @@
  */
 
 #include "P_OCSPStapling.h"
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
 
 #include <openssl/ssl.h>
 #include <openssl/ocsp.h>
@@ -474,4 +474,4 @@ ssl_callback_ocsp_stapling(SSL *ssl)
   }
 }
 
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index 007cc91..fc303c9 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -21,13 +21,12 @@
 
 #pragma once
 
-#include <openssl/ssl.h>
+#include "ts/ink_config.h"
 
-#ifdef OCSP_sendreq_new
-#define HAVE_OPENSSL_OCSP_STAPLING 1
-#endif
+#if TS_USE_TLS_OCSP
+#include <openssl/ssl.h>
+#include <openssl/ocsp.h>
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname);
 void ocsp_update();
diff --git a/iocore/net/SSLNetProcessor.cc b/iocore/net/SSLNetProcessor.cc
index 5273110..c56c1d9 100644
--- a/iocore/net/SSLNetProcessor.cc
+++ b/iocore/net/SSLNetProcessor.cc
@@ -35,7 +35,8 @@
 SSLNetProcessor ssl_NetProcessor;
 NetProcessor &sslNetProcessor = ssl_NetProcessor;
 SNIActionPerformer sni_action_performer;
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+
+#ifdef TS_USE_TLS_OCSP
 struct OCSPContinuation : public Continuation {
   int
   mainEvent(int /* event ATS_UNUSED */, Event * /* e ATS_UNUSED */)
@@ -47,7 +48,7 @@ struct OCSPContinuation : public Continuation {
 
   OCSPContinuation() : Continuation(new_ProxyMutex()) { SET_HANDLER(&OCSPContinuation::mainEvent);
}
 };
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
 void
 SSLNetProcessor::cleanup()
@@ -74,12 +75,12 @@ SSLNetProcessor::start(int, size_t stacksize)
   // Initialize SSL statistics. This depends on an initial set of certificates being loaded
above.
   SSLInitializeStatistics();
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     EventType ET_OCSP = eventProcessor.spawn_event_threads("ET_OCSP", 1, stacksize);
     eventProcessor.schedule_every(new OCSPContinuation(), HRTIME_SECONDS(SSLConfigParams::ssl_ocsp_update_period),
ET_OCSP);
   }
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   // We have removed the difference between ET_SSL threads and ET_NET threads,
   // So just keep on chugging
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 3ac3329..3d3fe3f 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -946,9 +946,9 @@ SSLInitializeLibrary()
   }
 #endif
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   ssl_stapling_ex_init();
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   // Reserve an application data index so that we can attach
   // the SSLNetVConnection to the SSL session.
@@ -1850,7 +1850,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config
*sslMu
   SSL_CTX_set_alpn_select_cb(ctx, SSLNetVConnection::select_next_protocol, nullptr);
 #endif /* TS_USE_TLS_ALPN */
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
@@ -1861,7 +1861,7 @@ SSLInitServerContext(const SSLConfigParams *params, const ssl_user_config
*sslMu
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support
it");
   }
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   if (SSLConfigParams::init_ssl_ctx_cb) {
     SSLConfigParams::init_ssl_ctx_cb(ctx, true);
@@ -1956,7 +1956,7 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup,
cons
   }
 #endif
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Debug("ssl", "SSL OCSP Stapling is enabled");
     SSL_CTX_set_tlsext_status_cb(ctx, ssl_callback_ocsp_stapling);
@@ -1972,7 +1972,7 @@ ssl_store_ssl_context(const SSLConfigParams *params, SSLCertLookup *lookup,
cons
   if (SSLConfigParams::ssl_ocsp_enabled) {
     Warning("failed to enable SSL OCSP Stapling; this version of OpenSSL does not support
it");
   }
-#endif /* HAVE_OPENSSL_OCSP_STAPLING */
+#endif /* TS_USE_TLS_OCSP */
 
   // Insert additional mappings. Note that this maps multiple keys to the same value, so
when
   // this code is updated to reconfigure the SSL certificates, it will need some sort of
diff --git a/lib/ts/ink_config.h.in b/lib/ts/ink_config.h.in
index 664bd3b..f4b491b 100644
--- a/lib/ts/ink_config.h.in
+++ b/lib/ts/ink_config.h.in
@@ -79,6 +79,7 @@
 #define TS_USE_LINUX_NATIVE_AIO @use_linux_native_aio@
 #define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@
 #define TS_USE_SSLV3_CLIENT @use_sslv3_client@
+#define TS_USE_TLS_OCSP @use_tls_ocsp@
 
 #define TS_HAS_SO_PEERCRED @has_so_peercred@
 
diff --git a/src/traffic_layout/info.cc b/src/traffic_layout/info.cc
index 590afef..5304706 100644
--- a/src/traffic_layout/info.cc
+++ b/src/traffic_layout/info.cc
@@ -97,6 +97,7 @@ produce_features(bool json)
   print_feature("TS_USE_LINUX_NATIVE_AIO", TS_USE_LINUX_NATIVE_AIO, json);
   print_feature("TS_HAS_SO_PEERCRED", TS_HAS_SO_PEERCRED, json);
   print_feature("TS_USE_REMOTE_UNWINDING", TS_USE_REMOTE_UNWINDING, json);
+  print_feature("TS_USE_TLS_OCSP", TS_USE_TLS_OCSP, json);
   print_feature("SIZEOF_VOIDP", SIZEOF_VOIDP, json);
   print_feature("TS_IP_TRANSPARENT", TS_IP_TRANSPARENT, json);
   print_feature("TS_HAS_128BIT_CAS", TS_HAS_128BIT_CAS, json);
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc
index 8b656b1..19213df 100644
--- a/src/traffic_server/InkAPI.cc
+++ b/src/traffic_server/InkAPI.cc
@@ -9195,7 +9195,7 @@ TSSslServerContextCreate(TSSslX509 cert, const char *certname)
   SSLConfigParams *config = SSLConfig::acquire();
   if (config != nullptr) {
     ret = reinterpret_cast<TSSslContext>(SSLCreateServerContext(config));
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
+#ifdef TS_USE_TLS_OCSP
     if (ret && SSLConfigParams::ssl_ocsp_enabled && cert && certname)
{
       if (SSL_CTX_set_tlsext_status_cb(reinterpret_cast<SSL_CTX *>(ret), ssl_callback_ocsp_stapling))
{
         if (!ssl_stapling_init_cert(reinterpret_cast<SSL_CTX *>(ret), reinterpret_cast<X509
*>(cert), certname)) {


Mime
View raw message