diff --git a/acinclude/lib-checks.m4 b/acinclude/lib-checks.m4 index b5d132d239b..58a0615da8a 100644 --- a/acinclude/lib-checks.m4 +++ b/acinclude/lib-checks.m4 @@ -32,7 +32,6 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TLS_METHODS],[ AH_TEMPLATE(HAVE_OPENSSL_TLS_CLIENT_METHOD, "Define to 1 if the TLS_client_method() OpenSSL API function exists") AH_TEMPLATE(HAVE_OPENSSL_TLS_SERVER_METHOD, "Define to 1 if the TLS_server_method() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_TLS_METHODS) - LIBS="$LIBS $SSLLIB" AC_CHECK_LIB(ssl, TLS_method, AC_DEFINE(HAVE_OPENSSL_TLS_METHOD, 1)) AC_CHECK_LIB(ssl, TLS_client_method, AC_DEFINE(HAVE_OPENSSL_TLS_CLIENT_METHOD, 1)) AC_CHECK_LIB(ssl, TLS_server_method, AC_DEFINE(HAVE_OPENSSL_TLS_SERVER_METHOD, 1)) @@ -60,7 +59,6 @@ AC_DEFUN([SQUID_CHECK_LIBCRYPTO_API],[ AH_TEMPLATE(HAVE_SSL_GET0_PARAM, "Define to 1 of the SSL_get0_param() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBCRYPTO_EVP_PKEY_GET_DEFAULT_DIGEST_NAME, "Define to 1 if the EVP_PKEY_get_default_digest_name() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_libcrypto_api) - LIBS="$LIBS $SSLLIB" AC_CHECK_LIB(crypto, OPENSSL_LH_strhash, AC_DEFINE(HAVE_LIBCRYPTO_OPENSSL_LH_STRHASH, 1)) AC_CHECK_LIB(crypto, EVP_PKEY_get0_RSA, AC_DEFINE(HAVE_LIBCRYPTO_EVP_PKEY_GET0_RSA, 1)) AC_CHECK_LIB(crypto, BIO_meth_new, AC_DEFINE(HAVE_LIBCRYPTO_BIO_METH_NEW, 1)) 
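Review bot: SQUID_CHECK_OPENSSL_TLS_METHODS now runs its AC_CHECK_LIB probes against whatever LIBS the caller left in place, because the `LIBS="$LIBS $SSLLIB"` line after SQUID_STATE_SAVE is gone, and nothing in the macro records that precondition. Add a line above the AC_DEFUN, `dnl Precondition: caller has already put the OpenSSL -L flags and -lssl/-lcrypto into LIBS`, so a future caller does not invoke it from a clean state and silently lose the path to a non-standard OpenSSL prefix. The same applies to SQUID_CHECK_LIBCRYPTO_API in the next hunk and to SQUID_CHECK_LIBSSL_API, SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS and SQUID_CHECK_OPENSSL_TXTDB in the following ones. Each macro body continues past its hunk.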
@@ -91,7 +89,6 @@ AC_DEFUN([SQUID_CHECK_LIBSSL_API],[ AH_TEMPLATE(HAVE_LIBSSL_SSL_GET_CLIENT_RANDOM, "Define to 1 if the SSL_get_client_random() OpenSSL API function exists") AH_TEMPLATE(HAVE_LIBSSL_SSL_SESSION_GET_MASTER_KEY, "Define to 1 if the SSL_SESSION_get_master_key() OpenSSL API function exists") SQUID_STATE_SAVE(check_openssl_libssl_api) - LIBS="$LIBS $SSLLIB" AC_CHECK_LIB(ssl, OPENSSL_init_ssl, AC_DEFINE(HAVE_LIBSSL_OPENSSL_INIT_SSL, 1)) AC_CHECK_LIB(ssl, SSL_CIPHER_find, AC_DEFINE(HAVE_LIBSSL_SSL_CIPHER_FIND, 1)) AC_CHECK_LIB(ssl, SSL_CTX_set_tmp_rsa_callback, AC_DEFINE(HAVE_LIBSSL_SSL_CTX_SET_TMP_RSA_CALLBACK, 1)) @@ -107,8 +104,7 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS],[ AH_TEMPLATE(SQUID_SSLGETCERTIFICATE_BUGGY, "Define to 1 if the SSL_get_certificate crashes squid") AH_TEMPLATE(SQUID_USE_SSLGETCERTIFICATE_HACK, "Define to 1 to use squid workaround for SSL_get_certificate") SQUID_STATE_SAVE(check_SSL_get_certificate) - LIBS="$SSLLIB $LIBS" - AS_IF([test "x$SSLLIBDIR" != "x"],[LIBS="$LIBS -Wl,-rpath -Wl,$SSLLIBDIR"]) + AS_IF([test "x$LIBOPENSSL_PATH" != "x"],[LIBS="$LIBS -Wl,-rpath -Wl,$LIBOPENSSL_PATH"]) AC_MSG_CHECKING(whether the SSL_get_certificate is buggy) AC_RUN_IFELSE([ @@ -297,7 +293,6 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[ SQUID_STATE_SAVE(check_TXTDB) - LIBS="$LIBS $SSLLIB" squid_cv_check_openssl_pstring="no" AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([ diff --git a/acinclude/squid-util.m4 b/acinclude/squid-util.m4 index 4fa9c695ef1..31d1eb4a498 100644 --- a/acinclude/squid-util.m4 +++ b/acinclude/squid-util.m4 
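Review bot: The rpath added in SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS is now built from `$LIBOPENSSL_PATH`, but that variable appears to hold linker `-L` options rather than a directory: the SQUID_OPTIONAL_LIB removed from acinclude/squid-util.m4 filled `$3_PATH` with `-L$withval/lib64` and `-L$withval/lib`, and SQUID_AUTO_LIB is described as the same macro with a different default. The linker would then be handed `-Wl,-rpath -Wl,-L/prefix/lib64`, so the AC_RUN_IFELSE binary that follows will not locate a non-standard libssl at run time and the buggy/not-buggy verdict for such a prefix stops being meaningful. Derive the rpath from the directory part instead, e.g. `for squid_ossl_dir in $LIBOPENSSL_PATH; do LIBS="$LIBS -Wl,-rpath -Wl,${squid_ossl_dir#-L}"; done`, or keep a plain directory variable as the old SSLLIBDIR appears to have been. The macro body continues past the end of the hunk.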
@@ -263,19 +263,6 @@ AC_DEFUN([SQUID_AUTO_LIB],[ ]) ]) ]) -dnl same as SQUID_AUTO_LIB but for default-disabled libraries -AC_DEFUN([SQUID_OPTIONAL_LIB],[ - AC_ARG_WITH([$1],AS_HELP_STRING([--with-$1],[Compile with the $2 library.]),[ - AS_CASE(["$withval"],[yes|no],,[ - AS_IF([test ! -d "$withval"],AC_MSG_ERROR([--with-$1 path does not point to a directory])) - m4_translit([with_$1], [-+.], [___])=yes - AS_IF([test -d "$withval/lib64"],[$3_PATH="$$3_PATH -L$withval/lib64"]) - AS_IF([test -d "$withval/lib"],[$3_PATH="$$3_PATH -L$withval/lib"]) - AS_IF([test -d "$withval/include"],[$3_CFLAGS="$$3_CFLAGS -I$withval/include"]) - ]) - ]) - AS_IF([test "x$withval" = "x"],[m4_translit([with_$1], [-+.], [___])=no]) -]) AC_DEFUN([SQUID_EMBED_BUILD_INFO],[ AC_ARG_ENABLE([build-info], diff --git a/compat/Makefile.am b/compat/Makefile.am index 14ed0e493f6..6829e3eee52 100644 --- a/compat/Makefile.am +++ b/compat/Makefile.am @@ -17,7 +17,7 @@ include $(top_srcdir)/src/Common.am COMPAT_SSL_ALL_SOURCES = \ openssl.h -if ENABLE_SSL +if ENABLE_LIBOPENSSL COMPAT_SSL_SOURCES = $(COMPAT_SSL_ALL_SOURCES) else COMPAT_SSL_SOURCES = diff --git a/compat/openssl.h b/compat/openssl.h index d7299c7d486..bcd97a67976 100644 --- a/compat/openssl.h +++ b/compat/openssl.h @@ -19,8 +19,8 @@ #ifndef SQUID_COMPAT_OPENSSL_H #define SQUID_COMPAT_OPENSSL_H -#if !USE_OPENSSL -#error compat/openssl.h depends on USE_OPENSSL +#if !HAVE_LIBOPENSSL +#error compat/openssl.h depends on HAVE_LIBOPENSSL #endif #include diff --git a/configure.ac b/configure.ac index 90c036e0df8..32441e10cc2 100644 --- a/configure.ac +++ b/configure.ac 
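Review bot: `if ENABLE_LIBOPENSSL` in compat/Makefile.am depends on an automake conditional that nothing in this diff defines; the only `AM_CONDITIONAL` visible is the removed `AM_CONDITIONAL(ENABLE_SSL,...)` in configure.ac. If SQUID_AUTO_LIB or SQUID_CHECK_LIB_WORKS emits `AM_CONDITIONAL(ENABLE_LIBOPENSSL, ...)` itself, as the sibling HAVE_LIBMIT_KRB5 and HAVE_LIBGNUTLS defines suggest it does for the HAVE_ symbol, this is fine, but it is worth confirming because automake fails hard on an undefined conditional. The same conditional is introduced in src/Makefile.am and src/acl/Makefile.am. A comment in configure.ac beside the `SQUID_AUTO_LIB(openssl,...)` call, `# defines HAVE_LIBOPENSSL and the ENABLE_LIBOPENSSL automake conditional`, would make that contract visible to the next reader.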
@@ -1056,43 +1056,10 @@ SQUID_CHECK_LIB_WORKS(gnutls,[ ],[:]) ]) -SSLLIB="" -dnl User may specify OpenSSL is needed from a non-standard location -SQUID_OPTIONAL_LIB(openssl,[OpenSSL],[LIBOPENSSL]) -AH_TEMPLATE(USE_OPENSSL,[OpenSSL support is available]) -## OpenSSL is default disable due to licensing issues on some OS -AS_IF([test "x$with_openssl" = "xyes"],[ - CPPFLAGS="$LIBOPENSSL_CFLAGS $CPPFLAGS" - AC_CHECK_HEADERS( \ - openssl/asn1.h \ - openssl/bio.h \ - openssl/bn.h \ - openssl/crypto.h \ - openssl/decoder.h \ - openssl/dh.h \ - openssl/err.h \ - openssl/evp.h \ - openssl/lhash.h \ - openssl/md5.h \ - openssl/opensslv.h \ - openssl/rsa.h \ - openssl/ssl.h \ - openssl/x509.h \ - openssl/x509v3.h \ - openssl/engine.h \ - openssl/txt_db.h \ - openssl/pem.h \ - ) - - # User may have provided a custom location for OpenSSL. Otherwise... - SQUID_STATE_SAVE(squid_openssl_state) +SQUID_AUTO_LIB(openssl,[OpenSSL],[LIBOPENSSL]) +SQUID_CHECK_LIB_WORKS(openssl,[ LIBS="$LIBS $LIBOPENSSL_PATH" - - # auto-detect using pkg-config - PKG_CHECK_MODULES([LIBOPENSSL],[openssl],,[ - ## For some OS pkg-config is broken or unavailable. - ## Detect libraries the hard way. - + PKG_CHECK_MODULES([LIBOPENSSL],[openssl >= 3],[:],[ # Windows MinGW has some special libraries ... AS_IF([test "x$squid_host_os" = "xmingw"],[ LIBOPENSSL_LIBS='-lssleay32 -leay32 -lgdi32 $LIBOPENSSL_LIBS' 
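Review bot: The `openssl >= 3` requirement is enforced only on the pkg-config path; the hand-detection fallback passed as the fourth PKG_CHECK_MODULES argument (which continues past the end of this hunk) has no version gate, so on a host with a missing or broken pkg-config an OpenSSL 1.1 install is accepted even though the `>= 3` constraint and the 3.x-only `openssl/decoder.h` in the header list say the code targets 3.x. Add to the fallback an AC_COMPILE_IFELSE that includes `<openssl/opensslv.h>` and `#error`s when `OPENSSL_VERSION_NUMBER < 0x30000000L`, reporting failure the same way the rest of this SQUID_CHECK_LIB_WORKS body does. Separately, replacing SQUID_OPTIONAL_LIB with SQUID_AUTO_LIB turns OpenSSL from opt-in into auto-detected by default, and the deleted `## OpenSSL is default disable due to licensing issues on some OS` was the recorded reason for the old default; if the flip is intended, say so in a replacement comment and in the release notes, otherwise keep the opt-in behaviour.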
@@ -1107,19 +1074,35 @@ AS_IF([test "x$with_openssl" = "xyes"],[ ],$LIBOPENSSL_LIBS) ]) - SQUID_STATE_ROLLBACK(squid_openssl_state) #de-pollute LIBS - AS_IF([test "x$LIBOPENSSL_LIBS" != "x"],[ CXXFLAGS="$LIBOPENSSL_CFLAGS $CXXFLAGS" - SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB" - AC_DEFINE(USE_OPENSSL,1,[OpenSSL support is available]) + LIBS="$LIBS $LIBOPENSSL_LIBS" + AC_CHECK_HEADERS( \ + openssl/asn1.h \ + openssl/bio.h \ + openssl/bn.h \ + openssl/crypto.h \ + openssl/decoder.h \ + openssl/dh.h \ + openssl/err.h \ + openssl/evp.h \ + openssl/lhash.h \ + openssl/md5.h \ + openssl/opensslv.h \ + openssl/rsa.h \ + openssl/ssl.h \ + openssl/x509.h \ + openssl/x509v3.h \ + openssl/engine.h \ + openssl/txt_db.h \ + openssl/pem.h \ + ) # check for API functions SQUID_CHECK_LIBCRYPTO_API SQUID_CHECK_LIBSSL_API SQUID_CHECK_OPENSSL_TLS_METHODS SQUID_STATE_SAVE(check_SSL_CTX_get0_certificate) - LIBS="$LIBS $SSLLIB" AC_CHECK_LIB(ssl, SSL_CTX_get0_certificate, [ AC_DEFINE(HAVE_SSL_CTX_GET0_CERTIFICATE, 1, [SSL_CTX_get0_certificate is available]) ], [ @@ -1135,11 +1118,7 @@ AS_IF([test "x$with_openssl" = "xyes"],[ SQUID_CHECK_OPENSSL_CONST_X509_GET0_SIGNATURE_ARGS SQUID_CHECK_OPENSSL_TXTDB ]) - AS_IF([test "x$SSLLIB" = "x"],[AC_MSG_ERROR([Required OpenSSL library not found])]) ]) -AC_MSG_NOTICE([OpenSSL library support: ${with_openssl:=no} ${LIBOPENSSL_PATH} ${LIBOPENSSL_LIBS}]) -AM_CONDITIONAL(ENABLE_SSL,[ test "x$with_openssl" = "xyes" ]) -AC_SUBST(SSLLIB) # Kerberos support libraries: MIT SQUID_AUTO_LIB(mit-krb5,[MIT Kerberos],[LIBMIT_KRB5]) diff --git a/squid.dox b/squid.dox index 19f0a39baaf..f40c7ee683d 100644 --- a/squid.dox +++ b/squid.dox @@ -2070,6 +2070,7 @@ PREDEFINED = __cplusplus \ ICAP_CLIENT \ HAVE_LIBHEIMDAL_KRB5 \ HAVE_LIBMIT_KRB5 \ + HAVE_LIBOPENSSL \ LINUX_NETFILTER \ SQUID_SNMP \ USE_ADAPTATION \ 
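Review bot: Dropping `SSLLIB="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS $SSLLIB"` removes the only visible place where `$LIBOPENSSL_PATH` (the `-L` flags for a `--with-openssl=PREFIX` install) reached the Makefiles; the new LDADD entries use `$(LIBOPENSSL_LIBS)` alone, and the mingw fallback above sets only `-l` flags. Unless SQUID_CHECK_LIB_WORKS folds `$LIBOPENSSL_PATH` into LIBOPENSSL_LIBS or AC_SUBSTs it (not visible here), a non-standard prefix without a usable .pc file passes configure, since LIBS carries the path during the checks via `LIBS="$LIBS $LIBOPENSSL_PATH"`, and then fails at link time. If that is so, set it explicitly once the checks succeed, `LIBOPENSSL_LIBS="$LIBOPENSSL_PATH $LIBOPENSSL_LIBS"`. Likewise the removed `SQUID_STATE_ROLLBACK(squid_openssl_state)` was what de-polluted LIBS; confirm the wrapper macro restores LIBS, otherwise every later check in configure.ac links against OpenSSL.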
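Review bot: The explicit `AC_MSG_ERROR([Required OpenSSL library not found])` is gone, so the only remaining failure handling for an unusable OpenSSL is whatever SQUID_CHECK_LIB_WORKS does internally. For the auto-detect default, building without OpenSSL is acceptable, but when the operator passes `--with-openssl` explicitly the outcome should still be a hard configure error rather than a proxy that quietly lacks ssl_bump, the certificate ACLs and the other HAVE_LIBOPENSSL features; please confirm the macro distinguishes an explicit `yes` from its auto value, and if it does not, restore the check as `AS_IF([test "x$with_openssl" = "xyes" -a "x$LIBOPENSSL_LIBS" = "x"],[AC_MSG_ERROR([Required OpenSSL library not found])])`. The removed AC_MSG_NOTICE was also the only configure-summary line for OpenSSL; keeping an equivalent notice lets a build log show which OpenSSL, if any, was selected.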
@@ -2090,14 +2091,12 @@ PREDEFINED = __cplusplus \ USE_IPV6 \ USE_KQUEUE \ USE_LOADABLE_MODULES \ - USE_OPENSSL \ USE_POLL \ USE_QOS_TOS \ USE_SELECT \ USE_SOLARIS_KRB5 \ USE_SQUID_EUI \ USE_SSL_CRTD \ - USE_OPENSSL \ USE_UNLINKD \ USE_WCCP \ USE_WCCPv2 \ diff --git a/src/AccessLogEntry.h b/src/AccessLogEntry.h index 419b13621b3..cfa41e369e3 100644 --- a/src/AccessLogEntry.h +++ b/src/AccessLogEntry.h @@ -27,7 +27,7 @@ #if ICAP_CLIENT #include "adaptation/icap/Elements.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/gadgets.h" #include "ssl/support.h" #endif @@ -124,7 +124,7 @@ class AccessLogEntry: public CodeContext const char *opcode = nullptr; } htcp; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// logging information specific to the SSL protocol class SslDetails { @@ -155,7 +155,7 @@ class AccessLogEntry: public CodeContext struct timeval start_time; ///< The time the master transaction started struct timeval trTime; ///< The response time const char *extuser = nullptr; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL const char *ssluser = nullptr; Security::CertPointer sslClientCert; ///< cert received from the client #endif diff --git a/src/AclRegs.cc b/src/AclRegs.cc index 31927beda3c..ab48d29fe7e 100644 --- a/src/AclRegs.cc +++ b/src/AclRegs.cc @@ -21,7 +21,7 @@ #include "acl/Arp.h" #include "acl/Eui64.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "acl/AtStep.h" #include "acl/AtStepData.h" #endif @@ -72,7 +72,7 @@ #include "acl/SourceIp.h" #include "acl/SquidError.h" #include "acl/SquidErrorData.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "acl/Certificate.h" #include "acl/CertificateData.h" #include "acl/ServerName.h" @@ -80,7 +80,7 @@ #include "acl/SslErrorData.h" #endif #include "acl/StringData.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "acl/ServerCertificate.h" #endif #include "acl/Tag.h" 
@@ -245,7 +245,7 @@ Acl::Init() RegisterMaker("client_connection_mark", [](TypeName)->Node* { return new ConnMark; }); // XXX: Add name parameter to ctor #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL RegisterMaker("ssl_error", [](TypeName name)->Node* { return new FinalizedParameterizedNode(name, new ACLSslErrorData); }); RegisterMaker("user_cert", [](TypeName name)->Node* { return new FinalizedParameterizedNode(name, new ACLCertificateData(Ssl::GetX509UserAttribute, "*")); }); diff --git a/src/ClientRequestContext.h b/src/ClientRequestContext.h index 835122b7a7d..762a6519d23 100644 --- a/src/ClientRequestContext.h +++ b/src/ClientRequestContext.h @@ -48,7 +48,7 @@ class ClientRequestContext : public RefCountable #if USE_ADAPTATION void adaptationAccessCheck(); #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /** * Initiates and start the acl checklist to check if the CONNECT * request must be bumped. @@ -75,7 +75,7 @@ class ClientRequestContext : public RefCountable bool no_cache_done = false; bool interpreted_req_hdrs = false; bool toClientMarkingDone = false; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL bool sslBumpCheckDone = false; #endif diff --git a/src/FwdState.cc b/src/FwdState.cc index 62c33a67f84..75b9f8f6732 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc @@ -56,7 +56,7 @@ #include "Store.h" #include "StoreClient.h" #include "urn.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/cert_validate_message.h" #include "ssl/Config.h" #include "ssl/helper.h" @@ -281,7 +281,7 @@ FwdState::completed() updateAleWithFinalError(); errorAppendEntry(entry, err); err = nullptr; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (request->flags.sslPeek && request->clientConnectionManager.valid()) { CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, ConnStateData::httpsPeeked, ConnStateData::PinnedIdleContext(Comm::ConnectionPointer(nullptr), request)); 
@@ -999,7 +999,7 @@ FwdState::secureConnectionToPeer(const Comm::ConnectionPointer &conn) const auto callback = asyncCallback(17, 4, FwdState::connectedToPeer, this); const auto sslNegotiationTimeout = connectingTimeout(conn); Security::PeerConnector *connector = nullptr; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (request->flags.sslPeek) connector = new Ssl::PeekingPeerConnector(requestPointer, conn, clientConn, callback, al, sslNegotiationTimeout); else @@ -1234,7 +1234,7 @@ FwdState::dispatch() } #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (request->flags.sslPeek) { // we were just asked to peek at the server, and we did that CallJobHere1(17, 4, request->clientConnectionManager, ConnStateData, diff --git a/src/FwdState.h b/src/FwdState.h index 1427b928ebb..620895bf1ed 100644 --- a/src/FwdState.h +++ b/src/FwdState.h @@ -23,7 +23,7 @@ #include "PeerSelectState.h" #include "ResolvedPeers.h" #include "security/forward.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/support.h" #endif diff --git a/src/HttpHeader.cc b/src/HttpHeader.cc index 3f5db81ad55..d399c668f7a 100644 --- a/src/HttpHeader.cc +++ b/src/HttpHeader.cc @@ -84,7 +84,7 @@ static std::array HttpHeaderStats = {{ #endif HttpHeaderStat(/*hoRequest*/ "request", &RequestHeadersMask), HttpHeaderStat(/*hoReply*/ "reply", &ReplyHeadersMask) -#if USE_OPENSSL +#if HAVE_LIBOPENSSL , HttpHeaderStat(/*hoErrorDetail*/ "error detail templates", nullptr) #endif /* hoEnd */ diff --git a/src/HttpHeader.h b/src/HttpHeader.h index b0e5d6ba5ab..23059118329 100644 --- a/src/HttpHeader.h +++ b/src/HttpHeader.h @@ -35,7 +35,7 @@ typedef enum { #endif hoRequest, hoReply, -#if USE_OPENSSL +#if HAVE_LIBOPENSSL hoErrorDetail, #endif hoEnd diff --git a/src/Makefile.am b/src/Makefile.am index 4480764023d..ba761177370 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -57,7 +57,7 @@ SUBDIRS += \ mgr SSL_LIBS= -if ENABLE_SSL +if ENABLE_LIBOPENSSL SUBDIRS += ssl SSL_LIBS += \ ssl/libsslsquid.la \ 
@@ -545,7 +545,6 @@ squid_LDADD = \ $(LIBCAP_LIBS) \ $(LIBGNUTLS_LIBS) \ $(LIBHEIMDAL_KRB5_LIBS) \ - $(SSLLIB) \ $(EPOLL_LIBS) \ $(MINGW_LIBS) \ $(LIBSYSTEMD_LIBS) \ @@ -554,6 +553,7 @@ squid_LDADD = \ $(LIBMIT_KRB5_LIBS) \ $(LIBNETFILTER_CONNTRACK_LIBS) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(LIBPSAPI_LIBS) \ $(XTRA_LIBS) @@ -1155,11 +1155,11 @@ tests_testRock_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(REGEXLIB) \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testRock_LDFLAGS = $(AM_CPPFLAGS) $(LIBADD_DL) else @@ -1332,11 +1332,11 @@ tests_testUfs_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(REGEXLIB) \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testUfs_LDFLAGS = $(LIBADD_DL) else @@ -1496,12 +1496,12 @@ tests_testStore_LDADD= \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(REGEXLIB) \ - $(SSLLIB) \ CommCalls.o \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testStore_LDFLAGS = $(LIBADD_DL) @@ -1672,11 +1672,11 @@ tests_testDiskIO_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ $(REGEXLIB) \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testDiskIO_LDFLAGS = $(LIBADD_DL) @@ -1722,10 +1722,10 @@ tests_testACLMaxUserIP_LDADD = \ parser/libparser.la \ sbuf/libsbuf.la \ base/libbase.la \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testACLMaxUserIP_LDFLAGS = $(LIBADD_DL) else 
@@ -1815,10 +1815,10 @@ tests_testHttp1Parser_LDADD= \ ip/libip.la \ sbuf/libsbuf.la \ $(top_builddir)/lib/libmiscutil.la \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testHttp1Parser_LDFLAGS = $(LIBADD_DL) @@ -1920,11 +1920,11 @@ tests_testHttpReply_LDADD=\ $(top_builddir)/lib/libmisccontainers.la \ $(top_builddir)/lib/libmiscencoding.la \ $(top_builddir)/lib/libmiscutil.la \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBGNUTLS_LIBS) \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testHttpReply_LDFLAGS = $(LIBADD_DL) @@ -1990,7 +1990,7 @@ tests_testHttpRequest_LDADD = \ $(LIBGNUTLS_LIBS) \ $(LIBNETFILTER_CONNTRACK_LIBS) \ $(LIBNETTLE_LIBS) \ - $(SSLLIB) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) tests_testHttpRequest_LDFLAGS = $(LIBADD_DL) @@ -2282,7 +2282,6 @@ tests_testCacheManager_LDADD = \ $(LIBGNUTLS_LIBS) \ $(LIBHEIMDAL_KRB5_LIBS) \ $(REGEXLIB) \ - $(SSLLIB) \ $(LIBCPPUNIT_LIBS) \ $(LIBSYSTEMD_LIBS) \ $(COMPAT_LIB) \ @@ -2290,6 +2289,7 @@ tests_testCacheManager_LDADD = \ $(LIBMIT_KRB5_LIBS) \ $(LIBNETFILTER_CONNTRACK_LIBS) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(LIBPSAPI_LIBS) \ $(XTRA_LIBS) tests_testCacheManager_LDFLAGS = $(LIBADD_DL) diff --git a/src/SquidConfig.h b/src/SquidConfig.h index a36067f48ef..9a57c033836 100644 --- a/src/SquidConfig.h +++ b/src/SquidConfig.h @@ -25,7 +25,7 @@ #include "Notes.h" #include "security/Context.h" #include "security/forward.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/support.h" #endif #include "store/Disk.h" @@ -34,7 +34,7 @@ #include -#if USE_OPENSSL +#if HAVE_LIBOPENSSL class sslproxy_cert_sign; class sslproxy_cert_adapt; #endif @@ -206,7 +206,7 @@ class SquidConfig #endif char *diskd; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL char *ssl_password; #endif 
@@ -337,7 +337,7 @@ class SquidConfig int hostStrictVerify; int client_dst_passthru; int dns_mdns; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL bool logTlsServerHelloDetails; #endif } onoff; @@ -384,7 +384,7 @@ class SquidConfig acl_access *htcp_clr; #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL acl_access *ssl_bump; #endif #if FOLLOW_X_FORWARDED_FOR @@ -481,7 +481,7 @@ class SquidConfig int rebuild_chunk_percentage; } digest; #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL struct { int unclean_shutdown; @@ -507,7 +507,7 @@ class SquidConfig // TODO: Remove when FuturePeerContext above becomes PeerContext /// \deprecated Legacy storage. Use defaultPeerContext instead. Security::ContextPointer *sslContext_; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL char *foreignIntermediateCertsPath; acl_access *cert_error; sslproxy_cert_sign *cert_sign; diff --git a/src/XactionStep.h b/src/XactionStep.h index 9b9693ce7ac..f36abacebc3 100644 --- a/src/XactionStep.h +++ b/src/XactionStep.h @@ -13,7 +13,7 @@ enum class XactionStep { enumBegin_ = 0, // for WholeEnum iteration unknown = enumBegin_, generatingConnect, -#if USE_OPENSSL +#if HAVE_LIBOPENSSL tlsBump1, tlsBump2, tlsBump3, diff --git a/src/acl/AtStep.cc b/src/acl/AtStep.cc index 7a7d6be1ad8..64373eba9f3 100644 --- a/src/acl/AtStep.cc +++ b/src/acl/AtStep.cc @@ -12,7 +12,7 @@ #include "acl/FilledChecklist.h" #include "client_side.h" #include "http/Stream.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ServerBump.h" #endif @@ -21,7 +21,7 @@ Acl::AtStepCheck::match(ACLChecklist * const ch) { const auto checklist = Filled(ch); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // We use step1 for all these very different cases: // - The transaction is not subject to ssl_bump rules (if any). // - No ssl_bump action has matched yet. 
@@ -37,7 +37,7 @@ Acl::AtStepCheck::match(ACLChecklist * const ch) if (data->match(currentSslBumpStep)) return 1; -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL if (data->match(XactionStep::generatingConnect)) { if (!checklist->request) diff --git a/src/acl/AtStepData.cc b/src/acl/AtStepData.cc index b0bb62b6207..1df60607c8f 100644 --- a/src/acl/AtStepData.cc +++ b/src/acl/AtStepData.cc @@ -25,7 +25,7 @@ StepName(const XactionStep xstep) static const char *StepNames[static_cast(XactionStep::enumEnd_)] = { "[unknown step]" ,"GeneratingCONNECT" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL ,"SslBump1" ,"SslBump2" ,"SslBump3" diff --git a/src/acl/Certificate.cc b/src/acl/Certificate.cc index fc0191dcc75..fb065986af5 100644 --- a/src/acl/Certificate.cc +++ b/src/acl/Certificate.cc @@ -13,7 +13,7 @@ /* MS Visual Studio Projects are monolithic, so we need the following * #if to exclude the SSL code from compile process when not needed. */ -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "acl/Certificate.h" #include "acl/FilledChecklist.h" @@ -34,5 +34,5 @@ Acl::ClientCertificateCheck::match(ACLChecklist * const ch) return res; } -#endif /* USE_OPENSSL */ +#endif /* HAVE_LIBOPENSSL */ diff --git a/src/acl/Makefile.am b/src/acl/Makefile.am index cc61b334ecc..62414f4ad5d 100644 --- a/src/acl/Makefile.am +++ b/src/acl/Makefile.am @@ -172,7 +172,7 @@ SSL_ACLS = \ SslErrorData.cc \ SslErrorData.h -if ENABLE_SSL +if ENABLE_LIBOPENSSL libacls_la_SOURCES += $(SSL_ACLS) else EXCLUDE_FROM_HDR_TESTING += $(SSL_ACLS) diff --git a/src/acl/ServerCertificate.cc b/src/acl/ServerCertificate.cc index c9b7f82f84b..ac0843e050e 100644 --- a/src/acl/ServerCertificate.cc +++ b/src/acl/ServerCertificate.cc @@ -8,7 +8,7 @@ #include "squid.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "acl/FilledChecklist.h" #include "acl/ServerCertificate.h" 
@@ -37,5 +37,5 @@ Acl::ServerCertificateCheck::match(ACLChecklist * const ch) return data->match(cert.get()); } -#endif /* USE_OPENSSL */ +#endif /* HAVE_LIBOPENSSL */ diff --git a/src/adaptation/ServiceConfig.cc b/src/adaptation/ServiceConfig.cc index 65192a85d3c..48e1653d3d1 100644 --- a/src/adaptation/ServiceConfig.cc +++ b/src/adaptation/ServiceConfig.cc @@ -144,7 +144,7 @@ Adaptation::ServiceConfig::parse() grokked = grokBool(encrypt, name, value); connectionEncryption.configure(encrypt); } else if (strncmp(name, "ssl", 3) == 0 || strncmp(name, "tls-", 4) == 0) { -#if !USE_OPENSSL +#if !HAVE_LIBOPENSSL debugs(3, DBG_PARSE_NOTE(DBG_IMPORTANT), "WARNING: adaptation option '" << name << "' requires --with-openssl. ICAP service option ignored."); #else // name prefix is "ssl" or "tls-" @@ -246,7 +246,7 @@ Adaptation::ServiceConfig::grokUri(const char *value) } host.assign(s, len); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (secure.sslDomain.isEmpty()) secure.sslDomain.assign(host.rawBuf(), host.size()); #endif diff --git a/src/adaptation/icap/History.h b/src/adaptation/icap/History.h index 4d6081d0b7d..ed2d84e07d5 100644 --- a/src/adaptation/icap/History.h +++ b/src/adaptation/icap/History.h @@ -36,7 +36,7 @@ class History: public RefCountable /// \param[out] total time taken for all ICAP processing void processingTime(struct timeval &total) const; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL String ssluser; ///< the username from SSL #endif LogTags logType; ///< the squid request status (TCP_MISS etc) diff --git a/src/adaptation/icap/ModXact.cc b/src/adaptation/icap/ModXact.cc index 5f23e52395c..b7994ceca9b 100644 --- a/src/adaptation/icap/ModXact.cc +++ b/src/adaptation/icap/ModXact.cc @@ -1337,7 +1337,7 @@ void Adaptation::Icap::ModXact::finalizeLogInfo() // XXX: This reply (and other ALE members!) may have been needed earlier. al.reply = adapted_reply_; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (h->ssluser.size()) al.cache.ssluser = h->ssluser.termedBuf(); #endif 
diff --git a/src/adaptation/icap/Xaction.cc b/src/adaptation/icap/Xaction.cc index 997042eb00a..c819e1601ce 100644 --- a/src/adaptation/icap/Xaction.cc +++ b/src/adaptation/icap/Xaction.cc @@ -685,7 +685,7 @@ Ssl::IcapPeerConnector::initialize(Security::SessionPointer &serverSession) return false; assert(!icapService->cfg().secure.sslDomain.isEmpty()); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL SBuf *host = new SBuf(icapService->cfg().secure.sslDomain); SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host); setClientSNI(serverSession.get(), host->c_str()); diff --git a/src/anyp/PortCfg.cc b/src/anyp/PortCfg.cc index abe0a583850..ff14c884eba 100644 --- a/src/anyp/PortCfg.cc +++ b/src/anyp/PortCfg.cc @@ -12,7 +12,7 @@ #include "comm.h" #include "fatal.h" #include "security/PeerOptions.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/support.h" #endif diff --git a/src/anyp/Uri.cc b/src/anyp/Uri.cc index 8eae3429a63..d59367ce68c 100644 --- a/src/anyp/Uri.cc +++ b/src/anyp/Uri.cc @@ -1045,7 +1045,7 @@ urlCheckRequest(const HttpRequest * r) return false; case AnyP::PROTO_HTTPS: -#if USE_OPENSSL || HAVE_LIBGNUTLS +#if HAVE_LIBOPENSSL || HAVE_LIBGNUTLS return true; #else /* diff --git a/src/auth/basic/NCSA/Makefile.am b/src/auth/basic/NCSA/Makefile.am index 08ea7bf21a0..f6cb6d11eac 100644 --- a/src/auth/basic/NCSA/Makefile.am +++ b/src/auth/basic/NCSA/Makefile.am @@ -20,6 +20,6 @@ basic_ncsa_auth_LDADD= \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(CRYPTLIB) \ - $(SSLLIB) \ $(XTRA_LIBS) diff --git a/src/auth/basic/RADIUS/Makefile.am b/src/auth/basic/RADIUS/Makefile.am index c98169a9716..0b7046097ea 100644 --- a/src/auth/basic/RADIUS/Makefile.am +++ b/src/auth/basic/RADIUS/Makefile.am @@ -22,5 +22,5 @@ basic_radius_auth_LDADD= \ $(top_builddir)/src/base/libbase.la \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ - $(SSLLIB) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) 
diff --git a/src/auth/digest/LDAP/Makefile.am b/src/auth/digest/LDAP/Makefile.am index 173e576dc76..f9d20e3b3b0 100644 --- a/src/auth/digest/LDAP/Makefile.am +++ b/src/auth/digest/LDAP/Makefile.am @@ -20,8 +20,8 @@ digest_ldap_auth_LDADD= \ $(COMPAT_LIB) \ $(LIBLDAP_LIBS) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(CRYPTLIB) \ - $(SSLLIB) \ $(XTRA_LIBS) EXTRA_DIST= required.m4 diff --git a/src/auth/digest/eDirectory/Makefile.am b/src/auth/digest/eDirectory/Makefile.am index 9ea8896e9fc..2bf0677157f 100644 --- a/src/auth/digest/eDirectory/Makefile.am +++ b/src/auth/digest/eDirectory/Makefile.am @@ -22,8 +22,8 @@ digest_edirectory_auth_LDADD = \ $(COMPAT_LIB) \ $(LIBLDAP_LIBS) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(CRYPTLIB) \ - $(SSLLIB) \ $(XTRA_LIBS) EXTRA_DIST= required.m4 diff --git a/src/auth/digest/file/Makefile.am b/src/auth/digest/file/Makefile.am index 26fd6233bf4..af5df370a61 100644 --- a/src/auth/digest/file/Makefile.am +++ b/src/auth/digest/file/Makefile.am @@ -21,8 +21,8 @@ digest_file_auth_LDADD = \ $(top_builddir)/lib/libmiscencoding.la \ $(COMPAT_LIB) \ $(LIBNETTLE_LIBS) \ + $(LIBOPENSSL_LIBS) \ $(CRYPTLIB) \ - $(SSLLIB) \ $(XTRA_LIBS) EXTRA_DIST= \ diff --git a/src/cache_cf.cc b/src/cache_cf.cc index 4942f479bd2..4e960d7cadb 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -85,7 +85,7 @@ #if USE_ECAP #include "adaptation/ecap/Config.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/Config.h" #include "ssl/support.h" #endif @@ -110,7 +110,7 @@ #include #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/gadgets.h" #endif 
@@ -218,7 +218,7 @@ static void parsePortCfg(AnyP::PortCfgPointer *, const char *protocol); static void dump_PortCfg(StoreEntry *, const char *, const AnyP::PortCfgPointer &); #define free_PortCfg(h) *(h)=NULL -#if USE_OPENSSL +#if HAVE_LIBOPENSSL static void parse_sslproxy_cert_sign(sslproxy_cert_sign **cert_sign); static void dump_sslproxy_cert_sign(StoreEntry *entry, const char *name, sslproxy_cert_sign *cert_sign); static void free_sslproxy_cert_sign(sslproxy_cert_sign **cert_sign); @@ -228,7 +228,7 @@ static void free_sslproxy_cert_adapt(sslproxy_cert_adapt **cert_adapt); static void parse_sslproxy_ssl_bump(acl_access **ssl_bump); static void dump_sslproxy_ssl_bump(StoreEntry *entry, const char *name, acl_access *ssl_bump); static void free_sslproxy_ssl_bump(acl_access **ssl_bump); -#endif /* USE_OPENSSL */ +#endif /* HAVE_LIBOPENSSL */ static void parse_ftp_epsv(acl_access **ftp_epsv); static void dump_ftp_epsv(StoreEntry *entry, const char *name, acl_access *ftp_epsv); @@ -940,7 +940,7 @@ configDoConfigure(void) Config2.effectiveGroupID = grp->gr_gid; } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (Config.ssl_client.foreignIntermediateCertsPath) Ssl::loadSquidUntrusted(Config.ssl_client.foreignIntermediateCertsPath); #endif @@ -951,13 +951,13 @@ configDoConfigure(void) const auto rawSslContext = Security::ProxyOutgoingConfig().createClientContext(false); Config.ssl_client.sslContext_ = rawSslContext ? new Security::ContextPointer(rawSslContext) : nullptr; if (!Config.ssl_client.sslContext_) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL fatal("ERROR: Could not initialize https:// proxy context"); #else debugs(3, DBG_IMPORTANT, "ERROR: proxying https:// currently still requires --with-openssl"); #endif } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::useSquidUntrusted(Config.ssl_client.sslContext_->get()); #endif Config.ssl_client.defaultPeerContext = new Security::FuturePeerContext(Security::ProxyOutgoingConfig(), *Config.ssl_client.sslContext_); 
@@ -2330,7 +2330,7 @@ parse_peer(CachePeers **peers) p->domain = xstrdup(token + 13); } else if (strncmp(token, "ssl", 3) == 0) { -#if !USE_OPENSSL +#if !HAVE_LIBOPENSSL debugs(0, DBG_CRITICAL, "WARNING: cache_peer option '" << token << "' requires --with-openssl"); #else p->secure.parse(token+3); @@ -3632,7 +3632,7 @@ parse_port_option(AnyP::PortCfgPointer &s, char *token) ++t; s->tcp_keepalive.timeout = xatoui(t); } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL } else if (strcmp(token, "sslBump") == 0) { debugs(3, DBG_PARSE_NOTE(1), "WARNING: '" << token << "' is deprecated " << "in " << cfg_directive << ". Use 'ssl-bump' instead."); @@ -3742,7 +3742,7 @@ parsePortCfg(AnyP::PortCfgPointer *head, const char *optionName) if (s->transport.protocol == AnyP::PROTO_HTTPS) { s->secure.encryptTransport = true; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /* ssl-bump on https_port configuration requires either tproxy or intercept, and vice versa */ const bool hijacked = s->flags.isIntercepted(); if (s->flags.tunnelSslBumping && !hijacked) { @@ -3878,7 +3878,7 @@ dump_generic_port(StoreEntry * e, const char *n, const AnyP::PortCfgPointer &s) } } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (s->flags.tunnelSslBumping) storeAppendPrintf(e, " ssl-bump"); #endif @@ -3905,7 +3905,7 @@ configFreeMemory(void) Config.ssl_client.defaultPeerContext = nullptr; delete Config.ssl_client.sslContext_; Config.ssl_client.sslContext_ = nullptr; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::unloadSquidUntrusted(); #endif } @@ -4237,7 +4237,7 @@ static void free_icap_service_failure_limit(Adaptation::Icap::Config *cfg) } #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL static void parse_sslproxy_cert_adapt(sslproxy_cert_adapt **cert_adapt) { auto *al = ConfigParser::NextToken(); diff --git a/src/cf.data.pre b/src/cf.data.pre index 51c90a376e8..9c674fabf0c 100644 --- a/src/cf.data.pre +++ b/src/cf.data.pre 
@@ -1102,7 +1102,7 @@ DOC_END NAME: acl TYPE: acl LOC: Config.namedAcls -IF USE_OPENSSL +IF HAVE_LIBOPENSSL DEFAULT: ssl::certHasExpired ssl_error X509_V_ERR_CERT_HAS_EXPIRED DEFAULT: ssl::certNotYetValid ssl_error X509_V_ERR_CERT_NOT_YET_VALID DEFAULT: ssl::certDomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH @@ -1561,14 +1561,14 @@ ENDIF # match against the current request processing step [fast] # Valid steps are: # GeneratingCONNECT: Generating HTTP CONNECT request headers -IF USE_OPENSSL +IF HAVE_LIBOPENSSL # The following ssl_bump processing steps are recognized: # SslBump1: After getting TCP-level and HTTP CONNECT info. # SslBump2: After getting SSL Client Hello info. # SslBump3: After getting SSL Server Hello info. ENDIF -IF USE_OPENSSL +IF HAVE_LIBOPENSSL acl aclname ssl_error errorname # match against SSL certificate validation error [fast] # @@ -2572,7 +2572,7 @@ CONFIG_END DOC_END NAME: https_port -IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL +IFDEF: HAVE_LIBGNUTLS||HAVE_LIBOPENSSL TYPE: PortCfg DEFAULT: none LOC: HttpPortList @@ -3034,7 +3034,7 @@ COMMENT_START COMMENT_END NAME: tls_outgoing_options -IFDEF: HAVE_LIBGNUTLS||USE_OPENSSL +IFDEF: HAVE_LIBGNUTLS||HAVE_LIBOPENSSL TYPE: securePeerOptions DEFAULT: min-version=1.0 LOC: Security::ProxyOutgoingConfig() @@ -3129,7 +3129,7 @@ COMMENT_START COMMENT_END NAME: ssl_unclean_shutdown -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL TYPE: onoff DEFAULT: off LOC: Config.SSL.unclean_shutdown @@ -3139,7 +3139,7 @@ DOC_START DOC_END NAME: ssl_engine -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL TYPE: string LOC: Config.SSL.ssl_engine DEFAULT: none @@ -3151,7 +3151,7 @@ DOC_START DOC_END NAME: sslproxy_session_ttl -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: 300 LOC: Config.SSL.session_ttl TYPE: int @@ -3160,7 +3160,7 @@ DOC_START DOC_END NAME: sslproxy_session_cache_size -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: 2 MB LOC: Config.SSL.sessionCacheSize TYPE: b_size_t 
@@ -3169,7 +3169,7 @@ DOC_START DOC_END NAME: sslproxy_foreign_intermediate_certs -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none LOC: Config.ssl_client.foreignIntermediateCertsPath TYPE: string @@ -3189,7 +3189,7 @@ DOC_START DOC_END NAME: sslproxy_cert_sign_hash -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none LOC: Config.SSL.certSignHash TYPE: string @@ -3207,7 +3207,7 @@ DOC_START DOC_END NAME: ssl_bump -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL TYPE: sslproxy_ssl_bump LOC: Config.accessList.ssl_bump DEFAULT_DOC: Become a TCP tunnel without decrypting proxied traffic. @@ -3295,7 +3295,7 @@ DOC_START DOC_END NAME: sslproxy_cert_error -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none DEFAULT_DOC: Server certificate errors terminate the transaction. LOC: Config.ssl_client.cert_error @@ -3330,7 +3330,7 @@ DOC_START DOC_END NAME: sslproxy_cert_sign -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none POSTSCRIPTUM: signUntrusted ssl::certUntrusted POSTSCRIPTUM: signSelf ssl::certSelfSigned @@ -3376,7 +3376,7 @@ DOC_START DOC_END NAME: sslproxy_cert_adapt -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none TYPE: sslproxy_cert_adapt LOC: Config.ssl_client.cert_adapt @@ -3419,7 +3419,7 @@ DOC_START DOC_END NAME: sslpassword_program -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none LOC: Config.Program.ssl_password TYPE: string @@ -3503,7 +3503,7 @@ DOC_END NAME: sslcrtvalidator_program TYPE: eol -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: none LOC: Ssl::TheConfig.ssl_crt_validator DOC_START @@ -3534,7 +3534,7 @@ DOC_END NAME: sslcrtvalidator_children TYPE: HelperChildConfig -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DEFAULT: 32 startup=5 idle=1 concurrency=1 LOC: Ssl::TheConfig.ssl_crt_validator_Children DOC_START 
@@ -5657,7 +5657,7 @@ NAME: tls_key_log TYPE: Security::KeyLog* DEFAULT: none LOC: Config.Log.tlsKeys -IFDEF: USE_OPENSSL +IFDEF: HAVE_LIBOPENSSL DOC_START Configures whether and where Squid records pre-master secret and related encryption details for TLS connections accepted or established diff --git a/src/cf_gen_defines b/src/cf_gen_defines index 8aa971af77f..6631b057fb5 100644 --- a/src/cf_gen_defines +++ b/src/cf_gen_defines @@ -27,7 +27,8 @@ BEGIN { define["HAVE_AUTH_MODULE_BASIC"]="--enable-auth-basic" define["HAVE_AUTH_MODULE_DIGEST"]="--enable-auth-digest" define["HAVE_LIBCAP&&SO_MARK"]="--with-cap and Packet MARK (Linux)" - define["HAVE_LIBGNUTLS||USE_OPENSSL"]="--with-gnutls or --with-openssl" + define["HAVE_LIBGNUTLS||HAVE_LIBOPENSSL"]="--with-gnutls or --with-openssl" + define["HAVE_LIBOPENSSL"]="--with-openssl" define["HAVE_MSTATS&&HAVE_GNUMALLOC_H"]="GNU Malloc with mstats()" define["ICAP_CLIENT"]="--enable-icap-client" define["SQUID_SNMP"]="--enable-snmp" @@ -41,7 +42,6 @@ BEGIN { define["USE_HTTP_VIOLATIONS"]="--enable-http-violations" define["USE_ICMP"]="--enable-icmp" define["USE_LOADABLE_MODULES"]="--enable-shared" - define["USE_OPENSSL"]="--with-openssl" define["USE_QOS_TOS"]="--enable-zph-qos" define["USE_SQUID_EUI"]="--enable-eui" define["USE_SSL_CRTD"]="--enable-ssl-crtd" diff --git a/src/client_side.cc b/src/client_side.cc index 3c78c62e5c2..aa0900ef8ce 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -127,7 +127,7 @@ #include "ClientInfo.h" #include "MessageDelayPools.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/bio.h" #include "ssl/context_storage.h" #include "ssl/gadgets.h" @@ -412,7 +412,7 @@ ClientHttpRequest::logRequest() if (request) prepareLogWithRequestDetails(request, al); -#if USE_OPENSSL && 0 +#if HAVE_LIBOPENSSL && 0 /* This is broken. Fails if the connection has been closed. Needs * to snarf the ssl details some place earlier.. 
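Review bot: The `#if HAVE_LIBOPENSSL && 0` block in ClientHttpRequest::logRequest is dead code that the rename carries forward; the comment right below it already says the code is broken and needs the TLS details captured earlier. Renaming a guard that can never be true only makes the block look maintained, so either delete it in this pass or leave a `// TODO(<owner>): fix or remove; tracked in <ISSUE-ID>` (placeholders) so the dead block does not survive another macro audit. The block's `#endif` and the rest of logRequest are outside the hunk.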
@@ -659,7 +659,7 @@ ConnStateData::~ConnStateData() delete bodyParser; // TODO: pool -#if USE_OPENSSL +#if HAVE_LIBOPENSSL delete sslServerBump; #endif } @@ -1201,7 +1201,7 @@ ConnStateData::prepareTlsSwitchingURL(const Http1::RequestParserPointer &hp) return nullptr; /* already in good shape */ char *uri = buildUrlFromHost(this, hp); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (!uri) { Must(tlsConnectPort); Must(!tlsConnectHostOrIp.isEmpty()); @@ -1439,7 +1439,7 @@ ConnStateData::quitAfterError(HttpRequest *request) debugs(33,4, "Will close after error: " << clientConnection); } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL bool ConnStateData::serveDelayedError(Http::Stream *context) { ClientHttpRequest *http = context->http; @@ -1515,7 +1515,7 @@ bool ConnStateData::serveDelayedError(Http::Stream *context) return false; } -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL /// initiate tunneling if possible or return false otherwise bool @@ -1646,7 +1646,7 @@ clientProcessRequest(ConnStateData *conn, const Http1::RequestParserPointer &hp, conn->flags.readMore = false; } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (conn->switchedToHttps() && conn->serveDelayedError(context)) { clientProcessRequestFinished(conn, request); return; @@ -1734,7 +1734,7 @@ ConnStateData::concurrentRequestQueueFilled() const // default to the configured pipeline size. // add 1 because the head of pipeline is counted in concurrent requests and not prefetch queue -#if USE_OPENSSL +#if HAVE_LIBOPENSSL const int internalRequest = (transparent() && sslBumpMode == Ssl::bumpSplice) ? 1 : 0; #else const int internalRequest = 0; @@ -1873,7 +1873,7 @@ ConnStateData::parseRequests() extendLifetime(); context->registerWithConn(); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (switchedToHttps()) parsedBumpedRequestCount++; #endif @@ -1910,7 +1910,7 @@ ConnStateData::parseRequests() void ConnStateData::afterClientRead() { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (parsingTlsHandshake) { parseTlsHandshake(); return; 
@@ -2112,7 +2112,7 @@ ConnStateData::lifetimeTimeout(const CommTimeoutCbParams &io) ConnStateData::ConnStateData(const MasterXaction::Pointer &xact) : AsyncJob("ConnStateData"), // kids overwrite Server(xact) -#if USE_OPENSSL +#if HAVE_LIBOPENSSL , tlsParser(Security::HandshakeParser::fromClient) #endif { @@ -2222,7 +2222,7 @@ ConnStateData::acceptTls() { const auto handshakeResult = Security::Accept(*clientConnection); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // log ASAP, even if the handshake has not completed (or failed) const auto fd = clientConnection->fd; assert(fd >= 0); @@ -2305,7 +2305,7 @@ clientNegotiateSSL(int fd, void *data) Security::SessionPointer session(fd_table[fd].ssl); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (Security::SessionIsResumed(session)) { debugs(83, 2, "Session " << SSL_get_session(session.get()) << " reused on FD " << fd << " (" << fd_table[fd].ipaddr << @@ -2357,7 +2357,7 @@ clientNegotiateSSL(int fd, void *data) // Connection established. Retrieve TLS connection parameters for logging. conn->clientConnection->tlsNegotiations()->retrieveNegotiatedInfo(session); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL X509 *client_cert = SSL_get_peer_certificate(session.get()); if (client_cert) { @@ -2405,7 +2405,7 @@ httpsEstablish(ConnStateData *connState, const Security::ContextPointer &ctx) Comm::SetSelect(details->fd, COMM_SELECT_READ, clientNegotiateSSL, connState, 0); } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /** * A callback function to use with the ACLFilledChecklist callback. */ @@ -2466,7 +2466,7 @@ void ConnStateData::postHttpsAccept() { if (port->flags.tunnelSslBumping) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL debugs(33, 5, "accept transparent connection: " << clientConnection); if (!Config.accessList.ssl_bump) { @@ -2517,7 +2517,7 @@ ConnStateData::postHttpsAccept() } } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL void ConnStateData::sslCrtdHandleReplyWrapper(void *data, const Helper::Reply &reply) { 
@@ -3084,7 +3084,7 @@ ConnStateData::httpsPeeked(PinnedIdleContext pic) getSslContextStart(); } -#endif /* USE_OPENSSL */ +#endif /* HAVE_LIBOPENSSL */ bool ConnStateData::initiateTunneledRequest(HttpRequest::Pointer const &cause, const char *reason, const SBuf &payload) @@ -3101,7 +3101,7 @@ ConnStateData::initiateTunneledRequest(HttpRequest::Pointer const &cause, const } else if (cause) { connectHost = cause->url.hostOrIp(); connectPort = cause->url.port(); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL } else if (!tlsConnectHostOrIp.isEmpty()) { connectHost = tlsConnectHostOrIp; connectPort = tlsConnectPort; @@ -3142,7 +3142,7 @@ ConnStateData::fakeAConnectRequest(const char *reason, const SBuf &payload) assert(transparent()); const unsigned short connectPort = clientConnection->local.port(); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (!tlsClientSni_.isEmpty()) connectHost.assign(tlsClientSni_); else @@ -3255,7 +3255,7 @@ clientHttpConnectionsOpen(void) continue; } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (s->flags.tunnelSslBumping) { if (!Config.accessList.ssl_bump) { debugs(33, DBG_IMPORTANT, "WARNING: No ssl_bump configured. Disabling ssl-bump on " << scheme << "_port " << s->s); @@ -3507,7 +3507,7 @@ ConnStateData::fillConnectionLevelDetails(ACLFilledChecklist &checklist) const checklist.my_addr = clientConnection->local; // TODO: or port->s? } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (!checklist.sslErrors && sslServerBump) checklist.sslErrors = sslServerBump->sslErrors(); #endif @@ -3761,7 +3761,7 @@ ConnStateData::stopPinnedConnectionMonitoring() } } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL bool ConnStateData::handleIdleClientPinnedTlsRead() { @@ -3814,7 +3814,7 @@ ConnStateData::clientPinnedConnectionRead(const CommIoCbParams &io) Must(pinning.serverConnection == io.conn); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (handleIdleClientPinnedTlsRead()) return; #endif 
@@ -3924,7 +3924,7 @@ ConnStateData::terminateAll(const Error &rawError, const LogTagsErrors <e) // error details, but that context may leave unparsed bytes behind. // Consume them to stop checkLogging() from logging them again later. const auto intputToConsume = -#if USE_OPENSSL +#if HAVE_LIBOPENSSL parsingTlsHandshake ? "TLS handshake" : // more specific than CONNECT #endif bodyPipe ? "HTTP request body" : @@ -3982,7 +3982,7 @@ ConnStateData::shouldPreserveClientData() const if (port->transport.protocol == AnyP::PROTO_FTP) return false; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (parsingTlsHandshake) return true; diff --git a/src/client_side.h b/src/client_side.h index bbf779bd5d9..f8c452f7d89 100644 --- a/src/client_side.h +++ b/src/client_side.h @@ -28,7 +28,7 @@ #include "auth/UserRequest.h" #endif #include "security/KeyLogger.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "security/forward.h" #include "security/Handshake.h" #include "ssl/support.h" @@ -45,7 +45,7 @@ class HttpHdrRangeSpec; class MasterXaction; typedef RefCount MasterXactionPointer; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL namespace Ssl { class ServerBump; @@ -254,7 +254,7 @@ class ConnStateData: /// the second part of old httpsAccept, waiting for future HttpsServer home void postHttpsAccept(); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// Initializes and starts a peek-and-splice negotiation with the SSL client void startPeekAndSplice(); @@ -394,7 +394,7 @@ class ConnStateData: void startPinnedConnectionMonitoring(); void clientPinnedConnectionRead(const CommIoCbParams &io); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// Handles a ready-for-reading TLS squid-to-server connection that /// we thought was idle. /// \return false if and only if the connection should be closed. 
@@ -453,7 +453,7 @@ class ConnStateData: bool parseProxyProtocolHeader(); bool proxyProtocolError(const char *reason); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// \returns a pointer to the matching cached TLS context or nil Security::ContextPointer getTlsContextFromCache(const SBuf &cacheKey, const Ssl::CertificateProperties &certProperties); @@ -474,7 +474,7 @@ class ConnStateData: Auth::UserRequest::Pointer auth_; #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL bool switchedToHttps_ = false; bool parsingTlsHandshake = false; ///< whether we are getting/parsing TLS Hello bytes /// The number of parsed HTTP requests headers on a bumped client connection diff --git a/src/client_side_request.cc b/src/client_side_request.cc index 507f53d32ba..1eab8cca463 100644 --- a/src/client_side_request.cc +++ b/src/client_side_request.cc @@ -70,7 +70,7 @@ #include "adaptation/icap/History.h" #endif #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ServerBump.h" #include "ssl/support.h" #endif @@ -91,7 +91,7 @@ CBDATA_CLASS_INIT(ClientRequestContext); /* Local functions */ /* other */ static void clientAccessCheckDoneWrapper(Acl::Answer, void *); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL static void sslBumpAccessCheckDoneWrapper(Acl::Answer, void *); #endif static int clientHierarchical(ClientHttpRequest * http); @@ -136,7 +136,7 @@ ClientHttpRequest::ClientHttpRequest(ConnStateData * aConn) : al->proxyProtocolHeader = aConn->proxyProtocolHeader(); al->updateError(aConn->bareError); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (aConn->clientConnection != nullptr && aConn->clientConnection->isOpen()) { if (auto ssl = fd_table[aConn->clientConnection->fd].ssl.get()) al->cache.sslClientCert.resetWithoutLocking(SSL_get_peer_certificate(ssl)); 
@@ -670,7 +670,7 @@ ClientHttpRequest::noteAdaptationAclCheckDone(Adaptation::ServiceGroupPointer g) Adaptation::Icap::History::Pointer ih = request->icapHistory(); if (ih != nullptr) { if (getConn() != nullptr && getConn()->clientConnection != nullptr) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (getConn()->clientConnection->isOpen()) { ih->ssluser = sslGetUserEmail(fd_table[getConn()->clientConnection->fd].ssl.get()); } @@ -1201,7 +1201,7 @@ ClientRequestContext::checkNoCacheDone(const Acl::Answer &answer) http->doCallouts(); } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL bool ClientRequestContext::sslBumpAccessCheck() { @@ -1317,7 +1317,7 @@ ClientHttpRequest::processRequest() const bool untouchedConnect = request->method == Http::METHOD_CONNECT && !redirect.status; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (untouchedConnect && sslBumpNeeded()) { assert(!request->flags.forceTunnel); sslBumpStart(); @@ -1348,7 +1348,7 @@ ClientHttpRequest::httpStart() clientStreamRead(node, this, node->readBuffer); } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL void ClientHttpRequest::sslBumpNeed(Ssl::BumpMode mode) @@ -1669,7 +1669,7 @@ ClientHttpRequest::doCallouts() } } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // Even with calloutContext->error, we call sslBumpAccessCheck() to decide // whether SslBump applies to this transaction. If it applies, we will // attempt to bump the client to serve the error. @@ -1686,7 +1686,7 @@ ClientHttpRequest::doCallouts() SBuf storeUriBuf(request->storeId()); const char *storeUri = storeUriBuf.c_str(); StoreEntry *e = storeCreateEntry(storeUri, storeUri, request->flags, request->method); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (sslBumpNeeded()) { // We have to serve an error, so bump the client first. sslBumpNeed(Ssl::bumpClientFirst); diff --git a/src/client_side_request.h b/src/client_side_request.h index f8609b85be8..055856544ad 100644 --- a/src/client_side_request.h +++ b/src/client_side_request.h 
@@ -189,7 +189,7 @@ class ClientHttpRequest StoreEntry *loggingEntry_ = nullptr; ConnStateData * conn_ = nullptr; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL public: /// returns raw sslBump mode value Ssl::BumpMode sslBumpNeed() const { return sslBumpNeed_; } diff --git a/src/comm.cc b/src/comm.cc index cafd6a9f7c9..c433d7a198a 100644 --- a/src/comm.cc +++ b/src/comm.cc @@ -40,7 +40,7 @@ #include "StoreIOBuffer.h" #include "tools.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/support.h" #endif @@ -105,7 +105,7 @@ static void comm_empty_os_read_buffers(int fd) { #if _SQUID_LINUX_ -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // Bug 4146: SSL-Bump BIO does not release sockets on close. if (fd_table[fd].ssl) return; diff --git a/src/errorpage.cc b/src/errorpage.cc index 2569d3b3ca5..ef70609af95 100644 --- a/src/errorpage.cc +++ b/src/errorpage.cc @@ -37,7 +37,7 @@ #if USE_AUTH #include "auth/UserRequest.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ErrorDetailManager.h" #endif @@ -314,7 +314,7 @@ errorInitialize(void) error_stylesheet.appendf("%s",tmpl.text()); } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::errorDetailInitialize(); #endif } @@ -338,7 +338,7 @@ errorClean(void) error_page_count = 0; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::errorDetailClean(); #endif } diff --git a/src/external_acl.cc b/src/external_acl.cc index cfa1adff061..6fe88ab98b0 100644 --- a/src/external_acl.cc +++ b/src/external_acl.cc @@ -34,7 +34,7 @@ #include "Store.h" #include "tools.h" #include "wordlist.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ServerBump.h" #include "ssl/support.h" #endif 
@@ -278,7 +278,7 @@ parse_externalAclHelper(external_acl ** list) (*fmt)->quote = a->quote; // compatibility for old tokens incompatible with Format::Token syntax -#if USE_OPENSSL // do not bother unless we have to. +#if HAVE_LIBOPENSSL // do not bother unless we have to. if (strncmp(token, "%USER_CERT_", 11) == 0) { (*fmt)->type = Format::LFT_EXT_ACL_USER_CERT; (*fmt)->data.string = xstrdup(token + 11); diff --git a/src/format/ByteCode.h b/src/format/ByteCode.h index 442f77d29e6..3fcd99a276c 100644 --- a/src/format/ByteCode.h +++ b/src/format/ByteCode.h @@ -217,7 +217,7 @@ typedef enum { #endif LFT_CREDENTIALS, -#if USE_OPENSSL +#if HAVE_LIBOPENSSL LFT_SSL_BUMP_MODE, LFT_SSL_USER_CERT_SUBJECT, LFT_SSL_USER_CERT_ISSUER, @@ -241,7 +241,7 @@ typedef enum { LFT_MASTER_XACTION, // TODO assign better bytecode names and Token strings for these -#if USE_OPENSSL +#if HAVE_LIBOPENSSL LFT_EXT_ACL_USER_CERT_RAW, LFT_EXT_ACL_USER_CERTCHAIN_RAW, LFT_EXT_ACL_USER_CERT, diff --git a/src/format/Format.cc b/src/format/Format.cc index 445a20712f3..9ebb2764ba0 100644 --- a/src/format/Format.cc +++ b/src/format/Format.cc @@ -29,7 +29,7 @@ #include "security/NegotiationHistory.h" #include "Store.h" #include "tools.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ErrorDetail.h" #include "ssl/ServerBump.h" #endif @@ -951,7 +951,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS } if (!out) out = strOrNull(al->getExtUser()); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (!out) out = strOrNull(al->cache.ssluser); #endif @@ -1225,7 +1225,7 @@ Format::Format::assemble(MemBuf &mb, const AccessLogEntry::Pointer &al, int logS dooff = 1; break; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL case LFT_SSL_BUMP_MODE: { const Ssl::BumpMode mode = static_cast(al->ssl.bumpMode); // for Ssl::bumpEnd, Ssl::bumpMode() returns NULL and we log '-' diff --git a/src/format/Token.cc b/src/format/Token.cc index 36b6a351562..d82c8d1fdb1 100644 --- a/src/format/Token.cc 
+++ b/src/format/Token.cc @@ -174,7 +174,7 @@ static TokenTableEntry TokenTableMisc[] = { TokenTableEntry("SRC", LFT_CLIENT_IP_ADDRESS), // keep after longer SRC* tokens TokenTableEntry("TAG", LFT_TAG), TokenTableEntry("URI", LFT_CLIENT_REQ_URI), -#if USE_OPENSSL +#if HAVE_LIBOPENSSL TokenTableEntry("USER_CERTCHAIN", LFT_EXT_ACL_USER_CERTCHAIN_RAW), TokenTableEntry("USER_CERT", LFT_EXT_ACL_USER_CERT_RAW), #endif @@ -226,7 +226,7 @@ static TokenTableEntry TokenTableIcap[] = { }; #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // TLS/SSL (tls:: or ssl::) tokens static TokenTableEntry TokenTableSsl[] = { TokenTableEntry("bump_mode", LFT_SSL_BUMP_MODE), @@ -262,7 +262,7 @@ Format::Token::Init() #if ICAP_CLIENT TheConfig.registerTokens(SBuf("icap"),::Format::TokenTableIcap); #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL TheConfig.registerTokens(SBuf("tls"),::Format::TokenTableSsl); TheConfig.registerTokens(SBuf("ssl"),::Format::TokenTableSsl); #endif @@ -715,7 +715,7 @@ Format::Token::parse(const char *def, Quoting *quoting) break; #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL case LFT_TLS_SERVER_NEGOTIATED_VERSION: case LFT_TLS_SERVER_RECEIVED_HELLO_VERSION: case LFT_TLS_SERVER_SUPPORTED_VERSION: diff --git a/src/icmp/Makefile.am b/src/icmp/Makefile.am index be03b3f59be..97493b6d545 100644 --- a/src/icmp/Makefile.am +++ b/src/icmp/Makefile.am @@ -63,7 +63,7 @@ pinger_LDADD=\ $(top_builddir)/src/mem/libminimal.la \ $(LIBCAP_LIBS) \ $(COMPAT_LIB) \ - $(SSLLIB) \ + $(LIBOPENSSL_LIBS) \ $(XTRA_LIBS) CLEANFILES += $(COPIED_SOURCE) diff --git a/src/log/FormatSquidIcap.cc b/src/log/FormatSquidIcap.cc index 2c8283dfd05..69e92b03663 100644 --- a/src/log/FormatSquidIcap.cc +++ b/src/log/FormatSquidIcap.cc @@ -35,7 +35,7 @@ Log::Format::SquidIcap(const AccessLogEntry::Pointer &al, Logfile * logfile) if (!user) user = ::Format::QuoteUrlEncodeUsername(al->getExtUser()); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (!user) user = ::Format::QuoteUrlEncodeUsername(al->cache.ssluser); #endif 
diff --git a/src/log/FormatSquidNative.cc b/src/log/FormatSquidNative.cc index ab3d0eaee82..c874df8235e 100644 --- a/src/log/FormatSquidNative.cc +++ b/src/log/FormatSquidNative.cc @@ -33,7 +33,7 @@ Log::Format::SquidNative(const AccessLogEntry::Pointer &al, Logfile * logfile) if (!user) user = ::Format::QuoteUrlEncodeUsername(al->getExtUser()); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (!user) user = ::Format::QuoteUrlEncodeUsername(al->cache.ssluser); #endif diff --git a/src/main.cc b/src/main.cc index c9ad17f905d..9e81428c0a2 100644 --- a/src/main.cc +++ b/src/main.cc @@ -96,7 +96,7 @@ #if USE_LOADABLE_MODULES #include "LoadableModules.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/context_storage.h" #include "ssl/helper.h" #endif @@ -635,7 +635,7 @@ mainHandleCommandLineOption(const int optId, const char *optValue) printf("Service Name: " SQUIDSBUFPH "\n", SQUIDSBUFPRINT(service_name)); if (strlen(SQUID_BUILD_INFO)) printf("%s\n",SQUID_BUILD_INFO); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL printf("\nThis binary uses %s. ", OpenSSL_version(OPENSSL_VERSION)); #if OPENSSL_VERSION_MAJOR < 3 printf("For legal restrictions on distribution see https://www.openssl.org/source/license.html\n\n"); @@ -810,7 +810,7 @@ mainReconfigureStart(void) // Initiate asynchronous closing sequence serverConnectionsClose(); icpClosePorts(); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::TheGlobalContextStorage().reconfigureStart(); #endif #if USE_AUTH @@ -910,7 +910,7 @@ mainReconfigureFinish(void *) #if USE_SSL_CRTD Ssl::Helper::Reconfigure(); #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::CertValidationHelper::Reconfigure(); #endif @@ -1095,7 +1095,7 @@ mainInitialize(void) Ssl::Helper::Init(); #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::CertValidationHelper::Init(); #endif @@ -1396,7 +1396,7 @@ RegisterModules() #if USE_HTCP CallRunnerRegistrator(HtcpRr); #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL CallRunnerRegistrator(sslBumpCfgRr); #endif 
@@ -2010,7 +2010,7 @@ SquidShutdown() #if USE_SSL_CRTD Ssl::Helper::Shutdown(); #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::CertValidationHelper::Shutdown(); #endif redirectShutdown(); diff --git a/src/redirect.cc b/src/redirect.cc index 14a10271477..c3e59cfc7ca 100644 --- a/src/redirect.cc +++ b/src/redirect.cc @@ -32,7 +32,7 @@ #if USE_AUTH #include "auth/UserRequest.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/support.h" #endif diff --git a/src/security/BlindPeerConnector.cc b/src/security/BlindPeerConnector.cc index 2e2edcccce0..89056a50c60 100644 --- a/src/security/BlindPeerConnector.cc +++ b/src/security/BlindPeerConnector.cc @@ -45,7 +45,7 @@ Security::BlindPeerConnector::initialize(Security::SessionPointer &serverSession // NP: domain may be a raw-IP but it is now always set assert(!peer->secure.sslDomain.isEmpty()); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // const loss is okay here, ssl_ex_index_server is only read and not assigned a destructor SBuf *host = new SBuf(peer->secure.sslDomain); SSL_set_ex_data(serverSession.get(), ssl_ex_index_server, host); diff --git a/src/security/Certificate.cc b/src/security/Certificate.cc index a85296efd0f..4761a47e9e8 100644 --- a/src/security/Certificate.cc +++ b/src/security/Certificate.cc @@ -11,7 +11,7 @@ #include "sbuf/SBuf.h" #include "security/Certificate.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/gadgets.h" #endif @@ -29,7 +29,7 @@ Security::IssuerName(Certificate &cert) { SBuf out; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::ForgetErrors(); const auto name = Ssl::OneLineSummary(*X509_get_issuer_name(&cert)); if (!name) { @@ -69,7 +69,7 @@ Security::SubjectName(Certificate &cert) { SBuf out; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::ForgetErrors(); const auto name = Ssl::OneLineSummary(*X509_get_subject_name(&cert)); if (!name) { 
@@ -107,7 +107,7 @@ Security::SubjectName(Certificate &cert) bool Security::IssuedBy(Certificate &cert, Certificate &issuer) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Ssl::ForgetErrors(); const auto result = X509_check_issued(&issuer, &cert); if (result == X509_V_OK) diff --git a/src/security/CommunicationSecrets.cc b/src/security/CommunicationSecrets.cc index 4d1b64a1300..230b90d70d7 100644 --- a/src/security/CommunicationSecrets.cc +++ b/src/security/CommunicationSecrets.cc @@ -18,7 +18,7 @@ Security::CommunicationSecrets::CommunicationSecrets(const Connection &sconn) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL getClientRandom(sconn); if (const auto session = SSL_get_session(&sconn)) { @@ -96,7 +96,7 @@ Security::CommunicationSecrets::record(std::ostream &os) const { } } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// Clears the given secret if it is likely to contain no secret information. /// When asked for a secret too early, OpenSSL (successfully!) returns a copy of /// the secret _storage_ (filled with zeros) rather than an actual secret. @@ -154,5 +154,5 @@ Security::CommunicationSecrets::getMasterKey(const Session &session) IgnorePlaceholder(key); } -#endif /* USE_OPENSSL */ +#endif /* HAVE_LIBOPENSSL */ diff --git a/src/security/CommunicationSecrets.h b/src/security/CommunicationSecrets.h index 344b4a7ceaf..d7ea90cdc91 100644 --- a/src/security/CommunicationSecrets.h +++ b/src/security/CommunicationSecrets.h @@ -36,7 +36,7 @@ class CommunicationSecrets void record(std::ostream &) const; private: -#if USE_OPENSSL +#if HAVE_LIBOPENSSL void getClientRandom(const Connection &sconn); void getSessionId(const Session &session); void getMasterKey(const Session &session); diff --git a/src/security/Context.h b/src/security/Context.h index a2b87782639..5bb559415d3 100644 --- a/src/security/Context.h +++ b/src/security/Context.h @@ -11,7 +11,7 @@ #include -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "compat/openssl.h" #if HAVE_OPENSSL_SSL_H #include 
@@ -25,7 +25,7 @@ namespace Security { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL typedef std::shared_ptr ContextPointer; #elif HAVE_LIBGNUTLS diff --git a/src/security/ErrorDetail.cc b/src/security/ErrorDetail.cc index afe9fd2e0eb..3b047cdbc9b 100644 --- a/src/security/ErrorDetail.cc +++ b/src/security/ErrorDetail.cc @@ -18,7 +18,7 @@ #include "security/Io.h" #include "util.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ErrorDetailManager.h" #elif HAVE_LIBGNUTLS #if HAVE_GNUTLS_GNUTLS_H @@ -48,7 +48,7 @@ static const ErrorCodeNames TheErrorCodeNames = { { SQUID_X509_V_ERR_DOMAIN_MISMATCH, "SQUID_X509_V_ERR_DOMAIN_MISMATCH" }, -#if USE_OPENSSL +#if HAVE_LIBOPENSSL { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT" }, @@ -401,7 +401,7 @@ static const ErrorCodeNames TheErrorCodeNames = { SSL_ERROR_NONE, "SSL_ERROR_NONE" }, -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL }; } // namespace Security @@ -450,7 +450,7 @@ Security::ErrorDetail::ErrorDetail(const ErrorCode err, const int aSysErrorNo): // have a useful errno or a zero errno. sysErrorNo(aSysErrorNo) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// Extract and remember errors stored internally by the TLS library. if ((lib_error_no = ERR_get_error())) { debugs(83, 7, "got 0x" << asHex(lib_error_no)); @@ -471,7 +471,7 @@ Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const CertPointe broken_cert = broken; } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL Security::ErrorDetail::ErrorDetail(const ErrorCode anErrorCode, const int anIoErrorNo, const int aSysErrorNo): ErrorDetail(anErrorCode, aSysErrorNo) { @@ -504,7 +504,7 @@ Security::ErrorDetail::brief() const printErrorCode(os); if (lib_error_no) { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // TODO: Log ERR_error_string_n() instead, despite length, whitespace? // Example: `error:1408F09C:SSL routines:ssl3_get_record:http request`. os << "+TLS_LIB_ERR=" << asHex(lib_error_no).upperCase(); 
@@ -513,7 +513,7 @@ Security::ErrorDetail::brief() const #endif } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // TODO: Consider logging long but human-friendly names (e.g., // SSL_ERROR_SYSCALL). if (ioErrorNo) @@ -534,7 +534,7 @@ SBuf Security::ErrorDetail::verbose(const HttpRequestPointer &request) const { std::optional customFormat; -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (const auto errorDetail = Ssl::ErrorDetailsManager::GetInstance().findDetail(error_no, request)) { detailEntry = *errorDetail; customFormat = detailEntry->detail; @@ -577,7 +577,7 @@ Security::ErrorDetail::printSubject(std::ostream &os) const os << "[Not available]"; } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// prints X.509 names extracted using Ssl::HasMatchingSubjectName() class CommonNamesPrinter: public Ssl::GeneralNameMatcher { @@ -625,20 +625,20 @@ CommonNamesPrinter::itemStream() const return os_; } -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL /// a list of the broken certificates CN and alternate names void Security::ErrorDetail::printCommonName(std::ostream &os) const { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (const auto cert = certificateToReport()) { CommonNamesPrinter printer(os); (void)Ssl::HasMatchingSubjectName(*cert, printer); if (printer.printed) return; } -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL os << "[Not available]"; } @@ -662,7 +662,7 @@ Security::ErrorDetail::printCaName(std::ostream &os) const void Security::ErrorDetail::printNotBefore(std::ostream &os) const { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (const auto cert = certificateToReport()) { if (const auto tm = X509_getm_notBefore(cert)) { // TODO: Add and use an ASN1_TIME printing operator instead. @@ -672,7 +672,7 @@ Security::ErrorDetail::printNotBefore(std::ostream &os) const return; } } -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL os << "[Not available]"; } 
@@ -680,7 +680,7 @@ Security::ErrorDetail::printNotBefore(std::ostream &os) const void Security::ErrorDetail::printNotAfter(std::ostream &os) const { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (const auto cert = certificateToReport()) { if (const auto tm = X509_getm_notAfter(cert)) { // XXX: Reduce code duplication. @@ -690,7 +690,7 @@ Security::ErrorDetail::printNotAfter(std::ostream &os) const return; } } -#endif // USE_OPENSSL +#endif // HAVE_LIBOPENSSL os << "[Not available]"; } @@ -698,7 +698,7 @@ Security::ErrorDetail::printNotAfter(std::ostream &os) const void Security::ErrorDetail::printErrorCode(std::ostream &os) const { -#if USE_OPENSSL +#if HAVE_LIBOPENSSL // try detailEntry first because it is faster if (detailEntry) { os << detailEntry->name; @@ -717,7 +717,7 @@ Security::ErrorDetail::printErrorDescription(std::ostream &os) const return; } -#if USE_OPENSSL +#if HAVE_LIBOPENSSL if (detailEntry) { os << detailEntry->descr; return; diff --git a/src/security/ErrorDetail.h b/src/security/ErrorDetail.h index b027ca80b34..930c7206b64 100644 --- a/src/security/ErrorDetail.h +++ b/src/security/ErrorDetail.h @@ -15,11 +15,11 @@ #include "security/forward.h" #include "SquidString.h" -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include "ssl/ErrorDetailManager.h" #endif -#if USE_OPENSSL +#if HAVE_LIBOPENSSL #include #endif @@ -50,7 +50,7 @@ class ErrorDetail: public ::ErrorDetail /// (rather than leaf) certificate fails validation. ErrorDetail(ErrorCode err_no, const CertPointer &peer, const CertPointer &broken, const char *aReason = nullptr); -#if USE_OPENSSL +#if HAVE_LIBOPENSSL /// Details (or starts detailing) a non-validation failure. /// \param anIoErrorNo TLS I/O function outcome; \see ErrorDetail::ioErrorNo /// \param aSysErrorNo saved errno(3); \see ErrorDetail::sysErrorNo 
@@ -114,7 +114,7 @@ class ErrorDetail: public ::ErrorDetail
/// errno(3); system call failure code or zero
int sysErrorNo = 0;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// OpenSSL-specific (first-level or intermediate) TLS I/O operation result
/// reported by SSL_get_error(3SSL) (e.g., SSL_ERROR_SYSCALL) or zero.
/// Unlike lib_error_no, this error is mostly meant for I/O control and has
diff --git a/src/security/Handshake.cc b/src/security/Handshake.cc
index 78f1be8c23a..90a51667dc6 100644
--- a/src/security/Handshake.cc
+++ b/src/security/Handshake.cc
@@ -12,7 +12,7 @@
#include "base/IoManip.h"
#include "sbuf/Stream.h"
#include "security/Handshake.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "ssl/support.h"
#endif
@@ -665,7 +665,7 @@ static Security::Extensions
Security::SupportedExtensions()
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// optimize lookup speed by reserving the number of values x3, approximately
Security::Extensions extensions(64);
diff --git a/src/security/Io.cc b/src/security/Io.cc
index ea5aeb87c56..14a7c048662 100644
--- a/src/security/Io.cc
+++ b/src/security/Io.cc
@@ -69,7 +69,7 @@ Security::IoResult::printWithExtras(std::ostream &os) const
void
Security::ForgetErrors()
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
Ssl::ForgetErrors();
#endif
}
@@ -102,7 +102,7 @@ Security::Handshake(Comm::Connection &transport, const ErrorCode topError, Fun i
debugs(83, 5, callResult << '/' << xerrno << " for TLS connection " << static_cast(connection) << " over " << transport);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (callResult > 0)
return IoResult(IoResult::ioSuccess);
@@ -208,7 +208,7 @@ Security::IoResult
Security::Accept(Comm::Connection &transport)
{
return Handshake(transport, SQUID_TLS_ERR_ACCEPT, [] (ConnectionPointer tlsConn) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
return SSL_accept(tlsConn);
#elif HAVE_LIBGNUTLS
return gnutls_handshake(tlsConn);
@@ -223,7 +223,7 @@ Security::IoResult
Security::Connect(Comm::Connection &transport)
{
return Handshake(transport, SQUID_TLS_ERR_CONNECT, [] (ConnectionPointer tlsConn) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
return SSL_connect(tlsConn);
#elif HAVE_LIBGNUTLS
return gnutls_handshake(tlsConn);
diff --git a/src/security/KeyData.cc b/src/security/KeyData.cc
index 94261326ae0..0f67051d14e 100644
--- a/src/security/KeyData.cc
+++ b/src/security/KeyData.cc
@@ -25,7 +25,7 @@ Security::KeyData::loadCertificates()
debugs(83, 2, "from " << certFile);
cert.reset(); // paranoid: ensure cert is unset
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
const char *certFilename = certFile.c_str();
Ssl::BIO_Pointer bio(BIO_new(BIO_s_file()));
if (!bio || !BIO_read_filename(bio.get(), certFilename)) {
@@ -140,7 +140,7 @@ Security::KeyData::loadX509PrivateKeyFromFile()
{
debugs(83, 2, "from " << privateKeyFile);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
const char *keyFilename = privateKeyFile.c_str();
// XXX: Ssl::AskPasswordCb needs SSL_CTX_set_default_passwd_cb_userdata()
// so this may not fully work iff Config.Program.ssl_password is set.
diff --git a/src/security/LockingPointer.h b/src/security/LockingPointer.h
index e7881039d9a..97ab56d4be4 100644
--- a/src/security/LockingPointer.h
+++ b/src/security/LockingPointer.h
@@ -14,7 +14,7 @@
#include
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_CRYPTO_H
#include
@@ -28,7 +28,7 @@ sk_object ## _pop_free(a, freefunction); \
}
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
namespace Security
{
diff --git a/src/security/NegotiationHistory.cc b/src/security/NegotiationHistory.cc
index 926960e4fe4..e21e97eaa87 100644
--- a/src/security/NegotiationHistory.cc
+++ b/src/security/NegotiationHistory.cc
@@ -10,13 +10,13 @@
#include "MemBuf.h"
#include "security/NegotiationHistory.h"
#include "SquidConfig.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "ssl/bio.h"
#include "ssl/support.h"
#endif
Security::NegotiationHistory::NegotiationHistory()
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
: cipher(nullptr)
#endif
{
@@ -33,7 +33,7 @@ Security::NegotiationHistory::printTlsVersion(AnyP::ProtocolVersion const &v) co
return buf;
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
static AnyP::ProtocolVersion
toProtocolVersion(const int v)
{
@@ -71,7 +71,7 @@ toProtocolVersion(const int v)
void
Security::NegotiationHistory::retrieveNegotiatedInfo(const Security::SessionPointer &session)
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if ((cipher = SSL_get_current_cipher(session.get()))) {
// Set the negotiated version only if the cipher negotiated
// else probably the negotiation is not completed and version
@@ -103,7 +103,7 @@ Security::NegotiationHistory::retrieveParsedInfo(Security::TlsDetails::Pointer c
const char *
Security::NegotiationHistory::cipherName() const
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (!cipher)
return nullptr;
diff --git a/src/security/NegotiationHistory.h b/src/security/NegotiationHistory.h
index 844cdfbd609..fe274021c9e 100644
--- a/src/security/NegotiationHistory.h
+++ b/src/security/NegotiationHistory.h
@@ -40,7 +40,7 @@ class NegotiationHistory
AnyP::ProtocolVersion helloVersion_; ///< The TLS version of the hello message
AnyP::ProtocolVersion supportedVersion_; ///< The maximum supported TLS version
AnyP::ProtocolVersion version_; ///< The negotiated TLS version
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
const SSL_CIPHER *cipher; ///< The negotiated cipher
#endif
};
diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc
index 811d264d6d7..f6912f5da33 100644
--- a/src/security/PeerConnector.cc
+++ b/src/security/PeerConnector.cc
@@ -28,7 +28,7 @@
#include "security/NegotiationHistory.h"
#include "security/PeerConnector.h"
#include "SquidConfig.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "ssl/bio.h"
#include "ssl/cert_validate_message.h"
#include "ssl/Config.h"
@@ -95,7 +95,7 @@ Security::PeerConnector::fillChecklist(ACLFilledChecklist &checklist) const
checklist.syncAle(request.getRaw(), nullptr);
// checklist.fd(fd); XXX: need client FD here
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (!checklist.serverCert) {
if (const auto session = fd_table[serverConnection()->fd].ssl.get())
checklist.serverCert.resetWithoutLocking(SSL_get_peer_certificate(session));
@@ -159,7 +159,7 @@ Security::PeerConnector::initialize(Security::SessionPointer &serverSession)
serverSession = fd_table[serverConnection()->fd].ssl;
debugs(83, 5, serverConnection() << ", session=" << (void*)serverSession.get());
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// If CertValidation Helper used do not lookup checklist for errors,
// but keep a list of errors to send it to CertValidator
if (!Ssl::TheConfig.ssl_crt_validator) {
@@ -200,7 +200,7 @@ Security::PeerConnector::recordNegotiationDetails()
// retrieve TLS server negotiated information if any
serverConnection()->tlsNegotiations()->retrieveNegotiatedInfo(session);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// retrieve TLS parsed extra info
BIO *b = SSL_get_rbio(session.get());
Ssl::ServerBio *bio = static_cast(BIO_get_data(b));
@@ -220,7 +220,7 @@ Security::PeerConnector::negotiate()
const auto result = Security::Connect(*serverConnection());
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
auto &sconn = *fd_table[fd].ssl;
// log ASAP, even if the handshake has not completed (or failed)
@@ -288,7 +288,7 @@ Security::PeerConnector::handleNegotiationResult(const Security::IoResult &resul
bool
Security::PeerConnector::sslFinalized()
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (Ssl::TheConfig.ssl_crt_validator && useCertValidator_) {
Must(Comm::IsConnOpen(serverConnection()));
const int fd = serverConnection()->fd;
@@ -329,7 +329,7 @@ Security::PeerConnector::sslFinalized()
return true;
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
void
Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointer &validationResponse)
{
@@ -377,7 +377,7 @@ Security::PeerConnector::sslCrtvdHandleReply(Ssl::CertValidationResponse::Pointe
}
#endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// Checks errors in the cert. validator response against sslproxy_cert_error.
/// The first honored error, if any, is returned via errDetails parameter.
/// The method returns all seen errors except SSL_ERROR_NONE as Security::CertErrors.
@@ -601,7 +601,7 @@ Security::PeerConnector::status() const
return buf.content();
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// the number of concurrent PeerConnector jobs waiting for us
unsigned int
Security::PeerConnector::certDownloadNestingLevel() const
@@ -762,5 +762,4 @@ Security::PeerConnector::resumeNegotiation()
handleNegotiationResult(*lastError);
}
-#endif //USE_OPENSSL
-
+#endif /* HAVE_LIBOPENSSL */
diff --git a/src/security/PeerConnector.h b/src/security/PeerConnector.h
index f0b0fd2a97a..8eacefb6506 100644
--- a/src/security/PeerConnector.h
+++ b/src/security/PeerConnector.h
@@ -19,7 +19,7 @@
#include "security/EncryptorAnswer.h"
#include "security/forward.h"
#include "security/KeyLogger.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "ssl/support.h"
#endif
@@ -100,7 +100,7 @@ class PeerConnector: virtual public AsyncJob, public Acl::ChecklistFiller
/// Whether TLS negotiation has been paused and not yet resumed
bool isSuspended() const { return static_cast(suspendedError_); }
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// Suspends TLS negotiation to download the missing certificates
/// \param lastError an error to handle when resuming negotiations
void suspendNegotiation(const Security::IoResult &lastError);
@@ -173,7 +173,7 @@ class PeerConnector: virtual public AsyncJob, public Acl::ChecklistFiller
PeerConnector(const PeerConnector &); // not implemented
PeerConnector &operator =(const PeerConnector &); // not implemented
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
unsigned int certDownloadNestingLevel() const;
/// Process response from cert validator helper
@@ -205,7 +205,7 @@ class PeerConnector: virtual public AsyncJob, public Acl::ChecklistFiller
std::queue urlsOfMissingCerts;
unsigned int certsDownloads; ///< the number of downloaded missing certificates
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// successfully downloaded intermediate certificates (omitted by the peer)
Ssl::X509_STACK_Pointer downloadedCerts;
#endif
diff --git a/src/security/PeerOptions.cc b/src/security/PeerOptions.cc
index fe42948e240..d2be8ae85dc 100644
--- a/src/security/PeerOptions.cc
+++ b/src/security/PeerOptions.cc
@@ -15,7 +15,7 @@
#include "Parsing.h"
#include "security/PeerOptions.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "ssl/support.h"
#endif
@@ -74,7 +74,7 @@ Security::PeerOptions::parse(const char *token)
caFiles.emplace_back(SBuf(token + 7));
} else if (strncmp(token, "capath=", 7) == 0) {
caDir = SBuf(token + 7);
-#if !USE_OPENSSL
+#if !HAVE_LIBOPENSSL
debugs(3, DBG_PARSE_NOTE(1), "WARNING: capath= option requires --with-openssl.");
#endif
} else if (strncmp(token, "crlfile=", 8) == 0) {
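Review bot: In the PeerOptions.cc hunk at old line 74 the guard becomes `#if !HAVE_LIBOPENSSL` but the message it protects still tells the administrator that `capath=` "requires --with-openssl"; if the configure switch was renamed together with the macro (the build-system hunks elsewhere in this series replace SSLLIB with LIBOPENSSL_LIBS, which suggests a wider rework), the warning now points at an option that may no longer exist, so please confirm the switch name and adjust the string if needed. The surrounding parse() function starts and ends outside the hunk.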
@@ -165,7 +165,7 @@ Security::PeerOptions::updateTlsVersionLimits()
// only account for TLS here - SSL versions are handled by options= parameter
// avoid affecting options= parameter in cachemgr config report
SBuf add;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (v > 0)
add.append(":NO_TLSv1");
if (v > 1)
@@ -201,28 +201,28 @@ Security::PeerOptions::updateTlsVersionLimits()
const char *add = nullptr;
switch (sslVersion) {
case 3:
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
add = ":NO_TLSv1:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
#elif HAVE_LIBGNUTLS
add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
#endif
break;
case 4:
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
add = ":NO_SSLv3:NO_TLSv1_1:NO_TLSv1_2:NO_TLSv1_3";
#elif HAVE_LIBGNUTLS
add = ":+VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
#endif
break;
case 5:
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_2:NO_TLSv1_3";
#elif HAVE_LIBGNUTLS
add = ":-VERS-TLS1.0:+VERS-TLS1.1:-VERS-TLS1.2:-VERS-TLS1.3";
#endif
break;
case 6:
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
add = ":NO_SSLv3:NO_TLSv1:NO_TLSv1_1:NO_TLSv1_3";
#elif HAVE_LIBGNUTLS
add = ":-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.3";
@@ -246,7 +246,7 @@ Security::ContextPointer
Security::PeerOptions::createBlankContext() const
{
Security::ContextPointer ctx;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
Ssl::Initialize();
SSL_CTX *t = SSL_CTX_new(TLS_client_method());
@@ -281,7 +281,7 @@ Security::PeerOptions::createClientContext(bool setOptions)
if (t) {
if (setOptions)
updateContextOptions(t);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// XXX: temporary performance regression. c_str() data copies and prevents this being a const method
Ssl::InitClientContext(t, *this, parsedFlags);
#endif
@@ -294,7 +294,7 @@ Security::PeerOptions::createClientContext(bool setOptions)
return t;
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// set of options we can parse and what they map to
static struct ssl_option {
const char *name;
@@ -437,7 +437,7 @@ static struct ssl_option {
{ nullptr, 0 }
};
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
/**
* Pre-parse TLS options= parameter to be applied when the TLS objects created.
@@ -458,7 +458,7 @@ Security::PeerOptions::parseOptions()
str.append(sslOptions);
str.append(tlsMinOptions);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
::Parser::Tokenizer tok(str);
ParsedOptions op = 0;
@@ -621,7 +621,7 @@ Security::PeerOptions::loadCrlFile()
if (crlFile.isEmpty())
return;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
BIO *in = BIO_new_file(crlFile.c_str(), "r");
if (!in) {
debugs(83, 2, "WARNING: Failed to open CRL file " << crlFile);
@@ -639,7 +639,7 @@ void
Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx)
{
parseOptions();
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
SSL_CTX_set_options(ctx.get(), parsedOptions);
#elif HAVE_LIBGNUTLS
// NP: GnuTLS uses 'priorities' which are set only per-session instead.
@@ -649,7 +649,7 @@ Security::PeerOptions::updateContextOptions(Security::ContextPointer &ctx)
#endif
}
-#if USE_OPENSSL && defined(TLSEXT_TYPE_next_proto_neg)
+#if HAVE_LIBOPENSSL && defined(TLSEXT_TYPE_next_proto_neg)
// Dummy next_proto_neg callback
static int
ssl_next_proto_cb(SSL *, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void * /* arg */)
@@ -666,7 +666,7 @@ Security::PeerOptions::updateContextNpn(Security::ContextPointer &ctx)
if (!flags.tlsNpn)
return;
-#if USE_OPENSSL && defined(TLSEXT_TYPE_next_proto_neg)
+#if HAVE_LIBOPENSSL && defined(TLSEXT_TYPE_next_proto_neg)
SSL_CTX_set_next_proto_select_cb(ctx.get(), &ssl_next_proto_cb, nullptr);
#else
// NOTE: GnuTLS does not support the obsolete NPN extension.
@@ -679,7 +679,7 @@ static const char *
loadSystemTrustedCa(Security::ContextPointer &ctx)
{
debugs(83, 8, "Setting default system Trusted CA. ctx=" << (void*)ctx.get());
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (SSL_CTX_set_default_verify_paths(ctx.get()) == 0)
return Security::ErrorString(ERR_get_error());
@@ -696,7 +696,7 @@ void
Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
{
debugs(83, 8, "Setting CA certificate locations.");
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (const char *path = caDir.isEmpty() ? nullptr : caDir.c_str()) {
if (!SSL_CTX_load_verify_locations(ctx.get(), nullptr, path)) {
const auto x = ERR_get_error();
@@ -705,7 +705,7 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
}
#endif
for (auto i : caFiles) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (!SSL_CTX_load_verify_locations(ctx.get(), i.c_str(), nullptr)) {
const auto x = ERR_get_error();
debugs(83, DBG_IMPORTANT, "WARNING: Ignoring error setting CA certificate location " <<
@@ -731,7 +731,7 @@ Security::PeerOptions::updateContextCa(Security::ContextPointer &ctx)
void
Security::PeerOptions::updateContextCrl(Security::ContextPointer &ctx)
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
bool verifyCrl = false;
X509_STORE *st = SSL_CTX_get_cert_store(ctx.get());
if (parsedCrl.size()) {
@@ -750,15 +750,15 @@ Security::PeerOptions::updateContextCrl(Security::ContextPointer &ctx)
X509_STORE_set_flags(st, X509_V_FLAG_CRL_CHECK);
#endif
-#else /* USE_OPENSSL */
+#else /* HAVE_LIBOPENSSL */
(void)ctx;
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
}
void
Security::PeerOptions::updateContextTrust(Security::ContextPointer &ctx)
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#if defined(X509_V_FLAG_PARTIAL_CHAIN)
const auto st = SSL_CTX_get_cert_store(ctx.get());
assert(st);
@@ -779,7 +779,7 @@ void
Security::PeerOptions::updateSessionOptions(Security::SessionPointer &s)
{
parseOptions();
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
debugs(83, 5, "set OpenSSL options for session=" << s << ", parsedOptions=" << parsedOptions);
// XXX: Options already set before (via the context) are not cleared!
SSL_set_options(s.get(), parsedOptions);
diff --git a/src/security/PeerOptions.h b/src/security/PeerOptions.h
index d1d9140ddf0..696f27175ca 100644
--- a/src/security/PeerOptions.h
+++ b/src/security/PeerOptions.h
@@ -109,7 +109,7 @@ class PeerOptions
protected:
template Security::ContextPointer convertContextFromRawPtr(T ctx) const {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
debugs(83, 5, "SSL_CTX construct, this=" << (void*)ctx);
return ContextPointer(ctx, [](SSL_CTX *p) {
debugs(83, 5, "SSL_CTX destruct, this=" << (void*)p);
diff --git a/src/security/ServerOptions.cc b/src/security/ServerOptions.cc
index 8039663660c..68c1feb3ca9 100644
--- a/src/security/ServerOptions.cc
+++ b/src/security/ServerOptions.cc
@@ -17,7 +17,7 @@
#include "security/ServerOptions.h"
#include "security/Session.h"
#include "SquidConfig.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "compat/openssl.h"
#include "ssl/support.h"
@@ -40,7 +40,7 @@ Security::ServerOptions::operator =(const Security::ServerOptions &old) {
dhParamsFile = old.dhParamsFile;
eecdhCurve = old.eecdhCurve;
parsedDhParams = old.parsedDhParams;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (auto *stk = SSL_dup_CA_list(old.clientCaStack.get()))
clientCaStack = Security::ServerOptions::X509_NAME_STACK_Pointer(stk);
else
@@ -119,7 +119,7 @@ Security::ServerOptions::parse(const char *token)
generateHostCertificates = false;
} else if (strncmp(token, "context=", 8) == 0) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
staticContextSessionId = SBuf(token+8);
// to hide its arguably sensitive value, do not print token in these debugs
if (staticContextSessionId.length() > SSL_MAX_SSL_SESSION_ID_LENGTH) {
@@ -163,7 +163,7 @@ Security::ContextPointer
Security::ServerOptions::createBlankContext() const
{
Security::ContextPointer ctx;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
Ssl::Initialize();
SSL_CTX *t = SSL_CTX_new(TLS_server_method());
@@ -218,7 +218,7 @@ Security::ServerOptions::createStaticServerContext(AnyP::PortCfg &)
Security::ContextPointer t(createBlankContext());
if (t) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (certs.size() > 1) {
// NOTE: calling SSL_CTX_use_certificate() repeatedly _replaces_ the previous cert details.
// so we cannot use it and support multiple server certificates with OpenSSL.
@@ -300,7 +300,7 @@ Security::ServerOptions::createSigningContexts(const AnyP::PortCfg &port)
if (!signingCa.pkey)
debugs(3, DBG_IMPORTANT, "No TLS private key configured for " << portType << "_port " << port.s);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
Ssl::generateUntrustedCert(untrustedSigningCa.cert, untrustedSigningCa.pkey, signingCa.cert, signingCa.pkey);
#elif HAVE_LIBGNUTLS
// TODO: implement for GnuTLS. Just a warning for now since generate is implicitly on for all crypto builds.
@@ -340,7 +340,7 @@ Security::ServerOptions::loadClientCaFile()
if (clientCaFile.isEmpty())
return true;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
auto *stk = SSL_load_client_CA_file(clientCaFile.c_str());
clientCaStack = Security::ServerOptions::X509_NAME_STACK_Pointer(stk);
#endif
@@ -367,7 +367,7 @@ Security::ServerOptions::loadDhParams()
// public and private components have the correct mathematical
// relationship". See EVP_PKEY_check().
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#if OPENSSL_VERSION_MAJOR < 3
DH *dhp = nullptr;
if (FILE *in = fopen(dhParamsFile.c_str(), "r")) {
@@ -450,7 +450,7 @@ Security::ServerOptions::loadDhParams()
return;
}
#endif
-#endif // USE_OPENSSL
+#endif // HAVE_LIBOPENSSL
}
bool
@@ -459,7 +459,7 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx)
updateContextOptions(ctx);
updateContextSessionId(ctx);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (parsedFlags & SSL_FLAG_NO_SESSION_REUSE) {
SSL_CTX_set_session_cache_mode(ctx.get(), SSL_SESS_CACHE_OFF);
}
@@ -485,7 +485,7 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx)
updateContextCa(ctx);
updateContextClientCa(ctx);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
SSL_CTX_set_mode(ctx.get(), SSL_MODE_NO_AUTO_CHAIN);
if (parsedFlags & SSL_FLAG_DONT_VERIFY_DOMAIN)
SSL_CTX_set_ex_data(ctx.get(), ssl_ctx_ex_index_dont_verify_domain, (void *) -1);
@@ -498,7 +498,7 @@ Security::ServerOptions::updateContextConfig(Security::ContextPointer &ctx)
void
Security::ServerOptions::updateContextClientCa(Security::ContextPointer &ctx)
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (clientCaStack) {
ERR_clear_error();
if (STACK_OF(X509_NAME) *clientca = SSL_dup_CA_list(clientCaStack.get())) {
@@ -529,7 +529,7 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
if (!eecdhCurve.isEmpty()) {
debugs(83, 9, "Setting Ephemeral ECDH curve to " << eecdhCurve << ".");
-#if USE_OPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
+#if HAVE_LIBOPENSSL && OPENSSL_VERSION_NUMBER >= 0x0090800fL && !defined(OPENSSL_NO_ECDH)
Ssl::ForgetErrors();
@@ -568,7 +568,7 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
}
// set DH parameters into the server context
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (parsedDhParams) {
#if OPENSSL_VERSION_MAJOR < 3
if (SSL_CTX_set_tmp_dh(ctx.get(), parsedDhParams.get()) != 1) {
@@ -586,13 +586,13 @@ Security::ServerOptions::updateContextEecdh(Security::ContextPointer &ctx)
}
#endif // OPENSSL_VERSION_MAJOR
}
-#endif // USE_OPENSSL
+#endif // HAVE_LIBOPENSSL
}
void
Security::ServerOptions::updateContextSessionId(Security::ContextPointer &ctx)
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (!staticContextSessionId.isEmpty())
SSL_CTX_set_session_id_context(ctx.get(), reinterpret_cast(staticContextSessionId.rawContent()), staticContextSessionId.length());
#else
diff --git a/src/security/ServerOptions.h b/src/security/ServerOptions.h
index 9525ea381a1..1b186b4a6b2 100644
--- a/src/security/ServerOptions.h
+++ b/src/security/ServerOptions.h
@@ -11,7 +11,7 @@
#include "anyp/forward.h"
#include "security/PeerOptions.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_X509_H
#include
@@ -25,7 +25,7 @@ namespace Security
class ServerOptions : public PeerOptions
{
public:
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
sk_dtor_wrapper(sk_X509_NAME, STACK_OF(X509_NAME) *, X509_NAME_free);
typedef std::unique_ptr X509_NAME_STACK_Pointer;
#endif
@@ -71,7 +71,7 @@ class ServerOptions : public PeerOptions
Security::ContextPointer staticContext;
SBuf staticContextSessionId; ///< "session id context" for staticContext
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
bool generateHostCertificates = true; ///< dynamically make host cert
#elif HAVE_LIBGNUTLS
// TODO: GnuTLS does implement TLS server connections so the cert
@@ -105,7 +105,7 @@ class ServerOptions : public PeerOptions
private:
SBuf clientCaFile; ///< name of file to load client CAs from
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
/// CA certificate(s) to use when verifying client certificates
X509_NAME_STACK_Pointer clientCaStack;
#else
diff --git a/src/security/Session.cc b/src/security/Session.cc
index 755c5be9c24..5ab630c8571 100644
--- a/src/security/Session.cc
+++ b/src/security/Session.cc
@@ -25,12 +25,12 @@
#define SSL_SESSION_ID_SIZE 32
#define SSL_SESSION_MAX_SIZE 10*1024
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
static Ipc::MemMap *SessionCache = nullptr;
static const char *SessionCacheName = "tls_session_cache";
#endif
-#if USE_OPENSSL || HAVE_LIBGNUTLS
+#if HAVE_LIBOPENSSL || HAVE_LIBGNUTLS
static int
tls_read_method(int fd, char *buf, int len)
{
@@ -39,7 +39,7 @@ tls_read_method(int fd, char *buf, int len)
Security::PrepForIo();
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
int i = SSL_read(session, buf, len);
const auto savedErrno = errno; // zero if SSL_read() does not set it
@@ -63,7 +63,7 @@ tls_read_method(int fd, char *buf, int len)
(void)VALGRIND_MAKE_MEM_DEFINED(buf, i);
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (i > 0 && SSL_pending(session) > 0) {
#elif HAVE_LIBGNUTLS
if (i > 0 && gnutls_record_check_pending(session) > 0) {
@@ -82,7 +82,7 @@ tls_write_method(int fd, const char *buf, int len)
auto session = fd_table[fd].ssl.get();
debugs(83, 5, "started for session=" << static_cast(session) << " FD " << fd << " buf.len=" << len);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (!SSL_is_init_finished(session)) {
debugs(83, 3, "FD " << fd << " is not in TLS init_finished state");
errno = ENOTCONN;
@@ -92,7 +92,7 @@ tls_write_method(int fd, const char *buf, int len)
Security::PrepForIo();
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
int i = SSL_write(session, buf, len);
const auto savedErrno = errno; // zero if SSL_write() does not set it
@@ -118,7 +118,7 @@ tls_write_method(int fd, const char *buf, int len)
}
#endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
Security::SessionPointer
Security::NewSessionObject(const Security::ContextPointer &ctx)
{
@@ -139,11 +139,11 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
return false;
}
-#if USE_OPENSSL || HAVE_LIBGNUTLS
+#if HAVE_LIBOPENSSL || HAVE_LIBGNUTLS
const char *errAction = "with no TLS/SSL library";
Security::LibErrorCode errCode = 0;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
Security::SessionPointer session(Security::NewSessionObject(ctx));
if (!session) {
errCode = ERR_get_error();
@@ -168,7 +168,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
if (session) {
const int fd = conn->fd;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// without BIO, we would call SSL_set_fd(ssl.get(), fd) instead
if (BIO *bio = Ssl::Bio::Create(fd, type)) {
Ssl::Bio::Link(session.get(), bio); // cannot fail
@@ -192,7 +192,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
return true;
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
errCode = ERR_get_error();
errAction = "failed to initialize I/O";
(void)opts;
@@ -208,7 +208,7 @@ CreateSession(const Security::ContextPointer &ctx, const Comm::ConnectionPointer
(void)opts;
(void)type;
(void)squidCtx;
-#endif /* USE_OPENSSL || HAVE_LIBGNUTLS */
+#endif /* HAVE_LIBOPENSSL || HAVE_LIBGNUTLS */
return false;
}
@@ -234,7 +234,7 @@ Security::SessionSendGoodbye(const Security::SessionPointer &s)
{
debugs(83, 5, "session=" << (void*)s.get());
if (s) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
SSL_shutdown(s.get());
#elif HAVE_LIBGNUTLS
gnutls_bye(s.get(), GNUTLS_SHUT_RDWR);
@@ -246,7 +246,7 @@ bool
Security::SessionIsResumed(const Security::SessionPointer &s)
{
bool result = false;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
result = SSL_session_reused(s.get()) == 1;
#elif HAVE_LIBGNUTLS
result = gnutls_session_is_resumed(s.get()) != 0;
@@ -259,7 +259,7 @@ void
Security::MaybeGetSessionResumeData(const Security::SessionPointer &s, Security::SessionStatePointer &data)
{
if (!SessionIsResumed(s)) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// nil is valid for SSL_get1_session(), it cannot fail.
data.reset(SSL_get1_session(s.get()));
#elif HAVE_LIBGNUTLS
@@ -280,7 +280,7 @@ void
Security::SetSessionResumeData(const Security::SessionPointer &s, const Security::SessionStatePointer &data)
{
if (data) {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (!SSL_set_session(s.get(), data.get())) {
const auto ssl_error = ERR_get_error();
debugs(83, 3, "session=" << (void*)s.get() << " data=" << (void*)data.get() <<
@@ -315,7 +315,7 @@ isTlsServer()
return false;
}
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
static int
store_session_cb(SSL *, SSL_SESSION *session)
{
@@ -415,9 +415,9 @@ Security::SetSessionCacheCallbacks(Security::ContextPointer &ctx)
SSL_CTX_sess_set_get_cb(ctx.get(), get_session_cb);
}
}
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
static void
initializeSessionCache()
{
@@ -462,7 +462,7 @@ DefineRunnerRegistrator(SharedSessionCacheRr);
void
SharedSessionCacheRr::useConfig()
{
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (SessionCache || !isTlsServer()) // no need to configure SSL_SESSION* cache.
return;
@@ -477,7 +477,7 @@ SharedSessionCacheRr::create()
if (!isTlsServer()) // no need to configure SSL_SESSION* cache.
return;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
if (int items = Config.SSL.sessionCacheSize / sizeof(Ipc::MemMap::Slot))
owner = Ipc::MemMap::Init(SessionCacheName, items);
#endif
diff --git a/src/security/Session.h b/src/security/Session.h
index deda8830435..767f50d56c2 100644
--- a/src/security/Session.h
+++ b/src/security/Session.h
@@ -16,7 +16,7 @@
#include
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_SSL_H
#include
@@ -45,7 +45,7 @@ class PeerOptions;
/// On errors, emits DBG_IMPORTANT with details and returns false.
bool CreateServerSession(const Security::ContextPointer &, const Comm::ConnectionPointer &, Security::PeerOptions &, const char *squidCtx);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
typedef SSL Connection;
using Session = SSL_SESSION;
@@ -99,7 +99,7 @@ void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::Sessi
/// Needs to be done before using the SessionPointer for a handshake.
void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &);
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// TODO: remove from public API. It is only public because of Security::ServerOptions::updateContextConfig
/// Setup the given TLS context with callbacks used to manage the session cache
void SetSessionCacheCallbacks(Security::ContextPointer &);
diff --git a/src/security/cert_generators/file/Makefile.am b/src/security/cert_generators/file/Makefile.am
index 6668018c775..a569c5a79db 100644
--- a/src/security/cert_generators/file/Makefile.am
+++ b/src/security/cert_generators/file/Makefile.am
@@ -33,6 +33,5 @@ security_file_certgen_LDADD = \
$(top_builddir)/src/anyp/libanyp.la \
$(top_builddir)/src/base/libbase.la \
$(top_builddir)/src/time/libtime.la \
- $(SSLLIB) \
- $(COMPAT_LIB)
-
+ $(COMPAT_LIB) \
+ $(LIBOPENSSL_LIBS)
diff --git a/src/security/forward.h b/src/security/forward.h
index 14e02e25aa4..1634cf0a200 100644
--- a/src/security/forward.h
+++ b/src/security/forward.h
@@ -22,7 +22,7 @@
#include
#include
#include
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
#include "compat/openssl.h"
#if HAVE_OPENSSL_BN_H
#include
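Review bot: The Makefile.am hunk moves the OpenSSL libraries from before `$(COMPAT_LIB)` to after it (`$(COMPAT_LIB) \` then `$(LIBOPENSSL_LIBS)`), which is a link-order change, not just a variable rename; with static archives the linker resolves references left to right, so this ordering is the correct one only if libcompat references OpenSSL symbols (several files in this series include `compat/openssl.h`, which suggests it does) and would break a static build if the dependency were the other way around. Please confirm a static link of security_file_certgen still succeeds, and keep the other `*_LDADD` lists that used to reference `$(SSLLIB)` in the same order so one helper does not silently diverge from the rest.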
@@ -36,10 +36,10 @@
#if HAVE_OPENSSL_X509_H
#include
#endif
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
#include
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
// Macro to be used to define the C++ wrapper functor of the sk_*_pop_free
// OpenSSL family of functions. The C++ functor is suffixed with the _free_wrapper
// extension
@@ -47,7 +47,7 @@ struct sk_object ## _free_wrapper { \
void operator()(argument_type a) { sk_object ## _pop_free(a, freefunction); } \
}
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
/* flags a SSL connection can be configured with */
#define SSL_FLAG_NO_DEFAULT_CA (1<<0)
@@ -59,7 +59,7 @@
#define SSL_FLAG_VERIFY_CRL_ALL (1<<6)
#define SSL_FLAG_CONDITIONAL_AUTH (1<<7)
-#if !USE_OPENSSL && !HAVE_LIBGNUTLS
+#if !HAVE_LIBOPENSSL && !HAVE_LIBGNUTLS
/// A helper type to keep all three possible underlying types of the
/// Security::Certificate typedef below inside global namespace, so that
/// argument-dependent lookup for operator "<<" (Certificate) works inside
@@ -75,7 +75,7 @@ class CertError;
/// Holds a list of X.509 certificate errors
typedef CbDataList CertErrors;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
typedef X509 Certificate;
#elif HAVE_LIBGNUTLS
typedef struct gnutls_x509_crt_int Certificate;
@@ -83,7 +83,7 @@ typedef struct gnutls_x509_crt_int Certificate;
typedef struct notls_x509 Certificate;
#endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
CtoCpp1(X509_free, X509 *);
typedef Security::LockingPointer > CertPointer;
#elif HAVE_LIBGNUTLS
@@ -92,7 +92,7 @@ typedef std::shared_ptr CertPointer;
typedef std::shared_ptr CertPointer;
#endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
CtoCpp1(X509_CRL_free, X509_CRL *);
typedef Security::LockingPointer > CrlPointer;
#elif HAVE_LIBGNUTLS
@@ -106,7 +106,7 @@ typedef std::list CertList;
typedef std::list Cert
RevokeList;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
CtoCpp1(EVP_PKEY_free, EVP_PKEY *)
using PrivateKeyPointer = Security::LockingPointer>;
#elif HAVE_LIBGNUTLS
@@ -115,7 +115,7 @@ using PrivateKeyPointer = std::shared_ptr;
 using PrivateKeyPointer = std::shared_ptr;
 #endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #if OPENSSL_VERSION_MAJOR < 3
 CtoCpp1(DH_free, DH *);
 typedef Security::LockingPointer > DhePointer;
@@ -134,7 +134,7 @@ class EncryptorAnswer;
 typedef int ErrorCode;
 /// TLS library-reported non-validation error
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 /// the result of the first ERR_get_error(3SSL) call after a library call;
 /// `openssl errstr` expands these numbers into human-friendlier strings like
 /// `error:1408F09C:SSL routines:ssl3_get_record:http request`
@@ -150,7 +150,7 @@ typedef int LibErrorCode;
 /// converts numeric LibErrorCode into a human-friendlier string
 inline const char *ErrorString(const LibErrorCode code)
 {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 return ERR_error_string(code, nullptr);
 #elif HAVE_LIBGNUTLS
 return gnutls_strerror(code);
@@ -167,7 +167,7 @@ typedef std::unordered_set Errors;
 namespace Io
 {
 enum Type {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 BIO_TO_CLIENT = 6000,
 BIO_TO_SERVER
 #elif HAVE_LIBGNUTLS
@@ -190,7 +190,7 @@ class CommunicationSecrets;
 class KeyData;
 class KeyLog;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 using ParsedOptions = uint64_t;
 #elif HAVE_LIBGNUTLS
 typedef std::shared_ptr ParsedOptions;
diff --git a/src/ssl/PeekingPeerConnector.h b/src/ssl/PeekingPeerConnector.h
index 9546c832570..cd54b02fd4d 100644
--- a/src/ssl/PeekingPeerConnector.h
+++ b/src/ssl/PeekingPeerConnector.h
@@ -11,7 +11,7 @@
 #include "security/PeerConnector.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 namespace Ssl
 {
@@ -74,6 +74,6 @@ class PeekingPeerConnector: public Security::PeerConnector {
 } // namespace Ssl
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
 #endif /* SQUID_SRC_SSL_PEEKINGPEERCONNECTOR_H */
diff --git a/src/ssl/ProxyCerts.h b/src/ssl/ProxyCerts.h
index f616ad3f7dc..f7d9755c89e 100644
--- a/src/ssl/ProxyCerts.h
+++ b/src/ssl/ProxyCerts.h
@@ -9,7 +9,7 @@
 #ifndef SQUID_SRC_SSL_PROXYCERTS_H
 #define SQUID_SRC_SSL_PROXYCERTS_H
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "acl/forward.h"
 #include "acl/Gadgets.h"
 #include "ssl/gadgets.h"
diff --git a/src/ssl/bio.cc b/src/ssl/bio.cc
index 00cbd7f927a..b59d374585e 100644
--- a/src/ssl/bio.cc
+++ b/src/ssl/bio.cc
@@ -13,7 +13,7 @@
 #include "ssl/support.h"
 /* support.cc says this is needed */
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "base/Raw.h"
 #include "comm.h"
@@ -628,5 +628,5 @@ applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl
 #endif
 }
-#endif // USE_OPENSSL
+#endif // HAVE_LIBOPENSSL
diff --git a/src/ssl/bio.h b/src/ssl/bio.h
index 6872fa00268..6c1ca28e88f 100644
--- a/src/ssl/bio.h
+++ b/src/ssl/bio.h
@@ -9,7 +9,7 @@
 #ifndef SQUID_SRC_SSL_BIO_H
 #define SQUID_SRC_SSL_BIO_H
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "compat/openssl.h"
 #include "FadingCounter.h"
@@ -200,6 +200,6 @@ class ServerBio: public Bio
 void applyTlsDetailsToSSL(SSL *ssl, Security::TlsDetails::Pointer const &details, Ssl::BumpMode bumpMode);
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
 #endif /* SQUID_SRC_SSL_BIO_H */
diff --git a/src/ssl/context_storage.cc b/src/ssl/context_storage.cc
index e1e2b121c15..0cf27d5f4c0 100644
--- a/src/ssl/context_storage.cc
+++ b/src/ssl/context_storage.cc
@@ -13,7 +13,7 @@
 #include "Store.h"
 #include
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "compat/openssl.h"
 #if HAVE_OPENSSL_SSL_H
 #include
diff --git a/src/ssl/context_storage.h b/src/ssl/context_storage.h
index a7c8cc009b2..db5b9bbcdea 100644
--- a/src/ssl/context_storage.h
+++ b/src/ssl/context_storage.h
@@ -9,7 +9,7 @@
 #ifndef SQUID_SRC_SSL_CONTEXT_STORAGE_H
 #define SQUID_SRC_SSL_CONTEXT_STORAGE_H
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "base/ClpMap.h"
 #include "CacheManager.h"
@@ -76,7 +76,7 @@ class GlobalContextStorage
 /// Global cache for store all SSL server certificates.
 GlobalContextStorage &TheGlobalContextStorage();
 } //namespace Ssl
-#endif // USE_OPENSSL
+#endif // HAVE_LIBOPENSSL
 #endif /* SQUID_SRC_SSL_CONTEXT_STORAGE_H */
diff --git a/src/ssl/gadgets.h b/src/ssl/gadgets.h
index e0c60c3a351..fff5cb3571a 100644
--- a/src/ssl/gadgets.h
+++ b/src/ssl/gadgets.h
@@ -9,7 +9,7 @@
 #ifndef SQUID_SRC_SSL_GADGETS_H
 #define SQUID_SRC_SSL_GADGETS_H
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "anyp/forward.h"
 #include "base/HardFun.h"
@@ -308,6 +308,6 @@ const ASN1_BIT_STRING *X509_get_signature(const Security::CertPointer &);
 } // namespace Ssl
-#endif // USE_OPENSSL
+#endif // HAVE_LIBOPENSSL
 #endif /* SQUID_SRC_SSL_GADGETS_H */
diff --git a/src/ssl/helper.h b/src/ssl/helper.h
index e01e6829844..45dfd9e2a04 100644
--- a/src/ssl/helper.h
+++ b/src/ssl/helper.h
@@ -9,7 +9,7 @@
 #ifndef SQUID_SRC_SSL_HELPER_H
 #define SQUID_SRC_SSL_HELPER_H
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "base/AsyncJobCalls.h"
 #include "base/ClpMap.h"
@@ -61,6 +61,6 @@ class CertValidationHelper
 } //namespace Ssl
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
 #endif /* SQUID_SRC_SSL_HELPER_H */
diff --git a/src/ssl/support.cc b/src/ssl/support.cc
index 6d7c61ab4a9..182fee37eed 100644
--- a/src/ssl/support.cc
+++ b/src/ssl/support.cc
@@ -13,7 +13,7 @@
 /* MS Visual Studio Projects are monolithic, so we need the following
 * #if to exclude the SSL code from compile process when not needed.
 */
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "acl/FilledChecklist.h"
 #include "anyp/Host.h"
@@ -1595,5 +1595,5 @@ BIO *Ssl::BIO_new_SBuf(SBuf *buf)
 return bio;
 }
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
diff --git a/src/ssl/support.h b/src/ssl/support.h
index 88c9465603b..22145ab5eae 100644
--- a/src/ssl/support.h
+++ b/src/ssl/support.h
@@ -11,7 +11,7 @@
 #ifndef SQUID_SRC_SSL_SUPPORT_H
 #define SQUID_SRC_SSL_SUPPORT_H
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "anyp/forward.h"
 #include "base/CbDataList.h"
@@ -420,6 +420,6 @@ int SSL_set_fd(SSL *ssl, int fd)
 #endif /* _SQUID_WINDOWS_ */
-#endif /* USE_OPENSSL */
+#endif /* HAVE_LIBOPENSSL */
 #endif /* SQUID_SRC_SSL_SUPPORT_H */
diff --git a/src/stat.cc b/src/stat.cc
index d713c050456..5e3aac64924 100644
--- a/src/stat.cc
+++ b/src/stat.cc
@@ -53,7 +53,7 @@
 #if USE_DELAY_POOLS
 #include "DelayId.h"
 #endif
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "ssl/support.h"
 #endif
@@ -1821,7 +1821,7 @@ statClientRequests(StoreEntry * s)
 p = http->request->extacl_user.termedBuf();
 }
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 if (!p && conn != nullptr && Comm::IsConnOpen(conn->clientConnection))
 p = sslGetUserEmail(fd_table[conn->clientConnection->fd].ssl.get());
 #endif
diff --git a/src/tests/stub_client_side.cc b/src/tests/stub_client_side.cc
index 0421f060aba..9f6db317b50 100644
--- a/src/tests/stub_client_side.cc
+++ b/src/tests/stub_client_side.cc
@@ -42,7 +42,7 @@ void ConnStateData::swanSong() STUB
 void ConnStateData::quitAfterError(HttpRequest *) STUB
 NotePairs::Pointer ConnStateData::notes() STUB_RETVAL(NotePairs::Pointer())
 void ConnStateData::fillConnectionLevelDetails(ACLFilledChecklist &) const STUB
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 void ConnStateData::httpsPeeked(PinnedIdleContext) STUB
 void ConnStateData::getSslContextStart() STUB
 void ConnStateData::getSslContextDone(Security::ContextPointer &) STUB
diff --git a/src/tests/stub_liblog.cc b/src/tests/stub_liblog.cc
index cd971198b20..061bb42a542 100644
--- a/src/tests/stub_liblog.cc
+++ b/src/tests/stub_liblog.cc
@@ -19,7 +19,7 @@ AccessLogEntry::~AccessLogEntry() {STUB}
 void AccessLogEntry::getLogClientIp(char *, size_t) const STUB
 SBuf AccessLogEntry::getLogMethod() const STUB_RETVAL(SBuf())
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 AccessLogEntry::SslDetails::SslDetails() {STUB}
 #endif
 */
diff --git a/src/tests/stub_libsecurity.cc b/src/tests/stub_libsecurity.cc
index 86989daab7f..e48c7eaa334 100644
--- a/src/tests/stub_libsecurity.cc
+++ b/src/tests/stub_libsecurity.cc
@@ -64,7 +64,7 @@ void Security::KeyLogger::maybeLog(const Connection &, const Acl::ChecklistFille
 #include "security/ErrorDetail.h"
 Security::ErrorDetail::ErrorDetail(ErrorCode, const CertPointer &, const CertPointer &, const char *) STUB
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 Security::ErrorDetail::ErrorDetail(ErrorCode, int, int) STUB
 #elif HAVE_LIBGNUTLS
 Security::ErrorDetail::ErrorDetail(ErrorCode, LibErrorCode, int) STUB
@@ -116,7 +116,7 @@ EncryptorAnswer &PeerConnector::answer() STUB_RETREF(EncryptorAnswer)
 Security::PeerOptions &Security::ProxyOutgoingConfig() STUB_RETREF(Security::PeerOptions)
 Security::PeerOptions::PeerOptions()
 {
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 parsedOptions = 0;
 #endif
 STUB_NOP
@@ -156,7 +156,7 @@ void SessionSendGoodbye(const Security::SessionPointer &) STUB
 bool SessionIsResumed(const Security::SessionPointer &) STUB_RETVAL(false)
 void MaybeGetSessionResumeData(const Security::SessionPointer &, Security::SessionStatePointer &) STUB
 void SetSessionResumeData(const Security::SessionPointer &, const Security::SessionStatePointer &) STUB
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 void SetSessionCacheCallbacks(Security::ContextPointer &) STUB
 Security::SessionPointer NewSessionObject(const Security::ContextPointer &) STUB_RETVAL(nullptr)
 #endif
diff --git a/src/tests/stub_libsslsquid.cc b/src/tests/stub_libsslsquid.cc
index 4ed2fb59cc7..d535408bae8 100644
--- a/src/tests/stub_libsslsquid.cc
+++ b/src/tests/stub_libsslsquid.cc
@@ -8,7 +8,7 @@
 #include "squid.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "fatal.h"
 #include "sbuf/Algorithms.h"
diff --git a/src/tunnel.cc b/src/tunnel.cc
index 5da201b6bd6..41b5b40f2de 100644
--- a/src/tunnel.cc
+++ b/src/tunnel.cc
@@ -45,7 +45,7 @@
 #include "security/BlindPeerConnector.h"
 #include "SquidConfig.h"
 #include "StatCounters.h"
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 #include "ssl/bio.h"
 #include "ssl/ServerBump.h"
 #endif
@@ -110,7 +110,7 @@ class TunnelStateData: public PeerSelectionInitiator
 // have already responded to that CONNECT before tunnel.cc started.
 if (request && request->flags.forceTunnel)
 return false;
-#if USE_OPENSSL
+#if HAVE_LIBOPENSSL
 // We are bumping and we had already send "OK CONNECTED"
 if (http.valid() && http->getConn() && http->getConn()->serverBump() && http->getConn()->serverBump()->at(XactionStep::tlsBump2, XactionStep::tlsBump3))
 return false;
diff --git a/test-suite/buildtests/layer-04-everything-no-openssl.opts b/test-suite/buildtests/layer-04-everything-no-openssl.opts
new file mode 100644
index 00000000000..5d3dcba9279
--- /dev/null
+++ b/test-suite/buildtests/layer-04-everything-no-openssl.opts
@@ -0,0 +1,17 @@
+## Copyright (C) 1996-2026 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+srcdir=`dirname $0`
+
+# Everything is supposed to work when OpenSSL is not available.
+. $srcdir/buildtests/layer-02-maximus.opts
+
+DISTCHECK_CONFIGURE_FLAGS=`
+ echo "$DISTCHECK_CONFIGURE_FLAGS" |
+ sed -e 's/with-openssl/without-openssl/g' \
+ -e 's/enable-ssl-crtd/disable-ssl-crtd/g'
+`
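Review bot: The `sed -e 's/with-openssl/without-openssl/g'` near the end of the new .opts file only yields a valid flag when the inherited DISTCHECK_CONFIGURE_FLAGS carry a bare `--with-openssl`; should layer-02-maximus.opts (not visible here) ever pass `--with-openssl=PATH`, the result `--without-openssl=PATH` is rejected by autoconf-generated configure scripts as an invalid package name, and the no-OpenSSL build this layer exists to exercise never runs. Matching the whole option and dropping any attached value, `-e 's/--with-openssl\(=[^ ]*\)\{0,1\}/--without-openssl/g'`, keeps the substitution correct in both cases. The same consideration applies to the `enable-ssl-crtd` pattern on the following line.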