diff --git a/extra/testproxy/sslproxy.conf b/extra/testproxy/sslproxy.conf
index 33a24ff..f603e80 100644
--- a/extra/testproxy/sslproxy.conf
+++ b/extra/testproxy/sslproxy.conf
@@ -1,4 +1,4 @@
-# TestProxy test configuration for sslproxy v0.6.0
+# TestProxy test configuration for sslproxy v0.7.0
 
 # Global options
 #User _sslproxy
@@ -10,7 +10,7 @@ Debug yes
 DebugLevel 4
 #OpenFilesLimit 1024
 #LeafCerts /etc/sslproxy/leaf.key
-#LeafKeyRSABits 1024
+#LeafKeyRSABits 2048
 #OpenSSLEngine cloudhsm
 #TargetCertDir /etc/sslproxy/target
 #WriteGenCertsDir /var/log/sslproxy
diff --git a/ssl.c b/ssl.c
index b47a0cf..2085154 100644
--- a/ssl.c
+++ b/ssl.c
@@ -92,7 +92,7 @@ ssl_ssl_cert_get(SSL *s)
 }
 #endif /* OpenSSL 0.9.8y, 1.0.0k or 1.0.1e */
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L)
 int
 DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
 {
@@ -269,7 +269,7 @@ ssl_openssl_version(void)
  */
 static int ssl_initialized = 0;
 
-#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 struct CRYPTO_dynlock_value {
 	pthread_mutex_t mutex;
 };
@@ -368,7 +368,7 @@ ssl_init(void)
 		return 0;
 
 	/* general initialization */
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20701000L)
 	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG
 #ifndef OPENSSL_NO_ENGINE
 	                    |OPENSSL_INIT_ENGINE_ALL_BUILTIN
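Review bot: The LibreSSL version test introduced on the changed `#if` before DH_set0_pqg is pasted verbatim into the @@ -269, @@ -368, @@ -385, @@ -459, @@ -480, @@ -600, @@ -876, @@ -1366, @@ -1502, @@ -1517 and @@ -1532 hunks, each carrying its own copy of 0x20701000L, so a later threshold bump or one mistyped comparison (the @@ -1366 hunk already differs from the rest) is easy to miss. Define the cut-over once in ssl.h as a 0/1 macro (name below is only a suggestion) and test that macro at every site, keeping `defined()` out of the macro body itself because a macro expanding to `defined` inside `#if` is undefined behaviour in C11. The threshold would also benefit from a one-line comment naming the LibreSSL release that first ships DH_set0_pqg and the other 1.1-style accessors: 0x20701000L means 2.7.1 and I cannot confirm from the diff that 2.7.0 lacks them. The DH_set0_pqg body continues past the hunk.
```c
/* ssl.h: single source of truth for the OpenSSL 1.1-style API cut-over */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || \
    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20701000L)
#define SSL_HAVE_OPENSSL11_API 1
#else
#define SSL_HAVE_OPENSSL11_API 0
#endif

/* ssl.c, at each site listed above, e.g. the shim guarded in this hunk: */
#if !SSL_HAVE_OPENSSL11_API
/* … unchanged: DH_set0_pqg shim … */
```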
@@ -385,12 +385,12 @@ ssl_init(void)
 #endif /* PURIFY */
 	SSL_load_error_strings();
 	OpenSSL_add_all_algorithms();
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L)
 	OPENSSL_config(NULL);
 #endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 
 	/* thread-safety */
-#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 	ssl_mutex_num = CRYPTO_num_locks();
 	ssl_mutex = malloc(ssl_mutex_num * sizeof(*ssl_mutex));
 	for (int i = 0; i < ssl_mutex_num; i++) {
@@ -459,7 +459,7 @@ ssl_reinit(void)
 	if (!ssl_initialized)
 		return 0;
 
-#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 	for (int i = 0; i < ssl_mutex_num; i++) {
 		if (pthread_mutex_init(&ssl_mutex[i], NULL)) {
 			return -1;
@@ -480,12 +480,12 @@ ssl_fini(void)
 	if (!ssl_initialized)
 		return;
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L)
 	ERR_remove_state(0); /* current thread */
 #endif
 
 #if defined(OPENSSL_THREADS) && \
-    ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+    ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 	CRYPTO_set_locking_callback(NULL);
 	CRYPTO_set_dynlock_create_callback(NULL);
 	CRYPTO_set_dynlock_lock_callback(NULL);
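Review bot: The trailing comment `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */` two lines below the changed `#if` in the @@ -385 hunk now describes only half of the condition it closes; update it to `#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L || LibreSSL < 2.7.1 */`, and the closing `#endif`s of the other changed `#if`s, which lie outside these hunks, probably carry the same stale text. In the same hunk `ssl_mutex = malloc(ssl_mutex_num * sizeof(*ssl_mutex));` is indexed by the loop on the next line with no NULL check; that predates the commit, but while the block is being touched `if (!ssl_mutex) return -1;` before the loop would close it, matching the `return -1;` convention ssl_reinit uses in the @@ -459 hunk. ssl_init's body continues outside the hunk.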
@@ -600,7 +600,7 @@ ssl_ssl_masterkey_to_str(SSL *ssl)
 	char *str = NULL;
 	int rv;
 	unsigned char *k, *r;
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20701000L)
 	unsigned char kbuf[48], rbuf[32];
 	k = &kbuf[0];
 	r = &rbuf[0];
@@ -876,7 +876,7 @@ ssl_rand(void *p, size_t sz)
 {
 	int rv;
 
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L)
 	rv = RAND_pseudo_bytes((unsigned char*)p, sz);
 	if (rv == 1)
 		return 0;
@@ -1366,7 +1366,7 @@ ssl_key_genrsa(const int keysize)
 	EVP_PKEY *pkey;
 	RSA *rsa;
 
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER)
+#if (OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L)
 	BIGNUM *bn;
 	int rv;
 	rsa = RSA_new();
@@ -1502,7 +1502,7 @@ ssl_x509_fingerprint(X509 *crt, int colons)
 void
 ssl_dh_refcount_inc(DH *dh)
 {
-#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 	CRYPTO_add(&dh->references, 1, CRYPTO_LOCK_DH);
 #else /* !OPENSSL_THREADS */
 	DH_up_ref(dh);
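Review bot: The new condition in the @@ -1366 hunk (ssl_key_genrsa) tests `LIBRESSL_VERSION_NUMBER < 0x20701000L`, whereas the @@ -368 and @@ -600 hunks, which pair the same LibreSSL clause with `OPENSSL_VERSION_NUMBER >= 0x10100000L`, use `>=`; as written, LibreSSL 2.7.1 and newer take whatever the `#else` branch outside the hunk does while older LibreSSL gets the `RSA_new()`/`BIGNUM` path, the opposite direction from every other site in the commit. If the inversion is deliberate it needs a comment on the `#if` saying why; if it is a typo the line should read `... && LIBRESSL_VERSION_NUMBER >= 0x20701000L)`. Separately, the @@ -876 hunk keeps `RAND_pseudo_bytes` on the legacy path, where only a return of 1 guarantees cryptographically strong output, so the `rv == 1` test is the right one and the handling of the other return values past the hunk should keep treating them as failure. ssl_key_genrsa's and ssl_rand's bodies both continue outside their hunks.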
@@ -1517,7 +1517,7 @@ ssl_dh_refcount_inc(DH *dh)
 void
 ssl_key_refcount_inc(EVP_PKEY *key)
 {
-#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 	CRYPTO_add(&key->references, 1, CRYPTO_LOCK_EVP_PKEY);
 #else /* !OPENSSL_THREADS */
 	EVP_PKEY_up_ref(key);
@@ -1532,7 +1532,7 @@ ssl_key_refcount_inc(EVP_PKEY *key)
 void
 ssl_x509_refcount_inc(X509 *crt)
 {
-#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || defined(LIBRESSL_VERSION_NUMBER))
+#if defined(OPENSSL_THREADS) && ((OPENSSL_VERSION_NUMBER < 0x10100000L) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20701000L))
 	CRYPTO_add(&crt->references, 1, CRYPTO_LOCK_X509);
 #else /* !OPENSSL_THREADS */
 	X509_up_ref(crt);
diff --git a/ssl.h b/ssl.h
index 9f9a58a..4ba2dd7 100644
--- a/ssl.h
+++ b/ssl.h
@@ -74,8 +74,12 @@
 
 /*
  * SHA0 was removed in OpenSSL 1.1.0, including OPENSSL_NO_SHA0.
+ * @attention We have to use '&& !defined(LIBRESSL_VERSION_NUMBER)'
+ * in similar if conditions in compiler directives,
+ * because OPENSSL_VERSION_NUMBER in LibreSSL is always 0x20000000L,
+ * hence OPENSSL_VERSION_NUMBER >= 0x10100000L condition is always satisfied
  */
-#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_NO_SHA0)
+#if ((OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)) || (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x20030001L)) && !defined(OPENSSL_NO_SHA0)
 #define OPENSSL_NO_SHA0
 #endif
 
diff --git a/sslproxy.conf b/sslproxy.conf
index ac83dbb..0948576 100644
--- a/sslproxy.conf
+++ b/sslproxy.conf
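Review bot: The SHA0 guard in the ssl.h hunk cuts over at `LIBRESSL_VERSION_NUMBER >= 0x20030001L` while every ssl.c hunk uses 0x20701000L, and the new @attention comment explains the `!defined(LIBRESSL_VERSION_NUMBER)` idiom without saying why this one site uses a different release, so a later clean-up that "harmonises" the two numbers would silently change which LibreSSL builds get OPENSSL_NO_SHA0. Add one line to the comment stating which LibreSSL release 0x20030001L denotes and what changed there (that is not recoverable from the diff), e.g. ` * LibreSSL: SHA0 guard cuts over at <release for 0x20030001L>, independently of the 2.7.1 API cut-over used in ssl.c.` The wording `hence OPENSSL_VERSION_NUMBER >= 0x10100000L condition is always satisfied` reads better as `hence the OPENSSL_VERSION_NUMBER >= 0x10100000L test is always true under LibreSSL`. The @@ -1517 and @@ -1532 hunks are identical in shape to the refcount helper at @@ -1502 and raise nothing on their own.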
@@ -301,6 +301,6 @@ ProxySpec {
 	UserTimeout 300
 	UserAuthURL https://192.168.0.1/userdblogin.php
 	ValidateProto yes
-	# Proxyspec specific passites are appended to the cloned global passites
+	# Proxyspec specific passsites are appended to the cloned global passsites
 	PassSite example2.com
 }