Commit ede63b99ce5f080e32865918eab0d59083505ee7

Patrick Steinhardt 2018-04-03T11:45:00

streams: openssl: unify version checks into single define By now, we have several locations where we are checking the version of OpenSSL to determine whether we can use the new "modern" API or need to use the pre-1.1 legacy API. As we have multiple implementations of OpenSSL with the rather recent libressl implementation, these checks need to honor versions of both implementations, which is rather tedious. Instead, we can just check once for the correct versions and define `OPENSSL_LEGACY_API` in case we cannot use the modern API.

diff --git a/src/streams/openssl.c b/src/streams/openssl.c
index 4b71050..31c0824 100644
--- a/src/streams/openssl.c
+++ b/src/streams/openssl.c
@@ -38,15 +38,18 @@ SSL_CTX *git__ssl_ctx;
 
 #define GIT_SSL_DEFAULT_CIPHERS "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
 
+#if (defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10100000L) || \
+     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+# define OPENSSL_LEGACY_API
+#endif
+
 /*
  * OpenSSL 1.1 made BIO opaque so we have to use functions to interact with it
  * which do not exist in previous versions. We define these inline functions so
  * we can program against the interface instead of littering the implementation
  * with ifdefs.
  */
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
-
+#if defined(OPENSSL_LEGACY_API)
 static BIO_METHOD* BIO_meth_new(int type, const char *name)
 {
 	BIO_METHOD *meth = git__calloc(1, sizeof(BIO_METHOD));
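Review bot: The new `OPENSSL_LEGACY_API` macro sits in the `OPENSSL_` namespace, which belongs to the OpenSSL and LibreSSL headers, so a later release of either library could define the same name with a different meaning. A project-prefixed name such as `GIT_OPENSSL_LEGACY_API` would avoid the clash. The added `defined(OPENSSL_VERSION_NUMBER)` guard also means that if the version header is not included before this point (the includes are outside the hunk), the build silently selects the modern API instead of failing. A `#error` when neither version macro is defined would make that visible. The thresholds deserve a short comment as well, for example `/* OpenSSL < 1.1.0 and LibreSSL < 2.7.0 lack the opaque-struct accessors */`.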
@@ -134,10 +137,7 @@ static const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x)
 	return ASN1_STRING_data((ASN1_STRING *)x);
 }
 
-#endif
-
-#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
-
+# if defined(GIT_THREADS)
 static git_mutex *openssl_locks;
 
 static void openssl_locking_function(
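Review bot: Nesting the locking code under `OPENSSL_LEGACY_API` at `# if defined(GIT_THREADS)` changes behaviour for LibreSSL builds, whereas the commit message describes only a unification of the checks. The removed condition tested only `OPENSSL_VERSION_NUMBER < 0x10100000L`, which LibreSSL does not satisfy as far as I know (it reports a fixed 0x20000000L). Threaded builds against LibreSSL older than 2.7 therefore appear to have skipped the locking callbacks before and will now install them. The same shift applies to the `#if` and `#elif` in `git_openssl_set_locking` in the last two hunks. That is probably the safer outcome for thread safety, but it should be stated in the commit message and checked against a LibreSSL < 2.7 build, since `CRYPTO_THREADID_set_callback` and `CRYPTO_set_locking_callback` must be usable there. The locking helpers start and end outside this hunk.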
@@ -168,8 +168,8 @@ static void shutdown_ssl_locking(void)
 		git_mutex_free(&openssl_locks[i]);
 	git__free(openssl_locks);
 }
-
-#endif /* GIT_THREADS && OPENSSL_VERSION_NUMBER < 0x10100000L */
+# endif /* GIT_THREADS */
+#endif /* OPENSSL_LEGACY_API */
 
 static BIO_METHOD *git_stream_bio_method;
 static int init_bio_method(void);
@@ -202,8 +202,7 @@ int git_openssl_stream_global_init(void)
 	ssl_opts |= SSL_OP_NO_COMPRESSION;
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || \
-    (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x20700000L)
+#if defined(OPENSSL_LEGACY_API)
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
 #else
@@ -258,7 +257,7 @@ static void threadid_cb(CRYPTO_THREADID *threadid)
 
 int git_openssl_set_locking(void)
 {
-#if defined(GIT_THREADS) && OPENSSL_VERSION_NUMBER < 0x10100000L
+#if defined(GIT_THREADS) && defined(OPENSSL_LEGACY_API)
 	int num_locks, i;
 
 	CRYPTO_THREADID_set_callback(threadid_cb);
@@ -277,7 +276,7 @@ int git_openssl_set_locking(void)
 	CRYPTO_set_locking_callback(openssl_locking_function);
 	git__on_shutdown(shutdown_ssl_locking);
 	return 0;
-#elif OPENSSL_VERSION_NUMBER >= 0x10100000L
+#elif !defined(OPENSSL_LEGACY_API)
 	return 0;
 #else
 	giterr_set(GITERR_THREAD, "libgit2 was not built with threads");