------------------------------------------------------------ revno: 12585 revision-id: squid3@treenet.co.nz-20130704044207-g88vxd85lzwmn93h parent: squid3@treenet.co.nz-20130704044034-geszs38xi18c3rjo fixes bug(s): http://bugs.squid-cache.org/show_bug.cgi?id=3297 http://bugs.squid-cache.org/show_bug.cgi?id=3759 author: Christos Tsantilas committer: Amos Jeffries branch nick: 3.3 timestamp: Wed 2013-07-03 22:42:07 -0600 message: Bug 3297: Fix openSSL related build failures - The SSL_CTX_new in newer openSSL releases requires a const 'SSL_METHOD *' argument and in older releases requires non const 'SSL_METHD *' argument. Currently we are trying to identify openSSL version using the OPENSSL_VERSION_NUMBER macro define but we are failing to correctly identify all cases. - sk_OPENSSL_PSTRING_value is buggy in early openSSL-1.0.0? releases causing compile errors to squid. This is a Measurement Factory project ------------------------------------------------------------ # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: squid3@treenet.co.nz-20130704044207-g88vxd85lzwmn93h # target_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # testament_sha1: b927f4a91d352335f819b0f2fa34d9669a74f12f # timestamp: 2013-07-04 04:57:41 +0000 # source_branch: http://bzr.squid-cache.org/bzr/squid3/3.3 # base_revision_id: squid3@treenet.co.nz-20130704044034-\ # geszs38xi18c3rjo # # Begin patch === modified file 'acinclude/lib-checks.m4' --- acinclude/lib-checks.m4 2013-05-19 03:12:36 +0000 +++ acinclude/lib-checks.m4 2013-07-04 04:42:07 +0000 
@@ -159,6 +159,37 @@ SQUID_STATE_ROLLBACK(check_SSL_get_certificate) ]) +dnl Checks whether the SSL_CTX_new and similar functions require +dnl a const 'SSL_METHOD *' argument +AC_DEFUN([SQUID_CHECK_OPENSSL_CONST_SSL_METHOD],[ + AH_TEMPLATE(SQUID_USE_CONST_SSL_METHOD, "Define to 1 if the SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'") + SQUID_STATE_SAVE(check_const_SSL_METHOD) + AC_MSG_CHECKING(whether SSL_CTX_new and similar openSSL API functions require 'const SSL_METHOD *'") + + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [ + #include + #include + ], + [ + const SSL_METHOD *method = NULL; + SSL_CTX *sslContext = SSL_CTX_new(method); + return (sslContext != NULL); + ]) + ], + [ + AC_DEFINE(SQUID_USE_CONST_SSL_METHOD, 1) + AC_MSG_RESULT([yes]) + ], + [ + AC_MSG_RESULT([no]) + ], + []) + +SQUID_STATE_ROLLBACK(check_const_SSL_METHOD) +] +) dnl Try to handle TXT_DB related problems: dnl 1) The type of TXT_DB::data member changed in openSSL-1.0.1 version @@ -167,11 +198,13 @@ AC_DEFUN([SQUID_CHECK_OPENSSL_TXTDB],[ AH_TEMPLATE(SQUID_SSLTXTDB_PSTRINGDATA, "Define to 1 if the TXT_DB uses OPENSSL_PSTRING data member") + AH_TEMPLATE(SQUID_STACKOF_PSTRINGDATA_HACK, "Define to 1 to use squid workaround for buggy versions of sk_OPENSSL_PSTRING_value") AH_TEMPLATE(SQUID_USE_SSLLHASH_HACK, "Define to 1 to use squid workaround for openssl IMPLEMENT_LHASH_* type conversion errors") SQUID_STATE_SAVE(check_TXTDB) LIBS="$LIBS $SSLLIB" + squid_cv_check_openssl_pstring="no" AC_MSG_CHECKING(whether the TXT_DB use OPENSSL_PSTRING data member) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM( 
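Review bot: The SQUID_CHECK_OPENSSL_CONST_SSL_METHOD probe only gives the right answer when its test program is compiled as C++, because passing a `const SSL_METHOD *` to a non-const parameter is a hard error in C++ but usually only a warning in C. Nothing inside the macro pins the language, so if it is ever expanded while the current language is C it would presumably answer yes on old OpenSSL and the build would then break at the `ContextMethod` users; wrapping the body in `AC_LANG_PUSH([C++])` and `AC_LANG_POP([C++])` makes the dependency explicit. Separately, the `AC_MSG_CHECKING(...)` argument ends with a stray `"` after `'const SSL_METHOD *'` and is not m4-quoted with `[...]`.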
@@ -187,12 +220,36 @@ [ AC_DEFINE(SQUID_SSLTXTDB_PSTRINGDATA, 1) AC_MSG_RESULT([yes]) + squid_cv_check_openssl_pstring="yes" ], [ AC_MSG_RESULT([no]) ], []) + if test x"$squid_cv_check_openssl_pstring" = "xyes"; then + AC_MSG_CHECKING(whether the squid workaround for buggy versions of sk_OPENSSL_PSTRING_value should used) + AC_COMPILE_IFELSE([ + AC_LANG_PROGRAM( + [ + #include + ], + [ + TXT_DB *db = NULL; + const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, 0)); + return (current_row != NULL); + ]) + ], + [ + AC_MSG_RESULT([no]) + ], + [ + AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1) + AC_MSG_RESULT([yes]) + ], + []) + fi + AC_MSG_CHECKING(whether the workaround for OpenSSL IMPLEMENT_LHASH_ macros should used) AC_COMPILE_IFELSE([ AC_LANG_PROGRAM( === modified file 'configure.ac' --- configure.ac 2013-07-04 04:40:34 +0000 +++ configure.ac 2013-07-04 04:42:07 +0000 @@ -1266,6 +1266,7 @@ if test "x$with_openssl" = "xyes"; then SQUID_CHECK_OPENSSL_GETCERTIFICATE_WORKS +SQUID_CHECK_OPENSSL_CONST_SSL_METHOD SQUID_CHECK_OPENSSL_TXTDB fi === modified file 'src/ssl/certificate_db.cc' --- src/ssl/certificate_db.cc 2013-05-19 03:12:36 +0000 +++ src/ssl/certificate_db.cc 2013-07-04 04:42:07 +0000 @@ -167,7 +167,11 @@ #if SQUID_SSLTXTDB_PSTRINGDATA for (int i = 0; i < sk_OPENSSL_PSTRING_num(db->data); ++i) { +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i)); +#else const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db->data, i)); +#endif #else for (int i = 0; i < sk_num(db->data); ++i) { const char ** current_row = ((const char **)sk_value(db->data, i)); 
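Review bot: The sk_OPENSSL_PSTRING_value probe treats every compile failure as proof of the OpenSSL bug, so an unrelated failure (a missing header, a changed TXT_DB layout) also defines SQUID_STACKOF_PSTRINGDATA_HACK. The fallback expression that the hack switches to is never test-compiled, so configure can enable a workaround that does not build either. I would test-compile the fallback inside the failure branch and define the macro only when it succeeds, as sketched below. The flag `squid_cv_check_openssl_pstring` set in the previous hunk is a plain shell variable that is reset on every run, so a name without the `_cv_` cache-variable infix would be less misleading, and the checking message reads "should used" where "should be used" is meant.

```m4
      [
        dnl … unchanged: AC_MSG_RESULT([no]) when sk_OPENSSL_PSTRING_value compiles …
      ],
      [
        dnl Enable the workaround only if the fallback expression itself compiles.
        AC_COMPILE_IFELSE([
          AC_LANG_PROGRAM(
            [
              #include <openssl/txt_db.h>
            ],
            [
              TXT_DB *db = NULL;
              const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), 0));
              return (current_row != NULL);
            ])
          ],
          [
            AC_DEFINE(SQUID_STACKOF_PSTRINGDATA_HACK, 1)
            AC_MSG_RESULT([yes])
          ],
          [
            AC_MSG_ERROR([neither sk_OPENSSL_PSTRING_value nor the sk_value workaround compiles])
          ])
      ],
```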
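Review bot: The nested `#if` that decides how to read a row from `db->data` is written out inline here and again in the hunks at -517, -548 and -565 of the same file, so the next OpenSSL quirk has to be patched in four places and one is easily missed. A single file-local accessor would keep the casts and the `CHECKED_STACK_OF` workaround in one spot and leave the loops with only the `sk_*_num` choice. The enclosing functions start and end outside these hunks, so the helper name and the call site below are a proposal, not existing code.

```cpp
/// Returns row i of a TXT_DB, hiding the OpenSSL-version-specific stack accessors.
static const char **
txtDbRow(TXT_DB *db, int i)
{
#if SQUID_SSLTXTDB_PSTRINGDATA && SQUID_STACKOF_PSTRINGDATA_HACK
    return (const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db->data), i);
#elif SQUID_SSLTXTDB_PSTRINGDATA
    return (const char **)sk_OPENSSL_PSTRING_value(db->data, i);
#else
    return (const char **)sk_value(db->data, i);
#endif
}

// … unchanged: loop headers choosing sk_OPENSSL_PSTRING_num or sk_num …
        const char ** current_row = txtDbRow(db.get(), i);
```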
@@ -517,7 +521,11 @@ bool removed_one = false; #if SQUID_SSLTXTDB_PSTRINGDATA for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) { +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i)); +#else const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i)); +#endif #else for (int i = 0; i < sk_num(db.get()->data); ++i) { const char ** current_row = ((const char **)sk_value(db.get()->data, i)); @@ -548,7 +556,11 @@ return false; #if SQUID_SSLTXTDB_PSTRINGDATA +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char **row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), 0)); +#else const char **row = (const char **)sk_OPENSSL_PSTRING_value(db.get()->data, 0); +#endif #else const char **row = (const char **)sk_value(db.get()->data, 0); #endif @@ -565,7 +577,11 @@ #if SQUID_SSLTXTDB_PSTRINGDATA for (int i = 0; i < sk_OPENSSL_PSTRING_num(db.get()->data); ++i) { +#if SQUID_STACKOF_PSTRINGDATA_HACK + const char ** current_row = ((const char **)sk_value(CHECKED_STACK_OF(OPENSSL_PSTRING, db.get()->data), i)); +#else const char ** current_row = ((const char **)sk_OPENSSL_PSTRING_value(db.get()->data, i)); +#endif #else for (int i = 0; i < sk_num(db.get()->data); ++i) { const char ** current_row = ((const char **)sk_value(db.get()->data, i)); === modified file 'src/ssl/gadgets.h' --- src/ssl/gadgets.h 2012-09-06 13:12:26 +0000 +++ src/ssl/gadgets.h 2013-07-04 04:42:07 +0000 @@ -26,10 +26,10 @@ because they are used by ssl_crtd. */ -#if OPENSSL_VERSION_NUMBER < 0x00909000L +#if SQUID_USE_CONST_SSL_METHOD +typedef const SSL_METHOD * ContextMethod; +#else typedef SSL_METHOD * ContextMethod; -#else -typedef const SSL_METHOD * ContextMethod; #endif /** === modified file 'src/ssl/support.cc' --- src/ssl/support.cc 2013-06-02 16:01:18 +0000 +++ src/ssl/support.cc 2013-07-04 04:42:07 +0000 
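Review bot: The `ContextMethod` typedef now depends on SQUID_USE_CONST_SSL_METHOD, but nothing at this `#if` says where the macro comes from or that the configure-generated header must already have been included. With the macro undefined the preprocessor silently takes the `#else` branch and picks the non-const typedef, which per the commit message is the wrong one for newer OpenSSL releases. I would add a comment above the `#if`, for example `/* SQUID_USE_CONST_SSL_METHOD is set by configure (SQUID_CHECK_OPENSSL_CONST_SSL_METHOD); the generated config header must be included before this file. */`.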
@@ -940,12 +940,8 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, const char *cipher, const char *options, const char *flags, const char *CAfile, const char *CApath, const char *CRLfile) { int ssl_error; -#if OPENSSL_VERSION_NUMBER < 0x00909000L - SSL_METHOD *method; -#else - const SSL_METHOD *method; -#endif - SSL_CTX *sslContext; + Ssl::ContextMethod method; + SSL_CTX * sslContext; long fl = Ssl::parse_flags(flags); ssl_initialize();
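Review bot: `method` and `sslContext` are still declared without an initialiser in sslCreateClientContext, and the hunk does not show where they are first assigned. Since the declarations are being rewritten anyway, initialising both, `Ssl::ContextMethod method = NULL;` and `SSL_CTX *sslContext = NULL;`, would make any path that skips the assignment fail predictably instead of reading an indeterminate pointer. The change from `SSL_CTX *sslContext;` to `SSL_CTX * sslContext;` is whitespace only and could be dropped to keep the patch minimal. The function body continues outside the hunk.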