Posted to commits@trafficserver.apache.org by jp...@apache.org on 2014/11/10 20:31:42 UTC
trafficserver git commit: TS-3024: build with OPENSSL_NO_SSL_INTERN
Repository: trafficserver
Updated Branches:
refs/heads/master 8a980c0b9 -> f1a144df2
TS-3024: build with OPENSSL_NO_SSL_INTERN
Add in the -DOPENSSL_NO_SSL_INTERN flag for compiling and isolate
exceptions in SSLInternal.cc. This closes #138.
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f1a144df
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f1a144df
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f1a144df
Branch: refs/heads/master
Commit: f1a144df2e5a3f81e3fe11187d3bcb7e8e0f44e5
Parents: 8a980c0
Author: shinrich <sh...@network-geographics.com>
Authored: Fri Nov 7 09:05:10 2014 -0600
Committer: James Peach <jp...@apache.org>
Committed: Mon Nov 10 11:31:36 2014 -0800
----------------------------------------------------------------------
CHANGES | 5 ++++-
build/crypto.m4 | 1 +
iocore/net/Makefile.am | 1 +
iocore/net/OCSPStapling.cc | 5 ++++-
iocore/net/SSLInternal.cc | 35 +++++++++++++++++++++++++++++++++++
iocore/net/SSLNetVConnection.cc | 8 ++++++--
6 files changed, 51 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 6bde89f..db9959c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,10 @@
-*- coding: utf-8 -*-
Changes with Apache Traffic Server 5.2.0
- *) [TS-1175]: Replace LogBuffer's new/delete buffer alloc with ioBufAllocator
+ *) [TS-3024] Build with OPENSSL_NO_SSL_INTERN
+ Author: Susan Hinrichs <sh...@network-geographics.com>
+
+ *) [TS-1175] Replace LogBuffer's new/delete buffer alloc with ioBufAllocator
*) [TS-1432] Adding TSMutexDestroy API
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index f8ad19f..32276a2 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -34,6 +34,7 @@ AC_DEFUN([TS_CHECK_CRYPTO], [
if test "x${enable_crypto}" = "xyes"; then
TS_ADDTO(LDFLAGS, [$OPENSSL_LDFLAGS])
TS_ADDTO(CPPFLAGS, [$OPENSSL_INCLUDES])
+ TS_ADDTO(CPPFLAGS, [-DOPENSSL_NO_SSL_INTERN])
fi
dnl add checks for other varieties of ssl here
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/Makefile.am
----------------------------------------------------------------------
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index da7a476..a053e67 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -90,6 +90,7 @@ libinknet_a_SOURCES = \
SSLCertLookup.cc \
SSLSessionCache.cc \
SSLConfig.cc \
+ SSLInternal.cc \
SSLNetAccept.cc \
SSLNetProcessor.cc \
SSLNetVConnection.cc \
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/OCSPStapling.cc
----------------------------------------------------------------------
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 51212a7..79e6781 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -392,7 +392,10 @@ ssl_callback_ocsp_stapling(SSL *ssl)
certinfo *cinf = NULL;
time_t current_time;
- cinf = stapling_get_cert_info(ssl->ctx);
+ // Assume SSL_get_SSL_CTX() is the same as reaching into the ssl structure
+ // Using the official call, to avoid leaking internal openssl knowledge
+ // originally was, cinf = stapling_get_cert_info(ssl->ctx);
+ cinf = stapling_get_cert_info(SSL_get_SSL_CTX(ssl));
if (cinf == NULL) {
Debug("ssl", "ssl_callback_ocsp_stapling: fail to get certificate information");
return SSL_TLSEXT_ERR_NOACK;
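Review bot: The comment above the new `SSL_get_SSL_CTX(ssl)` call hedges with "Assume" and keeps the dead `ssl->ctx` line, so the next reader cannot tell whether the replacement was verified; `SSL_get_SSL_CTX()` is the public accessor for exactly that field, so the comment should say so plainly rather than preserving doubt. Suggested wording: `// SSL_get_SSL_CTX() is the public accessor for the SSL_CTX bound to this connection; if the SNI callback swaps contexts with SSL_set_SSL_CTX(), this is the swapped-in one, which is the context the stapled response must come from.` The SNI interaction is inferred from OpenSSL's API rather than from this hunk, so confirm it against the SNI callback before committing to that sentence. ssl_callback_ocsp_stapling continues outside the hunk.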
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/SSLInternal.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLInternal.cc b/iocore/net/SSLInternal.cc
new file mode 100644
index 0000000..2589df6
--- /dev/null
+++ b/iocore/net/SSLInternal.cc
@@ -0,0 +1,35 @@
+/** @file
+
+ Functions that break the no internal pact with openssl. We
+ explicitly undefine OPENSSL_NO_SSL_INTERN in this file.
+
+ @section license License
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ */
+#ifdef OPENSSL_NO_SSL_INTERN
+#undef OPENSSL_NO_SSL_INTERN
+#endif
+
+#include <openssl/ssl.h>
+#include "P_Net.h"
+#include "P_SSLNetVConnection.h"
+
+void
+SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio) {
+ sslvc->ssl->rbio = rbio;
+}
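Review bot: `SSL_set_rbio` on the new file's last lines writes `sslvc->ssl->rbio` directly and, unlike `SSL_set_bio()`, never frees or otherwise releases the BIO it overwrites, yet neither the function nor the file header documents that ownership contract, and the function has no header comment at all. Add `/// Replace the read BIO without touching the write BIO. Unlike SSL_set_bio(), the previous rbio is NOT freed; the caller is responsible for it.` above the definition, and consider an `ink_assert(sslvc != NULL && sslvc->ssl != NULL);` as the first statement since a NULL `ssl` dereferences here. The name also lives in OpenSSL's `SSL_` prefix space: because this whole TU compiles against libssl's internal struct layout (the `#undef OPENSSL_NO_SSL_INTERN` at the top is the entire point of the file), a project-specific name such as `ats_ssl_set_rbio` would make it obvious at every call site that this is a local layout-dependent shim and not a libssl API, and would avoid a clash if libssl later exports a similarly named symbol. The layout dependence itself is worth a one-line warning in the file header: any mismatch between the headers built against and the libssl loaded at runtime would put `rbio` at a different offset and silently corrupt the SSL object.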
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index c334733..0db4896 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -27,6 +27,10 @@
#include "P_SSLUtils.h"
#include "InkAPIInternal.h" // Added to include the ssl_hook definitions
+// Defined in SSLInternal.c, should probably make a separate include
+// file for this at some point
+void SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio);
+
#define SSL_READ_ERROR_NONE 0
#define SSL_READ_ERROR 1
#define SSL_READ_READY 2
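Review bot: The added prototype `void SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio);` is a loose declaration duplicated from the definition rather than shared through a header, so the two can drift (a changed parameter type in SSLInternal.cc would only surface as a link error, or not at all if overloads are involved); the comment above it even admits this. Put the declaration in P_SSLNetVConnection.h, which both files already include, and include that header from SSLInternal.cc so the compiler checks the definition against the declaration. The comment also names the file as `SSLInternal.c` while the diffstat adds `iocore/net/SSLInternal.cc`; fix the filename or, once the prototype moves to the header, drop the comment entirely.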
@@ -369,7 +373,7 @@ SSLNetVConnection::read_raw_data()
// inserted buffer bios to be freed and then reinserted.
//BIO *wbio = SSL_get_wbio(this->ssl);
//SSL_set_bio(this->ssl, rbio, wbio);
- this->ssl->rbio = rbio;
+ SSL_set_rbio(this, rbio);
return r;
}
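Review bot: `SSL_set_rbio(this, rbio)` overwrites whatever read BIO was previously installed on `this->ssl` without releasing it, which is the same behaviour as the old direct assignment but now hidden behind a call that looks like a libssl setter. If the previous rbio is still referenced by the buffer chain the surrounding comment alludes to, that is fine; if it is not, every call here leaks a BIO per read. Which case applies is not visible in this hunk, so state it at the call site, e.g. `// The old rbio is still owned by the inserted buffer chain; do not free it here.` (or the opposite, with a BIO_free) so the ownership is explicit. read_raw_data begins outside the hunk.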
@@ -529,7 +533,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread)
// assigns the read bio. Originally I was getting and
// resetting the same write bio, but that caused the
// inserted buffer bios to be freed and then reinserted.
- this->ssl->rbio = rbio;
+ SSL_set_rbio(this, rbio);
//BIO *wbio = SSL_get_wbio(this->ssl);
//SSL_set_bio(this->ssl, rbio, wbio);
}
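Review bot: The three-line justification for not using `SSL_set_bio()` ("that caused the inserted buffer bios to be freed and then reinserted") is now repeated verbatim at this call site and the one in read_raw_data, while the helper that actually performs the raw assignment carries no explanation at all; the reason belongs on `SSL_set_rbio`'s definition, and each call site can shrink to the single call. Moving the comment once also keeps the two sites from drifting if the explanation is ever updated in one place only. Consider making the helper a private member (e.g. `SSLNetVConnection::replace_rbio(BIO *)`) so it is not callable from arbitrary code with an arbitrary `SSLNetVConnection *`. net_read_io begins outside the hunk.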