Posted to commits@trafficserver.apache.org by jp...@apache.org on 2014/11/10 20:31:42 UTC

trafficserver git commit: TS-3024: build with OPENSSL_NO_SSL_INTERN

Repository: trafficserver
Updated Branches:
  refs/heads/master 8a980c0b9 -> f1a144df2


TS-3024: build with OPENSSL_NO_SSL_INTERN

Add in the -DOPENSSL_NO_SSL_INTERN flag for compiling and isolate
exceptions in SSLInternal.cc. This closes #138.


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f1a144df
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f1a144df
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f1a144df

Branch: refs/heads/master
Commit: f1a144df2e5a3f81e3fe11187d3bcb7e8e0f44e5
Parents: 8a980c0
Author: shinrich <sh...@network-geographics.com>
Authored: Fri Nov 7 09:05:10 2014 -0600
Committer: James Peach <jp...@apache.org>
Committed: Mon Nov 10 11:31:36 2014 -0800

----------------------------------------------------------------------
 CHANGES                         |  5 ++++-
 build/crypto.m4                 |  1 +
 iocore/net/Makefile.am          |  1 +
 iocore/net/OCSPStapling.cc      |  5 ++++-
 iocore/net/SSLInternal.cc       | 35 +++++++++++++++++++++++++++++++++++
 iocore/net/SSLNetVConnection.cc |  8 ++++++--
 6 files changed, 51 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 6bde89f..db9959c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,7 +1,10 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.2.0
 
-  *) [TS-1175]: Replace LogBuffer's new/delete buffer alloc with ioBufAllocator
+  *) [TS-3024] Build with OPENSSL_NO_SSL_INTERN
+   Author: Susan Hinrichs <sh...@network-geographics.com>
+
+  *) [TS-1175] Replace LogBuffer's new/delete buffer alloc with ioBufAllocator
 
   *) [TS-1432] Adding TSMutexDestroy API
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/build/crypto.m4
----------------------------------------------------------------------
diff --git a/build/crypto.m4 b/build/crypto.m4
index f8ad19f..32276a2 100644
--- a/build/crypto.m4
+++ b/build/crypto.m4
@@ -34,6 +34,7 @@ AC_DEFUN([TS_CHECK_CRYPTO], [
   if test "x${enable_crypto}" = "xyes"; then
     TS_ADDTO(LDFLAGS, [$OPENSSL_LDFLAGS])
     TS_ADDTO(CPPFLAGS, [$OPENSSL_INCLUDES])
+    TS_ADDTO(CPPFLAGS, [-DOPENSSL_NO_SSL_INTERN])
   fi
 
   dnl add checks for other varieties of ssl here

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/Makefile.am
----------------------------------------------------------------------
diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am
index da7a476..a053e67 100644
--- a/iocore/net/Makefile.am
+++ b/iocore/net/Makefile.am
@@ -90,6 +90,7 @@ libinknet_a_SOURCES = \
   SSLCertLookup.cc \
   SSLSessionCache.cc \
   SSLConfig.cc \
+  SSLInternal.cc \
   SSLNetAccept.cc \
   SSLNetProcessor.cc \
   SSLNetVConnection.cc \

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/OCSPStapling.cc
----------------------------------------------------------------------
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 51212a7..79e6781 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -392,7 +392,10 @@ ssl_callback_ocsp_stapling(SSL *ssl)
   certinfo *cinf = NULL;
   time_t current_time;
 
-  cinf = stapling_get_cert_info(ssl->ctx);
+  // Assume SSL_get_SSL_CTX() is the same as reaching into the ssl structure
+  // Using the official call, to avoid leaking internal openssl knowledge
+  // originally was, cinf = stapling_get_cert_info(ssl->ctx);
+  cinf = stapling_get_cert_info(SSL_get_SSL_CTX(ssl));
   if (cinf == NULL) {
     Debug("ssl", "ssl_callback_ocsp_stapling: fail to get certificate information");
     return SSL_TLSEXT_ERR_NOACK;
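Review bot: The new comment in `ssl_callback_ocsp_stapling` is phrased as an assumption and keeps the removed statement as text, which leaves a reader unsure whether the accessor was checked to be equivalent. `SSL_get_SSL_CTX()` returns the context currently attached to the connection, so the comment can say that directly, e.g. `// Use the public accessor for the connection's SSL_CTX rather than reading ssl->ctx.` The function body starts and ends outside this hunk.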

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/SSLInternal.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLInternal.cc b/iocore/net/SSLInternal.cc
new file mode 100644
index 0000000..2589df6
--- /dev/null
+++ b/iocore/net/SSLInternal.cc
@@ -0,0 +1,35 @@
+/** @file
+
+  Functions that break the no internal pact with openssl.  We
+  explicitly undefine OPENSSL_NO_SSL_INTERN in this file.
+
+  @section license License
+
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+ */
+#ifdef OPENSSL_NO_SSL_INTERN
+#undef OPENSSL_NO_SSL_INTERN
+#endif
+
+#include <openssl/ssl.h>
+#include "P_Net.h"
+#include "P_SSLNetVConnection.h"
+
+void
+SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio) {
+  sslvc->ssl->rbio = rbio;
+}
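Review bot: `SSL_set_rbio` has no comment saying who owns the BIO that was in `sslvc->ssl->rbio` before the assignment, and the direct store skips whatever bookkeeping OpenSSL's own setters perform, so a reader cannot tell whether the old BIO is leaked or still referenced elsewhere. A short header comment would cover it, e.g. `// Replaces only the read BIO without freeing the previous one; the caller keeps ownership of the old rbio.` (wording to be confirmed against the callers, which are outside this hunk). Because this file is compiled against the layout of `struct ssl_st`, the file comment should also state that the OpenSSL headers used at build time must match the libssl loaded at run time, otherwise the write lands at the wrong offset. The `SSL_` prefix puts a project function in OpenSSL's naming space; a project-prefixed name would avoid confusion with library API.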

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f1a144df/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index c334733..0db4896 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -27,6 +27,10 @@
 #include "P_SSLUtils.h"
 #include "InkAPIInternal.h"	// Added to include the ssl_hook definitions
 
+// Defined in SSLInternal.c, should probably make a separate include
+// file for this at some point
+void SSL_set_rbio(SSLNetVConnection *sslvc, BIO *rbio);
+
 #define SSL_READ_ERROR_NONE	  0
 #define SSL_READ_ERROR		  1
 #define SSL_READ_READY		  2
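Review bot: The hand-written prototype for `SSL_set_rbio` is a second copy of the signature defined in SSLInternal.cc, and the comment above it names the file as `SSLInternal.c` rather than `SSLInternal.cc`. SSLInternal.cc already includes `P_SSLNetVConnection.h`, so declaring the function there (assuming this file includes it too, which is not visible in the hunk) would give both translation units a single declaration to compile against. Until that is done the comment could read `// Defined in SSLInternal.cc, which isolates the one direct access to OpenSSL's struct ssl_st.`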
@@ -369,7 +373,7 @@ SSLNetVConnection::read_raw_data()
   // inserted buffer bios to be freed and then reinserted.
   //BIO *wbio = SSL_get_wbio(this->ssl);
   //SSL_set_bio(this->ssl, rbio, wbio);
-  this->ssl->rbio = rbio;
+  SSL_set_rbio(this, rbio);
  
   return r;
 }
@@ -529,7 +533,7 @@ SSLNetVConnection::net_read_io(NetHandler *nh, EThread *lthread)
         // assigns the read bio.  Originally I was getting and
         // resetting the same write bio, but that caused the 
         // inserted buffer bios to be freed and then reinserted.
-        this->ssl->rbio = rbio;
+        SSL_set_rbio(this, rbio);
         //BIO *wbio = SSL_get_wbio(this->ssl);
         //SSL_set_bio(this->ssl, rbio, wbio);
       }