Posted to commits@trafficserver.apache.org by bc...@apache.org on 2016/01/05 20:19:41 UTC

trafficserver git commit: TS-4088: Add support for BoringSSL

Repository: trafficserver
Updated Branches:
  refs/heads/master 7bd0b79e9 -> de05b781e


TS-4088: Add support for BoringSSL

This closes #386


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/de05b781
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/de05b781
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/de05b781

Branch: refs/heads/master
Commit: de05b781e5da2fe7526be571e0938b8531108b08
Parents: 7bd0b79
Author: Bryan Call <bc...@apache.org>
Authored: Tue Jan 5 10:41:50 2016 -0800
Committer: Bryan Call <bc...@apache.org>
Committed: Tue Jan 5 10:43:59 2016 -0800

----------------------------------------------------------------------
 iocore/net/OCSPStapling.cc      |  6 +++---
 iocore/net/P_OCSPStapling.h     |  1 +
 iocore/net/P_SSLClientUtils.h   |  6 +++++-
 iocore/net/P_SSLUtils.h         |  8 ++++----
 iocore/net/SSLNetVConnection.cc |  5 +++++
 iocore/net/SSLUtils.cc          | 14 ++++++++++++--
 lib/ts/X509HostnameValidator.cc |  4 +++-
 7 files changed, 33 insertions(+), 11 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/OCSPStapling.cc
----------------------------------------------------------------------
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 67e7fe6..87c356a 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -19,14 +19,14 @@
   limitations under the License.
  */
 
-#include <openssl/ocsp.h>
 #include "P_OCSPStapling.h"
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+
+#include <openssl/ocsp.h>
 #include "P_Net.h"
 #include "P_SSLConfig.h"
 #include "P_SSLUtils.h"
 
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
-
 // Maxiumum OCSP stapling response size.
 // This should be the response for a single certificate and will typically include the responder certificate chain,
 // so 10K should be more than enough.
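Review bot: Moving `<openssl/ocsp.h>` under `HAVE_OPENSSL_OCSP_STAPLING` means a BoringSSL build in which the probed macros are absent compiles the entire OCSP stapling implementation out silently, so an operator who enables stapling in configuration would serve no stapled responses with no build-time hint. Consider an `#else` branch with `#warning "OCSP stapling is not available with this TLS library"`, or at least a comment at the `#ifdef` stating that stapling is compiled out when the macro probe in P_OCSPStapling.h fails, since that probe is now what decides it. Whether a runtime warning already exists where the stapling setting is read is not visible from this hunk.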

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_OCSPStapling.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index ddb8425..e93516e 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -24,6 +24,7 @@
 
 #include <openssl/ssl.h>
 
+// TODO: This should be moved to autoconf
 #ifdef sk_OPENSSL_STRING_pop
 #ifdef SSL_CTX_set_tlsext_status_cb
 #define HAVE_OPENSSL_OCSP_STAPLING 1

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_SSLClientUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLClientUtils.h b/iocore/net/P_SSLClientUtils.h
index 0b94df4..542cf11 100644
--- a/iocore/net/P_SSLClientUtils.h
+++ b/iocore/net/P_SSLClientUtils.h
@@ -27,9 +27,13 @@
 #include "P_SSLUtils.h"
 #include "P_SSLConfig.h"
 
-#include <openssl/opensslconf.h>
 #include <openssl/ssl.h>
 
+// BoringSSL does not have this include file
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/opensslconf.h>
+#endif
+
 // Create and initialize a SSL client context.
 SSL_CTX *SSLInitClientContext(const struct SSLConfigParams *param);
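Review bot: The `#ifndef OPENSSL_IS_BORINGSSL` guard only works because `<openssl/ssl.h>` is now included above it: `OPENSSL_IS_BORINGSSL` is defined by BoringSSL's own headers, so it is unset until one of them has been included, and re-sorting these includes later would silently re-enable the `opensslconf.h` include on BoringSSL. Document the ordering dependency in the comment, e.g. `// BoringSSL does not ship opensslconf.h; OPENSSL_IS_BORINGSSL comes from <openssl/ssl.h>, so that include must stay above this check.`. With OpenSSL, `<openssl/ssl.h>` presumably pulls in `opensslconf.h` itself, making the conditional include redundant there but harmless.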
 

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_SSLUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index cc58e58..f890190 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -27,12 +27,12 @@
 #include "P_SSLClientUtils.h"
 
 #define OPENSSL_THREAD_DEFINES
-#include <openssl/opensslconf.h>
-#include <openssl/ssl.h>
 
-#if !defined(OPENSSL_THREADS)
-#error Traffic Server requires a OpenSSL library that support threads
+// BoringSSL does not have this include file
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/opensslconf.h>
 #endif
+#include <openssl/ssl.h>
 
 struct SSLConfigParams;
 struct SSLCertLookup;
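Review bot: The hunk drops the `#if !defined(OPENSSL_THREADS)` / `#error` guard for every build, not only BoringSSL, so a thread-unsafe OpenSSL build now links silently into a multi-threaded server — a regression in a build-time safety check that the BoringSSL port did not need to remove. Keep the check inside the existing `#ifndef OPENSSL_IS_BORINGSSL` block, right after the `opensslconf.h` include: `#if !defined(OPENSSL_THREADS)` / `#error Traffic Server requires an OpenSSL library that supports threads` / `#endif`. With the check gone, `#define OPENSSL_THREAD_DEFINES` on the line above is left with no visible consumer; either restore its consumer as proposed or remove it with a comment saying why. Whether BoringSSL defines `OPENSSL_THREADS` is not established by the hunk, which is presumably why the check was dropped rather than scoped.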

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 0b3af46..7199efa 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -39,6 +39,11 @@
 void SSL_set_rbio(SSL *ssl, BIO *rbio);
 #endif
 
+// This is missing from BoringSSL
+#ifndef BIO_eof
+#define BIO_eof(b) (int) BIO_ctrl(b, BIO_CTRL_EOF, 0, NULL)
+#endif
+
 #define SSL_READ_ERROR_NONE 0
 #define SSL_READ_ERROR 1
 #define SSL_READ_READY 2
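Review bot: The `BIO_eof` fallback is keyed on `#ifndef BIO_eof` rather than on `OPENSSL_IS_BORINGSSL` like the other shims in this commit, so on any library that provides `BIO_eof` as a real function instead of a macro the local macro would take over without anyone noticing. Tying it to the library it was written for keeps the intent visible: `#if defined(OPENSSL_IS_BORINGSSL) && !defined(BIO_eof)`. The C-style `(int)` cast narrows `BIO_ctrl`'s `long` result; `static_cast<int>(BIO_ctrl(b, BIO_CTRL_EOF, 0, NULL))` would match the named casts introduced elsewhere in this change. Because the shim lives in a .cc file, any other translation unit calling `BIO_eof` under BoringSSL would not see it — if one exists, the definition belongs in a shared header such as P_SSLUtils.h.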

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 4cccff8..0231a15 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -794,7 +794,10 @@ void
 SSLInitializeLibrary()
 {
   if (!open_ssl_initialized) {
+// BoringSSL does not have the memory functions
+#ifndef OPENSSL_IS_BORINGSSL
     CRYPTO_set_mem_functions(ats_malloc, ats_realloc, ats_free);
+#endif
 
     SSL_load_error_strings();
     SSL_library_init();
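Review bot: The comment at the `#ifndef` says what BoringSSL lacks but not the consequence: on BoringSSL every allocation made by the TLS library now goes to the system allocator instead of `ats_malloc`/`ats_realloc`/`ats_free`, so whatever ATS layers on its allocator (accounting, debug hooks) will not cover TLS memory on that build. Say so, e.g. `// BoringSSL has no CRYPTO_set_mem_functions(); its allocations bypass ats_malloc/ats_free and are not covered by ATS allocator instrumentation.`. What `ats_malloc` adds over plain `malloc` is not visible from this hunk, so the exact operational impact should be confirmed before wording it. `SSLInitializeLibrary` continues past the hunk.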
@@ -972,8 +975,9 @@ SSLInitializeStatistics()
   ssl = SSL_new(ctx);
   ciphers = SSL_get_ciphers(ssl);
 
-  for (int index = 0; index < sk_SSL_CIPHER_num(ciphers); index++) {
-    SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, index);
+  // BoringSSL has sk_SSL_CIPHER_num() return a size_t (well, sk_num() is)
+  for (int index = 0; index < static_cast<int>(sk_SSL_CIPHER_num(ciphers)); index++) {
+    SSL_CIPHER *cipher = const_cast<SSL_CIPHER *>(sk_SSL_CIPHER_value(ciphers, index));
     const char *cipherName = SSL_CIPHER_get_name(cipher);
     std::string statName = "proxy.process.ssl.cipher.user_agent." + std::string(cipherName);
 
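Review bot: The `const_cast<SSL_CIPHER *>` on the `sk_SSL_CIPHER_value` line is avoidable: `SSL_CIPHER_get_name` takes a `const SSL_CIPHER *`, so `const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, index);` compiles against both libraries without casting away constness, provided `cipher` is not handed to a non-const API further down the function, which runs past the hunk. Casting here also discards a useful signal — the library marks cipher objects immutable, and a future mutating use is a bug the compiler could otherwise catch. The `static_cast<int>` on the loop bound is fine for a cipher list, but it is re-evaluated every iteration; hoisting `const int cipher_count = static_cast<int>(sk_SSL_CIPHER_num(ciphers));` reads more clearly.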
@@ -1617,7 +1621,13 @@ ssl_callback_info(const SSL *ssl, int where, int ret)
       SSLConfigParams::ssl_allow_client_renegotiation == false) {
     int state = SSL_get_state(ssl);
 
+// TODO: ifdef can be removed in the future
+// Support for SSL23 only if we have it
+#ifdef SSL23_ST_SR_CLNT_HELLO_A
     if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
+#else
+    if (state == SSL3_ST_SR_CLNT_HELLO_A) {
+#endif
       netvc->setSSLClientRenegotiationAbort(true);
       Debug("ssl", "ssl_callback_info trying to renegotiate from the client");
     }
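Review bot: The `#else` branch narrows the client-renegotiation check to `SSL3_ST_SR_CLNT_HELLO_A` alone, so whether `ssl_allow_client_renegotiation == false` is still enforced on BoringSSL depends on `SSL_get_state()` there returning that exact constant for a ClientHello on an already-established connection — nothing in the hunk establishes that, and if it does not, client-initiated renegotiation is silently permitted instead of aborted. A check on state-machine constants is fragile across libraries; a more portable way to detect renegotiation from an info callback is `where & SSL_CB_HANDSHAKE_START` on a connection whose first handshake has already completed (tracked with a per-connection flag set on `SSL_CB_HANDSHAKE_DONE`), which avoids depending on `SSL3_ST_*`/`SSL23_ST_*` at all. At minimum add a comment on the `#else`, e.g. `// SSL23_ST_SR_CLNT_HELLO_A is absent (BoringSSL): only the SSLv3+ client-hello state is checked — verify renegotiation is still refused here.`, and a test that a renegotiating client is dropped on a BoringSSL build. `ssl_callback_info` starts and ends outside the hunk.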

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/lib/ts/X509HostnameValidator.cc
----------------------------------------------------------------------
diff --git a/lib/ts/X509HostnameValidator.cc b/lib/ts/X509HostnameValidator.cc
index 18cf94f..7a7f646 100644
--- a/lib/ts/X509HostnameValidator.cc
+++ b/lib/ts/X509HostnameValidator.cc
@@ -23,6 +23,7 @@
 
 #include <memory.h>
 #include <strings.h>
+#include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
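Review bot: The new `<openssl/crypto.h>` include carries no explanation, unlike the other BoringSSL adjustments in this commit, and the symbol it is needed for is not visible in the hunk. A one-line comment naming that symbol, in the style used elsewhere in the change, e.g. `// BoringSSL: <openssl/crypto.h> is not pulled in by x509.h; needed for <symbol>`, keeps the include from being dropped as unused later.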
 
@@ -225,7 +226,8 @@ validate_hostname(X509 *x, const unsigned char *hostname, bool is_ip, char **pee
   // Check SANs for a match.
   gens = (GENERAL_NAMES *)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
   if (gens) {
-    for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+    // BoringSSL has sk_GENERAL_NAME_num() return size_t.
+    for (i = 0; i < static_cast<int>(sk_GENERAL_NAME_num(gens)); i++) {
       GENERAL_NAME *gen;
       ASN1_STRING *cstr;
       gen = sk_GENERAL_NAME_value(gens, i);
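Review bot: The loop bound `static_cast<int>(sk_GENERAL_NAME_num(gens))` is recomputed on every iteration and its target type is chosen to match `i`, whose declaration is outside the hunk; a named count makes the conversion explicit once: `const int san_count = static_cast<int>(sk_GENERAL_NAME_num(gens));` followed by `for (i = 0; i < san_count; i++) {`. The narrowing is safe for any realistic SAN list, but a short comment that the count is bounded by the size of the certificate's extension would document why it is acceptable in hostname-validation code. `validate_hostname` continues outside the hunk.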