Posted to commits@trafficserver.apache.org by bc...@apache.org on 2016/01/05 20:19:41 UTC
trafficserver git commit: TS-4088: Add support for BoringSSL
Repository: trafficserver
Updated Branches:
refs/heads/master 7bd0b79e9 -> de05b781e
TS-4088: Add support for BoringSSL
This closes #386
Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/de05b781
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/de05b781
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/de05b781
Branch: refs/heads/master
Commit: de05b781e5da2fe7526be571e0938b8531108b08
Parents: 7bd0b79
Author: Bryan Call <bc...@apache.org>
Authored: Tue Jan 5 10:41:50 2016 -0800
Committer: Bryan Call <bc...@apache.org>
Committed: Tue Jan 5 10:43:59 2016 -0800
----------------------------------------------------------------------
iocore/net/OCSPStapling.cc | 6 +++---
iocore/net/P_OCSPStapling.h | 1 +
iocore/net/P_SSLClientUtils.h | 6 +++++-
iocore/net/P_SSLUtils.h | 8 ++++----
iocore/net/SSLNetVConnection.cc | 5 +++++
iocore/net/SSLUtils.cc | 14 ++++++++++++--
lib/ts/X509HostnameValidator.cc | 4 +++-
7 files changed, 33 insertions(+), 11 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/OCSPStapling.cc
----------------------------------------------------------------------
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 67e7fe6..87c356a 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -19,14 +19,14 @@
limitations under the License.
*/
-#include <openssl/ocsp.h>
#include "P_OCSPStapling.h"
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+
+#include <openssl/ocsp.h>
#include "P_Net.h"
#include "P_SSLConfig.h"
#include "P_SSLUtils.h"
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
-
// Maxiumum OCSP stapling response size.
// This should be the response for a single certificate and will typically include the responder certificate chain,
// so 10K should be more than enough.
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_OCSPStapling.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index ddb8425..e93516e 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -24,6 +24,7 @@
#include <openssl/ssl.h>
+// TODO: This should be moved to autoconf
#ifdef sk_OPENSSL_STRING_pop
#ifdef SSL_CTX_set_tlsext_status_cb
#define HAVE_OPENSSL_OCSP_STAPLING 1
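Review bot: Detecting OCSP stapling support with `#ifdef` on `sk_OPENSSL_STRING_pop` and `SSL_CTX_set_tlsext_status_cb` only works while the library spells those names as macros; a library that exposes them as plain functions (which seems to be the situation this commit is accommodating) compiles stapling out with no diagnostic, so a deployment can lose stapling without anyone noticing at build time. The new TODO should record that consequence so the autoconf move is not treated as cosmetic, e.g. `// TODO: Move to autoconf. Probing macros here means a library that provides these as functions silently builds without OCSP stapling.` Adding an `#else` branch that emits a build-time diagnostic when the feature is compiled out would make the regression visible until the configure check exists.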
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_SSLClientUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLClientUtils.h b/iocore/net/P_SSLClientUtils.h
index 0b94df4..542cf11 100644
--- a/iocore/net/P_SSLClientUtils.h
+++ b/iocore/net/P_SSLClientUtils.h
@@ -27,9 +27,13 @@
#include "P_SSLUtils.h"
#include "P_SSLConfig.h"
-#include <openssl/opensslconf.h>
#include <openssl/ssl.h>
+// BoringSSL does not have this include file
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/opensslconf.h>
+#endif
+
// Create and initialize a SSL client context.
SSL_CTX *SSLInitClientContext(const struct SSLConfigParams *param);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_SSLUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index cc58e58..f890190 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -27,12 +27,12 @@
#include "P_SSLClientUtils.h"
#define OPENSSL_THREAD_DEFINES
-#include <openssl/opensslconf.h>
-#include <openssl/ssl.h>
-#if !defined(OPENSSL_THREADS)
-#error Traffic Server requires a OpenSSL library that support threads
+// BoringSSL does not have this include file
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/opensslconf.h>
#endif
+#include <openssl/ssl.h>
struct SSLConfigParams;
struct SSLCertLookup;
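Review bot: The `#if !defined(OPENSSL_THREADS)` / `#error` guard is removed outright instead of being kept for the non-BoringSSL branch, so a build against an OpenSSL compiled without thread support now succeeds silently, and the `#define OPENSSL_THREAD_DEFINES` left on the line above no longer has a consumer. Keep the check inside the new block: after `#include <openssl/opensslconf.h>` add `#if !defined(OPENSSL_THREADS)`, `#error Traffic Server requires a OpenSSL library that support threads`, `#endif`. Separately, the `#ifndef OPENSSL_IS_BORINGSSL` test here comes before `#include <openssl/ssl.h>`, so it presumably relies on an earlier header having already pulled in the library header that defines that macro; P_SSLClientUtils.h in this same commit includes ssl.h before the test, and doing the same here removes the dependence on include order.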
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 0b3af46..7199efa 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -39,6 +39,11 @@
void SSL_set_rbio(SSL *ssl, BIO *rbio);
#endif
+// This is missing from BoringSSL
+#ifndef BIO_eof
+#define BIO_eof(b) (int) BIO_ctrl(b, BIO_CTRL_EOF, 0, NULL)
+#endif
+
#define SSL_READ_ERROR_NONE 0
#define SSL_READ_ERROR 1
#define SSL_READ_READY 2
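Review bot: `#ifndef BIO_eof` only detects a macro, so if a library ships `BIO_eof` as a real function the fallback macro is defined anyway and shadows it at every call site; the comment should state that this is intended and what the emulation depends on, e.g. `// BoringSSL does not define the BIO_eof macro; emulate it via BIO_ctrl. Relies on the BIO method in use honouring BIO_CTRL_EOF.` The C-style `(int)` cast could also be written `static_cast<int>(BIO_ctrl(b, BIO_CTRL_EOF, 0, NULL))` for consistency with the casts added elsewhere in this commit.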
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 4cccff8..0231a15 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -794,7 +794,10 @@ void
SSLInitializeLibrary()
{
if (!open_ssl_initialized) {
+// BoringSSL does not have the memory functions
+#ifndef OPENSSL_IS_BORINGSSL
CRYPTO_set_mem_functions(ats_malloc, ats_realloc, ats_free);
+#endif
SSL_load_error_strings();
SSL_library_init();
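Review bot: Skipping `CRYPTO_set_mem_functions` means that in the BoringSSL build memory handed out by the library no longer comes from ats_malloc, so any code path that frees library-allocated buffers with ats_free (or passes ats_malloc memory to the library to free) would now mix allocators; no such path is visible from this hunk, but it is worth auditing before relying on that build. It also drops whatever out-of-memory handling ats_malloc provides for the library's allocations. A comment stating the consequence would help, e.g. `// BoringSSL does not have the memory functions; its allocations bypass ats_malloc/ats_free, so library-owned memory must never be freed with ats_free in that build.` The enclosing SSLInitializeLibrary body continues outside the hunk.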
@@ -972,8 +975,9 @@ SSLInitializeStatistics()
ssl = SSL_new(ctx);
ciphers = SSL_get_ciphers(ssl);
- for (int index = 0; index < sk_SSL_CIPHER_num(ciphers); index++) {
- SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, index);
+ // BoringSSL has sk_SSL_CIPHER_num() return a size_t (well, sk_num() is)
+ for (int index = 0; index < static_cast<int>(sk_SSL_CIPHER_num(ciphers)); index++) {
+ SSL_CIPHER *cipher = const_cast<SSL_CIPHER *>(sk_SSL_CIPHER_value(ciphers, index));
const char *cipherName = SSL_CIPHER_get_name(cipher);
std::string statName = "proxy.process.ssl.cipher.user_agent." + std::string(cipherName);
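Review bot: The `const_cast<SSL_CIPHER *>` on the new `cipher` line casts away const only to pass the pointer to `SSL_CIPHER_get_name`, which accepts a const pointer; `const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, index);` avoids the cast, unless a use outside the hunk needs a mutable pointer. The `static_cast<int>` on the loop bound narrows a `size_t` to `int`; it is harmless for a cipher list, but the same pattern appears in lib/ts/X509HostnameValidator.cc, and a one-line comment that the count is small enough for `int` would document why the narrowing is acceptable in both places. The enclosing SSLInitializeStatistics body starts and ends outside the hunk.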
@@ -1617,7 +1621,13 @@ ssl_callback_info(const SSL *ssl, int where, int ret)
SSLConfigParams::ssl_allow_client_renegotiation == false) {
int state = SSL_get_state(ssl);
+// TODO: ifdef can be removed in the future
+// Support for SSL23 only if we have it
+#ifdef SSL23_ST_SR_CLNT_HELLO_A
if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
+#else
+ if (state == SSL3_ST_SR_CLNT_HELLO_A) {
+#endif
netvc->setSSLClientRenegotiationAbort(true);
Debug("ssl", "ssl_callback_info trying to renegotiate from the client");
}
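Review bot: The renegotiation check is now spelled as two separate `if` lines selected by `#ifdef SSL23_ST_SR_CLNT_HELLO_A`, so the condition that decides whether a client renegotiation is aborted lives in two places and a later edit to one branch can silently miss the other. Computing the predicate once and letting the `#ifdef` only contribute the SSL23 term keeps a single decision point, as below. Whether `SSL_get_state` reports the same handshake constants on every supported library is not visible here; since this branch is what enforces `ssl_allow_client_renegotiation == false`, a test that exercises the abort path on each library would confirm the check still fires. The enclosing ssl_callback_info body starts and ends outside the hunk.
```cpp
      int state = SSL_get_state(ssl);
      // Decide once whether this is a ClientHello during an established session;
      // the SSL23 state only exists on libraries that still carry SSLv23 code.
      bool client_hello = (state == SSL3_ST_SR_CLNT_HELLO_A);
#ifdef SSL23_ST_SR_CLNT_HELLO_A
      client_hello = client_hello || (state == SSL23_ST_SR_CLNT_HELLO_A);
#endif
      if (client_hello) {
        // … unchanged: setSSLClientRenegotiationAbort and Debug …
      }
```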
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/lib/ts/X509HostnameValidator.cc
----------------------------------------------------------------------
diff --git a/lib/ts/X509HostnameValidator.cc b/lib/ts/X509HostnameValidator.cc
index 18cf94f..7a7f646 100644
--- a/lib/ts/X509HostnameValidator.cc
+++ b/lib/ts/X509HostnameValidator.cc
@@ -23,6 +23,7 @@
#include <memory.h>
#include <strings.h>
+#include <openssl/crypto.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
@@ -225,7 +226,8 @@ validate_hostname(X509 *x, const unsigned char *hostname, bool is_ip, char **pee
// Check SANs for a match.
gens = (GENERAL_NAMES *)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
if (gens) {
- for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+ // BoringSSL has sk_GENERAL_NAME_num() return size_t.
+ for (i = 0; i < static_cast<int>(sk_GENERAL_NAME_num(gens)); i++) {
GENERAL_NAME *gen;
ASN1_STRING *cstr;
gen = sk_GENERAL_NAME_value(gens, i);