Repository: trafficserver Updated Branches: refs/heads/master 7bd0b79e9 -> de05b781e
TS-4088: Add support for BoringSSL This closes #386 Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/de05b781 Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/de05b781 Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/de05b781 Branch: refs/heads/master Commit: de05b781e5da2fe7526be571e0938b8531108b08 Parents: 7bd0b79 Author: Bryan Call <[email protected]> Authored: Tue Jan 5 10:41:50 2016 -0800 Committer: Bryan Call <[email protected]> Committed: Tue Jan 5 10:43:59 2016 -0800 ---------------------------------------------------------------------- iocore/net/OCSPStapling.cc | 6 +++--- iocore/net/P_OCSPStapling.h | 1 + iocore/net/P_SSLClientUtils.h | 6 +++++- iocore/net/P_SSLUtils.h | 8 ++++---- iocore/net/SSLNetVConnection.cc | 5 +++++ iocore/net/SSLUtils.cc | 14 ++++++++++++-- lib/ts/X509HostnameValidator.cc | 4 +++- 7 files changed, 33 insertions(+), 11 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/OCSPStapling.cc ----------------------------------------------------------------------
diff --git a/iocore/net/OCSPStapling.cc b/iocore/net/OCSPStapling.cc
index 67e7fe6..87c356a 100644
--- a/iocore/net/OCSPStapling.cc
+++ b/iocore/net/OCSPStapling.cc
@@ -19,14 +19,14 @@ limitations under the License.
 */
-#include <openssl/ocsp.h>
 #include "P_OCSPStapling.h"
+#ifdef HAVE_OPENSSL_OCSP_STAPLING
+
+#include <openssl/ocsp.h>
 #include "P_Net.h"
 #include "P_SSLConfig.h"
 #include "P_SSLUtils.h"
-#ifdef HAVE_OPENSSL_OCSP_STAPLING
-
 // Maxiumum OCSP stapling response size.
 // This should be the response for a single certificate and will typically include the responder certificate chain,
 // so 10K should be more than enough.
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_OCSPStapling.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_OCSPStapling.h b/iocore/net/P_OCSPStapling.h
index ddb8425..e93516e 100644
--- a/iocore/net/P_OCSPStapling.h
+++ b/iocore/net/P_OCSPStapling.h
@@ -24,6 +24,7 @@
 #include <openssl/ssl.h>
+// TODO: This should be moved to autoconf
 #ifdef sk_OPENSSL_STRING_pop
 #ifdef SSL_CTX_set_tlsext_status_cb
 #define HAVE_OPENSSL_OCSP_STAPLING 1
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_SSLClientUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLClientUtils.h b/iocore/net/P_SSLClientUtils.h
index 0b94df4..542cf11 100644
--- a/iocore/net/P_SSLClientUtils.h
+++ b/iocore/net/P_SSLClientUtils.h
@@ -27,9 +27,13 @@
 #include "P_SSLUtils.h"
 #include "P_SSLConfig.h"
-#include <openssl/opensslconf.h>
 #include <openssl/ssl.h>
+// BoringSSL does not have this include file
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/opensslconf.h>
+#endif
+
 // Create and initialize a SSL client context.
 SSL_CTX *SSLInitClientContext(const struct SSLConfigParams *param);
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/P_SSLUtils.h
----------------------------------------------------------------------
diff --git a/iocore/net/P_SSLUtils.h b/iocore/net/P_SSLUtils.h
index cc58e58..f890190 100644
--- a/iocore/net/P_SSLUtils.h
+++ b/iocore/net/P_SSLUtils.h
@@ -27,12 +27,12 @@
 #include "P_SSLClientUtils.h"
 #define OPENSSL_THREAD_DEFINES
-#include <openssl/opensslconf.h>
-#include <openssl/ssl.h>
-#if !defined(OPENSSL_THREADS)
-#error Traffic Server requires a OpenSSL library that support threads
+// BoringSSL does not have this include file
+#ifndef OPENSSL_IS_BORINGSSL
+#include <openssl/opensslconf.h>
 #endif
+#include <openssl/ssl.h>
 struct SSLConfigParams;
 struct SSLCertLookup;
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/SSLNetVConnection.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc
index 0b3af46..7199efa 100644
--- a/iocore/net/SSLNetVConnection.cc
+++ b/iocore/net/SSLNetVConnection.cc
@@ -39,6 +39,11 @@ void SSL_set_rbio(SSL *ssl, BIO *rbio);
 #endif
+// This is missing from BoringSSL
+#ifndef BIO_eof
+#define BIO_eof(b) (int) BIO_ctrl(b, BIO_CTRL_EOF, 0, NULL)
+#endif
+
 #define SSL_READ_ERROR_NONE 0
 #define SSL_READ_ERROR 1
 #define SSL_READ_READY 2
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/iocore/net/SSLUtils.cc
----------------------------------------------------------------------
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 4cccff8..0231a15 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -794,7 +794,10 @@ void
 SSLInitializeLibrary()
 {
 if (!open_ssl_initialized) {
+// BoringSSL does not have the memory functions
+#ifndef OPENSSL_IS_BORINGSSL
 CRYPTO_set_mem_functions(ats_malloc, ats_realloc, ats_free);
+#endif
 SSL_load_error_strings();
 SSL_library_init();
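Review bot: The `#if !defined(OPENSSL_THREADS)` / `#error` check is dropped for every build, not just BoringSSL, so an OpenSSL built without thread support now configures silently instead of failing at compile time, and the `#define OPENSSL_THREAD_DEFINES` kept two lines above no longer has a consumer. Keep the check inside the new `#ifndef OPENSSL_IS_BORINGSSL` block, directly after the opensslconf.h include: `#if !defined(OPENSSL_THREADS)` / `#error Traffic Server requires a OpenSSL library that support threads` / `#endif`. Separately, `OPENSSL_IS_BORINGSSL` is tested here before this header includes any OpenSSL header, so the test presumably only works because `P_SSLClientUtils.h` above has already pulled in `<openssl/ssl.h>`; the P_SSLClientUtils.h hunk tests the macro after including `<openssl/ssl.h>`, and moving the `#include <openssl/ssl.h>` above the `#ifndef` here would make this header self-sufficient in the same way.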
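Review bot: Point of style: this is the third file-local BoringSSL shim in the commit (alongside the opensslconf.h guards in P_SSLClientUtils.h and P_SSLUtils.h and the memory-function guard in SSLUtils.cc), and collecting them in one compatibility header would keep the library differences in a single place and make the `#ifndef BIO_eof` fallback easy to retire once it is no longer needed. Within the macro, `(int)` is a C-style cast while the rest of the commit uses `static_cast`, and the argument is not parenthesized; `#define BIO_eof(b) static_cast<int>(BIO_ctrl((b), BIO_CTRL_EOF, 0, NULL))` keeps the cast style consistent and is safe for any argument expression.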
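Review bot: Skipping `CRYPTO_set_mem_functions(ats_malloc, ats_realloc, ats_free)` on BoringSSL means that build's TLS-library allocations no longer go through the ats_* wrappers, so whatever those wrappers provide (presumably ATS's allocator accounting or out-of-memory handling — not visible in this hunk) is silently absent on BoringSSL. That is a behavioural difference operators may notice and it deserves a comment that says so rather than only "does not have the memory functions", e.g. `// BoringSSL has no CRYPTO_set_mem_functions(); its allocations use the libc allocator directly and bypass the ats_* wrappers`. SSLInitializeLibrary's body continues past the end of the hunk.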
@@ -972,8 +975,9 @@ SSLInitializeStatistics()
 ssl = SSL_new(ctx);
 ciphers = SSL_get_ciphers(ssl);
-  for (int index = 0; index < sk_SSL_CIPHER_num(ciphers); index++) {
-    SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, index);
+  // BoringSSL has sk_SSL_CIPHER_num() return a size_t (well, sk_num() is)
+  for (int index = 0; index < static_cast<int>(sk_SSL_CIPHER_num(ciphers)); index++) {
+    SSL_CIPHER *cipher = const_cast<SSL_CIPHER *>(sk_SSL_CIPHER_value(ciphers, index));
 const char *cipherName = SSL_CIPHER_get_name(cipher);
 std::string statName = "proxy.process.ssl.cipher.user_agent." + std::string(cipherName);
@@ -1617,7 +1621,13 @@ ssl_callback_info(const SSL *ssl, int where, int ret)
 SSLConfigParams::ssl_allow_client_renegotiation == false) {
 int state = SSL_get_state(ssl);
+// TODO: ifdef can be removed in the future
+// Support for SSL23 only if we have it
+#ifdef SSL23_ST_SR_CLNT_HELLO_A
 if (state == SSL3_ST_SR_CLNT_HELLO_A || state == SSL23_ST_SR_CLNT_HELLO_A) {
+#else
+ if (state == SSL3_ST_SR_CLNT_HELLO_A) {
+#endif
 netvc->setSSLClientRenegotiationAbort(true);
 Debug("ssl", "ssl_callback_info trying to renegotiate from the client");
 }
http://git-wip-us.apache.org/repos/asf/trafficserver/blob/de05b781/lib/ts/X509HostnameValidator.cc
----------------------------------------------------------------------
diff --git a/lib/ts/X509HostnameValidator.cc b/lib/ts/X509HostnameValidator.cc
index 18cf94f..7a7f646 100644
--- a/lib/ts/X509HostnameValidator.cc
+++ b/lib/ts/X509HostnameValidator.cc
@@ -23,6 +23,7 @@
 #include <memory.h>
 #include <strings.h>
+#include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
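Review bot: The `const_cast<SSL_CIPHER *>` strips the const that BoringSSL's `sk_SSL_CIPHER_value()` returns, but the only use visible in the hunk is `SSL_CIPHER_get_name(cipher)`, which takes a `const SSL_CIPHER *`; if nothing later in the loop body (it continues past the hunk) needs a mutable pointer, `const SSL_CIPHER *cipher = sk_SSL_CIPHER_value(ciphers, index);` compiles against both libraries without any cast. A const_cast in this spot also hides a future mistake, since a write through `cipher` would compile silently.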
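Review bot: The client-renegotiation abort now depends on `SSL_get_state(ssl)` reporting `SSL3_ST_SR_CLNT_HELLO_A` on BoringSSL; whether BoringSSL's state machine ever returns that value is not visible here, and if it does not, the `#else` branch compiles but `setSSLClientRenegotiationAbort(true)` never fires on that build, so `ssl_allow_client_renegotiation == false` would silently stop being enforced. Worth confirming against the BoringSSL headers and recording the result next to the `#ifdef`, e.g. `// NOTE: confirm BoringSSL reports SSL3_ST_SR_CLNT_HELLO_A from SSL_get_state(); otherwise client renegotiation is not detected here`. The `#ifdef`/`#else` also duplicates the `if` line; expressing only the condition conditionally would leave a single `if` to maintain. ssl_callback_info's body starts and ends outside the hunk.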
@@ -225,7 +226,8 @@ validate_hostname(X509 *x, const unsigned char *hostname, bool is_ip, char **pee
 // Check SANs for a match.
 gens = (GENERAL_NAMES *)X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 if (gens) {
-    for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
+    // BoringSSL has sk_GENERAL_NAME_num() return size_t.
+    for (i = 0; i < static_cast<int>(sk_GENERAL_NAME_num(gens)); i++) {
 GENERAL_NAME *gen;
 ASN1_STRING *cstr;
 gen = sk_GENERAL_NAME_value(gens, i);
