This is an automated email from the ASF dual-hosted git repository. cmcfarlen pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
commit 875ac45935570b3aa9f133a8d8a86d8653bf7cc2
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Fri Aug 2 11:20:20 2024 -0600

Reduce the number of checks for BoringSSL (#11637)

- Removed one unnecessary check
- Added HAVE_NATIVE_DUAL_CERT_SUPPORT

(cherry picked from commit af6657d1cfda88c8f60120ea71b2ab94a8f60b77)
---
 CMakeLists.txt | 5 +++++
 include/tscore/ink_config.h.cmake.in | 1 +
 src/iocore/net/OCSPStapling.cc | 9 +++------
 src/iocore/net/P_OCSPStapling.h | 6 ------
 src/iocore/net/SSLUtils.cc | 6 +++---
 5 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 34db385ce6..48a3e00a0c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -506,6 +506,11 @@ else()
   set(TS_HAS_TLS_EARLY_DATA FALSE)
 endif()
 
+check_source_compiles(
+  C "#include <openssl/ssl.h>
+  void main() { int x = SSL_CTRL_GET_EXTRA_CHAIN_CERTS; }" HAVE_NATIVE_DUAL_CERT_SUPPORT
+)
+
 set(CMAKE_REQUIRED_INCLUDES netinet/in.h netinet/tcp.h)
 check_type_size("struct tcp_info" STRUCT_TCP_INFO)
 unset(CMAKE_REQUIRED_INCLUDES)
diff --git a/include/tscore/ink_config.h.cmake.in b/include/tscore/ink_config.h.cmake.in
index 9f86c61eb6..a448d89514 100644
--- a/include/tscore/ink_config.h.cmake.in
+++ b/include/tscore/ink_config.h.cmake.in
@@ -88,6 +88,7 @@
 #cmakedefine HAVE_BIO_METH_GET_DESTROY 1
 #cmakedefine HAVE_HMAC_CTX_NEW 1
 #cmakedefine HAVE_MD5_INIT 1
+#cmakedefine HAVE_NATIVE_DUAL_CERT_SUPPORT 1
 #cmakedefine HAVE_STRUCT_TCP_INFO 1
 #cmakedefine HAVE_STRUCT_TCP_INFO_TCPI_TOTAL_RETRANS 1
 
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index fe7766796f..8b0f84802d 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -26,6 +26,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 
+#include "tscore/ink_config.h"
 #include "tscore/ink_memory.h"
 #include "tscore/Encoding.h"
 #include "tscore/ink_base64.h"
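Review bot: The probe source on the `C "#include <openssl/ssl.h>` line declares `void main()` and an unused `int x`, both of which draw warnings from gcc and clang under `-Wall`, so any `-Werror` in CMAKE_REQUIRED_FLAGS turns a present `SSL_CTRL_GET_EXTRA_CHAIN_CERTS` into a failed check. Because the code hunks guard on the macro being absent (`#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT`), a failed probe does not stop the build but silently steers an OpenSSL build into the BoringSSL-only branches. A conforming probe avoids that: `int main(void) { (void)SSL_CTRL_GET_EXTRA_CHAIN_CERTS; return 0; }`. A comment above the check saying why this ctrl stands in for dual-certificate support would help the next reader, e.g. `# Absent in BoringSSL, whose builds load separate RSA/EC contexts instead of one generic one (see ocsp_update in OCSPStapling.cc)`, and the result for AWS-LC, which the removed `OPENSSL_IS_AWSLC` guards treated like BoringSSL, is worth confirming since the probe decides it purely by this macro.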
@@ -1267,7 +1268,7 @@ ocsp_update()
   SSLCertificateConfig::scoped_config certLookup;
 
   Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");
-#ifndef OPENSSL_IS_BORINGSSL
+#ifdef HAVE_NATIVE_DUAL_CERT_SUPPORT
   const SSLCertContextType ctxTypes[] = {SSLCertContextType::GENERIC};
 #else
   const SSLCertContextType ctxTypes[] = {SSLCertContextType::RSA, SSLCertContextType::EC};
@@ -1309,11 +1310,7 @@ ocsp_update()
 
 // RFC 6066 Section-8: Certificate Status Request
 int
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-ssl_callback_ocsp_stapling(SSL *ssl)
-#else
 ssl_callback_ocsp_stapling(SSL *ssl, void *)
-#endif
 {
   // Assume SSL_get_SSL_CTX() is the same as reaching into the ssl structure
   // Using the official call, to avoid leaking internal openssl knowledge
@@ -1337,7 +1334,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
   }
 
   certinfo *cinf = nullptr;
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+#if HAVE_NATIVE_DUAL_CERT_SUPPORT
   certinfo_map::iterator iter = map->find(cert);
   if (iter != map->end()) {
     cinf = iter->second;
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
index 8caf132c97..9ca65e4578 100644
--- a/src/iocore/net/P_OCSPStapling.h
+++ b/src/iocore/net/P_OCSPStapling.h
@@ -21,16 +21,10 @@
 
 #pragma once
 
-#include "tscore/ink_config.h"
-
 #include <openssl/ssl.h>
 
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname, const char *rsp_file);
 void ocsp_update();
 
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-int ssl_callback_ocsp_stapling(SSL *);
-#else
 int ssl_callback_ocsp_stapling(SSL *, void *);
-#endif
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index 699cd17c6a..02669cea2f 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
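Review bot: `#if HAVE_NATIVE_DUAL_CERT_SUPPORT` in the @@ -1337 hunk tests the macro's value, while the @@ -1267 hunk and every SSLUtils.cc site in this commit test its definedness with `#ifdef`/`#ifndef`; because ink_config.h.cmake.in emits `#cmakedefine HAVE_NATIVE_DUAL_CERT_SUPPORT 1` the two forms agree today, but a definition without a value makes only this line a preprocessor error, and a reader has to open the generated header to see that they are equivalent. Using `#ifdef HAVE_NATIVE_DUAL_CERT_SUPPORT` here keeps one convention. The body of ssl_callback_ocsp_stapling continues outside the hunk, so the matching `#else`/`#endif` are not visible here. For the unified `ssl_callback_ocsp_stapling(SSL *ssl, void *)` signature in the @@ -1309 hunk, a one-line comment such as `// second argument is the status-callback user data; unused here` would record why the parameter is unnamed now that the old one-argument overload is gone (presumably the registration site passes a matching callback type — worth confirming since it is not in this diff).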
@@ -396,7 +396,7 @@ ssl_cert_callback(SSL *ssl, [[maybe_unused]] void *arg)
   }
 
   SSLCertContextType ctxType = SSLCertContextType::GENERIC;
-#ifdef OPENSSL_IS_BORINGSSL
+#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT
   if (arg != nullptr) {
     const SSL_CLIENT_HELLO *client_hello = (const SSL_CLIENT_HELLO *)arg;
     const bool client_ecdsa_capable = BoringSSLUtils::isClientEcdsaCapable(client_hello);
@@ -1216,7 +1216,7 @@ SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
   bool generate_default_ctx = data.cert_names_list.empty();
 
   if (!generate_default_ctx) {
-#ifdef OPENSSL_IS_BORINGSSL
+#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT
     for (auto const &name : data.cert_names_list) {
       cert_names.emplace_back(std::vector({name}));
     }
@@ -2235,7 +2235,7 @@ SSLMultiCertConfigLoader::load_certs_and_cross_reference_names(
   }
 
   if (certType != nullptr) {
-#ifdef OPENSSL_IS_BORINGSSL
+#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT
     std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> public_key(X509_get_pubkey(cert), &EVP_PKEY_free);
     int pkey_id = EVP_PKEY_id(public_key.get());
 
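Review bot: The three `#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT` guards (@@ -396, @@ -1216, @@ -2235) fail open: when the macro is not visible, the BoringSSL-only dual-certificate branches are selected for an OpenSSL build (and then either fail to compile or, if `BoringSSLUtils` happens to be available, run the wrong certificate selection), whereas the old `#ifdef OPENSSL_IS_BORINGSSL` failed closed. The macro lives in the generated tscore/ink_config.h, and this same commit removes that include from P_OCSPStapling.h, so unless SSLUtils.cc includes it directly (not visible in these hunks) the guards may now rest on an accidental transitive include; an explicit `#include "tscore/ink_config.h"` at the top of SSLUtils.cc removes the doubt. A stronger backstop is to have the generated header always define the macro, `#cmakedefine01 HAVE_NATIVE_DUAL_CERT_SUPPORT`, test it with `#if HAVE_NATIVE_DUAL_CERT_SUPPORT`, and build with `-Wundef` so a missing include becomes a diagnostic, though that departs from the `#cmakedefine X 1` form of the neighbouring entries. ssl_cert_callback, init_server_ssl_ctx and load_certs_and_cross_reference_names all begin and end outside their hunks.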
