Re: [PATCH 2/4] BUILD: ssl: disable OCSP when using boringssl

2017-01-03 Thread Igor Pav
I tried to compile 1.7.1 against BoringSSL, but the build does not get through; the errors are below:

In file included from src/ssl_sock.c:87:0:
include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_CERTID’
 static inline const OCSP_CERTID *OCSP_SINGLERESP_get0_id(const
OCSP_SINGLERESP *single)
 ^
include/proto/openssl-compat.h:107:1: error: unknown type name ‘OCSP_SINGLERESP’
include/proto/openssl-compat.h: In function ‘OCSP_SINGLERESP_get0_id’:
include/proto/openssl-compat.h:109:15: error: request for member
‘certId’ in something not a structure or union
  return single->certId;
   ^
src/ssl_sock.c: In function ‘ssl_sock_bind_verifycbk’:
src/ssl_sock.c:1070:4: warning: implicit declaration of function
‘ssl_sock_dump_errors’ [-Wimplicit-function-declaration]
ssl_sock_dump_errors(conn);
^
src/ssl_sock.c: In function ‘ssl_sock_do_create_cert’:
src/ssl_sock.c:1241:3: warning: implicit declaration of function
‘X509V3_EXT_conf’ [-Wimplicit-function-declaration]
   if (!(ext = X509V3_EXT_conf(NULL, , x509v3_ext_names[i],
x509v3_ext_values[i])))
   ^
src/ssl_sock.c:1241:13: warning: assignment makes pointer from integer
without a cast [enabled by default]
   if (!(ext = X509V3_EXT_conf(NULL, , x509v3_ext_names[i],
x509v3_ext_values[i])))
 ^
src/ssl_sock.c:1252:2: warning: implicit declaration of function
‘EVP_PKEY_base_id’ [-Wimplicit-function-declaration]
  key_type = EVP_PKEY_base_id(capkey);
  ^
src/ssl_sock.c:1264:3: warning: implicit declaration of function
‘EVP_PKEY_get_default_digest_nid’ [-Wimplicit-function-declaration]
   if (EVP_PKEY_get_default_digest_nid(capkey, ) <= 0)
   ^
src/ssl_sock.c: In function ‘ssl_sock_prepare_ctx’:
src/ssl_sock.c:2720:3: warning: implicit declaration of function
‘SSL_CTX_set_ssl_version’ [-Wimplicit-function-declaration]
   SSL_CTX_set_ssl_version(ctx, SSLv3_server_method());
   ^
src/ssl_sock.c:2786:46: error: ‘ssl_tlsext_ticket_key_cb’ undeclared
(first use in this function)
   if (!SSL_CTX_set_tlsext_ticket_key_cb(ctx, ssl_tlsext_ticket_key_cb)) {
  ^
src/ssl_sock.c:2786:46: note: each undeclared identifier is reported
only once for each function it appears in
src/ssl_sock.c:2820:13: warning: assignment discards ‘const’ qualifier
from pointer target type [enabled by default]
  cipher = sk_SSL_CIPHER_value(ciphers, idx);
 ^
src/ssl_sock.c:2874:2: warning: passing argument 2 of
‘SSL_CTX_set_tlsext_servername_callback’ from incompatible pointer
type [enabled by default]
  SSL_CTX_set_tlsext_servername_callback(ctx, ssl_sock_switchctx_cbk);
  ^
In file included from src/ssl_sock.c:43:0:
/build/boringssl/include/openssl/ssl.h:2357:20: note: expected ‘int
(*)(struct SSL *, int *, void *)’ but argument is of type ‘int
(*)(struct SSL *, int *, struct bind_conf *)’
 OPENSSL_EXPORT int SSL_CTX_set_tlsext_servername_callback(
^
src/ssl_sock.c: In function ‘ssl_sock_handshake’:
src/ssl_sock.c:3531:48: error: ‘SSL’ has no member named ‘packet_length’
  empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
^
src/ssl_sock.c:3609:46: error: ‘SSL’ has no member named ‘packet_length’
empty_handshake = !((SSL *)conn->xprt_ctx)->packet_length;
  ^
make: *** [src/ssl_sock.o] Error 1

On Mon, Aug 18, 2014 at 6:56 AM, Lukas Tribus  wrote:
> Google's boringssl doesn't currently support OCSP, so
> disable it if detected.
>
> OCSP support may be reintroduced as per:
> https://code.google.com/p/chromium/issues/detail?id=398677
>
> In that case we can simply revert this commit.
>
> Signed-off-by: Lukas Tribus 
> ---
>  include/proto/ssl_sock.h | 2 +-
>  src/dumpstats.c  | 2 +-
>  src/ssl_sock.c   | 6 +++---
>  3 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
> index 3e111cd..6362953 100644
> --- a/include/proto/ssl_sock.h
> +++ b/include/proto/ssl_sock.h
> @@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
>  int ssl_sock_get_cert_used(struct connection *conn);
>  int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk 
> *out);
>  unsigned int ssl_sock_get_verify_result(struct connection *conn);
> -#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
> +#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined 
> OPENSSL_IS_BORINGSSL)
>  int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
>  #endif
>
> diff --git a/src/dumpstats.c b/src/dumpstats.c
> index 5365042..3855e09 100644
> --- a/src/dumpstats.c
> +++ b/src/dumpstats.c
> @@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct 
> stream_interface *si, char *line)
>  #ifdef USE_OPENSSL
> else if (strcmp(args[1], "ssl") == 0) {
> if (strcmp(args[2], "ocsp-response") == 0) {
> -#ifdef 

[PATCH 2/4] BUILD: ssl: disable OCSP when using boringssl

2014-08-17 Thread Lukas Tribus
Google's boringssl doesn't currently support OCSP, so
disable it if detected.

OCSP support may be reintroduced as per:
https://code.google.com/p/chromium/issues/detail?id=398677

In that case we can simply revert this commit.

Signed-off-by: Lukas Tribus luky...@hotmail.com
---
 include/proto/ssl_sock.h | 2 +-
 src/dumpstats.c  | 2 +-
 src/ssl_sock.c   | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/include/proto/ssl_sock.h b/include/proto/ssl_sock.h
index 3e111cd..6362953 100644
--- a/include/proto/ssl_sock.h
+++ b/include/proto/ssl_sock.h
@@ -54,7 +54,7 @@ char *ssl_sock_get_version(struct connection *conn);
 int ssl_sock_get_cert_used(struct connection *conn);
 int ssl_sock_get_remote_common_name(struct connection *conn, struct chunk 
*out);
 unsigned int ssl_sock_get_verify_result(struct connection *conn);
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB  !defined 
OPENSSL_IS_BORINGSSL)
 int ssl_sock_update_ocsp_response(struct chunk *ocsp_response, char **err);
 #endif
 
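Review bot: The new guard `#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB && !defined OPENSSL_IS_BORINGSSL)` is the same expression repeated at five sites across three files in this series, so any future change (a BoringSSL that regains OCSP, or a different library lacking it) has to be made in every copy and one stale copy leaves a half-guarded build. Since both ssl_sock.c and dumpstats.c already depend on this header, define the condition once here, e.g. `#if defined(SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB) && !defined(OPENSSL_IS_BORINGSSL)` / `#define HAVE_SSL_OCSP 1` / `#endif`, and test `#ifdef HAVE_SSL_OCSP` at the other sites. Note also that in this archived copy the `&&` between the two `defined` tests has been stripped from every hunk (the quoted copy at the top of the thread still shows it); anyone applying the patch from this page must restore it, since `defined X !defined Y` is not a valid preprocessor expression.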
diff --git a/src/dumpstats.c b/src/dumpstats.c
index 5365042..3855e09 100644
--- a/src/dumpstats.c
+++ b/src/dumpstats.c
@@ -1794,7 +1794,7 @@ static int stats_sock_parse_request(struct 
stream_interface *si, char *line)
 #ifdef USE_OPENSSL
else if (strcmp(args[1], ssl) == 0) {
if (strcmp(args[2], ocsp-response) == 0) {
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB  !defined 
OPENSSL_IS_BORINGSSL)
char *err = NULL;
 
/* Expect one parameter: the new response in 
base64 encoding */
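Review bot: With this guard the `set ssl ocsp-response` stats-socket command is compiled out entirely on BoringSSL, so an operator pushing a fresh OCSP response presumably lands in whatever the `#else` path (outside the hunk) reports, and nothing on the visible lines tells them that stapling is unavailable in this build. I would add an `#else` branch that reports an explicit message such as "OCSP stapling is not supported by this SSL library" through the same error-reporting path the rest of this function uses (not visible here), so the failure cannot be mistaken for a typo in the command. Silently dropping staple updates means clients end up with stale or missing OCSP status while the operator believes the update succeeded. The function stats_sock_parse_request begins and ends outside the hunk.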
diff --git a/src/ssl_sock.c b/src/ssl_sock.c
index cf8adc7..e53e3bd 100644
--- a/src/ssl_sock.c
+++ b/src/ssl_sock.c
@@ -44,7 +44,7 @@
 #include openssl/x509.h
 #include openssl/err.h
 #include openssl/rand.h
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB  !defined 
OPENSSL_IS_BORINGSSL)
 #include openssl/ocsp.h
 #endif
 
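Review bot: Guarding `#include openssl/ocsp.h` is not sufficient on its own; every other use of OCSP types in this translation unit must sit under the same condition, and the 1.7.1 build log at the top of this thread shows one that does not: `include/proto/openssl-compat.h:107` defines `OCSP_SINGLERESP_get0_id` using `OCSP_CERTID` and `OCSP_SINGLERESP` unconditionally and fails with "unknown type name" as soon as the header is skipped. That shim postdates this patch, but it is exactly the pattern the guard needs to anticipate: wrap any OCSP compat helper in the same `#if` (or a `#ifndef OPENSSL_IS_BORINGSSL`) so that everything referencing OCSP symbols disappears together with the include. The same log also shows unrelated BoringSSL breakage (`ssl_tlsext_ticket_key_cb` undeclared, `SSL` has no member `packet_length`) that this series does not claim to address, so "disable OCSP" alone will not make the BoringSSL build succeed on that version.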
@@ -112,7 +112,7 @@ static DH *local_dh_4096 = NULL;
 static DH *local_dh_8192 = NULL;
 #endif /* OPENSSL_NO_DH */
 
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB  !defined 
OPENSSL_IS_BORINGSSL)
 struct certificate_ocsp {
struct ebmb_node key;
unsigned char key_data[OCSP_MAX_CERTID_ASN1_LENGTH];
@@ -1282,7 +1282,7 @@ static int ssl_sock_load_cert_file(const char *path, 
struct bind_conf *bind_conf
}
 #endif
 
-#ifdef SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB
+#if (defined SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB  !defined 
OPENSSL_IS_BORINGSSL)
ret = ssl_sock_load_ocsp(ctx, path);
if (ret  0) {
if (err)
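Review bot: When the guard is false the call `ret = ssl_sock_load_ocsp(ctx, path);` is compiled out, so a stapled-response file that ssl_sock_load_ocsp would presumably derive from `path` is silently ignored and the listener comes up without a staple and without any diagnostic, since the `ret` error path on the following lines only exists when OCSP is enabled. Operators who deployed an OCSP response for a BoringSSL build will only notice from the client side, which is the failure mode stapling exists to avoid. I would add an `#else` branch that checks whether the response file is present next to the certificate and, if so, reports through the same `err` mechanism the surrounding code uses that OCSP stapling is unsupported by this SSL library, so the misconfiguration is visible at startup. ssl_sock_load_cert_file begins outside the hunk and its tail is outside too.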
-- 
1.9.1