openssl: remove most BoringSSL #ifdefs.

As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640
This commit is contained in:
David Benjamin 2016-02-08 23:19:31 -05:00 committed by Daniel Stenberg
parent 674b57e76b
commit 39c803cba2
8 changed files with 19 additions and 72 deletions

View File

@ -1631,8 +1631,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
dnl Older versions of Cyassl (some time before 2.9.4) don't have
dnl SSL_get_shutdown (but this check won't actually detect it there
dnl as it's a macro that needs the header files be included)
dnl BoringSSL didn't have DES_set_odd_parity for a while but now it is
dnl back again.
AC_CHECK_FUNCS( RAND_status \
RAND_screen \
@ -1640,8 +1638,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
ENGINE_cleanup \
CRYPTO_cleanup_all_ex_data \
SSL_get_shutdown \
SSLv2_client_method \
DES_set_odd_parity )
SSLv2_client_method )
AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([

View File

@ -457,6 +457,7 @@ Glen A Johnson Jr.
Glen Nakamura
Glen Scott
Glenn Sheridan
Google Inc.
Gordon Marler
Gorilla Maguila
Grant Erickson

View File

@ -228,12 +228,6 @@
This is present in OpenSSL versions after 0.9.6b */
#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1
/* Define if you have the 'DES_set_odd_parity' function when using OpenSSL/
BoringSSL */
#if defined(USE_OPENSSL) || defined(HAVE_BORINGSSL)
#define HAVE_DES_SET_ODD_PARITY 1
#endif
/* Define if you have the select function. */
#define HAVE_SELECT 1

View File

@ -22,7 +22,7 @@
#include "curl_setup.h"
#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY)
#if defined(USE_NTLM) && !defined(USE_OPENSSL)
#include "curl_des.h"
@ -60,4 +60,4 @@ void Curl_des_set_odd_parity(unsigned char *bytes, size_t len)
}
}
#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */
#endif /* USE_NTLM && !USE_OPENSSL */

View File

@ -24,11 +24,11 @@
#include "curl_setup.h"
#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY)
#if defined(USE_NTLM) && !defined(USE_OPENSSL)
/* Applies odd parity to the given byte array */
void Curl_des_set_odd_parity(unsigned char *bytes, size_t length);
#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */
#endif /* USE_NTLM && !USE_OPENSSL */
#endif /* HEADER_CURL_DES_H */

View File

@ -143,14 +143,10 @@ static void setup_des_key(const unsigned char *key_56,
DES_cblock key;
/* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, (char *) key);
extend_key_56_to_64(key_56, (char *) &key);
/* Set the key parity to odd */
#ifndef HAVE_DES_SET_ODD_PARITY /* older boringssl */
Curl_des_set_odd_parity((unsigned char *) &key, sizeof(key));
#else
DES_set_odd_parity(&key);
#endif
/* Set the key */
DES_set_key(&key, ks);

View File

@ -628,13 +628,9 @@ int netware_init(void);
defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
#ifdef HAVE_BORINGSSL /* BoringSSL is not NTLM capable */
#undef USE_NTLM
#else
#define USE_NTLM
#endif
#endif
#endif
/* non-configure builds may define CURL_WANTS_CA_BUNDLE_ENV */
#if defined(CURL_WANTS_CA_BUNDLE_ENV) && !defined(CURL_CA_BUNDLE)

View File

@ -68,7 +68,7 @@
#include <openssl/pkcs12.h>
#endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_IS_BORINGSSL)
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
#include <openssl/ocsp.h>
#endif
@ -83,21 +83,8 @@
#error "OPENSSL_VERSION_NUMBER not defined"
#endif
#if !defined(OPENSSL_IS_BORINGSSL)
/* ENGINE_load_private_key() takes four arguments */
#define HAVE_ENGINE_LOAD_FOUR_ARGS
#if defined(HAVE_OPENSSL_ENGINE_H)
#include <openssl/ui.h>
#else
/* ENGINE_load_private_key() takes three arguments */
#undef HAVE_ENGINE_LOAD_FOUR_ARGS
#endif
#if defined(HAVE_OPENSSL_PKCS12_H) && !defined(OPENSSL_IS_BORINGSSL)
/* OpenSSL has PKCS 12 support, BoringSSL does not */
#define HAVE_PKCS12_SUPPORT
#else
/* OpenSSL does not have PKCS12 support */
#undef HAVE_PKCS12_SUPPORT
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
@ -106,10 +93,7 @@
#define SSL_METHOD_QUAL
#endif
#ifdef OPENSSL_IS_BORINGSSL
/* BoringSSL has no ERR_remove_state() */
#define ERR_remove_state(x)
#elif (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif
@ -131,17 +115,8 @@
#define HAVE_X509_GET0_SIGNATURE 1
#endif
#if defined(OPENSSL_IS_BORINGSSL)
#define NO_RAND_SEED 1
/* In BoringSSL OpenSSL_add_all_algorithms does nothing */
#define OpenSSL_add_all_algorithms()
/* BoringSSL does not have CONF_modules_load_file, CONF_modules_free */
#define CONF_modules_load_file(a,b,c)
#define CONF_modules_free()
#endif
#if (OPENSSL_VERSION_NUMBER < 0x0090808fL) || defined(OPENSSL_IS_BORINGSSL)
/* not present in BoringSSL or older OpenSSL */
#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
/* not present in older OpenSSL */
#define OPENSSL_load_builtin_modules(x)
#endif
@ -175,7 +150,6 @@ static int passwd_callback(char *buf, int num, int encrypting,
* pass in an argument that is never used.
*/
#ifndef NO_RAND_SEED
#ifdef HAVE_RAND_STATUS
#define seed_enough(x) rand_enough()
static bool rand_enough(void)
@ -272,11 +246,6 @@ static void Curl_ossl_seed(struct SessionHandle *data)
ssl_seeded = TRUE;
}
}
#else
/* BoringSSL needs no seeding */
#define Curl_ossl_seed(x)
#endif
#ifndef SSL_FILETYPE_ENGINE
#define SSL_FILETYPE_ENGINE 42
@ -299,7 +268,7 @@ static int do_file_type(const char *type)
return -1;
}
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS)
#if defined(HAVE_OPENSSL_ENGINE_H)
/*
* Supply default password to the engine user interface conversation.
* The password is passed by OpenSSL engine from ENGINE_load_private_key()
@ -449,7 +418,7 @@ int cert_stuff(struct connectdata *conn,
case SSL_FILETYPE_PKCS12:
{
#ifdef HAVE_PKCS12_SUPPORT
#ifdef HAVE_OPENSSL_PKCS12_H
FILE *f;
PKCS12 *p12;
EVP_PKEY *pri;
@ -565,7 +534,6 @@ int cert_stuff(struct connectdata *conn,
{ /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL;
if(data->state.engine) {
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_METHOD *ui_method =
UI_create_method((char *)"cURL user interface");
if(!ui_method) {
@ -576,17 +544,12 @@ int cert_stuff(struct connectdata *conn,
UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
UI_method_set_reader(ui_method, ssl_ui_reader);
UI_method_set_writer(ui_method, ssl_ui_writer);
#endif
/* the typecast below was added to please mingw32 */
priv_key = (EVP_PKEY *)
ENGINE_load_private_key(data->state.engine, key_file,
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
ui_method,
#endif
data->set.str[STRING_KEY_PASSWD]);
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_destroy_method(ui_method);
#endif
if(!priv_key) {
failf(data, "failed to load private key from crypto engine");
return 0;
@ -1228,7 +1191,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct connectdata *conn,
struct ssl_connect_data *connssl)
{
@ -1670,7 +1633,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_2:
/* it will be handled later with the context options */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
!defined(LIBRESSL_VERSION_NUMBER)
req_method = TLS_client_method();
#else
req_method = SSLv23_client_method();
@ -2033,7 +1996,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus)
SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
@ -2639,7 +2602,7 @@ static CURLcode servercert(struct connectdata *conn,
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus) {
result = verifystatus(conn, connssl);
if(result) {
@ -3055,7 +3018,7 @@ void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
bool Curl_ossl_cert_status_request(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL)
!defined(OPENSSL_NO_OCSP)
return TRUE;
#else
return FALSE;