1
0
mirror of https://github.com/moparisthebest/curl synced 2024-12-21 15:48:49 -05:00

openssl: remove most BoringSSL #ifdefs.

As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most
  #ifdefs.

- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
  the compatibility codepath.

- With a small tweak to an extend_key_56_to_64 call, the NTLM code
  builds fine.

- Switch OCSP-related #ifdefs to the more generally useful
  OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)

This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)

Closes #640
This commit is contained in:
David Benjamin 2016-02-08 23:19:31 -05:00 committed by Daniel Stenberg
parent 674b57e76b
commit 39c803cba2
8 changed files with 19 additions and 72 deletions

View File

@ -1631,8 +1631,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
dnl Older versions of Cyassl (some time before 2.9.4) don't have dnl Older versions of Cyassl (some time before 2.9.4) don't have
dnl SSL_get_shutdown (but this check won't actually detect it there dnl SSL_get_shutdown (but this check won't actually detect it there
dnl as it's a macro that needs the header files be included) dnl as it's a macro that needs the header files be included)
dnl BoringSSL didn't have DES_set_odd_parity for a while but now it is
dnl back again.
AC_CHECK_FUNCS( RAND_status \ AC_CHECK_FUNCS( RAND_status \
RAND_screen \ RAND_screen \
@ -1640,8 +1638,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
ENGINE_cleanup \ ENGINE_cleanup \
CRYPTO_cleanup_all_ex_data \ CRYPTO_cleanup_all_ex_data \
SSL_get_shutdown \ SSL_get_shutdown \
SSLv2_client_method \ SSLv2_client_method )
DES_set_odd_parity )
AC_MSG_CHECKING([for BoringSSL]) AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([ AC_COMPILE_IFELSE([

View File

@ -457,6 +457,7 @@ Glen A Johnson Jr.
Glen Nakamura Glen Nakamura
Glen Scott Glen Scott
Glenn Sheridan Glenn Sheridan
Google Inc.
Gordon Marler Gordon Marler
Gorilla Maguila Gorilla Maguila
Grant Erickson Grant Erickson

View File

@ -228,12 +228,6 @@
This is present in OpenSSL versions after 0.9.6b */ This is present in OpenSSL versions after 0.9.6b */
#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1 #define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1
/* Define if you have the 'DES_set_odd_parity' function when using OpenSSL/
BoringSSL */
#if defined(USE_OPENSSL) || defined(HAVE_BORINGSSL)
#define HAVE_DES_SET_ODD_PARITY 1
#endif
/* Define if you have the select function. */ /* Define if you have the select function. */
#define HAVE_SELECT 1 #define HAVE_SELECT 1

View File

@ -22,7 +22,7 @@
#include "curl_setup.h" #include "curl_setup.h"
#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY) #if defined(USE_NTLM) && !defined(USE_OPENSSL)
#include "curl_des.h" #include "curl_des.h"
@ -60,4 +60,4 @@ void Curl_des_set_odd_parity(unsigned char *bytes, size_t len)
} }
} }
#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */ #endif /* USE_NTLM && !USE_OPENSSL */

View File

@ -24,11 +24,11 @@
#include "curl_setup.h" #include "curl_setup.h"
#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY) #if defined(USE_NTLM) && !defined(USE_OPENSSL)
/* Applies odd parity to the given byte array */ /* Applies odd parity to the given byte array */
void Curl_des_set_odd_parity(unsigned char *bytes, size_t length); void Curl_des_set_odd_parity(unsigned char *bytes, size_t length);
#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */ #endif /* USE_NTLM && !USE_OPENSSL */
#endif /* HEADER_CURL_DES_H */ #endif /* HEADER_CURL_DES_H */

View File

@ -143,14 +143,10 @@ static void setup_des_key(const unsigned char *key_56,
DES_cblock key; DES_cblock key;
/* Expand the 56-bit key to 64-bits */ /* Expand the 56-bit key to 64-bits */
extend_key_56_to_64(key_56, (char *) key); extend_key_56_to_64(key_56, (char *) &key);
/* Set the key parity to odd */ /* Set the key parity to odd */
#ifndef HAVE_DES_SET_ODD_PARITY /* older boringssl */
Curl_des_set_odd_parity((unsigned char *) &key, sizeof(key));
#else
DES_set_odd_parity(&key); DES_set_odd_parity(&key);
#endif
/* Set the key */ /* Set the key */
DES_set_key(&key, ks); DES_set_key(&key, ks);

View File

@ -628,13 +628,9 @@ int netware_init(void);
defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \ defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO) defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
#ifdef HAVE_BORINGSSL /* BoringSSL is not NTLM capable */
#undef USE_NTLM
#else
#define USE_NTLM #define USE_NTLM
#endif #endif
#endif #endif
#endif
/* non-configure builds may define CURL_WANTS_CA_BUNDLE_ENV */ /* non-configure builds may define CURL_WANTS_CA_BUNDLE_ENV */
#if defined(CURL_WANTS_CA_BUNDLE_ENV) && !defined(CURL_CA_BUNDLE) #if defined(CURL_WANTS_CA_BUNDLE_ENV) && !defined(CURL_CA_BUNDLE)

View File

@ -68,7 +68,7 @@
#include <openssl/pkcs12.h> #include <openssl/pkcs12.h>
#endif #endif
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_IS_BORINGSSL) #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
#include <openssl/ocsp.h> #include <openssl/ocsp.h>
#endif #endif
@ -83,21 +83,8 @@
#error "OPENSSL_VERSION_NUMBER not defined" #error "OPENSSL_VERSION_NUMBER not defined"
#endif #endif
#if !defined(OPENSSL_IS_BORINGSSL) #if defined(HAVE_OPENSSL_ENGINE_H)
/* ENGINE_load_private_key() takes four arguments */
#define HAVE_ENGINE_LOAD_FOUR_ARGS
#include <openssl/ui.h> #include <openssl/ui.h>
#else
/* ENGINE_load_private_key() takes three arguments */
#undef HAVE_ENGINE_LOAD_FOUR_ARGS
#endif
#if defined(HAVE_OPENSSL_PKCS12_H) && !defined(OPENSSL_IS_BORINGSSL)
/* OpenSSL has PKCS 12 support, BoringSSL does not */
#define HAVE_PKCS12_SUPPORT
#else
/* OpenSSL does not have PKCS12 support */
#undef HAVE_PKCS12_SUPPORT
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L #if OPENSSL_VERSION_NUMBER >= 0x00909000L
@ -106,10 +93,7 @@
#define SSL_METHOD_QUAL #define SSL_METHOD_QUAL
#endif #endif
#ifdef OPENSSL_IS_BORINGSSL #if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
/* BoringSSL has no ERR_remove_state() */
#define ERR_remove_state(x)
#elif (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#define HAVE_ERR_REMOVE_THREAD_STATE 1 #define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif #endif
@ -131,17 +115,8 @@
#define HAVE_X509_GET0_SIGNATURE 1 #define HAVE_X509_GET0_SIGNATURE 1
#endif #endif
#if defined(OPENSSL_IS_BORINGSSL) #if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
#define NO_RAND_SEED 1 /* not present in older OpenSSL */
/* In BoringSSL OpenSSL_add_all_algorithms does nothing */
#define OpenSSL_add_all_algorithms()
/* BoringSSL does not have CONF_modules_load_file, CONF_modules_free */
#define CONF_modules_load_file(a,b,c)
#define CONF_modules_free()
#endif
#if (OPENSSL_VERSION_NUMBER < 0x0090808fL) || defined(OPENSSL_IS_BORINGSSL)
/* not present in BoringSSL or older OpenSSL */
#define OPENSSL_load_builtin_modules(x) #define OPENSSL_load_builtin_modules(x)
#endif #endif
@ -175,7 +150,6 @@ static int passwd_callback(char *buf, int num, int encrypting,
* pass in an argument that is never used. * pass in an argument that is never used.
*/ */
#ifndef NO_RAND_SEED
#ifdef HAVE_RAND_STATUS #ifdef HAVE_RAND_STATUS
#define seed_enough(x) rand_enough() #define seed_enough(x) rand_enough()
static bool rand_enough(void) static bool rand_enough(void)
@ -272,11 +246,6 @@ static void Curl_ossl_seed(struct SessionHandle *data)
ssl_seeded = TRUE; ssl_seeded = TRUE;
} }
} }
#else
/* BoringSSL needs no seeding */
#define Curl_ossl_seed(x)
#endif
#ifndef SSL_FILETYPE_ENGINE #ifndef SSL_FILETYPE_ENGINE
#define SSL_FILETYPE_ENGINE 42 #define SSL_FILETYPE_ENGINE 42
@ -299,7 +268,7 @@ static int do_file_type(const char *type)
return -1; return -1;
} }
#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS) #if defined(HAVE_OPENSSL_ENGINE_H)
/* /*
* Supply default password to the engine user interface conversation. * Supply default password to the engine user interface conversation.
* The password is passed by OpenSSL engine from ENGINE_load_private_key() * The password is passed by OpenSSL engine from ENGINE_load_private_key()
@ -449,7 +418,7 @@ int cert_stuff(struct connectdata *conn,
case SSL_FILETYPE_PKCS12: case SSL_FILETYPE_PKCS12:
{ {
#ifdef HAVE_PKCS12_SUPPORT #ifdef HAVE_OPENSSL_PKCS12_H
FILE *f; FILE *f;
PKCS12 *p12; PKCS12 *p12;
EVP_PKEY *pri; EVP_PKEY *pri;
@ -565,7 +534,6 @@ int cert_stuff(struct connectdata *conn,
{ /* XXXX still needs some work */ { /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL; EVP_PKEY *priv_key = NULL;
if(data->state.engine) { if(data->state.engine) {
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_METHOD *ui_method = UI_METHOD *ui_method =
UI_create_method((char *)"cURL user interface"); UI_create_method((char *)"cURL user interface");
if(!ui_method) { if(!ui_method) {
@ -576,17 +544,12 @@ int cert_stuff(struct connectdata *conn,
UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL())); UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
UI_method_set_reader(ui_method, ssl_ui_reader); UI_method_set_reader(ui_method, ssl_ui_reader);
UI_method_set_writer(ui_method, ssl_ui_writer); UI_method_set_writer(ui_method, ssl_ui_writer);
#endif
/* the typecast below was added to please mingw32 */ /* the typecast below was added to please mingw32 */
priv_key = (EVP_PKEY *) priv_key = (EVP_PKEY *)
ENGINE_load_private_key(data->state.engine, key_file, ENGINE_load_private_key(data->state.engine, key_file,
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
ui_method, ui_method,
#endif
data->set.str[STRING_KEY_PASSWD]); data->set.str[STRING_KEY_PASSWD]);
#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_destroy_method(ui_method); UI_destroy_method(ui_method);
#endif
if(!priv_key) { if(!priv_key) {
failf(data, "failed to load private key from crypto engine"); failf(data, "failed to load private key from crypto engine");
return 0; return 0;
@ -1228,7 +1191,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
} }
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct connectdata *conn, static CURLcode verifystatus(struct connectdata *conn,
struct ssl_connect_data *connssl) struct ssl_connect_data *connssl)
{ {
@ -1670,7 +1633,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_2: case CURL_SSLVERSION_TLSv1_2:
/* it will be handled later with the context options */ /* it will be handled later with the context options */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
!defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL) !defined(LIBRESSL_VERSION_NUMBER)
req_method = TLS_client_method(); req_method = TLS_client_method();
#else #else
req_method = SSLv23_client_method(); req_method = SSLv23_client_method();
@ -2033,7 +1996,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
} }
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus) if(data->set.ssl.verifystatus)
SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp); SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
#endif #endif
@ -2639,7 +2602,7 @@ static CURLcode servercert(struct connectdata *conn,
} }
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus) { if(data->set.ssl.verifystatus) {
result = verifystatus(conn, connssl); result = verifystatus(conn, connssl);
if(result) { if(result) {
@ -3055,7 +3018,7 @@ void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
bool Curl_ossl_cert_status_request(void) bool Curl_ossl_cert_status_request(void)
{ {
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \ #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
!defined(OPENSSL_IS_BORINGSSL) !defined(OPENSSL_NO_OCSP)
return TRUE; return TRUE;
#else #else
return FALSE; return FALSE;