Message ID | 20140919172807.DB887E0650@agl-b.sfo.corp.google.com |
---|---|
State | Superseded |
Headers | show |
On Thu, Sep 18, 2014 at 06:40:03PM -0700, Adam Langley wrote: > BoringSSL is Google's cleanup of OpenSSL and an attempt to unify > Chromium, Android and internal codebases around a single OpenSSL. > > As part of moving Android to BoringSSL, the wpa_supplicant maintainers > in Android requested that I upstream the change. I've worked to reduce > the size of the patch a lot but I'm afraid that it still contains a > number of #ifdefs. Thanks! This looks mostly reasonable. Could you please read the top level CONTRIBUTIONS file (*) and provide Signed-off-by: line for the patch so that I can apply this? (*) http://w1.fi/cgit/hostap/plain/CONTRIBUTIONS > One change worth noting (which I didn't #ifdef) is the switch from the > deprecated ERR_remove_state to ERR_remove_thread_state. I think this is > generally applicable because upstream have deprecated it, but it does > require OpenSSL 1.0.0 or greater (i.e. not 0.9.8). I'm still trying to support 0.9.8, so this will need to be made to use suitable #ifdef or maybe the cleanest options would be to just do something like this as a backwards compatibility wrapper: #if OPENSSL_VERSION_NUMBER < 0x10000000L #define ERR_remove_thread_state(tid) ERR_remove_state(0) #endif > diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c > @@ -38,14 +38,20 @@ > -#ifdef SSL_F_SSL_SET_SESSION_TICKET_EXT > -#ifdef SSL_OP_NO_TICKET > +#if (defined(SSL_F_SSL_SET_SESSION_TICKET_EXT) && defined(SSL_OP_NO_TICKET)) ||\ > + defined(OPENSSL_IS_BORINGSSL) I guess this is because of SSL_F_SSL_SET_SESSION_TICKET_EXT not being defined in BoringSSL. This could be cleaner to convert to OPENSSL_VERSION_NUMBER >= 0x10000000L (or something similar.. I don't remember why I ended up using SSL_F_SSL_SET_SESSION_TICKET_EXT instead.. the early days (well, years..) of EAP-FAST support was somewhat of a mess with OpenSSL).
On Sun, Sep 28, 2014 at 10:31 AM, Jouni Malinen <j@w1.fi> wrote: > Thanks! This looks mostly reasonable. Could you please read the top > level CONTRIBUTIONS file (*) and provide Signed-off-by: line for the > patch so that I can apply this? Done. > I'm still trying to support 0.9.8, so this will need to be made to use > suitable #ifdef or maybe the cleanest options would be to just do > something like this as a backwards compatibility wrapper: > > #if OPENSSL_VERSION_NUMBER < 0x10000000L > #define ERR_remove_thread_state(tid) ERR_remove_state(0) > #endif Done. > I guess this is because of SSL_F_SSL_SET_SESSION_TICKET_EXT not being > defined in BoringSSL. This could be cleaner to convert to > OPENSSL_VERSION_NUMBER >= 0x10000000L (or something similar.. I don't > remember why I ended up using SSL_F_SSL_SET_SESSION_TICKET_EXT instead.. > the early days (well, years..) of EAP-FAST support was somewhat of a > mess with OpenSSL). I check when each of these defines was added to OpenSSL: SSL_OP_NO_TICKET - bbfc6ac0 (Sat Aug 11 2007) SSL_F_SSL_SET_SESSION_TICKET_EXT - 12bf56c0 (Sat Nov 15 2008) Thus I believe that 1.0.0 was the first release that included them and have updated the #if accordingly. Will resend the patch in a second. Thanks! Cheers AGL
diff --git a/src/crypto/crypto_openssl.c b/src/crypto/crypto_openssl.c index 8876ebf..da4d5ef 100644 --- a/src/crypto/crypto_openssl.c +++ b/src/crypto/crypto_openssl.c @@ -40,7 +40,7 @@ static BIGNUM * get_group5_prime(void) { -#if OPENSSL_VERSION_NUMBER < 0x00908000 +#if OPENSSL_VERSION_NUMBER < 0x00908000 || defined(OPENSSL_IS_BORINGSSL) static const unsigned char RFC3526_PRIME_1536[] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xC9,0x0F,0xDA,0xA2, 0x21,0x68,0xC2,0x34,0xC4,0xC6,0x62,0x8B,0x80,0xDC,0x1C,0xD1, @@ -199,8 +199,10 @@ static const EVP_CIPHER * aes_get_evp_cipher(size_t keylen) switch (keylen) { case 16: return EVP_aes_128_ecb(); +#if !defined(OPENSSL_IS_BORINGSSL) case 24: return EVP_aes_192_ecb(); +#endif case 32: return EVP_aes_256_ecb(); } @@ -378,9 +380,11 @@ struct crypto_cipher * crypto_cipher_init(enum crypto_cipher_alg alg, case 16: cipher = EVP_aes_128_cbc(); break; +#if !defined(OPENSSL_IS_BORINGSSL) case 24: cipher = EVP_aes_192_cbc(); break; +#endif case 32: cipher = EVP_aes_256_cbc(); break; diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index d2d6600..6db3755 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -38,14 +38,20 @@ #define OPENSSL_SUPPORTS_CTX_APP_DATA #endif -#ifdef SSL_F_SSL_SET_SESSION_TICKET_EXT -#ifdef SSL_OP_NO_TICKET +#if (defined(SSL_F_SSL_SET_SESSION_TICKET_EXT) && defined(SSL_OP_NO_TICKET)) ||\ + defined(OPENSSL_IS_BORINGSSL) /* * Session ticket override patch was merged into OpenSSL 0.9.9 tree on * 2008-11-15. This version uses a bit different API compared to the old patch. */ #define CONFIG_OPENSSL_TICKET_OVERRIDE #endif + +#if defined(OPENSSL_IS_BORINGSSL) +/* stack_index_t is the return type of OpenSSL's sk_XXX_num() functions. */ +typedef size_t stack_index_t; +#else +typedef int stack_index_t; #endif #ifdef SSL_set_tlsext_status_type @@ -853,7 +859,7 @@ void tls_deinit(void *ssl_ctx) ENGINE_cleanup(); #endif /* OPENSSL_NO_ENGINE */ CRYPTO_cleanup_all_ex_data(); - ERR_remove_state(0); + ERR_remove_thread_state(NULL); ERR_free_strings(); EVP_cleanup(); os_free(tls_global->ocsp_stapling_response); @@ -1102,7 +1108,8 @@ static int tls_match_altsubject_component(X509 *cert, int type, { GENERAL_NAME *gen; void *ext; - int i, found = 0; + int found = 0; + stack_index_t i; ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); @@ -1639,7 +1646,7 @@ static int tls_connection_ca_cert(void *_ssl_ctx, struct tls_connection *conn, if (ca_cert && os_strncmp("keystore://", ca_cert, 11) == 0) { BIO *bio = BIO_from_keystore(&ca_cert[11]); STACK_OF(X509_INFO) *stack = NULL; - int i; + stack_index_t i; if (bio) { stack = PEM_X509_INFO_read_bio(bio, NULL, NULL, NULL); diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c index fdcff7f..d62303b 100644 --- a/src/eap_common/eap_pwd_common.c +++ b/src/eap_common/eap_pwd_common.c @@ -106,9 +106,11 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, case 21: nid = NID_secp521r1; break; +#if !defined(OPENSSL_IS_BORINGSSL) case 25: nid = NID_X9_62_prime192v1; break; +#endif case 26: nid = NID_secp224r1; break;