From f0d2c9f94bbc08b22633f1a20a9ee1982c50d208 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Tue, 29 Sep 2015 23:31:50 +0900
Subject: [PATCH] Compile with BoringSSL

Compile with BoringSSL except for neverbleed and libnghttp2_asio. The former uses ENGINE and RSA_METHOD, and they are quite different between OpenSSL and BoringSSL. The latter uses boost::asio, which calls OpenSSL functions deleted in BoringSSL.
---
 examples/Makefile.am | 3 ++-
 examples/client.c | 7 +++++--
 examples/libevent-client.c | 6 ++++--
 examples/libevent-server.c | 7 +++++--
 src/HttpServer.cc | 18 +++---------------
 src/h2load.cc | 24 +++++-------------------
 src/nghttp.cc | 23 ++++-------------------
 src/nghttpd.cc | 6 ++----
 src/shrpx-unittest.cc | 7 ++-----
 src/shrpx.cc | 8 ++------
 src/shrpx_connection.cc | 6 +-----
 src/shrpx_connection_handler.cc | 4 ++++
 src/shrpx_ssl.cc | 4 ++++
 src/ssl.cc | 8 ++++++++
 src/ssl.h | 3 +++
 15 files changed, 54 insertions(+), 80 deletions(-)
diff --git a/examples/Makefile.am b/examples/Makefile.am
index 5bcf2d10..e2dad1d6 100644
--- a/examples/Makefile.am
+++ b/examples/Makefile.am
@@ -36,7 +36,8 @@ AM_CPPFLAGS = \
 LDADD = $(top_builddir)/lib/libnghttp2.la \
 $(top_builddir)/third-party/libhttp-parser.la \
 @LIBEVENT_OPENSSL_LIBS@ \
- @OPENSSL_LIBS@
+ @OPENSSL_LIBS@ \
+ @APPLDFLAGS@
 noinst_PROGRAMS = client libevent-client libevent-server deflate
diff --git a/examples/client.c b/examples/client.c
index 29bca5ba..09bf7593 100644
--- a/examples/client.c
+++ b/examples/client.c
@@ -53,6 +53,8 @@
 #include
 #include
 #include
+#include
+#include
 #include
@@ -692,10 +694,11 @@ int main(int argc, char **argv) {
 act.sa_handler = SIG_IGN;
 sigaction(SIGPIPE, &act, 0);
+#ifndef OPENSSL_IS_BORINGSSL
+ OPENSSL_config(NULL);
+#endif /* OPENSSL_IS_BORINGSSL */
 SSL_load_error_strings();
 SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(NULL);
 rv = parse_uri(&uri, argv[1]);
 if (rv != 0) {
diff --git a/examples/libevent-client.c b/examples/libevent-client.c
index c3363070..7061e78b 100644
--- a/examples/libevent-client.c
+++ b/examples/libevent-client.c
@@ -52,6 +52,7 @@ char *strndup(const char *s, size_t size);
 #include
 #endif
 #include
+#include
 #include
 #include
@@ -568,10 +569,11 @@ int main(int argc, char **argv) {
 act.sa_handler = SIG_IGN;
 sigaction(SIGPIPE, &act, NULL);
+#ifndef OPENSSL_IS_BORINGSSL
+ OPENSSL_config(NULL);
+#endif /* OPENSSL_IS_BORINGSSL */
 SSL_load_error_strings();
 SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(NULL);
 run(argv[1]);
 return 0;
diff --git a/examples/libevent-server.c b/examples/libevent-server.c
index cc82a1c5..3a9ddfbc 100644
--- a/examples/libevent-server.c
+++ b/examples/libevent-server.c
@@ -59,6 +59,8 @@
 #ifndef __sgi
 #include
 #endif
+#include
+#include
 #include
 #include
@@ -738,10 +740,11 @@ int main(int argc, char **argv) {
 act.sa_handler = SIG_IGN;
 sigaction(SIGPIPE, &act, NULL);
+#ifndef OPENSSL_IS_BORINGSSL
+ OPENSSL_config(NULL);
+#endif /* OPENSSL_IS_BORINGSSL */
 SSL_load_error_strings();
 SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(NULL);
 run(argv[1], argv[2], argv[3]);
 return 0;
diff --git a/src/HttpServer.cc b/src/HttpServer.cc
index 491890b4..f3d17d24 100644
--- a/src/HttpServer.cc
+++ b/src/HttpServer.cc
@@ -539,11 +539,7 @@ int Http2Handler::tls_handshake() {
 auto rv = SSL_do_handshake(ssl_);
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl_, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -588,11 +584,7 @@ int Http2Handler::read_tls() {
 for (;;) {
 auto rv = SSL_read(ssl_, buf.data(), buf.size());
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl_, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
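Review bot: A zero return from SSL_do_handshake in Http2Handler::tls_handshake now relies on the switch's default arm, which lies outside the hunk, to end the connection. With OpenSSL 1.0.x and BoringSSL, SSL_get_error() on a 0 result yields SSL_ERROR_ZERO_RETURN (peer sent close_notify), SSL_ERROR_SSL, or SSL_ERROR_SYSCALL with an empty error queue (TCP closed without close_notify, the truncation TLS is meant to detect), never WANT_READ/WANT_WRITE, so behaviour is preserved only as long as every non-WANT_* arm returns -1. Please confirm that arm in each of the ten hunks that make the same edit (Http2Handler::read_tls/write_tls, Client::tls_handshake/read_tls/write_tls in h2load.cc, HttpClient::tls_handshake/read_tls/write_tls in nghttp.cc, and Connection::write_tls in shrpx_connection.cc, whose failure value is SHRPX_ERR_NETWORK). I would also record the intent above the new condition: `// rv == 0 (close_notify or EOF) is classified by SSL_get_error below; only the WANT_* results are retryable`.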
@@ -634,11 +626,7 @@ int Http2Handler::write_tls() {
 if (wb_.rleft() > 0) {
 auto rv = SSL_write(ssl_, wb_.pos, wb_.rleft());
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl_, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
diff --git a/src/h2load.cc b/src/h2load.cc
index fa2b671d..cffca894 100644
--- a/src/h2load.cc
+++ b/src/h2load.cc
@@ -810,11 +810,7 @@ int Client::tls_handshake() {
 auto rv = SSL_do_handshake(ssl);
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -848,11 +844,7 @@ int Client::read_tls() {
 for (;;) {
 auto rv = SSL_read(ssl, buf, sizeof(buf));
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -878,11 +870,7 @@ int Client::write_tls() {
 if (wb.rleft() > 0) {
 auto rv = SSL_write(ssl, wb.pos, wb.rleft());
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -1423,13 +1411,11 @@ Options:
 } // namespace
 int main(int argc, char **argv) {
+ ssl::libssl_init();
+
 #ifndef NOTHREADS
 ssl::LibsslGlobalLock lock;
 #endif // NOTHREADS
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(nullptr);
 std::string datafile;
 bool nreqs_set_manually = false;
diff --git a/src/nghttp.cc b/src/nghttp.cc
index 7e5dc7c2..f8c0e576 100644
--- a/src/nghttp.cc
+++ b/src/nghttp.cc
@@ -1110,11 +1110,7 @@ int HttpClient::tls_handshake() {
 auto rv = SSL_do_handshake(ssl);
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -1152,11 +1148,7 @@ int HttpClient::read_tls() {
 for (;;) {
 auto rv = SSL_read(ssl, buf.data(), buf.size());
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -1184,11 +1176,7 @@ int HttpClient::write_tls() {
 if (wb.rleft() > 0) {
 auto rv = SSL_write(ssl, wb.pos, wb.rleft());
- if (rv == 0) {
- return -1;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
@@ -2475,10 +2463,7 @@ Options:
 } // namespace
 int main(int argc, char **argv) {
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(nullptr);
+ ssl::libssl_init();
 bool color = false;
 while (1) {
diff --git a/src/nghttpd.cc b/src/nghttpd.cc
index 7f11efd5..d0fddcb2 100644
--- a/src/nghttpd.cc
+++ b/src/nghttpd.cc
@@ -172,13 +172,11 @@ Options:
 } // namespace
 int main(int argc, char **argv) {
+ ssl::libssl_init();
+
 #ifndef NOTHREADS
 ssl::LibsslGlobalLock lock;
 #endif // NOTHREADS
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(nullptr);
 Config config;
 bool color = false;
diff --git a/src/shrpx-unittest.cc b/src/shrpx-unittest.cc
index 45009089..b51c242f 100644
--- a/src/shrpx-unittest.cc
+++ b/src/shrpx-unittest.cc
@@ -29,8 +29,6 @@
 #include
 #include
 #include
-#include
-#include
 // include test cases' include files here
 #include "shrpx_ssl_test.h"
 #include "shrpx_downstream_test.h"
@@ -41,6 +39,7 @@
 #include "buffer_test.h"
 #include "memchunk_test.h"
 #include "shrpx_config.h"
+#include "ssl.h"
 static int init_suite1(void) { return 0; }
@@ -50,9 +49,7 @@ int main(int argc, char *argv[]) {
 CU_pSuite pSuite = NULL;
 unsigned int num_tests_failed;
- OpenSSL_add_all_algorithms();
- SSL_load_error_strings();
- SSL_library_init();
+ nghttp2::ssl::libssl_init();
 shrpx::create_config();
diff --git a/src/shrpx.cc b/src/shrpx.cc
index 6795e4f2..b80786b6 100644
--- a/src/shrpx.cc
+++ b/src/shrpx.cc
@@ -1633,15 +1633,11 @@ Misc:
 } // namespace
 int main(int argc, char **argv) {
+ nghttp2::ssl::libssl_init();
+
 #ifndef NOTHREADS
 nghttp2::ssl::LibsslGlobalLock lock;
 #endif // NOTHREADS
- // Initialize OpenSSL before parsing options because we create
- // SSL_CTX there.
- SSL_load_error_strings();
- SSL_library_init();
- OpenSSL_add_all_algorithms();
- OPENSSL_config(nullptr);
 Log::set_severity_level(NOTICE);
 create_config();
diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc
index 1a197e45..0ed80f57 100644
--- a/src/shrpx_connection.cc
+++ b/src/shrpx_connection.cc
@@ -538,11 +538,7 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
 auto rv = SSL_write(tls.ssl, data, len);
- if (rv == 0) {
- return SHRPX_ERR_NETWORK;
- }
-
- if (rv < 0) {
+ if (rv <= 0) {
 auto err = SSL_get_error(tls.ssl, rv);
 switch (err) {
 case SSL_ERROR_WANT_READ:
diff --git a/src/shrpx_connection_handler.cc b/src/shrpx_connection_handler.cc
index 9b432b1e..76e1edc6 100644
--- a/src/shrpx_connection_handler.cc
+++ b/src/shrpx_connection_handler.cc
@@ -599,11 +599,15 @@ void ConnectionHandler::handle_ocsp_complete() {
 << " finished successfully";
 }
+#ifndef OPENSSL_IS_BORINGSSL
 {
 std::lock_guard g(tls_ctx_data->mu);
 tls_ctx_data->ocsp_data = std::make_shared>(std::move(ocsp_.resp));
 }
+#else // OPENSSL_IS_BORINGSSL
+ SSL_CTX_set_ocsp_response(ssl_ctx, ocsp_.resp.data(), ocsp_.resp.size());
+#endif // OPENSSL_IS_BORINGSSL
 ++ocsp_.next;
 proceed_next_cert_ocsp();
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index a37b5199..5d72cbbf 100644
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -153,6 +153,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 }
 } // namespace
+#ifndef OPENSSL_IS_BORINGSSL
 namespace {
 std::shared_ptr>
 get_ocsp_data(TLSContextData *tls_ctx_data) {
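Review bot: The removed comment "Initialize OpenSSL before parsing options because we create SSL_CTX there" was the only statement of why initialization sits at the top of shrpx.cc's main(), and the replacement `nghttp2::ssl::libssl_init();` inherits that constraint without saying so. Keep the why-comment on the new call: `// Initialize OpenSSL before parsing options because we create SSL_CTX there.` directly above `nghttp2::ssl::libssl_init();`. The main() hunks in h2load.cc and nghttpd.cc introduce the same call with the same silent ordering requirement and would benefit from the same line.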
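Review bot: The BoringSSL branch of ConnectionHandler::handle_ocsp_complete replaces the context's stapled OCSP response with `SSL_CTX_set_ocsp_response(ssl_ctx, ...)` under no synchronization, while the OpenSSL branch publishes the equivalent data under `tls_ctx_data->mu` because handshakes on other threads read it. If that SSL_CTX is shared with worker threads that may be mid-handshake when a periodic OCSP refresh completes, the unsynchronized swap of the context's response buffer is a data race unless BoringSSL guarantees the setter is safe against concurrent handshakes; I cannot confirm that from this hunk, so please verify before relying on it and leave a note either way: `// NOTE(review): confirm SSL_CTX_set_ocsp_response is safe to call while handshakes on ssl_ctx are in flight`. The two branches also leave `ocsp_.resp` in different states (moved-from vs. intact), which deserves a comment if any later code reads it. The enclosing function and the definition of `ssl_ctx` start outside the hunk.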
@@ -187,6 +188,7 @@ int ocsp_resp_cb(SSL *ssl, void *arg) {
 return SSL_TLSEXT_ERR_OK;
 }
 } // namespace
+#endif // OPENSSL_IS_BORINGSSL
 constexpr char MEMCACHED_SESSION_CACHE_KEY_PREFIX[] =
 "nghttpx:tls-session-cache:";
@@ -604,7 +606,9 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
 }
 SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
 SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
+#ifndef OPENSSL_IS_BORINGSSL
 SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
+#endif // OPENSSL_IS_BORINGSSL
 SSL_CTX_set_info_callback(ssl_ctx, info_callback);
 // NPN advertisement
diff --git a/src/ssl.cc b/src/ssl.cc
index 7aecafd3..15f020f2 100644
--- a/src/ssl.cc
+++ b/src/ssl.cc
@@ -695,6 +695,14 @@ bool check_http2_requirement(SSL *ssl) {
 return true;
 }
+void libssl_init() {
+#ifndef OPENSSL_IS_BORINGSSL
+ OPENSSL_config(nullptr);
+#endif // OPENSSL_IS_BORINGSSL
+ SSL_load_error_strings();
+ SSL_library_init();
+}
+
 } // namespace ssl
 } // namespace nghttp2
diff --git a/src/ssl.h b/src/ssl.h
index ddebd907..d73f543d 100644
--- a/src/ssl.h
+++ b/src/ssl.h
@@ -67,6 +67,9 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl);
 // described in RFC 7540.
 bool check_http2_requirement(SSL *ssl);
+// Initializes OpenSSL library
+void libssl_init();
+
 } // namespace ssl
 } // namespace nghttp2
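Review bot: libssl_init() drops the OpenSSL_add_all_algorithms() call that every replaced call site used to make; on OpenSSL 1.0.x SSL_library_init() registers only the ciphers and digests libssl itself needs, so any code in the tree that resolves an algorithm by name (EVP_get_digestbyname/EVP_get_cipherbyname, or PEM private-key decryption with a cipher outside that set) may now get a NULL on OpenSSL builds. No such caller is visible in this diff, so either confirm there is none or keep the call behind the same `#ifndef OPENSSL_IS_BORINGSSL`. The BoringSSL exclusion of OPENSSL_config() also deserves its reason in a comment, since the next reader will wonder whether a BoringSSL configuration is being skipped: `// BoringSSL has no configuration-file support, so OPENSSL_config() is OpenSSL-only`.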
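Review bot: `// Initializes OpenSSL library` restates the function name; what a caller needs is the contract, which this patch otherwise loses when it deletes the ordering comment from shrpx.cc's main(). Suggest replacing it with: `// Initializes libssl/libcrypto (error strings, TLS algorithms and, on OpenSSL builds, the default configuration file). Call once from the main thread before any SSL_CTX is created and before any thread that uses OpenSSL is started.`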