Compile with BoringSSL

Compile with BoringSSL except for neverbleed and libnghttp2_asio.  The
former uses ENGINE and RSA_METHOD, and they are quite different
between OpenSSL and BoringSSL.  The latter uses boost::asio, which
calls OpenSSL functions deleted in BoringSSL.

examples/Makefile.am

@@ -36,7 +36,8 @@ AM_CPPFLAGS = \
 LDADD = $(top_builddir)/lib/libnghttp2.la \
 	$(top_builddir)/third-party/libhttp-parser.la \
 	@LIBEVENT_OPENSSL_LIBS@ \
-	@OPENSSL_LIBS@
+	@OPENSSL_LIBS@ \
+	@APPLDFLAGS@
 
 noinst_PROGRAMS = client libevent-client libevent-server deflate
 

examples/client.c

@@ -53,6 +53,8 @@
 #include <signal.h>
 #include <stdio.h>
 #include <assert.h>
+#include <string.h>
+#include <errno.h>
 
 #include <nghttp2/nghttp2.h>
 
@@ -692,10 +694,11 @@ int main(int argc, char **argv) {
   act.sa_handler = SIG_IGN;
   sigaction(SIGPIPE, &act, 0);
 
+#ifndef OPENSSL_IS_BORINGSSL
+  OPENSSL_config(NULL);
+#endif /* OPENSSL_IS_BORINGSSL */
   SSL_load_error_strings();
   SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(NULL);
 
   rv = parse_uri(&uri, argv[1]);
   if (rv != 0) {

examples/libevent-client.c

@@ -52,6 +52,7 @@ char *strndup(const char *s, size_t size);
 #include <err.h>
 #endif
 #include <signal.h>
+#include <string.h>
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -568,10 +569,11 @@ int main(int argc, char **argv) {
   act.sa_handler = SIG_IGN;
   sigaction(SIGPIPE, &act, NULL);
 
+#ifndef OPENSSL_IS_BORINGSSL
+  OPENSSL_config(NULL);
+#endif /* OPENSSL_IS_BORINGSSL */
   SSL_load_error_strings();
   SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(NULL);
 
   run(argv[1]);
   return 0;

examples/libevent-server.c

@@ -59,6 +59,8 @@
 #ifndef __sgi
 #include <err.h>
 #endif
+#include <string.h>
+#include <errno.h>
 
 #include <openssl/ssl.h>
 #include <openssl/err.h>
@@ -738,10 +740,11 @@ int main(int argc, char **argv) {
   act.sa_handler = SIG_IGN;
   sigaction(SIGPIPE, &act, NULL);
 
+#ifndef OPENSSL_IS_BORINGSSL
+  OPENSSL_config(NULL);
+#endif /* OPENSSL_IS_BORINGSSL */
   SSL_load_error_strings();
   SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(NULL);
 
   run(argv[1], argv[2], argv[3]);
   return 0;

src/HttpServer.cc

@@ -539,11 +539,7 @@ int Http2Handler::tls_handshake() {
 
   auto rv = SSL_do_handshake(ssl_);
 
-  if (rv == 0) {
-    return -1;
-  }
-
-  if (rv < 0) {
+  if (rv <= 0) {
     auto err = SSL_get_error(ssl_, rv);
     switch (err) {
     case SSL_ERROR_WANT_READ:
@@ -588,11 +584,7 @@ int Http2Handler::read_tls() {
   for (;;) {
     auto rv = SSL_read(ssl_, buf.data(), buf.size());
 
-    if (rv == 0) {
-      return -1;
-    }
-
-    if (rv < 0) {
+    if (rv <= 0) {
       auto err = SSL_get_error(ssl_, rv);
       switch (err) {
       case SSL_ERROR_WANT_READ:
@@ -634,11 +626,7 @@ int Http2Handler::write_tls() {
     if (wb_.rleft() > 0) {
       auto rv = SSL_write(ssl_, wb_.pos, wb_.rleft());
 
-      if (rv == 0) {
-        return -1;
-      }
-
-      if (rv < 0) {
+      if (rv <= 0) {
         auto err = SSL_get_error(ssl_, rv);
         switch (err) {
         case SSL_ERROR_WANT_READ:

src/h2load.cc

@@ -810,11 +810,7 @@ int Client::tls_handshake() {
 
   auto rv = SSL_do_handshake(ssl);
 
-  if (rv == 0) {
-    return -1;
-  }
-
-  if (rv < 0) {
+  if (rv <= 0) {
     auto err = SSL_get_error(ssl, rv);
     switch (err) {
     case SSL_ERROR_WANT_READ:
@@ -848,11 +844,7 @@ int Client::read_tls() {
   for (;;) {
     auto rv = SSL_read(ssl, buf, sizeof(buf));
 
-    if (rv == 0) {
-      return -1;
-    }
-
-    if (rv < 0) {
+    if (rv <= 0) {
       auto err = SSL_get_error(ssl, rv);
       switch (err) {
       case SSL_ERROR_WANT_READ:
@@ -878,11 +870,7 @@ int Client::write_tls() {
     if (wb.rleft() > 0) {
       auto rv = SSL_write(ssl, wb.pos, wb.rleft());
 
-      if (rv == 0) {
-        return -1;
-      }
-
-      if (rv < 0) {
+      if (rv <= 0) {
         auto err = SSL_get_error(ssl, rv);
         switch (err) {
         case SSL_ERROR_WANT_READ:
@@ -1423,13 +1411,11 @@ Options:
 } // namespace
 
 int main(int argc, char **argv) {
+  ssl::libssl_init();
+
 #ifndef NOTHREADS
   ssl::LibsslGlobalLock lock;
 #endif // NOTHREADS
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(nullptr);
 
   std::string datafile;
   bool nreqs_set_manually = false;

src/nghttp.cc

@@ -1110,11 +1110,7 @@ int HttpClient::tls_handshake() {
 
   auto rv = SSL_do_handshake(ssl);
 
-  if (rv == 0) {
-    return -1;
-  }
-
-  if (rv < 0) {
+  if (rv <= 0) {
     auto err = SSL_get_error(ssl, rv);
     switch (err) {
     case SSL_ERROR_WANT_READ:
@@ -1152,11 +1148,7 @@ int HttpClient::read_tls() {
   for (;;) {
     auto rv = SSL_read(ssl, buf.data(), buf.size());
 
-    if (rv == 0) {
-      return -1;
-    }
-
-    if (rv < 0) {
+    if (rv <= 0) {
       auto err = SSL_get_error(ssl, rv);
       switch (err) {
       case SSL_ERROR_WANT_READ:
@@ -1184,11 +1176,7 @@ int HttpClient::write_tls() {
     if (wb.rleft() > 0) {
       auto rv = SSL_write(ssl, wb.pos, wb.rleft());
 
-      if (rv == 0) {
-        return -1;
-      }
-
-      if (rv < 0) {
+      if (rv <= 0) {
         auto err = SSL_get_error(ssl, rv);
         switch (err) {
         case SSL_ERROR_WANT_READ:
@@ -2475,10 +2463,7 @@ Options:
 } // namespace
 
 int main(int argc, char **argv) {
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(nullptr);
+  ssl::libssl_init();
 
   bool color = false;
   while (1) {

src/nghttpd.cc

@@ -172,13 +172,11 @@ Options:
 } // namespace
 
 int main(int argc, char **argv) {
+  ssl::libssl_init();
+
 #ifndef NOTHREADS
   ssl::LibsslGlobalLock lock;
 #endif // NOTHREADS
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(nullptr);
 
   Config config;
   bool color = false;

src/shrpx-unittest.cc

@@ -29,8 +29,6 @@
 #include <stdio.h>
 #include <string.h>
 #include <CUnit/Basic.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
 // include test cases' include files here
 #include "shrpx_ssl_test.h"
 #include "shrpx_downstream_test.h"
@@ -41,6 +39,7 @@
 #include "buffer_test.h"
 #include "memchunk_test.h"
 #include "shrpx_config.h"
+#include "ssl.h"
 
 static int init_suite1(void) { return 0; }
 
@@ -50,9 +49,7 @@ int main(int argc, char *argv[]) {
   CU_pSuite pSuite = NULL;
   unsigned int num_tests_failed;
 
-  OpenSSL_add_all_algorithms();
-  SSL_load_error_strings();
-  SSL_library_init();
+  nghttp2::ssl::libssl_init();
 
   shrpx::create_config();
 

src/shrpx.cc

@@ -1633,15 +1633,11 @@ Misc:
 } // namespace
 
 int main(int argc, char **argv) {
+  nghttp2::ssl::libssl_init();
+
 #ifndef NOTHREADS
   nghttp2::ssl::LibsslGlobalLock lock;
 #endif // NOTHREADS
-  // Initialize OpenSSL before parsing options because we create
-  // SSL_CTX there.
-  SSL_load_error_strings();
-  SSL_library_init();
-  OpenSSL_add_all_algorithms();
-  OPENSSL_config(nullptr);
 
   Log::set_severity_level(NOTICE);
   create_config();

src/shrpx_connection.cc

@@ -538,11 +538,7 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
 
   auto rv = SSL_write(tls.ssl, data, len);
 
-  if (rv == 0) {
-    return SHRPX_ERR_NETWORK;
-  }
-
-  if (rv < 0) {
+  if (rv <= 0) {
     auto err = SSL_get_error(tls.ssl, rv);
     switch (err) {
     case SSL_ERROR_WANT_READ:

src/shrpx_connection_handler.cc

@@ -599,11 +599,15 @@ void ConnectionHandler::handle_ocsp_complete() {
               << " finished successfully";
   }
 
+#ifndef OPENSSL_IS_BORINGSSL
   {
     std::lock_guard<std::mutex> g(tls_ctx_data->mu);
     tls_ctx_data->ocsp_data =
         std::make_shared<std::vector<uint8_t>>(std::move(ocsp_.resp));
   }
+#else  // OPENSSL_IS_BORINGSSL
+  SSL_CTX_set_ocsp_response(ssl_ctx, ocsp_.resp.data(), ocsp_.resp.size());
+#endif // OPENSSL_IS_BORINGSSL
 
   ++ocsp_.next;
   proceed_next_cert_ocsp();

src/shrpx_ssl.cc

@@ -153,6 +153,7 @@ int servername_callback(SSL *ssl, int *al, void *arg) {
 }
 } // namespace
 
+#ifndef OPENSSL_IS_BORINGSSL
 namespace {
 std::shared_ptr<std::vector<uint8_t>>
 get_ocsp_data(TLSContextData *tls_ctx_data) {
@@ -187,6 +188,7 @@ int ocsp_resp_cb(SSL *ssl, void *arg) {
   return SSL_TLSEXT_ERR_OK;
 }
 } // namespace
+#endif // OPENSSL_IS_BORINGSSL
 
 constexpr char MEMCACHED_SESSION_CACHE_KEY_PREFIX[] =
     "nghttpx:tls-session-cache:";
@@ -604,7 +606,9 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
   }
   SSL_CTX_set_tlsext_servername_callback(ssl_ctx, servername_callback);
   SSL_CTX_set_tlsext_ticket_key_cb(ssl_ctx, ticket_key_cb);
+#ifndef OPENSSL_IS_BORINGSSL
   SSL_CTX_set_tlsext_status_cb(ssl_ctx, ocsp_resp_cb);
+#endif // OPENSSL_IS_BORINGSSL
   SSL_CTX_set_info_callback(ssl_ctx, info_callback);
 
   // NPN advertisement

src/ssl.cc

@@ -695,6 +695,14 @@ bool check_http2_requirement(SSL *ssl) {
   return true;
 }
 
+void libssl_init() {
+#ifndef OPENSSL_IS_BORINGSSL
+  OPENSSL_config(nullptr);
+#endif // OPENSSL_IS_BORINGSSL
+  SSL_load_error_strings();
+  SSL_library_init();
+}
+
 } // namespace ssl
 
 } // namespace nghttp2

src/ssl.h

@@ -67,6 +67,9 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl);
 //    described in RFC 7540.
 bool check_http2_requirement(SSL *ssl);
 
+// Initializes OpenSSL library
+void libssl_init();
+
 } // namespace ssl
 
 } // namespace nghttp2