From 39c803cba216b91ff8233f6d5585468f8662d1c4 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Mon, 8 Feb 2016 23:19:31 -0500
Subject: openssl: remove most BoringSSL #ifdefs.

As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of BoringSSL #ifdefs in cURL should be unnecessary:

- BoringSSL provides no-op stubs for compatibility which replaces most #ifdefs.
- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove the compatibility codepath.
- With a small tweak to an extend_key_56_to_64 call, the NTLM code builds fine.
- Switch OCSP-related #ifdefs to the more generally useful OPENSSL_NO_OCSP.

The only #ifdefs which remain are Curl_ossl_version and the #undefs to work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves that to the consumer. The in-header workaround makes things sensitive to include order.)

This change errs on the side of removing conditionals despite many of the restored codepaths being no-ops. (BoringSSL generally adds no-op compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are bad enough!)

Closes #640
---
configure.ac | 5 +----
docs/THANKS | 1 +
lib/config-win32.h | 6 ------
lib/curl_des.c | 4 ++--
lib/curl_des.h | 4 ++--
lib/curl_ntlm_core.c | 6 +-----
lib/curl_setup.h | 4 ----
lib/vtls/openssl.c | 61 +++++++++++----------------------------------------
8 files changed, 19 insertions(+), 72 deletions(-)

diff --git a/configure.ac b/configure.ac
index 3b4139328..7af4a80a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1631,8 +1631,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
dnl Older versions of Cyassl (some time before 2.9.4) don't have
dnl SSL_get_shutdown (but this check won't actually detect it there
dnl as it's a macro that needs the header files be included)
- dnl BoringSSL didn't have DES_set_odd_parity for a while but now it is
- dnl back again.
AC_CHECK_FUNCS( RAND_status \
RAND_screen \
@@ -1640,8 +1638,7 @@ if test "$curl_ssl_msg" = "$init_ssl_msg" && test X"$OPT_SSL" != Xno; then
ENGINE_cleanup \
CRYPTO_cleanup_all_ex_data \
SSL_get_shutdown \
- SSLv2_client_method \
- DES_set_odd_parity )
+ SSLv2_client_method )
AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([
diff --git a/docs/THANKS b/docs/THANKS
index c8350897e..12e442fbd 100644
--- a/docs/THANKS
+++ b/docs/THANKS
@@ -457,6 +457,7 @@ Glen A Johnson Jr.
Glen Nakamura
Glen Scott
Glenn Sheridan
+Google Inc.
Gordon Marler
Gorilla Maguila
Grant Erickson
diff --git a/lib/config-win32.h b/lib/config-win32.h
index 3920e1fc9..269e6dbbf 100644
--- a/lib/config-win32.h
+++ b/lib/config-win32.h
@@ -228,12 +228,6 @@ This is present in OpenSSL versions after 0.9.6b */
#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1
-/* Define if you have the 'DES_set_odd_parity' function when using OpenSSL/ BoringSSL */
-#if defined(USE_OPENSSL) || defined(HAVE_BORINGSSL)
-#define HAVE_DES_SET_ODD_PARITY 1
-#endif
-
/* Define if you have the select function. */
#define HAVE_SELECT 1
diff --git a/lib/curl_des.c b/lib/curl_des.c
index 3c7e529a7..421c9f768 100644
--- a/lib/curl_des.c
+++ b/lib/curl_des.c
@@ -22,7 +22,7 @@
#include "curl_setup.h"
-#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY)
+#if defined(USE_NTLM) && !defined(USE_OPENSSL)
#include "curl_des.h"
@@ -60,4 +60,4 @@ void Curl_des_set_odd_parity(unsigned char *bytes, size_t len)
}
}
-#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */
+#endif /* USE_NTLM && !USE_OPENSSL */
diff --git a/lib/curl_des.h b/lib/curl_des.h
index 632c38432..129060ff7 100644
--- a/lib/curl_des.h
+++ b/lib/curl_des.h
@@ -24,11 +24,11 @@
#include "curl_setup.h"
-#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY)
+#if defined(USE_NTLM) && !defined(USE_OPENSSL)
/* Applies odd parity to the given byte array */
void Curl_des_set_odd_parity(unsigned char *bytes, size_t length);
-#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */
+#endif /* USE_NTLM && !USE_OPENSSL */
#endif /* HEADER_CURL_DES_H */
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index fe976c97c..e79d1f64f 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -143,14 +143,10 @@ static void setup_des_key(const unsigned char *key_56,
DES_cblock key;
/* Expand the 56-bit key to 64-bits */
- extend_key_56_to_64(key_56, (char *) key);
+ extend_key_56_to_64(key_56, (char *) &key);
/* Set the key parity to odd */
-#ifndef HAVE_DES_SET_ODD_PARITY /* older boringssl */
- Curl_des_set_odd_parity((unsigned char *) &key, sizeof(key));
-#else
DES_set_odd_parity(&key);
-#endif
/* Set the key */
DES_set_key(&key, ks);
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
index 33ad12919..516327345 100644
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -628,13 +628,9 @@ int netware_init(void);
defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
-#ifdef HAVE_BORINGSSL /* BoringSSL is not NTLM capable */
-#undef USE_NTLM
-#else
#define USE_NTLM
#endif
#endif
-#endif
/* non-configure builds may define CURL_WANTS_CA_BUNDLE_ENV */
#if defined(CURL_WANTS_CA_BUNDLE_ENV) && !defined(CURL_CA_BUNDLE)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index b36c6a611..b4f62e606 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -68,7 +68,7 @@
#include
#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
#include
#endif
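Review bot: The guard on Curl_des_set_odd_parity() now names a backend (`!defined(USE_OPENSSL)`) rather than the capability it stands in for, so the one-line comment above the prototype no longer tells a reader when this function is the one actually used. Suggest `/* Applies odd parity to the given byte array; parity fallback for the NTLM backends that have no DES_set_odd_parity() (OpenSSL builds call DES_set_odd_parity() directly, see curl_ntlm_core.c) */`, which matches the call site changed in the same commit.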
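Review bot: The change from `(char *) key` to `(char *) &key` in setup_des_key() is the "small tweak" the commit message credits for making the NTLM code build, but nothing in the code says why, so a later cleanup could easily revert it to the array-decay form and silently break that build. Add a why-comment on the new line, e.g. `/* &key, not key: both name the same 8-byte buffer, but only the address-of form compiles where DES_cblock is not a plain array */`; the exact DES_cblock definition of the other library is not visible here, so confirm the wording against its header. setup_des_key() begins before this hunk and ends after it.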
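Review bot: The ocsp.h include guard added here tests only `OPENSSL_VERSION_NUMBER` and `OPENSSL_NO_OCSP`, while the four use-site guards switched in the same commit (before verifystatus(), in ossl_connect_step1(), in servercert() and in Curl_ossl_cert_status_request()) additionally require `!defined(OPENSSL_NO_TLSEXT)`, so the include and its consumers can drift apart exactly as they did with the BoringSSL macro. Since the same three-term expression is now repeated at four sites, consider evaluating it once next to this include into a single project macro and testing that macro everywhere the status request is wired up, so the feature's preconditions live in one auditable place. The mismatch is harmless today, as an unused include only adds a header dependency, but it is the kind of divergence that hides a feature being compiled out on one configuration.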
@@ -83,21 +83,8 @@
#error "OPENSSL_VERSION_NUMBER not defined"
#endif
-#if !defined(OPENSSL_IS_BORINGSSL)
-/* ENGINE_load_private_key() takes four arguments */
-#define HAVE_ENGINE_LOAD_FOUR_ARGS
+#if defined(HAVE_OPENSSL_ENGINE_H)
#include
-#else
-/* ENGINE_load_private_key() takes three arguments */
-#undef HAVE_ENGINE_LOAD_FOUR_ARGS
-#endif
-
-#if defined(HAVE_OPENSSL_PKCS12_H) && !defined(OPENSSL_IS_BORINGSSL)
-/* OpenSSL has PKCS 12 support, BoringSSL does not */
-#define HAVE_PKCS12_SUPPORT
-#else
-/* OpenSSL does not have PKCS12 support */
-#undef HAVE_PKCS12_SUPPORT
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
@@ -106,10 +93,7 @@
#define SSL_METHOD_QUAL
#endif
-#ifdef OPENSSL_IS_BORINGSSL
-/* BoringSSL has no ERR_remove_state() */
-#define ERR_remove_state(x)
-#elif (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif
@@ -131,17 +115,8 @@
#define HAVE_X509_GET0_SIGNATURE 1
#endif
-#if defined(OPENSSL_IS_BORINGSSL)
-#define NO_RAND_SEED 1
-/* In BoringSSL OpenSSL_add_all_algorithms does nothing */
-#define OpenSSL_add_all_algorithms()
-/* BoringSSL does not have CONF_modules_load_file, CONF_modules_free */
-#define CONF_modules_load_file(a,b,c)
-#define CONF_modules_free()
-#endif
-
-#if (OPENSSL_VERSION_NUMBER < 0x0090808fL) || defined(OPENSSL_IS_BORINGSSL)
-/* not present in BoringSSL or older OpenSSL */
+#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
+/* not present in older OpenSSL */
#define OPENSSL_load_builtin_modules(x)
#endif
@@ -175,7 +150,6 @@ static int passwd_callback(char *buf, int num, int encrypting,
* pass in an argument that is never used.
*/
-#ifndef NO_RAND_SEED
#ifdef HAVE_RAND_STATUS
#define seed_enough(x) rand_enough()
static bool rand_enough(void)
@@ -272,11 +246,6 @@ static void Curl_ossl_seed(struct SessionHandle *data)
ssl_seeded = TRUE;
}
}
-#else
-/* BoringSSL needs no seeding */
-#define Curl_ossl_seed(x)
-
#ifndef SSL_FILETYPE_ENGINE
#define SSL_FILETYPE_ENGINE 42
@@ -299,7 +268,7 @@ static int do_file_type(const char *type)
return -1;
}
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS)
+#if defined(HAVE_OPENSSL_ENGINE_H)
/*
* Supply default password to the engine user interface conversation.
* The password is passed by OpenSSL engine from ENGINE_load_private_key()
@@ -449,7 +418,7 @@ int cert_stuff(struct connectdata *conn,
case SSL_FILETYPE_PKCS12:
{
-#ifdef HAVE_PKCS12_SUPPORT
+#ifdef HAVE_OPENSSL_PKCS12_H
FILE *f;
PKCS12 *p12;
EVP_PKEY *pri;
@@ -565,7 +534,6 @@ int cert_stuff(struct connectdata *conn,
{ /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL;
if(data->state.engine) {
-#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_METHOD *ui_method = UI_create_method((char *)"cURL user interface");
if(!ui_method) {
@@ -576,17 +544,12 @@ int cert_stuff(struct connectdata *conn,
UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
UI_method_set_reader(ui_method, ssl_ui_reader);
UI_method_set_writer(ui_method, ssl_ui_writer);
-#endif
/* the typecast below was added to please mingw32 */
priv_key = (EVP_PKEY *) ENGINE_load_private_key(data->state.engine, key_file,
-#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
ui_method,
-#endif
data->set.str[STRING_KEY_PASSWD]);
-#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_destroy_method(ui_method);
-#endif
if(!priv_key) {
failf(data, "failed to load private key from crypto engine");
return 0;
@@ -1228,7 +1191,7 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct connectdata *conn,
struct ssl_connect_data *connssl)
{
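Review bot: With HAVE_ENGINE_LOAD_FOUR_ARGS gone, the removed comment `/* ENGINE_load_private_key() takes four arguments */` was the only text explaining why cert_stuff() builds a UI_METHOD before calling ENGINE_load_private_key(), and the now-unconditional code carries no rationale of its own. Suggest a comment above the `UI_METHOD *ui_method = ...` line of the preceding hunk, e.g. `/* ENGINE_load_private_key() prompts through this UI_METHOD; ssl_ui_reader/ssl_ui_writer answer with the configured key password */`, which restates what the ssl_ui_reader block's own header says. cert_stuff() begins and ends outside this hunk.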
@@ -1670,7 +1633,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
case CURL_SSLVERSION_TLSv1_2:
/* it will be handled later with the context options */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
- !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+ !defined(LIBRESSL_VERSION_NUMBER)
req_method = TLS_client_method();
#else
req_method = SSLv23_client_method();
@@ -2033,7 +1996,7 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus)
SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
@@ -2639,7 +2602,7 @@ static CURLcode servercert(struct connectdata *conn,
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus) {
result = verifystatus(conn, connssl);
if(result) {
@@ -3055,7 +3018,7 @@ void Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
bool Curl_ossl_cert_status_request(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
return TRUE;
#else
return FALSE;
--
cgit v1.2.3