Support building with OpenSSL 1.1.0 and BoringSSL

Summary: More work to get wangle compiling. wangle/facebook/http pulls in proxygen libs and that's another pain altogether, so this only makes the rest of wangle build with 1.1.0 and BoringSSL Depends on D4406876 Reviewed By: ngoyal Differential Revision: D4767060 fbshipit-source-id: bd6bc6959d04028c84360e434f6bbdb2cde2faac

Support building with OpenSSL 1.1.0 and BoringSSL
Summary: More work to get wangle compiling. wangle/facebook/http pulls in proxygen libs and that's another pain altogether, so this only makes the rest of wangle build with 1.1.0 and BoringSSL Depends on D4406876 Reviewed By: ngoyal Differential Revision: D4767060 fbshipit-source-id: bd6bc6959d04028c84360e434f6bbdb2cde2faac
cff341f9 · Anirudh Ramachandran · Facebook Github Bot · 95c8e072 · cff341f9 · cff341f9
Commit cff341f9 authored Apr 03, 2017 by Anirudh Ramachandran Committed by Facebook Github Bot Apr 03, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 48 additions and 1 deletion

folly/portability/OpenSSL.cpp folly/portability/OpenSSL.cpp +43 -1

folly/portability/OpenSSL.h folly/portability/OpenSSL.h +5 -0

No files found.
--- a/folly/portability/OpenSSL.cpp
+++ b/folly/portability/OpenSSL.cpp
@@ -26,7 +26,7 @@ namespace ssl {

 #else
 ////////////////////////////////////////////////////////////////////////////////
-// APIs needed in BoringSSL and OpenSSL != 1.1.0 (1.0.2, 1.0.1, 1.0.0...)
+// APIs needed in BoringSSL and OpenSSL < 1.1.0 (i.e., 1.0.2, 1.0.1, 1.0.0, etc)
 ////////////////////////////////////////////////////////////////////////////////
 void BIO_meth_free(BIO_METHOD* biom) {
  OPENSSL_free((void*)biom);
@@ -74,6 +74,48 @@ void HMAC_CTX_free(HMAC_CTX* ctx) {
  }
 }

+int SSL_SESSION_has_ticket(const SSL_SESSION* s) {
+  return (s->tlsext_ticklen > 0) ? 1 : 0;
+}
+
+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION* s) {
+  return s->tlsext_tick_lifetime_hint;
+}
+
+// This is taken from OpenSSL 1.1.0
+int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {
+  /* If the fields p and g in d are NULL, the corresponding input
+   * parameters MUST be non-NULL.  q may remain NULL.
+   */
+  if (dh == nullptr || (dh->p == nullptr && p == nullptr) ||
+      (dh->g == nullptr && g == nullptr)) {
+    return 0;
+  }
+
+  if (p != nullptr) {
+    BN_free(dh->p);
+    dh->p = p;
+  }
+  if (q != nullptr) {
+    BN_free(dh->q);
+    dh->q = q;
+  }
+  if (g != nullptr) {
+    BN_free(dh->g);
+    dh->g = g;
+  }
+
+  // In OpenSSL 1.1.0, DH_set0_pqg also sets
+  //   dh->length = BN_num_bits(q)
+  // With OpenSSL 1.0.2, the output of openssl dhparam -C 2048 doesn't set
+  // the length field. So as far as the compat lib is concerned, this wrapper
+  // mimics the functionality of OpenSSL 1.0.2
+  // Note: BoringSSL doesn't even have a length field anymore, just something
+  // called 'priv_length'. Let's not mess with that for now.
+
+  return 1;
+}
+
 #ifdef OPENSSL_IS_BORINGSSL
 ////////////////////////////////////////////////////////////////////////////////
 // APIs needed in BoringSSL only

--- a/folly/portability/OpenSSL.h
+++ b/folly/portability/OpenSSL.h
@@ -28,6 +28,7 @@
 // This must come before the OpenSSL includes.
 #include <folly/portability/Windows.h>

+#include <openssl/dh.h>
 #include <openssl/evp.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
@@ -91,6 +92,10 @@ void EVP_MD_CTX_free(EVP_MD_CTX* ctx);
 HMAC_CTX* HMAC_CTX_new(void);
 void HMAC_CTX_free(HMAC_CTX* ctx);

+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION* s);
+int SSL_SESSION_has_ticket(const SSL_SESSION*);
+int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g);
+
 #ifdef OPENSSL_IS_BORINGSSL
 ////////////////////////////////////////////////////////////////////////////////
 // APIs needed in BoringSSL only