Commit 0b609244 authored by Tatsuhiro Tsujikawa

src: Compile with boringssl for non-http3 build

parent fa7a916e
......@@ -2845,19 +2845,26 @@ int main(int argc, char **argv) {
exit(EXIT_FAILURE);
}
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, config.tls13_ciphers.c_str()) == 0) {
std::cerr << "SSL_CTX_set_ciphersuites with " << config.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr)
<< std::endl;
exit(EXIT_FAILURE);
}
#endif // OPENSSL_1_1_1_API
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set1_groups_list(ssl_ctx, config.groups.c_str()) != 1) {
std::cerr << "SSL_CTX_set1_groups_list failed" << std::endl;
exit(EXIT_FAILURE);
}
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
if (SSL_CTX_set1_curves_list(ssl_ctx, config.groups.c_str()) != 1) {
std::cerr << "SSL_CTX_set1_curves_list failed" << std::endl;
exit(EXIT_FAILURE);
}
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_proto_select_cb(ssl_ctx, client_select_next_proto_cb,
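Review bot: The failure messages in the new group/curve fallback (`"SSL_CTX_set1_groups_list failed"` and `"SSL_CTX_set1_curves_list failed"`) drop the library error string that the ciphersuite check just above prints, so a rejected groups value gives the operator no hint about which entry was refused; `std::cerr << "SSL_CTX_set1_curves_list failed: " << ERR_error_string(ERR_get_error(), nullptr) << std::endl;` (and the same for the `set1_groups_list` branch) would match the message at the top of the hunk. Separately, on BoringSSL builds `config.tls13_ciphers` is now never applied because the `SSL_CTX_set_ciphersuites` call is compiled out, so a user-supplied TLS 1.3 suite list is silently ignored; a one-line warning to `std::cerr` when the string is non-empty under `OPENSSL_IS_BORINGSSL` would make that visible. `main` starts and ends outside this hunk.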
......
......@@ -397,7 +397,7 @@ int Connection::tls_handshake() {
ERR_clear_error();
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (!tls.server_handshake || tls.early_data_finish) {
rv = SSL_do_handshake(tls.ssl);
} else {
......@@ -449,9 +449,9 @@ int Connection::tls_handshake() {
}
}
}
#else // !OPENSSL_1_1_1_API
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
rv = SSL_do_handshake(tls.ssl);
#endif // !OPENSSL_1_1_1_API
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv);
......@@ -698,7 +698,7 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
ERR_clear_error();
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
int rv;
if (SSL_is_init_finished(tls.ssl)) {
rv = SSL_write(tls.ssl, data, len);
......@@ -710,9 +710,9 @@ ssize_t Connection::write_tls(const void *data, size_t len) {
rv = nwrite;
}
}
#else // !OPENSSL_1_1_1_API
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
auto rv = SSL_write(tls.ssl, data, len);
#endif // !OPENSSL_1_1_1_API
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
if (rv <= 0) {
auto err = SSL_get_error(tls.ssl, rv);
......@@ -772,7 +772,7 @@ ssize_t Connection::read_tls(void *data, size_t len) {
tls.last_readlen = 0;
}
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (!tls.early_data_finish) {
// TLSv1.3 handshake is still going on.
size_t nread;
......@@ -811,7 +811,7 @@ ssize_t Connection::read_tls(void *data, size_t len) {
}
return nread;
}
#endif // OPENSSL_1_1_1_API
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
auto rv = SSL_read(tls.ssl, data, len);
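Review bot: The `#else` branch in `tls_handshake` (the hunk around `rv = SSL_do_handshake(tls.ssl);`) now also covers BoringSSL, where the early-data branch that is compiled out — including whatever updates `tls.early_data_finish` — never runs, and `read_tls` and `write_tls` skip their early-data handling under the same guard, so the BoringSSL path is coherent only because 0-RTT is never attempted on it. That invariant deserves a comment at the `#else`, e.g. `// Pre-1.1.1 OpenSSL and BoringSSL: no 0-RTT handling on this path, a plain handshake is sufficient.` As far as I know BoringSSL keeps early data off unless `SSL_CTX_set_early_data_enabled` is called; if that is ever turned on, the plain `SSL_read`/`SSL_write` calls would be the ones receiving early data without the replay-aware logic, so the comment should say that enabling it requires revisiting these three functions. `tls_handshake`, `write_tls` and `read_tls` all begin outside their hunks.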
......
......@@ -731,7 +731,8 @@ int quic_alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
# endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // ENABLE_HTTP3
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#if !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L && \
!defined(OPENSSL_IS_BORINGSSL)
# ifndef TLSEXT_TYPE_signed_certificate_timestamp
# define TLSEXT_TYPE_signed_certificate_timestamp 18
......@@ -821,7 +822,8 @@ int legacy_sct_parse_cb(SSL *ssl, unsigned int ext_type,
} // namespace
# endif // !OPENSSL_1_1_1_API
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L &&
// !defined(OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_PSK
namespace {
......@@ -931,14 +933,14 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION | SSL_OP_SINGLE_ECDH_USE |
SSL_OP_SINGLE_DH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
// The reason for disabling built-in anti-replay in OpenSSL is
// that it only works if client gets back to the same server.
// The freshness check described in
// https://tools.ietf.org/html/rfc8446#section-8.3 is still
// performed.
| SSL_OP_NO_ANTI_REPLAY
#endif // OPENSSL_1_1_1_API
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
;
auto config = mod_config();
......@@ -969,13 +971,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
DIE();
}
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_EC
# if !LIBRESSL_LEGACY_API && OPENSSL_VERSION_NUMBER >= 0x10002000L
......@@ -1172,13 +1174,13 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file,
#endif // !LIBRESSL_IN_USE && OPENSSL_VERSION_NUMBER >= 0x10002000L &&
// !defined(OPENSSL_IS_BORINGSSL)
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_max_early_data(ssl_ctx, tlsconf.max_early_data) != 1) {
LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
<< ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
#ifndef OPENSSL_NO_PSK
SSL_CTX_set_psk_server_callback(ssl_ctx, psk_server_cb);
......@@ -1616,14 +1618,14 @@ SSL_CTX *create_ssl_client_context(
DIE();
}
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.client.tls13_ciphers.c_str()) ==
0) {
LOG(FATAL) << "SSL_CTX_set_ciphersuites " << tlsconf.client.tls13_ciphers
<< " failed: " << ERR_error_string(ERR_get_error(), nullptr);
DIE();
}
#endif // OPENSSL_1_1_1_API
#endif // OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
......@@ -2625,7 +2627,7 @@ namespace {
int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
int rv;
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
struct tm tm;
rv = ASN1_TIME_to_tm(at, &tm);
if (rv != 1) {
......@@ -2633,7 +2635,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
}
t = nghttp2_timegm(&tm);
#else // !OPENSSL_1_1_1_API
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
auto b = BIO_new(BIO_s_mem());
if (!b) {
return -1;
......@@ -2659,7 +2661,7 @@ int time_t_from_asn1_time(time_t &t, const ASN1_TIME *at) {
}
t = tt;
#endif // !OPENSSL_1_1_1_API
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
return 0;
}
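Review bot: On BoringSSL builds the operator's `tlsconf.tls13_ciphers`, `tlsconf.client.tls13_ciphers` and `tlsconf.max_early_data` are now never applied, because the `SSL_CTX_set_ciphersuites` and `SSL_CTX_set_max_early_data` calls in these hunks are compiled out, and nothing tells the operator that their TLS 1.3 suite selection or 0-RTT limit is being ignored. Since this commit makes the default TLS 1.3 list the empty string for BoringSSL, a non-empty value means it was set explicitly, so an `#else` arm that logs a warning would surface the silent no-op; the same pattern fits the client-context hunk and the `max_early_data` hunk. The severity macro below is assumed to be the logger's `LOG(WARN)`; adjust to whatever level the file's logger provides. `create_ssl_context` begins and ends outside these hunks.
```cpp
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
  if (SSL_CTX_set_ciphersuites(ssl_ctx, tlsconf.tls13_ciphers.c_str()) == 0) {
    // … unchanged: LOG(FATAL) and DIE() …
  }
#else  // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
  // TLS 1.3 cipher suites are not configurable with this library; make the
  // silent no-op visible when the operator set a list explicitly.
  if (!tlsconf.tls13_ciphers.empty()) {
    LOG(WARN) << "tls13-ciphers " << tlsconf.tls13_ciphers
              << " is ignored: this TLS library does not allow configuring "
                 "TLS 1.3 cipher suites";
  }
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
```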
......
......@@ -57,11 +57,11 @@ constexpr char DEFAULT_CIPHER_LIST[] =
"AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
constexpr char DEFAULT_TLS13_CIPHER_LIST[] =
#if OPENSSL_1_1_1_API
#if OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL)
TLS_DEFAULT_CIPHERSUITES
#else // !OPENSSL_1_1_1_API
#else // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
""
#endif // !OPENSSL_1_1_1_API
#endif // !(OPENSSL_1_1_1_API && !defined(OPENSSL_IS_BORINGSSL))
;
constexpr auto NGHTTP2_TLS_MIN_VERSION = TLS1_VERSION;
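Review bot: The empty-string default for `DEFAULT_TLS13_CIPHER_LIST` now also applies to BoringSSL, a library that does negotiate TLS 1.3, and nothing at the definition says why the list is empty there; a reader would otherwise assume TLS 1.3 is unavailable in that build. Suggest a comment above the `#if`: `// Empty when the library does not let applications pick TLS 1.3 suites (pre-1.1.1 OpenSSL, BoringSSL); in that case the value is never passed to SSL_CTX_set_ciphersuites.` The section is the whole `DEFAULT_TLS13_CIPHER_LIST` definition; the surrounding header continues outside the hunk.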
......