From cff341f907bce289559edb3600ba13c65e336acf Mon Sep 17 00:00:00 2001
From: Anirudh Ramachandran
Date: Mon, 3 Apr 2017 23:30:01 -0700
Subject: [PATCH] Support building with OpenSSL 1.1.0 and BoringSSL

Summary:
More work to get wangle compiling. wangle/facebook/http pulls in proxygen libs and that's another pain altogether, so this only makes the rest of wangle build with 1.1.0 and BoringSSL

Depends on D4406876

Reviewed By: ngoyal

Differential Revision: D4767060

fbshipit-source-id: bd6bc6959d04028c84360e434f6bbdb2cde2faac
---
 folly/portability/OpenSSL.cpp | 44 ++++++++++++++++++++++++++++++++++-
 folly/portability/OpenSSL.h | 5 ++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/folly/portability/OpenSSL.cpp b/folly/portability/OpenSSL.cpp
index 04512f64..6c1f66dc 100644
--- a/folly/portability/OpenSSL.cpp
+++ b/folly/portability/OpenSSL.cpp
@@ -26,7 +26,7 @@ namespace ssl {
 #else
 ////////////////////////////////////////////////////////////////////////////////
-// APIs needed in BoringSSL and OpenSSL != 1.1.0 (1.0.2, 1.0.1, 1.0.0...)
+// APIs needed in BoringSSL and OpenSSL < 1.1.0 (i.e., 1.0.2, 1.0.1, 1.0.0, etc)
 ////////////////////////////////////////////////////////////////////////////////
 void BIO_meth_free(BIO_METHOD* biom) {
 OPENSSL_free((void*)biom);
@@ -74,6 +74,48 @@ void HMAC_CTX_free(HMAC_CTX* ctx) {
 }
 }
+int SSL_SESSION_has_ticket(const SSL_SESSION* s) {
+ return (s->tlsext_ticklen > 0) ? 1 : 0;
+}
+
+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION* s) {
+ return s->tlsext_tick_lifetime_hint;
+}
+
+// This is taken from OpenSSL 1.1.0
+int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {
+ /* If the fields p and g in d are NULL, the corresponding input
+ * parameters MUST be non-NULL. q may remain NULL.
+ */
+ if (dh == nullptr || (dh->p == nullptr && p == nullptr) ||
+ (dh->g == nullptr && g == nullptr)) {
+ return 0;
+ }
+
+ if (p != nullptr) {
+ BN_free(dh->p);
+ dh->p = p;
+ }
+ if (q != nullptr) {
+ BN_free(dh->q);
+ dh->q = q;
+ }
+ if (g != nullptr) {
+ BN_free(dh->g);
+ dh->g = g;
+ }
+
+ // In OpenSSL 1.1.0, DH_set0_pqg also sets
+ // dh->length = BN_num_bits(q)
+ // With OpenSSL 1.0.2, the output of openssl dhparam -C 2048 doesn't set
+ // the length field. So as far as the compat lib is concerned, this wrapper
+ // mimics the functionality of OpenSSL 1.0.2
+ // Note: BoringSSL doesn't even have a length field anymore, just something
+ // called 'priv_length'. Let's not mess with that for now.
+
+ return 1;
+}
+
 #ifdef OPENSSL_IS_BORINGSSL
 ////////////////////////////////////////////////////////////////////////////////
 // APIs needed in BoringSSL only
diff --git a/folly/portability/OpenSSL.h b/folly/portability/OpenSSL.h
index dc6ac483..d105dc47 100644
--- a/folly/portability/OpenSSL.h
+++ b/folly/portability/OpenSSL.h
@@ -28,6 +28,7 @@
 // This must come before the OpenSSL includes.
 #include
+#include
 #include
 #include
 #include
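Review bot: `DH_set0_pqg` transfers ownership of `p`, `q` and `g` into `dh` on success (the old values are `BN_free`d in place) but leaves them with the caller when it returns 0, and neither the wrapper nor its header says so; a caller that ignores the return value, or passes the same `BIGNUM*` for two parameters, will leak or double-free. I would add above the definition: `// Ownership: on success (1) dh owns p, q and g and releases them in DH_free; on failure (0) the caller still owns all three. Never pass the same BIGNUM for two parameters.` The `dh == nullptr` guard appears to be an addition over the upstream code the comment says this is copied from; stating that in the same comment keeps someone from "fixing" it back. The two `SSL_SESSION_*` accessors read `tlsext_ticklen` and `tlsext_tick_lifetime_hint` straight out of the session struct, and since this `#else` branch is also compiled for BoringSSL that presumably only holds while BoringSSL keeps `SSL_SESSION` non-opaque and does not export these symbol names itself — a TODO there would flag the fragility.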
@@ -91,6 +92,10 @@ void EVP_MD_CTX_free(EVP_MD_CTX* ctx);
 HMAC_CTX* HMAC_CTX_new(void);
 void HMAC_CTX_free(HMAC_CTX* ctx);
+unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION* s);
+int SSL_SESSION_has_ticket(const SSL_SESSION*);
+int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g);
+
 #ifdef OPENSSL_IS_BORINGSSL
 ////////////////////////////////////////////////////////////////////////////////
 // APIs needed in BoringSSL only
-- 
2.34.1
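Review bot: The new declaration `int SSL_SESSION_has_ticket(const SSL_SESSION*);` drops the parameter name while its two neighbours and the definition in OpenSSL.cpp keep it; write it as `int SSL_SESSION_has_ticket(const SSL_SESSION* s);`. The header also carries no documentation for the three new entry points, and it is where callers of the compat layer will look: a short comment over `DH_set0_pqg` saying it takes ownership of `p`, `q`, `g` on success, leaves them with the caller on failure, and, unlike OpenSSL 1.1.0, does not update `dh->length` (the deviation is explained only in the .cpp) would save a trip into the implementation. A one-line comment over the two `SSL_SESSION_*` accessors noting that they mirror the 1.1.0 API for builds where the library does not provide them would complete it.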