[PATCH 2 of 2] SSL: let it build against BoringSSL

Maxim Dounin mdounin at mdounin.ru
Tue Jul 29 22:15:34 UTC 2014


Hello!

On Mon, Jul 28, 2014 at 04:03:36PM -0700, Piotr Sikora wrote:

> # HG changeset patch
> # User Piotr Sikora <piotr at cloudflare.com>
> # Date 1406575677 25200
> #      Mon Jul 28 12:27:57 2014 -0700
> # Node ID e3086fd5e59335f4f3f165ee74c094a7aca2aeb3
> # Parent  bb74dfefeec04aae5a3a86ace2df45d03f691ded
> SSL: let it build against BoringSSL.
> 
> This change adds support for using BoringSSL as a drop-in replacement
> for OpenSSL without adding support for any of the BoringSSL-specific
> features.
> 
> The #ifndefs around SSL_CTX_set_tmp_rsa_callback() aren't strictly
> necessary, since that function still exists in BoringSSL as a no-op,
> but they clearly mark the unsupported feature.

I think that it's a better idea to preserve the common code rather 
than to add unneeded #ifndef's.

> 
> Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
> 
> diff -r bb74dfefeec0 -r e3086fd5e593 src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c	Mon Jul 28 12:27:57 2014 -0700
> +++ b/src/event/ngx_event_openssl.c	Mon Jul 28 12:27:57 2014 -0700
> @@ -106,7 +106,9 @@ int  ngx_ssl_stapling_index;
>  ngx_int_t
>  ngx_ssl_init(ngx_log_t *log)
>  {
> +#ifndef OPENSSL_IS_BORINGSSL
>      OPENSSL_config(NULL);
> +#endif
>  
>      SSL_library_init();
>      SSL_load_error_strings();
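Review bot: the `#ifndef OPENSSL_IS_BORINGSSL` around `OPENSSL_config(NULL)` carries no comment saying why the call (which loads the OpenSSL configuration file) is skipped, so a later reader cannot tell whether BoringSSL lacks the function or simply never reads a configuration file; a one-line comment above the `#ifndef` stating the reason would make the guard self-explanatory, and the commit message could mention that a BoringSSL build consequently consults no openssl.cnf.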
> @@ -217,7 +219,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
>      SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
>  #endif
>  
> +#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
>      SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
> +#endif
> +
>      SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
>      SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
>  
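Review bot: guarding `SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG)` with `#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG` is the right shape, since a feature test keeps working with any library that drops the macro rather than only BoringSSL; for consistency the same guard could be applied to the adjacent `SSL_OP_TLS_D5_BUG` and `SSL_OP_TLS_BLOCK_PADDING_BUG` lines, or the commit message could state that BoringSSL still defines those, so a later removal of either option does not need a second patch.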

No objections to these two changes.

> @@ -382,8 +387,13 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
>          if (--tries) {
>              n = ERR_peek_error();
>  
> +#ifdef OPENSSL_IS_BORINGSSL
> +            if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
> +                && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
> +#else
>              if (ERR_GET_LIB(n) == ERR_LIB_EVP
>                  && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
> +#endif
>              {
>                  ERR_clear_error();
>                  SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
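Review bot: the `#ifdef OPENSSL_IS_BORINGSSL` / `#else` pair duplicates the whole `if` when only the library and reason constants differ; defining the two constants once under the conditional (for example `#define NGX_SSL_BAD_DECRYPT_LIB ERR_LIB_CIPHER` and `#define NGX_SSL_BAD_DECRYPT_REASON CIPHER_R_BAD_DECRYPT` in the BoringSSL branch, with the EVP pair in the other) and keeping a single comparison avoids the two conditions drifting apart. The retry with the next password (`++pwd`) happens only when this test matches, so if BoringSSL moves the error code again the remaining `tries` are silently never used and the first wrong password becomes fatal; a comment next to the BoringSSL branch naming where `CIPHER_R_BAD_DECRYPT` is raised would help whoever has to revisit this mapping.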

This one scares me though.  In particular, because BoringSSL 
managed to move various EVP_* functions to the CIPHER library, and 
this looks strange.  I also wonder how many similar changes are 
unnoticed because they don't break the build...

-- 
Maxim Dounin
http://nginx.org/