[PATCH 2 of 2] SSL: let it build against BoringSSL

Piotr Sikora piotr at cloudflare.com
Mon Jul 28 23:03:36 UTC 2014


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1406575677 25200
#      Mon Jul 28 12:27:57 2014 -0700
# Node ID e3086fd5e59335f4f3f165ee74c094a7aca2aeb3
# Parent  bb74dfefeec04aae5a3a86ace2df45d03f691ded
SSL: let it build against BoringSSL.

This change adds support for using BoringSSL as a drop-in replacement
for OpenSSL without adding support for any of the BoringSSL-specific
features.

The #ifndefs around SSL_CTX_set_tmp_rsa_callback() aren't strictly
necessary, since that function still exists in BoringSSL as a no-op,
but they clearly mark the unsupported feature.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r bb74dfefeec0 -r e3086fd5e593 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.c	Mon Jul 28 12:27:57 2014 -0700
@@ -106,7 +106,9 @@ int  ngx_ssl_stapling_index;
 ngx_int_t
 ngx_ssl_init(ngx_log_t *log)
 {
+#ifndef OPENSSL_IS_BORINGSSL
     OPENSSL_config(NULL);
+#endif
 
     SSL_library_init();
     SSL_load_error_strings();
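Review bot: The new `#endif` closing `#ifndef OPENSSL_IS_BORINGSSL` carries no comment naming the condition it closes; here the guarded span is one line, but the same guard later wraps the whole ngx_ssl_rsa512_key_callback definition with the `#ifndef` in one hunk and the `#endif` in the next, and recurs in ngx_event_openssl.h, ngx_http_ssl_module.c and ngx_mail_ssl_module.c. Writing `#endif /* OPENSSL_IS_BORINGSSL */` at each closing keeps the long spans readable and lets a reader of the BoringSSL build see at a glance which code is absent. It would also help to record next to this guard that the BoringSSL build therefore skips loading the default OpenSSL configuration, e.g. `/* BoringSSL has no OPENSSL_config(); no openssl.cnf is read */`, since that is a behavioural difference an operator might otherwise not expect.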
@@ -217,7 +219,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
     SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
 #endif
 
+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
     SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
+#endif
+
     SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
     SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
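Review bot: Only SSL_OP_SSLEAY_080_CLIENT_DH_BUG is wrapped in `#ifdef`, while SSL_OP_TLS_D5_BUG and SSL_OP_TLS_BLOCK_PADDING_BUG two lines below stay unguarded, so the reader cannot tell whether those two are known to exist in BoringSSL or were simply not hit yet; if they are also undefined there the build still breaks at this point. A one-line comment next to the new `#ifdef`, e.g. `/* not defined by BoringSSL */`, would record why this option alone is guarded, and guarding the other legacy bug-workaround options the same way would make the block uniform (the `#endif` on the line above this hunk suggests the MSIE option already has such a guard, though its `#ifdef` is outside the hunk). ngx_ssl_create starts and ends outside the hunk.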
 
@@ -382,8 +387,13 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
         if (--tries) {
             n = ERR_peek_error();
 
+#ifdef OPENSSL_IS_BORINGSSL
+            if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
+                && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
+#else
             if (ERR_GET_LIB(n) == ERR_LIB_EVP
                 && ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+#endif
             {
                 ERR_clear_error();
                 SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
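Review bot: Duplicating the whole `if` condition under `#ifdef`/`#else` while the opening `{` on the following line is shared is fragile: a later edit to one branch (say, adding a second reason code for a wrong password) is easy to miss in the other, and this condition is what decides whether the next password from the file is tried or the retry loop gives up. Mapping the library/reason pair once at the top of the file and keeping a single `if` here avoids the split condition and documents the BoringSSL difference in one place. ngx_ssl_certificate starts and ends outside the hunk.
```c
#ifdef OPENSSL_IS_BORINGSSL
#define NGX_SSL_BAD_DECRYPT_LIB     ERR_LIB_CIPHER
#define NGX_SSL_BAD_DECRYPT_REASON  CIPHER_R_BAD_DECRYPT
#else
#define NGX_SSL_BAD_DECRYPT_LIB     ERR_LIB_EVP
#define NGX_SSL_BAD_DECRYPT_REASON  EVP_R_BAD_DECRYPT
#endif

/* … unchanged: ngx_ssl_certificate up to the password retry loop … */
            n = ERR_peek_error();

            /* wrong password for the encrypted key: try the next one */
            if (ERR_GET_LIB(n) == NGX_SSL_BAD_DECRYPT_LIB
                && ERR_GET_REASON(n) == NGX_SSL_BAD_DECRYPT_REASON)
            {
```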
@@ -646,6 +656,8 @@ ngx_ssl_info_callback(const ngx_ssl_conn
 }
 
 
+#ifndef OPENSSL_IS_BORINGSSL
+
 RSA *
 ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
     int key_length)
@@ -667,6 +679,8 @@ ngx_ssl_rsa512_key_callback(ngx_ssl_conn
     return key;
 }
 
+#endif
+
 
 ngx_array_t *
 ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file)
diff -r bb74dfefeec0 -r e3086fd5e593 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.h	Mon Jul 28 12:27:57 2014 -0700
@@ -133,8 +133,10 @@ ngx_int_t ngx_ssl_stapling(ngx_conf_t *c
     ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
+#ifndef OPENSSL_IS_BORINGSSL
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
     int key_length);
+#endif
 ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
diff -r bb74dfefeec0 -r e3086fd5e593 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
@@ -715,8 +715,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
+#ifndef OPENSSL_IS_BORINGSSL
     /* a temporary 512-bit RSA key is required for export versions of MSIE */
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif
 
     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
         return NGX_CONF_ERROR;
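Review bot: The commit description says the `#ifndef` around SSL_CTX_set_tmp_rsa_callback() is not strictly necessary because that function survives in BoringSSL as a no-op, but with this same patch the callback it is given, ngx_ssl_rsa512_key_callback, is compiled out of both ngx_event_openssl.c and ngx_event_openssl.h under OPENSSL_IS_BORINGSSL, so without this guard the call would reference an undeclared identifier; the guard here and the matching one in ngx_mail_ssl_module.c are therefore required, and the description should say so. Moving the existing comment inside the guard is fine, but a short note on why the temporary 512-bit key is dropped for that build would help a reader of the BoringSSL configuration, e.g. `/* BoringSSL provides no export-grade temporary RSA key; the callback is not built */`. ngx_http_ssl_merge_srv_conf starts and ends outside the hunk.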
diff -r bb74dfefeec0 -r e3086fd5e593 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c	Mon Jul 28 12:27:57 2014 -0700
@@ -334,7 +334,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, 
         SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
     }
 
+#ifndef OPENSSL_IS_BORINGSSL
     SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif
 
     if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
         return NGX_CONF_ERROR;
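Review bot: The guarded SSL_CTX_set_tmp_rsa_callback() call here has no explanatory comment, whereas the identical call in ngx_http_ssl_module.c is preceded by `/* a temporary 512-bit RSA key is required for export versions of MSIE */`; now that the line sits inside an `#ifndef OPENSSL_IS_BORINGSSL` block, a reader of this file has no hint of what legacy feature is being excluded. Copying that comment above the call, inside the guard, keeps the two modules consistent. ngx_mail_ssl_merge_conf starts and ends outside the hunk.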


