[PATCH 1 of 2] SSL: let it build against BoringSSL

Piotr Sikora
July 30, 2014 07:48AM
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1406719935 25200
# Wed Jul 30 04:32:15 2014 -0700
# Node ID 3a647f0d5104612c7fa5c9cc1245057a4c0a3dc2
# Parent 4d092aa2f4637ce50284d2accd99a8e91aae2b4c
SSL: let it build against BoringSSL.

This change adds support for using BoringSSL as a drop-in replacement
for OpenSSL without adding support for any of the BoringSSL-specific
features.

The #ifndefs around SSL_CTX_set_tmp_rsa_callback() aren't strictly
necessary, since that function still exists in BoringSSL as a no-op,
but they clearly mark the unsupported feature.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r 4d092aa2f463 -r 3a647f0d5104 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Mon Jul 28 12:27:57 2014 -0700
+++ b/src/event/ngx_event_openssl.c Wed Jul 30 04:32:15 2014 -0700
@@ -106,7 +106,9 @@ int ngx_ssl_stapling_index;
ngx_int_t
ngx_ssl_init(ngx_log_t *log)
{
+#ifndef OPENSSL_IS_BORINGSSL
OPENSSL_config(NULL);
+#endif

SSL_library_init();
SSL_load_error_strings();
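Review bot: the commit message explains why SSL_CTX_set_tmp_rsa_callback() is guarded but says nothing about why OPENSSL_config(NULL) is skipped under OPENSSL_IS_BORINGSSL; add a one-line comment beside the `#ifndef` (or a sentence in the message) recording that BoringSSL builds do not load an OpenSSL configuration file, so the behavioural difference is documented and the guard is not removed later as apparently redundant.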
@@ -217,7 +219,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_
SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING);
#endif

+#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG
SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG);
+#endif
+
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG);
SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG);
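Review bot: only SSL_OP_SSLEAY_080_CLIENT_DH_BUG gets an `#ifdef` guard in this hunk, while the adjacent SSL_OP_TLS_D5_BUG and SSL_OP_TLS_BLOCK_PADDING_BUG calls stay unguarded; if those two are known to be defined by BoringSSL, say so in the commit message, otherwise wrap them in the same `#ifdef ... #endif` pattern so the file keeps compiling whichever of these legacy compatibility options a given BoringSSL revision drops.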

@@ -382,8 +387,13 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_
if (--tries) {
n = ERR_peek_error();

+#ifdef OPENSSL_IS_BORINGSSL
+ if (ERR_GET_LIB(n) == ERR_LIB_CIPHER
+ && ERR_GET_REASON(n) == CIPHER_R_BAD_DECRYPT)
+#else
if (ERR_GET_LIB(n) == ERR_LIB_EVP
&& ERR_GET_REASON(n) == EVP_R_BAD_DECRYPT)
+#endif
{
ERR_clear_error();
SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd);
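Review bot: the `#ifdef OPENSSL_IS_BORINGSSL` / `#else` here duplicates the whole `if` condition with only the library and reason constants differing, which invites the two branches drifting apart; defining the pair once near the top of the file (for example a `NGX_SSL_BAD_DECRYPT_LIB` / `NGX_SSL_BAD_DECRYPT_REASON` pair, names are only a suggestion) and keeping a single `if (ERR_GET_LIB(n) == ... && ERR_GET_REASON(n) == ...)` would leave one copy of the logic. Worth stating in the message that this comparison is what lets the `--tries` loop recognise a wrong key-file password and advance `pwd`, so a mismatch in the BoringSSL constants would quietly disable the retry rather than fail visibly.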
diff -r 4d092aa2f463 -r 3a647f0d5104 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Mon Jul 28 12:27:57 2014 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Jul 30 04:32:15 2014 -0700
@@ -715,8 +715,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

+#ifndef OPENSSL_IS_BORINGSSL
/* a temporary 512-bit RSA key is required for export versions of MSIE */
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif

if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
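Review bot: the comment kept inside the `#ifndef` ("a temporary 512-bit RSA key is required for export versions of MSIE") should also note the consequence of the guard: BoringSSL builds will not offer a temporary 512-bit export RSA key at all, which is the intended outcome, since export-grade RSA is a weakness to retire rather than a feature to preserve, and readers of this hunk should not mistake the omission for a missing port.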
diff -r 4d092aa2f463 -r 3a647f0d5104 src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Mon Jul 28 12:27:57 2014 -0700
+++ b/src/mail/ngx_mail_ssl_module.c Wed Jul 30 04:32:15 2014 -0700
@@ -334,7 +334,9 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
}

+#ifndef OPENSSL_IS_BORINGSSL
SSL_CTX_set_tmp_rsa_callback(conf->ssl.ctx, ngx_ssl_rsa512_key_callback);
+#endif

if (ngx_ssl_dhparam(cf, &conf->ssl, &conf->dhparam) != NGX_OK) {
return NGX_CONF_ERROR;
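Review bot: this is the second caller wrapped in the identical `#ifndef OPENSSL_IS_BORINGSSL` around SSL_CTX_set_tmp_rsa_callback(), and this copy also lacks the explanatory comment the http module hunk carries; either mirror that comment here or, better, move the guard into one shared place in ngx_event_openssl.c (inside ngx_ssl_rsa512_key_callback() or a small wrapper) so the http and mail modules do not each need to know about OPENSSL_IS_BORINGSSL.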

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel