openssl: remove most BoringSSL #ifdefs.
As of https://boringssl-review.googlesource.com/#/c/6980/, almost all of
BoringSSL #ifdefs in cURL should be unnecessary:
- BoringSSL provides no-op stubs for compatibility which replaces most
#ifdefs.
- DES_set_odd_parity has been in BoringSSL for nearly a year now. Remove
the compatibility codepath.
- With a small tweak to an extend_key_56_to_64 call, the NTLM code
builds fine.
- Switch OCSP-related #ifdefs to the more generally useful
OPENSSL_NO_OCSP.
The only #ifdefs which remain are Curl_ossl_version and the #undefs to
work around OpenSSL and wincrypt.h name conflicts. (BoringSSL leaves
that to the consumer. The in-header workaround makes things sensitive to
include order.)
This change errs on the side of removing conditionals despite many of
the restored codepaths being no-ops. (BoringSSL generally adds no-op
compatibility stubs when possible. OPENSSL_VERSION_NUMBER #ifdefs are
bad enough!)
Closes #640
diff --git a/configure.ac b/configure.ac
index 3b41393..7af4a80 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1631,8 +1631,6 @@
dnl Older versions of Cyassl (some time before 2.9.4) don't have
dnl SSL_get_shutdown (but this check won't actually detect it there
dnl as it's a macro that needs the header files be included)
- dnl BoringSSL didn't have DES_set_odd_parity for a while but now it is
- dnl back again.
AC_CHECK_FUNCS( RAND_status \
RAND_screen \
@@ -1640,8 +1638,7 @@
ENGINE_cleanup \
CRYPTO_cleanup_all_ex_data \
SSL_get_shutdown \
- SSLv2_client_method \
- DES_set_odd_parity )
+ SSLv2_client_method )
AC_MSG_CHECKING([for BoringSSL])
AC_COMPILE_IFELSE([
diff --git a/docs/THANKS b/docs/THANKS
index c835089..12e442f 100644
--- a/docs/THANKS
+++ b/docs/THANKS
@@ -457,6 +457,7 @@
Glen Nakamura
Glen Scott
Glenn Sheridan
+Google Inc.
Gordon Marler
Gorilla Maguila
Grant Erickson
diff --git a/lib/config-win32.h b/lib/config-win32.h
index 3920e1f..269e6db 100644
--- a/lib/config-win32.h
+++ b/lib/config-win32.h
@@ -228,12 +228,6 @@
This is present in OpenSSL versions after 0.9.6b */
#define HAVE_CRYPTO_CLEANUP_ALL_EX_DATA 1
-/* Define if you have the 'DES_set_odd_parity' function when using OpenSSL/
- BoringSSL */
-#if defined(USE_OPENSSL) || defined(HAVE_BORINGSSL)
-#define HAVE_DES_SET_ODD_PARITY 1
-#endif
-
/* Define if you have the select function. */
#define HAVE_SELECT 1
diff --git a/lib/curl_des.c b/lib/curl_des.c
index 3c7e529..421c9f7 100644
--- a/lib/curl_des.c
+++ b/lib/curl_des.c
@@ -22,7 +22,7 @@
#include "curl_setup.h"
-#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY)
+#if defined(USE_NTLM) && !defined(USE_OPENSSL)
#include "curl_des.h"
@@ -60,4 +60,4 @@
}
}
-#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */
+#endif /* USE_NTLM && !USE_OPENSSL */
diff --git a/lib/curl_des.h b/lib/curl_des.h
index 632c384..129060f 100644
--- a/lib/curl_des.h
+++ b/lib/curl_des.h
@@ -24,11 +24,11 @@
#include "curl_setup.h"
-#if defined(USE_NTLM) && !defined(HAVE_DES_SET_ODD_PARITY)
+#if defined(USE_NTLM) && !defined(USE_OPENSSL)
/* Applies odd parity to the given byte array */
void Curl_des_set_odd_parity(unsigned char *bytes, size_t length);
-#endif /* USE_NTLM && !HAVE_DES_SET_ODD_PARITY */
+#endif /* USE_NTLM && !USE_OPENSSL */
#endif /* HEADER_CURL_DES_H */
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index fe976c9..e79d1f6 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -143,14 +143,10 @@
DES_cblock key;
/* Expand the 56-bit key to 64-bits */
- extend_key_56_to_64(key_56, (char *) key);
+ extend_key_56_to_64(key_56, (char *) &key);
/* Set the key parity to odd */
-#ifndef HAVE_DES_SET_ODD_PARITY /* older boringssl */
- Curl_des_set_odd_parity((unsigned char *) &key, sizeof(key));
-#else
DES_set_odd_parity(&key);
-#endif
/* Set the key */
DES_set_key(&key, ks);
diff --git a/lib/curl_setup.h b/lib/curl_setup.h
index 33ad129..5163273 100644
--- a/lib/curl_setup.h
+++ b/lib/curl_setup.h
@@ -628,13 +628,9 @@
defined(USE_GNUTLS) || defined(USE_NSS) || defined(USE_DARWINSSL) || \
defined(USE_OS400CRYPTO) || defined(USE_WIN32_CRYPTO)
-#ifdef HAVE_BORINGSSL /* BoringSSL is not NTLM capable */
-#undef USE_NTLM
-#else
#define USE_NTLM
#endif
#endif
-#endif
/* non-configure builds may define CURL_WANTS_CA_BUNDLE_ENV */
#if defined(CURL_WANTS_CA_BUNDLE_ENV) && !defined(CURL_CA_BUNDLE)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index b36c6a6..b4f62e6 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -68,7 +68,7 @@
#include <openssl/pkcs12.h>
#endif
-#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_IS_BORINGSSL)
+#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP)
#include <openssl/ocsp.h>
#endif
@@ -83,21 +83,8 @@
#error "OPENSSL_VERSION_NUMBER not defined"
#endif
-#if !defined(OPENSSL_IS_BORINGSSL)
-/* ENGINE_load_private_key() takes four arguments */
-#define HAVE_ENGINE_LOAD_FOUR_ARGS
+#if defined(HAVE_OPENSSL_ENGINE_H)
#include <openssl/ui.h>
-#else
-/* ENGINE_load_private_key() takes three arguments */
-#undef HAVE_ENGINE_LOAD_FOUR_ARGS
-#endif
-
-#if defined(HAVE_OPENSSL_PKCS12_H) && !defined(OPENSSL_IS_BORINGSSL)
-/* OpenSSL has PKCS 12 support, BoringSSL does not */
-#define HAVE_PKCS12_SUPPORT
-#else
-/* OpenSSL does not have PKCS12 support */
-#undef HAVE_PKCS12_SUPPORT
#endif
#if OPENSSL_VERSION_NUMBER >= 0x00909000L
@@ -106,10 +93,7 @@
#define SSL_METHOD_QUAL
#endif
-#ifdef OPENSSL_IS_BORINGSSL
-/* BoringSSL has no ERR_remove_state() */
-#define ERR_remove_state(x)
-#elif (OPENSSL_VERSION_NUMBER >= 0x10000000L)
+#if (OPENSSL_VERSION_NUMBER >= 0x10000000L)
#define HAVE_ERR_REMOVE_THREAD_STATE 1
#endif
@@ -131,17 +115,8 @@
#define HAVE_X509_GET0_SIGNATURE 1
#endif
-#if defined(OPENSSL_IS_BORINGSSL)
-#define NO_RAND_SEED 1
-/* In BoringSSL OpenSSL_add_all_algorithms does nothing */
-#define OpenSSL_add_all_algorithms()
-/* BoringSSL does not have CONF_modules_load_file, CONF_modules_free */
-#define CONF_modules_load_file(a,b,c)
-#define CONF_modules_free()
-#endif
-
-#if (OPENSSL_VERSION_NUMBER < 0x0090808fL) || defined(OPENSSL_IS_BORINGSSL)
-/* not present in BoringSSL or older OpenSSL */
+#if (OPENSSL_VERSION_NUMBER < 0x0090808fL)
+/* not present in older OpenSSL */
#define OPENSSL_load_builtin_modules(x)
#endif
@@ -175,7 +150,6 @@
* pass in an argument that is never used.
*/
-#ifndef NO_RAND_SEED
#ifdef HAVE_RAND_STATUS
#define seed_enough(x) rand_enough()
static bool rand_enough(void)
@@ -272,11 +246,6 @@
ssl_seeded = TRUE;
}
}
-#else
-/* BoringSSL needs no seeding */
-#define Curl_ossl_seed(x)
-#endif
-
#ifndef SSL_FILETYPE_ENGINE
#define SSL_FILETYPE_ENGINE 42
@@ -299,7 +268,7 @@
return -1;
}
-#if defined(HAVE_OPENSSL_ENGINE_H) && defined(HAVE_ENGINE_LOAD_FOUR_ARGS)
+#if defined(HAVE_OPENSSL_ENGINE_H)
/*
* Supply default password to the engine user interface conversation.
* The password is passed by OpenSSL engine from ENGINE_load_private_key()
@@ -449,7 +418,7 @@
case SSL_FILETYPE_PKCS12:
{
-#ifdef HAVE_PKCS12_SUPPORT
+#ifdef HAVE_OPENSSL_PKCS12_H
FILE *f;
PKCS12 *p12;
EVP_PKEY *pri;
@@ -565,7 +534,6 @@
{ /* XXXX still needs some work */
EVP_PKEY *priv_key = NULL;
if(data->state.engine) {
-#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_METHOD *ui_method =
UI_create_method((char *)"cURL user interface");
if(!ui_method) {
@@ -576,17 +544,12 @@
UI_method_set_closer(ui_method, UI_method_get_closer(UI_OpenSSL()));
UI_method_set_reader(ui_method, ssl_ui_reader);
UI_method_set_writer(ui_method, ssl_ui_writer);
-#endif
/* the typecast below was added to please mingw32 */
priv_key = (EVP_PKEY *)
ENGINE_load_private_key(data->state.engine, key_file,
-#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
ui_method,
-#endif
data->set.str[STRING_KEY_PASSWD]);
-#ifdef HAVE_ENGINE_LOAD_FOUR_ARGS
UI_destroy_method(ui_method);
-#endif
if(!priv_key) {
failf(data, "failed to load private key from crypto engine");
return 0;
@@ -1228,7 +1191,7 @@
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
static CURLcode verifystatus(struct connectdata *conn,
struct ssl_connect_data *connssl)
{
@@ -1670,7 +1633,7 @@
case CURL_SSLVERSION_TLSv1_2:
/* it will be handled later with the context options */
#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \
- !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+ !defined(LIBRESSL_VERSION_NUMBER)
req_method = TLS_client_method();
#else
req_method = SSLv23_client_method();
@@ -2033,7 +1996,7 @@
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus)
SSL_set_tlsext_status_type(connssl->handle, TLSEXT_STATUSTYPE_ocsp);
#endif
@@ -2639,7 +2602,7 @@
}
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
if(data->set.ssl.verifystatus) {
result = verifystatus(conn, connssl);
if(result) {
@@ -3055,7 +3018,7 @@
bool Curl_ossl_cert_status_request(void)
{
#if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_TLSEXT) && \
- !defined(OPENSSL_IS_BORINGSSL)
+ !defined(OPENSSL_NO_OCSP)
return TRUE;
#else
return FALSE;
