This is an automated email from the ASF dual-hosted git repository.

maskit pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
     new af6657d1cf Reduce the number of checks for BoringSSL (#11637)
af6657d1cf is described below

commit af6657d1cfda88c8f60120ea71b2ab94a8f60b77
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Fri Aug 2 11:20:20 2024 -0600

    Reduce the number of checks for BoringSSL (#11637)
    
    - Removed one unnecessary check
    - Added HAVE_NATIVE_DUAL_CERT_SUPPORT
---
 CMakeLists.txt                       | 5 +++++
 include/tscore/ink_config.h.cmake.in | 1 +
 src/iocore/net/OCSPStapling.cc       | 9 +++------
 src/iocore/net/P_OCSPStapling.h      | 6 ------
 src/iocore/net/SSLUtils.cc           | 6 +++---
 5 files changed, 12 insertions(+), 15 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index a9d4549e77..b6960d4f65 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -506,6 +506,11 @@ else()
   set(TS_HAS_TLS_EARLY_DATA FALSE)
 endif()
 
+check_source_compiles(
+  C "#include <openssl/ssl.h>
+  void main() { int x = SSL_CTRL_GET_EXTRA_CHAIN_CERTS; }" 
HAVE_NATIVE_DUAL_CERT_SUPPORT
+)
+
 set(CMAKE_REQUIRED_INCLUDES netinet/in.h netinet/tcp.h)
 check_type_size("struct tcp_info" STRUCT_TCP_INFO)
 unset(CMAKE_REQUIRED_INCLUDES)
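Review bot: The probe program uses `void main()` and leaves `x` unused, so on a toolchain that treats a non-`int` `main` or an unused variable as an error (for example when `CMAKE_REQUIRED_FLAGS` carries `-Werror`) the check fails for reasons unrelated to OpenSSL, `HAVE_NATIVE_DUAL_CERT_SUPPORT` stays undefined, and the `#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT` branches in SSLUtils.cc silently select the per-key-type certificate path on a library that does not need it. A strictly conforming probe avoids that: `int main(void) { int x = SSL_CTRL_GET_EXTRA_CHAIN_CERTS; (void)x; return 0; }`. The check also has no comment saying why this particular control constant stands in for "native dual cert support"; a line above it such as `# SSL_CTRL_GET_EXTRA_CHAIN_CERTS is only present in libraries that serve RSA and EC chains from one SSL_CTX` would let the next reader verify the assumption rather than guess it, and whether AWS-LC passes or fails this probe is worth confirming since the old code treated it like BoringSSL for the callback signature only.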
diff --git a/include/tscore/ink_config.h.cmake.in 
b/include/tscore/ink_config.h.cmake.in
index fff47a7f63..745ad0e61f 100644
--- a/include/tscore/ink_config.h.cmake.in
+++ b/include/tscore/ink_config.h.cmake.in
@@ -87,6 +87,7 @@
 #cmakedefine HAVE_BIO_METH_GET_CREATE 1
 #cmakedefine HAVE_BIO_METH_GET_DESTROY 1
 #cmakedefine HAVE_MD5_INIT 1
+#cmakedefine HAVE_NATIVE_DUAL_CERT_SUPPORT 1
 
 #cmakedefine HAVE_STRUCT_TCP_INFO 1
 #cmakedefine HAVE_STRUCT_TCP_INFO_TCPI_TOTAL_RETRANS 1
diff --git a/src/iocore/net/OCSPStapling.cc b/src/iocore/net/OCSPStapling.cc
index fe7766796f..8b0f84802d 100644
--- a/src/iocore/net/OCSPStapling.cc
+++ b/src/iocore/net/OCSPStapling.cc
@@ -26,6 +26,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 
+#include "tscore/ink_config.h"
 #include "tscore/ink_memory.h"
 #include "tscore/Encoding.h"
 #include "tscore/ink_base64.h"
@@ -1267,7 +1268,7 @@ ocsp_update()
   SSLCertificateConfig::scoped_config certLookup;
 
   Dbg(dbg_ctl_ssl_ocsp, "updating OCSP data");
-#ifndef OPENSSL_IS_BORINGSSL
+#ifdef HAVE_NATIVE_DUAL_CERT_SUPPORT
   const SSLCertContextType ctxTypes[] = {SSLCertContextType::GENERIC};
 #else
   const SSLCertContextType ctxTypes[] = {SSLCertContextType::RSA, 
SSLCertContextType::EC};
@@ -1309,11 +1310,7 @@ ocsp_update()
 
 // RFC 6066 Section-8: Certificate Status Request
 int
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-ssl_callback_ocsp_stapling(SSL *ssl)
-#else
 ssl_callback_ocsp_stapling(SSL *ssl, void *)
-#endif
 {
   // Assume SSL_get_SSL_CTX() is the same as reaching into the ssl structure
   // Using the official call, to avoid leaking internal openssl knowledge
@@ -1337,7 +1334,7 @@ ssl_callback_ocsp_stapling(SSL *ssl, void *)
   }
 
   certinfo *cinf = nullptr;
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
+#if HAVE_NATIVE_DUAL_CERT_SUPPORT
   certinfo_map::iterator iter = map->find(cert);
   if (iter != map->end()) {
     cinf = iter->second;
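Review bot: This hunk tests the new macro with `#if HAVE_NATIVE_DUAL_CERT_SUPPORT` while the earlier hunk in `ocsp_update()` uses `#ifdef HAVE_NATIVE_DUAL_CERT_SUPPORT`; the two forms behave the same with the `#cmakedefine ... 1` added to ink_config.h, but `#if` on a macro that is not defined is flagged by `-Wundef` and reads as if the value mattered. Using `#ifdef HAVE_NATIVE_DUAL_CERT_SUPPORT` here keeps the file consistent with the other site and with the `#ifndef` form used in SSLUtils.cc. The enclosing function `ssl_callback_ocsp_stapling` begins outside this hunk.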
diff --git a/src/iocore/net/P_OCSPStapling.h b/src/iocore/net/P_OCSPStapling.h
index 8caf132c97..9ca65e4578 100644
--- a/src/iocore/net/P_OCSPStapling.h
+++ b/src/iocore/net/P_OCSPStapling.h
@@ -21,16 +21,10 @@
 
 #pragma once
 
-#include "tscore/ink_config.h"
-
 #include <openssl/ssl.h>
 
 void ssl_stapling_ex_init();
 bool ssl_stapling_init_cert(SSL_CTX *ctx, X509 *cert, const char *certname, 
const char *rsp_file);
 void ocsp_update();
 
-#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC)
-int ssl_callback_ocsp_stapling(SSL *);
-#else
 int ssl_callback_ocsp_stapling(SSL *, void *);
-#endif
diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
index dc17849934..6ca3cc23cb 100644
--- a/src/iocore/net/SSLUtils.cc
+++ b/src/iocore/net/SSLUtils.cc
@@ -397,7 +397,7 @@ ssl_cert_callback(SSL *ssl, [[maybe_unused]] void *arg)
   }
 
   SSLCertContextType ctxType = SSLCertContextType::GENERIC;
-#ifdef OPENSSL_IS_BORINGSSL
+#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT
   if (arg != nullptr) {
     const SSL_CLIENT_HELLO *client_hello         = (const SSL_CLIENT_HELLO 
*)arg;
     const bool              client_ecdsa_capable = 
BoringSSLUtils::isClientEcdsaCapable(client_hello);
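Review bot: The three sites in this file (this hunk and the ones at `init_server_ssl_ctx` and `load_certs_and_cross_reference_names`) now branch on `#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT`, and the same commit removes `#include "tscore/ink_config.h"` from P_OCSPStapling.h, which may have been how this translation unit saw the macro before. A negative test on a feature macro compiles the fallback path whenever the defining header is simply not included: in the two later hunks that path uses only APIs every supported library provides, so the wrong certificate-selection logic would build cleanly and only show up as the wrong chain being served for a given ClientHello. If SSLUtils.cc does not already include ink_config.h directly, adding `#include "tscore/ink_config.h"` at the top of the file removes that dependency on transitive includes; I cannot see the include list from this hunk, so please confirm. The enclosing function `ssl_cert_callback` starts outside the hunk.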
@@ -1217,7 +1217,7 @@ 
SSLMultiCertConfigLoader::init_server_ssl_ctx(CertLoadData const &data, const SS
 
   bool generate_default_ctx = data.cert_names_list.empty();
   if (!generate_default_ctx) {
-#ifdef OPENSSL_IS_BORINGSSL
+#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT
     for (auto const &name : data.cert_names_list) {
       cert_names.emplace_back(std::vector({name}));
     }
@@ -2236,7 +2236,7 @@ 
SSLMultiCertConfigLoader::load_certs_and_cross_reference_names(
     }
 
     if (certType != nullptr) {
-#ifdef OPENSSL_IS_BORINGSSL
+#ifndef HAVE_NATIVE_DUAL_CERT_SUPPORT
       std::unique_ptr<EVP_PKEY, decltype(&EVP_PKEY_free)> 
public_key(X509_get_pubkey(cert), &EVP_PKEY_free);
       int                                                 pkey_id = 
EVP_PKEY_id(public_key.get());
 
