Reduce the number of checks for BoringSSL (#11643)

* Reduce the number of checks for BoringSSL - Added HAVE_CRYPTO_SET_EX_DATA - Added HAVE_CRYPTO_EX_UNUSED - Added HAVE_CRYPTO_EX_DUP_TYPE1 - Fixed the check for HAVE_NATIVE_DUAL_CERT_SUPPORT - Removed unnecessary checks * Update the documentation about session_ticket.number All libraries we support have the feature to set the number
apache · Aug 5, 2024 · ee305e4 · ee305e4
1 parent da07dd7
commit ee305e4
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 18 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -458,6 +458,7 @@ check_symbol_exists(BIO_set_ex_data "openssl/bio.h" HAVE_BIO_SET_EX_DATA)
 check_symbol_exists(BIO_meth_get_ctrl "openssl/bio.h" HAVE_BIO_METH_GET_CTRL)
 check_symbol_exists(BIO_meth_get_create "openssl/bio.h" HAVE_BIO_METH_GET_CREATE)
 check_symbol_exists(BIO_meth_get_destroy "openssl/bio.h" HAVE_BIO_METH_GET_DESTROY)
+check_symbol_exists(CRYPTO_set_ex_data "openssl/bio.h" HAVE_CRYPTO_SET_EX_DATA)
 check_symbol_exists(DH_get_2048_256 "openssl/dh.h" TS_USE_GET_DH_2048_256)
 check_symbol_exists(OPENSSL_NO_TLS_3 "openssl/ssl.h" TS_NO_USE_TLS12)
 check_symbol_exists(SSL_CTX_set_client_hello_cb "openssl/ssl.h" HAVE_SSL_CTX_SET_CLIENT_HELLO_CB)
@@ -508,7 +509,22 @@ endif()
 
 check_source_compiles(
   C "#include <openssl/ssl.h>
-  void main() { int x = SSL_CTRL_GET_EXTRA_CHAIN_CERTS; }" HAVE_NATIVE_DUAL_CERT_SUPPORT
+  int main() { int x = SSL_CTRL_GET_EXTRA_CHAIN_CERTS; return 0; }" HAVE_NATIVE_DUAL_CERT_SUPPORT
+)
+check_source_compiles(
+  C "#include <openssl/ex_data.h>
+  int main() { CRYPTO_EX_unused x; return 0; }" HAVE_CRYPTO_EX_UNUSED
+)
+check_cxx_source_compiles(
+  "#include <openssl/crypto.h>
+  #if __has_include(<openssl/ex_data.h>)
+  #include <openssl/ex_data.h>
+  #endif
+  int main() {
+  CRYPTO_EX_dup *cb = [] (CRYPTO_EX_DATA *to, const CRYPTO_EX_DATA *from, void **from_d, int idx, long argl, void *argp) -> int { return 0; };
+  return 0;
+  }"
+  HAVE_CRYPTO_EX_DUP_TYPE1
 )
 
 set(CMAKE_REQUIRED_INCLUDES netinet/in.h netinet/tcp.h)

diff --git a/doc/admin-guide/files/records.yaml.en.rst b/doc/admin-guide/files/records.yaml.en.rst
@@ -3926,7 +3926,6 @@ SSL Termination
   multiple requests over concurrent TLS connections as per RFC 8446 clients SHOULDN'T reuse TLS Tickets.
 
   For more information see https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_num_tickets.html
-  [Requires OpenSSL v1.1.1 and higher]
 
 .. ts:cv:: CONFIG proxy.config.ssl.hsts_max_age INT -1
    :overridable:

diff --git a/include/iocore/net/SSLTypes.h b/include/iocore/net/SSLTypes.h
@@ -42,7 +42,7 @@ enum class SSLCertContextType {
   EC       ///< EC-based Context
 };
 
-#ifndef OPENSSL_IS_BORINGSSL
+#if HAVE_SSL_GET_SHARED_CURVE
 using ssl_curve_id = int;
 #else
 using ssl_curve_id = uint16_t;

diff --git a/include/tscore/ink_config.h.cmake.in b/include/tscore/ink_config.h.cmake.in
@@ -86,8 +86,11 @@
 #cmakedefine HAVE_BIO_METH_GET_CTRL 1
 #cmakedefine HAVE_BIO_METH_GET_CREATE 1
 #cmakedefine HAVE_BIO_METH_GET_DESTROY 1
+#cmakedefine HAVE_CRYPTO_SET_EX_DATA 1
 #cmakedefine HAVE_MD5_INIT 1
 #cmakedefine HAVE_NATIVE_DUAL_CERT_SUPPORT 1
+#cmakedefine HAVE_CRYPTO_EX_UNUSED 1
+#cmakedefine HAVE_CRYPTO_EX_DUP_TYPE1 1
 
 #cmakedefine HAVE_STRUCT_TCP_INFO 1
 #cmakedefine HAVE_STRUCT_TCP_INFO_TCPI_TOTAL_RETRANS 1

diff --git a/src/iocore/net/BIO_fastopen.cc b/src/iocore/net/BIO_fastopen.cc
@@ -30,14 +30,6 @@
 
 #include "BIO_fastopen.h"
 
-#if defined(BORINGLIKE)
-#error
-#elif defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC)
-#define BORINGLIKE 1
-#else
-#define BORINGLIKE 0
-#endif
-
 namespace
 {
 
@@ -61,7 +53,7 @@ class ExData
   }
 
 private:
-#if BORINGLIKE
+#if HAVE_CRYPTO_EX_UNUSED
   static constexpr CRYPTO_EX_unused *_new{nullptr};
 #else
   static void
@@ -71,7 +63,7 @@ class ExData
   }
 #endif
 
-#if BORINGLIKE
+#if !HAVE_CRYPTO_SET_EX_DATA
   static void
   _free(void * /* parent */, void * /* ptr */, CRYPTO_EX_DATA * /* ad */, int /* idx_ */, long /* argl */, void * /* argp */)
   {
@@ -84,7 +76,7 @@ class ExData
   }
 #endif
 
-#if BORINGLIKE || (OPENSSL_VERSION_MAJOR >= 3)
+#if HAVE_CRYPTO_EX_DUP_TYPE1
   using _Type_from_d = void **;
 #else
   using _Type_from_d = void *;

diff --git a/src/iocore/net/SSLUtils.cc b/src/iocore/net/SSLUtils.cc
@@ -1452,19 +1452,16 @@ SSLMultiCertConfigLoader::_set_verify_path(SSL_CTX *ctx, const SSLMultiCertConfi
 bool
 SSLMultiCertConfigLoader::_setup_session_ticket(SSL_CTX *ctx, const SSLMultiCertConfigParams *sslMultCertSettings)
 {
-#if defined(SSL_OP_NO_TICKET)
   // Session tickets are enabled by default. Disable if explicitly requested.
   if (sslMultCertSettings->session_ticket_enabled == 0) {
     SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
     Dbg(dbg_ctl_ssl_load, "ssl session ticket is disabled");
   }
-#endif
-#if defined(TLS1_3_VERSION) && !defined(LIBRESSL_VERSION_NUMBER) && !defined(OPENSSL_IS_BORINGSSL)
+
   if (!(this->_params->ssl_ctx_options & SSL_OP_NO_TLSv1_3)) {
     SSL_CTX_set_num_tickets(ctx, sslMultCertSettings->session_ticket_number);
     Dbg(dbg_ctl_ssl_load, "ssl session ticket number set to %d", sslMultCertSettings->session_ticket_number);
   }
-#endif
   return true;
 }