diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c index 1c8190fad..3fd9d3d4f 100644 --- a/pjlib/src/pj/ssl_sock_ossl.c +++ b/pjlib/src/pj/ssl_sock_ossl.c @@ -80,6 +80,18 @@ # define USING_LIBRESSL 0 #endif +#if defined(OPENSSL_IS_BORINGSSL) +# define USING_BORINGSSL 1 + +# define TLSEXT_nid_unknown 0x1000000 + +#undef SSL_CTRL_SET_ECDH_AUTO +# define SSL_CTRL_SET_ECDH_AUTO 94 + +#else +# define USING_BORINGSSL 0 +#endif + #if !USING_LIBRESSL && !defined(OPENSSL_NO_EC) \ && OPENSSL_VERSION_NUMBER >= 0x1000200fL @@ -394,7 +406,11 @@ static pj_str_t ssl_strerror(pj_status_t status, ssl_err -= PJ_SSL_ERRNO_START; l = ssl_err / MAX_OSSL_ERR_REASON; r = ssl_err % MAX_OSSL_ERR_REASON; +#if USING_BORINGSSL + ssl_err = ERR_PACK(l, r); +#else ssl_err = ERR_PACK(l, 0, r); +#endif } #if defined(PJ_HAS_ERROR_STRING) && (PJ_HAS_ERROR_STRING != 0) @@ -717,7 +733,11 @@ static pj_status_t init_openssl(void) } ssl_cipher_num = n; +#if USING_BORINGSSL + ssl_sess = SSL_SESSION_new(ctx); +#else ssl_sess = SSL_SESSION_new(); +#endif SSL_set_session(ssl, ssl_sess); #if !USING_LIBRESSL && !defined(OPENSSL_NO_EC) \ @@ -725,7 +745,12 @@ static pj_status_t init_openssl(void) #if OPENSSL_VERSION_NUMBER >= 0x1010100fL ssl_curves_num = EC_get_builtin_curves(NULL, 0); #else + +#if USING_BORINGSSL + ssl_curves_num = SSL_get_curve_id(ssl); +#else ssl_curves_num = SSL_get_shared_curve(ssl,-1); +#endif if (ssl_curves_num > PJ_ARRAY_SIZE(ssl_curves)) ssl_curves_num = PJ_ARRAY_SIZE(ssl_curves); @@ -770,7 +795,11 @@ static pj_status_t init_openssl(void) OPENSSL_free(curves); #else for (i = 0; i < ssl_curves_num; i++) { +#if USING_BORINGSSL + nid = SSL_get_curve_id(ssl); +#else nid = SSL_get_shared_curve(ssl, i); +#endif if (nid & TLSEXT_nid_unknown) { cname = "curve unknown"; @@ -987,10 +1016,19 @@ static pj_ssl_sock_t *ssl_alloc(pj_pool_t *pool) return (pj_ssl_sock_t *)PJ_POOL_ZALLOC_T(pool, ossl_sock_t); } +#if !USING_BORINGSSL + static int xname_cmp(const X509_NAME * const *a, const X509_NAME * const *b) { return X509_NAME_cmp(*a, *b); } +#else + +static int xname_cmp(const X509_NAME **a, const X509_NAME **b) { + return X509_NAME_cmp(*a, *b); +} + +#endif /* Initialize OpenSSL context for the ssock */ static pj_status_t init_ossl_ctx(pj_ssl_sock_t *ssock) @@ -1377,12 +1415,16 @@ static pj_status_t init_ossl_ctx(pj_ssl_sock_t *ssock) pj_memcpy(p, "rsa", CERT_TYPE_LEN); } +#if USING_BORINGSSL + if (SSL_CTX_set_mode(ctx, SSL_CTRL_SET_ECDH_AUTO)) { +#else #ifndef SSL_CTRL_SET_ECDH_AUTO #define SSL_CTRL_SET_ECDH_AUTO 94 #endif /* SSL_CTX_set_ecdh_auto(ctx,on) requires OpenSSL 1.0.2 which wraps: */ if (SSL_CTX_ctrl(ctx, SSL_CTRL_SET_ECDH_AUTO, 1, NULL)) { +#endif PJ_LOG(4,(ssock->pool->obj_name, "SSL ECDH initialized " "(automatic), faster PFS ciphers enabled")); #if !defined(OPENSSL_NO_ECDH) && OPENSSL_VERSION_NUMBER >= 0x10000000L && \ @@ -1441,7 +1483,11 @@ static pj_status_t init_ossl_ctx(pj_ssl_sock_t *ssock) if ((xn = X509_NAME_dup(xn)) == NULL ) break; +#if !USING_BORINGSSL if (sk_X509_NAME_find(sk, xn) >= 0) { +#else + if (sk_X509_NAME_find(sk, NULL, xn) >= 0) { +#endif X509_NAME_free(xn); } else { sk_X509_NAME_push(sk, xn); @@ -1753,6 +1799,7 @@ static pj_status_t set_sigalgs(pj_ssl_sock_t *ssock) int ret; if (ssock->param.sigalgs.ptr && ssock->param.sigalgs.slen) { +#if !USING_BORINGSSL if (ssock->is_server) { ret = SSL_set1_client_sigalgs_list(ossock->ossl_ssl, ssock->param.sigalgs.ptr); @@ -1760,6 +1807,10 @@ static pj_status_t set_sigalgs(pj_ssl_sock_t *ssock) ret = SSL_set1_sigalgs_list(ossock->ossl_ssl, ssock->param.sigalgs.ptr); } +#else + ret = SSL_set1_sigalgs_list(ossock->ossl_ssl, + ssock->param.sigalgs.ptr); +#endif if (ret < 1) return GET_SSL_STATUS(ssock);