From 170a4b383f8d4e2f18e6d23dbd6679ab73a07303 Mon Sep 17 00:00:00 2001
From: David Benjamin
Date: Wed, 30 Jan 2019 09:46:16 -0600
Subject: [PATCH] Trim unnecessary OpenSSL/BoringSSL ifdefs.

Now that WebRTC requires OpenSSL 1.1.0 as minimum, some bits can be removed. The simpler versioning API is shared between BoringSSL and OpenSSL 1.1.0, and there are some remnants of the threading callbacks that can be removed.

Bug: none
Change-Id: I2078ca9c444b1f1efa9e4b235eb4e6037865d8fb
Reviewed-on: https://webrtc-review.googlesource.com/c/120261
Commit-Queue: David Benjamin
Reviewed-by: Karl Wiberg
Reviewed-by: Benjamin Wright
Cr-Commit-Position: refs/heads/master@{#26475}
---
 rtc_base/openssl_adapter.cc | 41 +-----------------
 rtc_base/openssl_stream_adapter.cc | 67 +++---------------------------
 2 files changed, 8 insertions(+), 100 deletions(-)

diff --git a/rtc_base/openssl_adapter.cc b/rtc_base/openssl_adapter.cc
index dd2152ecaa..388b9a0051 100644
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc
@@ -31,34 +31,6 @@
 #include "rtc_base/string_encode.h"
 #include "rtc_base/thread.h"
 
-#ifndef OPENSSL_IS_BORINGSSL
-
-// TODO(benwright): Use a nicer abstraction for mutex.
-
-#if defined(WEBRTC_WIN)
-#define MUTEX_TYPE HANDLE
-#define MUTEX_SETUP(x) (x) = CreateMutex(nullptr, FALSE, nullptr)
-#define MUTEX_CLEANUP(x) CloseHandle(x)
-#define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
-#define MUTEX_UNLOCK(x) ReleaseMutex(x)
-#define THREAD_ID GetCurrentThreadId()
-#elif defined(WEBRTC_POSIX)
-#define MUTEX_TYPE pthread_mutex_t
-#define MUTEX_SETUP(x) pthread_mutex_init(&(x), nullptr)
-#define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x))
-#define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
-#define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
-#define THREAD_ID pthread_self()
-#else
-#error You must define mutex operations appropriate for your platform!
-#endif
-
-struct CRYPTO_dynlock_value {
-  MUTEX_TYPE mutex;
-};
-
-#endif // #ifndef OPENSSL_IS_BORINGSSL
-
 //////////////////////////////////////////////////////////////////////
 // SocketBIO
 //////////////////////////////////////////////////////////////////////
@@ -881,17 +853,8 @@ int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
 }
 
 SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
-  // Use (D)TLS 1.2.
-  // Note: BoringSSL supports a range of versions by setting max/min version
-  // (Default V1.0 to V1.2). However (D)TLSv1_2_client_method functions used
-  // below in OpenSSL only support V1.2.
-  SSL_CTX* ctx = nullptr;
-#ifdef OPENSSL_IS_BORINGSSL
-  ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
-#else
-  ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLSv1_2_client_method()
-                                          : TLSv1_2_client_method());
-#endif // OPENSSL_IS_BORINGSSL
+  SSL_CTX* ctx =
+      SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
   if (ctx == nullptr) {
     unsigned long error = ERR_get_error(); // NOLINT: type used by OpenSSL.
     RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
diff --git a/rtc_base/openssl_stream_adapter.cc b/rtc_base/openssl_stream_adapter.cc
index 0245976fa6..bbb2dce395 100644
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@@ -819,20 +819,6 @@ int OpenSSLStreamAdapter::BeginSSL() {
   SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
                          SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 
-#if !defined(OPENSSL_IS_BORINGSSL)
-  // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot
-  // negotiate them when acting as the server. Use NIST's P-256 which is
-  // commonly supported. BoringSSL doesn't need explicit configuration and has
-  // a reasonable default set.
-  EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
-  if (ecdh == nullptr) {
-    return -1;
-  }
-  SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
-  SSL_set_tmp_ecdh(ssl_, ecdh);
-  EC_KEY_free(ecdh);
-#endif
-
   // Do the connect
   return ContinueSSL();
 }
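Review bot: The new `SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method())` drops the (D)TLS 1.2-only pin that the removed OpenSSL branch had through `(D)TLSv1_2_client_method()`, and nothing in the hunk sets a minimum protocol version in its place, so on OpenSSL this context will now also negotiate TLS 1.0 and 1.1 (BoringSSL already used `TLS_method()` here, so only the OpenSSL build changes behaviour). CreateContext's body continues outside the hunk; unless a floor is set further down, the previous behaviour is preserved by adding `SSL_CTX_set_min_proto_version(ctx, mode == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);` after the null check, and otherwise the relaxation deserves a sentence in the commit message, which currently describes the change as only an API simplification. The removed four-line comment was the only record of the 1.2 intent; whichever way it is decided, a one-line comment above the `SSL_CTX_new` call stating the version policy that now applies would keep that decision visible.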
@@ -966,57 +952,14 @@ void OpenSSLStreamAdapter::OnMessage(Message* msg) {
 }
 
 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
-  SSL_CTX* ctx = nullptr;
-
-#ifdef OPENSSL_IS_BORINGSSL
-  ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
-// Version limiting for BoringSSL will be done below.
-#else
-  const SSL_METHOD* method;
-  switch (ssl_max_version_) {
-    case SSL_PROTOCOL_TLS_10:
-    case SSL_PROTOCOL_TLS_11:
-      // OpenSSL doesn't support setting min/max versions, so we always use
-      // (D)TLS 1.0 if a max. version below the max. available is requested.
-      if (ssl_mode_ == SSL_MODE_DTLS) {
-        if (role_ == SSL_CLIENT) {
-          method = DTLSv1_client_method();
-        } else {
-          method = DTLSv1_server_method();
-        }
-      } else {
-        if (role_ == SSL_CLIENT) {
-          method = TLSv1_client_method();
-        } else {
-          method = TLSv1_server_method();
-        }
-      }
-      break;
-    case SSL_PROTOCOL_TLS_12:
-    default:
-      if (ssl_mode_ == SSL_MODE_DTLS) {
-        if (role_ == SSL_CLIENT) {
-          method = DTLS_client_method();
-        } else {
-          method = DTLS_server_method();
-        }
-      } else {
-        if (role_ == SSL_CLIENT) {
-          method = TLS_client_method();
-        } else {
-          method = TLS_server_method();
-        }
-      }
-      break;
-  }
-  ctx = SSL_CTX_new(method);
-#endif // OPENSSL_IS_BORINGSSL
-
+  SSL_CTX* ctx =
+      SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
   if (ctx == nullptr) {
     return nullptr;
   }
 
-#ifdef OPENSSL_IS_BORINGSSL
+  // TODO(https://bugs.webrtc.org/10261): Evaluate and drop (D)TLS 1.0 and 1.1
+  // support by default.
   SSL_CTX_set_min_proto_version(
       ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
   switch (ssl_max_version_) {
@@ -1034,6 +977,8 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
           ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
       break;
   }
+#ifdef OPENSSL_IS_BORINGSSL
+  // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
   if (g_use_time_callback_for_testing) {
     SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting);
   }
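Review bot: The `SSL_CTX_set_min_proto_version` call that is now unconditional ignores its return value, and the `SSL_CTX_set_max_proto_version` calls in the switch that follows appear to do the same; both OpenSSL and BoringSSL report a rejected version as 0, so a failure would leave the context at the library's default bounds rather than the ones this function intends, which is exactly what the old fixed-`*_method()` OpenSSL branch could not get wrong. Since the function already has a `return nullptr` path for a failed `SSL_CTX_new`, the floor can be made fail-closed with `if (!SSL_CTX_set_min_proto_version(ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION)) {` / `SSL_CTX_free(ctx);` / `return nullptr;` `}`, and the max-version calls handled the same way. The switch body and the remainder of SetupSSLContext continue past this hunk, so whether any later call checks these results cannot be seen here.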
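Review bot: The `#ifdef OPENSSL_IS_BORINGSSL` opened around the `g_use_time_callback_for_testing` block makes that flag a silent no-op on OpenSSL builds, and the added comment does not say so; the matching `#endif` and the rest of the function lie outside the hunk. A reader of the flag would expect the fake clock to take effect on every backend, so extend the comment to `// SSL_CTX_set_current_time_cb is only supported in BoringSSL; on OpenSSL builds g_use_time_callback_for_testing has no effect.`. If any test that relies on the time override can run against OpenSSL, an `#else` branch with `RTC_DCHECK(!g_use_time_callback_for_testing);` would make that mismatch fail loudly instead of producing real-clock results that look like a pass.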