From: Viktor Szakats Date: Fri, 22 Aug 2025 14:24:26 +0000 (+0200) Subject: openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro X-Git-Tag: curl-8_16_0~114 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0be7f382dc90ed8f3c305fbd8e2dd0f17c781285;p=thirdparty%2Fcurl.git openssl: add and use `HAVE_BORINGSSL_LIKE` internal macro To cover the common case of guarding for both BoringSSL and AWS-LC. Cherry-picked from #18330 Closes #18358 --- diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 3df1a769bc..2b03254014 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -90,11 +90,9 @@ #define USE_ECH_OPENSSL #endif -#ifdef USE_ECH_OPENSSL -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) -# include -# endif -#endif /* USE_ECH_OPENSSL */ +#if defined(USE_ECH_OPENSSL) && !defined(HAVE_BORINGSSL_LIKE) +#include +#endif #ifndef OPENSSL_NO_OCSP #include @@ -216,7 +214,7 @@ static void ossl_provider_cleanup(struct Curl_easy *data); #define OSSL_PACKAGE "OpenSSL" #endif -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#ifdef HAVE_BORINGSSL_LIKE typedef size_t numcert_t; #else typedef int numcert_t; @@ -246,13 +244,11 @@ typedef int numcert_t; #define HAVE_RANDOM_INIT_BY_DEFAULT 1 #endif -#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ - !defined(OPENSSL_IS_BORINGSSL) && \ - !defined(OPENSSL_IS_AWSLC) +#if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && !defined(HAVE_BORINGSSL_LIKE) #define HAVE_OPENSSL_VERSION #endif -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#ifdef HAVE_BORINGSSL_LIKE typedef uint32_t sslerr_t; #else typedef unsigned long sslerr_t; @@ -936,7 +932,7 @@ static char *ossl_strerror(unsigned long error, char *buf, size_t size) *buf = '\0'; } -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#ifdef HAVE_BORINGSSL_LIKE ERR_error_string_n((uint32_t)error, buf, size); #else ERR_error_string_n(error, buf, size); @@ -2376,7 +2372,7 @@ static CURLcode ossl_verifyhost(struct Curl_easy *data, altnames = X509_get_ext_d2i(server_cert, NID_subject_alt_name, NULL, NULL); if(altnames) { -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#ifdef HAVE_BORINGSSL_LIKE size_t numalts; size_t i; #else @@ -2895,9 +2891,7 @@ ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx) long curl_ssl_version_max; /* convert curl min SSL version option to OpenSSL constant */ -#if (defined(OPENSSL_IS_BORINGSSL) || \ - defined(OPENSSL_IS_AWSLC) || \ - defined(LIBRESSL_VERSION_NUMBER)) +#if defined(HAVE_BORINGSSL_LIKE) || defined(LIBRESSL_VERSION_NUMBER) uint16_t ossl_ssl_version_min = 0; uint16_t ossl_ssl_version_max = 0; #else @@ -2974,7 +2968,7 @@ ossl_set_ssl_version_min_max(struct Curl_cfilter *cf, SSL_CTX *ctx) } #endif -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#ifdef HAVE_BORINGSSL_LIKE typedef uint32_t ctx_option_t; #elif defined(HAVE_OPENSSL3) typedef uint64_t ctx_option_t; @@ -3781,14 +3775,14 @@ static CURLcode ossl_init_ech(struct ossl_ctx *octx, if(data->set.tls_ech & CURLECH_GREASE) { infof(data, "ECH: will GREASE ClientHello"); -# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +# ifdef HAVE_BORINGSSL_LIKE SSL_set_enable_ech_grease(octx->ssl, 1); # else SSL_set_options(octx->ssl, SSL_OP_ECH_GREASE); # endif } else if(data->set.tls_ech & CURLECH_CLA_CFG) { -# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +# ifdef HAVE_BORINGSSL_LIKE /* have to do base64 decode here for BoringSSL */ const char *b64 = data->set.str[STRING_ECH_CONFIG]; @@ -3869,7 +3863,7 @@ static CURLcode ossl_init_ech(struct ossl_ctx *octx, Curl_resolv_unlink(data, &dns); } } -# if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +# ifdef HAVE_BORINGSSL_LIKE if(trying_ech_now && outername) { infof(data, "ECH: setting public_name not supported with BoringSSL"); return CURLE_SSL_CONNECT_ERROR; @@ -3886,7 +3880,7 @@ static CURLcode ossl_init_ech(struct ossl_ctx *octx, return CURLE_SSL_CONNECT_ERROR; } } -# endif /* OPENSSL_IS_BORINGSSL || OPENSSL_IS_AWSLC */ +# endif /* HAVE_BORINGSSL_LIKE */ if(trying_ech_now && SSL_set_min_proto_version(octx->ssl, TLS1_3_VERSION) != 1) { infof(data, "ECH: cannot force TLSv1.3 [ERROR]"); @@ -4211,7 +4205,7 @@ CURLcode Curl_ossl_ctx_init(struct ossl_ctx *octx, { const char *curves = conn_config->curves; if(curves) { -#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#ifdef HAVE_BORINGSSL_LIKE #define OSSL_CURVE_CAST(x) (x) #else #define OSSL_CURVE_CAST(x) (char *)CURL_UNCONST(x) @@ -4434,7 +4428,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl, CURLcode result = CURLE_OK; size_t rcl = 0; int rv = 1; -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +# ifndef HAVE_BORINGSSL_LIKE char *inner = NULL; unsigned char *rcs = NULL; char *outer = NULL; @@ -4449,7 +4443,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl, /* nothing to trace if not doing ECH */ if(!ECH_ENABLED(data)) return; -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +# ifndef HAVE_BORINGSSL_LIKE rv = SSL_ech_get1_retry_config(ssl, &rcs, &rcl); # else SSL_get0_ech_retry_configs(ssl, &rcs, &rcl); @@ -4464,7 +4458,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl, if(!result && b64str) { infof(data, "ECH: retry_configs %s", b64str); free(b64str); -#if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +#ifndef HAVE_BORINGSSL_LIKE rv = SSL_ech_get1_status(ssl, &inner, &outer); infof(data, "ECH: retry_configs for %s from %s, %d %d", inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); @@ -4480,7 +4474,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, SSL* ssl, } else infof(data, "ECH: no retry_configs (rv = %d)", rv); -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +# ifndef HAVE_BORINGSSL_LIKE OPENSSL_free((void *)rcs); # endif return; @@ -4599,7 +4593,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, #endif #ifdef USE_ECH_OPENSSL else if((lib == ERR_LIB_SSL) && -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +# ifndef HAVE_BORINGSSL_LIKE (reason == SSL_R_ECH_REQUIRED)) { # else (reason == SSL_R_ECH_REJECTED)) { @@ -4645,7 +4639,7 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, Curl_ossl_report_handshake(data, octx); #ifdef USE_ECH_OPENSSL -# if !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +# ifndef HAVE_BORINGSSL_LIKE if(ECH_ENABLED(data)) { char *inner = NULL, *outer = NULL; const char *status = NULL; @@ -4703,8 +4697,8 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, else { infof(data, "ECH: result: status is not attempted"); } -# endif /* !OPENSSL_IS_BORINGSSL && !OPENSSL_IS_AWSLC */ -#endif /* USE_ECH_OPENSSL */ +# endif /* !HAVE_BORINGSSL_LIKE */ +#endif /* USE_ECH_OPENSSL */ #ifdef HAS_ALPN_OPENSSL /* Sets data and len to negotiated protocol, len is 0 if no protocol was @@ -4784,9 +4778,7 @@ static CURLcode ossl_pkp_pin_peer_pubkey(struct Curl_easy *data, X509* cert, #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) && \ !(defined(LIBRESSL_VERSION_NUMBER) && \ LIBRESSL_VERSION_NUMBER < 0x3060000fL) && \ - !defined(OPENSSL_IS_BORINGSSL) && \ - !defined(OPENSSL_IS_AWSLC) && \ - !defined(CURL_DISABLE_VERBOSE_STRINGS) + !defined(HAVE_BORINGSSL_LIKE) && !defined(CURL_DISABLE_VERBOSE_STRINGS) static void infof_certstack(struct Curl_easy *data, const SSL *ssl) { STACK_OF(X509) *certstack; diff --git a/lib/vtls/openssl.h b/lib/vtls/openssl.h index b084a48c5b..ace55ab4d1 100644 --- a/lib/vtls/openssl.h +++ b/lib/vtls/openssl.h @@ -41,6 +41,10 @@ #define HAVE_OPENSSL3 /* non-fork OpenSSL 3.x or later */ #endif +#if defined(OPENSSL_IS_BORINGSSL) || defined(OPENSSL_IS_AWSLC) +#define HAVE_BORINGSSL_LIKE +#endif + /* * Whether SSL_CTX_set_keylog_callback is available. * OpenSSL: supported since 1.1.1 https://github.com/openssl/openssl/pull/2287 @@ -55,8 +59,7 @@ /* Check for OpenSSL 1.1.1 which has early data support. */ #undef HAVE_OPENSSL_EARLYDATA -#if defined(TLS1_3_VERSION) && \ - !defined(OPENSSL_IS_BORINGSSL) && !defined(OPENSSL_IS_AWSLC) +#if defined(TLS1_3_VERSION) && !defined(HAVE_BORINGSSL_LIKE) #define HAVE_OPENSSL_EARLYDATA #endif