From 727544fd347f16d9a3394923359244e0abe37aa7 Mon Sep 17 00:00:00 2001 From: Bernard Spil Date: Sat, 11 Feb 2017 21:18:50 +0100 Subject: [PATCH 1/3] Fix build issue with LibreSSL LibreSSL defines OPENSSL_VERSION_NUMBER as 0x20000000L though being forked from 1.0.1f LibreSSL defines LIBRESSL_VERSION_NUMBER --- cpp/log/cert.cc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/log/cert.cc b/cpp/log/cert.cc index b221e7845..c6f297630 100644 --- a/cpp/log/cert.cc +++ b/cpp/log/cert.cc @@ -31,7 +31,7 @@ using util::StatusOr; using util::error::Code; -#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(OPENSSL_IS_BORINGSSL) +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER) // Backport from 1.0.2-beta3. static int i2d_re_X509_tbs(X509* x, unsigned char** pp) { x->cert_info->enc.modified = 1; @@ -39,7 +39,7 @@ static int i2d_re_X509_tbs(X509* x, unsigned char** pp) { } #endif -#if OPENSSL_VERSION_NUMBER < 0x10002000L +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) static int X509_get_signature_nid(const X509* x) { return OBJ_obj2nid(x->sig_alg->algorithm); } From 4ae89637d959c119eb3c6204c54201b4ef9a46fc Mon Sep 17 00:00:00 2001 From: Bernard Spil Date: Sat, 11 Feb 2017 21:54:38 +0100 Subject: [PATCH 2/3] Fix CMS detection for LibreSSL - Neither BoringSSL nor LibreSSL support CMS - Add test to detect LibreSSL - Create new knob for OPENSSL_NO_CMS - Use OPENSSL_NO_CMS knob for disabling cms_verifier building --- Makefile.am | 13 +++---------- configure.ac | 19 ++++++++++++++++--- 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/Makefile.am b/Makefile.am index 19264a38b..a11744ea2 100644 --- a/Makefile.am +++ b/Makefile.am @@ -11,8 +11,6 @@ AM_CXXFLAGS = \ -fno-exceptions BUILT_SOURCES = \ - cpp/gmock-all.cc \ - cpp/gtest-all.cc \ cpp/monitoring/prometheus/metrics.pb.cc \ cpp/monitoring/prometheus/metrics.pb.h \ proto/ct.pb.cc \ 
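Review bot: The added `defined(LIBRESSL_VERSION_NUMBER)` test in the first cert.cc hunk turns on the `i2d_re_X509_tbs` backport for every LibreSSL release, with no upper version bound. If a later LibreSSL provides its own `i2d_re_X509_tbs` or `X509_get_signature_nid`, or makes `X509` opaque, these static definitions will clash or stop compiling, because they reach into `x->cert_info` and `x->sig_alg` directly. Consider bounding the test, e.g. `|| (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < <FIRST_LIBRESSL_RELEASE_WITH_THE_API>)`, where the placeholder is the first release that ships the function. The same applies to the second cert.cc hunk and to the ct.cc and ssl_client.cc hunks in patch 3. The comment `// Backport from 1.0.2-beta3.` should also say that the backport is now used for LibreSSL.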
@@ -112,7 +110,7 @@ TESTS = \ cpp/util/sync_task_test \ cpp/util/task_test -if !OPENSSL_IS_BORINGSSL +if !OPENSSL_NO_CMS TESTS += cpp/log/cms_verifier_test endif @@ -131,9 +129,6 @@ endif cpp/gtest-all.cc: $(GTEST_DIR)/src/gtest-all.cc $(AM_V_at)cp $^ $@ -cpp/gmock-all.cc: $(GMOCK_DIR)/src/gmock-all.cc - $(AM_V_at)cp $^ $@ - test/testdata/urlfetcher_test_certs/localhost-key.pem: test/create_url_fetcher_test_certs.sh $(AM_V_GEN)test/create_url_fetcher_test_certs.sh @@ -217,7 +212,7 @@ cpp_libcore_a_SOURCES = \ proto/ct.pb.cc \ proto/ct.pb.h -if !OPENSSL_IS_BORINGSSL +if !OPENSSL_NO_CMS cpp_libcore_a_SOURCES += cpp/log/cms_verifier.cc endif @@ -226,8 +221,6 @@ cpp_libtest_a_CPPFLAGS = \ -I$(GTEST_DIR) \ $(AM_CPPFLAGS) cpp_libtest_a_SOURCES = \ - cpp/gmock-all.cc \ - cpp/gtest-all.cc \ cpp/util/testing.cc cpp_server_ct_mirror_LDADD = \ @@ -907,7 +900,7 @@ cpp_log_cert_test_SOURCES = \ cpp/log/cert_test.cc \ cpp/util/util.cc -if !OPENSSL_IS_BORINGSSL +if !OPENSSL_NO_CMS cpp_log_cms_verifier_test_LDADD = \ cpp/libcore.a \ cpp/libtest.a \ diff --git a/configure.ac b/configure.ac index 8b243ff94..cf4adba45 100644 --- a/configure.ac +++ b/configure.ac @@ -84,9 +84,7 @@ AC_CHECK_HEADER([gtest/gtest.h],, [missing_gtest=1]) AS_VAR_APPEND([CPPFLAGS], [" -I$GMOCK_DIR/include"]) AC_CHECK_HEADER([gmock/gmock.h],, [missing_gmock=1]) AS_VAR_APPEND([CPPFLAGS], [" -I$GTEST_DIR"]) -AC_CHECK_HEADER([$GTEST_DIR/src/gtest-all.cc],, [missing_gtest=1]) AS_VAR_APPEND([CPPFLAGS], [" -I$GMOCK_DIR"]) -AC_CHECK_HEADER([$GMOCK_DIR/src/gmock-all.cc],, [missing_gmock=1]) CPPFLAGS="$saved_CPPFLAGS" AS_IF([test -n "$missing_gtest"], [AC_MSG_ERROR([could not find a working Google Test])]) 
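Review bot: The rule `cpp/gtest-all.cc: $(GTEST_DIR)/src/gtest-all.cc` is left in place by the `@@ -131,9 +129,6 @@` hunk, although this patch removes `cpp/gtest-all.cc` from both `BUILT_SOURCES` and `cpp_libtest_a_SOURCES`, so nothing visible in the diff depends on it any more. Either drop it together with the gmock rule, or keep both source entries if building against vendored gtest/gmock sources is still meant to work. `cpp_libtest_a_CPPFLAGS` still passes `-I$(GTEST_DIR)`, which looks like it existed only for the removed sources; worth confirming before it is left behind.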
@@ -106,7 +104,7 @@ AC_SEARCH_LIBS([clock_gettime], [rt],,, [$save_LIBS]) AC_MSG_CHECKING([checking for gflags library]) LIBS="-lgflags $LIBS" -AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[google::ParseCommandLineFlags(NULL, NULL, true)]])], [have_gflags=yes], [have_gflags=no]) +AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[gflags::ParseCommandLineFlags(NULL, NULL, true)]])], [have_gflags=yes], [have_gflags=no]) AC_MSG_RESULT([$have_gflags]) AS_IF([test "x$have_gflags" = "xno"], [AC_MSG_ERROR([gflags library could not be found])]) @@ -118,6 +116,9 @@ AC_MSG_RESULT([$have_glog]) AS_IF([test "x$have_glog" = "xno"], [AC_MSG_ERROR([glog library could not be found])]) +# Required for "make check" to build. +LIBS="$LIBS -lgtest -lgmock" + save_LIBS="$LIBS" AS_UNSET([LIBS]) AC_SEARCH_LIBS([snappy_compress], [snappy],,, [$save_LIBS]) @@ -146,6 +147,17 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], [AC_MSG_RESULT([yes]); openssl_is_boringssl=1], [AC_MSG_RESULT([no])]) +AC_MSG_CHECKING([for LibreSSL]) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[ + #ifndef LIBRESSL_VERSION_NUMBER + # error not LibreSSL + #endif + ]]) + ], + [AC_MSG_RESULT([yes]); openssl_is_libressl=1], + [AC_MSG_RESULT([no])]) + save_LIBS="$LIBS" AS_UNSET([LIBS]) AC_SEARCH_LIBS([event_base_dispatch], [event],, [missing_libevent=1], @@ -212,6 +224,7 @@ AM_CONDITIONAL([HAVE_ANT], [test -n "$ANT"]) AM_CONDITIONAL([HAVE_LDNS], [test -z "$missing_ldns"]) AM_CONDITIONAL([HAVE_OBJECTHASH], [test -z "$missing_objecthash"]) AM_CONDITIONAL([OPENSSL_IS_BORINGSSL], [test -n "$openssl_is_boringssl"]) +AM_CONDITIONAL([OPENSSL_NO_CMS], [test -z "$openssl_is_boringssl" -o -z "$openssl_is_boringssl"]) AC_DEFINE_UNQUOTED([TEST_SRCDIR], ["$srcdir"], [Top of the source directory, for tests.]) AC_SUBST([INSTALL_DIR]) AC_CONFIG_FILES([Makefile]) From 6d523639e74af80627ef5b7a819c2a7bc36f53d9 Mon Sep 17 00:00:00 2001 
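Review bot: `LIBS="$LIBS -lgtest -lgmock"` in the `@@ -118,6 +116,9 @@` hunk puts the test frameworks on the global link line, so every program built from this configure run, including the server binaries, is linked against gtest and gmock rather than only the `make check` targets. Test-only libraries are better kept out of shipped binaries; add them to the test programs' `LDADD`, or to a dedicated substituted variable (for instance a new `GTEST_LIBS`), instead of `LIBS`. The assignment also has no link check behind it, and the `gtest-all.cc`/`gmock-all.cc` probes were removed in the `@@ -84,9 +84,7 @@` hunk, so a missing library now only surfaces as a link failure at build time.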
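Review bot: The new `AM_CONDITIONAL([OPENSSL_NO_CMS], [test -z "$openssl_is_boringssl" -o -z "$openssl_is_boringssl"])` tests the BoringSSL variable twice and uses `-z`, so it is true exactly when BoringSSL was not detected. That is the inverse of what the commit message describes: on stock OpenSSL `cms_verifier.cc` and `cms_verifier_test` are dropped from the build, while on BoringSSL they are compiled. The `openssl_is_libressl` variable set by the detection hunk above is never read. The condition should be `[test -n "$openssl_is_boringssl" -o -n "$openssl_is_libressl"]`.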
From: Bernard Spil Date: Sat, 11 Feb 2017 22:13:39 +0100 Subject: [PATCH 3/3] More LibreSSL / OPENSSL_VERSION_NUMBER fixes --- cpp/client/ct.cc | 2 +- cpp/client/ssl_client.cc | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/client/ct.cc b/cpp/client/ct.cc index 03cdbba4e..962536958 100644 --- a/cpp/client/ct.cc +++ b/cpp/client/ct.cc @@ -530,7 +530,7 @@ static void ProofToExtensionData() { << " for writing:" << strerror(errno); // Work around broken PEM_write() declaration in older OpenSSL versions. -#if OPENSSL_VERSION_NUMBER < 0x10002000L +#if OPENSSL_VERSION_NUMBER < 0x10002000L || defined(LIBRESSL_VERSION_NUMBER) PEM_write(out, const_cast(kPEMLabel), const_cast(""), const_cast(reinterpret_cast( extension_data_out.str().data())), diff --git a/cpp/client/ssl_client.cc b/cpp/client/ssl_client.cc index 39c7a9443..e31928c27 100644 --- a/cpp/client/ssl_client.cc +++ b/cpp/client/ssl_client.cc @@ -88,7 +88,7 @@ SSLClient::SSLClient(const string& server, const string& port, SSL_CTX_set_cert_verify_callback(ctx_.get(), &VerifyCallback, &verify_args_); -#if OPENSSL_VERSION_NUMBER >= 0x10002000L +#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER) SSL_CTX_add_client_custom_ext(ctx_.get(), CT_EXTENSION_TYPE, NULL, NULL, NULL, ExtensionCallback, &verify_args_); #else
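Review bot: With `&& !defined(LIBRESSL_VERSION_NUMBER)` added in the ssl_client.cc hunk, a LibreSSL build of the `SSLClient` constructor always takes the `#else` branch, whose body lies outside the hunk, so it cannot be confirmed from here that `ExtensionCallback` is still registered for `CT_EXTENSION_TYPE` on that path. If the fallback does not register it, a LibreSSL-linked client would build cleanly but presumably never process CT data delivered in the TLS extension; please confirm this and cover it with a test. A short comment above the `#if` would help, e.g. `// LibreSSL reports a high OPENSSL_VERSION_NUMBER but is assumed to lack SSL_CTX_add_client_custom_ext; use the legacy path below.` The ct.cc comment `Work around broken PEM_write() declaration in older OpenSSL versions.` should likewise mention LibreSSL.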