Work with boringssl

Work with boringssl

Author: AlCutter

.travis.yml

@@ -14,13 +14,15 @@ addons:
     sources: &common_sources
       - ubuntu-toolchain-r-test
       - llvm-toolchain-precise-3.6
+      - kalakris-cmake
     packages: &common_packages
       - autoconf
       - automake
       - build-essential
       - python-dev
       - libstdc++-4.9-dev
       - tcl8.5
+      - cmake
 
 matrix:
   include:
@@ -74,6 +76,7 @@ before_install:
  - echo "leak:InitModule" > ${HOME}/lsan.supp
  - echo "leak:SetExitLoopHandler" >> ${HOME}/lsan.supp
  - echo "leak:masterelection_test" >> ${HOME}/lsan.supp
+ - if [ "${CLEAR_CACHE}" != "" ]; then echo "Clearing cache"; rm -fr ${TRAVIS_BUILD_DIR}/../ct ${TRAVIS_BUILD_DIR}/../install ${HOME}/.ccache; fi
  - mkdir -p ${INSTALL_DIR}/include ${INSTALL_DIR}/lib ${INSTALL_DIR}/java
  - echo "INSTALL_DIR=${INSTALL_DIR}"
  - mkdir -p $GOPATH/src/github.com/google

DEPS

@@ -1,4 +1,17 @@
+vars = {
+     # Change this variable to the name of one of the alterniative SSL
+     # implementations below.
+     # If you change this in an existing client, you should probably rm -fr
+     # all the deps and rebuild everything from scratch.
+     "ssl_impl":         "openssl",
+
+     # SSL implementation alternatives:
+     "openssl": 				 "https://github.com/openssl/openssl.git@OpenSSL_1_0_2d",
+     "boringssl":        "https://boringssl.googlesource.com/boringssl.git@2661"
+}
+
 deps = {
+     Var("ssl_impl"):    Var(Var("ssl_impl")),
      "gflags":  	 			 "https://github.com/gflags/gflags.git@v2.1.2",
      "glog":             "https://github.com/benlaurie/glog.git@0.3.4-fix",
      "googlemock": 			 "https://github.com/google/googlemock.git@release-1.7.0",
@@ -11,7 +24,6 @@ deps = {
      "libevhtp": 				 "https://github.com/ellzey/libevhtp.git@a89d9b3f9fdf2ebef41893b3d5e4466f4b0ecfda",
      "certificate-transparency/third_party/objecthash":
                          "https://github.com/benlaurie/objecthash.git@798f66bd8c5313da226aa7a60c114147910a7407",
-     "openssl": 				 "https://github.com/openssl/openssl.git@OpenSSL_1_0_2d",
      "protobuf":         "https://github.com/google/protobuf.git@v2.6.1",
      "protobuf/gtest":   "https://github.com/google/googletest.git@release-1.7.0",
      "libsnappy":        "https://github.com/google/snappy.git@1.1.3",
@@ -58,6 +70,7 @@ else:
 
 num_cores = multiprocessing.cpu_count()
 
+print("Building with %s", Var("ssl_impl"))
 print("Using make %s with %d jobs" % (make, num_cores))
 
 here = os.getcwd()
@@ -74,9 +87,9 @@ hooks = [
         "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_tcmalloc" ],
     },
     {
-        "name": "openssl",
-        "pattern": "^openssl/",
-        "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_openssl" ],
+        "name": "ssl",
+        "pattern": Var("ssl_impl") + "/",
+        "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_" + Var("ssl_impl") ],
     },
     {
         "name": "libevent",
@@ -103,11 +116,6 @@ hooks = [
         "pattern": "^protobuf/",
         "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_protobuf" ],
     },
-    {
-        "name": "ldns",
-        "pattern": "^ldns/",
-        "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_ldns" ],
-    },
     {
         "name": "sqlite3",
         "pattern": "^sqlite3/",
@@ -137,11 +145,23 @@ hooks = [
         "name": "objecthash",
         "pattern": "^certificate-transparency/third_party/objecthash/",
         "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_objecthash" ],
-    },
-    # Do this last
+    }]
+
+# Currently only Openssl is supported for building the DNS server due to LDNS's dependency.
+if Var("ssl_impl") == 'openssl':
+  hooks.append(
+      {
+          "name": "ldns",
+          "pattern": "^ldns/",
+          "action": [ make, "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_ldns" ],
+      })
+else:
+  print("NOT building DNS server since we're using BoringSSL.")
+
+# Do this last
+hooks.append(
     {
         "name": "ct",
         "pattern": "^certificate-transparency/",
         "action": [ make, "-j", str(num_cores), "-f", os.path.join(here, "certificate-transparency/build.gclient"), "_configure-ct" ],
-    }
-]
+    })

Makefile.am

@@ -73,7 +73,6 @@ TESTS = \
 	cpp/log/cert_submission_handler_test \
 	cpp/log/cert_test \
 	cpp/log/cluster_state_controller_test \
-	cpp/log/cms_verifier_test \
 	cpp/log/ct_extensions_test \
 	cpp/log/database_large_test \
 	cpp/log/database_test \
@@ -109,6 +108,10 @@ TESTS = \
 	cpp/util/sync_task_test \
 	cpp/util/task_test
 
+if !OPENSSL_IS_BORINGSSL
+TESTS += cpp/log/cms_verifier_test
+endif
+
 all-local:
 	$(MAKE) -C python
 
@@ -141,7 +144,6 @@ cpp_libcore_a_SOURCES = \
 	cpp/log/cert_checker.cc \
 	cpp/log/cert_submission_handler.cc \
 	cpp/log/cluster_state_controller_cert.cc \
-	cpp/log/cms_verifier.cc \
 	cpp/log/ct_extensions.cc \
 	cpp/log/database.cc \
 	cpp/log/etcd_consistent_store_cert.cc \
@@ -210,6 +212,10 @@ cpp_libcore_a_SOURCES = \
 	proto/ct.pb.cc \
 	proto/ct.pb.h
 
+if !OPENSSL_IS_BORINGSSL
+cpp_libcore_a_SOURCES += cpp/log/cms_verifier.cc
+endif
+
 cpp_libtest_a_CPPFLAGS = \
 	-I$(GMOCK_DIR) \
 	-I$(GTEST_DIR) \
@@ -902,6 +908,7 @@ cpp_log_cert_test_SOURCES = \
 	cpp/log/cert_test.cc \
 	cpp/util/util.cc
 
+if !OPENSSL_IS_BORINGSSL
 cpp_log_cms_verifier_test_LDADD = \
 	cpp/libcore.a \
 	cpp/libtest.a \
@@ -910,6 +917,7 @@ cpp_log_cms_verifier_test_LDADD = \
 cpp_log_cms_verifier_test_SOURCES = \
 	cpp/log/cms_verifier_test.cc \
 	cpp/util/util.cc
+endif
 
 cpp_log_ct_extensions_test_LDADD = \
 	cpp/libcore.a \

build.gclient

@@ -5,7 +5,7 @@ export INSTALL_DIR
 PKG_CONFIG_PATH=$(shell pwd)/install/lib/pkgconfig
 export PKG_CONFIG_PATH
 
-PHONY: libunwind tcmalloc objecthash openssl protobuf libevent libevhtp gflags glog ldns sqlite3 leveldb json-c configure-ct
+PHONY: libunwind tcmalloc objecthash borginssl openssl protobuf libevent libevhtp gflags glog ldns sqlite3 leveldb json-c configure-ct
 
 all: configure-ct
 
@@ -25,6 +25,9 @@ _icu4c:
 _objecthash:
 	$(MAKE) -C certificate-transparency/third_party/objecthash -f `pwd`/certificate-transparency/build/Makefile.objecthash
 
+_boringssl:
+	$(MAKE) -C boringssl -f `pwd`/certificate-transparency/build/Makefile.boringssl
+
 _openssl:
 	$(MAKE) -C openssl -f `pwd`/certificate-transparency/build/Makefile.openssl
 	cd openssl && git checkout -- apps/progs.h crypto/bn/bn_prime.h

build/Makefile.boringssl

@@ -0,0 +1,12 @@
+all: make
+
+make: build/Makefile
+	cd build && $(MAKE) && \
+	cp -rv ../include $(INSTALL_DIR) && \
+	cp crypto/libcrypto.a ssl/libssl.a $(INSTALL_DIR)/lib
+
+build/Makefile: build
+	cd build && cmake -DBUILD_SHARED_LIBS=FALSE -DCMAKE_CXX_FLAGS:STRING=-fPIC -DCMAKE_C_FLAGS:STRING=-fPIC -DCMAKE_INSTALL_PREFIX=$(INSTALL_DIR) ..
+
+build:
+	mkdir -p build

build/Makefile.libevent

@@ -5,6 +5,7 @@ endif
 ifeq ($(UNAME),Darwin)
 EXTRA_LDFLAGS="-ldl"
 endif
+EXTRA_LDFLAGS+="-lpthread"
 
 all: Makefile
 	$(MAKE)

build/Makefile.libevhtp

@@ -6,12 +6,16 @@ Makefile: CMakeLists.txt
 	cmake \
 		-DBUILD_SHARED_LIBS=FALSE \
 		-DCMAKE_INSTALL_PREFIX:STRING=$(INSTALL_DIR) \
-		-DLIBEVENT_LIBRARY_DIRS:STRING=$(INSTALL_DIR)/include \
+		-DLIBEVENT_INCLUDE_DIRS:STRING=$(INSTALL_DIR)/include \
+		-DLIBEVENT_LIBRARY_DIRS:STRING=$(INSTALL_DIR)/lib \
 		-DLIBEVENT_LIBRARY:STRING=$(INSTALL_DIR)/lib/libevent.a \
 		-DLIBEVENT_PTHREADS_LIBRARY:STRING=$(INSTALL_DIR)/lib/libevent-pthreads.a \
 		-DLIBEVENT_CORE_LIBRARY:STRING=$(INSTALL_DIR)/lib/libevent-core.a \
 		-DLIBEVENT_EXTRA_LIBRARY:STRING=$(INSTALL_DIR)/lib/libevent-extra.a \
 		-DLIBEVENT_OPENSSL_LIBRARY:STRING=$(INSTALL_DIR)/lib/libevent-openssl.a \
+		-DOPENSSL_INCLUDE_DIR:PATH=$(INSTALL_DIR)/include \
+		-DOPENSSL_CRYPTO_LIBRARY:FILEPATH=$(INSTALL_DIR)/lib/libcrypto.a \
+		-DOPENSSL_SSL_LIBRARY:FILEPATH=$(INSTALL_DIR)/lib/libssl.a \
 		-DEVHTP_DISABLE_REGEX:STRING=ON \
 		-DCMAKE_C_FLAGS:STRING=-fPIC .
 

configure.ac

@@ -134,6 +134,22 @@ AC_SEARCH_LIBS([SSL_CTX_new], [ssl],, [missing_openssl=1], [$save_LIBS])
 AS_IF([test -n "$missing_openssl"],
       [AC_MSG_ERROR([could not find the OpenSSL libraries])])
 
+AC_MSG_CHECKING([for BoringSSL])
+AC_COMPILE_IFELSE([
+                   AC_LANG_PROGRAM([[
+                                    #include <openssl/base.h>
+                                    ]],[[
+                                        #ifndef OPENSSL_IS_BORINGSSL
+                                        #error not boringssl
+                                        #endif
+                                        ]])
+                   ],[
+                      AC_MSG_RESULT([yes])
+					  openssl_is_boringssl=1
+                      ],[
+                         AC_MSG_RESULT([no])
+                         ])
+
 save_LIBS="$LIBS"
 AS_UNSET([LIBS])
 AC_SEARCH_LIBS([event_base_dispatch], [event],, [missing_libevent=1],
@@ -198,6 +214,7 @@ AC_CHECK_FUNCS([alarm gettimeofday memset mkdir select socket strdup strerror st
 
 AM_CONDITIONAL([HAVE_ANT], [test -n "$ANT"])
 AM_CONDITIONAL([HAVE_LDNS], [test -z "$missing_ldns"])
+AM_CONDITIONAL([OPENSSL_IS_BORINGSSL], [test -n "$openssl_is_boringssl"])
 AC_DEFINE_UNQUOTED([TEST_SRCDIR], ["$srcdir"], [Top of the source directory, for tests.])
 AC_SUBST([INSTALL_DIR])
 AC_CONFIG_FILES([Makefile])

cpp/client/ct.cc

@@ -405,7 +405,8 @@ static void MakeCert() {
 
   // Set signature algorithm
   // FIXME: is there an opaque way to get the algorithm structure?
-  x->cert_info->signature->algorithm = OBJ_nid2obj(NID_sha1WithRSAEncryption);
+  // FIXME: Sort out const/non-const OpenssL/BoringSSL mismatch.
+  x->cert_info->signature->algorithm = const_cast<ASN1_OBJECT*>(OBJ_nid2obj(NID_sha1WithRSAEncryption));
   x->cert_info->signature->parameter = NULL;
 
   // Set the start date to now

cpp/log/cert_test.cc

@@ -489,7 +489,8 @@ TEST_F(CertTest, SignatureAlgorithmMatches) {
 
 TEST_F(CertTest, IllegalSignatureAlgorithmParameter) {
   Cert cert(kIllegalSigAlgParameterCertString);
-  #if defined(OPENSSL_IS_BORINGSSL) && defined(BORINGSSL_201603)
+  #if defined(OPENSSL_IS_BORINGSSL) && \
+              (defined(BORINGSSL_201603) || defined(BORINGSSL_201512))
   EXPECT_FALSE(cert.IsLoaded());
   #else
   EXPECT_TRUE(cert.IsLoaded());