Trim unnecessary OpenSSL/BoringSSL ifdefs.

Now that WebRTC requires OpenSSL 1.1.0 as minimum, some bits can be removed. The simpler versioning API is shared between BoringSSL and OpenSSL 1.1.0, and there are some remnants of the threading callbacks that can be removed. Bug: none Change-Id: I2078ca9c444b1f1efa9e4b235eb4e6037865d8fb Reviewed-on: https://webrtc-review.googlesource.com/c/120261 Commit-Queue: David Benjamin <davidben@webrtc.org> Reviewed-by: Karl Wiberg <kwiberg@webrtc.org> Reviewed-by: Benjamin Wright <benwright@webrtc.org> Cr-Commit-Position: refs/heads/master@{#26475}
2019-01-30 09:46:16 -06:00
parent 71f94c93a6
commit 170a4b383f
2 changed files with 8 additions and 100 deletions
--- a/rtc_base/openssl_adapter.cc
+++ b/rtc_base/openssl_adapter.cc
@ -31,34 +31,6 @@
 #include "rtc_base/string_encode.h"
 #include "rtc_base/thread.h"
 #ifndef OPENSSL_IS_BORINGSSL
 // TODO(benwright): Use a nicer abstraction for mutex.
 #if defined(WEBRTC_WIN)
 #define MUTEX_TYPE HANDLE
 #define MUTEX_SETUP(x) (x) = CreateMutex(nullptr, FALSE, nullptr)
 #define MUTEX_CLEANUP(x) CloseHandle(x)
 #define MUTEX_LOCK(x) WaitForSingleObject((x), INFINITE)
 #define MUTEX_UNLOCK(x) ReleaseMutex(x)
 #define THREAD_ID GetCurrentThreadId()
 #elif defined(WEBRTC_POSIX)
 #define MUTEX_TYPE pthread_mutex_t
 #define MUTEX_SETUP(x) pthread_mutex_init(&(x), nullptr)
 #define MUTEX_CLEANUP(x) pthread_mutex_destroy(&(x))
 #define MUTEX_LOCK(x) pthread_mutex_lock(&(x))
 #define MUTEX_UNLOCK(x) pthread_mutex_unlock(&(x))
 #define THREAD_ID pthread_self()
 #else
 #error You must define mutex operations appropriate for your platform!
 #endif
 struct CRYPTO_dynlock_value {
  MUTEX_TYPE mutex;
 };
 #endif  // #ifndef OPENSSL_IS_BORINGSSL
 //////////////////////////////////////////////////////////////////////
 // SocketBIO
 //////////////////////////////////////////////////////////////////////
@ -881,17 +853,8 @@ int OpenSSLAdapter::NewSSLSessionCallback(SSL* ssl, SSL_SESSION* session) {
 }
 SSL_CTX* OpenSSLAdapter::CreateContext(SSLMode mode, bool enable_cache) {
-  // Use (D)TLS 1.2.
+  SSL_CTX* ctx =
-  // Note: BoringSSL supports a range of versions by setting max/min version
+      SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
  // (Default V1.0 to V1.2). However (D)TLSv1_2_client_method functions used
  // below in OpenSSL only support V1.2.
  SSL_CTX* ctx = nullptr;
 #ifdef OPENSSL_IS_BORINGSSL
  ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
 #else
  ctx = SSL_CTX_new(mode == SSL_MODE_DTLS ? DTLSv1_2_client_method()
                                          : TLSv1_2_client_method());
 #endif  // OPENSSL_IS_BORINGSSL
  if (ctx == nullptr) {
    unsigned long error = ERR_get_error();  // NOLINT: type used by OpenSSL.
    RTC_LOG(LS_WARNING) << "SSL_CTX creation failed: " << '"'
--- a/rtc_base/openssl_stream_adapter.cc
+++ b/rtc_base/openssl_stream_adapter.cc
@ -819,20 +819,6 @@ int OpenSSLStreamAdapter::BeginSSL() {
  SSL_set_mode(ssl_, SSL_MODE_ENABLE_PARTIAL_WRITE |
                         SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 #if !defined(OPENSSL_IS_BORINGSSL)
  // Specify an ECDH group for ECDHE ciphers, otherwise OpenSSL cannot
  // negotiate them when acting as the server. Use NIST's P-256 which is
  // commonly supported. BoringSSL doesn't need explicit configuration and has
  // a reasonable default set.
  EC_KEY* ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
  if (ecdh == nullptr) {
    return -1;
  }
  SSL_set_options(ssl_, SSL_OP_SINGLE_ECDH_USE);
  SSL_set_tmp_ecdh(ssl_, ecdh);
  EC_KEY_free(ecdh);
 #endif
  // Do the connect
  return ContinueSSL();
 }
@ -966,57 +952,14 @@ void OpenSSLStreamAdapter::OnMessage(Message* msg) {
 }
 SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
-  SSL_CTX* ctx = nullptr;
+  SSL_CTX* ctx =
-
+      SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
 #ifdef OPENSSL_IS_BORINGSSL
  ctx = SSL_CTX_new(ssl_mode_ == SSL_MODE_DTLS ? DTLS_method() : TLS_method());
 // Version limiting for BoringSSL will be done below.
 #else
  const SSL_METHOD* method;
  switch (ssl_max_version_) {
    case SSL_PROTOCOL_TLS_10:
    case SSL_PROTOCOL_TLS_11:
      // OpenSSL doesn't support setting min/max versions, so we always use
      // (D)TLS 1.0 if a max. version below the max. available is requested.
      if (ssl_mode_ == SSL_MODE_DTLS) {
        if (role_ == SSL_CLIENT) {
          method = DTLSv1_client_method();
        } else {
          method = DTLSv1_server_method();
        }
      } else {
        if (role_ == SSL_CLIENT) {
          method = TLSv1_client_method();
        } else {
          method = TLSv1_server_method();
        }
      }
      break;
    case SSL_PROTOCOL_TLS_12:
    default:
      if (ssl_mode_ == SSL_MODE_DTLS) {
        if (role_ == SSL_CLIENT) {
          method = DTLS_client_method();
        } else {
          method = DTLS_server_method();
        }
      } else {
        if (role_ == SSL_CLIENT) {
          method = TLS_client_method();
        } else {
          method = TLS_server_method();
        }
      }
      break;
  }
  ctx = SSL_CTX_new(method);
 #endif  // OPENSSL_IS_BORINGSSL
  if (ctx == nullptr) {
    return nullptr;
  }
-#ifdef OPENSSL_IS_BORINGSSL
+  // TODO(https://bugs.webrtc.org/10261): Evaluate and drop (D)TLS 1.0 and 1.1
  // support by default.
  SSL_CTX_set_min_proto_version(
      ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_VERSION : TLS1_VERSION);
  switch (ssl_max_version_) {
@ -1034,6 +977,8 @@ SSL_CTX* OpenSSLStreamAdapter::SetupSSLContext() {
          ctx, ssl_mode_ == SSL_MODE_DTLS ? DTLS1_2_VERSION : TLS1_2_VERSION);
      break;
  }
 #ifdef OPENSSL_IS_BORINGSSL
  // SSL_CTX_set_current_time_cb is only supported in BoringSSL.
  if (g_use_time_callback_for_testing) {
    SSL_CTX_set_current_time_cb(ctx, &TimeCallbackForTesting);
  }