[PATCH] Support building with BoringSSL.

Adam Langley agl at google.com
Mon Oct 6 18:44:48 EDT 2014


On Mon, Oct 6, 2014 at 3:35 PM, Jouni Malinen <j at w1.fi> wrote:
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index 4436fb8..7335033 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -1217,7 +1224,7 @@ static int tls_match_suffix(X509 *cert, const char *match)
>
>         ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
>
> -       for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
> +       for (i = 0; ext && i < (int) sk_GENERAL_NAME_num(ext); i++) {
>                 gen = sk_GENERAL_NAME_value(ext, i);
>                 if (gen->type != GEN_DNS)
>                         continue;

Thanks! But I'm confused by this! Firstly, you're correct that there's
sort of a problem here: I didn't notice because Android hasn't updated
to include this code yet.

However, casting to an int is something that you would need to do if
sk_GENERAL_NAME_num was returning a size_t, which it does in
BoringSSL, but you're not building with BoringSSL.

But, rather than cast, the "int i" in this function can be changed to
a stack_index_t.

> @@ -3392,9 +3399,15 @@ unsigned int tls_capabilities(void *tls_ctx)
>   * commented out unless explicitly needed for EAP-FAST in order to be able to
>   * build this file with unmodified openssl. */
>
> +#ifdef OPENSSL_IS_BORINGSSL
> +static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
> +                          STACK_OF(SSL_CIPHER) *peer_ciphers,
> +                          const SSL_CIPHER **cipher, void *arg)
> +#else /* OPENSSL_IS_BORINGSSL */
>  static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
>                            STACK_OF(SSL_CIPHER) *peer_ciphers,
>                            SSL_CIPHER **cipher, void *arg)
> +#endif /* OPENSSL_IS_BORINGSSL */
>  {
>         struct tls_connection *conn = arg;
>         int ret;

This also seems correct, but only needed for BoringSSL. But I can't
imagine that you got it building with BoringSSL.

(Again, I think Android is omitting this code which is why I didn't hit it.)


Cheers

AGL


More information about the HostAP mailing list