[PATCH] Support building with BoringSSL.
Adam Langley
agl
Mon Oct 6 15:44:48 PDT 2014
On Mon, Oct 6, 2014 at 3:35 PM, Jouni Malinen <j at w1.fi> wrote:
> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> index 4436fb8..7335033 100644
> --- a/src/crypto/tls_openssl.c
> +++ b/src/crypto/tls_openssl.c
> @@ -1217,7 +1224,7 @@ static int tls_match_suffix(X509 *cert, const char *match)
>
> ext = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
>
> - for (i = 0; ext && i < sk_GENERAL_NAME_num(ext); i++) {
> + for (i = 0; ext && i < (int) sk_GENERAL_NAME_num(ext); i++) {
> gen = sk_GENERAL_NAME_value(ext, i);
> if (gen->type != GEN_DNS)
> continue;
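
Review bot: the `(int)` cast on `sk_GENERAL_NAME_num(ext)` in the loop condition silences the type mismatch with `i` rather than resolving it, and it would truncate a count that does not fit in an int. Consider giving `i` the type the stack API returns so the comparison needs no cast; if the cast stays, add a short comment saying which library's return type it is there for.
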
Thanks! But I'm confused by this! Firstly, you're correct that there's
sort of a problem here: I didn't notice because Android hasn't updated
to include this code yet.

However, casting to an int is something that you would need to do if
sk_GENERAL_NAME_num was returning a size_t, which it does in
BoringSSL, but you're not building with BoringSSL.

But, rather than cast, the "int i" in this function can be changed to
a stack_index_t.

> @@ -3392,9 +3399,15 @@ unsigned int tls_capabilities(void *tls_ctx)
> * commented out unless explicitly needed for EAP-FAST in order to be able to
> * build this file with unmodified openssl. */
>
> +#ifdef OPENSSL_IS_BORINGSSL
> +static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
> + STACK_OF(SSL_CIPHER) *peer_ciphers,
> + const SSL_CIPHER **cipher, void *arg)
> +#else /* OPENSSL_IS_BORINGSSL */
> static int tls_sess_sec_cb(SSL *s, void *secret, int *secret_len,
> STACK_OF(SSL_CIPHER) *peer_ciphers,
> SSL_CIPHER **cipher, void *arg)
> +#endif /* OPENSSL_IS_BORINGSSL */
> {
> struct tls_connection *conn = arg;
> int ret;
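
Review bot: the two `tls_sess_sec_cb` signatures under `#ifdef OPENSSL_IS_BORINGSSL` differ only in the `const` on `SSL_CIPHER **cipher`, so duplicating all three lines invites the copies drifting apart on a later edit. Consider keeping a single signature and making only the qualifier conditional (for example a local macro that expands to `const` when `OPENSSL_IS_BORINGSSL` is defined), and extend the comment above the function to say why the BoringSSL callback type differs.
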
This also seems correct, but only needed for BoringSSL. But I can't
imagine that you got it building with BoringSSL.

(Again, I think Android is omitting this code which is why I didn't hit it.)

Cheers

AGL