[PATCH] Support building with BoringSSL.

Jouni Malinen j
Sun Sep 28 10:31:46 PDT 2014

On Thu, Sep 18, 2014 at 06:40:03PM -0700, Adam Langley wrote:
> BoringSSL is Google's cleanup of OpenSSL and an attempt to unify
> Chromium, Android and internal codebases around a single OpenSSL.
> As part of moving Android to BoringSSL, the wpa_supplicant maintainers
> in Android requested that I upstream the change. I've worked to reduce
> the size of the patch a lot but I'm afraid that it still contains a
> number of #ifdefs.

Thanks! This looks mostly reasonable. Could you please read the top
level CONTRIBUTIONS file (*) and provide a Signed-off-by: line for the
patch so that I can apply this?

(*) http://w1.fi/cgit/hostap/plain/CONTRIBUTIONS

> One change worth noting (which I didn't #ifdef) is the switch from the
> deprecated ERR_remove_state to ERR_remove_thread_state. I think this is
> generally applicable because upstream have deprecated it, but it does
> require OpenSSL 1.0.0 or greater (i.e. not 0.9.8).

I'm still trying to support 0.9.8, so this will need to be made to use
a suitable #ifdef or maybe the cleanest option would be to just do
something like this as a backwards compatibility wrapper:

#define ERR_remove_thread_state(tid) ERR_remove_state(0)

> diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c
> @@ -38,14 +38,20 @@
> -#ifdef SSL_OP_NO_TICKET
> +#if (defined(SSL_F_SSL_SET_SESSION_TICKET_EXT) && defined(SSL_OP_NO_TICKET)) ||\
> +    defined(OPENSSL_IS_BORINGSSL)
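
Review bot: The OPENSSL_IS_BORINGSSL arm on the second + line no longer requires defined(SSL_OP_NO_TICKET), which the original #ifdef did, so the guarded code is enabled for BoringSSL whether or not that option macro exists. If the guarded block references SSL_OP_NO_TICKET, keep the check in both arms, for example defined(SSL_OP_NO_TICKET) && (defined(SSL_F_SSL_SET_SESSION_TICKET_EXT) || defined(OPENSSL_IS_BORINGSSL)). A one-line comment saying that SSL_F_SSL_SET_SESSION_TICKET_EXT serves as a feature test here would also help the next reader, and the ||\ continuation wants a space before the backslash.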

I guess this is because of SSL_F_SSL_SET_SESSION_TICKET_EXT not being
defined in BoringSSL. This could be cleaner to convert to
OPENSSL_VERSION_NUMBER >= 0x10000000L (or something similar.. I don't
remember why I ended up using SSL_F_SSL_SET_SESSION_TICKET_EXT instead..
the early days (well, years..) of EAP-FAST support were somewhat of a
mess with OpenSSL).

Jouni Malinen                                            PGP id EFC895FA
