This repository has been archived by the owner on Oct 24, 2018. It is now read-only.
Standalone builds using OpenSSL. #7
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
briansmith
force-pushed
the
feature/openssl
branch
from
61495b9
to
7de7460
Compare
|
Unfortunately, GitHub deleted all the comments on this pull request because I did a rebase. I updated the Travis configuration in part based on the links Reed provided, so that now there are 24 configurations being built: {gcc-4.8,gcc-4.9,gcc-5,clang-3.4,clang-3.5,clang-3.6,clang-3.7}{x86,x64}{release,debug} - {gcc-4.8,gcc-4.9}{x86}{release,debug}. 32-bit builds for older GCC's require some additions to the Travis CI apt package whitelist before they will succeed. I also added Thanks for your help, Reed! |
| - make openssl CMAKE_BUILD_TYPE=$CMAKE_BUILD_TYPE BITS=$BITS | ||
| - make CMAKE_BUILD_TYPE=$CMAKE_BUILD_TYPE BITS=$BITS | ||
| - make check CMAKE_BUILD_TYPE=$CMAKE_BUILD_TYPE BITS=$BITS | ||
| - git clone -b master --depth 1 --single-branch https://github.com/briansmith/googletest build/gtest |
There was a problem hiding this comment.
What's the difference between this and line 287?
There was a problem hiding this comment.
It's just a mistake. I've already corrected it locally. I am using this same build system for https://github.com/briansmith/ring and it's already been corrected there. I'll update the PR soon.
briansmith
force-pushed
the
feature/openssl
branch
3 times, most recently
from
8a27a7a
to
d8a3d0a
Compare
The bulk of this commit was generated by running:
run-clang-tidy.py \
-checks='-*,llvm-namespace-comment' \
-header-filter=^/.../mozilla-central/.* \
-fix
BUG=https://bugzilla.mozilla.org/show_bug.cgi?id=1182996
Imported-from: https://hg.mozilla.org/mozilla-central/rev/91d6e262b662
1. Change the result of Input and Result functions to a new type that is different from mozilla::pkix::Result, so that they can be more easily used outside of DER parsing. 2. Change the result type of Input and Result functions so that it is more convenient (fewer lines of code) to string multiple calls together. 3. Make it so that Input.h does not include any header files other than standard header files. 4. Refactor tests to take these changes into account. BUG=https://bugzilla.mozilla.org/show_bug.cgi?id=1188957 Imported-from: https://hg.mozilla.org/mozilla-central/rev/50935c255870
Crypto libraries, including OpenSSL in particular, are dropping MD2 support. MD2 support is needed by the test framework to generate certificates signed by MD2 to verify that mozilla::pkix rejects MD2-based signatures except for MD2-based signatures on trust anchors certificates. Define MOZILLA_PKIX_TEST_HAVE_MD2=1 to enable the MD2-based tests.
The code for generating DSS signatures in tests using OpenSSL's libcrypto is not implemented yet. For now, we just avoid building those tests by default. Define MOZILLA_PKIX_TEST_HAVE_DSS=1 to enable the DSS-based tests.
Since mozilla::pkix cannot work without a crypto implementation, and since it is designed to be a component in an application, we don't provie a standalone Makefile. Rather, pkix.mk contains useful rules for integrating mozilla::pkix into a larger multi-component project.
1. In lib/pkixlibcrypto.cpp, add adapters that simplify the creation of mozilla::pkix TrustDomain implementations based on OpenSSL's libcrypto. This commit adds support for signature verification and digest calculation. In a future commit, we'll add support for using OpenSSL's certificate trust store. lib/pkixcrypto.cpp is the OpenSSL counterpart to the NSS adapter in lib/pkixnss.cpp. 2. In test/lib/pkixtestlibcrypto.cpp, implement the test crypto interface so that the unit tests can be run using OpenSSL's libcrypto. test/lib/pkixtestlibcrypto.cpp is the OpenSSL counterpart to the NSS implementation of the test interface in test/lib/pkixtestnss.cpp. Note that the DSS and MD2 portions of the test interface are NOT implemented yet.
Travis CI is now not installing clang-3.7 like it was even earlier today, so disable clang-3.7. Also update the update-travis-yml script to be more in sync with the version in ring.
briansmith
force-pushed
the
feature/openssl
branch
from
d8a3d0a
to
833814b
Compare
|
In this update, I rewrote the pkix[test]libcrypto code so that it builds (and runs) correctly when ring is substituted for openssl. It should also work in BoringSSL too. I've added ring to the Travis CI configuration. |
The original plan was for mozilla::pkix to do all the parsing of the internal structures of public keys and ECDSA signatures itself, bypassing any of the parsing done by the crypto library. However, that would have meant that mozilla::pkix's TrustDomain adapters would have had to add dependencies on low-level details of the crypto implementation such as the bugnum API. That would have been especially bad because those are the details that are most likely to change in incompatible ways in OpenSSL, BoringSSL, and ring. The parsing of these encoded structures in BoringSSL is much more robust than before, so mozilla::pkix usually wouldn't be buying much additional safety by doing that parsing itself.
briansmith
force-pushed
the
feature/openssl
branch
3 times, most recently
from
1fde14c
to
f1a0efc
Compare
briansmith
force-pushed
the
feature/openssl
branch
from
a599b96
to
aa49798
Compare
briansmith
force-pushed
the
feature/openssl
branch
9 times, most recently
from
47d2dbc
to
9e24324
Compare
This adds a new code path specifically for *ring*. In order to minimize the number of distinct code paths, the BoringSSL path was merged with the OpenSSL path.
|_WIN32| is always defined by the compiler, but |WIN32| is only defined if |-DWIN32| is passed on the command line or if a Windows API header file is included, so |_WIN32| is more reliable.
briansmith
force-pushed
the
feature/openssl
branch
4 times, most recently
from
3747929
to
679ba5d
Compare
This uses the same build system as *ring* and assumes that *ring* is in ..\ring and that GTest is in ..\gtest.
briansmith
force-pushed
the
feature/openssl
branch
from
679ba5d
to
010d1a0
Compare
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.